YXScript.DLL - a component 10000 times faster than any decoding program (script) you have seen!
For this problem the web is flooded with that one JavaScript page script, reposted endlessly by hordes of newbies.
When the script is small (a few KB) it is basically good enough, but recently the company's server was attacked and I intercepted a trojan
of 100 KB; that script hung for several minutes and only decoded part of it. No way around it, better to rely on yourself than beg others, so I simply
wrote a DLL that exports standard Windows API functions to do the decoding. Below is a discussion of this DLL and the main
implementation idea:
In an encoded script you will notice that four characters never appear: (CR) (LF) (<) (>).
That is, these characters, which are special in VBS and ASP, have specific corresponding ciphertext. There is an article that covers this in
detail, but its code table has errors in places. Since Microsoft's licence prohibits reverse engineering the product, I will not
publish the code table here either. What follows is a fairly detailed introduction to YXScript.dll and a VB usage example:
The most important decoding function:
Declare Function YXScrDecode Lib "YXScript.dll" (ByVal Source As String, ByVal Result As String, ByVal szCount As Long) As Long
'Prototype: long YXScrDecode(char *Source, char Result[], long szCount)
Source: the string to decode
Result: string (byte array) that receives the result
szCount: at least the length of Source in bytes
Return value: length of the decoded code in bytes
Note: to maximise speed and keep errors from interfering, YXScrDecode does not validate the code.
It decodes the entire string; if the starting position is wrong you simply get garbage.
Two-character marker replacement function:
Declare Function YXControlChar Lib "YXScript.dll" (ByVal arrChar As String, ByVal szCnt As Long) As Long
'Prototype: long YXControlChar(char arrChar[], long szCnt)
arrChar: the original string (byte array)
szCnt: the length of the string
Return value: length of the result string
Note: to avoid parameter-passing errors, the following VB code achieves the same effect
Script = Replace(Script, "@#", Chr(13))
Script = Replace(Script, "@&", Chr(10))
Script = Replace(Script, "@!", "<")
Script = Replace(Script, "@*", ">")
Script = Replace(Script, "@$", "@") 'produce @ last
Function to extract the encoded part:
Declare Function YXPureScript Lib "YXScript.dll" (ByVal cArray As String, ByVal rArray As String, ByVal szCnt As Long) As Long
'Prototype: long YXPureScript(char cArray[], char rArray[], long szCnt)
Function: stores the result in rArray and returns the length of the result string in bytes
Notes:
The code is the part that starts with #@~^******== and ends with ******==^#~@, where ****** stands for letters
related to the length of the code; they can be used to verify that decoding was correct, but that is of little significance.
InStr and Mid can do the same job more accurately, but more slowly.
Code table lookup function:
Declare Function YXSeekChar Lib "YXScript.dll" (ByVal arrChar As String, ByVal c As Byte) As Long
'Prototype: long YXSeekChar(char arrChar[], char c)
Returns the position (index) of c in arrChar, for looking up the plaintext by comparison.
Unreleased function, always returns 0:
Declare Function YXScrEncode Lib "YXScript.dll" (ByVal Source As String, ByVal Result As String, ByVal szCount As Long) As Long
'Prototype: long YXScrEncode(char *Source, char Result[], long szCount)
Function that operates directly on files:
Declare Function YXScrCracker Lib "YXScript.dll" (ByVal lpFileName As String, ByVal lpNewName As String) As Long
'Prototype: long YXScrCracker(char *lpFileName, char *lpNewName)
Function: decodes lpFileName and saves the result to lpNewName. If the result is shorter than lpNewName (when it already exists),
the excess part of lpNewName is retained (i.e. the file is handled in binary read/write mode).
Note: this may currently be buggy.
In DLL 1.0.0.1 only YXScrDecode has been tested; that function is guaranteed to be correct.
Below is a VB function that shows the usage:
'Requires the Declare for YXScrDecode given above in the same module.
Public Function DCScript(ByVal Script As String) As String
    Dim s As String, l As Long
    Dim b As Long, e As Long
    Dim k As Long
    l = Len(Script): s = Space(l)   'output buffer, at least as long as the input
    b = InStr(Script, "#@~^")       'start marker: #@~^******==
    e = InStr(Script, "^#~@")       'end marker:   ******==^#~@
    If b = 0 Or e = 0 Then
        If MsgBox("没找到密文开始/结束标识,解密结果可能有误!要继续吗?", vbYesNo) = vbNo Then
            Exit Function
        Else
            If e = 0 Then e = l Else e = e - 9
            If b = 0 Then b = 1 Else b = b + 12
        End If
    Else
        b = b + 12 'skip "#@~^", the six length letters and "=="; 0 means decode everything
        e = e - 9  'drop the six check letters and "==" that precede "^#~@"; 0 means run to the end
    End If
    'frmMain.Caption = "Decoding ..."
    Script = Mid(Script, b, e - b + 1)
    'Script = Replace(Script, "@#", Chr(13))
    'Script = Replace(Script, "@&", Chr(10))
    Script = Replace(Script, "@#@&", Chr(13) + Chr(10)) 'vbCrLf
    Script = Replace(Script, "@!", "<")
    Script = Replace(Script, "@*", ">")
    Script = Replace(Script, "@$", "@") 'produce @ last
    k = YXScrDecode(Script, s, Len(Script))
    s = Replace(s, Chr(13) + Chr(2), vbCrLf)
    'frmMain.Caption = "碰到我算你倒霉!"
    DCScript = Left(s, k)   'k is the decoded length in bytes, as documented above
End Function
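The same front end in Python, as an added example that is not the page's or YXScript.dll's code: pure_script() does what YXPureScript does, taking the text between the 12-character head #@~^******== and tail ******==^#~@ with either marker optional, and control_chars() does what YXControlChar does in a single left-to-right pass so that the @ produced from @$ is never re-read as the start of another escape. The substitution table that YXScrDecode applies is not on this page and is not reproduced; the sample blob is constructed, and its letters pass through unchanged because no table is applied.

```python
# Added example: the two preprocessing steps described above (YXPureScript and
# YXControlChar) for an encoded block. The substitution table that YXScrDecode
# applies is not on the page and is deliberately not included here.

HEAD_MARK, TAIL_MARK = "#@~^", "^#~@"
MARK_LEN = 12  # "#@~^" + 6 letters + "==" in front; 6 letters + "==" + "^#~@" at the back

# Escapes for the four characters that never appear raw in an encoded script
# (CR, LF, '<', '>') plus the escape character '@' itself.
ESCAPES = {"@#": "\r", "@&": "\n", "@!": "<", "@*": ">", "@$": "@"}


def pure_script(blob):
    """Return (body, head_marker, tail_marker) for the first encoded block.

    Like the VB DCScript, a missing head marker means "start at the beginning"
    and a missing tail marker means "run to the end"; the marker strings are
    returned so a caller can log or check them (None when absent).
    """
    b = blob.find(HEAD_MARK)
    start = b + MARK_LEN if b >= 0 else 0
    e = blob.find(TAIL_MARK, start)
    # The tail's six letters and "==" sit immediately before "^#~@".
    end = max(start, e - (MARK_LEN - len(TAIL_MARK))) if e >= 0 else len(blob)
    head = blob[b:start] if b >= 0 else None
    tail = blob[end:e + len(TAIL_MARK)] if e >= 0 else None
    return blob[start:end], head, tail


def control_chars(body):
    """Expand the '@x' escapes in one pass: '@$' is consumed as one token, so the
    '@' it yields cannot combine with the next character into a new escape.
    Unknown '@x' pairs are kept verbatim, matching the DLL's no-validation rule."""
    out, i = [], 0
    while i < len(body):
        pair = body[i:i + 2]
        if pair in ESCAPES:
            out.append(ESCAPES[pair])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def prepare(blob):
    """Text ready for the table-based step, i.e. what YXScrDecode would receive."""
    body, _head, _tail = pure_script(blob)
    return control_chars(body)


if __name__ == "__main__":
    # Constructed sample: an ASP page wrapping a small encoded block.
    sample = "<%\n#@~^AAAAAA==Xy@!z@$@#@&end@*QQQQQQ==^#~@\n%>"
    print(repr(prepare(sample)))  # 'Xy<z@\r\nend>'
```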
The related program source code can be downloaded from my downloads:
http://download.csdn.net/source/2185998
I take this opportunity to declare: I have not yet started work at the company, and if I lose my temper some people will not even get to play Spider Solitaire. Do not infringe on other people's lawful rights!