YXScript.DLL-VBScript.Decode的优秀解决方案

YXScript.DLL - 一个比任何你见到的解码程序(脚本)快10000倍的组件!

对于这个问题,网上满天飞到处都是那段JavaScript的网页脚本,一大堆菜鸟拼命转载

如果脚本比较小(几KB)的时候,基本还够用,近期公司的服务器被人攻击,截获一个木马

是100KB,用那段脚本直接卡了数分钟,还只解码了一部分,没办法,求人不如求己,我干

脆写了个DLL输出标准WINDOWSAPI函数来解码,下面就对这个DLL和主要实现思想

做个探讨:

对加密后的脚本,你会发现从不出现4个字符:(CR) (LF) (<) (>),

就是说这些在vbs和asp中属于特殊字符的有特定对应的密文,有篇文章是介绍这方面

详情的,但是密码表有些地方有错误,由于微软有协议不给对产品逆向工程,我这里也不

公布密码表了,现在就YXScript.dll做较详细的介绍和VB使用的例子:

最重要的解码函数:

Declare Function YXScrDecode Lib "YXScript.dll" (ByVal Source As String, ByVal Result As String, ByVal szCount As Long) As Long
'函数原型long YXScrDecode(char *Source,char Result[],long szCount)

Source 是要解密的字符串

Result 存放结果的字符串(字节数组)

szCount 至少是Source的长度(字节)

返回值 解码后代码的长度(字节)

注:为了提高处理的速度和排除错误的影响,YXScrDecode 不校验代码的合法性

它会将整个字符串都解码,如果位置错误也会得到乱码

双字标识替换函数:

Declare Function YXControlChar Lib "YXScript.dll" (ByVal arrChar As String, ByVal szCnt As Long) As Long
'函数原型:long YXControlChar(char arrChar[],long szCnt)
arrChar 原字符串(字节数组)

szCnt 是字符串的长度

返回值 结果字符串的长度

注:为了防止参数传递错误可以用以下VB代码得到相同的效果

Script = Replace(Script, "@#", Chr(13))
Script = Replace(Script, "@&", Chr(10))

Script = Replace(Script, "@!", "<")
Script = Replace(Script, "@*", ">")
Script = Replace(Script, "@$", "@") '最后生成@

提取密码部分的函数

Declare Function YXPureScript Lib "YXScript.dll" (ByVal cArray As String, ByVal rArray As String, ByVal szCnt As Long) As Long
'函数原型long YXPureScript(char cArray[],char rArray[],long szCnt)
功能:将结果赋值到rArray 返回结果字符串长度(字节)

注释:

代码是以#@~^******==开头,以******==^#~@结尾的部分,******代表字母,

与代码的长度有关,可用于校验解码是否正确,意义不大

用Instr和Mid可实现同样功能切更准确,但速度慢些

密码表查询函数

Declare Function YXSeekChar Lib "YXScript.dll" (ByVal arrChar As String, ByVal c As Byte) As Long
'函数原型long YXSeekChar(char arrChar[],char c)
返回c在arrChar中的位置(索引)以对照找出明码

未开放函数,永远返回0

Declare Function YXScrEncode Lib "YXScript.dll" (ByVal Source As String, ByVal Result As String, ByVal szCount As Long) As Long
'long YXScrEncode(char *Source,char Result[],long szCount)

直接对文件操作的函数
Declare Function YXScrCracker Lib "YXScript.dll" (ByVal lpFileName As String, ByVal lpNewName As String) As Long
'long YXScrCracker(char *lpFileName,char *lpNewName)

功能:处理lpFileName解码保存到lpNewName,如果结果长度小于lpNewName(若已存在)

lpNewName超过的部分会保留(即二进制读写的模式)

注释:当前可能有误

1.0.0.1的DLL只测试了YXScrDecode函数,确保这个函数是正确的

下面给出一个VB的函数来展示使用过程

Public Function DCScript(ByVal Script As String) As String
    Dim s As String, l As Long
    Dim b As Long, e As Long
    Dim k As Long
    l = Len(Script): s = Space(l)       '...
    b = InStr(Script, "#@~^")           '#@~^******==
    e = InStr(Script, "^#~@")           '******==^#~@
    If b = 0 Or e = 0 Then
        If MsgBox("没找到密文开始/结束标识,解密结果可能有误!要继续吗?", vbYesNo) = vbNo Then
            Exit Function
        Else
            If e = 0 Then e = l Else e = e - 8
            If b = 0 Then b = 1 Else b = b + 12
        End If
    Else
        b = b + 12                      '为0则全部解密
        e = e - 8                       '为0则算到末尾
    End If
    'frmMain.Caption = "Decoding ..."
    Script = Mid(Script, b, e - b + 1)
    'Script = Replace(Script, "@#", Chr(13))
    'Script = Replace(Script, "@&", Chr(10))
    Script = Replace(Script, "@#@&", Chr(13) + Chr(10)) 'vbcCrlf
    Script = Replace(Script, "@!", "<")
    Script = Replace(Script, "@*", ">")
    Script = Replace(Script, "@$", "@") '最后生成@
    k = YXScrDecode(Script, s, Len(Script))
    s = Replace(s, Chr(13) + Chr(2), vbCrLf)
    'frmMain.Caption = "碰到我算你倒霉!"
    DCScript = Left(s, k + 1)
End Function

相关的程序源代码可以在我的下载里下载到:

http://download.csdn.net/source/2185998

借此声明,我还没有到公司上班,我要发飙某些人蜘蛛纸牌都没得玩,请勿攻击他人合法权益!