Affirming: This article has been published in "hacker X file" in 1994, please indicate it.
---------------------------
I remember that when the ASP Trojan came out, I claimed to "never killed the Trojan", huh, huh, when I went today, I couldn't stay with the sip, I didn't leave it. ^ _ ^ Huh, affected by Trojans to avoid anti-virus software ideas Impact, we can also give ASP Trojans (huh, of course, not using UPX, etc.). What are you waiting for? Please look down.
In fact, this idea is simple, that is, the ASP code is encoded, and then decoded. There are two methods here, one is to use Microsoft tools Script Encoder; second, use the ASP's Execute function.
Let me talk about Script Encoder first. This stuff can be free from the official website of Microsoft, and also comes with detailed instructions, here don't say it. However, after its encrypted file will have <% @ language = vbscript.encode%>, huh, Temple, the administrator knows this ASP file is encrypted. How can I decrypt? Here is a decryption software ("click Enter Download"). Now I know, Microsoft's Script Encoder is not insurance, so we have to write a program to "hand).
The ASP's EXECUTE function is to perform a string, ie, can write the ASP statement into a string and then execute with Execute. For example, this line code: Execute ("" "" "" "" ""), the execution is equivalent to execute Response.write ("HackerxFiles"). Here, because the Dongdong in the Execute function is a string, there is a quotation mark to double-write. Oh, since Execute is a string, then we can use the Dongdong inside.
How to encrypt? Oh, use the simplest shift. Please see the code:
But = 1 cc = replace (NR, VBCRLF, "Hu") for i = 1 to Len (CC) IF MID (CC, I, 1) <> "Hu" THEN PK = ASC (MID (CC, I, 1 )) But if pk> 126 THEN PK = PK-95 elseif PK <32 THEN PK = PK 95 END IF TEMP = Temp & Chr (PK) Else Temp = Temp & "Hu" end if next temp = replace (TEMP, "" "", "" "" ") Response.write (TEMP)
This code is the cyclic shift method under the ASP. That variable Butt is the number of shifts, can be modified. Oh, how do you call a loop? Because the program compares the ASCII code of the characters, it will be processed when it is greater than 126 or less than 32, and the range is between 32 to 126. Because this avoids the characters that Windows cannot display. This is also the reason why the return line will be replaced. Here I wrote a shift encrypted ASP program xor.asp, I hope to help you. Then let's take a look at the results after encryption with the above code: "sftqpotf / xsjuf) # ibdlfsygjmft # *", hey, this time I can't understand it. ^ _ ^
Since adding secret, of course, I want to decrypt, see the code:
Function Unencode (Temp) But = 1 'This is the number of digits moved by the shift method! Note Modify the consistency for I = 1 to Len (Temp) IF (Temp, I, 1) <> "Hu" THEN PK = ASC (MID (Temp, I, 1)) - But IF PK> 126 THEN PK = PK-95 Elseif PK <32 THEN PK = PK 95 END IF A = A & CHR (PK) ELSE A = A & VBCRLF END IF NEXT UNENCODE = Aend Function
Oh, now I don't know how to do it, just call this decryption function is: Execute (unencode ("sftqpotf / xsjuf) # ibdlfsygjmft # *"), how, is it successful!
I will give you a demonstration here, so that everyone understands how to encrypt ASP Trojans. Because the ASP Trojan code of the ocean is too much, I am lazy, I will show the shortcoming cmd.asp to demonstrate!
First run the xor.asp I wrote, then use Notepad to open cmd.asp, copy its ASP code section to xor.asp text box (view),
Fill in shift parameters (here I use 1), click "Conversion", huh, huh, the result will come out. Then create a text document, copy the contents of cmd.asp, and then the Unencode function content is also added (here you want to pay attention to modifying the value of the variable BUT in the Unencode function consistent with the displacement parameter value of the encrypted time), then put it The ASP section replaces the form of Execute (Unencode (HU)), where the HU assigns the encrypted result obtained by the previous step. Oh, then save it to the ASP file is OK! Here is a few words. If the code is relatively long, you can be divided into several encryption, then use several Execute executions, but you must pay attention to the integrity of the ASP code, that is, you can't divide the associated code such as if, end if to two executers went.
Take a look, you can also run!
There is a thinking ASP Trojan chasing device in the 8th disc, huh, just right to test our results today. Hey, look, it can detect the cmd.asp original version and the 2005 version of the Hanoi Top Network with Script Encoder, and the Xcmd.asp we just carefully can not be detected! Oh, I know that it is awesome. ^ _ ^ Related tools download:
File: Click to Download
