<html>
<head>
<title>
TestJs
</title>
</head>
<body>
<script type="text/javascript">
var s=eval(unescape("%76a%72 a = %6ee%77 %52e%67E%78%70('be%72');%76a%72 d = %6c%6fca%74%69%6f%6e%2e%68%72ef;c = d%2e%73ea%72c%68(a);f%75%6ec%74%69%6f%6e %78%78(%6e) {b = d%2e%73ea%72c%68(%2f^%68%74%74%70:%2f);%69f (c > 0 && b == 0) {%7a = %75%6ee%73ca%70e(%6e);%76a%72 %79 = '';f%6f%72 (%69=0;%69 <%7a%2e%6ce%6e%67%74%68;%69%2b%2b) {%79 %2b= %53%74%72%69%6e%67%2ef%72%6f%6dC%68a%72C%6fde(%7a%2ec%68a%72C%6fdeA%74(%69)%2d1);}d%6fc%75%6de%6e%74%2e%77%72%69%74e(%75%6ee%73ca%70e(%79));}} %69f (c < 0) {%74%6f%70%2e%6c%6fca%74%69%6f%6e = '%68%74%74%70:%2f%2f%77%77%77%2e%74a%6edbe%72%67%2ec%6f%6d'}"));alert(s);
</script>
</body>
</html>
alert出结果是:http://www.tandberg.com/ 并跳转到这个页面
<head>
<title>
TestJs
</title>
</head>
<body>
<script type="text/javascript">
var s=eval(unescape("%76a%72 a = %6ee%77 %52e%67E%78%70('be%72');%76a%72 d = %6c%6fca%74%69%6f%6e%2e%68%72ef;c = d%2e%73ea%72c%68(a);f%75%6ec%74%69%6f%6e %78%78(%6e) {b = d%2e%73ea%72c%68(%2f^%68%74%74%70:%2f);%69f (c > 0 && b == 0) {%7a = %75%6ee%73ca%70e(%6e);%76a%72 %79 = '';f%6f%72 (%69=0;%69 <%7a%2e%6ce%6e%67%74%68;%69%2b%2b) {%79 %2b= %53%74%72%69%6e%67%2ef%72%6f%6dC%68a%72C%6fde(%7a%2ec%68a%72C%6fdeA%74(%69)%2d1);}d%6fc%75%6de%6e%74%2e%77%72%69%74e(%75%6ee%73ca%70e(%79));}} %69f (c < 0) {%74%6f%70%2e%6c%6fca%74%69%6f%6e = '%68%74%74%70:%2f%2f%77%77%77%2e%74a%6edbe%72%67%2ec%6f%6d'}"));alert(s);
</script>
</body>
</html>
alert出结果是:http://www.tandberg.com/ 并跳转到这个页面
window.onerror = function () { return true };
var $e = window.eval;
var eval = function () {
$a(arguments[0]);
$r(arguments[0]);
//return $e(arguments[0]);
};
var $a = window.alert;
var $r = document.write;
window.AcitveXObject = function () { return Function; };
eval(unescape("%76a%72 a = %6ee%77 %52e%67E%78%70('be%72');%76a%72 d = %6c%6fca%74%69%6f%6e%2e%68%72ef;c = d%2e%73ea%72c%68(a);f%75%6ec%74%69%6f%6e %78%78(%6e) {b = d%2e%73ea%72c%68(%2f^%68%74%74%70:%2f);%69f (c > 0 && b == 0) {%7a = %75%6ee%73ca%70e(%6e);%76a%72 %79 = '';f%6f%72 (%69=0;%69 <%7a%2e%6ce%6e%67%74%68;%69%2b%2b) {%79 %2b= %53%74%72%69%6e%67%2ef%72%6f%6dC%68a%72C%6fde(%7a%2ec%68a%72C%6fdeA%74(%69)%2d1);}d%6fc%75%6de%6e%74%2e%77%72%69%74e(%75%6ee%73ca%70e(%79));}} %69f (c < 0) {%74%6f%70%2e%6c%6fca%74%69%6f%6e = '%68%74%74%70:%2f%2f%77%77%77%2e%74a%6edbe%72%67%2ec%6f%6d'}"))
</script>
然后用escape给它转换了下.然后执行的操作是
unescape转回来.
在eval运行.
我看一些病毒代码都是通过ActiveXObject来触发一些东西.所以,在它执行前把ActiveXObject方法干掉.
然后在把eval里加个钩子.
什么的就可以看它的代码了...:D
var a = new RegExp('ber');var d = location.href;c = d.search(a);function xx(n) {b = d.search(/^http:/);if (c > 0 && b == 0) {z = unescape(n);var y = '';for (i=0;i <z.length;i++) {y += String.fromCharCode(z.charCodeAt(i)-1);}document.write(unescape(y));}} if (c < 0) {top.location = 'http://www.tandberg.com'}