How to decode this javascript?

孤独总比滥情好 2021-01-07 11:26

My question is how I can decode this JavaScript, and how it was encoded (with which program or online tool).

Here is the JavaScript that I want to decode: http://pastebin

3条回答
  • 2021-01-07 11:57

    Every obfuscated script needs some kind of eval. In here, the lines

    // [annotation] '\x75\x63\x74\x6F\x72' is the hex-escaped text "uctor", so _L holds "constructor".
    _L = 'constr\x75\x63\x74\x6F\x72';
    // [annotation] [][_L][_L] is [].constructor.constructor, i.e. Function: the string returned by
    // _Z[_h._t4](_F) is compiled into a function and the trailing () runs it - an eval in disguise.
    // _Z, _h._t4 and _F are defined elsewhere in the obfuscated script (not shown in this excerpt).
    [][_L][_L](_Z[_h._t4](_F))();
    

    are doing this. _L is the string "constructor", and [].constructor.constructor is the Function constructor. It is called with the decoded script as its argument, and the function it returns is then invoked, which is what actually runs the hidden code. We can substitute the Function constructor with alert, so that the decoded source is displayed instead of being compiled, paste the script in the console*, and wait for the result - we don't even need to understand how the decoding works. In your case, the result is (yes, including all the comments and linebreaks):

    // [annotation] Start of the decoded output. alarm is a string flag: "0" means no check has
    // failed so far, "1" means at least one check failed.
    var alarm ="0";
    // [annotation] content is only an alias for document; both names are used below.
    var content = document;
    
    // [annotation] If the page has an element with id "wrapper", make it visible.
    if ((content.getElementById("wrapper") != null))
    {
        document.getElementById('wrapper').style.display = 'block';
    }
    
    // [annotation] Check 1: the element with id "links" must exist and its markup must not
    // contain the text "nofollow" or "noindex"; in every other case alarm is set to "1".
    function a ()
    {
        if ((content.getElementById("links") != null))
        {
            var temp = content.getElementById("links").innerHTML;
            // [annotation] indexOf() is -1 when the text is absent, so (indexOf + 1) > 0 means "found".
            if ((temp.indexOf('nofollow')+1) > 0)  alarm = "1";
            else if ((temp.indexOf('noindex')+1) > 0)  alarm = "1";
        }
        else alarm = "1";
    }
    
    // [annotation] Check 2: elements "aa" and "ab" must both exist, "aa" must link to the exact
    // URL below and "ab" must contain the exact Russian text ("scripts for ucoz"); any
    // mismatch, or a missing element, sets alarm to "1".
    function b ()
    {
        if ((content.getElementById("aa") != null) && (content.getElementById("ab") != null))
        {
            // [annotation] temp has no var here, so in non-strict code it becomes a global variable.
            temp = document.getElementById("aa").href;
            if ("http://uc-portaller.ru/" != temp) alarm = "1";
    
            temp = document.getElementById("ab").innerHTML;
            if ("скрипты для ucoz" != temp) alarm = "1";
        }
        else alarm = "1";
    }
    
    // [annotation] Check 3: same pattern as b() for elements "ba" and "bb" - "ba" must link to
    // the exact URL below and "bb" must contain the exact Russian text ("bulletin board");
    // any mismatch, or a missing element, sets alarm to "1".
    function c ()
    {
        if ((content.getElementById("ba") != null) && (content.getElementById("bb") != null))
        {
    
            // [annotation] temp is assigned without var, so it is an implicit global in non-strict code.
            temp = content.getElementById("ba").href;
            if ("http://austere.ru/" != temp) alarm = "1";
    
            temp = content.getElementById("bb").innerHTML;
            if ("доска объявлений" != temp) alarm = "1";
        }
        else alarm = "1";
    }
    
    // [annotation] Check 4: same pattern again for elements "ca" and "cb" - "ca" must link to
    // the exact URL below and "cb" must contain the exact Russian text ("themes for ucoz");
    // any mismatch, or a missing element, sets alarm to "1".
    function d ()
    {
        if ((content.getElementById("ca") != null) && (content.getElementById("cb") != null))
        {
    
            // [annotation] temp is assigned without var, so it is an implicit global in non-strict code.
            temp = content.getElementById("ca").href;
            if ("http://www.for-creative.com/" != temp) alarm = "1";
    
            temp = content.getElementById("cb").innerHTML;
            if ("темы для ucoz" != temp) alarm = "1";
        }
        else alarm = "1";
    }
    
    // [annotation] Driver: a() always runs; b(), c() and d() run only while no earlier check
    // has failed, so the first failure short-circuits the rest.
    a ();
    
    if (alarm == "0") b ();
    if (alarm == "0") c ();
    if (alarm == "0") d ();
    
    // [annotation] On failure the visitor gets a prompt() whose Russian message reads roughly
    // "The terms of use have been violated, for any questions contact ICQ:", pre-filled with
    // the number below.
    // NOTE(review): taken together, the checks above look like enforcement of required
    // attribution links on a site template rather than a hidden payload - the only effects
    // visible in this part are showing #wrapper, the alarm/temp globals and this prompt.
    if (alarm == "1") prompt('Нарушены условия использования, по всем вопросам обращайтесь в ICQ:', '376880395');
    
    
    
    
    
    
    
    
    
    
    
    
    // [annotation] Second part of the decoded output: a jQuery modal-popup handler. It relies on
    // jQuery ($) already being loaded by the page.
    $(document).ready(function(){
    
        //When you click on a link with class of poplight and the href starts with a # 
        // [annotation] NOTE(review): the unquoted # in [href^=#] is, as far as I know, rejected as a
        // selector syntax error by newer jQuery releases - confirm against the version in use.
        $('a.poplight[href^=#]').click(function() {
            var popID = $(this).attr('rel'); //Get Popup Name
            var popURL = $(this).attr('href'); //Get Popup href to define size
    
            //Pull Query & Variables from href URL
            var query= popURL.split('?');
            // [annotation] query[1] is undefined when the href contains no '?', so the next line
            // throws a TypeError for such links.
            var dim= query[1].split('&');
            var popWidth = dim[0].split('=')[1]; //Gets the first query string value
    
            //Fade in the Popup and add close button
            // [annotation] popID (the link's rel attribute) is concatenated into the selector
            // unescaped. prepend('') inserts nothing; the close-button markup the comment above
            // refers to was presumably lost when this listing was rendered - unverified.
            $('#' + popID).fadeIn().css({ 'width': Number( popWidth ) }).prepend('');
    
            //Define margin for center alignment (vertical + horizontal) - we add 80 to the height/width to accomodate for the padding + border width defined in the css
            var popMargTop = ($('#' + popID).height() + 80) / 2;
            var popMargLeft = ($('#' + popID).width() + 80) / 2;
    
            //Apply Margin to Popup
            $('#' + popID).css({ 
                'margin-top' : -popMargTop,
                'margin-left' : -popMargLeft
            });
    
            //Fade in Background
            $('body').append('<div id="fade"></div>'); //Add the fade layer to bottom of the body tag.
            $('#fade').css({'filter' : 'alpha(opacity=0)'}).fadeIn(); //Fade in the fade layer 
    
            // [annotation] Returning false from a jQuery handler prevents the default action and
            // stops propagation, so the browser does not follow the # link.
            return false;
        });
    
    
        //Close Popups and Fade Layer
        // [annotation] .live() was removed in jQuery 1.9, so this code expects an older jQuery.
        $('a.close, #fade').live('click', function() { //When clicking on the close or fade layer...
            $('#fade , .popup_block').fadeOut(function() {
                $('#fade, a.close').remove();  
        }); //fade them both out
    
            return false;
        });
    
    
    });
    
    
    
    
            // [annotation] Third part of the decoded output: a small jQuery plugin, $.fn.tabs.
            // For every matched wrapper, the direct-child <div>s are treated as panels and the
            // links inside the direct-child <ul> as tabs; clicking a tab shows only the panel
            // whose selector equals the link's hash.
            $.fn.tabs = function () {
                return this.each(function () {
                   var $tabwrapper = $(this); 
    
                   var $panels = $tabwrapper.find('> div');
                   var $tabs = $tabwrapper.find('> ul a');
    
                   // [annotation] After binding, one tab is clicked programmatically: the tab
                   // matching the URL fragment if there is one, otherwise the first tab.
                   // NOTE(review): window.location.hash comes from the URL and is concatenated
                   // unescaped into the '[hash=...]' selector, so a fragment containing selector
                   // metacharacters yields an invalid or unintended selector.
                   $tabs.click(function () {  
                       $tabs.removeClass('selected');
                       $(this).addClass('selected');
    
                       $panels
                        .hide() // hide ALL the panels
                        .filter(this.hash) // filter down to 'this.hash'
                            .show(); // show only this one
    
                       return false;
                   }).filter(window.location.hash ? '[hash=' + window.location.hash + ']' : ':first').click();
                });
            };
    
            // [annotation] Once the DOM is ready, apply the tabs plugin to every div.tabs element.
            $(document).ready(function () {
                // console.log(window.location.hash);
    
                $('div.tabs').tabs();
            });
    

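    *) Of course you need to be sure what you're doing. There's always a small risk that it's a malicious script, and you might not have found all the evals; everything else in the pasted script still runs, with access to whatever page the console is attached to, so use a blank page in a throwaway browser profile or VM. @jfriend00's tip on executing the decoding snippets line-by-line is a safer way.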

  • 2021-01-07 11:59

    Have a look at: http://www.labnol.org/software/deobfuscate-javascript/19815/

    They show you how you can do something like that; it's basically a matter of using the Chrome debugger to "beautify" the code and make it easier to read.

    Some versions of Chrome don't have the command in a context menu; just look for the command "Pretty print" (it has an icon like -> {})

    Once that is done, you can use a JavaScript console to evaluate small snippets of the code and reverse engineer it. E.g. the expression (at the beginning of your code)

    1) (s\u0065lf + ([] * 0) * 1)
    2) '\x5B'
    3) ((s\u0065lf + ([] * 0) * 1)[0 ^ 0] == '\x5B')
    

    returns this string on my browser

    1) "[object Window]0"
    2) "["
    3) true
    

    Just find the starting point and follow from there. Obfuscated code follows the same rules as normal one, it's just all messed up.

  • 2021-01-07 12:13

    The only way I know of to understand what this code does is to find a safe environment (in case the code has malicious intent) and execute it line-by-line in a debugger and watch what it does as it deobfuscates itself to turn itself into normal javascript. The variable names will often stay obscured, but the giant string in _O will get decoded into something (probably javascript code).
