
Decoding hex encoded/obfuscated javascript

I'm a SysAdmin that doesn't know much about javascript.

I recently started running Snort on a network and it gave me the alert "ET WEB_CLIENT Hex Obfuscation of document.write % Encoding" on a website one of my users visited. Looking at the Snort rule and the html/javascript on the site I was able to find the following that I think triggered the rule:

eval(unescape("%66%75%6e%63%74%69%6f%6e%20%52%73%52%73%52%73%52%73%28%74%65%61%61%62%62%29%20%7b%76%61%72%20%74%74%74%6d%6d%6d%3d%22%22%3b%6c%3d%74%65%61%61%62%62%2e%6c%65%6e%67%74%68%3b%77%77%77%3d%68%68%68%68%66%66%66%66%3d%4d%61%74%68%2e%72%6f%75%6e%64%28%6c%2f%32%29%3b%69%66%28%6c%3c%32%2a%77%77%77%29%09%68%68%68%68%66%66%66%66%3d%68%68%68%68%66%66%66%66%2d%31%3b%66%6f%72%28%69%3d%30%3b%69%3c%68%68%68%68%66%66%66%66%3b%69%2b%2b%29%74%74%74%6d%6d%6d%20%3d%20%74%74%74%6d%6d%6d%20%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%69%29%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%69%2b%68%68%68%68%66%66%66%66%29%3b%69%66%28%6c%3c%32%2a%77%77%77%29%20%74%74%74%6d%6d%6d%20%3d%20%74%74%74%6d%6d%6d%20%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%6c%2d%31%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%74%74%74%6d%6d%6d%29%3b%7d%3b%52%73%52%73%52%73%52%73%28%77%6c%6b%6a%69%29%3b")); 

I ran that block of javascript through a HexDecoder (http://ddecode.com/hexdecoder/) and got the following:

eval(unescape("function RsRsRsRs(teaabb) {var tttmmm="";l=teaabb.length;www=hhhhffff=Math.round(l/2);if(l<2*www)    hhhhffff=hhhhffff-1;for(i=0;i<hhhhffff;i++)tttmmm = tttmmm + teaabb.charAt(i)+ teaabb.charAt(i+hhhhffff);if(l<2*www) tttmmm = tttmmm + teaabb.charAt(l-1);document.write(tttmmm);};RsRsRsRs(wlkji);"));

Can anyone point me in the right direction to continue decoding this to determine what it might be doing?

Can anyone point me in the right direction...

Just open your browser's web console and paste it in, without the eval( at the beginning and the final ) at the end. That will show you the code it's trying to run, without running it.

You can take it further by taking the resulting

function RsRsRsRs(teaabb) {
    var tttmmm = "";
    l = teaabb.length;
    www = hhhhffff = Math.round(l / 2);
    if (l < 2 * www) hhhhffff = hhhhffff - 1;
    for (i = 0; i < hhhhffff; i++) tttmmm = tttmmm + teaabb.charAt(i) + teaabb.charAt(i + hhhhffff);
    if (l < 2 * www) tttmmm = tttmmm + teaabb.charAt(l - 1);
    document.write(tttmmm);
};
RsRsRsRs(wlkji);

...which defines and then calls a function, and changing the document.write part of it to console.log, so you can see what it's trying to put into the document.

But there must be more to it, as the end is trying to use a variable that doesn't exist.
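
The two layers discussed in this thread, decoded statically under Node.js, as an added example that is not part of the original question or answer. `interleaveHalves` follows the steps of `RsRsRsRs` but returns the string instead of writing it; `splitIntoHalves`, `tagNames` and the sample value standing in for the undefined `wlkji` are assumptions constructed for illustration.

```javascript
// Added example: static analysis only. Nothing here calls eval or document.write.

// Layer 1: decode %XX escapes by hand; malformed escapes are left untouched.
function decodePercentHex(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Layer 2: same steps as RsRsRsRs on the page, but the result is returned
// instead of being passed to document.write.
function interleaveHalves(s) {
  const l = s.length;
  const www = Math.round(l / 2);
  const half = l < 2 * www ? www - 1 : www; // odd length: last char appended below
  let out = "";
  for (let i = 0; i < half; i++) out += s.charAt(i) + s.charAt(i + half);
  if (l < 2 * www) out += s.charAt(l - 1);
  return out;
}

// Hypothetical helper (not on the page): the inverse transform, used only to
// build constructed input for the decoder.
function splitIntoHalves(plain) {
  const odd = plain.length % 2 === 1;
  const body = odd ? plain.slice(0, -1) : plain;
  let evens = "", odds = "";
  for (let i = 0; i < body.length; i += 2) {
    evens += body.charAt(i);
    odds += body.charAt(i + 1);
  }
  return evens + odds + (odd ? plain.slice(-1) : "");
}

// List the element names the decoded markup would have created in the page.
function tagNames(markup) {
  return [...markup.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map(m => m[1].toLowerCase());
}

// Constructed sample standing in for the page's missing `wlkji` variable.
const constructedWlkji = splitIntoHalves('<p id="constructed">sample</p>');
// First bytes of the page's blob, decoded without evaluating anything.
console.log(decodePercentHex("%66%75%6e%63%74%69%6f%6e%20%52%73%52%73%52%73%52%73"));
const decoded = interleaveHalves(constructedWlkji);
console.log(decoded, tagNames(decoded));
```

To analyse the real page, replace `constructedWlkji` with the string assigned to `wlkji` elsewhere in the page source and inspect the returned markup as text.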
