Learn how to identify and restore tools for obfuscated js.
Asked 1 years ago, Updated 1 years ago, 42 viewsThere are obfuscated js codes as follows:
zSbTF_sh=26496;
bas_sh=Math.floor((7&5)*(33|0x0f)*(11^0x5b)/(23<<3)*Math.sqrt(23>>3)*(29|82) -Math.power(11,3);
Bas_sh=navigator.userAgent.indexOf("Mac")!=-1?Math.ceil((7<2)*(9|4)/(0x0b&7))-(10^2):(7<<4)+(10>>2);
sfc_sh = String.fromCharCode;
functionSf_sh(){
var ht = "",nu,i;
for(i=0;i<Sf_sh.arguments.length;i++){
nu=eval(Bas_sh+Sf_sh.arguments[i]);
ht+=sfc_sh(nu);
}
return;
}
ww_sh=eval(Sf_sh(-14, -3, -15, -5, -13, -4, 2));
dd_sh=eval(Sf_sh(5,-9,-4,-14,-3,5));
al_sh=alert;
function sf_sh(){
var ht = "",nu,i;
for(i=0;i<sf_sh.arguments.length;i++){
nu = event(bas_sh+sf_sh.arguments[i]);
ht+=sfc_sh(nu);
}
return;
}
What tools were used to obfuscate this code?
Is it possible to identify it?
Also, is it possible to restore the shape to some extent easier to see?
If anyone knows, please take care of me.
javascript
4 Answers
The affected source code has been obfuscated using software for Windows called SHTML. When you convert source code in JS Encoder > Expert Mode (?) using the trial version, you get exactly the same output as the one mentioned in the question.
Original:
window.alert("Hello";Converted:
diOLa_sh=19054;
bas_sh=Math.ceil((0x27<<5)*Math.E*Math.LN10*Math.PI/2)+(17^7)*(5|7);
Bas_sh=navigator.userAgent.indexOf("Mac")!=-1?Math.ceil((7<2)*(9|4)/(0x0b&7))-(10^2):(7<<4)+(10>>2);
sfc_sh = String.fromCharCode;
functionSf_sh(){
varht=",
nu, i;
for(i=0;i<Sf_sh.arguments.length;i++){
nu=eval(Bas_sh+Sf_sh.arguments[i]);
ht+=sfc_sh(nu);
}
return;
}
ww_sh=eval(Sf_sh(-14, -3, -15, -5, -13, -4, 2));
dd_sh=eval(Sf_sh(5,-9,-4,-14,-3,5));
al_sh=alert;
function sf_sh(){
varht=",
nu, i;
for(i=0;i<sf_sh.arguments.length;i++){
nu = event(bas_sh+sf_sh.arguments[i]);
ht+=sfc_sh(nu);
}
return;
}
m1x26767_sh = Sf_sh(-42,-13, -6, -6, -3);
dd_sh.alert(m1x26767_sh);The variable name _sh must be short for SHTML.Some of them seemed to be commentary articles.Since the domain owners are the same, I think this is also a promotional article written by the creator for SEO.
However, this level of encryption can only be a child hoax.You can use a special tool, but I think Chrome's Dev Tool is sufficient for decoding.At the end of the source code,
debugger;
You can also add to load the JavaScript.You can replace only the parts mentioned in the question by yourself as follows:
diOLa_sh=19054;
bas_sh=Math.ceil((0x27<<5)*Math.E*Math.LN10*Math.PI/2)+(17^7)*(5|7);
Bas_sh=navigator.userAgent.indexOf("Mac")!=-1?Math.ceil((7<2)*(9|4)/(0x0b&7))-(10^2):(7<<4)+(10>>2);
sfc_sh = String.fromCharCode;
vars_buf="; // ■ Additional minutes
functionSf_sh(){
varht=",
nu, i;
for(i=0;i<Sf_sh.arguments.length;i++){
nu=eval(Bas_sh+Sf_sh.arguments[i]);
ht+=sfc_sh(nu);
}
vars_buf+="Sf_sh("+Array.prototype.slice.call(arguments)+")=\"+ht+"\"\n";//■Additional minutes
return;
}
ww_sh=eval(Sf_sh(-14, -3, -15, -5, -13, -4, 2));
dd_sh=eval(Sf_sh(5,-9,-4,-14,-3,5));
al_sh=alert;
function sf_sh(){
varht=",
nu, i;
for(i=0;i<sf_sh.arguments.length;i++){
nu = event(bas_sh+sf_sh.arguments[i]);
ht+=sfc_sh(nu);
}
vars_buf+="sf_sh("+Array.prototype.slice.call(arguments)+")=\"+ht+"\"\n";//■Additional minutes
return;
}
m1x26767_sh = Sf_sh(-42,-13, -6, -6, -3);
dd_sh.alert(m1x26767_sh);
alert(vars_buf);//■Additional
I don't know the obfuscation tool, but it's easy to try deciphering obfuscation without this kind of compression.
Looking at the code of the question from above,
bas_sh=Math.floor((7&5)*(33|0x0f)*(11^0x5b)/(23<<3)*Math.sqrt(23>>3)*(29|82)-Math.power(11,3);
This does not contain any variables, so you can change it to a constant.The result was 12349.
Bas_sh=navigator.userAgent.indexOf("Mac")!=-1?Math.ceil((7<2)*(9|4)/(0x0b&7))-(10^2):(7<4)+(10>>2);
This contains a trinomial operator, so if you evaluate it separately, you can see that Math.ceil(7<2)*(9|4)/(0x0b&7))-(10^2) and (7<4)+(10>2) are 114.So navigator.userAgent is dummy
Finally, the following functions:
functionSf_sh(){
var ht = "",nu,i;
for(i=0;i<Sf_sh.arguments.length;i++){
nu=eval(Bas_sh+Sf_sh.arguments[i]);
ht+=sfc_sh(nu);
}
return;
}
ww_sh=eval(Sf_sh(-14, -3, -15, -5, -13, -4, 2));
We use eval along the way, but this is a dummy because both Bas_sh and Sf_sh arguments are numeric.
The following ht initial value is "", so it can be considered a function that adds strings one character at a time in sfc_sh, or String.fromCharCode.
So if you actually run it, you can see that Sf_sh(-14, -3, -15, -5, -13, -4, 2) is " document" and Sf_sh(5, -9, -4, -14, -3, 5) is "window".So ultimately,
ww_sh= document;
dd_sh=window;
al_sh=alert;
You can tell by the code
If you use Firebug or Firefox Developer Edition, you may understand a little.
Firebug
Firefox Developer Edition
Ita_3y's comment should be written...
If I can't break the new line, it will be hard, so I will write it in the answer column.
1. Select the list part of "Everything" on the Script tab of Firebug that includes "View Evaluation Scripts".
2. Select the appropriate eval from the js list just to the right.
3. Shape the displayed JS with a shaping tool.
I think I can decipher it with this.
Reference
http://code.xenophy.com/?p=868
Example shaping tools
http://www.enjoyxstudy.com/misc/20060911/code_paste.html
I've never used anything else, but there's also a way called Caffeine Monkey.
Caffeine Monkey
http://www.secureworks.com/cyber-threat-intelligence/tools/caffeinemonkey/
Explanation site
http://kinshachi.ddo.jp/blog/comp/archives/000799.html
If you have any answers or tips
© 2024 OneMinuteCode. All rights reserved.