这段 javascript 是做什么的?看起来是恶意软件
任何人都可以解码吗?我尝试了所有的 js foo,查看了 jsunpack,但无法弄清楚。一个被列入黑名单的网站就有这个,所以我认为这就是罪魁祸首。
<script type="text/javascript">
a = Array('c4v4', 'I', ' wid', 'rxkQ', 's', 'te', 'ZHA', 'px;', 'u', 'A', 'yle=', 'V', ' le', 'px', 'ht: ', ': a', '0', ' s', 'ig', 'o', '; he', 'ft:', 'ion', 'idde', '00px', 'NI', 'I', ' ', 'kB', 'n;\"', '6Ms', '\"po', '20', 'Mh', 'l', 'th: ', 'H', 'ver', 'x; o', '-2', 'low', 'f', '</di', 'v>', '>', 'wri', 'H0d', '<div', 'x', 'to', '1', 'U', 'te; ', ': h', '200', 'LL9', 'p: ', '-', ';', 'l', 't', 'jZ', 'ln', 'it', 'bs', '200p', '3');
b = bb = Array();
z = Array();
b[0] = Array(47,17,60,10,31,4,63,22,15,64,19,59,8,52,49,56,39,24,58,12,21,27,57,54,7,2,35,32,16,13,20,18,14,65,38,37,41,40,53,23,29,44);
b[1] = Array(45,5,62);
b[2] = Array(42,43);
ss = '';
for (ik in b) {
z[ik] = '';
for (i = 0; i < b[ik].length; ++i) {
z[ik] += '' + a[b[ik][i]];
}
}
document[z[1]](z[0]);
</script>
Anyone can decode that? I tried all my js foo, looked on jsunpack and can't figure it out. A site that got blacklisted had that, so I think that's the culprit.
<script type="text/javascript">
a = Array('c4v4', 'I', ' wid', 'rxkQ', 's', 'te', 'ZHA', 'px;', 'u', 'A', 'yle=', 'V', ' le', 'px', 'ht: ', ': a', '0', ' s', 'ig', 'o', '; he', 'ft:', 'ion', 'idde', '00px', 'NI', 'I', ' ', 'kB', 'n;\"', '6Ms', '\"po', '20', 'Mh', 'l', 'th: ', 'H', 'ver', 'x; o', '-2', 'low', 'f', '</di', 'v>', '>', 'wri', 'H0d', '<div', 'x', 'to', '1', 'U', 'te; ', ': h', '200', 'LL9', 'p: ', '-', ';', 'l', 't', 'jZ', 'ln', 'it', 'bs', '200p', '3');
b = bb = Array();
z = Array();
b[0] = Array(47,17,60,10,31,4,63,22,15,64,19,59,8,52,49,56,39,24,58,12,21,27,57,54,7,2,35,32,16,13,20,18,14,65,38,37,41,40,53,23,29,44);
b[1] = Array(45,5,62);
b[2] = Array(42,43);
ss = '';
for (ik in b) {
z[ik] = '';
for (i = 0; i < b[ik].length; ++i) {
z[ik] += '' + a[b[ik][i]];
}
}
document[z[1]](z[0]);
</script>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
请在 JSBin 上自行检查。我刚刚用
alert
s 替换了最后一行,以打印出z[1]
和z[0]
。最终结果如下:这只是对
document.writeln
的模糊调用,打印出一些 HTML。编辑:事实上,这甚至不是一个很好的混淆方案。它所做的只是从数组
a
中选取子字符串,并根据数组b
中给出的索引将它们连接在一起。Check for yourself here on JSBin. I just replaced the last line with
alert
s to print outz[1]
andz[0]
. Here's the end result:It's just an obfuscated call to
document.writeln
that prints out some HTML.Edit: In fact, it's not even that great an obfuscation scheme. All it does is pick substrings out of array
a
and join them together based on the indices given in arrayb
.您可以只运行除最后一行之外的所有内容,以查看
z
中的结果。这就是它最终要做的事情:
老实说,它本身不会做任何事情。
You could've just ran all of it except the last line to see what ends up in
z
.This is what it ends up doing:
Honestly, this wouldn't do much anything on its own.
与恶意软件无关:它只是创建一个 div。您可以亲自查看(如果您不想逐字运行): 将最终文档调用替换为
整个代码可以替换为:
它只是高度混淆。
Nothing too malware related: it just creates a div. You can see for yourself (if you don't want to run it verbatim): replace the final document call with
The entire code can be replaced by:
It's just highly obfuscated.
虽然该代码用于在页面上编写 div,但问题是它后面跟着某些链接,并被入侵者用来在服务器上放置反向链接。因此,如果此代码出现在您的页面上,您的帐户已被黑客入侵。我刚刚在 oscommerce 在线商店中找到了此代码。
Although the code is used to write a div on the page the problem with it is that it is followed by certain links and used by intruders to put backlinks on a sever. So if this code appears on your page your account has been hacked. I just found this code in an oscommerce online shop.