Voici un décodeur JavaScript puissant, tout nouveau, trouvé sur 0x000000 : il permet de décoder le JavaScript des scripts malveillants.
#!/usr/bin/perl -w
use strict;
## Javascript decoder script by Nicholas Albright of DISOG - http://www.disog.org
## Special thanks to Jose Nazario and Daniel Wesemann for their contributions to the community!
## Check for Spidermonkey and arguments:
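# The decoder runs the sample inside SpiderMonkey's standalone shell, so refuse
# to start when that binary is not installed at the expected path.
if (! -e "/usr/bin/js") { die ("** This script requires Mozilla\'s SpiderMonkey. Install it and symlink it to /usr/bin/js\n"); }
if (! $ARGV[0]) { Usage(); }
$SIG{INT} = \&TrapBreak;
# State shared with MakeHuman() and CheckAgain():
#   $Result     - output of the most recent decode pass
#   $ResultHold - output of the pass before it (kept in case the last pass yields nothing)
#   $Answer     - operator's reply to the step-mode prompt
#   $Pass       - number of decode passes run so far
our ($Result, $ResultHold, $Answer, $Pass) = (0, 0, 0, 1);
our $Infile = shift;
our $StepThru = shift || '0';
#Open our encoded javascript file and put it into a scalar (for easier handling)
# Three-argument open keeps the mode separate from the operator-supplied file
# name, so the name is used literally instead of being parsed with the mode.
open (EncodedFile, '<', $Infile) || die ("Unable to open file $Infile. Check your spelling and try again.\n");
our $EncodedJS = do { local $/; <EncodedFile> };
close (EncodedFile);
#attempt to decode, and check to see if it needs another pass
MakeHuman();
CheckAgain();
##Print results, or failures.
if ($Result) {
    print ("\n//\t\t\t** Begin Decoded Javascript **\n\n$Result\n\n//\t\t\t** End Decoded Javascript. It took $Pass passes. **\n");
    exit 0;
}
elsif ($ResultHold) {
    # The last pass produced nothing usable: report the previous pass instead,
    # and do not count the empty pass.
    $Pass = $Pass-1;
    print ("\n//\t\t\t** Begin Decoded Javascript **\n\n$ResultHold\n\n//\t\t\t** End Decoded Javascript. It took $Pass passes. **\n");
    exit 0;
}
else {
    print ("\n//\t\t\t** Decode failed. You might wish to try step mode and or clean up the code a bit.\n");
    exit 255;
}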
## Sub routines:
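sub MakeHuman {
    # Run one decode pass over $EncodedJS and store SpiderMonkey's standard
    # output in $Result.
    #
    # A small prelude is put in front of the sample: a stub `document` object
    # whose write() prints its argument and, when the sample mentions eval,
    # `eval=print` so that the string handed to eval is printed instead of run.
    # Script/body/html tags are turned into comments so the js shell does not
    # choke on HTML wrappers.
    #
    # NOTE: everything else in the sample is still executed by the js shell.
    # Treat this as running untrusted code and use an isolated analysis host.
    my $Document = ("function docfunc(){this.write=function(string) {print(string);}};\nvar document=new docfunc();");
    if ($EncodedJS =~ /eval/i) { $Document = ("$Document\neval=print;"); }
    my $Javascript = ("$Document\n$EncodedJS");
    $Javascript =~ (s/<\/?((java)?script|body|html)([^>]*)?>/\n\/\/$&\t\/\/\t<-\tRemoved by JSDECODE\n/gi);

    # The sample is attacker-controlled text. Interpolating it into a shell
    # command line lets `$`, backticks and backslashes in the sample be
    # interpreted by the shell on the analyst's machine, and escaping only the
    # double quotes does not prevent that. Fork and exec the interpreter
    # directly with an argument list so no shell ever parses the sample, and
    # use the same absolute path the start-up check verified.
    my $Pid = open (my $JsOut, '-|');
    if (! defined $Pid) {
        warn ("Unable to start /usr/bin/js: $!\n");
        $Result = '';
        return;
    }
    if ($Pid == 0) {
        # Child: discard the interpreter's error output, as before.
        open (STDERR, '>', '/dev/null');
        exec ('/usr/bin/js', '-e', $Javascript);
        exit 127;
    }
    my $Output = do { local $/; <$JsOut> };
    close ($JsOut);
    $Result = defined $Output ? $Output : '';
}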
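sub CheckAgain {
    # Keep decoding while the latest output still looks like JavaScript (a
    # script tag or the word "function") and does not look like an HTML page.
    # In step mode the operator is asked before every extra pass; otherwise
    # $Answer keeps its initial value and every pass is taken automatically.
    while ($Result =~ /(<?\/?(java)?script>|function)/i and $Result !~ /<(body|html)>/i) {
        $ResultHold = $Result;
        if ($StepThru =~ /step/i) {
            print ("*** Pass $Pass: What I decoded appears to be another JavaScript. Shall I try to decode it too ([YES]/no)? ");
            $Answer = <STDIN>;
            # STDIN closed: nobody can answer, so stop instead of re-running
            # the sample unattended on every iteration.
            return () if (! defined $Answer);
        }
        if ($Answer !~ /n/i){
            $EncodedJS = $Result;
            MakeHuman();
            $Pass++;
            # A pass that reproduces its own input will never converge; a
            # sample built that way would otherwise keep this loop spinning.
            # A sample whose output changes on every pass is not caught here;
            # interrupting the script remains the way out of that case.
            return () if ($Result eq $ResultHold);
        }
        else { return (); };
    }
}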
sub TrapBreak {
    # SIGINT handler (installed through $SIG{INT}): tell the operator, release
    # the input file handle and leave with the failure exit status.
    my $Notice = "\n** CTL-BREAK Caught. Cleaning up and exiting. **\n";
    print $Notice;
    close EncodedFile;
    exit (255);
}
sub Usage {
    # Show the command-line help and exit successfully. Called when no input
    # file is given on the command line.
    my $Help = "Nicholas Albright\'s Javascript Decoder (jsdecode.pl)\n"
             . "\tOptions:\n\t\t-step = step through multiple encodings (useful if you want to see every decode phase)\n"
             . "\tUsage:\n\t\t$0 <encoded_file.js> [-step]\n\n";
    print $Help;
    exit 0;
}
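#We should never get this far.
# Every branch of the if/elsif/else result report ends in exit, so this line
# is only reached if that control flow has been altered.
die ("Something failed. Check the script and try again\n");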