In this case e had been aliased to eval and a was a string that had been manipulated by the various functions at the beginning of the file (and passed around via a series of misleading assignments). Looking at the code, there were a few methods that were designed to be confusing, and then several KB of strings like this that would eventually be decoded as javascript and executed: 22=" 4kqkk 255ie 35bnh 4mehn 2lh3b 7i29n 6m2jb 7jhln 562ik."Īfter digging around for a few minutes I was able to determine that the bit of code I really carded about was this: try Next I tried running it through jsunpack to see if it could make any sense of it - no luck, it broke the parser. I started with running the URL through VirusTotal, which scored 0/46 - so it was something of interest and not being detected by Anti-Virus software (at least statically). I've seen several variations on this code - there are enough similarities that it's clear that they have the same source, but different enough that the solution to deobfuscate changes each time. I was recently analyzing a web page that contained some highly obfuscated JavaScript - it's clear that the author had went through quite a bit of effort to make it as hard to understand as possible.
0 kommentar(er)
