Last Updated: 2009-04-07 08:35:45 UTC
by Bojan Zdrnja (Version: 1)
be careful if you go there.
1) Usage of lists to return last values
This obfuscation method is very simple and is used to assign a value to a variable. The attacker can put an arbitrary number of values in front of the real one; the interpreter evaluates them all and keeps only the last. So, the following example:
assigns the string “it” to the variable “mutae”.
2) Expanding the list with conditionals
The attackers further expanded the expression mentioned above with a conditional. Conditionals are simply if/then statements, all in one line with special characters such as “?” and “:”. The following is an example of such usage:
I put special characters in red so it’s easier to see what’s happening here: the interpreter checks if 0.2e1 (which equals 2) is greater than or equal to 4e1 (which equals 40). If it is, the interpreter picks the first part, before the “:” character (.9075). It, of course, isn’t, so the interpreter will pick the strings "i"+"f" and concatenate them into “if”. Finally, this will result in the variable “rgvij” containing the string “if”. Not bad for obfuscation, you’ll agree.
3) Usage of [ and ] operators when referencing objects
Those of you following our diaries here have seen the document.write() call a million times already. This calls the method “write” in the object “document”. However, the same method can be called by using the [ and ] operators as well, as shown below:
document["write"]("text to print");
We can now easily see how this can be obfuscated with the following simple script:
a = document;
b = "write";
c = "text to print";
a[b](c); // same call as document["write"]("text to print")
All of this results in the document object being assigned to the variable aaa. Simple and effective.
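The three constructs above in one runnable script, as an added example that is not code from the original diary. The filler values in the list, the `SAMPLE` string and the helpers `makeRecordingDocument` and `analyze` are constructed for illustration; the point for a defender is that a text signature for `document.write(` never matches the script in section 3, while a recording stand-in for `document` still sees the call.

```javascript
// Added example with constructed inputs; not the samples from the diary.

// 1) List (comma operator): every operand is evaluated, only the last is kept.
function lastOfList() {
  const mutae = (31337, "ignored", 0x1f, "it"); // filler values are constructed
  return mutae;
}

// 2) Conditional with exponent literals: 0.2e1 is 2 and 4e1 is 40, so the
//    test is false and the expression after ":" is the result.
function conditional() {
  const rgvij = (0.2e1 >= 4e1 ? .9075 : "i" + "f");
  return rgvij;
}

// 3) Recording stand-in for the browser's `document` (hypothetical helper).
function makeRecordingDocument() {
  const calls = [];
  return { calls, write(text) { calls.push(text); } };
}

// Constructed script in the style of section 3.
const SAMPLE = 'a = document; b = "write"; c = "text to print"; a[b](c);';

// Compare a naive text signature with what the script does when it runs.
// Only suitable for the constructed sample: new Function() is not a sandbox
// and must not be used on untrusted script.
function analyze(src) {
  const signatureHit = /document\s*\.\s*write\s*\(/.test(src);
  const doc = makeRecordingDocument();
  // a, b and c are parameters so the sample's assignments stay local.
  new Function("document", "a", "b", "c", src)(doc);
  return { signatureHit, written: doc.calls };
}

const result = analyze(SAMPLE);
console.log(lastOfList(), conditional(), result);
```
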