Last Updated: 2007-08-06 07:35:24 UTC
by Bojan Zdrnja (Version: 1)
During analysis I confirmed something that I saw previously as well (http://isc.sans.org/diary.html?storyid=1519) – Internet Explorer and Mozilla Firefox have different implementations of this method. The reader who initially submitted the link to the exploit web page, Daniel, did some initial investigation on the implementation of this function.
Yesterday another reader, Ant, sent us his analysis of how Internet Explorer and Mozilla handle this function. Ant did a great job and found out almost exactly what’s going on.
Basically, Internet Explorer always preserves the original text, no matter what’s inside. Mozilla Firefox (the Spidermonkey script engine), on the other side, does some simple optimizations before calling the arguments.callee.toString() method.
Here are Ant’s comments:
The following text is removed before calling the method:
/* comment2 */
The following operators are applied before calling the method:
arithmetic (+, -, *, /, %)
bitwise NOT (~)
bitwise shift (<<, >>, >>>)
So, in other words, if you have a variable var test = 2+3; the test I put in the diary would show VARTEST23 in Internet Explorer and VARTEST5 in Firefox.