注册 登录  
 加关注
   显示下一条  |  关闭
温馨提示!由于新浪微博认证机制调整,您的新浪微博帐号绑定已过期,请重新绑定!立即重新绑定新浪微博》  |  关闭

冰魂's blog

关注网络技术.

 
 
 
 
 

日志

 
 

[分享]Javascript Deobfuscator实现之Javascript函数劫持  

2011-08-28 04:47:41|  分类: [Web前端] |  标签: |举报 |字号 订阅

  下载LOFTER 我的照片书  |

1.思路
其实思路非常简单,Javascript作为典型的弱类型语言,函数也是对象,可以进行赋值等操作。于是我们可以考虑在脚本层面上对eval、document.write、document.writeln等函数进行劫持,从而实现反混淆。
2.实现
<script>

function error_handler(desc,page,line){

 //do what you like

 return true

}


window.onerror=error_handler;


real_eval=eval

real_write=document.write

real_writeln=document.writeln

eval=hooked_eval

document.write=hooked_write

document.writeln=hooked_writeln


function hooked_write(){

         for(var i = 0; i < arguments.length; i++){

                   AddEntry("document.write("+arguments[i]+")")

                   real_write(arguments[i])

         }

}


function hooked_writeln(x){

         var i;

         for(i = 0; i < arguments.length-1; i++){

                   AddEntry("document.write("+arguments[i]+")")

                   real_write(arguments[i])

         }

         AddEntry("document.writeln("+arguments[i]+")")

         real_writeln(arguments[i])

}


function hooked_eval(x){

         AddEntry("eval("+x+")")

         return real_eval(x)

}


function AddEntry(x){

         //do what you like

}

</script>
3.扩展
实现更广泛的劫持,参考http://www.xfocus.net/articles/200712/963.html
4.缺点
容易被反劫持,参考http://www.xfocus.net/articles/200712/963.html

5.示例

<script>

function clearLog(){
 document.all.error.innerText=""
 var t = document.all.t1
 for(i=t.rows.length-1;i>=1;i--){
  t.deleteRow(i);
 }
 document.frame1.run_next = new Array()
}

</script>


<table id=t1 width=600 border=1 cellpadding=0 cellspacing=0 bordercolor=black>
<tr><td bgcolor="#7c7c7c" align=center><font color=white>Log - <a href="javascript:clearLog()" style="color:white">Clear</a></font></td></tr>
</table>
<br>

<div id=error name=error style="color:red"></div>
<br><br>

<textarea rows=20 cols=65 id=ta name=ta style="position:absolute:top:0;left:0"></textarea><br>
<input type=button onclick="runjs(ta.value)" value="RunJS">
<script>
 function error_handler(desc,page,line){

 document.all.error.innerText = 'Error caught At Line :'+line+"\n"+
                                   'Description: \t'+desc
 return true

}

window.onerror=error_handler;
</script>

<script>

var run_next = new Array();

function LoadCode(i){
 ta.value = run_next[i]
}

function hooked_write(){

         for(var i = 0; i < arguments.length; i++){

                   AddEntry("document.write("+arguments[i]+")")
                   
          //write() method is not proper here, it can erase the current document
                   //real_write(arguments[i])

         }

}

function hooked_writeln(x){

         var i;

         for(i = 0; i < arguments.length-1; i++){

                   AddEntry("document.write("+arguments[i]+")")

                   //write() method is not proper here, it can erase the current document
                   //real_write(arguments[i])

         }

         AddEntry("document.writeln("+arguments[i]+")")
         
         //writeln() method is not proper here, it can erase the current document
         //real_writeln(arguments[i])

}


function hooked_eval(x){

         AddEntry("eval("+x+")")

         return real_eval(x)

}

function AddEntry(x){
     run_next[run_next.length] = x
 a = "<a href='javascript:frame1.LoadCode("+(run_next.length-1)+")'>Load</a> - "
 document.all.t1.insertRow().insertCell().innerHTML= a + x.split('<').join('&lt;') ;
}

function runjs(x){
 document.all.error.innerText = ""
 real_eval(x)

real_eval=eval

real_write=document.write

real_writeln=document.writeln

eval=hooked_eval

document.write=hooked_write

document.writeln=hooked_writeln

</script>

  评论这张
 
阅读(773)| 评论(0)
推荐 转载

历史上的今天

评论

<#--最新日志,群博日志--> <#--推荐日志--> <#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇,下一篇--> <#-- 热度 --> <#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->
 
 
 
 
 
 
 
 
 
 
 
 
 
 

页脚

网易公司版权所有 ©1997-2017