Obfuscated code
in [JavaScript]
|
Prev: Adding and removing many style elements
Next: Tagamet Super sale. Free-of-charge courier delivery!. Tagamet as an opiat enhancer,Tagamet for canine colitis,urticaria Tagamet,Tagamet melanomas,Tagamet 2007 jelsoft enterprises ltd
From: Lasse Reichstein Nielsen on 6 May 2010 15:12 "7String" <7String(a)thenewsgroup.com> writes: > yes, most likely its a byte values of the binary file > (executable). How an executable been converted into this strings in > order to be restored in an original form? That's impossible to say without seeing the code. /L -- Lasse Reichstein Holst Nielsen 'Javascript frameworks is a disruptive technology'
From: Dr J R Stockton on 7 May 2010 14:50
In comp.lang.javascript message <hrunec$ccn$1(a)news.eternal- september.org>, Thu, 6 May 2010 18:32:27, balzer <nospam(a)news.eternal- september.org> posted: >Here is offuscated code sample, it obfuscated binary, seems > >%b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004) >,c(000),c(000): .this line is 275413 characters long::c(000),c(000),c(0 >00),c(000 ),"") > >which encoding method is used to obfuscate binary? This is not base64. I doubt whether that is JavaScript as much as I doubt that your native language is English. Therefore, there is no reason to consider leading zero as indicating octal. Taken as decimal representations of 'ASCII', the first two characters are MZ, the third is hex 90. That pattern, followed by sparse numbers, is characteristic of MSDOS/Windows executables. For examples, see sig, use >mtr -h \windows\*.exe or similar. So the coding seems trivial, well short of crypto; but malware detectors may not decode it. -- (c) John Stockton, nr London, UK. ?@merlyn.demon.co.uk Turnpike v6.05 IE 7. Web <URL:http://www.merlyn.demon.co.uk/> - FAQish topics, acronyms, & links. MiniTrue is good for viewing/searching/altering files, at a DOS / CMD prompt; free, DOS/Win/UNIX, new via <URL:http://www.merlyn.demon.co.uk/pc-links.htm>. |