Explanation of JavaScript "The Da Vinci Code"

Novice security researchers can reach an impasse when analyzing JS code like the following (it generates an alert):

(É=[Å=[],µ=!Å+Å][µ[È=-~-~++Å]+({}+Å) [Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])() [µ[Å]+µ[Å+Å]+Ç[È]+ª](Å) 

I would like to lift the veil of secrecy and explain how it works. It relies on several JavaScript rules:
  • implicit type conversion;
  • array indexing;
  • string and arithmetic operations (unary and binary);
  • JSON-style object literal creation;
  • referencing the global object (window) by calling certain functions with invalid or empty parameters;
  • accessing properties by bracket notation.
Let me show it in action via JavaScript Shell:
[] //explicit empty array declaration
![] //implicit conversion to the Boolean value
false
[]+![] //implicit conversion to the String value
false
([]+![])[3] //get a char by index 3
s
a=[],++a //implicit conversion to the Number value
1
([]+![])[a=[],++a] //use several implicit conversions, get the char at index 1
a
{} //explicit empty object creation via JSON-style declaration
({}+[]) //implicit conversion to the String value
[object Object]
({}+[])[a=[],-~++a] //use several implicit conversions, get the char at index 2
b
x=[].sort,x() //get window object
[object Window]
(x=[].sort,x())["location"] //access window.location property
http://www.squarefree.com/shell/shell.html
Please note that obtaining the window object is not a trivial procedure, but there is a good description of how it works: (x=[].sort)()===window
Now let's proceed to analyzing the original sample:
//setting up variables
Å=[],µ=!Å+Å
false
µ
false
È=-~-~++Å
3
Å
1
Ç=!!Å+µ
truefalse
ª=Ç[Å]+Ç[+!Å]
rt
Once the variables are known, the mysterious code turns out to be trivial:

µ[Å]+µ[Å+Å]+Ç[È]+ª //one of the expressions in the code
alert
(É=["false"]["sort"])()["alert"](1) //deobfuscated code
As you can see, there is no magic here. But it clearly shows that in daedal hands JavaScript can be a dangerous weapon. So be cautious and careful, and no magic will resist your skills!
