Explaination of JavaScript "The Da Vinci Code"

Novice security researchers can reach an impasse analyzing the such-like JS-code (it generates an alert):

(É=[Å=[],µ=!Å+Å][µ[È=-~-~++Å]+({}+Å) [Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])() [µ[Å]+µ[Å+Å]+Ç[È]+ª](Å) 

I would like to remove the veil of secrecy, and explain how it works. It uses several JS-rules:
  • implicit type conversion;
  • arrays indexing;
  • string and arithmetic operations (unary and binary);
  • JSON-based object creation;
  • referencing the global object (window) using some functions with invalid or empty parameters;
  • accessing properties by bracket notation.
Let me show it in action via JavaScript Shell:
[] //explicit empty array declaration
![] //implicit conversion to the Boolean value
false
[]+![] //implicit conversion to the String value
false
([]+![])[3] //get a char by index 3
s
a=[],++a //implicit conversion to the Integer value
1
([]+![])[a=[],++a] //use several implicit conversion, get a char by index 1
a
{} //explicit empty object creation via JSON-declaration
({}+[]) //implicit conversion tho the String value
[object Object]
({}+[])[a=[],-~++a] //use several implicit conversion, get a char by index 2
b
x=[].sort,x() //get window object
[object Window]
(x=[].sort,x())["location"] //access window.location property
http://www.squarefree.com/shell/shell.html
Please notice that getting window object is not a trivial procedure, but there is a good description how it works: (x=[].sort)()===window
Now let's proceed to the analyzing the original sample:
//setting up variables
Å=[],µ=!Å+Å
false
µ
false
È=-~-~++Å
3
Å
1
Ç=!!Å+µ
truefalse
ª=Ç[Å]+Ç[+!Å]
rt
Knowing the variables the mysterious code turns out in the trivial one:

µ[Å]+µ[Å+Å]+Ç[È]+ª //one of the expression in the code
alert
(É=["false"]["sort"])()["alert"](1) //deobfuscated code
As you can see there is no magic here. But it clearly shows that in daedal hands JavaScript can be a dangerous weapon. So be cautious and careful, and no magic can resist your skills!

Comments

Post a Comment

Popular posts from this blog

Web application framework comparison by memory consumption

Memory consumption is slightly specific to my area of software development now, but I did some research recently and maybe these results can be useful for others. Of course, I know that precious comparison is very difficult to carry out, but actually I needed only overall picture. And let me admit that results are pretty interesting and even frustrated (at least for me). As a basis I took so-starving project, and measured initial RSS (Resident Set Size) of the each process (local development webservers). Platform: x86_64 Linux (latest Ubuntu with all updates). As a reference, here is the RSS of the interpreters in interactive console mode: Interpreter Version RSS (kB) stackless python 2.6.4 3916 ruby (via irb) 1.8.7 4664 python 2.7.1 5624 php 5.3.5 6924 v8 (via node.js shell) 2.5.9.9 8796 One more reference - the most simplest WSGI app ( example  in the Python documentation). It's RSS: 7336 Kb , so I assume it's almost impossible to consume ...
Read more

Trac Ticket Workflow

Trac is the wiki and issue tracking system that is the most used for my software development projects. Let me share few hints about its ticket workflow, especially about the statuses, the roles of the participants, and let me give an example of the workflow config. But if you are interested in other things like Trac plugins, source browser, customizing, etc, let me know. All the information given below regards the workflow described at the end of the article. The original Trac workflow is missed vital features like the support for ticket verifying, or the required ticket statuses range, so I do not use it in my projects. The description of the main statuses: new - the ticket has been created; in-progress - the developer has began to work with the ticket; fixed - the ticket is fixed (the problem issued in the ticket is solved); verified - the ticket is verified (tester or PM has verified that the ticket is fixed correctly); closed - the ticket is closed (it's not...
Read more

Python vs JS vs PHP for embedded systems

UPDATE (07/18/17): The original article was written in 2011 and pretty much outdated, I've updated the numbers and conclusions. I've got a question about which programming language is preferable for the website development for embedded systems (with limited resources). Here is my small investigation in a table form. Please note that the question was about only these 3 programming languages - there are better candidates for the embedded systems now (for example, Rust). The Memory and Performance overhead numbers are based on the n-body benchmark and calculated as relatives to "C gcc #4" measurements. Python 3 Node.js PHP Memory Overhead x7.62 x29.04 x8.53 Type System Strong Typing Weak Typing Weak Typing Vulnerabilities 220 1411 5626 Performance Overhead x78.31 x2.82 x30.12 Documentation Excellent Excellent Average C Bindings Excellent Average Poor Code Readability With PEP8 it can be almost perfect ESLint enforces very good style PEAR Coding Stan...
Read more