Explanation of JavaScript "The Da Vinci Code"

Novice security researchers can reach an impasse when analyzing JS code like the following (it generates an alert):

(É=[Å=[],µ=!Å+Å][µ[È=-~-~++Å]+({}+Å) [Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])() [µ[Å]+µ[Å+Å]+Ç[È]+ª](Å) 

I would like to remove the veil of secrecy and explain how it works. It uses several JavaScript rules:
  • implicit type conversion;
  • array indexing;
  • string and arithmetic operations (unary and binary);
  • JSON-based object creation;
  • referencing the global object (window) using some functions with invalid or empty parameters;
  • accessing properties by bracket notation.
Let me show it in action via JavaScript Shell:
[] //explicit empty array declaration
![] //implicit conversion to the Boolean value
false
[]+![] //implicit conversion to the String value
false
([]+![])[3] //get a char by index 3
s
a=[],++a //implicit conversion to the Integer value
1
([]+![])[a=[],++a] //use several implicit conversion, get a char by index 1
a
{} //explicit empty object creation via JSON-declaration
({}+[]) //implicit conversion to the String value
[object Object]
({}+[])[a=[],-~++a] //use several implicit conversion, get a char by index 2
b
x=[].sort,x() //get window object
[object Window]
(x=[].sort,x())["location"] //access window.location property
http://www.squarefree.com/shell/shell.html
Please note that getting the window object is not a trivial procedure, but there is a good description of how it works: (x=[].sort)()===window
Now let's proceed to analyzing the original sample:
//setting up variables
Å=[],µ=!Å+Å
false
µ
false
È=-~-~++Å
3
Å
1
Ç=!!Å+µ
truefalse
ª=Ç[Å]+Ç[+!Å]
rt
Knowing the variables, the mysterious code turns out to be trivial:

µ[Å]+µ[Å+Å]+Ç[È]+ª //one of the expressions in the code
alert
(É=["false"]["sort"])()["alert"](1) //deobfuscated code
As you can see, there is no magic here. But it clearly shows that in daedal hands JavaScript can be a dangerous weapon. So be cautious and careful, and no magic can resist your skills!
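
One way to confirm the analysis above without letting the sample touch the real global object, as an added example that is not part of the original post: replace [].sort with a stub that returns a logging Proxy, run the sample, and read back what it resolved and called. The stub also matters on current engines, where calling sort without a receiver throws a TypeError instead of returning window. The helper names traceSample and recorder are hypothetical, and the code assumes Node.js or a browser console; it is instrumentation, not isolation.

```javascript
// Added example (not from the original post): trace the sample's behaviour.
// traceSample and recorder are hypothetical helper names.
const SAMPLE =
  '(É=[Å=[],µ=!Å+Å][µ[È=-~-~++Å]+({}+Å)[Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])()' +
  '[µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)';

function traceSample(src) {
  const log = [];
  const show = (a) => (typeof a === 'function' ? '<recorder>' : String(a));
  // Stand-in for the global object: logs every property read and call,
  // and hands back another recorder so chained accesses keep working.
  const recorder = (path) => new Proxy(() => {}, {
    get(_target, prop) {
      if (typeof prop === 'symbol') return undefined;
      log.push(`get ${path}.${prop}`);
      return recorder(`${path}.${prop}`);
    },
    apply(_target, _self, args) {
      log.push(`call ${path}(${args.map(show).join(', ')})`);
      return recorder(`${path}()`);
    },
  });

  const before = new Set(Object.keys(globalThis));
  const realSort = Array.prototype.sort;
  const vars = {};
  Array.prototype.sort = function () {
    log.push('call [].sort()');
    return recorder('global');
  };
  try {
    // new Function compiles sloppy-mode code, so the sample's undeclared
    // assignments land on globalThis, where they are collected below.
    new Function(src)();
  } finally {
    Array.prototype.sort = realSort;
    for (const key of Object.keys(globalThis)) {
      if (before.has(key)) continue;
      vars[key] = globalThis[key];
      delete globalThis[key];
    }
  }
  return { log, vars };
}

console.log(traceSample(SAMPLE));
```

The returned log shows the sort call, the read of the alert property and the call with argument 1, and vars holds the same intermediate values as the variable walkthrough above.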
