Decode this strange Javascript

2020-02-06 02:41发布

问题:

I came across this code in a .js file. What is this code ??

I have downloaded that file onto my localhost webserver.Keeping this code in the .js file redirects me to google.com and when i am commenting this code the page runs perfectly !!

I can understand that this is done to enforce that the page is to be executed from a server link only !!!

How can i decode this js ???

[]['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72']['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72'](self['\x75\x6e\x65\x73\x63\x61\x70\x65']('%69%66%28%7e%6c%6f%63%61%74%69%6f%6e%2e%70%72%6f%74%6f%63%6f%6c%2e%69%6e%64%65%78%4f%66%28%27%68%74%74%70%3a%27%29%26%26%7e%6c%6f%63%61%74%69%6f%6e%2e%68%6f%73%74%2e%69%6e%64%65%78%4f%66%28%27%74%65%6d%70%6c%61%74%65%2d%68%65%6c%70%2e%63%6f%6d%27%29%29%7b%7d%65%6c%73%65%28%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%27%29'))()

回答1:

Python happens to use the same way of encoding, so I just threw it at a Python shell.

>>> '\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72'
'constructor'
>>> '\x75\x6e\x65\x73\x63\x61\x70\x65'
'unescape'
>>> import urllib
>>> urllib.unquote('%69%66%28%7e%6c%6f%63%61%74%69%6f%6e%2e%70%72%6f%74%6f%63%6f%6c%2e%69%6e%64%65%78%4f%66%28%27%68%74%74%70%3a%27%29%26%26%7e%6c%6f%63%61%74%69%6f%6e%2e%68%6f%73%74%2e%69%6e%64%65%78%4f%66%28%27%74%65%6d%70%6c%61%74%65%2d%68%65%6c%70%2e%63%6f%6d%27%29%29%7b%7d%65%6c%73%65%28%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%27%29')
"if(~location.protocol.indexOf('http:')&&~location.host.indexOf('template-help.com')){}else(location.href='http://www.google.com')"

So this code boils down to (adding whitespace for clarity):

[]['constructor']['constructor'](
  "if (~location.protocol.indexOf('http:') &&
       ~location.host.indexOf('template-help.com'))
     {}
   else
     (location.href='http://www.google.com')")()

So what does this actually do? Node.js to the rescue:

> [].constructor
[Function: Array]
> [].constructor.constructor
[Function: Function]
> 

So [] is simply an empty array, [].constructor gives us the array constructor (which is a Function object), and finally, [].constructor.constructor gives us the constructor of the Function object. That constructor accepts a string containing some code, and turns it into a callable function, that then gets called (note the () at the very end). So this eventually just executes this code:

if (~location.protocol.indexOf('http:') &&
    ~location.host.indexOf('template-help.com'))
  {}
else
  (location.href='http://www.google.com')

Yeah, if I wrote code like that, I'd obfuscate it too! ;)



回答2:

Try this...

<html>
<head>
<script type="text/javascript">
var a="[]['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72']['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72'](self['\x75\x6e\x65\x73\x63\x61\x70\x65'](" + unescape('%69%66%28%7e%6c%6f%63%61%74%69%6f%6e%2e%70%72%6f%74%6f%63%6f%6c%2e%69%6e%64%65%78%4f%66%28%27%68%74%74%70%3a%27%29%26%26%7e%6c%6f%63%61%74%69%6f%6e%2e%68%6f%73%74%2e%69%6e%64%65%78%4f%66%28%27%74%65%6d%70%6c%61%74%65%2d%68%65%6c%70%2e%63%6f%6d%27%29%29%7b%7d%65%6c%73%65%28%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%27%29') + "))()";
</script>
</head>
<body>
<input type=button value=click onclick="javascript:alert(a);">
</body>
</html>

The answer, as already pointed out, is...

[]['constructor']['constructor'](self['unescape'](if(~location.protocol.indexOf('http:')&&~location.host.indexOf('template-help.com')){}else(location.href='http://www.google.com')))()


回答3:

It is doubly-coded, first as %nn URL-style characters, then as \xnn string characters. It decodes to

[]['constructor']['constructor'](
  self['unescape']('
    if(~location.protocol.indexOf('http:')&&~location.host.indexOf('template-help.com')){}
    else(location.href='http://www.google.com')
  '))()

Note that the quotes no longer nest properly after decoding, and the ['unescape'] has already been done.



回答4:

i found this code while downloading one of the template from templatemonster.com. I tried each and every step but i wasnt make that website availbale on either my local/own server. I then thought it might be some JS if not flash.

tried removing every js One after Another and then found that they paste this code at the last of their file to not let you download the pages. :)

to understand the code i searched Google and found this thread. Gr8 article.

happy now! I'm a cracker now. :)

The code they paste is :

[]['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72']'\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72'()

and in jquery^version.js



回答5:

I would suggest use this next time URL DECODE You could easily decode that string.

if(~location.protocol.indexOf('http:')&&~location.host.indexOf('template-help.com')){}else(location.href='http://www.google.com')

It's a way to hide code, and check if the script is running on specific domain. if not redirect it somewhere. in this case google.com



回答6:

That js file you are talking about is a piece of js code that http://templates.entheosweb.com/ uses to secure it's web scripts and themes from being stolen from their website. Wherever you got that file means that the theme or files it was included with was stolen from that website.



回答7:

Its Happen once you copy/paste or save as template files from template-help.com

simply delete that section to run perfectly. If we decode the code , its looks like this -

    []['constructor']['constructor'](
  "if (~location.protocol.indexOf('http:') &&
       ~location.host.indexOf('template-help.com'))
     {}
   else
     (location.href='http://www.google.com')")()

So delete it n enjoy.