Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: help with obfuscated javascript

From: "Krpata, Tyler" <tkrpata () bjs com>
Date: Fri, 5 Jan 2007 11:46:46 -0500
The %u indicates a unicode character. This is probably shellcode. If you
look at it as assembly, it looks like the start of some kind of decoder
loop. (The byte order of each char would be reversed from what you're
seeing, so the shellcode would be something like
\x90\x90\x90\x90\xeb\x0f\x5b\x33...etc)


-----Original Message-----
From: listbounce () securityfocus com

[mailto:listbounce () securityfocus com]

On Behalf Of Andrew
Sent: Friday, January 05, 2007 4:22 AM
To: security-basics () securityfocus com
Subject: help with obfuscated javascript

I'm already familiar with how to unobfuscate  basic unescaped

javascript

such as %79%6C%75%6D, etc.

I recently ran across a file with the following:

unescape("%u9090%u9090%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243%

.....


Any idea what this encoding is/how to decode it?

Thanks!



------------------------------------------------------------------------
--

-
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.



http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetec
t



------------------------------------------------------------------------
--

-



---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: