Can anyone explain the following code?
Function(
Function(
'return \'\\141\\75\\160\\162\\157\\155\\160\\164\\50\\47\\105\\156\\164\\162\\145\\172\\40\\154\\145\\40\\155\\157\\164\\40\\144\\145\\40\\160\\141\\163\\163\\145\\47\\51\\73\\151\\146\\50\\141\\75\\75\\47\\164\\157\\164\\157\\61\\62\\63\\154\\157\\154\\47\\51\\173\\141\\154\\145\\162\\164\\50\\47\\142\\162\\141\\166\\157\\47\\51\\73\\175\\145\\154\\163\\145\\173\\141\\154\\145\\162\\164\\50\\47\\146\\141\\151\\154\\56\\56\\56\\47\\51\\73\\175\''
)()
)()
Interesting here: an actual function is getting created using the Function().
But since I cannot view the native code, I am having difficulty understanding the actual function that is getting created. This is taken from root-me.org Javascript - native code challenge.
It deobfuscates to:
a = prompt('Entrez le mot de passe');
if(a=='toto123lol'){
alert('bravo');
} else{
alert('fail...');
}
To verify, in Chrome, open Developer Tools, open the console, and paste in:
Function(
'return \'\\141\\75\\160\\162\\157\\155\\160\\164\\50\\47\\105\\156\\164\\162\\145\\172\\40\\154\\145\\40\\155\\157\\164\\40\\144\\145\\40\\160\\141\\163\\163\\145\\47\\51\\73\\151\\146\\50\\141\\75\\75\\47\\164\\157\\164\\157\\61\\62\\63\\154\\157\\154\\47\\51\\173\\141\\154\\145\\162\\164\\50\\47\\142\\162\\141\\166\\157\\47\\51\\73\\175\\145\\154\\163\\145\\173\\141\\154\\145\\162\\164\\50\\47\\146\\141\\151\\154\\56\\56\\56\\47\\51\\73\\175\''
)()
These are the steps of "how the encoding works", essentially. To "encode" the letter "a":
test = "a";
console.log(test.charCodeAt(0)); //97
console.log(parseInt('141', 8)); //97
console.log('\141'); //a
But since I cannot view the native code, I am having difficulty understanding the actual function that is getting created.
You have native code inside the script tag. It just looks unusual as it is referencing the ASCII key codes; octal (OCT) to be exact. Here is a link
ASCII Key Codes
First we have an executable tag that starts things off. Here is a link explaining what it does.
HTML tags
Inside the tag we have two functions or function constructors.
If you were to type Function() into your console you would get
function anonymous() {}
For more information check out this link.
Function JS link
Let's start with the nested function first.
Function(
'return \'\\141\\75\\160\\162\\157\\155\\160\\164\\50\\47\\105\\156\\164\\162\\145\\172\\40\\154\\145\\40\\155\\157\\164\\40\\144\\145\\40\\160\\141\\163\\163\\145\\47\\51\\73\\151\\146\\50\\141\\75\\75\\47\\164\\157\\164\\157\\61\\62\\63\\154\\157\\154\\47\\51\\173\\141\\154\\145\\162\\164\\50\\47\\142\\162\\141\\166\\157\\47\\51\\73\\175\\145\\154\\163\\145\\173\\141\\154\\145\\162\\164\\50\\47\\146\\141\\151\\154\\56\\56\\56\\47\\51\\73\\175\'')()
By using the JS Function constructor, we can pass in arguments to our new function as well as the function body.
new Function ([arg1[, arg2[, ...argN]],] functionBody)
In the nested function we just create an anonymous function and pass it a function body in the form of a string like this
'return \'\\141\\75\\160\\162\\157\\155\\160\\164\\50\\47\\105\\156\\164\\162\\145\\172\\40\\154\\145\\40\\155\\157\\164\\40\\144\\145\\40\\160\\141\\163\\163\\145\\47\\51\\73\\151\\146\\50\\141\\75\\75\\47\\164\\157\\164\\157\\61\\62\\63\\154\\157\\154\\47\\51\\173\\141\\154\\145\\162\\164\\50\\47\\142\\162\\141\\166\\157\\47\\51\\73\\175\\145\\154\\163\\145\\173\\141\\154\\145\\162\\164\\50\\47\\146\\141\\151\\154\\56\\56\\56\\47\\51\\73\\175\''
When the function runs, the outer quotes '' are removed and this statement is run
return \'\\141\\75...'
The return, of course, executes and exits the function, and when THIS function is run we get another function body in the form of another string value.
"a=prompt('Entrez le mot de passe');if(a=='toto123lol'){alert('bravo');}else{alert('fail...');}"
The leading '\', which is after the return statement but before the actual string, is only there to escape the following quote, so the compiler does not mistake it for the closing quote of the string that starts just before the return statement. We could get rid of it, as well as the second one just after the last number, and instead write the function body like this
Function(
'return "\\141\\75\\160\\162\\157\\155\\160\\164\\50\\47\\105\\156\\164\\162\\145\\172\\40\\154\\145\\40\\155\\157\\164\\40\\144\\145\\40\\160\\141\\163\\163\\145\\47\\51\\73\\151\\146\\50\\141\\75\\75\\47\\164\\157\\164\\157\\61\\62\\63\\154\\157\\154\\47\\51\\173\\141\\154\\145\\162\\164\\50\\47\\142\\162\\141\\166\\157\\47\\51\\73\\175\\145\\154\\163\\145\\173\\141\\154\\145\\162\\164\\50\\47\\146\\141\\151\\154\\56\\56\\56\\47\\51\\73\\175"')()
If you ran this code in your console you would get the same result, try it!
If you do, you will find that all these numbers have compiled to actual letters and numbers; in fact they compiled to ASCII character codes. This happened because of the '\' which precedes each number. For less confusion, let's turn each "\\" into "\"
Function(
'return "\141\75\160\162\157\155\160\164\50\47\105\156\164\162\145\172\40\154\145\40\155\157\164\40\144\145\40\160\141\163\163\145\47\51\73\151\146\50\141\75\75\47\164\157\164\157\61\62\63\154\157\154\47\51\173\141\154\145\162\164\50\47\142\162\141\166\157\47\51\73\175\145\154\163\145\173\141\154\145\162\164\50\47\146\141\151\154\56\56\56\47\51\73\175"')()
As you will see, this will still run and we get
"a=prompt('Entrez le mot de passe');if(a=='toto123lol'){alert('bravo');}else{alert('fail...');}"
So the nested function returns a function body as a string, which then gets executed in the outer Function constructor in the same way that the nested function fired. Here is the same example with a few things removed for better clarity
Function(
Function('return "\141\75\160\162\157\155\160\164\50\47\105\156\164\162\145\172\40\154\145\40\155\157\164\40\144\145\40\160\141\163\163\145\47\51\73\151\146\50\141\75\75\47\164\157\164\157\61\62\63\154\157\154\47\51\173\141\154\145\162\164\50\47\142\162\141\166\157\47\51\73\175\145\154\163\145\173\141\154\145\162\164\50\47\146\141\151\154\56\56\56\47\51\73\175"')())()
Note: you may need to open a new window and then paste this in the console and click enter.
And for even more clarity, we could just copy and paste the initial returned value into the outer function like this
Function("a=prompt('Entrez le mot de passe');if(a=='toto123lol'){alert('bravo');}else{alert('fail...');}")()
This will also work.
What the nested function does
The first part opens a browser prompt window and attaches its future value to variable 'a'. Try this
Function("a=prompt('Enter Password');console.log(a);")()
When you press Enter your value will show in the console. The second part of the function analyzes this returned value by comparing it to the string 'toto123lol'.
when the entered value is exactly 'toto123lol' a new alert window will appear displaying 'bravo'.
If the entered value is not exactly 'toto123lol' a new alert window will appear displaying 'fail...'
As you can see, the initial function of your question contains all the needed information to not only run working code, but also all the native code you need to figure out what it is doing.
After checking out the website you mentioned
Root-me.org
Perhaps what the test is trying to show is that what may look like harmless code can actually be anything which could be executable within an HTML tag. Or perhaps that there are many ways in which to influence behavior?
I hope this answers your question.
UPDATE: If you are wondering what the difference is between '\\' or '\' I have asked it here - why double or single escapes
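Both answers above decode the payload by running it through Function() and reading what comes back. That is fine for a CTF string you have already read, but for an unknown sample it means executing attacker-controlled code in your browser. The following is an added example, not code from either answer or from root-me.org: it does the same octal decoding as pure string work, generalised to the other escape forms a JS literal can carry (\xHH, \uHHHH, \u{...}), pulls the string literals out of the result for triage, and includes the reverse encoder that the charCodeAt/parseInt steps in the first answer illustrate for a single letter. The OBFUSCATED_BODY constant is the inner Function() body copied from the question; nothing else here comes from the page.

```javascript
// Added example, not part of either answer above: decode the octal-escaped
// payload statically instead of running it through Function(). Decoding is
// pure string work, so nothing in an unknown sample (prompt(), alert(),
// fetch()...) can execute while you look at it.

// Single-character escapes JS recognises besides the numeric ones.
const SIMPLE_ESCAPES = { n: "\n", t: "\t", r: "\r", b: "\b", f: "\f", v: "\v",
                         "'": "'", '"': '"', "\\": "\\" };

// Undo the escapes a JS string literal would interpret: \NNN (legacy octal,
// 1-3 digits, at most \377), \xHH, \uHHHH, \u{H...} and the simple escapes.
function decodeEscapes(text) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (ch !== "\\") { out += ch; continue; }
    const next = text[i + 1];
    if (next === undefined) throw new Error("dangling backslash at offset " + i);
    const oct = /^[0-7]{1,3}/.exec(text.slice(i + 1, i + 4));
    if (oct) {
      let digits = oct[0];
      // \400 and above is read by JS as \40 followed by a literal '0'.
      if (digits.length === 3 && parseInt(digits, 8) > 0o377) digits = digits.slice(0, 2);
      out += String.fromCharCode(parseInt(digits, 8));
      i += digits.length;
    } else if (next === "x" && /^[0-9a-fA-F]{2}$/.test(text.slice(i + 2, i + 4))) {
      out += String.fromCharCode(parseInt(text.slice(i + 2, i + 4), 16));
      i += 3;
    } else if (next === "u" && text[i + 2] === "{") {
      const end = text.indexOf("}", i + 3);
      if (end < 0) throw new Error("unterminated \\u{...} at offset " + i);
      out += String.fromCodePoint(parseInt(text.slice(i + 3, end), 16));
      i = end;
    } else if (next === "u" && /^[0-9a-fA-F]{4}$/.test(text.slice(i + 2, i + 6))) {
      out += String.fromCharCode(parseInt(text.slice(i + 2, i + 6), 16));
      i += 5;
    } else if (Object.prototype.hasOwnProperty.call(SIMPLE_ESCAPES, next)) {
      out += SIMPLE_ESCAPES[next];
      i += 1;
    } else {
      out += next;   // unknown escape: JS keeps the character, drops the backslash
      i += 1;
    }
  }
  return out;
}

// The nested function's body is a single `return '<escaped literal>'`.
// Extract the literal and decode it; the result is the outer Function()'s body.
function unwrapReturnedLiteral(body) {
  const m = /^\s*return\s+(['"])([\s\S]*)\1\s*;?\s*$/.exec(body);
  if (!m) throw new Error("body is not a single return of a string literal");
  return decodeEscapes(m[2]);
}

// The string literals of a decoded payload: prompt text, the value it is
// compared against, alert messages. Usually the interesting part for triage.
function stringLiterals(code) {
  const out = [];
  const re = /'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"/g;
  for (let m; (m = re.exec(code)) !== null;) {
    out.push(decodeEscapes(m[1] !== undefined ? m[1] : m[2]));
  }
  return out;
}

// The reverse direction, generalising the charCodeAt/parseInt step shown for
// 'a' -> \141: every code unit below 256 becomes a backslash plus octal digits.
function toOctalEscapes(s) {
  return Array.from(s, (ch) => {
    const code = ch.charCodeAt(0);
    if (code > 0o377) throw new Error("octal escapes cannot encode code unit " + code);
    return "\\" + code.toString(8);
  }).join("");
}

// The inner body from the question, as JS sees it once the outer quotes are
// parsed: a return of one octal-escaped literal (copied from the question).
const OBFUSCATED_BODY =
  "return '\\141\\75\\160\\162\\157\\155\\160\\164\\50\\47\\105\\156\\164\\162\\145\\172\\40\\154\\145\\40\\155\\157\\164\\40\\144\\145\\40\\160\\141\\163\\163\\145\\47\\51\\73\\151\\146\\50\\141\\75\\75\\47\\164\\157\\164\\157\\61\\62\\63\\154\\157\\154\\47\\51\\173\\141\\154\\145\\162\\164\\50\\47\\142\\162\\141\\166\\157\\47\\51\\73\\175\\145\\154\\163\\145\\173\\141\\154\\145\\162\\164\\50\\47\\146\\141\\151\\154\\56\\56\\56\\47\\51\\73\\175'";

const decoded = unwrapReturnedLiteral(OBFUSCATED_BODY);
console.log(decoded);
console.log(stringLiterals(decoded));
```

Two caveats worth knowing when you meet this in the wild. Legacy octal escapes are a SyntaxError in strict-mode code, so this style of obfuscation only survives in sloppy-mode scripts; a body passed to Function() is sloppy unless it starts with "use strict", which is part of why the challenge works at all. And a real sample often nests several layers (the decoded text is itself another return of an escaped literal), so run unwrapReturnedLiteral in a loop until the result no longer matches a bare return statement, reading each layer before moving on.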
Related
I am passing order data from Shopify to VimeoOTT using Zapier. We have been doing this for a year and it works great, except when the customer's name has special characters in it. For example "Jack & Jill (tumble)" The & or ( parenthesis ) causes an error that stops the process.
I am trying to use Zapier's Javascript Action to find and replace the name data's special characters, but I keep getting a coding error. This is my first time working with Javascript :(.
This image shows the Zapier Code Action
Here is an image showing the error I get
// this is wrapped in an `async` function
// you can use await throughout the function
nameFix = inputData.nameFix.replace(/[^a-zA-Z0-9 ]/g,'_').replace(/_{2,}/g,'_');
output = [nameFix];
In JavaScript, variables must be declared with let or const before they are used:
const nameFix = inputData.nameFix.replace(...
So, that'll fix the error you're seeing.
Separately, JS steps in Zapier must return an object (which has keys and values). So, you'll want to return the result like so:
return {result: nameFix}
I am very new to this, but I wrote this and thought it would work the first time, but I get a 'ReferenceError: Can't find variable: street' console error.
I get this error if I click on the 'Street' button.
It's quite basic but this is the first time I've made a function to use a var/ref from the onClick attribute.
Please see onClick markup...
Supersport
Street
Cruiser
Scooter
Motocross
Enduro
Kids
then please see my function, which gets the ref error above...
Also please note I am trying to use the onClick var/ref within my function so I can target specific elements relative to the button being clicked.
bikeFilter = function (y) {
$('.bike').fadeOut();
scrollTo(186);
$('.bike[data-group=' + y + ']').fadeIn();
bikeSliderNav();
bikeSlider();
return false;
}
Any expert advice would be really helpful.
Thanks in advance.
You'd probably want to pass a String as input to your function and not the name of an undeclared and uninstantiated variable.
Try using single quotes to refer to it as a String constant (you need single quotes since you are already using double quotes to tell your HTML tag the attribute value):
onclick="bikeFilter('scooter')"
Take a look here to see the difference in data typing in js, and here for a quick start about functions.
You should use them like :
onclick="bikeFilter('motocross')"
Don't forget to put ' around your parameters
First of all, I've done my research and I did find a bunch of similar questions. However, I didn't find an answer that applies to my problem. All the examples I found were related to unescaped characters, single/double quote mishaps and the like. I on the other hand am getting this error on the following function:
$('.seq_input').blur(function(){
//var id = $(this).data('id');
//var index = parseInt($(this).val()),
//element = $("#test-list li").eq(id).remove();
//$("#test-list li").eq(index - 1).before(element); // -1 because users like 1 based indices
alert('what?');
});
As you see I commented out everything and just left an alert, and I'm still getting the error, pointing to the last line of the function. It couldn't have anything to do with other functions because I just added this one alone at the end of my current Javascript.
Can someone please tell me what's going on here? Why on Earth would a function that just alerts something (or even if it doesn't do anything) give an error?
NOTE: error is shown as soon as the page is loaded
There are invisible characters between the trailing semicolon and the parenthesis. I concatenated your code, put it in a string, and called a non-existent function in order to trigger an error (using this method).
'});'.l()
>>> TypeError: "})\u200B\u200B\u200B;".l is not a function
$('.seq_input') may be used in other functions; try using a new id for that function.
I add a string (i.e. 'Bob Smith') from a jQuery click event trapped using the on function . . .
$(".vendorLookup").on("click", { fullName: $(this).text() }, displayAddy);
In the displayAddy handler for the click event, I extract the string (a persons first and last name) and split out the first and last name . . .
var name = event.data.fullName;
var parts = name.split(" ");
IE can figure this one out but Chrome and Firefox will not split unless I use the regular expression split(/\s/) (unless I use the w3schools.com Tryit code editor and then it works).
Question: what exactly is going on here and when will I get bit by this later on when parsing for spaces cross-browser?
(Note: I don't think it matters but I am running this script on a wiki page in SharePoint 2010)
I'm not sure what's going on (I tested it and see some weird behavior), but you can work around it by doing something like this
function displayAddy() {
var parts = $(this).text().split(" ");
$('#fname').html(parts[0]);
$('#lname').html(parts[1]);
}
$('#name').on("click", displayAddy);
Since the event is being passed off to a callback, the callback already has a this object. In this instance the this object is going to be the DOM object with the class #name.
Here's an example of it in action.
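The two problems above share a root cause worth having a tool for: characters that render as nothing, or as an ordinary space, but are not U+0020. The zero-width spaces found behind the "})\u200B\u200B\u200B;" SyntaxError are one case. For the split(" ") question, one cause consistent with the symptom (an assumption here, not something the poster confirmed) is a no-break space U+00A0 in the copied name: /\s/ matches it, " " does not, and rich-text editors such as a SharePoint wiki are a common source. The scanner below is an added example, not code from any of the posts; the PASTED_SNIPPET and PASTED_NAME inputs are constructed to mirror the two symptoms. The same scan is what you want on source before merging it, since the bidirectional override characters in the table are the ones used to make reviewed code read differently from how it compiles.

```javascript
// Added example, not from the posts above: locate characters that are
// invisible or look like a plain space but are not U+0020, report where they
// are, and normalise them away before text reaches a parser or a split(" ").

const SUSPECT_CHARS = new Map([
  [0x00A0, "NO-BREAK SPACE"],
  [0x00AD, "SOFT HYPHEN"],
  [0x200B, "ZERO WIDTH SPACE"],
  [0x200C, "ZERO WIDTH NON-JOINER"],
  [0x200D, "ZERO WIDTH JOINER"],
  [0x200E, "LEFT-TO-RIGHT MARK"],
  [0x200F, "RIGHT-TO-LEFT MARK"],
  [0x2028, "LINE SEPARATOR"],
  [0x2029, "PARAGRAPH SEPARATOR"],
  [0x202A, "LEFT-TO-RIGHT EMBEDDING"],
  [0x202B, "RIGHT-TO-LEFT EMBEDDING"],
  [0x202C, "POP DIRECTIONAL FORMATTING"],
  [0x202D, "LEFT-TO-RIGHT OVERRIDE"],
  [0x202E, "RIGHT-TO-LEFT OVERRIDE"],
  [0x2060, "WORD JOINER"],
  [0x2066, "LEFT-TO-RIGHT ISOLATE"],
  [0x2067, "RIGHT-TO-LEFT ISOLATE"],
  [0x2068, "FIRST STRONG ISOLATE"],
  [0x2069, "POP DIRECTIONAL ISOLATE"],
  [0xFEFF, "ZERO WIDTH NO-BREAK SPACE (BOM)"],
]);

// Walk the text by code point and report every suspect character with its
// 1-based line and column, so the finding can be shown to whoever pasted it.
function findSuspectChars(text) {
  const hits = [];
  let line = 1, col = 0;
  for (const ch of text) {
    col++;
    const cp = ch.codePointAt(0);
    if (SUSPECT_CHARS.has(cp)) {
      hits.push({
        line, col,
        codePoint: "U+" + cp.toString(16).toUpperCase().padStart(4, "0"),
        name: SUSPECT_CHARS.get(cp),
      });
    }
    if (ch === "\n") { line++; col = 0; }
  }
  return hits;
}

// Space-like characters become a plain space, the Unicode line terminators a
// newline, and the invisible/format characters are dropped outright.
function normaliseSpaces(text) {
  return text
    .replace(/[\u2028\u2029]/g, "\n")
    .replace(/\u00A0/g, " ")
    .replace(/[\u00AD\u200B-\u200F\u202A-\u202E\u2060\u2066-\u2069\uFEFF]/g, "");
}

// Constructed inputs mirroring the two symptoms on this page.
const PASTED_SNIPPET = "alert('what?');\n})\u200B\u200B\u200B;";   // three ZWSPs before ';'
const PASTED_NAME = "Bob\u00A0Smith";                           // displays as "Bob Smith"

// The cross-browser-safe version of the name split: normalise first.
function splitName(name) {
  return normaliseSpaces(name).split(" ");
}

console.log(findSuspectChars(PASTED_SNIPPET));
console.log(PASTED_NAME.split(" ").length, PASTED_NAME.split(/\s/).length, splitName(PASTED_NAME));
```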
I just found out that when you call toString() on a javascript function, as in myFunction.toString(), the source code of that function is returned.
If you try it in the Firebug or Chrome console it will even go as far as formatting it nicely for you, even for minimized javascript files.
I don't know what it does for obfuscated files.
What's the use of such a toString implementation?
It has some use for debugging, since it lets you see the code of the function. You can check if a function has been overwritten, and if a variable points to the right function.
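The "check if a function has been overwritten" use is the one a defender reaches for: a built-in that has been monkey-patched by an injected script or a browser extension no longer stringifies to "[native code]". The following is an added example, not code from the answer; it installs a small observing hook on JSON.parse (a constructed stand-in for the kind of hook that skims input) and shows both what the check catches and how it is evaded.

```javascript
// Added example, not from the answer above: Function.prototype.toString as a
// tamper check for built-ins, plus the evasion that limits it.

function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  // Call the prototype method directly so an own `toString` on a hooked
  // function cannot lie. (A hook that also replaces
  // Function.prototype.toString itself still can; see the prose below.)
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// A minimal hook: wrap obj[name], hand the original to `wrapper`, return an
// undo function. Structurally this is what a logging or skimming hook is.
function installHook(obj, name, wrapper) {
  const original = obj[name];
  obj[name] = function hooked(...args) {
    return wrapper(original, this, args);
  };
  return () => { obj[name] = original; };
}

// Check before, during and after a hook on JSON.parse.
function hookDemo() {
  const seen = [];
  const before = isNativeFunction(JSON.parse);
  const restore = installHook(JSON, "parse", (original, thisArg, args) => {
    seen.push(args[0]);                 // the hook silently records its input
    return original.apply(thisArg, args);
  });
  const during = isNativeFunction(JSON.parse);
  const parsed = JSON.parse('{"a":1}'); // still works, caller notices nothing
  restore();
  return { before, during, after: isNativeFunction(JSON.parse), seen, parsed };
}

// The evasion: an own toString mimicking the native format fools
// fn.toString() but not Function.prototype.toString.call(fn).
function spoofDemo() {
  const fake = function parse() { return null; };
  fake.toString = () => "function parse() { [native code] }";
  return {
    viaOwnToString: /\[native code\]/.test(fake.toString()),
    viaPrototypeCall: isNativeFunction(fake),
  };
}

console.log(hookDemo());
console.log(spoofDemo());
```

Treat the result as a heuristic in both directions: a bound function (fn.bind(x)) also stringifies to "[native code]", and a hook that replaces Function.prototype.toString as well will pass the check. The stronger pattern is to capture references to the built-ins you care about before any third-party script runs and compare against those.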
It has some uses for obfuscated javascript code. If you want to do hardcore obfuscation in javascript, you can transform your whole code into a bunch of special characters, and leave no numbers or letters. This technique relies heavily on being able to access most letters of the alphabet by forcing the toString call on everything with +""
example: (![]+"")[+[]] is f since (![]+"") evaluates to the string "false" and [+[]] evaluates to [0], thus you get "false"[0] which extracts the first letter f.
Some letters like v can only be accessed by calling toString on a native function like [].sort. The letter v is important for obfuscated code, since it lets you call eval, which lets you execute anything, even loops, without using any letters. Here is an example of this.
function.ToString - Returns a string representing the source code of the function. For Function objects, the built-in toString method decompiles the function back into the JavaScript source that defines the function.
Read this on mozilla.
You can use it as an implementation for multi-line strings in Javascript source.
As described in this blog post by #tjanczuk, one of the massive inconveniences in Javascript is multi-line strings. But you can leverage .toString() and the syntax for multi-line comments (/* ... */) to produce the same results.
By using the following function:
function uncomment(fn){
return fn.toString().split(/\/\*\n|\n\*\//g).slice(1,-1).join();
};
…you can then pass in multi-line comments in the following format:
var superString = uncomment(function(){/*
String line 1
String line 2
String line 3
*/});
In the original article, it was noted that Function.toString()'s behaviour is not standardised and therefore implementation-discrete — and the recommended usage was for Node.js (where the V8 interpreter can be relied on); however, a Fiddle I wrote seems to work on every browser I have available to me (Chrome 27, Firefox 21, Opera 12, Internet Explorer 8).
A nice use case is remoting. Just toString the function in the client, send it over the wire and execute it on the server.
My use case - I have a node program that processes data and produces interactive reports as html/js/css files. To generate a js function, my node code calls myfunc.toString() and writes it to a file.
You can use it to create a Web Worker from function defined in the main script:
// Worker code, defined in the main script; its source is copied out via toString()
onmessage = function(e) {
  console.log('[Worker] Message received from main script:', e.data);
  postMessage('Worker speaking.');
}
// Serialise the handler into a Blob and start a Worker from a blob: URL
const b = new Blob(["onmessage = " + onmessage.toString()], {type: 'text/javascript'});
const w = new Worker(window.URL.createObjectURL(b));
w.onmessage = function(e) {
  console.log('[Main] Message received from worker script:' + e.data);
};
w.postMessage('Main speaking.');