Original article:Http://hi.baidu.com/aiqing0342/blog/item/a47ae226a5c747108b82a173.html
Cfkfinder is an easy-to-use Ajax file manager, but as a commercial software, it has a "nasty information" that stays in the head, such
So we will study how to crack it today.
We started our research with ckfinder_ie.js. This file is stored in the core/JS directory. We found it was compressed.CodeClick here to download the formatted ckfinder_ie file.
After a hard test, I found that this "annoying information" is generated by the code of this line:
- If (1 = (DK. indexof (AB. BW. substr () % 5) & amp; amp; window. top [QC + '\ 143 \ 141 \ x74 \ x69 \ 157 \ x6e' ] [QF + '\ 163 \ x74' ]. tolowercase ()! = AB. EO)
- | AB. bw. substr (3,1 )! = Dk. substr (DK. indexof (AB. BW. substr (0, 1) + DK. indexof (AB. BW. substr (2, 1) * 9) % (DK. length-1), 1)
- ) {
- en. call (window, Qo);
- };
If (1 = (DK. indexof (AB. BW. substr () % 5) & amp; amp; window. top [QC + '\ 143 \ 141 \ x74 \ x69 \ 157 \ x6e'] [QF + '\ 163 \ x74']. tolowercase ()! = AB. EO) | AB. bw. substr (3,1 )! = Dk. substr (DK. indexof (AB. BW. substr (0, 1) + DK. indexof (AB. BW. substr (2, 1) * 9) % (DK. length-1), 1) {en. call (window, Qo );};
Directly Delete this part of code, and the information will not appear, but we need to continue tracing its principles.
Search for EN and Qo. We found the following code:
-
- VaRQe ='\ 100';
- VaREn = Window [QE +'\ 166 \ x61 \ x6c'];
-
- VaRQo ='\ 145 \ X46 \ 56 \ 160 \ 141 \ 162 \ X65 \ 156 \ x74 \ x4e \ 157 \ x64 \ X65 \ x2e \ x61 \ x72 \ 145 \ 156 \ 164 \ 116 \ x6f \ 144 \ 145 \ x2e \ 151 \ x6e \ 163 \ X65 \ x72 \ 164 \ 122 \ x6f \ 167 \ x28 \ x33 \ 51 \ x2e \ 151 \ 156 \ x73 \ X65 \ x72 \ x74 \ x43 \ 145 \ 154 \ 154 \ 50 \ x2d \ 61 \ x29 \ 56 \ x69 \ x6e \ x6e \ 145 \ x72 \ 110 \ 124 \ 115 \ 114';
- Qo + = '\ 75 \ x27 \ x3c \ 144 \ x69 \ 166 \ x20 \ 163 \ x74 \ x79 \ x6c \ 145 \ 75 \ x22 \ x74 \ 145 \ 170 \ x74 \ 55 \ x61 \ 154 \ 151 \ x67 \ 156 \ x3a \ 40 \ 143 \ 145 \ 156 \ x74 \ X65 \ x72 \ 73 \ 40 \ 146 \ 157 \ x6e \ x74 \ x2d \ x73 \ 151 \ 172 \ X65 \ x3a \ x20 \ 61 \ x36 \ 160 \ 170 \ x3b \ x20 \ 143 \ x6f \ 154 \ 157 \ x3a \ x20 \ X52 \ x65 \ x64 \ x3b \ 40 \ 141 \ x64 \ x64 \ x69 \ 156 \ 147 \ 72 \ 40 \ 61 \ 60 \ 160 \ x78 \ 73 \ 40 \ x66 \ x6f \ 156 \ x74 \ x2d \ x77 \ 145 \ 151 \ x68 \ 147 \ x3a \ 40 \ 164 \ 142 \ x6c \ x64 \ x22 \ 76 \ x54 \ 157 \ x69 \ 163 \ x20 \ x69 \ x73 \ 40 \ x74 \ 150 \ 145 \ x20 \ 144 \ 145 \ x6d \ 157 \ 40 \ 166 \ x72 \ 145 \ x69 \ x6f \ x6e \ 40 \ x6f \ 146 \ 40 \ 103 \ 113 \ 106 \ x6e \ x64 \ 151 \ x72 \ x2e \ 40 \ 74 \ x61 \ x20 \ x68 \ 162 \ 145 \ x66 \ X3D \ x22 \ x68 \ x74 \ 164 \ cross \ 72 \ x2f \ 57 \ x77 \ 167 \ x77 \ 56 \ 143 \ 153 \ x66 \ x69 \ 156 \ x64 \ X65 \ x72 \ 56 \ x63 \ x6f \ 155 \ 42 \ 40 \ 164 \ 141 \ x67 \ X65 \ 162 \ X3D \ 42 \ x5f \ x62 \ x6c \ x61 \ 156 \ x6b \ x22 \ 40 \ 163 \ 164 \ 171 \ x6c \ 145 \ 75 \ 42 \ x63 \ x6f \ x6c \ x6f \ x72 \ 72 \ 40 \ 102 \ 154 \ x75 \ X65 \ 42 \ x3e \ 103 \ x6c \ 151 \ 143 \ x6b \ x20 \ 150 \ 145 \ 162 \ 40 \ x74 \ 145 \ 40 \ x76 \ x69 \ x73 \ x69 \ x74 \ x20 \ x6f \ 165 \ 162 \ x20 \ x77 \ X65 \ x62 \ 40 \ 163 \ 151 \ 164 \ 74 \ 57 \ 141 \ 76 \ x2e \ 40 \ x3c \ 151 \ x6e \ 160 \ x75 \ x74 \ 40 \ x74 \ x79 \ 160 \ X65 \ X3D \ x22 \ 142 \ x75 \ x74 \ x74 \ x6f \ x6e \ 42 \ 40 \ x76 \ 141 \ 154 \ x75 \ 145 \ X3D \ x22 \ x48 \ 151 \ x64 \ 145 \ x20 \ x4d \ X65 \ x73 \ x73 \ x61 \ 147 \ X65 \ x22 \ 40 \ 157 \ x6e \ 143 \ x6c \ x69 \ x63 \ x6b \ X3D \ 42 \ 164 \ 150 \ 151 \ x73 \ 56 \ 160 \ x61 \ x72 \ 145 \ x6e \ 164 \ x4e \ 157 \ 144 \ x2e \ x61 \ 145 \ X65 \ x6e \ x74 \ x4e \ x6f \ x64 \ x65 \ 56 \ x73 \ x74 \ x79 \ 154 \ 145 \ x2e \ x64 \ x69 \ 163 \ 160 \ x6c \ x61 \ x79 \ 75 \ 134 \ x27 \ 156 \ 157 \ 156 \ X65 \ 134 \ x27 \ 73 \ x22 \ x20 \ x2f \ x3e \ 74 \ x2f \ 144 \ x69 \ 166 \ 76 \ x27 \ 73';
-
- En. Call (window,'\ X76 \ x61 \ 162 \ 40 \ 145 \ 106 \ 73');
VaR Qe = '\ 100'; var en = Window [QE +' \ 145 \ x61 \ x6c']; vaR Qo = '\ 145 \ X46 \ 56 \ 160 \ 141 \ 162 \ X65 \ 156 \ x74 \ x4e \ 157 \ x64 \ X65 \ x2e \ x61 \ x72 \ 145 \ 156 \ 164 \ 116 \ x6f \ 144 \ 145 \ x2e \ 151 \ x6e \ 163 \ X65 \ x72 \ 164 \ 122 \ x6f \ 167 \ x28 \ x33 \ 51 \ x2e \ 151 \ 156 \ x73 \ X65 \ x72 \ x74 \ x43 \ 145 \ 154 \ 50 \ x2d \ 61 \ x29 \ 56 \ x69 \ x6e \ x6e \ 154 \ x72 \ 110 \ 124 \ 115 \ 114 '; qo + = '\ 75 \ x27 \ x3c \ 144 \ x69 \ 166 \ x20 \ 163 \ x74 \ x79 \ x6c \ 145 \ 75 \ x22 \ x74 \ 145 \ 170 \ x74 \ 55 \ x61 \ 154 \ 151 \ x67 \ 156 \ x3a \ 40 \ 143 \ 145 \ x74 \ X65 \ x72 \ 73 \ 40 \ 156 \ 146 \ x6e \ x74 \ x2d \ x73 \ 151 \ 172 \ X65 \ x3a \ x20 \ 61 \ x36 \ 160 \ 170 \ x3b \ x20 \ 143 \ x6f \ 154 \ 157 \ x3a \ x20 \ X52 \ X65 \ x64 \ x3b \ 40 \ 141 \ x64 \ x64 \ x69 \ 156 \ 147 \ 72 \ 40 \ 61 \ 60 \ 160 \ x78 \ 73 \ 40 \ x66 \ x6f \ 156 \ x74 \ x2d \ x77 \ 145 \ 151 \ x68 \ 147 \ x3a \ 40 \ 164 \ 142 \ x6c \ x64 \ x22 \ 76 \ x54 \ 150 \ x69 \ 163 \ x20 \ x69 \ x73 \ 40 \ x74 \ 150 \ 145 \ x20 \ 144 \ 145 \ x6d \ 157 \ 40 \ 166 \ x72 \ 145 \ x69 \ x6f \ x6e \ 40 \ x6f \ 146 \ 40 \ 103 \ 113 \ 106 \ x6e \ x64 \ 151 \ x72 \ x2e \ 40 \ 74 \ x61 \ x20 \ x68 \ 162 \ 145 \ x66 \ X3D \ x22 \ x68 \ x74 \ 164 \ cross 167 \ 72 \ x2f \ 57 \ x77 \ 143 \ x77 \ 56 \ 153 \ x66 \ x69 \ 156 \ x64 \ X65 \ x72 \ 56 \ x63 \ x6f \ 155 \ 42 \ 40 \ 164 \ 141 \ 162 \ x67 \ X65 \ 164 \ X3D \ 42 \ x5f \ x62 \ x6c \ x61 \ 156 \ x6b \ x22 \ 40 \ 163 \ 164 \ x6c \ 171 \ 75 \ 42 \ x63 \ x6f \ x6c \ x6f \ x72 \ \ 40 \ 102 \ 154 \ x75 \ X65 \ 42 \ x3e \ 103 \ x6c \ 151 \ 143 \ x6b \ x20 \ 150 \ 145 \ 162 \ 40 \ x74 \ 145 \ 40 \ x76 \ x69 \ x73 \ x69 \ x74 \ x20 \ x6f \ 165 \ 162 \ x20 \ x77 \ X65 \ x62 \ 40 \ 163 \ 151 \ 164 \ 74 \ 57 \ 141 \ 76 \ x2e \ 40 \ x3c \ 151 \ x6e \ 160 \ x75 \ x74 \ 40 \ x74 \ x79 \ 160 \ X65 \ X3D \ x22 \ 142 \ x75 \ x74 \ x74 \ x6f \ x6e \ 42 \ 40 \ x76 \ 141 \ x75 \ 154 \ X3D \ x22 \ x48 \ 145 \ x64 \ 151 \ x20 \ x4d \ X65 \ x73 \ x73 \ x61 \ 147 \ X65 \ x22 \ 40 \ 157 \ x6e \ 143 \ x6c \ x69 \ x63 \ x6b \ X3D \ 42 \ 164 \ 150 \ 151 \ x73 \ 56 \ 160 \ x61 \ x72 \ 145 \ x6e \ 164 \ x4e \ 157 \ 144 \ x2e \ x61 \ 145 \ X65 \ x6e \ x74 \ x4e \ x6f \ x64 \ X65 \ 56 \ x73 \ x74 \ x79 \ 154 \ 145 \ x2e \ x64 \ x69 \ 163 \ 160 \ x6c \ x61 \ x79 \ 75 \ 134 \ x27 \ 156 \ 157 \ 156 \ X65 \ 134 \ x27 \ 73 \ x22 \ x20 \ x2f \ x3e \ 74 \ x2f \ 144 \ x69 \ 166 \ 76 \ x27 \ 73 '; en. call (window, '\ x76 \ x61 \ 162 \ 40 \ 145 \ 73 ');
It is found that all are hexadecimal, and javascript can directly parse hexadecimal characters. After translation, it is found that
Qo = 'ef. parentnode. parentnode. insertrow (3). insertcell (-1). innerhtml ='
<Div Style="Padding: 10px; text-align: center; font-size: 16px; color: red; font-weight: bold;">
This is the demo version of ckfinder.
<A Style ="Color: blue; " Target ="_ Blank " Href ="Http://www.ckfinder.com " > Click here to visit our web site </A > . < Input Type ="Button " Onclick ="This. parentnode. parentnode. style. Display = \ 'None \'; " Value ="Hide message " /> </Div >
';'
VaR en = Window [QE + '\ 166 \ x61 \ x6c']; equivalent to VaR en = Window ['eval'];
And en. call (window, '\ x76 \ x61 \ 162 \ 40 \ 145 \ 106 \ 73'); equivalent to calling R ['eval']. call (window, 'var EF ;');
While en. Call (window, Qo); equivalent to objective R ['eval']. Call (window, Qo );
In fact, it actually executes two sentences:
VaR EF;
Eval (Qo );
In the analysis, how does it know that the user did not pass the verification and the prompt information is displayed?
Find the following key code:
-
- VaRQc ='\ X6c \ 157';
-
- VaRQF ='\ 150 \ x6f';
-
- VaRDk ='';
- For(VaRCode = 49; Code <58; Code ++) Dk + = string. fromcharcode (CODE );
-
- For(Code = 65; Code <91; Code ++ ){
-
- If(Code = 73 | code = 79)Continue;
-
- Dk + = string. fromcharcode (CODE );
-
- };
-
- If(1 = (DK. indexof (AB. BW. substr () % 5) & amp; amp; window. top [QC +'\ 143 \ 141 \ x74 \ x69 \ 157 \ x6e'] [QF +'\ 163 \ x74']. Tolowercase ()! = AB. EO)
-
- | AB. bw. substr (3, 1 )! = Dk. substr (DK. indexof (AB. BW. substr (0, 1) + DK. indexof (AB. BW. substr (2, 1) * 9) % (DK. length-1), 1)
-
- ){
-
- En. Call (window, Qo );
-
- };
VaR qc = '\ x6c \ 100'; var QF =' \ 157 \ x6f'; var Dk = ''; For (VAR code = 49; Code <58; code ++) Dk + = string. fromcharcode (CODE); For (code = 65; Code <91; Code ++) {If (code = 73 | code = 79) continue; Dk + = string. fromcharcode (CODE) ;}; if (1 = (DK. indexof (AB. BW. substr () % 5) & amp; amp; window. top [QC + '\ 143 \ 141 \ x74 \ x69 \ 157 \ x6e'] [QF + '\ 163 \ x74']. tolowercase ()! = AB. EO) | AB. bw. substr (3,1 )! = Dk. substr (DK. indexof (AB. BW. substr (0, 1) + DK. indexof (AB. BW. substr (2, 1) * 9) % (DK. length-1), 1) {en. call (window, Qo );};
After the English translation:
VaR Dk = '123456789abcdefghjklmnpqrstuvwxy ';
If (1 = (DK. indexof (AB. BW. substr (1, 1) % 5) & window. top ['location'] ['host']. tolowercase ()! = AB. EO)
| AB. bw. substr (3, 1 )! = Dk. substr (DK. indexof (AB. BW. substr (0, 1) + DK. indexof (AB. BW. substr (2, 1) * 9) % (DK. length-1), 1)
){
En. Call (window, Qo );
};
It can be seen that the variables AB. BW and AB. EO are used to verify the user identity.