Today we are going to introduce the encryption and decryption methods in JavaScript. We should be clear that it is impossible to keep javascript code confidential because it is interpreted and executed in IE, what we need to do is to increase the difficulty of copying by the publisher as much as possible. the following javascript code is used as an example: SCRIPTLANGUAGEjavascriptaler
Today we are going to introduce the encryption and decryption methods in JavaScript. We should be clear that it is impossible to keep javascript code confidential because it is interpreted and executed in IE, what we need to do is to increase the difficulty of copying by the publisher as much as possible.
The following javascript code is encrypted as an example:
Alert ("My love together");
SCRIPT
I. Simplest encryption and decryption
You must have a good understanding of the javascript Functions escape () and unescape () (many web pages use them for encryption), namely encoding and decoding strings. For example, the example code uses escape () the function is encrypted in the following format:
Alert % 28% 22% u9ED1 % u5BA2 % u9632 % u7EBF % 22% 29% 3B
How? Do you still understand? Of course, the ASCII character "alert" is not encrypted. If you want to, you can write javascript code to re-encrypt it as follows:
% 61% 6C % 65% 72% 74% 28% u9ED1 % u5BA2 % u9632 % u7EBF % 22% 3B
Haha! How? This time it is completely encrypted!
Of course, the encrypted code cannot be run directly. Fortunately, eval (codeString) is available. This function is used to check and execute javascript code, the required codeString parameter is a string value that contains valid javascript code, and the preceding decoding unescape () is added. The encrypted result is as follows:
Var code = unescape ("% 61% 6C % 65% 72% 74% 28% 22% u9ED1 % u5BA2 % u9632 % u7EBF % 22% 3B ");
Eval (code)
SCRIPT
Is it easy? Don't be happy. decryption is as simple as it is. The decryption code is put to others (unescape ())! Haha
Ii. Amazing use of the Escape Character ""
You may not be familiar with the Escape Character "", but some special characters such as n (line feed), r (carriage return), and '(single quotes) are provided for javascript) should I know something about it? In fact, "" can be followed by octal or hexadecimal numbers. For example, the character "a" can be expressed: "141" or "x61" (note the lowercase character "x "), for double-byte characters such as the Chinese character "", it can only be expressed as "u9ED1" in hexadecimal notation (note that it is a lowercase character "u "), the character "u" indicates a dubyte character. According to this example, the code can be expressed:
The octal escape string is as follows:
Eval ("1411541451621610942u9ed1u5ba2u9632u7ebf424173 ")
SCRIPT
The hexadecimal escape string is as follows:
Eval ("x61x6Cx65x72x74x28x22u9ED1u5BA2u9632u7EBFx22x29x3B ")
SCRIPT
There is no decoding function this time, because javascript will convert itself during execution. The decoding is also very simple as follows:
Alert ("x61x6Cx65x72x74x28x22u9ED1u5BA2u9632u7EBFx22x29x3B ")
SCRIPT
The displayed dialog box shows the decrypted result!
Iii. coding using the Script Encoder produced by Microsoft
The use of the tool is not described much! I used javascript to call the Scripting. Encoder code of the control!
Var Senc = new ActiveXObject ("Scripting. Encoder ");
Var code =' Rnalert (""); rn "SCRIPT";
Var Encode = Senc. EncodeScriptFile (". htm", code, 0 ,"");
Alert (Encode );
SCRIPT
The encoded result is as follows:
#@~ ^ FgAAAA ==##@ & lsdd' J r # p #@ & FgMAAA == #~ @ SCRIPT
Ugly enough, right? However, the corresponding decryption tools have already been released, and even the decrypted webpages are available! I will not talk about it because it decrypts too much Web Page code! The original decryption code is as follows:
Function decode ()
Alert (decode. toString ());
SCRIPT
What? Is it simple enough? The principle is that IE will first decode the encoded code before it runs. If we put the encrypted code into a user-defined function such as decode, call the toString () method for the decode of the custom function to obtain the decoded code!
If you think that the LANGUAGE attribute of the Code obtained through this encoding is JScript. Encode, which is easy to recognize, there is also an almost unknown method of window object execScript (). Its prototype is:
Window.exe cScript (sExpression, sLanguage)
Parameters:
SExpression: required. String ). Code to be executed.
SLanguage: required. String ). Specifies the language of the code to be executed. The default value is Microsoft JScript.
In use, the previous "window" can be omitted without writing!
Using this code, we can run the encoded javascript code as follows:
ExecScript ("#@~ ^ FgAAAA ==##@ & lsdd' J I love r together # p #& FgMAAA == #~ @ "," JScript. Encode ")
SCRIPT
You can use method 2 to Encode the strings in "" so that "JScript. Encode" and encoding signature code "#@~ ^ "No, the effect will be better!
4. Add any NUL null characters (hexadecimal 00 H)
In an accidental experiment, I found that when I add any number of "null characters" to any location on the HTML webpage, IE will normally display the content and execute the javascript code normally, when we use a General Editor to view the added "null character", it will display a space or Black Block, making the original code hard to understand, if you use NotePad to view the information, the "null character" will become "space". The encrypted result is as follows: (the "space" displayed indicates "null character ")
A l er t ("I love it ");
</SC r I P T>
How? Is it messy? If you do not know the method, it is difficult to remove the "null character" (00 H!
5. Useless content and line feed space TAB Method
In javascript code, we can add a large number of useless strings or numbers, as well as useless code and comments, so that the real useful code is not buried in it, add a large number of line breaks, spaces, and tabs in the useful code, and use "" to wrap a normal string, this will make the code hard to understand! The encrypted form is as follows:
"Xajgxsadffgds"; 1234567890
625623216; var $ = 0; alert // @ $ % & * () (& (^ % ^
// Cctv function //
(// Hhsaasajx xc
/*
Asjgdsgu */
"I love it together" // ashjgfgf
/*
@ # % $ ^ & % $ 96667r45fggbhytjty
*/
// Window
)
; "# @ $ # % @ # 432hu"; 212351436
SCRIPT
At least if I see such a code, I will not try to analyze it. Where are you?
Vi. Self-write decryption Function Method
This method is similar to the one in version 2. It only writes a function to decrypt the code. Many VBS viruses use this method to encrypt themselves to prevent scanning of signatures! The following is a simple encryption and decryption function I wrote. the encryption code is as follows (see file "encryption .htm" for details "):
Function compile (code)
{
Var c = String. fromCharCode (code. charCodeAt (0) + code. length );
For (var I = 1; I Alert (escape (c ));
}
Compile ('alert ("my friends"); ')
SCRIPT
The encrypted result is as follows:
O % CD % D1 % D7 % E6 % 9CJ % u9EF3 % uFA73 % uF1D4 % u14F1 % u7EE1Kd
Encrypted and decrypted
Function uncompile (code)
{
Code = unescape (code );
Var c = String. fromCharCode (code. charCodeAt (0)-code. length );
For (var I = 1; I Return c;
}
Eval (uncompile ("o % CD % D1 % D7 % E6 % 9CJ % u9EF3 % uFA73 % uF1D4 % u14F1 % u7EE1Kd "));
SCRIPT
7. Misuse
Use the try {} catch (e) {} structure to test and decrypt the code. Although this idea is good (haha, boast of yourself), I only give an example because it is not practical.
Var a = 'alert ("my friends"); ';
Var c = "";
For (var I = 0; ialert (c );
// The above is the encryption code. Of course, if you actually use this method, the encryption will not be written
// Now the variable c is the encrypted code
// The following function t () First assumes that the initial password is 0 and is decrypted and executed,
// If an error occurs, add the password to 1 and then decrypt it until it runs correctly.
Var d = c; // Save the encrypted code
Var B = 0; // assume that the initial password is 0.
T ();
Function t () catch (e ){
C = "";
For (var I = 0; I B + = 1;
T ();
// SetTimeout ("t ()", 0 );
}
}
SCRIPT