Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Hiding Source Code
Posted by: rvdh
Date: June 08, 2009 06:40AM

Hiding Source in MSIE for example by using UTF-16 (UTF-16BE)

<meta http-equiv="Content-Type" content="text/html; charset=UTF-16" />


or:

<?php

    function utf16($str) {

	$utf8 = utf8_encode($str);


        if(function_exists('mb_convert_encoding')) {

            return mb_convert_encoding($utf8, 'UTF-16', 'UTF-8');

       		 } else { 

			return $str;
		}

    }

  echo utf16('<iframe src="http://www.google.com/malware/malwarez.html"></iframe>');

?>

This is due to a bug in the UNICODE parser from Microsoft, I'm not sure if they fixed this yet since i found this last year, but it's a good example of conforming to some kind of endianness while ignoring to parse another endianness, which of course can be abused.



Edited 1 time(s). Last edit at 06/08/2009 06:42AM by rvdh.

Options: ReplyQuote
Re: Hiding Source Code
Posted by: rvdh
Date: June 08, 2009 06:45AM

Hiding a style sheet (with xss vectors in it of course):

<?php

header("Link: <stylesheet.css>; rel=\"stylesheet\"; title=\"style\"");

?>

The LINK header will only show up as -exactly- a header, but not in the direct source code. Great to fool some people. Doesn't seem to work in MSIE.

Both examples can be found here: http://rvdh.ath.cx/?i=312 where I wrote about it last year.


--



Edited 2 time(s). Last edit at 06/08/2009 10:57PM by rvdh.

Options: ReplyQuote
Re: Hiding Source Code
Posted by: rvdh
Date: June 08, 2009 07:19AM

Probably one of the smallest JS packers I wrote, makes a big long string from formatted JavaScript. Trivial and easy to de-obfuscate using toSource() again, but sometimes useful for further obfuscation with various types of encoding:

Pack:-
new Function("function x() {\nalert(1)\n}").toSource();


Un-Pack:-
new Function("function x() {alert(1)}").toSource(2);



Edited 4 time(s). Last edit at 06/08/2009 09:55AM by Gareth Heyes.

Options: ReplyQuote
Re: Hiding Source Code
Posted by: Bj
Date: December 17, 2009 05:24PM

sorry how do i make use of this please should I just embed this inside my javascript just like that?

FQA: I visited a website and just as I right click to view the source code a popup says "sorry right click is disabled for this page" therefore I cannot view the source code some body tell me how that was done.

Options: ReplyQuote
Re: Hiding Source Code
Posted by: Kyo
Date: December 21, 2009 03:18AM

are you...a troll?

That was done with javascript, but it's not a serious protection in any way. To use the above examples (1 and 2 at least) you need to upload the files you want to hide to a server and use the tricks in PHP.

Options: ReplyQuote
Re: Hiding Source Code
Posted by: Reiners
Date: December 21, 2009 04:30AM

btw in opera you can still print a stupid nullbyte to "prevent" source code viewing.

Options: ReplyQuote
Re: Hiding Source Code
Posted by: Anonymous User
Date: December 21, 2009 10:16AM

https://bugs.eclipse.org/bugs/show_bug.cgi?id=283231

No need to comment on this one

Options: ReplyQuote
Re: Hiding Source Code
Posted by: rvdh
Date: December 26, 2009 04:30PM

lol

|
|
v

Quote

Praveen 2009-10-23 04:59:27 EDT
Upon investigation, it appears that this to be the JRE IO-classes problem on
Linux. The function ResourceTextFileBuffer.setDocumentContent() is responsible for
reading the contents of the (resource) file through BufferedReader. However,
when the file contains a 'null' byte, then the characters following the null
byte are not filled into the buffer.

Of course, because it encounters a termination! you should throw a Null Exception!

Options: ReplyQuote


Sorry, only registered users may post in this forum.