Remove Obfuscated Code [20081221b]

[Siamesecat]

(Dec. 21, 2008 12:10 PM)DarthTrader Wrote:  Here's what I came up with last night:

Code:

[Patterns]
Name = "<script>: Remove Obfuscated Code [20081220b dt]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Bounds = "$NEST(<script,</script*>)"
Limit = 32767
Match = "*(\\([0-7]+{1,3}&&[#000:377])"
        "|(%|\\x)([a-f0-9])+{2}"
        "|(%|\\)u([a-f0-9])+{4}"
        ")+{5,*}*"
Replace = "$ALERT(Script with obfuscated code surgically removed from:\r\n\r\n\u\r\n\r\n)"

There are a few things I do not understand about the match. Why is the range of the first item matched from 0 to 377? What character has a code of 377?
In the second line, why are there 2 backslashes before the x? I know that \x is a command prefix, but why the extra backslash?
In the third line, why is the u not inside the first set of parentheses?
Why are you trying to match at least 5 of the expressions and no less?