Remove Obfuscated Code [20081221b]
Dec. 22, 2008, 06:56 AM
Post: #30
RE: Remove Obfuscated Code [20081221a]
(Dec. 21, 2008 12:10 PM) DarthTrader Wrote: Here's what I came up with last night:
Code:
[Patterns]
Name = "<script>: Remove Obfuscated Code [20081220b dt]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Bounds = "$NEST(<script,</script*>)"
Limit = 32767
Match = "*(\\([0-7]+{1,3}&&[#000:377])"
        "|(%|\\x)([a-f0-9])+{2}"
        "|(%|\\)u([a-f0-9])+{4}"
        ")+{5,*}*"
Replace = "$ALERT(Script with obfuscated code surgically removed from:\r\n\r\n\u\r\n\r\n)"
There are a few things I do not understand about the match. Why is the range of the first item matched from 0 to 377? What character has a code of 377?
In the second line, why are there 2 backslashes before the x? I know that \x is a command prefix, but why the extra backslash?
In the third line, why is the u not inside the first set of parentheses?
Why are you trying to match at least 5 of the expressions and no less?
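The three escape forms and the "5 or more" threshold from the quoted match, rewritten as Python regexes so their behaviour can be checked on sample input. This is an added example, not DarthTrader's filter or Proxomitron code; the sample script fragments and the helper names are constructed for it.

```python
import re

# Python translation of the three escape forms in the quoted Proxomitron match
# (added example, not the forum's own filter). Octal form: backslash plus 1-3
# octal digits whose value is at most \377, the highest single-byte value.
OCTAL_ESC = r"\\(?:[0-3][0-7]{2}|[0-7]{1,2})"
# Hex form: "%" or "\x" followed by exactly two hex digits.
HEX_ESC = r"(?:%|\\x)[0-9a-f]{2}"
# Unicode form: "%u" or "\u" followed by exactly four hex digits.
UNI_ESC = r"(?:%|\\)u[0-9a-f]{4}"
SINGLE_ESC = re.compile(f"(?:{OCTAL_ESC}|{HEX_ESC}|{UNI_ESC})", re.IGNORECASE)

def escape_runs(text):
    """Lengths of every run of back-to-back escape sequences in text."""
    runs, pos, count = [], 0, 0
    while pos < len(text):
        m = SINGLE_ESC.match(text, pos)
        if m:                      # one more escape glued to the current run
            count += 1
            pos = m.end()
        else:                      # run broken by a normal character
            if count:
                runs.append(count)
            count, pos = 0, pos + 1
    if count:
        runs.append(count)
    return runs

def longest_escape_run(text):
    runs = escape_runs(text)
    return max(runs) if runs else 0

def is_obfuscated(text, threshold=5):
    """Mirror the filter's '+{5,*}': flag only when 5 or more escapes touch."""
    return longest_escape_run(text) >= threshold

# Constructed sample script fragments (not taken from the thread).
SAMPLES = {
    "unescape": 'document.write(unescape("%3c%73%63%72%69%70%74%3e"));',
    "hex": 'var s = "\\x41\\x42\\x43\\x44\\x45";',
    "octal": 'var o = "\\101\\102\\103\\104\\105";',
    "mixed": 'var m = "\\x41%42\\u0043\\103%u0044";',
    "unicode": 'var u = "\\u0041\\u0042";',
    "plain_url": 'var href = "http://example.invalid/a%20b";',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name:10} longest run={longest_escape_run(src)} flagged={is_obfuscated(src)}")
```

Short runs such as a single `%20` in a URL or a two-character `\u` string stay below the threshold, which is the point of the `{5,*}` repeat count.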