Web Application Obfuscation

CHAPTER 3 JavaScript and VBScript

escapes within strings and regular expressions. In this case, the Unicode refers to the string rather than the variable reference. To use these strings for obfuscation we need to evaluate the result of the strings using JavaScript native functions, such as eval, Function, and setTimeout. The following code, in which we partially obfuscate the letter a, shows how to do this:

<script type="text/javascript">
alert("\u0061lert(1)")
eval("\\u0061lert(1)")
</script>

The first example in the preceding code shows the string "alert(1)". This is because the Unicode escape is being used as a string escape. The second example is confusing because the backslash is escaped, forcing the string to be sent to eval as a Unicode escape that is not converted. Because a Unicode escape is allowed in place of the letter, as in the previous snippet, the actual string sent to eval is \u0061lert(1), which calls the function.

Unicode can be used in yet another way within regular expressions. Literal expressions support the raw Unicode escape, which matches the character provided in the escape sequence. Using the RegExp constructor allows you to use string escapes as well as RegExp escapes, which allows you to encode Unicode multiple times. In addition, the RegExp object is a function in many browsers, including, at the time of this writing, Firefox, Chrome, and Opera. This allows a regular expression to be called and returned as an array which then can be used to execute obfuscated code.

Here are some examples of using regular expressions to create obfuscated code. The first line in the following code contains the string 'alert(1)' and the replace function is called. This function accepts two arguments: the regular expression to match, and, as the second argument, the function to call or a string.
<script type="text/javascript">
// deobfuscated string
'alert(1)'.replace(/alert\(1\)/,eval);
// unicode escapes
'\u0061\u006c\u0065\u0072\u0074(1)'.replace(/\u0061\u006c\u0065\u0072\u0074.+/,\u0065\u0076\u0061\u006c);
// doubled regexp unicode
\u0052\u0065\u0067\u0045\u0078\u0070('\u005c\u0075\u0030\u0030\u0036\u0031\u005c\u0075\u0030\u0030\u0036\u0063\u005c\u0075\u0030\u0030\u0036\u0035\u005c\u0075\u0030\u0030\u0037\u0032\u005c\u0075\u0030\u0030\u0037\u0034\u0028\u0031\u0029')['\u0073\u006f\u0075\u0072\u0063\u0065'].\u0072\u0065\u0070\u006c\u0061\u0063\u0065(\u0052\u0065\u0067\u0045\u0078\u0070('\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0036\u005c\u0075\u0030\u0030\u0033\u0031\u005c\u0075\u0030\u0030\u0035\u0063
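
An added example, not code from the book: a filter-side normaliser that undoes the string-escape and Unicode-escape layers described above before a signature is applied, showing that a raw-text match misses each escaped form. The signature, the function names and the sample strings are constructed for illustration, and only the "\\" and "\uXXXX" escapes are handled.

```javascript
// Added example: normalise \uXXXX escapes before signature matching.
// SIGNATURE and SAMPLES are constructed for illustration.
const SIGNATURE = /\balert\s*\(/;

// Undo one layer of escaping the way a string-literal parser would:
// "\\" becomes "\", and "\uXXXX" becomes the character it names.
function decodeLayer(src) {
  return src.replace(/\\(?:\\|u([0-9a-fA-F]{4}))/g, (match, hex) =>
    hex === undefined ? "\\" : String.fromCharCode(parseInt(hex, 16)));
}

// Decode until the text stops changing, so escapes that only appear once
// an earlier layer is removed are resolved too. maxLayers bounds the work.
function normalize(src, maxLayers = 8) {
  let text = src;
  for (let layers = 0; layers < maxLayers; layers++) {
    const next = decodeLayer(text);
    if (next === text) return { text, layers };
    text = next;
  }
  return { text, layers: maxLayers };
}

// Compare what a raw-text filter sees with what it sees after normalisation.
function scan(src) {
  const { text, layers } = normalize(src);
  return {
    rawHit: SIGNATURE.test(src),
    normalizedHit: SIGNATURE.test(text),
    layers,
    text,
  };
}

// String.raw keeps the backslashes exactly as they would appear in page source.
const SAMPLES = [
  String.raw`\u0061lert(1)`,                               // escaped identifier
  String.raw`eval("\\u0061lert(1)")`,                      // escaped backslash, resolved by eval
  String.raw`\u005c\u0075\u0030\u0030\u0036\u0031lert(1)`, // escape that spells out an escape
  String.raw`console.log("caf\u00e9")`,                    // benign use of an escape
];

for (const sample of SAMPLES) {
  const r = scan(sample);
  console.log(`${sample} -> raw=${r.rawHit} normalized=${r.normalizedHit} layers=${r.layers}`);
}
```

A layer count above 1 is itself a useful signal, since ordinary scripts rarely need an escape sequence that decodes to another escape sequence.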