Tout commence sur un site de téléphonie. Un pop-under surgit, alors que j'ai bien activé AdblockPlus.
Le pop-under en question vient de gestionpub.com, et ils définissent un pop under, ou site under, comme ceci:
Le site under, un format bien spécifique
Le site under est une page, le plus souvent la page
d’accueil d’un site annonceur, qui s’affiche en dessous de la page visitée.
Elle apparait donc après la fermeture de la fenêtre de navigation, ce qui évite de perturber l'internaute.
Jugé parfois trop intrusif à cause de mauvaises pratiques,
l’efficacité du site under n’est désormais plus à démontrer. Plus impactant
visuellement qu’une bannière classique, son plébiscite auprès des grands
annonceurs est aujourd’hui indéniable.
Ça tombe bien, j’étais un peu nostalgique de la fin des années 90, lorsque à la moindre visite sur un site, une multitude de pop-ups à peine envahissants, venaient recouvrir la totalité de l’écran.
Je laisse les publicitaires dans leur doux rêve d'efficacité; aujourd'hui la plupart des gens utilisent une fenêtre avec des onglets multiples, ce qui rend ce système un peu obsolète. Mais l'important, c'est qu'ils continuent d'y croire. Pendant ce temps, ils ont l'impression d’être efficaces.
Je vais donc voir dans le code source de la page, et je tombe sur ceci:
<script language="javascript" type="text/javascript">
if((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPad/i)) || (navigator.userAgent.match(/iPod/i)))
{
document.write("");}
else
{
document.write('<sc' + 'ript type="text/javascript" >var _0xe25e=["\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65","\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x6C\x6F\x61\x64\x65\x64","\x63\x6F\x6D\x70\x6C\x65\x74\x65","\x6F\x6E\x6C\x6F\x61\x64","\x73\x72\x63","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65"];function loadScript(_0xc1d7x2,_0xc1d7x3){var _0xc1d7x4=document[_0xe25e[1]](_0xe25e[0]);_0xc1d7x4[_0xe25e[2]]=_0xe25e[3];if(_0xc1d7x4[_0xe25e[4]]){_0xc1d7x4[_0xe25e[5]]=function (){if(_0xc1d7x4[_0xe25e[4]]==_0xe25e[6]||_0xc1d7x4[_0xe25e[4]]==_0xe25e[7]){_0xc1d7x4[_0xe25e[5]]=null;_0xc1d7x3();} ;} ;} else {_0xc1d7x4[_0xe25e[8]]=function (){_0xc1d7x3();} ;} ;_0xc1d7x4[_0xe25e[9]]=_0xc1d7x2;document[_0xe25e[12]](_0xe25e[11])[0][_0xe25e[10]](_0xc1d7x4);} ; loadScript("/includes/MediaSiteUnderV301.js", function(){_gpUnder.init("http://a01.gestionpub.com/GP1c44ca2461d65d045/?out=html",0,0,0,1,1,1,0,0,0,\'14215\');});</sc' + 'ript>');
}
On s'aperçoit déjà qu'un quick fix peut être de se faire passer pour un iPhone sur le site sur lequel on a trouvé ce genre d'horreur (le script teste navigator.userAgent et n'écrit rien pour un iPhone, un iPad ou un iPod).
Après un petit reformatage, on obtient ceci:
<script language="javascript" type="text/javascript">
if((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPad/i)) || (navigator.userAgent.match(/iPod/i)))
{
document.write("");}
else {
document.write('<sc'
+ 'ript type="text/javascript" >' +
'var _0xe25e=["\x73\x63\x72\x69\x70\x74",
"\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74",
"\x74\x79\x70\x65",
"\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74",
"\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65",
"\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65",
"\x6C\x6F\x61\x64\x65\x64",
"\x63\x6F\x6D\x70\x6C\x65\x74\x65",
"\x6F\x6E\x6C\x6F\x61\x64",
"\x73\x72\x63",
"\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64",
"\x68\x65\x61\x64",
"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65"];'
+ 'function loadScript(_0xc1d7x2,_0xc1d7x3){'
+'var _0xc1d7x4=document[_0xe25e[1]](_0xe25e[0]);_0xc1d7x4[_0xe25e[2]]=_0xe25e[3];'
+'if(_0xc1d7x4[_0xe25e[4]])'
+'{_0xc1d7x4[_0xe25e[5]]='
+'function (){if(_0xc1d7x4[_0xe25e[4]]==_0xe25e[6]||_0xc1d7x4[_0xe25e[4]]==_0xe25e[7])'
+'{_0xc1d7x4[_0xe25e[5]]=null;_0xc1d7x3();} ;} ;} '
+'else {_0xc1d7x4[_0xe25e[8]]=function (){_0xc1d7x3();} ;} ;'
+'_0xc1d7x4[_0xe25e[9]]=_0xc1d7x2;'
+'document[_0xe25e[12]](_0xe25e[11])[0][_0xe25e[10]](_0xc1d7x4);} ; '
+'loadScript("/includes/MediaSiteUnderV301.js",'
+' function(){_gpUnder.init("http://a01.gestionpub.com/GP1c44ca2461d65d045/?out=html",0,0,0,1,1,1,0,0,0,\'14215\');});</sc'
+ 'ript>');
}
L'obfuscation est l'art de rendre un code source plus difficile à comprendre par l'utilisation de différentes techniques, telles que l'encodage en hexadécimal des chaînes de caractères.
C'est de l'obfuscation classique, sans talent, avec un bête document.write, suivi de la liste des codes ASCII sous forme hexadécimale. Le découpage de la balise en '<sc' + 'ript' évite notamment que le '</script>' contenu dans la chaîne ne ferme prématurément le bloc script englobant.
Pour inverser le processus, c'est facile: il suffit d'exécuter le Javascript, jusqu'au moment où il n'y a plus de code obfusqué (à faire dans un navigateur isolé ou une machine virtuelle, puisqu'on exécute du code dont on ne connaît pas encore le comportement). Mais qu'est-ce qui se cache derrière tout ça? Quel est le but final? Probablement de ne pas se faire bloquer par les logiciels standard tels que AdblockPlus. Car le code Javascript en lui-même n'a rien d'excitant, et je ne pense pas qu'ils font cela pour espérer protéger leur propriété intellectuelle.
Commençons donc par inverser cette première chaine. Ce qui n'est pas lisible directement est le contenu de la variable _0xe25e. On commence par créer un document HTML avec ce code source:
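<html>
<head>
<title>Desobfuscation Javascript</title>
<script type="text/javascript">
// Dictionary copied verbatim from the obfuscated page. The \xNN escapes are
// decoded by the JavaScript parser when it reads these literals, so none of
// the ad script's own code has to run to recover the strings.
// (A quoted string may not contain a raw line break, so the array is written
// as a real array literal, one entry per line, instead of one long string.)
var _0xe25e = [
  "\x73\x63\x72\x69\x70\x74",
  "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74",
  "\x74\x79\x70\x65",
  "\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74",
  "\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65",
  "\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65",
  "\x6C\x6F\x61\x64\x65\x64",
  "\x63\x6F\x6D\x70\x6C\x65\x74\x65",
  "\x6F\x6E\x6C\x6F\x61\x64",
  "\x73\x72\x63",
  "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64",
  "\x68\x65\x61\x64",
  "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65"
];

// Display the decoded dictionary in the page body as plain text.
function nouveauContenu() {
  var sortie = document.createElement("pre");
  // textContent rather than document.write: the decoded strings come from an
  // untrusted script and must be shown as text, never parsed as markup.
  sortie.textContent = "var _0xe25e=" + JSON.stringify(_0xe25e);
  document.body.appendChild(sortie);
}
</script>
</head>
<body onload="nouveauContenu();">
</body>
</html>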
On lance un navigateur avec ce document à interpréter, et on obtient cette chaîne:
var _0xe25e=["script","createElement","type","text/javascript","readyState","onreadystatechange","loaded","complete","onload","src","appendChild","head","getElementsByTagName"]
On a donc affaire à une forme de compression avec l'utilisation d'un dictionnaire.
Pas si mal pour des publicitaires.. Je rigole, je sais bien qu'ils ont payé un développeur sans scrupules pour faire ceci.
Revenons au code source:
Voici à quoi ressemble maintenant le script en Javascript, vu du navigateur:
var _0xe25e=["script","createElement",
"type","text/javascript",
"readyState","onreadystatechange",
"loaded","complete","onload","src",
"appendChild","head",
"getElementsByTagName"];
function loadScript(_0xc1d7x2,_0xc1d7x3)
{var _0xc1d7x4=document[_0xe25e[1]](_0xe25e[0]);
_0xc1d7x4[_0xe25e[2]]=_0xe25e[3];
if(_0xc1d7x4[_0xe25e[4]]){_0xc1d7x4[_0xe25e[5]]=
function ()
{if(_0xc1d7x4[_0xe25e[4]]==_0xe25e[6]||_0xc1d7x4[_0xe25e[4]]==_0xe25e[7])
{_0xc1d7x4[_0xe25e[5]]=null;_0xc1d7x3();} ;} ;}
else {_0xc1d7x4[_0xe25e[8]]=function (){_0xc1d7x3();} ;} ;
_0xc1d7x4[_0xe25e[9]]=_0xc1d7x2;
document[_0xe25e[12]](_0xe25e[11])[0][_0xe25e[10]](_0xc1d7x4);} ;
loadScript("/includes/MediaSiteUnderV301.js",
function(){
_gpUnder.init("http://a01.gestionpub.com/GP1c44ca2461d65d045/?out=html",
0,0,0,1,1,1,0,0,0,\'14215\');});
Que fait la fonction loadScript? Pour le savoir, il faut comprendre qu'elle a d'abord été imprimée dans le document avant d'être interprétée.
Créons un fichier texte (keywords0) avec un mot du dictionnaire par ligne:
"script",
"createElement",
"type",
"text/javascript",
"readyState",
"onreadystatechange",
"loaded",
"complete",
"onload",
"src",
"appendChild",
"head",
"getElementsByTagName"]
Puis un coup de awk va permettre de créer un script qui reconstitue la fonction initiale:
$ cat keywords.0.txt | awk 'BEGIN{print "#!/usr/bin/sed -f"} {str = str "s+_0xe25e\\["NR-1 "\\]+" substr($0,1,length($0)-1) "+g\n";} END {print str;}' > script.sed
$ cat script.sed
s+_0xe25e\[0\]+"script"+g
s+_0xe25e\[1\]+"createElement"+g
s+_0xe25e\[2\]+"type"+g
s+_0xe25e\[3\]+"text/javascript"+g
s+_0xe25e\[4\]+"readyState"+g
s+_0xe25e\[5\]+"onreadystatechange"+g
s+_0xe25e\[6\]+"loaded"+g
s+_0xe25e\[7\]+"complete"+g
s+_0xe25e\[8\]+"onload"+g
s+_0xe25e\[9\]+"src"+g
s+_0xe25e\[10\]+"appendChild"+g
s+_0xe25e\[11\]+"head"+g
s+_0xe25e\[12\]+"getElementsByTagName"+g
On a la liste des substitutions à effectuer pour retrouver le code initial:
$ cat obf | ./script.sed
function loadScript(_0xc1d7x2,_0xc1d7x3)
{var _0xc1d7x4=document["createElement"]("script");
_0xc1d7x4["type"]="text/javascript";
if(_0xc1d7x4["readyState"]){_0xc1d7x4["onreadystatechange"]=
function ()
{if(_0xc1d7x4["readyState"]=="loaded"||_0xc1d7x4["readyState"]=="complete")
{_0xc1d7x4["onreadystatechange"]=null;_0xc1d7x3();} ;} ;}
else {_0xc1d7x4["onload"]=function (){_0xc1d7x3();} ;} ;
_0xc1d7x4["src"]=_0xc1d7x2;
document["getElementsByTagName"]("head")[0]["appendChild"](_0xc1d7x4);} ;
loadScript("/includes/MediaSiteUnderV301.js",
function(){
_gpUnder.init("http://a01.gestionpub.com/GP1c44ca2461d65d045/?out=html",
0,0,0,1,1,1,0,0,0,\'14215\');});
Les noms des variables ont disparu, il faut donc remettre un peu de sens dans cela:
_0xc1d7x4 -> theScript, et on renomme les arguments de loadScript pour mieux les comprendre.
On a donc maintenant ceci:
/**
 * Inject a <script> element into the page's <head> and run a callback once
 * the script has finished loading.
 *
 * @param {string} argument0 - Value assigned to the new element's `src`
 *   (the address of the script to load).
 * @param {Function} argument1 - Called with no arguments after loading.
 */
function loadScript(argument0, argument1) {
  var theScript = document.createElement("script");
  theScript.type = "text/javascript";

  if (theScript.readyState) {
    // The element exposes readyState: wait until it reports a final state,
    // then drop the handler so the callback fires only once.
    theScript.onreadystatechange = function () {
      var state = theScript.readyState;
      if (state == "loaded" || state == "complete") {
        theScript.onreadystatechange = null;
        argument1();
      }
    };
  } else {
    // No readyState on the element: rely on the load event instead.
    theScript.onload = function () {
      argument1();
    };
  }

  // Setting src and attaching the element is what triggers the download.
  theScript.src = argument0;
  document.getElementsByTagName("head")[0].appendChild(theScript);
}
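// Load the pop-under library through a relative URL (same origin as the
// visited page), then start it once it is available.
// Going by the init definition in MediaSiteUnderV301.js shown further down the
// page, the arguments are, in order: utc (here the ad URL), type=0, width=0,
// height=0, position=1, alignH=1, alignV=1, bypass=0, delivery=0, interval=0,
// id='14215'.
loadScript("/includes/MediaSiteUnderV301.js", function () {
  _gpUnder.init(
    "http://a01.gestionpub.com/GP1c44ca2461d65d045/?out=html",
    0, 0, 0, 1, 1, 1, 0, 0, 0,
    // Was written \'14215\' only because this code originally sat inside a
    // single-quoted document.write string; outside that string the
    // backslashes are a syntax error.
    '14215'
  );
});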
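On voit que argument0 est le texte d'une fonction Javascript (plus précisément l'URL du fichier qui la contient, affectée à l'attribut src), argument1 étant la fonction appelée une fois ce fichier chargé. Je ne m'attarde pas sur ces fonctions, c'est juste du boilerplate pour mettre en place l'appel à la fonction prise ici: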
/includes/MediaSiteUnderV301.js
Voici son code source: (une très grande ligne)
var _0x948c=["","\x75\x74\x63","\x74\x79\x70\x65","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x70\x6F\x73\x69\x74\x69\x6F\x6E","\x61\x6C\x69\x67\x6E\x48","\x61\x6C\x69\x67\x6E\x56","\x62\x79\x70\x61\x73\x73","\x64\x65\x6C\x69\x76\x65\x72\x79","\x69\x6E\x74\x65\x72\x76\x61\x6C","\x73\x61\x66\x61\x72\x69","\x69\x6E\x64\x65\x78\x4F\x66","\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x69\x64","\x2D","\x73\x70\x6C\x69\x74","\x72\x65\x6E\x64\x65\x72","\x68\x6F\x6F\x6B\x55\x6E\x6C\x6F\x61\x64","\x64\x65\x6C\x61\x79\x52\x65\x6E\x64\x65\x72","\x72\x65\x6E\x64\x65\x72\x45\x76\x65\x6E\x74\x73","\x63\x68\x72\x6F\x6D\x65","\x6F\x70\x65\x6E\x57\x69\x6E\x64\x6F\x77","\x63\x61\x70\x74\x75\x72\x65\x45\x76\x65\x6E\x74","\x6F\x76\x65\x72\x72\x69\x64\x65\x4C\x69\x6E\x6B\x73","\x64\x65\x6C\x65\x74\x65\x45\x76\x65\x6E\x74\x73","\x6F\x6E\x6B\x65\x79\x64\x6F\x77\x6E","\x68\x6F\x6F\x6B\x43\x6C\x69\x63\x6B","\x6F\x6E\x6D\x6F\x75\x73\x65\x64\x6F\x77\x6E","\x6F\x6E\x62\x65\x66\x6F\x72\x65\x75\x6E\x6C\x6F\x61\x64","\x63\x6C\x69\x63\x6B\x65\x64","\x5F\x67\x70\x55\x6E\x64\x65\x72\x2E\x63\x6C\x69\x63\x6B\x65\x64\x3D\x66\x61\x6C\x73\x65","\x5F\x67\x70\x55\x6E\x64\x65\x72\x2E\x72\x65\x6E\x64\x65\x72\x28\x29","\x6D\x73\x69\x65\x20\x38\x2E\x30","\x49\x45\x38","\x66\x69\x72\x65\x66\x6F\x78","\x63\x68\x61\x72\x41\x74","\x69\x6E\x69\x74","\x69\x73\x4F\x70\x65\x6E","\x67\x65\x74\x42\x6F\x75\x6E\x64","\x67\x65\x74\x46\x46\x56\x65\x72\x73\x69\x6F\x6E","\x61\x62\x6F\x75\x74\x3A\x62\x6C\x61\x6E\x6B","\x22\x74\x6F\x70\x3D\x35\x30\x30\x2C","\x6C\x65\x66\x74\x3D\x33\x30\x30\x30\x2C","\x77\x69\x64\x74\x68\x3D\x31\x30\x2C","\x68\x65\x69\x67\x68\x74\x3D\x31\x30","\x2C\x73\x63\x72\x6F\x6C\x6C\x62\x61\x72\x73\x3D\x31\x2C\x72\x65\x73\x69\x7A\x61\x62\x6C\x65\x3D\x31\x2C\x74\x6F\x6F\x6C\x62\x61\x72\x3D\x30\x2C\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x3D\x31\x2C\x6D\x65\x6E\x75\x62\x61\x72\x3D\x30\x2C\x73\x74\x61\x74\x75\x73\x3D\x31\x2C\x64\x69\x72\x65\x63\x74\x6F\x72\x69\x65\x73\
x3D\x31\x22","\x2C\x72\x65\x73\x69\x7A\x61\x62\x6C\x65\x3D\x31","\x6F\x70\x65\x6E","\x70\x75\x50\x6F\x70","\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x77\x69\x6E\x64\x6F\x77\x2E\x63\x6C\x6F\x73\x65\x28\x29","\x64\x69\x61\x6C\x6F\x67\x74\x6F\x70\x3A\x33\x30\x30\x30\x3B\x64\x69\x61\x6C\x6F\x67\x6C\x65\x66\x74\x3A\x33\x30\x30\x30\x3B\x64\x69\x61\x6C\x6F\x67\x57\x69\x64\x74\x68\x3A\x31\x30\x3B\x64\x69\x61\x6C\x6F\x67\x48\x65\x69\x67\x68\x74\x3A\x31\x30","\x73\x68\x6F\x77\x4D\x6F\x64\x61\x6C\x44\x69\x61\x6C\x6F\x67","\x72\x65\x73\x69\x7A\x65\x54\x6F","\x6D\x6F\x76\x65\x54\x6F","\x65\x72\x72\x65\x75\x72\x20\x3A\x20","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x64\x6F\x63\x75\x6D\x65\x6E\x74","\x22\x74\x6F\x70\x3D","\x2C","\x6C\x65\x66\x74\x3D","\x77\x69\x64\x74\x68\x3D","\x68\x65\x69\x67\x68\x74\x3D","\x62\x6C\x75\x72","\x66\x6F\x63\x75\x73","\x77\x72\x69\x74\x65","\x77\x69\x6E\x64\x6F\x77","\x63\x6C\x6F\x73\x65\x64","\x5F\x67\x70\x55\x6E\x64\x65\x72\x5F\x69\x73\x4F\x70\x65\x6E","\x31","\x77\x72\x69\x74\x65\x43\x6F\x6F\x6B\x69\x65","\x63\x6C\x69\x63\x6B","\x5F\x67\x70\x55\x6E\x64\x65\x72\x2E\x72\x65\x6E\x64\x65\x72\x45\x76\x65\x6E\x74\x73\x28\x29","\x6D\x73\x69\x65","\x6F\x6E","\x64\x65\x74\x61\x63\x68\x45\x76\x65\x6E\x74","\x62\x6F\x64\x79","\x64\x6F\x63\x75\x6D\x65\x6E\x74\x45\x6C\x65\x6D\x65\x6E\x74","\x72\x65\x6D\x6F\x76\x65\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72","\x6C\x6F\x61\x64","\x73\x68\x6F\x77\x4D\x6F\x64\x65\x6C\x65\x73\x73\x44\x69\x61\x6C\x6F\x67","\x75\x6E\x64\x65\x66\x69\x6E\x65\x64","\x64\x69\x61\x6C\x6F\x67\x54\x6F\x70\x3A","\x70\x78\x3B","\x64\x69\x61\x6C\x6F\x67\x4C\x65\x66\x74\x3A","\x64\x69\x61\x6C\x6F\x67\x57\x69\x64\x74\x68\x3A","\x64\x69\x61\x6C\x6F\x67\x48\x65\x69\x67\x68\x74\x3A","\x70\x78","\x61\x74\x74\x61\x63\x68\x45\x76\x65\x6E\x74","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72","\x61","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x6C\x65\x6E\x67\x74\x68","\
x6F\x6E\x63\x6C\x69\x63\x6B","\x74\x61\x72\x67\x65\x74","\x63\x61\x6C\x6C\x62\x61\x63\x6B","\x61\x64\x64\x4C\x6F\x61\x64\x45\x76\x65\x6E\x74","\x6F\x6E\x6C\x6F\x61\x64","\x66\x75\x6E\x63\x74\x69\x6F\x6E","\x63\x6F\x6F\x6B\x69\x65","\x3D","\x3B\x70\x61\x74\x68\x3D\x2F","\x3B","\x73\x75\x62\x73\x74\x72\x69\x6E\x67","\x67\x65\x74\x43\x6F\x6F\x6B\x69\x65\x56\x61\x6C","\x20","\x72\x65\x61\x64\x43\x6F\x6F\x6B\x69\x65","\x61\x76\x61\x69\x6C\x57\x69\x64\x74\x68","\x61\x76\x61\x69\x6C\x48\x65\x69\x67\x68\x74","\x6F\x75\x74\x65\x72\x57\x69\x64\x74\x68","\x66\x72\x61\x6D\x65\x73","\x6F\x75\x74\x65\x72\x48\x65\x69\x67\x68\x74","\x73\x63\x72\x65\x65\x6E\x54\x6F\x70","\x73\x63\x72\x65\x65\x6E\x4C\x65\x66\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64"];var _gpUnder=_gpUnder||{};_gpUnder={major:3,minor:3,window:null,clicked:false,index:0,utc:_0x948c[0],width:0,height:0,type:0,position:1,alignH:1,alignV:2,bypass:0,delivery:0,interval:10000,id:6541,init:function(_0xb8e8x2,_0xb8e8x3,_0xb8e8x4,_0xb8e8x5,_0xb8e8x6,_0xb8e8x7,_0xb8e8x8,_0xb8e8x9,_0xb8e8xa,_0xb8e8xb,_0xb8e8xc){this[_0x948c[1]]=_0xb8e8x2;this[_0x948c[2]]=_0xb8e8x3;this[_0x948c[3]]=_0xb8e8x4;this[_0x948c[4]]=_0xb8e8x5;this[_0x948c[5]]=_0xb8e8x6;this[_0x948c[6]]=_0xb8e8x7;this[_0x948c[7]]=_0xb8e8x8;this[_0x948c[8]]=_0xb8e8x9;this[_0x948c[9]]=_0xb8e8xa;this[_0x948c[10]]=_0xb8e8xb;if(navigator[_0x948c[14]][_0x948c[13]]()[_0x948c[12]](_0x948c[11])>0){this[_0x948c[15]]=_0xb8e8xc[_0x948c[17]](_0x948c[16])[0]}else{this[_0x948c[15]]=_0xb8e8xc}switch(this[_0x948c[9]]){case 0:this[_0x948c[18]]();break;case 1:this[_0x948c[19]]();break;case 2:this[_0x948c[20]]();break;case 3:this[_0x948c[21]]();break;}},render:function(){var 
_0xb8e8xd=navigator[_0x948c[14]][_0x948c[13]]()[_0x948c[12]](_0x948c[22])>-1;if(!_0xb8e8xd){this[_0x948c[23]]()}this[_0x948c[24]]();this[_0x948c[25]]()},renderEvents:function(){_gpUnder[_0x948c[26]]();_gpUnder[_0x948c[23]]()},hookUnload:function(){document[_0x948c[27]]=this[_0x948c[28]];document[_0x948c[29]]=this[_0x948c[28]];window[_0x948c[30]]=function(){if(!_gpUnder[_0x948c[31]]){_gpUnder[_0x948c[18]]()}}},hookClick:function(){_gpUnder[_0x948c[31]]=true;setTimeout(_0x948c[32],2000)},delayRender:function(){setTimeout(_0x948c[33],this[_0x948c[10]])},getBrowser:function(){var _0xb8e8xe=navigator[_0x948c[14]][_0x948c[13]]();if(_0xb8e8xe[_0x948c[12]](_0x948c[34])>1){return _0x948c[35]}return null},getFFVersion:function(){var _0xb8e8xf=navigator[_0x948c[14]][_0x948c[13]]();var _0xb8e8x10=_0xb8e8xf[_0x948c[12]](_0x948c[36]);return _0xb8e8xf[_0x948c[37]](_0xb8e8x10+8)},callback:function(){_gpUnder[_0x948c[38]](_gpUnder[_0x948c[1]],_gpUnder[_0x948c[2]],_gpUnder[_0x948c[3]],_gpUnder[_0x948c[4]],_gpUnder[_0x948c[5]],_gpUnder[_0x948c[6]],_gpUnder[_0x948c[7]],0,3,0,_gpUnder[_0x948c[15]])},openWindow:function(){if(this[_0x948c[8]]&1){return}if(this[_0x948c[39]]()){return}var _0xb8e8x11=this[_0x948c[40]]();var 
_0xb8e8x12;if(this[_0x948c[41]]()>3){if(this[_0x948c[41]]()<7){_0xb8e8x12=window[_0x948c[49]](_0x948c[42],_0x948c[0],_0x948c[43]+_0x948c[44]+_0x948c[45]+_0x948c[46]+((this[_0x948c[2]]==0)?_0x948c[47]:_0x948c[48]));if(_0xb8e8x12!=null){_0xb8e8x12[_0x948c[50]]=function(_0xb8e8x13){try{window[_0x948c[53]](_0x948c[51],null,_0x948c[52]);_0xb8e8x12[_0x948c[54]](_0xb8e8x11[2],_0xb8e8x11[3]);_0xb8e8x12[_0x948c[55]](_0xb8e8x11[0],_0xb8e8x11[1])}catch(e){alert(_0x948c[56])}this[_0x948c[59]][_0x948c[58]][_0x948c[57]]=_0xb8e8x13};_0xb8e8x12[_0x948c[50]](this[_0x948c[1]]);_0xb8e8x12[_0x948c[54]](_0xb8e8x11[2],_0xb8e8x11[3]);_0xb8e8x12[_0x948c[55]](_0xb8e8x11[0],_0xb8e8x11[1])}}else{_0xb8e8x12=window[_0x948c[49]](_0x948c[42],_0x948c[0],_0x948c[60]+_0xb8e8x11[0]+_0x948c[61]+_0x948c[62]+_0xb8e8x11[1]+_0x948c[61]+_0x948c[63]+_0xb8e8x11[2]+_0x948c[61]+_0x948c[64]+_0xb8e8x11[3]+((this[_0x948c[2]]==0)?_0x948c[47]:_0x948c[48]));if(_0xb8e8x12!=null){_0xb8e8x12[_0x948c[50]]=function(_0xb8e8x13){try{window[_0x948c[53]](_0x948c[51],null,_0x948c[52]);_0xb8e8x12[_0x948c[54]](_0xb8e8x11[2],_0xb8e8x11[3]);_0xb8e8x12[_0x948c[55]](_0xb8e8x11[0],_0xb8e8x11[1])}catch(e){}this[_0x948c[59]][_0x948c[58]][_0x948c[57]]=_0xb8e8x13};_0xb8e8x12[_0x948c[50]](this[_0x948c[1]]);_0xb8e8x12[_0x948c[54]](_0xb8e8x11[2],_0xb8e8x11[3]);_0xb8e8x12[_0x948c[55]](_0xb8e8x11[0],_0xb8e8x11[1])}}}else{_0xb8e8x12=window[_0x948c[49]](((this[_0x948c[2]]==0)?this[_0x948c[1]]:_0x948c[42]),_0x948c[0],_0x948c[60]+_0xb8e8x11[0]+_0x948c[61]+_0x948c[62]+_0xb8e8x11[1]+_0x948c[61]+_0x948c[63]+_0xb8e8x11[2]+_0x948c[61]+_0x948c[64]+_0xb8e8x11[3]+((this[_0x948c[2]]==0)?_0x948c[47]:_0x948c[48]))}if(_0xb8e8x12==null){return}if(this[_0x948c[5]]==1){_0xb8e8x12[_0x948c[65]]();window[_0x948c[66]]()}if(this[_0x948c[2]]==1){_0xb8e8x12[_0x948c[59]][_0x948c[67]](this[_0x948c[1]])}this[_0x948c[68]]=_0xb8e8x12;if(!this[_0x948c[68]][_0x948c[69]]){this[_0x948c[72]](_0x948c[70]+this[_0x948c[15]],_0x948c[71])}},deleteEvents:function(){var 
_0xb8e8x14=_0x948c[73];var _0xb8e8x15=_0x948c[74];var _0xb8e8x16=navigator[_0x948c[14]][_0x948c[13]]()[_0x948c[12]](_0x948c[75])!=-1;if(_0xb8e8x16){try{window[_0x948c[59]][_0x948c[78]][_0x948c[77]](_0x948c[76]+_0xb8e8x14,function(){_gpUnder[_0x948c[21]]()});window[_0x948c[59]][_0x948c[79]][_0x948c[77]](_0x948c[76]+_0xb8e8x14,function(){_gpUnder[_0x948c[21]]()})}catch(e){}}else{try{window[_0x948c[59]][_0x948c[78]][_0x948c[80]](_0xb8e8x14,_gpUnder[_0x948c[21]],false);window[_0x948c[59]][_0x948c[79]][_0x948c[80]](_0xb8e8x14,_gpUnder[_0x948c[21]])}catch(e){}}_0xb8e8x14=_0x948c[81];if(_0xb8e8x16){try{window[_0x948c[59]][_0x948c[78]][_0x948c[77]](_0x948c[76]+_0xb8e8x14,function(){_gpUnder[_0x948c[21]]()});window[_0x948c[59]][_0x948c[79]][_0x948c[77]](_0x948c[76]+_0xb8e8x14,function(){_gpUnder[_0x948c[21]]()})}catch(e){}}else{try{window[_0x948c[59]][_0x948c[78]][_0x948c[80]](_0xb8e8x14,_gpUnder[_0x948c[21]],false);window[_0x948c[59]][_0x948c[79]][_0x948c[80]](_0xb8e8x14,_gpUnder[_0x948c[21]])}catch(e){}}},openDialog:function(){if(this[_0x948c[8]]&2){return}if(this[_0x948c[39]]()){return}if(typeof window[_0x948c[82]]==_0x948c[83]||this[_0x948c[2]]!=0){return}var _0xb8e8x11=this[_0x948c[40]]();try{var _0xb8e8x12=window[_0x948c[82]](this[_0x948c[1]],_0x948c[0],_0x948c[84]+_0xb8e8x11[0]+_0x948c[85]+_0x948c[86]+_0xb8e8x11[1]+_0x948c[85]+_0x948c[87]+_0xb8e8x11[2]+_0x948c[85]+_0x948c[88]+_0xb8e8x11[3]+_0x948c[89]);this[_0x948c[68]]=true}catch(e){}},captureEvent:function(){if(this[_0x948c[8]]&16){return}if(this[_0x948c[39]]()){return}var _0xb8e8x14=_0x948c[73];var _0xb8e8x15=_0x948c[74];var 
_0xb8e8x16=navigator[_0x948c[14]][_0x948c[13]]()[_0x948c[12]](_0x948c[75])!=-1;if(_0xb8e8x16){try{window[_0x948c[59]][_0x948c[78]][_0x948c[90]](_0x948c[76]+_0xb8e8x14,function(){_gpUnder[_0x948c[21]]()});window[_0x948c[59]][_0x948c[79]][_0x948c[90]](_0x948c[76]+_0xb8e8x14,function(){_gpUnder[_0x948c[21]]()})}catch(e){}}else{try{window[_0x948c[59]][_0x948c[78]][_0x948c[91]](_0xb8e8x14,_gpUnder[_0x948c[21]],false);window[_0x948c[59]][_0x948c[79]][_0x948c[91]](_0xb8e8x14,_gpUnder[_0x948c[21]])}catch(e){}}_0xb8e8x14=_0x948c[81];if(_0xb8e8x16){try{window[_0x948c[59]][_0x948c[78]][_0x948c[90]](_0x948c[76]+_0xb8e8x14,function(){_gpUnder[_0x948c[21]]()});window[_0x948c[59]][_0x948c[79]][_0x948c[90]](_0x948c[76]+_0xb8e8x14,function(){_gpUnder[_0x948c[21]]()})}catch(e){}}else{try{window[_0x948c[59]][_0x948c[78]][_0x948c[91]](_0xb8e8x14,_gpUnder[_0x948c[21]],false);window[_0x948c[59]][_0x948c[79]][_0x948c[91]](_0xb8e8x14,_gpUnder[_0x948c[21]])}catch(e){}}},overrideLinks:function(){var _0xb8e8xf=navigator[_0x948c[14]][_0x948c[13]]();if(_0xb8e8xf[_0x948c[12]](_0x948c[36])>1||_0xb8e8xf[_0x948c[12]](_0x948c[22])>1){return}if(this[_0x948c[8]]&32){return}if(this[_0x948c[39]]()){return}this[_0x948c[98]](function(){var _0xb8e8x17=document[_0x948c[93]](_0x948c[92]);for(var _0xb8e8x18=0;_0xb8e8x18<_0xb8e8x17[_0x948c[94]];_0xb8e8x18++){if((typeof _0xb8e8x17[_0xb8e8x18][_0x948c[95]]==_0x948c[83]||_0xb8e8x17[_0xb8e8x18][_0x948c[95]]==null)&&_0xb8e8x17[_0xb8e8x18][_0x948c[96]]==_0x948c[0]){_0xb8e8x17[_0xb8e8x18][_0x948c[95]]=_gpUnder[_0x948c[97]]}}})},addLoadEvent:function(_0xb8e8x19){var _0xb8e8x1a=window[_0x948c[99]];if(typeof _0xb8e8x19==_0x948c[83]){return false}if(typeof window[_0x948c[99]]!=_0x948c[100]){window[_0x948c[99]]=_0xb8e8x19}else{window[_0x948c[99]]=function(){if(_0xb8e8x1a){_0xb8e8x1a()}_0xb8e8x19()}}},writeCookie:function(_0xb8e8x1b,_0xb8e8x1c){document[_0x948c[101]]=_0xb8e8x1b+_0x948c[102]+escape(_0xb8e8x1c)+_0x948c[103]},getCookieVal:function(_0xb8e8x1d){var 
_0xb8e8x1e=document[_0x948c[101]][_0x948c[12]](_0x948c[104],_0xb8e8x1d);if(_0xb8e8x1e==-1){_0xb8e8x1e=document[_0x948c[101]][_0x948c[94]]}return unescape(document[_0x948c[101]][_0x948c[105]](_0xb8e8x1d,_0xb8e8x1e))},readCookie:function(_0xb8e8x1b){var _0xb8e8x1f=_0xb8e8x1b+_0x948c[102];var _0xb8e8x20=_0xb8e8x1f[_0x948c[94]];var _0xb8e8x21=document[_0x948c[101]][_0x948c[94]];var _0xb8e8x22=0;while(_0xb8e8x22<_0xb8e8x21){var _0xb8e8x23=_0xb8e8x22+_0xb8e8x20;if(document[_0x948c[101]][_0x948c[105]](_0xb8e8x22,_0xb8e8x23)==_0xb8e8x1f){return this[_0x948c[106]](_0xb8e8x23)}_0xb8e8x22=document[_0x948c[101]][_0x948c[12]](_0x948c[107],_0xb8e8x22)+1;if(_0xb8e8x22==0){break}}return null},isOpen:function(){if(this[_0x948c[108]](_0x948c[70]+this[_0x948c[15]])!=null){return true}if(this[_0x948c[68]]==null){return false}try{if(!this[_0x948c[68]][_0x948c[69]]){this[_0x948c[72]](_0x948c[70]+this[_0x948c[15]],_0x948c[71]);return true}return!this[_0x948c[68]][_0x948c[69]]}catch(e){return false}},getBound:function(){var _0xb8e8xd=navigator[_0x948c[14]][_0x948c[13]]()[_0x948c[12]](_0x948c[22])>-1;var _0xb8e8x24=screen[_0x948c[109]];var _0xb8e8x25=screen[_0x948c[110]];_width=0;_height=0;_top=0;_left=0;if(_0xb8e8xd&&this[_0x948c[4]]==0&&this[_0x948c[3]]==0){_width=window[_0x948c[112]][_0x948c[111]];_height=window[_0x948c[112]][_0x948c[113]];_top=window[_0x948c[112]][_0x948c[114]];_left=window[_0x948c[112]][_0x948c[115]]}else{_height=this[_0x948c[4]];_width=this[_0x948c[3]];if(this[_0x948c[4]]==0&&!_0xb8e8xd){_height=_0xb8e8x25}else{if(this[_0x948c[7]]==1){_top=(screen[_0x948c[110]]-this[_0x948c[4]])/2}if(this[_0x948c[7]]==2){_top=screen[_0x948c[110]]-this[_0x948c[4]]-46}}if(this[_0x948c[3]]==0&&!_0xb8e8xd){_width=_0xb8e8x24}else{if(this[_0x948c[6]]==1){_left=(screen[_0x948c[109]]-this[_0x948c[3]])/2}if(this[_0x948c[6]]==2){_left=screen[_0x948c[109]]-this[_0x948c[3]]-10}}}return[_top,_left,_width,_height]},$:function(_0xb8e8xc){return document[_0x948c[116]](_0xb8e8xc)}};
Même principe qu'avant: un dictionnaire (var _0x948c), puis une fonction avec des variables anonymisées: _gpUnder; on a donc sous les yeux la définition de la fonction gpUnder qui se charge d'afficher les publicités dans une fenêtre sous la fenêtre de laquelle elle a été appelée. Voyons comment elle procède:
1/ Désobfuscation de var _0x948c:
Voici le dictionnaire: ( sans var
_0x948c=[ )
$ cat keywords.2.txt
"",
"utc",
"type",
"width",
"height",
"position",
"alignH",
"alignV",
"bypass",
"delivery",
"interval",
"safari",
"indexOf",
"toLowerCase",
"userAgent",
"id",
"-",
"split",
"render",
"hookUnload",
"delayRender",
"renderEvents",
"chrome",
"openWindow",
"captureEvent",
"overrideLinks",
"deleteEvents",
"onkeydown",
"hookClick",
"onmousedown",
"onbeforeunload",
"clicked",
"_gpUnder.clicked=false",
"_gpUnder.render()",
"msie 8.0",
"IE8",
"firefox",
"charAt",
"init",
"isOpen",
"getBound",
"getFFVersion",
"about:blank",
""top=500,",
"left=3000,",
"width=10,",
"height=10",
",scrollbars=1,resizable=1,toolbar=0,location=1,menubar=0,status=1,directories=1"",
",resizable=1",
"open",
"puPop",
"javascript:window.close()",
"dialogtop:3000;dialogleft:3000;dialogWidth:10;dialogHeight:10",
"showModalDialog",
"resizeTo",
"moveTo",
"erreur
:
",
"href",
"location",
"document",
""top=",
",",
"left=",
"width=",
"height=",
"blur",
"focus",
"write",
"window",
"closed",
"_gpUnder_isOpen",
"1",
"writeCookie",
"click",
"_gpUnder.renderEvents()",
"msie",
"on",
"detachEvent",
"body",
"documentElement",
"removeEventListener",
"load",
"showModelessDialog",
"undefined",
"dialogTop:",
"px;",
"dialogLeft:",
"dialogWidth:",
"dialogHeight:",
"px",
"attachEvent",
"addEventListener",
"a",
"getElementsByTagName",
"length",
"onclick",
"target",
"callback",
"addLoadEvent",
"onload",
"function",
"cookie",
"=",
";path=/",
";",
"substring",
"getCookieVal",
"
",
"readCookie",
"availWidth",
"availHeight",
"outerWidth",
"frames",
"outerHeight",
"screenTop",
"screenLeft",
"getElementById",
Il y a 117 éléments, donc ils sont indicés de 0 à 116 (confirmé par les indices utilisés dans _0x948c00).
Comme précédemment, je vais reconstituer le code source initial avec les deux mêmes scripts qu'avant.
$ cat keywords.2.txt | awk 'BEGIN{print "#!/usr/bin/sed -f"} {str = str "s+_0x948c\\["NR-1 "\\]+" substr($0,1,length($0)-1) "+g\n";} END {print str;}' > script.sed
On obtient un long script SED qui ressemble à ceci:
s+_0x948c\[0\]+""+g
s+_0x948c\[1\]+"utc"+g
s+_0x948c\[2\]+"type"+g
s+_0x948c\[3\]+"width"+g
sur 117 lignes
On l'applique sur la partie du programme à traduire, et la partie intéressante est à partir de:
$ wget http://www.francemobiles.com/includes/MediaSiteUnderV301.js
$ cat MediaSiteUnderV301.js | ./script.sed.
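Pour le rendre plus lisible, on peut utiliser jsbeautifier.org par exemple. À noter: certaines entrées du dictionnaire contiennent elles-mêmes un guillemet (par exemple "top=500,); la substitution sed les recopie telles quelles, sans les échapper, ce qui explique les appels window["open"] découpés en lignes invalides dans le résultat ci-dessous.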
var _gpUnder = _gpUnder || {};
_gpUnder = {
major: 3,
minor: 3,
window: null,
clicked: false,
index: 0,
utc: "",
width: 0,
height: 0,
type: 0,
position: 1,
alignH: 1,
alignV: 2,
bypass: 0,
delivery: 0,
interval: 10000,
id: 6541,
// init: stores its eleven positional arguments on the object, then starts the
// delivery mode selected by the ninth one.
// Argument order: utc, type, width, height, position, alignH, alignV, bypass,
// delivery, interval, id. In the call shown earlier on the page, `utc` receives
// the ad URL.
init: function (_0xb8e8x2, _0xb8e8x3, _0xb8e8x4, _0xb8e8x5, _0xb8e8x6, _0xb8e8x7, _0xb8e8x8, _0xb8e8x9, _0xb8e8xa, _0xb8e8xb, _0xb8e8xc) {
this["utc"] = _0xb8e8x2;
this["type"] = _0xb8e8x3;
this["width"] = _0xb8e8x4;
this["height"] = _0xb8e8x5;
this["position"] = _0xb8e8x6;
this["alignH"] = _0xb8e8x7;
this["alignV"] = _0xb8e8x8;
this["bypass"] = _0xb8e8x9;
this["delivery"] = _0xb8e8xa;
this["interval"] = _0xb8e8xb;
// When the lower-cased user agent contains "safari" (which Chrome's user agent
// does as well), only the part of the id before the first "-" is kept.
if (navigator["userAgent"]["toLowerCase"]()["indexOf"]("safari") > 0) {
this["id"] = _0xb8e8xc["split"]("-")[0]
} else {
this["id"] = _0xb8e8xc
}
// delivery: 0 = render now, 1 = hook the page unload, 2 = render after
// `interval` ms, 3 = go through renderEvents. Any other value does nothing.
switch (this["delivery"]) {
case 0:
this["render"]();
break;
case 1:
this["hookUnload"]();
break;
case 2:
this["delayRender"]();
break;
case 3:
this["renderEvents"]();
break;
}
},
// render: opens the ad window immediately unless the user agent contains
// "chrome", then calls captureEvent and overrideLinks in every case.
// Per the library source shown earlier on the page, captureEvent registers
// renderEvents on click and load events, so on Chrome the window is opened
// from that handler rather than from here.
render: function () {
// true when the lower-cased user agent contains "chrome"
var _0xb8e8xd = navigator["userAgent"]["toLowerCase"]()["indexOf"]("chrome") > -1;
if (!_0xb8e8xd) {
this["openWindow"]()
}
this["captureEvent"]();
this["overrideLinks"]()
},
// renderEvents: calls deleteEvents, then opens the ad window.
// Uses the global _gpUnder rather than `this`, so it still works when invoked
// as a bare event listener.
renderEvents: function () {
_gpUnder["deleteEvents"]();
_gpUnder["openWindow"]()
},
// hookUnload: delivery mode 1. Replaces the document's onkeydown and
// onmousedown handlers with hookClick and installs an onbeforeunload handler
// that calls render when the page is being left and `clicked` is false, i.e.
// no key or mouse press was recorded in the preceding two seconds.
// Assigning the on* properties overwrites any handler the host page had set.
hookUnload: function () {
document["onkeydown"] = this["hookClick"];
document["onmousedown"] = this["hookClick"];
window["onbeforeunload"] = function () {
if (!_gpUnder["clicked"]) {
_gpUnder["render"]()
}
}
},
// hookClick: marks that the user just pressed a key or mouse button and clears
// the mark two seconds later.
hookClick: function () {
_gpUnder["clicked"] = true;
// String argument: setTimeout evaluates it as code, like eval. A
// Content-Security-Policy without 'unsafe-eval' blocks this form.
setTimeout("_gpUnder.clicked=false", 2000)
},
// delayRender: delivery mode 2. Schedules render after `interval` milliseconds.
delayRender: function () {
// String argument evaluated as code by setTimeout (eval-like).
setTimeout("_gpUnder.render()", this["interval"])
},
// getBrowser: returns "IE8" when the lower-cased user agent contains
// "msie 8.0" at an index greater than 1, otherwise null.
// NOTE(review): no call to getBrowser appears in the library source shown on
// this page.
getBrowser: function () {
var _0xb8e8xe = navigator["userAgent"]["toLowerCase"]();
if (_0xb8e8xe["indexOf"]("msie 8.0") > 1) {
return "IE8"
}
return null
},
// getFFVersion: returns the single character located 8 positions after the
// start of "firefox" in the lower-cased user agent, i.e. the first character
// following "firefox/".
// Only one character is returned, so a two-digit major version yields just its
// first digit. When "firefox" is absent, indexOf gives -1 and the character at
// index 7 of the user agent is returned instead.
getFFVersion: function () {
var _0xb8e8xf = navigator["userAgent"]["toLowerCase"]();
var _0xb8e8x10 = _0xb8e8xf["indexOf"]("firefox");
return _0xb8e8xf["charAt"](_0xb8e8x10 + 8)
},
// callback: re-runs init with the values already stored on _gpUnder, except
// that bypass is forced to 0, delivery to 3 (renderEvents) and interval to 0.
callback: function () {
_gpUnder["init"](_gpUnder["utc"], _gpUnder["type"], _gpUnder["width"], _gpUnder["height"], _gpUnder["position"], _gpUnder["alignH"], _gpUnder["alignV"], 0, 3, 0, _gpUnder["id"])
},
openWindow: function () {
if (this["bypass"] & 1) {
return
}
if (this["isOpen"]()) {
return
}
var _0xb8e8x11 = this["getBound"]();
var _0xb8e8x12;
if (this["getFFVersion"]() > 3) {
if (this["getFFVersion"]() < 7) {
_0xb8e8x12 = window["open"]("about:blank", "", ""
top = 500, "+"
left = 3000, "+"
width = 10, "+"
height = 10 "+((this["
type "]==0)?", scrollbars = 1, resizable = 1, toolbar = 0, location = 1, menubar = 0, status = 1, directories = 1 "": ",resizable=1"));
if (_0xb8e8x12 != null) {
_0xb8e8x12["puPop"] = function (_0xb8e8x13) {
try {
window["showModalDialog"]("javascript:window.close()", null, "dialogtop:3000;dialogleft:3000;dialogWidth:10;dialogHeight:10");
_0xb8e8x12["resizeTo"](_0xb8e8x11[2], _0xb8e8x11[3]);
_0xb8e8x12["moveTo"](_0xb8e8x11[0], _0xb8e8x11[1])
} catch (e) {
alert("erreur : ")
}
this["document"]["location"]["href"] = _0xb8e8x13
};
_0xb8e8x12["puPop"](this["utc"]);
_0xb8e8x12["resizeTo"](_0xb8e8x11[2], _0xb8e8x11[3]);
_0xb8e8x12["moveTo"](_0xb8e8x11[0], _0xb8e8x11[1])
}
} else {
_0xb8e8x12 = window["open"]("about:blank", "", ""
top = "+_0xb8e8x11[0]+", "+"
left = "+_0xb8e8x11[1]+", "+"
width = "+_0xb8e8x11[2]+", "+"
height = "+_0xb8e8x11[3]+((this["
type "]==0)?", scrollbars = 1, resizable = 1, toolbar = 0, location = 1, menubar = 0, status = 1, directories = 1 "": ",resizable=1"));
if (_0xb8e8x12 != null) {
_0xb8e8x12["puPop"] = function (_0xb8e8x13) {
try {
window["showModalDialog"]("javascript:window.close()", null, "dialogtop:3000;dialogleft:3000;dialogWidth:10;dialogHeight:10");
_0xb8e8x12["resizeTo"](_0xb8e8x11[2], _0xb8e8x11[3]);
_0xb8e8x12["moveTo"](_0xb8e8x11[0], _0xb8e8x11[1])
} catch (e) {}
this["document"]["location"]["href"] = _0xb8e8x13
};
_0xb8e8x12["puPop"](this["utc"]);
_0xb8e8x12["resizeTo"](_0xb8e8x11[2], _0xb8e8x11[3]);
_0xb8e8x12["moveTo"](_0xb8e8x11[0], _0xb8e8x11[1])
}
}
} else {
_0xb8e8x12 = window["open"](((this["type"] == 0) ? this["utc"] : "about:blank"), "", ""
top = "+_0xb8e8x11[0]+", "+"
left = "+_0xb8e8x11[1]+", "+"
width = "+_0xb8e8x11[2]+", "+"
height = "+_0xb8e8x11[3]+((this["
type "]==0)?", scrollbars = 1, resizable = 1, toolbar = 0, location = 1, menubar = 0, status = 1, directories = 1 "": ",resizable=1"))
}
if (_0xb8e8x12 == null) {
return
}
if (this["position"] == 1) {
_0xb8e8x12["blur"]();
window["focus"]()
}
if (this["type"] == 1) {
_0xb8e8x12["document"]["write"](this["utc"])
}
this["window"] = _0xb8e8x12;
if (!this["window"]["closed"]) {
this["writeCookie"]("_gpUnder_isOpen" + this["id"], "1")
}
}, deleteEvents: function () {
  // Tries to unhook _gpUnder.renderEvents from the "click" and "load" events
  // of <body> and <html>, the same four hooks that captureEvent installs.
  var eventNames = ["click", "load"];
  var handlerSource = "_gpUnder.renderEvents()"; // assigned but never read in this method
  var isMsie = navigator.userAgent.toLowerCase().indexOf("msie") != -1;

  for (var i = 0; i < eventNames.length; i++) {
    var eventName = eventNames[i];
    // One try per event name: a failure on "click" does not prevent the
    // attempt on "load". Any exception is silently ignored.
    try {
      if (isMsie) {
        // NOTE(review): each detachEvent call receives a brand-new anonymous
        // function, not the function object that captureEvent attached, so
        // these calls presumably remove nothing on legacy IE; confirm.
        window.document.body.detachEvent("on" + eventName, function () {
          _gpUnder.renderEvents();
        });
        window.document.documentElement.detachEvent("on" + eventName, function () {
          _gpUnder.renderEvents();
        });
      } else {
        window.document.body.removeEventListener(eventName, _gpUnder.renderEvents, false);
        window.document.documentElement.removeEventListener(eventName, _gpUnder.renderEvents);
      }
    } catch (e) {}
  }
},
openDialog: function () {
  // Opens this.utc in a modeless dialog placed at the rectangle computed by
  // getBound(). Does nothing when bit value 2 of this.bypass is set, when
  // isOpen() reports true, when window.showModelessDialog is not defined,
  // or when this.type is not 0.
  var skip = (this.bypass & 2) ||
    this.isOpen() ||
    typeof window.showModelessDialog == "undefined" ||
    this.type != 0;
  if (skip) {
    return;
  }

  var rect = this.getBound(); // [top, left, width, height]
  try {
    var features = [
      "dialogTop:" + rect[0] + "px",
      "dialogLeft:" + rect[1] + "px",
      "dialogWidth:" + rect[2] + "px",
      "dialogHeight:" + rect[3] + "px"
    ].join(";");
    // The dialog handle is not kept; this.window only becomes the flag `true`.
    window.showModelessDialog(this.utc, "", features);
    this.window = true;
  } catch (e) {}
},
captureEvent: function () {
  // Hooks _gpUnder.renderEvents onto the "click" and "load" events of both
  // <body> and <html>. Does nothing when bit value 16 of this.bypass is set or
  // when isOpen() reports true.
  // NOTE(review): renderEvents is defined outside this excerpt; presumably it
  // is the routine that ends up opening the advertising window. Confirm.
  if ((this.bypass & 16) || this.isOpen()) {
    return;
  }

  var eventNames = ["click", "load"];
  var handlerSource = "_gpUnder.renderEvents()"; // assigned but never read in this method
  var isMsie = navigator.userAgent.toLowerCase().indexOf("msie") != -1;

  for (var i = 0; i < eventNames.length; i++) {
    var eventName = eventNames[i];
    // One try per event name; any exception is silently ignored.
    try {
      if (isMsie) {
        // Legacy IE path: handlers are anonymous wrappers around renderEvents.
        window.document.body.attachEvent("on" + eventName, function () {
          _gpUnder.renderEvents();
        });
        window.document.documentElement.attachEvent("on" + eventName, function () {
          _gpUnder.renderEvents();
        });
      } else {
        window.document.body.addEventListener(eventName, _gpUnder.renderEvents, false);
        window.document.documentElement.addEventListener(eventName, _gpUnder.renderEvents);
      }
    } catch (e) {}
  }
},
overrideLinks: function () {
  // Once the page has loaded, installs _gpUnder.callback as the onclick handler
  // of every <a> element that has no onclick of its own and an empty target.
  // Skipped when the user agent string contains "firefox" or "chrome", when bit
  // value 32 of this.bypass is set, or when isOpen() reports true.
  // NOTE(review): _gpUnder.callback is defined outside this excerpt.
  var userAgent = navigator.userAgent.toLowerCase();
  // The comparison is "> 1", so a match at index 0 or 1 would not count.
  var isExcludedBrowser = userAgent.indexOf("firefox") > 1 || userAgent.indexOf("chrome") > 1;
  if (isExcludedBrowser || (this.bypass & 32) || this.isOpen()) {
    return;
  }

  this.addLoadEvent(function () {
    var anchors = document.getElementsByTagName("a");
    for (var i = 0; i < anchors.length; i++) {
      var anchor = anchors[i];
      // Links that already carry a click handler or a target are left alone.
      if (anchor.onclick != null || anchor.target != "") {
        continue;
      }
      anchor.onclick = _gpUnder.callback;
    }
  });
},
addLoadEvent: function (callback) {
  // Registers `callback` to run on window.onload without discarding a handler
  // that is already installed: the previous handler, if any, runs first.
  // Returns false when no callback is given; otherwise returns nothing.
  var previousOnload = window.onload;
  if (typeof callback == "undefined") {
    return false;
  }
  if (typeof previousOnload == "function") {
    // Chain: existing page handler first, then the new callback.
    window.onload = function () {
      if (previousOnload) {
        previousOnload();
      }
      callback();
    };
  } else {
    window.onload = callback;
  }
},
writeCookie: function (name, value) {
  // Stores name=escape(value) in the cookie jar of the document the script
  // runs in. Only "path=/" is appended: there is no expiry attribute, so the
  // browser treats it as a session cookie, valid for every path of the host.
  var pair = name + "=" + escape(value);
  document.cookie = pair + ";path=/";
},
getCookieVal: function (valueStart) {
  // Returns the unescaped cookie value that begins at index `valueStart` of
  // document.cookie and runs up to the next ";" (or to the end of the string).
  var jar = document.cookie;
  var valueEnd = jar.indexOf(";", valueStart);
  return unescape(jar.substring(valueStart, valueEnd == -1 ? jar.length : valueEnd));
},
readCookie: function (name) {
  // Looks up cookie `name` in document.cookie. Returns its unescaped value
  // (via getCookieVal), or null when no cookie with that name is found.
  var jar = document.cookie;
  var needle = name + "=";
  var pos = 0;
  while (pos < jar.length) {
    var valueStart = pos + needle.length;
    if (jar.substring(pos, valueStart) == needle) {
      return this.getCookieVal(valueStart);
    }
    // Jump to the character after the next space, where the following
    // "name=value" pair is expected to start.
    var nextSpace = jar.indexOf(" ", pos);
    if (nextSpace == -1) {
      break;
    }
    pos = nextSpace + 1;
  }
  return null;
},
isOpen: function () {
  // Reports whether the ad window counts as already opened.
  // The "_gpUnder_isOpen<id>" cookie is checked first: once it exists, this
  // returns true without looking at the window at all, so the cookie acts as
  // a "do not open again" marker for as long as it lives.
  var flagName = "_gpUnder_isOpen" + this.id;
  if (this.readCookie(flagName) != null) {
    return true;
  }
  if (this.window == null) {
    return false;
  }
  try {
    if (this.window.closed) {
      return false;
    }
    // Window still open (or this.window is the `true` flag set by
    // openDialog): persist the marker cookie and report open.
    this.writeCookie(flagName, "1");
    return true;
  } catch (e) {
    // Reading the window handle failed; treated as "not open".
    return false;
  }
},
getBound: function () {
  // Computes the rectangle for the ad window and returns it as
  // [top, left, width, height].
  // NOTE: _width, _height, _top and _left are assigned without a declaration,
  // so they are created as globals on the host page.
  var isChrome = navigator.userAgent.toLowerCase().indexOf("chrome") > -1;
  var availableWidth = screen.availWidth;
  var availableHeight = screen.availHeight;
  _width = 0;
  _height = 0;
  _top = 0;
  _left = 0;

  // Chrome with no configured size: copy the geometry read from window.frames.
  if (isChrome && this.height == 0 && this.width == 0) {
    _width = window.frames.outerWidth;
    _height = window.frames.outerHeight;
    _top = window.frames.screenTop;
    _left = window.frames.screenLeft;
    return [_top, _left, _width, _height];
  }

  _height = this.height;
  _width = this.width;

  // Vertical axis: a height of 0 (outside Chrome) means the full available
  // height; otherwise alignV 1 centres and alignV 2 subtracts the height and
  // a fixed 46 from the available height.
  if (this.height == 0 && !isChrome) {
    _height = availableHeight;
  } else {
    var alignV = this.alignV;
    if (alignV == 1) {
      _top = (screen.availHeight - this.height) / 2;
    } else if (alignV == 2) {
      _top = screen.availHeight - this.height - 46;
    }
  }

  // Horizontal axis: same scheme, with a fixed 10 for alignH 2.
  if (this.width == 0 && !isChrome) {
    _width = availableWidth;
  } else {
    var alignH = this.alignH;
    if (alignH == 1) {
      _left = (screen.availWidth - this.width) / 2;
    } else if (alignH == 2) {
      _left = screen.availWidth - this.width - 10;
    }
  }

  return [_top, _left, _width, _height];
},
$: function (elementId) {
  // Shorthand for document.getElementById.
  var element = document.getElementById(elementId);
  return element;
}
};
Si l'on veut regarder de plus près comment gestionpub.com ouvre ses fenêtres, il faudra lire ce code et renommer un peu les variables anonymisées, comme _0xb8e8x24, etc.
Je ne comprends toujours pas pourquoi l'on voudrait obfusquer ce genre de code. Peut-être à cause du sentiment de honte?