某WEB2.0跳转代码分析

现在的外贸所谓的黑页跳转和WEB2.0跳转，大部分都是通过JS触发。
今天碰到了个简单的http://nfljerseyscheap.tk/
观察HTML源码，

12 <script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k1||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k1)p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k1);return p;}('L v$=["\\o\\9\\9\\o\\b\\8","\\q\\6\\j\\o","\\s\\i\\l\\9\\9","\\i\\h\\I","\\D\\m\\6\\A\\5\\h\\7\\s\\b\\8\\r\\e\\U\\H\\6\\j\\m\\8\\t\\d\\5\\w\\f\\f\\N\\M\\g\\5\\n\\9\\h\\6\\7\\6\\9\\j\\d\\5\\i\\q\\h\\9\\b\\G\\7\\8\\g\\5\\7\\8\\t\\7\\H\\i\\b\\6\\o\\j\\d\\5\\p\\8\\j\\7\\8\\c\\g\\5\\q\\i\\p\\I\\o\\c\\9\\G\\j\\m\\H\\p\\9\\b\\9\\c\\d\\5\\P\\k\\k\\k\\k\\k\\k\\g\\5\\u\\6\\m\\7\\l\\d\\w\\f\\f\\F\\g\\5\\l\\8\\6\\o\\l\\7\\d\\w\\f\\f\\F\\g\\5\\7\\9\\n\\d\\5\\f\\n\\t\\g\\5\\c\\6\\o\\l\\7\\d\\5\\f\\n\\t\\g\\5\\b\\8\\k\\7\\d\\5\\f\\n\\t\\g\\e\\E\\D\\6\\k\\c\\i\\y\\8\\5\\i\\b\\b\\9\\u\\7\\c\\i\\j\\h\\n\\i\\c\\8\\j\\p\\s\\r\\e\\7\\c\\G\\8\\e\\5\\k\\c\\i\\y\\8\\q\\9\\c\\m\\8\\c\\r\\e\\f\\e\\5\\6\\m\\r\\e\\c\\k\\e\\5\\h\\p\\c\\9\\b\\b\\6\\j\\o\\r\\e\\j\\9\\e\\5\\h\\c\\p\\r\\e\\l\\7\\7\\n\\d\\B\\B\\u\\u\\u\\J\\y\\i\\j\\j\\k\\b\\O\\8\\c\\h\\8\\s\\h\\J\\p\\9\\y\\e\\5\\h\\7\\s\\b\\8\\r\\e\\u\\6\\m\\7\\l\\d\\w\\f\\f\\F\\g\\l\\8\\6\\o\\l\\7\\d\\w\\T\\f\\f\\n\\t\\g\\m\\6\\h\\n\\b\\i\\s\\d\\q\\b\\9\\p\\I\\g\\A\\6\\h\\6\\q\\6\\b\\6\\7\\s\\d\\A\\6\\h\\6\\q\\b\\8\\g\\e\\B\\E\\D\\B\\m\\6\\A\\E"];L a=K.S;Q(a.x().C(v$[0])>z||a.x().C(v$[1])>z||a.x().C(v$[2])>z||a.x().C(v$[3])>z){K.R(v$[4])}',57,57,'|||||x20|x69|x74|x65|x6f||x6c|x72|x3a|x27|x30|x3b|x73|x61|x6e|x66|x68|x64|x70|x67|x63|x62|x3d|x79|x78|x77|_|x31|toLowerCase|x6d|0x0|x76|x2f|indexOf|x3c|x3e|x25|x75|x2d|x6b|x2e|document|var|x33|x34|x6a|x23|if|writeln|referrer|x36|x7a'.split('|'),0,{})) </script>

很明显的用了一个简单packed 压缩，解密之

12345 var _$ = ["\x67\x6f\x6f\x67\x6c\x65", "\x62\x69\x6e\x67", "\x79\x61\x68\x6f\x6f", "\x61\x73\x6b", "\x3c\x64\x69\x76\x20\x73\x74\x79\x6c\x65\x3d\x27\x7a\x2d\x69\x6e\x64\x65\x78\x3a\x20\x31\x30\x30\x34\x33\x3b\x20\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x61\x62\x73\x6f\x6c\x75\x74\x65\x3b\x20\x74\x65\x78\x74\x2d\x61\x6c\x69\x67\x6e\x3a\x20\x63\x65\x6e\x74\x65\x72\x3b\x20\x62\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x2d\x63\x6f\x6c\x6f\x72\x3a\x20\x23\x66\x66\x66\x66\x66\x66\x3b\x20\x77\x69\x64\x74\x68\x3a\x31\x30\x30\x25\x3b\x20\x68\x65\x69\x67\x68\x74\x3a\x31\x30\x30\x25\x3b\x20\x74\x6f\x70\x3a\x20\x30\x70\x78\x3b\x20\x72\x69\x67\x68\x74\x3a\x20\x30\x70\x78\x3b\x20\x6c\x65\x66\x74\x3a\x20\x30\x70\x78\x3b\x27\x3e\x3c\x69\x66\x72\x61\x6d\x65\x20\x61\x6c\x6c\x6f\x77\x74\x72\x61\x6e\x73\x70\x61\x72\x65\x6e\x63\x79\x3d\x27\x74\x72\x75\x65\x27\x20\x66\x72\x61\x6d\x65\x62\x6f\x72\x64\x65\x72\x3d\x27\x30\x27\x20\x69\x64\x3d\x27\x72\x66\x27\x20\x73\x63\x72\x6f\x6c\x6c\x69\x6e\x67\x3d\x27\x6e\x6f\x27\x20\x73\x72\x63\x3d\x27\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x6d\x61\x6e\x6e\x66\x6c\x6a\x65\x72\x73\x65\x79\x73\x2e\x63\x6f\x6d\x27\x20\x73\x74\x79\x6c\x65\x3d\x27\x77\x69\x64\x74\x68\x3a\x31\x30\x30\x25\x3b\x68\x65\x69\x67\x68\x74\x3a\x31\x36\x30\x30\x70\x78\x3b\x64\x69\x73\x70\x6c\x61\x79\x3a\x62\x6c\x6f\x63\x6b\x3b\x76\x69\x73\x69\x62\x69\x6c\x69\x74\x79\x3a\x76\x69\x73\x69\x62\x6c\x65\x3b\x27\x2f\x3e\x3c\x2f\x64\x69\x76\x3e"]; var a = document.referrer; if (a.toLowerCase().indexOf(_$[0]) > 0x0 || a.toLowerCase().indexOf(_$[1]) > 0x0 || a.toLowerCase().indexOf(_$[2]) > 0x0 || a.toLowerCase().indexOf(_$[3]) > 0x0) {     document.writeln(_$[4]) }

可以看到_$也被加密了。不过目测也是简单16进制而已。
继续改代码

12 var _$ = ["\x67\x6f\x6f\x67\x6c\x65", "\x62\x69\x6e\x67", "\x79\x61\x68\x6f\x6f", "\x61\x73\x6b", "\x3c\x64\x69\x76\x20\x73\x74\x79\x6c\x65\x3d\x27\x7a\x2d\x69\x6e\x64\x65\x78\x3a\x20\x31\x30\x30\x34\x33\x3b\x20\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x61\x62\x73\x6f\x6c\x75\x74\x65\x3b\x20\x74\x65\x78\x74\x2d\x61\x6c\x69\x67\x6e\x3a\x20\x63\x65\x6e\x74\x65\x72\x3b\x20\x62\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x2d\x63\x6f\x6c\x6f\x72\x3a\x20\x23\x66\x66\x66\x66\x66\x66\x3b\x20\x77\x69\x64\x74\x68\x3a\x31\x30\x30\x25\x3b\x20\x68\x65\x69\x67\x68\x74\x3a\x31\x30\x30\x25\x3b\x20\x74\x6f\x70\x3a\x20\x30\x70\x78\x3b\x20\x72\x69\x67\x68\x74\x3a\x20\x30\x70\x78\x3b\x20\x6c\x65\x66\x74\x3a\x20\x30\x70\x78\x3b\x27\x3e\x3c\x69\x66\x72\x61\x6d\x65\x20\x61\x6c\x6c\x6f\x77\x74\x72\x61\x6e\x73\x70\x61\x72\x65\x6e\x63\x79\x3d\x27\x74\x72\x75\x65\x27\x20\x66\x72\x61\x6d\x65\x62\x6f\x72\x64\x65\x72\x3d\x27\x30\x27\x20\x69\x64\x3d\x27\x72\x66\x27\x20\x73\x63\x72\x6f\x6c\x6c\x69\x6e\x67\x3d\x27\x6e\x6f\x27\x20\x73\x72\x63\x3d\x27\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x6d\x61\x6e\x6e\x66\x6c\x6a\x65\x72\x73\x65\x79\x73\x2e\x63\x6f\x6d\x27\x20\x73\x74\x79\x6c\x65\x3d\x27\x77\x69\x64\x74\x68\x3a\x31\x30\x30\x25\x3b\x68\x65\x69\x67\x68\x74\x3a\x31\x36\x30\x30\x70\x78\x3b\x64\x69\x73\x70\x6c\x61\x79\x3a\x62\x6c\x6f\x63\x6b\x3b\x76\x69\x73\x69\x62\x69\x6c\x69\x74\x79\x3a\x76\x69\x73\x69\x62\x6c\x65\x3b\x27\x2f\x3e\x3c\x2f\x64\x69\x76\x3e"]; alert(_$)

弹出解码后的代码
然后运行，一切了然。


判断来路 然后显示frame框架