Here is offuscated code sample, it obfuscated binary,
seems
%b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000)
,c(000),c(004),c(000),c(000):
.this line is 275413 characters long::c(000),c(000),c(000)
,c(000 ),"")
which encoding method is used to obfuscate binary? This
is not base64.
Somewhere in association with this is a function named 'c' or some
code that creates a function named 'c' (most likely the latter as this
style of obfuscation usually includes an attempt to conceal the
decoding function). Finding that function definition, or using the
code that creates to extract the function definition, will show how
these numbers are being handled, and so probably expose how they are
'encoded'.
However, things may not be quite as simple as they may appear as the
input numbers literal are not simply related to the numbers they
represent. Javascript has provision for octal number literals, which
commence with a zero. So 077 is (or may be, as octal literals are not
required by ECMA 262 3rd Ed.) an octal literal, and so is (or may be)
- ((7*8)+7) -, or 63, while 144 is a decimal numeric literal. But
ECMAScript does not allow a zero as the first character in a decimal
numeric literal unless it is the only character in the literal,
immediately followed by a decimal point or immediately followed by an
"ExponentIndicator" (one of 'e' or 'E'), and octal literals may not
contain the digits 8 and 9, so values such as 090 are ECMAScript
syntax errors that, if they 'work' at all, are relying on a non-
standard extension to the language where, presumably, they are
interpreted as decimal.
Richard.
