Author Topic: Decode this? (Read 5100 times)

crim · November 12, 2009, 07:19:37 pm

Does anyone know how i can decode this?
I've tried Wepawet & jsunpack and none of them are able to decode this

SysAdMini · November 12, 2009, 07:50:15 pm

Can you tell us the url of the script ?

The script requires "document.lastModified" property. I won't decode without this information.

crim · November 12, 2009, 09:20:29 pm

its fragus

Code: [Select]

http://redirectcounter1.com/news.php
/EDIT by SysAdMini: added Code tags

SysAdMini · November 12, 2009, 09:38:58 pm

Using Malzilla:

-download the script

-get the lastmodified property from http header : Last-Modified: Fri, 12 Dec 2008 11:11:40 GMT

-replace lastmodified by its value:

acghiw=document,
befkly=acghiw.lastModified,
copvwx=new Date(befkly).toUTCString()

acghiw=document,
befkly="Fri, 12 Dec 2008 11:11:40 GMT",
copvwx=new Date(befkly).toUTCString()

-run the script
-done

example encoded and decoded attached. pw=infected

SysAdMini · November 12, 2009, 09:56:53 pm

JavaScript anti-analysis tricks: last-modified
http://www.cs.ucsb.edu/~marco/blog/2009/10/javascript-anti-analysis-tricks-last-modified.html

Author Topic: Decode this? (Read 5100 times)

crim

Decode this?

SysAdMini

Re: Decode this?

crim

Re: Decode this?

SysAdMini

Re: Decode this?

SysAdMini

Re: Decode this?