Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Obfuscated Javascript
Posted by: zer01
Date: August 04, 2010 06:20PM

Hi all,

This is my first post, but I've been reading for a while now and I've learned immensely from sitting back, but now I've got a piece of obfuscated javascript I found out in the wild, and I'm curious as to what it does.

It's one of those stupid facebook 'shock' click things, in this case it was "SHOCKING: RUDE HIDDEN MESSAGE in Toy Story 3!", and I knew something sketchy had to be going on, as it brings you to a blank page. The URL it goes to is :
http://fbreality.co.cc/toystory/

Make sure you have noscript (or equivalent) enabled!

Here's a copy of the JS so you don't have to visit the site:
<script language="JavaScript" type="text/javascript">
// Copyright &#65533; 2005 Voormedia - WWW.VOORMEDIA.COM
var i,y,x="202020203c6469762069643d2268656164657222207374796c653d226261636b67726f756e643a20233362353939383b2070616464696e673a203230707820303b223e200d0a2020202020203c68313e53484f434b494e473a20525544452048494444454e204d45535341474520696e20546f792053746f72792033213c2f68313e200d0a202020203c2f6469763e200d0a202020203c6272202f3e200d0a202020203c6272202f3e200d0a202020203c6272202f3e200d0a202020203c6469762069643d226d61696e223e200d0a2020202020203c6469762069643d226c6566742d636f6c756d6e2220636c6173733d22666c223e200d0a20202020202020203c68323e486172646c7920414e594f4e45206e6f74696365732074686973205349434b2068696464656e206d6573736167653c62723e7768656e207761746368696e6720546f792053746f72792033213c2f68323e200d0a20202020202020203c62723e466f6c6c6f7720746865203c623e656173792073746570733c2f623e2062656c6f7720746f207365652069742120286f6e6c792074616b6573203130207365636f6e6473290d0a20202020202020203c62723e200d0a20202020202020203c62723e200d0a20202020202020203c62723e200d0a20202020202020203c6e6f7363726970743e506c6561736520656e61626c65204a61766153637269707420696e20796f75722062726f7773657220746f20636f6e74696e75652e3c2f6e6f7363726970743e200d0a20202020202020203c696d67207372633d226172726f772e706e67222f3e200d0a20202020202020203c6272202f3e200d0a20202020202020203c6272202f3e200d0a20202020202020203c6469762069643d227374657031223e200d0a202020202020202020203c64697620636c6173733d2273746570223e3c7374726f6e673e5374657020313c2f7374726f6e673e202d20636c69636b206f6e20746865203c623e4c696b653c2f623e20627574746f6e2062656c6f773a3c2f6469763e200d0a202020202020202020203c6272202f3e200d0a202020202020202020203c6469762069643d226c696b65223e3c66623a6c696b65206c61796f75743d227374616e64617264222073686f775f66616365733d2274727565222077696474683d223330302220616374696f6e3d226c696b652220636f6c6f72736368656d653d226c69676874223e3c2f66623a6c696b653e3c2f6469763e200d0a20202020202020203c2f6469763e200d0a20202020202020203c6469762069643d227374657032223e200d0a202020202020202020203c64697620636c6173733d2273746570223e3c7374726f6e673e5374657020323c2f7374726f6e673e202d20636c69636b206f6e20746865203c623e53686172653c2f623e20627574746f6e2062656c6f773a3c2f6469763e200d0a202020202020202020203c6272202f3e200d0a202020202020202020203c6469762069643d227368617265223e3c696e7075742069643d2273686172652d627574746f6e2220747970653d227375626d6974222076616c75653d22536861726522206f6e636c69636b3d227368617265282922202f3e3c2f6469763e200d0a20202020202020203c2f6469763e200d0a20202020202020203c6469762069643d227374657033223e200d0a202020202020202020203c666f726d2069643d27666d2d636f6e74656e7427206d6574686f643d226765742220616374696f6e3d27766964656f2e706870273e200d0a2020202020202020202020203c696e707574206e616d653d2268696464656e2220747970653d2268696464656e222076616c75653d2268696464656e22202f3e200d0a202020202020202020203c2f666f726d3e200d0a20202020202020203c2f6469763e200d0a2020202020203c2f6469763e200d0a2020202020203c6469762069643d2272696768742d636f6c756d6e2220636c6173733d22666c223e200d0a20202020202020203c6272202f3e200d0a20202020202020203c62723e200d0a20202020202020203c696d67207372633d2274732e706e67222f3e200d0a2020202020203c2f6469763e200d0a2020202020203c64697620636c6173733d22666978223e3c2f6469763e200d0a202020203c2f6469763e200d0a202020203c6469762069643d2266622d726f6f74223e3c2f6469763e200d0a202020203c736372697074207372633d22687474703a2f2f636f6e6e6563742e66616365626f6f6b2e6e65742f656e5f55532f616c6c2e6a73223e3c2f7363726970743e200d0a202020203c73637269707420747970653d22746578742f6a61766173637269707422207372633d226a71756572792e6a73223e3c2f7363726970743e200d0a202020203c6272202f3e200d0a202020203c6272202f3e200d0a202020203c6272202f3e200d0a202020203c6272202f3e200d0a202020203c6272202f3e200d0a202020203c6272202f3e200d0a202020203c6272202f3e200d0a202020203c6272202f3e200d0a202020203c6272202f3e200d0a202020203c6272202f3e200d0a202020203c6272202f3e200d0a202020203c6272202f3e200d0a202020203c6469762069643d22666f6f746572223e200d0a2020202020203c6469762069643d22666f6f742d6c6566742220636c6173733d22666c223e66627265616c6974792e636f2e63632026636f70793b20323031303c2f6469763e200d0a20202020202020203c6469762069643d22666f6f742d72696768742220636c6173733d22666c223e0d0a0909093c73637269707420747970653d22746578742f6a61766173637269707422207372633d22687474703a2f2f776964676574732e616d756e672e75732f7461622e6a73223e3c2f7363726970743e3c73637269707420747970653d22746578742f6a617661736372697074223e5741555f74616228276a62706432767a356e62666d272c20276c6566742d6d6964646c6527293c2f7363726970743e0d0a20202020202020203c2f6469763e200d0a2020202020203c64697620636c6173733d22666978223e3c2f6469763e200d0a202020203c2f6469763e20";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);
</script>

It's clearly trying to hide something, but I'm no good with javascript. Any ideas?

P.S. Sorry about not breaking it from that one super-long string, but I wasn't sure if linebreaks were going to interfere with any techniques people have - I know how frustrating that can be to mess with.

Options: ReplyQuote
Re: Obfuscated Javascript
Posted by: barbarianbob
Date: August 04, 2010 08:28PM

It builds html that tries to social engineer people. It says to click a "Like" button and a "Share" button to see it. It's built from javascript to obfuscate it, which is probably to avoid automatic reports.
It's nothing malicious.

Options: ReplyQuote
Re: Obfuscated Javascript
Posted by: Skyphire
Date: August 04, 2010 09:24PM

Next time you could simply do this in FireFox to see it's source: (preferred in FireBug console):

instead of:
document.write(y); 

write:
alert(y.toSource());

And you'll see it's source.

Options: ReplyQuote
Re: Obfuscated Javascript
Posted by: thornmaker
Date: August 04, 2010 10:36PM

as to what the actual obfuscation is....

the code has a long string of hex values stored as variable x. it loops through this string, 2 characters at a time, puts a % at the beginning of each group of 2 so you get something like %22. This is now a valid URL encoded character which gets automagically decoded when the code does the document.write(). So %22 would become " when it's written to the page.

Skyphire's trick (or variations thereof) is quite handy as it works with many types of JS obfuscation if you just want to see what the real payload is.

Options: ReplyQuote
Re: Obfuscated Javascript
Posted by: Gareth Heyes
Date: August 05, 2010 06:46AM

Crappy obfuscation if you ask me

http://tinyurl.com/3a5ev38

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote


Sorry, only registered users may post in this forum.