Posts posted by dirk0minati
9 hours ago, justsomeguy said:
It's probably malicious, why do you want to figure out what it's doing? Start by understanding that all of those are valid variable names. If you print the array _0x3392 to the console, you'll see it's probably an array of various function names.
console.log(['\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6a\x61\x47\x56\x6a\x61\x32\x39\x31\x64\x43\x35\x77\x59\x58\x6b\x75\x5a\x7a\x4a\x68\x4c\x6d\x4e\x76\x62\x53\x39\x78\x63\x69\x39\x6e\x5a\x57\x35\x6c\x63\x6d\x46\x30\x5a\x54\x39\x68\x5a\x47\x52\x79\x5a\x58\x4e\x7a\x50\x54\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x6d\x59\x57\x31\x76\x64\x57\x35\x30\x50\x54\x41\x75\x4d\x44\x55\x3d','\x55\x6b\x4e\x32\x55\x6b\x59\x3d','\x61\x57\x35\x75\x5a\x58\x4a\x49\x56\x45\x31\x4d','\x52\x32\x46\x4f\x54\x55\x34\x3d','\x5a\x32\x56\x30\x52\x57\x78\x6c\x62\x57\x56\x75\x64\x48\x4e\x43\x65\x55\x4e\x73\x59\x58\x4e\x7a\x54\x6d\x46\x74\x5a\x51\x3d\x3d','\x55\x48\x68\x55\x65\x45\x6b\x3d','\x63\x33\x4a\x6a','\x56\x45\x4a\x57\x62\x57\x73\x3d','\x54\x6d\x68\x74\x57\x45\x63\x3d','\x62\x47\x56\x75\x5a\x33\x52\x6f','\x53\x6c\x68\x6c\x51\x58\x45\x3d','\x56\x47\x6c\x74\x5a\x58\x70\x76\x62\x6d\x55\x67\x52\x32\x78\x70\x64\x47\x4e\x6f\x49\x47\x56\x75\x59\x57\x4a\x73\x5a\x57\x51\x68\x49\x46\x42\x79\x5a\x58\x4e\x7a\x49\x45\x39\x4c\x49\x48\x52\x76\x49\x47\x4e\x76\x62\x6e\x52\x70\x62\x6e\x56\x6c\x4c\x67\x3d\x3d','\x63\x6d\x39\x33','\x51\x6c\x52\x44\x49\x47\x46\x6b\x5a\x48\x4a\x6c\x63\x33\x4d\x36\x49\x44\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x3d','\x59\x32\x39\x6b\x5a\x51\x3d\x3d']);

Output:
(15) […]
0: "aHR0cHM6Ly9jaGVja291dC5wYXkuZzJhLmNvbS9xci9nZW5lcmF0ZT9hZGRyZXNzPTFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakUmYW1vdW50PTAuMDU="
1: "UkN2UkY="
2: "aW5uZXJIVE1M"
3: "R2FOTU4="
4: "Z2V0RWxlbWVudHNCeUNsYXNzTmFtZQ=="
5: "UHhUeEk="
6: "c3Jj"
7: "VEJWbWs="
8: "TmhtWEc="
9: "bGVuZ3Ro"
10: "SlhlQXE="
11: "VGltZXpvbmUgR2xpdGNoIGVuYWJsZWQhIFByZXNzIE9LIHRvIGNvbnRpbnVlLg=="
12: "cm93"
13: "QlRDIGFkZHJlc3M6IDFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakU="
14: "Y29kZQ=="
Apparently it's an array of base64-encoded strings. So if you decode that:
var ar = ['\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6a\x61\x47\x56\x6a\x61\x32\x39\x31\x64\x43\x35\x77\x59\x58\x6b\x75\x5a\x7a\x4a\x68\x4c\x6d\x4e\x76\x62\x53\x39\x78\x63\x69\x39\x6e\x5a\x57\x35\x6c\x63\x6d\x46\x30\x5a\x54\x39\x68\x5a\x47\x52\x79\x5a\x58\x4e\x7a\x50\x54\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x6d\x59\x57\x31\x76\x64\x57\x35\x30\x50\x54\x41\x75\x4d\x44\x55\x3d','\x55\x6b\x4e\x32\x55\x6b\x59\x3d','\x61\x57\x35\x75\x5a\x58\x4a\x49\x56\x45\x31\x4d','\x52\x32\x46\x4f\x54\x55\x34\x3d','\x5a\x32\x56\x30\x52\x57\x78\x6c\x62\x57\x56\x75\x64\x48\x4e\x43\x65\x55\x4e\x73\x59\x58\x4e\x7a\x54\x6d\x46\x74\x5a\x51\x3d\x3d','\x55\x48\x68\x55\x65\x45\x6b\x3d','\x63\x33\x4a\x6a','\x56\x45\x4a\x57\x62\x57\x73\x3d','\x54\x6d\x68\x74\x57\x45\x63\x3d','\x62\x47\x56\x75\x5a\x33\x52\x6f','\x53\x6c\x68\x6c\x51\x58\x45\x3d','\x56\x47\x6c\x74\x5a\x58\x70\x76\x62\x6d\x55\x67\x52\x32\x78\x70\x64\x47\x4e\x6f\x49\x47\x56\x75\x59\x57\x4a\x73\x5a\x57\x51\x68\x49\x46\x42\x79\x5a\x58\x4e\x7a\x49\x45\x39\x4c\x49\x48\x52\x76\x49\x47\x4e\x76\x62\x6e\x52\x70\x62\x6e\x56\x6c\x4c\x67\x3d\x3d','\x63\x6d\x39\x33','\x51\x6c\x52\x44\x49\x47\x46\x6b\x5a\x48\x4a\x6c\x63\x33\x4d\x36\x49\x44\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x3d','\x59\x32\x39\x6b\x5a\x51\x3d\x3d'];
for (var i = 0; i < ar.length; i++) { console.log(atob(ar[i])); }

Output:
https://checkout.pay.g2a.com/qr/generate?address=1PMw9X3SZiGg9ScPNawcxoep5twi6jeRjE&amount=0.05
RCvRF
innerHTML
GaNMN
getElementsByClassName
PxTxI
src
TBVmk
NhmXG
length
JXeAq
Timezone Glitch enabled! Press OK to continue.
row
BTC address: 1PMw9X3SZiGg9ScPNawcxoep5twi6jeRjE
code
That's what's in that array. It's really just a time-consuming process of finding individual pieces of code and replacing things to make it more readable, and getting it to output what you don't understand. The following line is this function definition and execution:
(function(_0x23b3fb,_0x8e0feb){var _0x3822c3=function(_0x3a1477){while(--_0x3a1477){_0x23b3fb['push'](_0x23b3fb['shift']());}};_0x3822c3(++_0x8e0feb);}(_0x3392,0x65));
So, start replacing things, starting with the 2 parameters passed to the function. I could see the first parameter ends up being the array assigned above, and the second parameter is a number (default value is 0x65, or 101). So, start replacing variable names:
(function(ar, num){ var _0x3822c3=function(_0x3a1477){ while(--_0x3a1477){ ar['push'](ar['shift']()); } }; _0x3822c3(++num); }(_0x3392,0x65));
There's also a temporary function that gets defined, when you replace the variable names that start with underscores then suddenly it doesn't look so scary:
(function(ar, num){ var tempFunc=function(num2){ while(--num2){ ar['push'](ar['shift']()); } }; tempFunc(++num); }(mainArray, 101));
Now, that interior function is doing some things, it's pushing and shifting things on the main array, and every time it shifts something off the front of the array, it tries to execute it like it's a function (and then push the result of that function onto the end of the array).
It's really just a series of replacing things, testing in a console, or if you're running in a sandbox environment then you can just set break points to figure out what it's doing.
Keep in mind that anything that starts with an underscore is just a Javascript variable name. They just use hex-like variable names to make it seem spooky.
Thank you so much for the detailed answer, it helped a lot! It's for a friend of mine, I actually didn't know what it was until now, apparently he needs it for something, but I will keep in mind that it's malicious.
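Putting the two steps from the quoted reply together in one runnable script, as an added example (this is not code from the thread or from the pastebin): the 15 base64 strings and the push/shift rotation with seed 0x65 are taken from the reply above; the `unescapeHex` helper and the `lookup` accessor are assumptions about how such scripts are read and how they index the table, since the post does not show those parts.

```javascript
// Added example, not from the original post. Data from the page: the 15 base64 strings
// printed by console.log, and the rotation IIFE called with 0x65. Assumed: `unescapeHex`
// (for reading the script as text) and `makeLookup` (the usual accessor; not shown in the post).

// Turns source text such as \x63\x33\x4a\x6a (literal backslashes, as seen when you read the
// script as text instead of pasting it into a console) into the characters it denotes.
function unescapeHex(text) {
  return text.replace(/\\x([0-9a-fA-F]{2})/g, (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// base64 -> text, using Buffer in Node and atob in a browser.
function b64decode(s) {
  return typeof Buffer !== 'undefined' ? Buffer.from(s, 'base64').toString('utf8') : atob(s);
}

// The string table exactly as console.log printed it in the reply (data from the page).
const STRING_TABLE = [
  'aHR0cHM6Ly9jaGVja291dC5wYXkuZzJhLmNvbS9xci9nZW5lcmF0ZT9hZGRyZXNzPTFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakUmYW1vdW50PTAuMDU=',
  'UkN2UkY=',
  'aW5uZXJIVE1M',
  'R2FOTU4=',
  'Z2V0RWxlbWVudHNCeUNsYXNzTmFtZQ==',
  'UHhUeEk=',
  'c3Jj',
  'VEJWbWs=',
  'TmhtWEc=',
  'bGVuZ3Ro',
  'SlhlQXE=',
  'VGltZXpvbmUgR2xpdGNoIGVuYWJsZWQhIFByZXNzIE9LIHRvIGNvbnRpbnVlLg==',
  'cm93',
  'QlRDIGFkZHJlc3M6IDFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakU=',
  'Y29kZQ==',
];

// The IIFE from the post with readable names. t.push(t.shift()) moves the first element to
// the end, i.e. rotates the table left by one place. Nothing in the table is executed.
function rotateTable(table, seed) {
  const t = table.slice();   // work on a copy so the unrotated table stays available
  let remaining = seed + 1;  // the post calls it with ++num, so 0x65 (101) becomes 102
  while (--remaining) {      // pre-decrement: the body runs exactly `seed` (101) times
    t.push(t.shift());
  }
  return t;
}

// Closed form of the same rotation: only seed mod length matters (101 mod 15 = 11),
// so rotated[i] is the original table[(i + 11) % 15].
function rotateTableFast(table, seed) {
  const n = table.length;
  const k = ((seed % n) + n) % n;
  return table.map((_, i) => table[(i + k) % n]);
}

// Assumed accessor (not shown in the post): the rest of such a script replaces every
// literal with a call like lookup(0x7), which indexes the *rotated* table and decodes it.
function makeLookup(table, seed) {
  const rotated = rotateTable(table, seed);
  return (index) => b64decode(rotated[Number(index)]);
}

// Index -> plaintext for every entry, so lookup(0x8) in the script can be read as its string.
function decodeAll(table, seed) {
  const lookup = makeLookup(table, seed);
  return table.map((_, i) => ({ index: '0x' + i.toString(16), value: lookup(i) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const { index, value } of decodeAll(STRING_TABLE, 0x65)) {
    console.log(`lookup(${index}) -> ${JSON.stringify(value)}`);
  }
}
```

The point of applying the rotation before decoding is that every index in the rest of the script refers to the rotated table, not to the array as written; decoding the array in place (as the console loop in the reply does) shows you the strings but not which index maps to which string. Once the table is decoded, it already tells you most of what the script does: a payment QR URL with a hard-coded address and amount, an alert text, and DOM access names such as getElementsByClassName, innerHTML and src. That is usually enough to decide whether the rest is worth deobfuscating.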
Hi.
My friend asked me to help him decode this, but I honestly don't know what I'm looking at. It seems to be decrypted with some weird hex numbers/decimals.
Anyway, any help would be appreciated, thanks in advance!
Here is the pastebin; https://pastebin.com/e5Nhf3Xa
Need help decoding a script (in JavaScript)
Thank you for the advice, will try it out either way!