
Need help decoding a script


dirk0minati


It's probably malicious, why do you want to figure out what it's doing?  Start by understanding that all of those are valid variable names.  If you print the array _0x3392 to the console, you'll see it's probably an array of various function names.

console.log(['\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6a\x61\x47\x56\x6a\x61\x32\x39\x31\x64\x43\x35\x77\x59\x58\x6b\x75\x5a\x7a\x4a\x68\x4c\x6d\x4e\x76\x62\x53\x39\x78\x63\x69\x39\x6e\x5a\x57\x35\x6c\x63\x6d\x46\x30\x5a\x54\x39\x68\x5a\x47\x52\x79\x5a\x58\x4e\x7a\x50\x54\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x6d\x59\x57\x31\x76\x64\x57\x35\x30\x50\x54\x41\x75\x4d\x44\x55\x3d','\x55\x6b\x4e\x32\x55\x6b\x59\x3d','\x61\x57\x35\x75\x5a\x58\x4a\x49\x56\x45\x31\x4d','\x52\x32\x46\x4f\x54\x55\x34\x3d','\x5a\x32\x56\x30\x52\x57\x78\x6c\x62\x57\x56\x75\x64\x48\x4e\x43\x65\x55\x4e\x73\x59\x58\x4e\x7a\x54\x6d\x46\x74\x5a\x51\x3d\x3d','\x55\x48\x68\x55\x65\x45\x6b\x3d','\x63\x33\x4a\x6a','\x56\x45\x4a\x57\x62\x57\x73\x3d','\x54\x6d\x68\x74\x57\x45\x63\x3d','\x62\x47\x56\x75\x5a\x33\x52\x6f','\x53\x6c\x68\x6c\x51\x58\x45\x3d','\x56\x47\x6c\x74\x5a\x58\x70\x76\x62\x6d\x55\x67\x52\x32\x78\x70\x64\x47\x4e\x6f\x49\x47\x56\x75\x59\x57\x4a\x73\x5a\x57\x51\x68\x49\x46\x42\x79\x5a\x58\x4e\x7a\x49\x45\x39\x4c\x49\x48\x52\x76\x49\x47\x4e\x76\x62\x6e\x52\x70\x62\x6e\x56\x6c\x4c\x67\x3d\x3d','\x63\x6d\x39\x33','\x51\x6c\x52\x44\x49\x47\x46\x6b\x5a\x48\x4a\x6c\x63\x33\x4d\x36\x49\x44\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x3d','\x59\x32\x39\x6b\x5a\x51\x3d\x3d']);
undefined
(15) […]
0: "aHR0cHM6Ly9jaGVja291dC5wYXkuZzJhLmNvbS9xci9nZW5lcmF0ZT9hZGRyZXNzPTFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakUmYW1vdW50PTAuMDU="
1: "UkN2UkY="
2: "aW5uZXJIVE1M"
3: "R2FOTU4="
4: "Z2V0RWxlbWVudHNCeUNsYXNzTmFtZQ=="
5: "UHhUeEk="
6: "c3Jj"
7: "VEJWbWs="
8: "TmhtWEc="
9: "bGVuZ3Ro"
10: "SlhlQXE="
11: "VGltZXpvbmUgR2xpdGNoIGVuYWJsZWQhIFByZXNzIE9LIHRvIGNvbnRpbnVlLg=="
12: "cm93"
13: "QlRDIGFkZHJlc3M6IDFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakU="
14: "Y29kZQ=="

Apparently it's an array of base64-encoded strings.  So if you decode that:

var ar = ['\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6a\x61\x47\x56\x6a\x61\x32\x39\x31\x64\x43\x35\x77\x59\x58\x6b\x75\x5a\x7a\x4a\x68\x4c\x6d\x4e\x76\x62\x53\x39\x78\x63\x69\x39\x6e\x5a\x57\x35\x6c\x63\x6d\x46\x30\x5a\x54\x39\x68\x5a\x47\x52\x79\x5a\x58\x4e\x7a\x50\x54\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x6d\x59\x57\x31\x76\x64\x57\x35\x30\x50\x54\x41\x75\x4d\x44\x55\x3d','\x55\x6b\x4e\x32\x55\x6b\x59\x3d','\x61\x57\x35\x75\x5a\x58\x4a\x49\x56\x45\x31\x4d','\x52\x32\x46\x4f\x54\x55\x34\x3d','\x5a\x32\x56\x30\x52\x57\x78\x6c\x62\x57\x56\x75\x64\x48\x4e\x43\x65\x55\x4e\x73\x59\x58\x4e\x7a\x54\x6d\x46\x74\x5a\x51\x3d\x3d','\x55\x48\x68\x55\x65\x45\x6b\x3d','\x63\x33\x4a\x6a','\x56\x45\x4a\x57\x62\x57\x73\x3d','\x54\x6d\x68\x74\x57\x45\x63\x3d','\x62\x47\x56\x75\x5a\x33\x52\x6f','\x53\x6c\x68\x6c\x51\x58\x45\x3d','\x56\x47\x6c\x74\x5a\x58\x70\x76\x62\x6d\x55\x67\x52\x32\x78\x70\x64\x47\x4e\x6f\x49\x47\x56\x75\x59\x57\x4a\x73\x5a\x57\x51\x68\x49\x46\x42\x79\x5a\x58\x4e\x7a\x49\x45\x39\x4c\x49\x48\x52\x76\x49\x47\x4e\x76\x62\x6e\x52\x70\x62\x6e\x56\x6c\x4c\x67\x3d\x3d','\x63\x6d\x39\x33','\x51\x6c\x52\x44\x49\x47\x46\x6b\x5a\x48\x4a\x6c\x63\x33\x4d\x36\x49\x44\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x3d','\x59\x32\x39\x6b\x5a\x51\x3d\x3d'];

for (var i = 0; i < ar.length; i++) {
  console.log(atob(ar[i]));
}

https://checkout.pay.g2a.com/qr/generate?address=1PMw9X3SZiGg9ScPNawcxoep5twi6jeRjE&amount=0.05 
RCvRF 
innerHTML 
GaNMN 
getElementsByClassName 
PxTxI 
src 
TBVmk 
NhmXG 
length 
JXeAq 
Timezone Glitch enabled! Press OK to continue. 
row
BTC address: 1PMw9X3SZiGg9ScPNawcxoep5twi6jeRjE 
code

That's what's in that array.  It's really just a time-consuming process of finding individual pieces of code and replacing things to make it more readable, and getting it to output what you don't understand.  The following line is this function definition and execution:

(function(_0x23b3fb,_0x8e0feb){var _0x3822c3=function(_0x3a1477){while(--_0x3a1477){_0x23b3fb['push'](_0x23b3fb['shift']());}};_0x3822c3(++_0x8e0feb);}(_0x3392,0x65));

So, start replacing things, starting with the 2 parameters passed to the function.  I could see the first parameter ends up being the array assigned above, and the second parameter is a number (default value is 0x65, or 101).  So, start replacing variable names:

(function(ar, num){
  var _0x3822c3=function(_0x3a1477){
    while(--_0x3a1477){
      ar['push'](ar['shift']());
    }
  };
  _0x3822c3(++num);
}(_0x3392,0x65));

There's also a temporary function that gets defined, when you replace the variable names that start with underscores then suddenly it doesn't look so scary:

(function(ar, num){
  var tempFunc=function(num2){
    while(--num2){
      ar['push'](ar['shift']());
    }
  };
  tempFunc(++num);
}(mainArray, 101));

Now, that interior function is doing some things, it's pushing and shifting things on the main array, and every time it shifts something off the front of the array, it tries to execute it like it's a function (and then push the result of that function onto the end of the array).

It's really just a series of replacing things, testing in a console, or if you're running in a sandbox environment then you can just set break points to figure out what it's doing.

Keep in mind that anything that starts with an underscore is just a JavaScript variable name.  They just use hex-like variable names to make it seem spooky.


Yeah, it's obfuscated. You can decode the strings by just printing them out. It's a long and tedious process, so I'm not going to waste my time on it, but I'll show you some examples with one of the strings:

'\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6a\x61\x47\x56\x6a\x61\x32\x39\x31\x64\x43\x35\x77\x59\x58\x6b\x75\x5a\x7a\x4a\x68\x4c\x6d\x4e\x76\x62\x53\x39\x78\x63\x69\x39\x6e\x5a\x57\x35\x6c\x63\x6d\x46\x30\x5a\x54\x39\x68\x5a\x47\x52\x79\x5a\x58\x4e\x7a\x50\x54\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x6d\x59\x57\x31\x76\x64\x57\x35\x30\x50\x54\x41\x75\x4d\x44\x55\x3d'

The first step is to convert the character codes into actual letters. Just opening the JavaScript console in your browser, pasting the string and pressing enter will do that and it yields this:

aHR0cHM6Ly9jaGVja291dC5wYXkuZzJhLmNvbS9xci9nZW5lcmF0ZT9hZGRyZXNzPTFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakUmYW1vdW50PTAuMDU=

The "=" on the end makes it obvious that it's base64 encoded. JavaScript uses atob() and btoa() to convert to and from base64. atob() will decode this, so I write this into the JavaScript console:

atob("aHR0cHM6Ly9jaGVja291dC5wYXkuZzJhLmNvbS9xci9nZW5lcmF0ZT9hZGRyZXNzPTFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakUmYW1vdW50PTAuMDU=")

The console then prints this:

https://checkout.pay.g2a.com/qr/generate?address=1PMw9X3SZiGg9ScPNawcxoep5twi6jeRjE&amount=0.05


That's one string decoded. It's up to you to decode all the rest.

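The two replies above each show one piece of the job by hand: the hex-escape and base64 step (Ingolme's reply) and the push/shift IIFE over the string table (justsomeguy's reply). The script below, added here as an editor's example and not code from either poster or from the obfuscated script itself, does the whole pipeline offline with Node.js, treating the obfuscated source purely as text. It never evaluates any of it: the `\xNN` escapes are decoded with a regex, each entry is base64-decoded, and the IIFE's rotation is reproduced on the decoded list. Note what the IIFE body actually does: `arr['push'](arr['shift']())` only moves the first entry to the end. With `0x65` the helper is called with 102, so the loop runs 101 times, and on a 15-entry table that nets to 11 positions; after it runs, index 0 holds the "Timezone Glitch" message, not the URL. The table literal is copied verbatim from the thread; the assumptions are a Node.js runtime (for `Buffer`) and that the rest of the script looks entries up by index after this rotation, which the thread does not show.

```javascript
// Added example (not from the thread): decode the obfuscated script's string table
// offline, without pasting it into a browser console or evaluating any of it.
// Run with: node decode_table.js

// The string-table literal exactly as it appears in the obfuscated source, kept as raw
// text. String.raw preserves the backslashes, so nothing is interpreted at this point.
const RAW_TABLE = String.raw`[
'\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6a\x61\x47\x56\x6a\x61\x32\x39\x31\x64\x43\x35\x77\x59\x58\x6b\x75\x5a\x7a\x4a\x68\x4c\x6d\x4e\x76\x62\x53\x39\x78\x63\x69\x39\x6e\x5a\x57\x35\x6c\x63\x6d\x46\x30\x5a\x54\x39\x68\x5a\x47\x52\x79\x5a\x58\x4e\x7a\x50\x54\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x6d\x59\x57\x31\x76\x64\x57\x35\x30\x50\x54\x41\x75\x4d\x44\x55\x3d',
'\x55\x6b\x4e\x32\x55\x6b\x59\x3d',
'\x61\x57\x35\x75\x5a\x58\x4a\x49\x56\x45\x31\x4d',
'\x52\x32\x46\x4f\x54\x55\x34\x3d',
'\x5a\x32\x56\x30\x52\x57\x78\x6c\x62\x57\x56\x75\x64\x48\x4e\x43\x65\x55\x4e\x73\x59\x58\x4e\x7a\x54\x6d\x46\x74\x5a\x51\x3d\x3d',
'\x55\x48\x68\x55\x65\x45\x6b\x3d',
'\x63\x33\x4a\x6a',
'\x56\x45\x4a\x57\x62\x57\x73\x3d',
'\x54\x6d\x68\x74\x57\x45\x63\x3d',
'\x62\x47\x56\x75\x5a\x33\x52\x6f',
'\x53\x6c\x68\x6c\x51\x58\x45\x3d',
'\x56\x47\x6c\x74\x5a\x58\x70\x76\x62\x6d\x55\x67\x52\x32\x78\x70\x64\x47\x4e\x6f\x49\x47\x56\x75\x59\x57\x4a\x73\x5a\x57\x51\x68\x49\x46\x42\x79\x5a\x58\x4e\x7a\x49\x45\x39\x4c\x49\x48\x52\x76\x49\x47\x4e\x76\x62\x6e\x52\x70\x62\x6e\x56\x6c\x4c\x67\x3d\x3d',
'\x63\x6d\x39\x33',
'\x51\x6c\x52\x44\x49\x47\x46\x6b\x5a\x48\x4a\x6c\x63\x33\x4d\x36\x49\x44\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x3d',
'\x59\x32\x39\x6b\x5a\x51\x3d\x3d'
]`;

// Turn "\x61\x48..." text into the characters it denotes. Plain text processing,
// so it is safe to run on untrusted input: no eval(), no Function(), no pasting.
function unescapeHex(text) {
  return text.replace(/\\x([0-9a-fA-F]{2})/g, (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// Pull every single-quoted entry out of the array literal and unescape it.
function parseStringTable(rawLiteral) {
  const entries = [];
  const re = /'((?:\\x[0-9a-fA-F]{2}|[^'\\])*)'/g;
  let m;
  while ((m = re.exec(rawLiteral)) !== null) entries.push(unescapeHex(m[1]));
  return entries;
}

// base64 -> text. Buffer.from() silently skips characters that are not base64, so a
// round trip (decode, re-encode, compare without padding) catches entries that were
// never base64 to begin with; those are returned as null instead of garbage.
function decodeBase64(s) {
  const buf = Buffer.from(s, 'base64');
  if (buf.toString('base64').replace(/=+$/, '') !== s.replace(/=+$/, '')) return null;
  return buf.toString('utf8');
}

// Exact reproduction of the thread's IIFE, (function(arr, n){...}(arr, 0x65)):
// the helper is called with ++n, and each loop iteration moves the first element
// to the end. Nothing in the array is called or evaluated.
function rotateLikeIife(arr, n) {
  const out = arr.slice();
  let count = n + 1;
  while (--count) out.push(out.shift());
  return out;
}

// Full pipeline: unescape, base64-decode, then rotate as the script will at runtime,
// so the printed indices are the ones the rest of the script uses for lookups.
function decodeStringTable(rawLiteral, rotation = 0x65) {
  return rotateLikeIife(parseStringTable(rawLiteral).map(decodeBase64), rotation);
}

const TABLE = decodeStringTable(RAW_TABLE);
TABLE.forEach((s, i) => console.log(`${i}: ${s}`));
```

The printed list is the table in post-rotation order; whatever accessor the obfuscated script uses to index it (not shown in the thread, so not reconstructed here) resolves against these positions. Doing the decode this way also keeps the analyst from ever executing the sample, which matters when the first decoded string is a payment URL for a BTC address.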

9 hours ago, justsomeguy said:


Thank you so much for the detailed answer, it helped a lot! It's for a friend of mine, I actually didn't know what it was until now, apparently he needs it for something, but I will keep in mind that it's malicious.

Edited by dirk0minati

9 hours ago, Ingolme said:


Thank you for the advice, will try it out either way! 

