Jump to content
Sign in to follow this  
dirk0minati

Need help decoding a script

Recommended Posts

It's probably malicious, why do you want to figure out what it's doing?  Start by understanding that all of those are valid variable names.  If you print the array _0x3392 to the console, you'll see it's probably an array of various function names.

console.log(['\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6a\x61\x47\x56\x6a\x61\x32\x39\x31\x64\x43\x35\x77\x59\x58\x6b\x75\x5a\x7a\x4a\x68\x4c\x6d\x4e\x76\x62\x53\x39\x78\x63\x69\x39\x6e\x5a\x57\x35\x6c\x63\x6d\x46\x30\x5a\x54\x39\x68\x5a\x47\x52\x79\x5a\x58\x4e\x7a\x50\x54\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x6d\x59\x57\x31\x76\x64\x57\x35\x30\x50\x54\x41\x75\x4d\x44\x55\x3d','\x55\x6b\x4e\x32\x55\x6b\x59\x3d','\x61\x57\x35\x75\x5a\x58\x4a\x49\x56\x45\x31\x4d','\x52\x32\x46\x4f\x54\x55\x34\x3d','\x5a\x32\x56\x30\x52\x57\x78\x6c\x62\x57\x56\x75\x64\x48\x4e\x43\x65\x55\x4e\x73\x59\x58\x4e\x7a\x54\x6d\x46\x74\x5a\x51\x3d\x3d','\x55\x48\x68\x55\x65\x45\x6b\x3d','\x63\x33\x4a\x6a','\x56\x45\x4a\x57\x62\x57\x73\x3d','\x54\x6d\x68\x74\x57\x45\x63\x3d','\x62\x47\x56\x75\x5a\x33\x52\x6f','\x53\x6c\x68\x6c\x51\x58\x45\x3d','\x56\x47\x6c\x74\x5a\x58\x70\x76\x62\x6d\x55\x67\x52\x32\x78\x70\x64\x47\x4e\x6f\x49\x47\x56\x75\x59\x57\x4a\x73\x5a\x57\x51\x68\x49\x46\x42\x79\x5a\x58\x4e\x7a\x49\x45\x39\x4c\x49\x48\x52\x76\x49\x47\x4e\x76\x62\x6e\x52\x70\x62\x6e\x56\x6c\x4c\x67\x3d\x3d','\x63\x6d\x39\x33','\x51\x6c\x52\x44\x49\x47\x46\x6b\x5a\x48\x4a\x6c\x63\x33\x4d\x36\x49\x44\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x3d','\x59\x32\x39\x6b\x5a\x51\x3d\x3d']);
undefined
(15) […]

0: "aHR0cHM6Ly9jaGVja291dC5wYXkuZzJhLmNvbS9xci9nZW5lcmF0ZT9hZGRyZXNzPTFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakUmYW1vdW50PTAuMDU="

1: "UkN2UkY="

2: "aW5uZXJIVE1M"

3: "R2FOTU4="

4: "Z2V0RWxlbWVudHNCeUNsYXNzTmFtZQ=="

5: "UHhUeEk="

6: "c3Jj"

7: "VEJWbWs="

8: "TmhtWEc="

9: "bGVuZ3Ro"

10: "SlhlQXE="

11: "VGltZXpvbmUgR2xpdGNoIGVuYWJsZWQhIFByZXNzIE9LIHRvIGNvbnRpbnVlLg=="

12: "cm93"

13: "QlRDIGFkZHJlc3M6IDFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakU="

14: "Y29kZQ=="

Apparently it's an array of base64-encoded strings.  So if you decode that:

var ar = ['\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6a\x61\x47\x56\x6a\x61\x32\x39\x31\x64\x43\x35\x77\x59\x58\x6b\x75\x5a\x7a\x4a\x68\x4c\x6d\x4e\x76\x62\x53\x39\x78\x63\x69\x39\x6e\x5a\x57\x35\x6c\x63\x6d\x46\x30\x5a\x54\x39\x68\x5a\x47\x52\x79\x5a\x58\x4e\x7a\x50\x54\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x6d\x59\x57\x31\x76\x64\x57\x35\x30\x50\x54\x41\x75\x4d\x44\x55\x3d','\x55\x6b\x4e\x32\x55\x6b\x59\x3d','\x61\x57\x35\x75\x5a\x58\x4a\x49\x56\x45\x31\x4d','\x52\x32\x46\x4f\x54\x55\x34\x3d','\x5a\x32\x56\x30\x52\x57\x78\x6c\x62\x57\x56\x75\x64\x48\x4e\x43\x65\x55\x4e\x73\x59\x58\x4e\x7a\x54\x6d\x46\x74\x5a\x51\x3d\x3d','\x55\x48\x68\x55\x65\x45\x6b\x3d','\x63\x33\x4a\x6a','\x56\x45\x4a\x57\x62\x57\x73\x3d','\x54\x6d\x68\x74\x57\x45\x63\x3d','\x62\x47\x56\x75\x5a\x33\x52\x6f','\x53\x6c\x68\x6c\x51\x58\x45\x3d','\x56\x47\x6c\x74\x5a\x58\x70\x76\x62\x6d\x55\x67\x52\x32\x78\x70\x64\x47\x4e\x6f\x49\x47\x56\x75\x59\x57\x4a\x73\x5a\x57\x51\x68\x49\x46\x42\x79\x5a\x58\x4e\x7a\x49\x45\x39\x4c\x49\x48\x52\x76\x49\x47\x4e\x76\x62\x6e\x52\x70\x62\x6e\x56\x6c\x4c\x67\x3d\x3d','\x63\x6d\x39\x33','\x51\x6c\x52\x44\x49\x47\x46\x6b\x5a\x48\x4a\x6c\x63\x33\x4d\x36\x49\x44\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x3d','\x59\x32\x39\x6b\x5a\x51\x3d\x3d'];

for (var i = 0; i < ar.length; i++) {
  console.log(atob(ar[i]));
}

https://checkout.pay.g2a.com/qr/generate?address=1PMw9X3SZiGg9ScPNawcxoep5twi6jeRjE&amount=0.05 
RCvRF 
innerHTML 
GaNMN 
getElementsByClassName 
PxTxI 
src 
TBVmk 
NhmXG 
length 
JXeAq 
Timezone Glitch enabled! Press OK to continue. 
row
BTC address: 1PMw9X3SZiGg9ScPNawcxoep5twi6jeRjE 
code

That's what's in that array.  It's really just a time-consuming process of finding individual pieces of code and replacing things to make it more readable, and getting it to output what you don't understand.  The following line is this function definition and execution:

(function(_0x23b3fb,_0x8e0feb){var _0x3822c3=function(_0x3a1477){while(--_0x3a1477){_0x23b3fb['push'](_0x23b3fb['shift']());}};_0x3822c3(++_0x8e0feb);}(_0x3392,0x65));

So, start replacing things, starting with the 2 parameters  passed to the function.  I could see the first parameter ends up being the array assigned above, and the second parameter is a number (default value is 0x65, or 101).  So, start replacing variable names:

(function(ar, num){
  var _0x3822c3=function(_0x3a1477){
    while(--_0x3a1477){
      ar['push'](ar['shift']());
    }
  };
  _0x3822c3(++num);
}(_0x3392,0x65));

There's also a temporary function that gets defined, when you replace the variable names that start with underscores then suddenly it doesn't look so scary:

(function(ar, num){
  var tempFunc=function(num2){
    while(--num2){
      ar['push'](ar['shift']());
    }
  };
  tempFunc(++num);
}(mainArray, 101));

Now, that interior function is doing some things, it's pushing and shifting things on the main array, and every time it shifts something off the front of the array, it tries to execute it like it's a function (and then push the result of that function onto the end of the array).

It's really just a series of replacing things, testing in a console, or if you're running in a sandbox environment then you can just set break points to figure out what it's doing.

Keep in mind that anything that starts with an underscore is just a Javascript variable name.  They just use hex-like variable names to make it seem spooky.

Share this post


Link to post
Share on other sites

Yeah, it's obfuscated. You can decode the strings by just printing them out. It's a long and tedious process, so I'm not going to waste my time on it, but I'll show you some examples with one of the strings:

'\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6a\x61\x47\x56\x6a\x61\x32\x39\x31\x64\x43\x35\x77\x59\x58\x6b\x75\x5a\x7a\x4a\x68\x4c\x6d\x4e\x76\x62\x53\x39\x78\x63\x69\x39\x6e\x5a\x57\x35\x6c\x63\x6d\x46\x30\x5a\x54\x39\x68\x5a\x47\x52\x79\x5a\x58\x4e\x7a\x50\x54\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x6d\x59\x57\x31\x76\x64\x57\x35\x30\x50\x54\x41\x75\x4d\x44\x55\x3d'

The first step is to convert the character codes into actual letters. Just opening the Javascript console in your browser, pasting the string and pressing enter will do that and it yields this:

aHR0cHM6Ly9jaGVja291dC5wYXkuZzJhLmNvbS9xci9nZW5lcmF0ZT9hZGRyZXNzPTFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakUmYW1vdW50PTAuMDU=

The "=" on the end makes it obvious that it's base64 encoded. Javascript uses atob() and btoa() to convert to and from base64. atob() will decode this, so I write this into the Javascript console:

atob("aHR0cHM6Ly9jaGVja291dC5wYXkuZzJhLmNvbS9xci9nZW5lcmF0ZT9hZGRyZXNzPTFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakUmYW1vdW50PTAuMDU=")

The console then prints this:

https://checkout.pay.g2a.com/qr/generate?address=1PMw9X3SZiGg9ScPNawcxoep5twi6jeRjE&amount=0.05

 

That's one string decoded. It's up to you to decode all the rest.

Share this post


Link to post
Share on other sites
9 hours ago, justsomeguy said:

It's probably malicious, why do you want to figure out what it's doing?  Start by understanding that all of those are valid variable names.  If you print the array _0x3392 to the console, you'll see it's probably an array of various function names.


console.log(['\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6a\x61\x47\x56\x6a\x61\x32\x39\x31\x64\x43\x35\x77\x59\x58\x6b\x75\x5a\x7a\x4a\x68\x4c\x6d\x4e\x76\x62\x53\x39\x78\x63\x69\x39\x6e\x5a\x57\x35\x6c\x63\x6d\x46\x30\x5a\x54\x39\x68\x5a\x47\x52\x79\x5a\x58\x4e\x7a\x50\x54\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x6d\x59\x57\x31\x76\x64\x57\x35\x30\x50\x54\x41\x75\x4d\x44\x55\x3d','\x55\x6b\x4e\x32\x55\x6b\x59\x3d','\x61\x57\x35\x75\x5a\x58\x4a\x49\x56\x45\x31\x4d','\x52\x32\x46\x4f\x54\x55\x34\x3d','\x5a\x32\x56\x30\x52\x57\x78\x6c\x62\x57\x56\x75\x64\x48\x4e\x43\x65\x55\x4e\x73\x59\x58\x4e\x7a\x54\x6d\x46\x74\x5a\x51\x3d\x3d','\x55\x48\x68\x55\x65\x45\x6b\x3d','\x63\x33\x4a\x6a','\x56\x45\x4a\x57\x62\x57\x73\x3d','\x54\x6d\x68\x74\x57\x45\x63\x3d','\x62\x47\x56\x75\x5a\x33\x52\x6f','\x53\x6c\x68\x6c\x51\x58\x45\x3d','\x56\x47\x6c\x74\x5a\x58\x70\x76\x62\x6d\x55\x67\x52\x32\x78\x70\x64\x47\x4e\x6f\x49\x47\x56\x75\x59\x57\x4a\x73\x5a\x57\x51\x68\x49\x46\x42\x79\x5a\x58\x4e\x7a\x49\x45\x39\x4c\x49\x48\x52\x76\x49\x47\x4e\x76\x62\x6e\x52\x70\x62\x6e\x56\x6c\x4c\x67\x3d\x3d','\x63\x6d\x39\x33','\x51\x6c\x52\x44\x49\x47\x46\x6b\x5a\x48\x4a\x6c\x63\x33\x4d\x36\x49\x44\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x3d','\x59\x32\x39\x6b\x5a\x51\x3d\x3d']);
undefined
(15) […]

0: "aHR0cHM6Ly9jaGVja291dC5wYXkuZzJhLmNvbS9xci9nZW5lcmF0ZT9hZGRyZXNzPTFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakUmYW1vdW50PTAuMDU="

1: "UkN2UkY="

2: "aW5uZXJIVE1M"

3: "R2FOTU4="

4: "Z2V0RWxlbWVudHNCeUNsYXNzTmFtZQ=="

5: "UHhUeEk="

6: "c3Jj"

7: "VEJWbWs="

8: "TmhtWEc="

9: "bGVuZ3Ro"

10: "SlhlQXE="

11: "VGltZXpvbmUgR2xpdGNoIGVuYWJsZWQhIFByZXNzIE9LIHRvIGNvbnRpbnVlLg=="

12: "cm93"

13: "QlRDIGFkZHJlc3M6IDFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakU="

14: "Y29kZQ=="

Apparently it's an array of base64-encoded strings.  So if you decode that:


var ar = ['\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6a\x61\x47\x56\x6a\x61\x32\x39\x31\x64\x43\x35\x77\x59\x58\x6b\x75\x5a\x7a\x4a\x68\x4c\x6d\x4e\x76\x62\x53\x39\x78\x63\x69\x39\x6e\x5a\x57\x35\x6c\x63\x6d\x46\x30\x5a\x54\x39\x68\x5a\x47\x52\x79\x5a\x58\x4e\x7a\x50\x54\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x6d\x59\x57\x31\x76\x64\x57\x35\x30\x50\x54\x41\x75\x4d\x44\x55\x3d','\x55\x6b\x4e\x32\x55\x6b\x59\x3d','\x61\x57\x35\x75\x5a\x58\x4a\x49\x56\x45\x31\x4d','\x52\x32\x46\x4f\x54\x55\x34\x3d','\x5a\x32\x56\x30\x52\x57\x78\x6c\x62\x57\x56\x75\x64\x48\x4e\x43\x65\x55\x4e\x73\x59\x58\x4e\x7a\x54\x6d\x46\x74\x5a\x51\x3d\x3d','\x55\x48\x68\x55\x65\x45\x6b\x3d','\x63\x33\x4a\x6a','\x56\x45\x4a\x57\x62\x57\x73\x3d','\x54\x6d\x68\x74\x57\x45\x63\x3d','\x62\x47\x56\x75\x5a\x33\x52\x6f','\x53\x6c\x68\x6c\x51\x58\x45\x3d','\x56\x47\x6c\x74\x5a\x58\x70\x76\x62\x6d\x55\x67\x52\x32\x78\x70\x64\x47\x4e\x6f\x49\x47\x56\x75\x59\x57\x4a\x73\x5a\x57\x51\x68\x49\x46\x42\x79\x5a\x58\x4e\x7a\x49\x45\x39\x4c\x49\x48\x52\x76\x49\x47\x4e\x76\x62\x6e\x52\x70\x62\x6e\x56\x6c\x4c\x67\x3d\x3d','\x63\x6d\x39\x33','\x51\x6c\x52\x44\x49\x47\x46\x6b\x5a\x48\x4a\x6c\x63\x33\x4d\x36\x49\x44\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x3d','\x59\x32\x39\x6b\x5a\x51\x3d\x3d'];

for (var i = 0; i < ar.length; i++) {
  console.log(atob(ar[i]));
}

https://checkout.pay.g2a.com/qr/generate?address=1PMw9X3SZiGg9ScPNawcxoep5twi6jeRjE&amount=0.05 
RCvRF 
innerHTML 
GaNMN 
getElementsByClassName 
PxTxI 
src 
TBVmk 
NhmXG 
length 
JXeAq 
Timezone Glitch enabled! Press OK to continue. 
row
BTC address: 1PMw9X3SZiGg9ScPNawcxoep5twi6jeRjE 
code

That's what's in that array.  It's really just a time-consuming process of finding individual pieces of code and replacing things to make it more readable, and getting it to output what you don't understand.  The following line is this function definition and execution:

 


(function(_0x23b3fb,_0x8e0feb){var _0x3822c3=function(_0x3a1477){while(--_0x3a1477){_0x23b3fb['push'](_0x23b3fb['shift']());}};_0x3822c3(++_0x8e0feb);}(_0x3392,0x65));

 

So, start replacing things, starting with the 2 parameters  passed to the function.  I could see the first parameter ends up being the array assigned above, and the second parameter is a number (default value is 0x65, or 101).  So, start replacing variable names:

 


(function(ar, num){
  var _0x3822c3=function(_0x3a1477){
    while(--_0x3a1477){
      ar['push'](ar['shift']());
    }
  };
  _0x3822c3(++num);
}(_0x3392,0x65));

 

There's also a temporary function that gets defined, when you replace the variable names that start with underscores then suddenly it doesn't look so scary:

 


(function(ar, num){
  var tempFunc=function(num2){
    while(--num2){
      ar['push'](ar['shift']());
    }
  };
  tempFunc(++num);
}(mainArray, 101));

 

Now, that interior function is doing some things, it's pushing and shifting things on the main array, and every time it shifts something off the front of the array, it tries to execute it like it's a function (and then push the result of that function onto the end of the array).

It's really just a series of replacing things, testing in a console, or if you're running in a sandbox environment then you can just set break points to figure out what it's doing.

Keep in mind that anything that starts with an underscore is just a Javascript variable name.  They just use hex-like variable names to make it seem spooky.

Thank you so much for the detailed answer, it helped alot! It's for a friend of mine, I actually didn't know what it was until now, apperently he need it for something, but I will take in mind that it's malicious.

Edited by dirk0minati

Share this post


Link to post
Share on other sites
9 hours ago, Ingolme said:

Yeah, it's obfuscated. You can decode the strings by just printing them out. It's a long and tedious process, so I'm not going to waste my time on it, but I'll show you some examples with one of the strings:


'\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6a\x61\x47\x56\x6a\x61\x32\x39\x31\x64\x43\x35\x77\x59\x58\x6b\x75\x5a\x7a\x4a\x68\x4c\x6d\x4e\x76\x62\x53\x39\x78\x63\x69\x39\x6e\x5a\x57\x35\x6c\x63\x6d\x46\x30\x5a\x54\x39\x68\x5a\x47\x52\x79\x5a\x58\x4e\x7a\x50\x54\x46\x51\x54\x58\x63\x35\x57\x44\x4e\x54\x57\x6d\x6c\x48\x5a\x7a\x6c\x54\x59\x31\x42\x4f\x59\x58\x64\x6a\x65\x47\x39\x6c\x63\x44\x56\x30\x64\x32\x6b\x32\x61\x6d\x56\x53\x61\x6b\x55\x6d\x59\x57\x31\x76\x64\x57\x35\x30\x50\x54\x41\x75\x4d\x44\x55\x3d'

The first step is to convert the character codes into actual letters. Just opening the Javascript console in your browser, pasting the string and pressing enter will do that and it yields this:


aHR0cHM6Ly9jaGVja291dC5wYXkuZzJhLmNvbS9xci9nZW5lcmF0ZT9hZGRyZXNzPTFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakUmYW1vdW50PTAuMDU=

The "=" on the end makes it obvious that it's base64 encoded. Javascript uses atob() and btoa() to convert to and from base64. atob() will decode this, so I write this into the Javascript console:


atob("aHR0cHM6Ly9jaGVja291dC5wYXkuZzJhLmNvbS9xci9nZW5lcmF0ZT9hZGRyZXNzPTFQTXc5WDNTWmlHZzlTY1BOYXdjeG9lcDV0d2k2amVSakUmYW1vdW50PTAuMDU=")

The console then prints this:


https://checkout.pay.g2a.com/qr/generate?address=1PMw9X3SZiGg9ScPNawcxoep5twi6jeRjE&amount=0.05

 

That's one string decoded. It's up to you to decode all the rest.

Thank you for the advice, will try it out either way! 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
Sign in to follow this  

×
×
  • Create New...