I found this code in my website's source code:
// Obfuscated sample. Every property name and constant is looked up through
// three tables, so the logic below is written almost entirely as array indexing.
// String table; the \x sequences are hexadecimal character escapes and decode to
// ["_0x32lsj9", "_xlt", "_x8fkc3", "floor", "random", "length"].
var _0xd28d=["\x5F\x30\x78\x33\x32\x6C\x73\x6A\x39","\x5F\x78\x6C\x74","\x5F\x78\x38\x66\x6B\x63\x33","\x66\x6C\x6F\x6F\x72","\x72\x61\x6E\x64\x6F\x6D","\x6C\x65\x6E\x67\x74\x68"];
// Resolves to ["_0x32lsj9", 12, "_xlt", "_x8fkc3", 2, 31, Math, "floor"].
var _0x9ae4=[_0xd28d[0],12,_0xd28d[1],_0xd28d[2],2,31,Math,_0xd28d[3]];
// Resolves to [31, "_0x32lsj9", "_xlt", "_x8fkc3", 4, "random"];
// _0x9ae4[_0x9ae4[4]] is _0x9ae4[2], i.e. "_xlt".
var _0xcd6e=[_0x9ae4[5],_0x9ae4[0],_0x9ae4[_0x9ae4[4]],_0x9ae4[3],4,_0xd28d[4]];
// State object; the counter is stored under the key "_xlt" and starts at 0.
var _0xr6g0={};
_0xr6g0[_0xcd6e[2]]=0;
// _0x9ae4[4] is 2, so the outer function is stored as _0xr6g0[2].
_0xr6g0[_0x9ae4[4]]=function (){
var _0x4c68x4={};
// local["_0x32lsj9"] = "_0x32lsj9": the seed for a throwaway property name.
_0x4c68x4[_0xd28d[0]]=_0x9ae4[0];
// Append one character picked at random from the string itself
// (Math.floor(Math.random() * length)) until it is 31 characters long.
// The result is only ever used as a property key on the local object.
do{
_0x4c68x4[_0x9ae4[0]]+=_0x4c68x4[_0xd28d[0]][_0x9ae4[6][_0x9ae4[7]](_0x9ae4[6][_0xcd6e[5]]()*_0x4c68x4[_0xd28d[0]][_0xd28d[5]])];
}while(_0x4c68x4[_0xd28d[0]][_0xd28d[5]]<_0xcd6e[0]);
// Inner function, stored under the random key: increments the "_xlt" counter,
// wraps it modulo 12 (_0x9ae4[1]) and returns itself so calls can be chained.
_0x4c68x4[_0x4c68x4[_0x9ae4[0]]]=function (){
_0xr6g0[_0xcd6e[2]]++;
_0xr6g0[_0xcd6e[2]]%=_0x9ae4[1];
return _0x4c68x4[_0x4c68x4[_0x9ae4[0]]];
};
// The outer function only builds the inner one and hands it back; it does not
// touch the counter itself.
return _0x4c68x4[_0x4c68x4[_0xcd6e[1]]];
};
// _0x9ae4[_0xcd6e[4]] is _0x9ae4[4], i.e. 2: the first call runs _0xr6g0[2] and
// every following call runs the inner function it returned.
// The only external object this listing references is Math.
_0xr6g0[_0x9ae4[_0xcd6e[4]]]()()()()()()()()()()()()()()()();
I was wondering, what is it? And what does it do?
One of the sneakiest uses of JavaScript is cross-site scripting (XSS). Simply put, XSS is a vulnerability that allows hackers to embed malicious JavaScript code into a legitimate website, where it is ultimately executed in the browser of a user who visits the website.
Attackers frequently send malicious JavaScript files through bogus emails. It's easy to block these files from reaching a hapless user. Here's how. There have been several recent reports of fake updaters that spoof Google Chrome, Mozilla Firefox, and Internet Explorer landing pages.
The danger in these attacks lies in one key aspect: malware delivered via infected JavaScript files doesn't need user interaction. Put another way, a user like you or me could get infected with malware without doing anything other than browsing a website.
Understanding JavaScript allows hackers to discover vulnerabilities and carry out web exploitation, since most applications on the web use JavaScript or its libraries. Cross-site scripting: JavaScript can be used to read saved cookies, although cookies set with the HttpOnly attribute are not exposed to script. It is used to develop cross-site scripting programs for hacking.
By itself, the code does nothing useful or dangerous. If you did not put it there yourself, it is still worth finding out how it got into the page.
After manually deobfuscating:
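// Hand-deobfuscated equivalent of the obfuscated script.
// The names are declared explicitly: bare assignments create implicit globals
// and throw a ReferenceError in strict mode or inside an ES module.
let count = 0;
let func_b;

/**
 * Builds the self-returning counter function.
 * Calling func_a does not change `count`; only the returned function does.
 * @returns {Function} func_b, which increments `count` modulo 12 and returns itself.
 */
const func_a = function () {
  func_b = function () {
    count++;
    count %= 12; // keeps the counter in the range 0..11
    return func_b;
  };
  return func_b;
};

// The first call runs func_a; each later call in the chain runs func_b once.
func_a()()()()()()()()()()()()()()()();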
Looks more like a failed attempt to keep the browser busy. But it works very well at keeping people curious.
UPDATE: fixed the deobfuscation.
The first 5 lines initialize variables. After decoding the \x escapes (they are plain hexadecimal character escapes, not encryption) and resolving the indexing into the other arrays, we get:
// Table contents once the escapes are decoded and the cross-references resolved.
// String table: property names used by the script. '_x8fkc3' is copied into
// the other two tables but never read by the logic.
_0xd28d = ['_0x32lsj9', '_xlt', '_x8fkc3', 'floor', 'random', 'length']
// 12 is the modulus applied to the counter; the value 2 at index 4 is the key
// the outer function is stored under.
_0x9ae4 = ['_0x32lsj9', 12, '_xlt', '_x8fkc3', 2, 31, Math, 'floor']
// 31 is the length at which the random-name loop stops.
_0xcd6e = [31, '_0x32lsj9', '_xlt', '_x8fkc3', 4, 'random']
// State object: the counter '_xlt' starts at 0.
_0xr6g0 = {'_xlt': 0}
Lines 6-18 create a function (after expanding the array indexing):
// The outer function with every table lookup replaced by the value it resolves to.
_0xr6g0[2] = function() {
var _0x4c68x4={};
// Seed string for a throwaway property name.
_0x4c68x4['_0x32lsj9'] = '_0x32lsj9';
// Grow the string one random character (taken from itself) at a time until
// it is 31 characters long.
do{
_0x4c68x4['_0x32lsj9']+=_0x4c68x4['_0x32lsj9'][Math['floor'](Math['random']()*_0x4c68x4['_0x32lsj9']['length'])];
} while(_0x4c68x4['_0x32lsj9']['length'] < 31);
// Store the inner function on the local object under that random name.
_0x4c68x4[_0x4c68x4['_0x32lsj9']] = function (){
// Increment the shared counter and wrap it modulo 12.
_0xr6g0['_xlt']++;
_0xr6g0['_xlt'] %= 12;
// Return the same inner function so the caller can chain another call.
return _0x4c68x4[_0x4c68x4['_0x32lsj9']];
};
// The outer function leaves the counter untouched and returns the inner one.
return _0x4c68x4[_0x4c68x4['_0x32lsj9']];
};
Javascript allows a['b'] as an alternate syntax for a.b, so this is equivalent to:
// Same function again, with bracket-string property access rewritten as dot access.
_0xr6g0[2] = function() {
var _0x4c68x4 = {'_0x32lsj9': '_0x32lsj9'};
// Build a 31-character property name by appending random characters of the
// string to itself.
do{
_0x4c68x4._0x32lsj9 += _0x4c68x4._0x32lsj9[Math.floor(Math.random()*_0x4c68x4._0x32lsj9.length)];
} while(_0x4c68x4._0x32lsj9.length < 31);
// The outer brackets stay: the key is the runtime value of the string, not a
// fixed name.
_0x4c68x4[_0x4c68x4._0x32lsj9] = function (){
// Increment the shared counter and wrap it modulo 12.
_0xr6g0._xlt++;
_0xr6g0._xlt %= 12;
// Return the same inner function so calls can be chained.
return _0x4c68x4[_0x4c68x4._0x32lsj9];
};
// Only the inner function changes the counter; the outer one just returns it.
return _0x4c68x4[_0x4c68x4._0x32lsj9];
};
The inner function has a randomly-generated 31-character name that doesn't matter, so it can be simplified to:
// Simplified form: the random property name is dropped, because the inner
// function is only ever reached through the value the outer function returns.
_0xr6g0[2] = function () {
  // Each call advances the shared counter by one, wraps it at 12, and hands
  // back the same function so another call can be chained onto it.
  const step = function () {
    _0xr6g0._xlt++;
    _0xr6g0._xlt %= 12;
    return step;
  };
  return step;
};
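The last line calls _0xr6g0[2] 16 times, and this is an obfuscated way of writing
_0xr6g0._xlt = 4
Note that the first call in the chain runs the outer function, which only returns the inner one; the counter is incremented by each call after that, so the exact final value depends on how many calls follow the first.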