Reputation: 199
Decode strange JavaScript code
I don't know much about decoding and encoding, but I found this on my website (it was hacked and someone took over a page in my site). I analysed the page but can't read this:
<script type="text/javascript">
eval(atob("dmFyIGMgPSAwOwokKGRvY3VtZW50KS5yZWFkeShmdW5jdGlvbigpIHsKICAgICQoIiNiMSIpLm9uKCdjbGljaycsIGZ1bmN0aW9uKCkgewogICAgICAgICsrYzsKICAgICAgICBpZiAoYyA+IDE1KSB7CiAgICAgICAgICAgICQodGhpcykuYXR0cih7CiAgICAgICAgICAgICAgICBocmVmOiAiaHR0cDovL3d3dy54bi0tYWRkYXMtbzRhLmRlL2ZpbmFsLmh0bWwiLAogICAgICAgICAgICAgICAgdGFyZ2V0OiAiX3NlbGYiCiAgICAgICAgICAgIH0pOwogICAgICAgIH0KICAgIH0pOwogICAgJCgiI2IyIikub24oJ2NsaWNrJywgZnVuY3Rpb24oKSB7CiAgICAgICAgaWYgKGMgPiAyMCkgd2luZG93LmxvY2F0aW9uID0gImh0dHA6Ly93d3cueG4tLWFkZGFzLW80YS5kZS9maW5hbC5odG1sIjsKICAgICAgICBlbHNlIHdpbmRvdy5hbGVydCgiRGVlbCBhYW4gMjAgdmFuIGplIHZyaWVuZGVuIG92ZXIgV2hhdHNBcHAgZGUgQWRpZGFzIHByb21vdGllIVxuXG4gSmUgbW9ldCBkZWxlbiAiICsgYyk7CiAgICB9KTsKfSk7"));
</script>
What does it mean? and how can I read it?
Upvotes: 2
Views: 8110
Answers (1)
Reputation: 517
This is base64 encoded piece of code which is getting evaluated at runtime.
Your Code
<script type="text/javascript">
eval(atob("dmFyIGMgPSAwOwokKGRvY3VtZW50KS5yZWFkeShmdW5jdGlvbigpIHsKICAgICQoIiNiMSIpLm9uKCdjbGljaycsIGZ1bmN0aW9uKCkgewogICAgICAgICsrYzsKICAgICAgICBpZiAoYyA+IDE1KSB7CiAgICAgICAgICAgICQodGhpcykuYXR0cih7CiAgICAgICAgICAgICAgICBocmVmOiAiaHR0cDovL3d3dy54bi0tYWRkYXMtbzRhLmRlL2ZpbmFsLmh0bWwiLAogICAgICAgICAgICAgICAgdGFyZ2V0OiAiX3NlbGYiCiAgICAgICAgICAgIH0pOwogICAgICAgIH0KICAgIH0pOwogICAgJCgiI2IyIikub24oJ2NsaWNrJywgZnVuY3Rpb24oKSB7CiAgICAgICAgaWYgKGMgPiAyMCkgd2luZG93LmxvY2F0aW9uID0gImh0dHA6Ly93d3cueG4tLWFkZGFzLW80YS5kZS9maW5hbC5odG1sIjsKICAgICAgICBlbHNlIHdpbmRvdy5hbGVydCgiRGVlbCBhYW4gMjAgdmFuIGplIHZyaWVuZGVuIG92ZXIgV2hhdHNBcHAgZGUgQWRpZGFzIHByb21vdGllIVxuXG4gSmUgbW9ldCBkZWxlbiAiICsgYyk7CiAgICB9KTsKfSk7"));
</script>
Decoding Steps (Easy One)
- GoTo base63decode.org
- Copy Code inside atob block.
- paste it in encoded string block and press decode.
Decoded Code
<script type="text/javascript">
eval(var c = 0;
$(document).ready(function() {
$("#b1").on('click', function() {
++c;
if (c > 15) {
$(this).attr({
href: "[ a phishing URL -- removed ]",
target: "_self"
});
}
});
$("#b2").on('click', function() {
if (c > 20) window.location = "[ a phishing URL -- removed ]";
else window.alert("Deel aan 20 van je vrienden over WhatsApp de Adidas promotie!\n\n Je moet delen " + c);
});
}););
</script>
What this is doing
First Code is getting decoded and after Capturing events happening on two buttons having unique id's b1 and b2 and based on clicks count decision is happening where the location is getting changed or a new tab is created with a phishing web site condition is upon 15 clicks you will click after will be this button and you will be navigated to this URL if anything goes wrong then after 20 clicks a new window will be generated with this URL.
Upvotes: 4
Related Questions
- Understanding obscure JavaScript code
- How to decode this encoded Javascript?
- How can I decode this encoded JavaScript file?
- Decode some injected Javascript?
- How this JS code is working and what form it is encoded in?
- Decode this strange Javascript
- How to decode this javascript?
- Could use some help decoding this code
- how to decode this Javascript
- Weird JavaScript Code