Can somebody disassemble that and explain to me how it works? That's protected email link.
<script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o=\"\",l=x.length;for(i=0;i<l;i+=2) {if(i+1<l)o+=" +
"x.charAt(i+1);try{o+=x.charAt(i);}catch(e){}}return o;}f(\"ufcnitnof x({)av" +
" r,i=o\\\"\\\"o,=l.xelgnhtl,o=;lhwli(e.xhcraoCedtAl(1/)3=!11)1t{yrx{=+;x+ll" +
"=};acct(h)e}{f}roi(l=1-i;=>;0-i)-o{=+.xhcratAi(;)r}teru n.oussbrt0(o,)l};(f" +
")\\\"43\\\\,q\\\"sydn%{~l/,\\\\\\\\\\\\\\\\20\\\\0r\\\\gggo2>02\\\\\\\\27\\" +
"\\07\\\\01\\\\\\\\23\\\\07\\\\02\\\\\\\\13\\\\0Y\\\\30\\\\04\\\\02\\\\\\\\3" +
"1\\\\04\\\\03\\\\\\\\00\\\\0O\\\\3R1L6Q01\\\\\\\\06\\\\05\\\\03\\\\\\\\01\\" +
"\\03\\\\02\\\\\\\\GF6801\\\\\\\\\\\\r2\\\\00\\\\\\\\3N<7<132\\\\06\\\\#3;?}" +
"'0< =w<?# &*)1d03\\\\\\\\%y3'7(03\\\\\\\\1_00\\\\\\\\36\\\\03\\\\02\\\\\\\\" +
"UTC]G_5C03\\\\\\\\_FBUN[OC\\\"\\\\f(;} ornture;}))++(y)^(iAtdeCoarchx.e(odr" +
"ChamCro.fngriSt+=;o27=1y%2;*=)yy)3+(4i>f({i+)i+l;i<0;i=r(foh;gten.l=x,l\\\"" +
"\\\\\\\"\\\\o=i,r va){,y(x fontincfu)\\\"\")" ;
while(x=eval(x));
//-->
//]]>
</script>
Can somebody disassemble that and explain to me how it works? That's protected email link.
<script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o=\"\",l=x.length;for(i=0;i<l;i+=2) {if(i+1<l)o+=" +
"x.charAt(i+1);try{o+=x.charAt(i);}catch(e){}}return o;}f(\"ufcnitnof x({)av" +
" r,i=o\\\"\\\"o,=l.xelgnhtl,o=;lhwli(e.xhcraoCedtAl(1/)3=!11)1t{yrx{=+;x+ll" +
"=};acct(h)e}{f}roi(l=1-i;=>;0-i)-o{=+.xhcratAi(;)r}teru n.oussbrt0(o,)l};(f" +
")\\\"43\\\\,q\\\"sydn%{~l/,\\\\\\\\\\\\\\\\20\\\\0r\\\\gggo2>02\\\\\\\\27\\" +
"\\07\\\\01\\\\\\\\23\\\\07\\\\02\\\\\\\\13\\\\0Y\\\\30\\\\04\\\\02\\\\\\\\3" +
"1\\\\04\\\\03\\\\\\\\00\\\\0O\\\\3R1L6Q01\\\\\\\\06\\\\05\\\\03\\\\\\\\01\\" +
"\\03\\\\02\\\\\\\\GF6801\\\\\\\\\\\\r2\\\\00\\\\\\\\3N<7<132\\\\06\\\\#3;?}" +
"'0< =w<?# &*)1d03\\\\\\\\%y3'7(03\\\\\\\\1_00\\\\\\\\36\\\\03\\\\02\\\\\\\\" +
"UTC]G_5C03\\\\\\\\_FBUN[OC\\\"\\\\f(;} ornture;}))++(y)^(iAtdeCoarchx.e(odr" +
"ChamCro.fngriSt+=;o27=1y%2;*=)yy)3+(4i>f({i+)i+l;i<0;i=r(foh;gten.l=x,l\\\"" +
"\\\\\\\"\\\\o=i,r va){,y(x fontincfu)\\\"\")" ;
while(x=eval(x));
//-->
//]]>
</script>
2 Answers
Reset to default 6eval() takes a string an interprets it as Javascript code.
What the while(x=eval(x)) loop is doing is evaluating the string in x as code, and taking the result, storing that back in x, and evaluating it again until the result is false.
Thus, the content is some Javascript code that has then been "abstracted" into a different set of Javascript code that can produce the original code as a string; this abstraction has then been repeated an arbitrary number of times. The while loop unrolls those repeated abstractions until the original Javascript code has been created and then the final eval() runs the actual code.
var x="function f(x){var i,o=\"\",l=x.length;for(i=0;i<l;i+=2) {if(i+1<l)o+=" +
"x.charAt(i+1);try{o+=x.charAt(i);}catch(e){}}return o;}f(\"ufcnitnof x({)av" +
" r,i=o\\\"\\\"o,=l.xelgnhtl,o=;lhwli(e.xhcraoCedtAl(1/)3=!11)1t{yrx{=+;x+ll" +
"=};acct(h)e}{f}roi(l=1-i;=>;0-i)-o{=+.xhcratAi(;)r}teru n.oussbrt0(o,)l};(f" +
")\\\"43\\\\,q\\\"sydn%{~l/,\\\\\\\\\\\\\\\\20\\\\0r\\\\gggo2>02\\\\\\\\27\\" +
"\\07\\\\01\\\\\\\\23\\\\07\\\\02\\\\\\\\13\\\\0Y\\\\30\\\\04\\\\02\\\\\\\\3" +
"1\\\\04\\\\03\\\\\\\\00\\\\0O\\\\3R1L6Q01\\\\\\\\06\\\\05\\\\03\\\\\\\\01\\" +
"\\03\\\\02\\\\\\\\GF6801\\\\\\\\\\\\r2\\\\00\\\\\\\\3N<7<132\\\\06\\\\#3;?}" +
"'0< =w<?# &*)1d03\\\\\\\\%y3'7(03\\\\\\\\1_00\\\\\\\\36\\\\03\\\\02\\\\\\\\" +
"UTC]G_5C03\\\\\\\\_FBUN[OC\\\"\\\\f(;} ornture;}))++(y)^(iAtdeCoarchx.e(odr" +
"ChamCro.fngriSt+=;o27=1y%2;*=)yy)3+(4i>f({i+)i+l;i<0;i=r(foh;gten.l=x,l\\\"" +
"\\\\\\\"\\\\o=i,r va){,y(x fontincfu)\\\"\")" ;
now...
> var x1 = eval(x);
> x1
function f(x){var i,o="",ol=x.length,l=ol;while(x.charCodeAt(l/13)!=111){try{x+=x;l+=l;}catch(e){}}for(i=l-1;i>=0;i--){o+=x.charAt(i);}return o.substr(0,ol);}f(")34,\"qysnd{%l~,/\\\\020\\rggog>220\\720\\710\\320\\720\\310\\Y030\\420\\130\\430\\000\\OR3L1Q610\\600\\530\\100\\320\\FG8610\\r\\200\\N37<1<230\\63#?;'}<0= <w#?& )*d130\\y%'3(730\\_100\\630\\320\\TU]C_GC530\\F_UB[NCO\"(f};o nruter};))++y(^)i(tAedoCrahc.x(edoCrahCmorf.gnirtS=+o;721=%y;2=*y))y+34(>i(fi{)++i;l<i;0=i(rof;htgnel.x=l,\"\"=o,i rav{)y,x(f noitcnuf")
and then...
> var x2 = eval(x1);
> x2
function f(x,y){var i,o="",l=x.length;for(i=0;i<l;i++){if(i>(43+y))y*=2;y%=127;o+=String.fromCharCode(x.charCodeAt(i)^(y++));}return o;}f("OCN[BU_F\035CG_C]UT\023\036\001_\037(3'%y\031d*) &?#w< =0<}';?#36\032<1<73N\002\r\0168GF\023\001\035\006\016Q1L3RO\000\034\031\024\030Y\013\027\023\017\027\022>goggr\020\\/,~l%{dnsyq",43)
and finally...
> var x3 = eval(x2);
> x3
document.writeln("<a href=\"mailto:ACTUAL EMAIL REMOVED\" title=\"\">ACTUAL EMAIL REMOVED</a>");0;
The javascript code above generated By HiveLogic Enkoder looks ugly but is in fact pretty simple. It can be easly reversed.
it use 3 levels of obfuscation.
SHORT ANSWER
This code mean something like:
eval(swapLetters_2by2(reverse_text(XOR_decode(document.write("some HTML")))));
swapLetters_2by2() will divide text into blocks of two letters and flip them. for example :
"function"=>fu nc ti on=>uf cn it no=>"ufcnitno".reverse_text() simply reverse the text (exactly like strrev in php, or [::-1] in python).
Finally, XOR_decode() decode some XOR encoded text
LONG ANSWER
Here are the three algorithms used by HiveLogic Enkoder to decode some encoded HTML :
XOR : third level of obfuscation
The javascipt function used by Enkoder for XOR decoding is the following :
function f(x,y)//x is the encoded text. y is the key for decoding (it's a number who increase)
{
var i,o="",//o will be the decoded text
l=x.length;
for(i=0;i<l;i++)//for all letters of the text
{
y%=127;//127 because a char is a number from [-128;127].
o+=String.fromCharCode(x.charCodeAt(i)^(y));// o+=x^y . o is a string, x a char
y++;
}
return o;
}
f("the encoded text",A_RANDOM_NUMBER);
It's a basic XOR() decode/encode function. (i am saying decode/encode because as you probably know it XOR(XOR(x))=x . Function to encode is the same that function to decode)
However, sometimes severals "protections" are added in the for loop, like
if(i>A_RANDOM_NUMBER+y)
{
y*=SOMEVALUE or y+=SOMEVALUE;
}
Reverse text : second level of obfuscation
The reverse text algorithm just reverse a string: Hello world=>dlrow olleH.
function f(x)
{
var i,o="",l=x.length;
for(i=l-1;i>=0;i--)//for all letters from last to first.
{
o+=x.charAt(i);//and adding them into a new variable, from last to first
}
return o;
}
f("the XOR encoded AND reversed text");
I simplified the function because somethime some additional code is added, surrounded by "if" that are never triggered. this code is only here to brainfuck people who would analyse hiveLogic encoder.
Swap letters : First level of obfuscation
The swap letter algorithm just flip blocks of two letters
function f(x)
{
var i,o="",l=x.length;
for(i=0;i<l;i+=2)//for all 2 letters
{
if(i+1<l)o+=x.charAt(i+1);//adding first the letter at i+1 in a new var
o+=x.charAt(i);//then adding the letter at i
}
return o;
}
f("XOR encoded, reversed, and 2 by 2 swapped text");
As you can see theses three tunctions are pretty easy to understand.
So, for your javascript :
First you have this code :
//the swaping 2 by 2 letters function
function f(x){var i,o="",l=x.length;for(i=0;i<l;i+=2) {if(i+1<l)o+=x.charAt(i+1);try{o+=x.charAt(i);}catch(e){}}return o;}
//the XOR, reversed and flipped text
f("ufcnitnof x({)av r,i=o\"\"o,=l.xelgnhtl,o=;lhwli(e.xhcraoCedtAl(1/)3=!11)1t{yrx{=+;x+ll=};acct(h)e}{f}roi(l=1-i;=>;0-i)-o{=+.xhcratAi(;)r}teru n.oussbrt0(o,)l};(f)\"43\\,q\"sydn%{~l/,\\\\\\\\20\\0r\\gggo2>02\\\\27\\07\\01\\\\23\\07\\02\\\\13\\0Y\\30\\04\\02\\\\31\\04\\03\\\\00\\0O\\3R1L6Q01\\\\06\\05\\03\\\\01\\03\\02\\\\GF6801\\\\\\r2\\00\\\\3N<7<132\\06\\#3;?}'0< =w<?# &*)1d03\\\\%y3'7(03\\\\1_00\\\\36\\03\\02\\\\UTC]G_5C03\\\\_FBUN[OC\"\\f(;} ornture;}))++(y)^(iAtdeCoarchx.e(odrChamCro.fngriSt+=;o27=1y%2;*=)yy)3+(4i>f({i+)i+l;i<0;i=r(foh;gten.l=x,l\"\\\"\\o=i,r va){,y(x fontincfu)\"")
After executing it, the result will be :
//the reverse text function
function f(x){var i,o="",ol=x.length,l=ol;while(x.charCodeAt(l/13)!=111){try{x+=x;l+=l;}catch(e){}}for(i=l-1;i>=0;i--){o+=x.charAt(i);}return o.substr(0,ol);}
//the XOR encoded and reversed text
f(")34,\"qysnd{%l~,/\\\\020\\rggog>220\\720\\710\\320\\720\\310\\Y030\\420\\130\\430\\000\\OR3L1Q610\\600\\530\\100\\320\\FG8610\\r\\200\\N37<1<230\\63#?;'}<0= <w#?& )*d130\\y%'3(730\\_100\\630\\320\\TU]C_GC530\\F_UB[NCO\"(f};o nruter};))++y(^)i(tAedoCrahc.x(edoCrahCmorf.gnirtS=+o;721=%y;2=*y))y+34(>i(fi{)++i;l<i;0=i(rof;htgnel.x=l,\"\"=o,i rav{)y,x(f noitcnuf");
Then, you execute it again and you will have the following result:
//the XOR decoding function.
//Note that you have one additional encoding in it : if(i>43+y)y*=2;
function f(x,y){var i,o="",l=x.length;for(i=0;i<l;i++){if(i>(43+y))y*=2;y%=127;o+=String.fromCharCode(x.charCodeAt(i)^(y++));}return o;}
//the XOR encoded text.
f("OCN[BU_F\035CG_C]UT\023\036\001_\037(3'%y\031d*) &?#w< =0<}';?#36\032<1<73N\002\r\0168GF\023\001\035\006\016Q1L3RO\000\034\031\024\030Y\013\027\023\017\027\022>goggr\020\\/,~l%{dnsyq",43);
Finally, you execute it again and some javascript containing your email will be printed. :
document.writeln("<a href=\"mailto:roman.[PROTECTED]@gmail.\" title=\"\">roman.[PROTECTED]@gmail.</a>");0;
Congrats, the obfusced Javascript is now decoded.
However, i want you to undertand you that your code is not a general case : sometimes, the code generated by HiveLogic Enkoder is simply swapLetters_2by2(XOR_decode()). Or reverse_text(XOR_decode()) (as far as i saw, XOR encoding is always used)
I also want you to warn you and warn all user who will read this : yes, Enkoder block spambots who don't understand javascript. But enkoder use only 3 very basics functions to encode your email address, so hackers and scammers will probabably write (...have probably adreally written ) some decode script for HiveLogic Enkoder