Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Is this js code executable somewhere and is it reversible?

 
ulysse31
Master Cheater
Reputation: 2

Joined: 19 Mar 2015
Posts: 324
Location: Paris

Posted: Fri Mar 10, 2017 6:31 am    Post subject: Is this js code executable somewhere and is it reversible?

Hello, there are 2 blocks of code used to produce an HWID in JS.
I'd like to know:
1) Is it reversible?
2) Can I execute it? (I bet I can since my web browser seems to, but how? In a JS dialog box?)

block 1

https://gist.github.com/atom0s/f255dbfc9aacc0c436bd78483d8fb710

block 2

https://gist.github.com/atom0s/8129188bf56e763ee5c14a49e4b7d241
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Fri Mar 10, 2017 6:27 pm

Use a site like:
http://jsbeautifier.org/

This will make the code readable again by adding linebreaks etc.

The code is partially obfuscated and 'protected'. A simple Google search shows parts of this code are considered malware. I don't know why you would want to run it.

_________________
- Retired.
ulysse31
Master Cheater
Reputation: 2

Joined: 19 Mar 2015
Posts: 324
Location: Paris

Posted: Sat Mar 11, 2017 2:47 am

Thanks.
I want to run it because I need the unique HWID it generates. This code is part of an MMO launcher.
Viloresi
Expert Cheater
Reputation: 0

Joined: 02 Feb 2017
Posts: 149

Posted: Sat Mar 11, 2017 9:00 am

This is from a launcher inside a web page? There is no way to run an executable with JS from a webpage loaded by a "modern" browser (Mozilla, Chrome, IE).
You must have a plugin installed to be able to do that, or you can try to make an hta file and execute the script locally (with a browser).
ulysse31
Master Cheater
Reputation: 2

Joined: 19 Mar 2015
Posts: 324
Location: Paris

Posted: Sat Mar 11, 2017 10:07 am

This JS code is executed both from their Windows launcher and their web ID login.
I am using Chrome and even though I don't know JavaScript it does seem like my computer is executing this code when I log in from their website.
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Sat Mar 11, 2017 6:49 pm

Viloresi wrote:
This is from a launcher inside a web page? There is no way to run an executable with JS from a webpage loaded by a "modern" browser (Mozilla, Chrome, IE).
You must have a plugin installed to be able to do that, or you can try to make an hta file and execute the script locally (with a browser).


If they embed something like V8 into the launcher to execute the JS themselves or a customized version of a web element such as Chromium, they can allow it to execute anything as needed. Given that it is running within a launcher, I'd assume they have customized things to do what they need within their own bindings exposed to the JS language.

_________________
- Retired.
Viloresi
Expert Cheater
Reputation: 0

Joined: 02 Feb 2017
Posts: 149

Posted: Sun Mar 12, 2017 2:00 am

Ok guys, but what I meant by plugin was application software or anything similar to it; it's nearly impossible to run an application on your PC from a web page without having something installed (that you may have installed when you first logged in to that site).
Because it would be a security breach, everyone could infect people easily if that were possible (in some of the modern browsers these security checks can be disabled manually by the user).
The code seems encrypted so it's hard to read for me btw
ulysse31
Master Cheater
Reputation: 2

Joined: 19 Mar 2015
Posts: 324
Location: Paris

Posted: Sun Mar 12, 2017 5:16 pm

atom0s wrote:
Viloresi wrote:
This is from a launcher inside a web page? There is no way to run an executable with JS from a webpage loaded by a "modern" browser (Mozilla, Chrome, IE).
You must have a plugin installed to be able to do that, or you can try to make an hta file and execute the script locally (with a browser).


If they embed something like V8 into the launcher to execute the JS themselves or a customized version of a web element such as Chromium, they can allow it to execute anything as needed. Given that it is running within a launcher, I'd assume they have customized things to do what they need within their own bindings exposed to the JS language.

Yes, the launcher uses Chromium.
But I am fairly sure this code is executing even without the launcher, just from the Chrome web browser:
1/ The MMO website makes us send a request to the security company, which answers with this JavaScript code I posted in this thread.
2/ My browser generates an HWID such as

Mod Edited to stop format breaking.

And logging in through the website does not require any specific software installation on the computer.
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Sun Mar 12, 2017 6:54 pm

If the page is already loaded with this JS running/ran, you can just use the console of your web browser to force execute functions that are registered to the current environment. Given that things are partially obfuscated and encrypted you are going to have to walk through the code visually to get to the parts that you feel are needed for your goal and decode the various strings.

There are various things being used in this code such as SHA1 hashing, base64 encoding/decoding, Triple DES, and so on. You can also debug the code as needed through your browser if you are able to load the site/page that this JS loads from etc too.


Viloresi wrote:
Ok guys, but what I meant by plugin was application software or anything similar to it; it's nearly impossible to run an application on your PC from a web page without having something installed (that you may have installed when you first logged in to that site).
Because it would be a security breach, everyone could infect people easily if that were possible (in some of the modern browsers these security checks can be disabled manually by the user).
The code seems encrypted so it's hard to read for me btw


I'm not sure you quite understand how people get infected in the first place from websites. Downloading and executing things on someone's system is not impossible or hard to do at all. They are commonly known as drive-by attacks where you could be browsing a site for not even a few seconds and leave but already be infected simply because 1 script was able to run.

Modern browsers attempt to keep up with these types of attacks, along with anti-virus, but new methods of exploiting are found daily. Not to mention this JavaScript code is not only running by itself, it loads Flash objects which are also well known to be insecure and able to infect people's systems.

Web-based infection would not exist at all if it were how you are thinking.

Because of these types of attacks a lot of browsers now, by default, disable Flash objects from auto-playing and instead attempt to enforce HTML5 based objects when valid and possible. Some browsers have JavaScript disabled or highly locked down when possible. Some ship with NoScript-type addons, etc.

_________________
- Retired.
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Sun Mar 12, 2017 7:11 pm

I've cleaned up the topic to fix the formatting and such since the long lines were breaking the template. Main post is linked to code pastes of the original topic, but in a 'pretty' format that is more readable.

For the obfuscation that is being done you can trace back to how things are being encoded and undo them, for example strings such as:

Code:
var _i_fh = _i_o.__if_ap("aHR0cHM6Ly9tcHNuYXJlLmllc25hcmUuY29tLw==").match(/^(\w+:\/\/(?::\d+)*)[^.]+(.*)/);


You can see that this is calling:
_i_o object's function __if_ap, which can be traced to the _i_o object here:

Code:

var _i_o = {
    _i_ft: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
    __if_ai: function(_i_al) {
        var _i_e = "";
        for (var _i_g = 0; _i_g < _i_al.length; _i_g += 3) {
            var _i_p = _i_al.charCodeAt(_i_g);
            var _i_q = _i_al.charCodeAt(_i_g + 1);
            var _i_r = _i_al.charCodeAt(_i_g + 2);
            var _i_s = _i_p >> 2;
            var _i_t = ((_i_p & 3) << 4) | (_i_q >> 4);
            var _i_u = ((_i_q & 15) << 2) | (_i_r >> 6);
            var _i_v = _i_r & 63;
            if (isNaN(_i_q)) {
                _i_u = _i_v = 64;
            } else if (isNaN(_i_r)) {
                _i_v = 64;
            }
            _i_e = _i_e + this._i_ft.charAt(_i_s) + this._i_ft.charAt(_i_t) + this._i_ft.charAt(_i_u) + this._i_ft.charAt(_i_v);
        }
        return _i_e;
    },
    __if_ap: function(_i_al) {
        var _i_w = "";
        var _i_x, chr2, chr3 = "";
        var _i_s, _i_t, _i_u, _i_v = "";
        var _i_g = 0;
        var _i_y = /[^A-Za-z0-9\+\/\=]/g;
        if (_i_y.exec(_i_al)) return "";
        do {
            _i_s = this._i_ft.indexOf(_i_al.charAt(_i_g++));
            _i_t = this._i_ft.indexOf(_i_al.charAt(_i_g++));
            _i_u = this._i_ft.indexOf(_i_al.charAt(_i_g++));
            _i_v = this._i_ft.indexOf(_i_al.charAt(_i_g++));
            _i_x = (_i_s << 2) | (_i_t >> 4);
            chr2 = ((_i_t & 15) << 4) | (_i_u >> 2);
            chr3 = ((_i_u & 3) << 6) | _i_v;
            _i_w = _i_w + String.fromCharCode(_i_x);
            if (_i_u != 64) _i_w = _i_w + String.fromCharCode(chr2);
            if (_i_v != 64) _i_w = _i_w + String.fromCharCode(chr3);
            _i_x = chr2 = chr3 = "";
            _i_s = _i_t = _i_u = _i_v = "";
        } while (_i_g < _i_al.length);
        return _i_w;
    }
};


In Chrome you can directly paste this entire block into the console and use its code. So paste that then do:
Code:
_i_o.__if_ap("aHR0cHM6Ly9tcHNuYXJlLmllc25hcmUuY29tLw==")


And Chrome will print the result of the string decryption, in this example:


Do the same for the rest, or create a decryption script to auto-replace things within the JS that use these functions to create a more readable base script.


Just skimming through some of the decrypted strings this really does not look like anything related to the MMO and instead the site is infected or not from an MMO website to begin with.

_________________
- Retired.
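
The decryption script suggested in the post above, as an added example (not code from the thread or from the script's authors): it finds each `_i_o.__if_ap("...")` call in a source string and replaces it with the decoded literal. The decoder works one 4-character group at a time, like the pasted routine, so the literal made of two padded segments run together (it appears in the `src` line quoted later in the thread) also decodes; the names `decodeQuads`, `deobfuscate` and `SAMPLE` are assumptions.

```javascript
// Added example: static decoder for _i_o.__if_ap("...") calls (names are assumptions).
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Decode base64 one 4-character group at a time, as the pasted routine does,
// so a literal made of several padded segments run together still decodes
// (the browser's atob() rejects padding in the middle of its input).
function decodeQuads(text) {
  if (/[^A-Za-z0-9+\/=]/.test(text)) return ""; // same rejection rule as __if_ap
  let out = "";
  for (let i = 0; i < text.length; i += 4) {
    const [a, b, c, d] = [0, 1, 2, 3].map((k) => {
      const ch = text.charAt(i + k);
      return ch === "=" || ch === "" ? -1 : ALPHABET.indexOf(ch);
    });
    if (a < 0 || b < 0) break; // truncated or malformed group: stop decoding
    out += String.fromCharCode((a << 2) | (b >> 4));
    if (c >= 0) out += String.fromCharCode(((b & 15) << 4) | (c >> 2));
    if (c >= 0 && d >= 0) out += String.fromCharCode(((c & 3) << 6) | d);
  }
  return out;
}

// Rewrite every _i_o.__if_ap("...") call as a plain string literal and
// collect the decoded values so they can be reviewed on their own.
function deobfuscate(source) {
  const decoded = [];
  const call = /_i_o\.__if_ap\(\s*(["'])([A-Za-z0-9+\/=]*)\1\s*\)/g;
  const rewritten = source.replace(call, (match, quote, payload) => {
    const plain = decodeQuads(payload);
    decoded.push(plain);
    return JSON.stringify(plain);
  });
  return { rewritten, decoded };
}

// Constructed sample: two calls copied from the snippets quoted in this thread.
const SAMPLE = [
  'var base = _i_o.__if_ap("aHR0cHM6Ly9tcHNuYXJlLmllc25hcmUuY29tLw==");',
  'el.setAttribute("src", _i_o.__if_ap("aHR0cHM6Ly9tcHNuYXJlLmllc25hcmUuY29tLw==c2NyaXB0L2xvZ28uanM="));',
].join("\n");

const result = deobfuscate(SAMPLE);
console.log(result.rewritten);
```

Run it with Node.js on a saved copy of the script; nothing from the script itself is executed, only its string literals are decoded.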
Viloresi
Expert Cheater
Reputation: 0

Joined: 02 Feb 2017
Posts: 149

Posted: Mon Mar 13, 2017 1:06 am

You are right, I'm just trying to state a point of view.
atom0s, I may be wrong, but isn't this the function that loads the JavaScript virus inside the page?

Code:
           }
    return true;
}
try {
    var _i_fm = new __if_f("io_temp");
    var _i_fn = new __if_e("io_temp");
    var _i_fo = new __if_g(_i_o.__if_ap("aHR0cHM6Ly9tcHNuYXJlLmllc25hcmUuY29tLw==") + "stmgwb2.swf", (__if_h()) ? "" : "Fi/p4mRvGLDH3fGNt7jjh7zuklT4HaJc/ejERCCbaZg=");
    io_cm.push(_i_fm, _i_fn, io_adp, _i_fo);
    if (__if_h()) _i_cr.__if_fc("FLRTD", "Fi/p4mRvGLDH3fGNt7jjh7zuklT4HaJc/ejERCCbaZg=");
    else _i_fm._if_hn = _i_fn._if_hn = "Fi/p4mRvGLDH3fGNt7jjh7zuklT4HaJc/ejERCCbaZg=";
    try {
        var _i_dl = document.getElementsByTagName('head')[0];
        var _i_fp = document.createElement("script");
        _i_fp.setAttribute("language", "javascript");
        _i_fp.setAttribute("type", "text/javascript");
        _i_fp.setAttribute("src", _i_o.__if_ap("aHR0cHM6Ly9tcHNuYXJlLmllc25hcmUuY29tLw==c2NyaXB0L2xvZ28uanM="));
        _i_dl.appendChild(_i_fp);
    } catch (e) {}
    try {
        if (typeof(document.documentURI) != 'undefined') {
            _i_cr.__if_fc("INTLOC", document.documentURI.split("?")[0]);
        }
        _i_cr.__if_fc("INTLOC", document.URL.split("?")[0]);
    } catch (e1) {}
    __if_l();
} catch (excp) {
    __if_b("io_collect", excp);
}

There is a swf file that is being loaded (with an encrypted name); it uses an exploit for the Shockwave Flash plugin...
If you scroll down the code, this string (which is of course the name of the js file)
Code:

aHR0cHM6Ly9tcHNuYXJlLmllc25hcmUuY29tLw==c2NyaXB0L2xvZ28uanM=

It's encrypted somehow, btw I guess it includes an exploit for the shockwave flash plugin... The virus uses it to run malicious stuff on windows