ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
atom0s Moderator Reputation: 199
Joined: 25 Jan 2006 Posts: 8518 Location: 127.0.0.1
Posted: Fri Mar 10, 2017 6:27 pm
Use a site like:
http://jsbeautifier.org/
This will make the code readable again by adding linebreaks etc.
The code is partially obfuscated and 'protected'. A simple Google search shows parts of this code are considered malware. I don't know why you would want to run it.
_________________
- Retired.
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Sat Mar 11, 2017 2:47 am
Thanks.
I want to run it because I need the unique HWID it generates. This code is part of an MMO launcher.
Viloresi Expert Cheater Reputation: 0
Joined: 02 Feb 2017 Posts: 149
Posted: Sat Mar 11, 2017 9:00 am
This is from a launcher inside a web page? There is no way to run an executable with JS from a web page loaded by a "modern" browser (Mozilla, Chrome, IE).
You must have a plugin installed to be able to do that, or you can try to make an HTA file and execute the script locally (with a browser).
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Sat Mar 11, 2017 10:07 am
This JS code is executed both from their Windows launcher and their web ID login.
I am using Chrome and, even though I don't know JavaScript, it does seem like my computer is executing this code when I log in from their website.
atom0s Moderator Reputation: 199
Joined: 25 Jan 2006 Posts: 8518 Location: 127.0.0.1
Posted: Sat Mar 11, 2017 6:49 pm
Viloresi wrote:
> This is from a launcher inside a web page? There is no way to run an executable with JS from a web page loaded by a "modern" browser (Mozilla, Chrome, IE).
> You must have a plugin installed to be able to do that, or you can try to make an HTA file and execute the script locally (with a browser).
If they embed something like V8 into the launcher to execute the JS themselves or a customized version of a web element such as Chromium, they can allow it to execute anything as needed. Given that it is running within a launcher, I'd assume they have customized things to do what they need within their own bindings exposed to the JS language.
Viloresi Expert Cheater Reputation: 0
Joined: 02 Feb 2017 Posts: 149
Posted: Sun Mar 12, 2017 2:00 am
Ok guys, but what I meant with "plugin" was application software or anything similar to it. It's nearly impossible to run an application on your PC from a web page without having something installed (that you may have installed when you first logged in to that site).
Because it would be a security breach: everyone could infect people easily if that were possible (in some of the modern browsers these security checks can be disabled manually by the user).
The code seems encrypted, so it's hard to read for me, btw.
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Sun Mar 12, 2017 5:16 pm
atom0s wrote:
> Viloresi wrote:
> > This is from a launcher inside a web page? There is no way to run an executable with JS from a web page loaded by a "modern" browser (Mozilla, Chrome, IE).
> > You must have a plugin installed to be able to do that, or you can try to make an HTA file and execute the script locally (with a browser).
> If they embed something like V8 into the launcher to execute the JS themselves or a customized version of a web element such as Chromium, they can allow it to execute anything as needed. Given that it is running within a launcher, I'd assume they have customized things to do what they need within their own bindings exposed to the JS language.
Yes, the launcher uses Chromium.
But I am fairly sure this code is executing even without the launcher, just from the Chrome web browser:
1/ The MMO website makes us send a request to the security company, which answers with the JavaScript code I posted in this thread.
2/ My browser generates an HWID such as
[Mod edited to stop format breaking.]
And logging in through the website does not require any specific software installation on the computer.
atom0s Moderator Reputation: 199
Joined: 25 Jan 2006 Posts: 8518 Location: 127.0.0.1
Posted: Sun Mar 12, 2017 6:54 pm
If the page is already loaded with this JS running/ran, you can just use the console of your web browser to force execute functions that are registered to the current environment. Given that things are partially obfuscated and encrypted you are going to have to walk through the code visually to get to the parts that you feel are needed for your goal and decode the various strings.
There are various things being used in this code such as SHA1 hashing, base64 encoding/decoding, Triple DES, and so on. You can also debug the code as needed through your browser if you are able to load the site/page that this JS loads from etc too.
Viloresi wrote:
> Ok guys, but what I meant with "plugin" was application software or anything similar to it. It's nearly impossible to run an application on your PC from a web page without having something installed (that you may have installed when you first logged in to that site).
> Because it would be a security breach: everyone could infect people easily if that were possible (in some of the modern browsers these security checks can be disabled manually by the user).
> The code seems encrypted, so it's hard to read for me, btw.
I'm not sure you quite understand how people get infected in the first place from websites. Downloading and executing things on someone's system is not impossible or hard to do at all. They are commonly known as drive-by attacks, where you could be browsing a site for not even a few seconds and leave but already be infected simply because one script was able to run.
Modern browsers attempt to keep up with these types of attacks, along with anti-virus software, but new methods of exploiting are found daily. Not to mention this JavaScript code is not only running by itself, it loads Flash objects, which are also well known to be insecure and able to infect people's systems.
Web-based infection would not exist at all if it were how you are thinking.
Because of these types of attacks a lot of browsers now, by default, disable Flash objects from auto-playing and instead attempt to enforce HTML5-based objects when valid and possible. Some browsers have JavaScript disabled or highly locked down when possible. Some ship with NoScript-type addons etc.
atom0s Moderator Reputation: 199
Joined: 25 Jan 2006 Posts: 8518 Location: 127.0.0.1
Posted: Sun Mar 12, 2017 7:11 pm
I've cleaned up the topic to fix the formatting and such since the long lines were breaking the template. Main post is linked to code pastes of the original topic, but in a 'pretty' format that is more readable.
For the obfuscation that is being done you can trace back to how things are being encoded and undo them, for example strings such as:
Code:
var _i_fh = _i_o.__if_ap("aHR0cHM6Ly9tcHNuYXJlLmllc25hcmUuY29tLw==").match(/^(\w+:\/\/(?::\d+)*)[^.]+(.*)/);
You can see that this is calling the _i_o object's function __if_ap, which can be traced to the _i_o object here:
Code:
var _i_o = {
    _i_ft: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
    // standard base64 encode, 3 input bytes -> 4 alphabet symbols
    __if_ai: function(_i_al) {
        var _i_e = "";
        for (var _i_g = 0; _i_g < _i_al.length; _i_g += 3) {
            var _i_p = _i_al.charCodeAt(_i_g);
            var _i_q = _i_al.charCodeAt(_i_g + 1);
            var _i_r = _i_al.charCodeAt(_i_g + 2);
            var _i_s = _i_p >> 2;
            var _i_t = ((_i_p & 3) << 4) | (_i_q >> 4);
            var _i_u = ((_i_q & 15) << 2) | (_i_r >> 6);
            var _i_v = _i_r & 63;
            if (isNaN(_i_q)) {
                _i_u = _i_v = 64;
            } else if (isNaN(_i_r)) {
                _i_v = 64;
            }
            _i_e = _i_e + this._i_ft.charAt(_i_s) + this._i_ft.charAt(_i_t) + this._i_ft.charAt(_i_u) + this._i_ft.charAt(_i_v);
        }
        return _i_e;
    },
    // base64 decode, 4 alphabet symbols -> up to 3 output bytes; index 64 is '=' padding
    __if_ap: function(_i_al) {
        var _i_w = "";
        var _i_x, chr2, chr3 = "";
        var _i_s, _i_t, _i_u, _i_v = "";
        var _i_g = 0;
        var _i_y = /[^A-Za-z0-9\+\/\=]/g;
        if (_i_y.exec(_i_al)) return "";
        do {
            _i_s = this._i_ft.indexOf(_i_al.charAt(_i_g++));
            _i_t = this._i_ft.indexOf(_i_al.charAt(_i_g++));
            _i_u = this._i_ft.indexOf(_i_al.charAt(_i_g++));
            _i_v = this._i_ft.indexOf(_i_al.charAt(_i_g++));
            _i_x = (_i_s << 2) | (_i_t >> 4);
            chr2 = ((_i_t & 15) << 4) | (_i_u >> 2);
            chr3 = ((_i_u & 3) << 6) | _i_v;
            _i_w = _i_w + String.fromCharCode(_i_x);
            if (_i_u != 64) _i_w = _i_w + String.fromCharCode(chr2);
            if (_i_v != 64) _i_w = _i_w + String.fromCharCode(chr3);
            _i_x = chr2 = chr3 = "";
            _i_s = _i_t = _i_u = _i_v = "";
        } while (_i_g < _i_al.length);
        return _i_w;
    }
};
In Chrome you can directly paste this entire block into the console and use its code. So paste that then do:
Code:
_i_o.__if_ap("aHR0cHM6Ly9tcHNuYXJlLmllc25hcmUuY29tLw==")
And Chrome will print the result of the string decryption, in this example:
Do the same for the rest, or create a decryption script to auto-replace things within the JS that use these functions to create a more readable base script.
Just skimming through some of the decrypted strings, this really does not look like anything related to the MMO; instead the site is infected, or it is not from an MMO website to begin with.
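An added example (my code, not from the thread or from the script it discusses): a Node.js re-implementation of the __if_ap decoder above together with the auto-replace pass atom0s suggests, run on a constructed snippet. The names decodeIfAp, deobfuscate and SAMPLE, and the encoded host and path inside the sample, are made up for this example.

```javascript
// Added example, not code from the thread or from the script it discusses:
// a Node.js re-implementation of the _i_o.__if_ap decoder, plus the
// auto-replace pass atom0s suggests. decodeIfAp, deobfuscate and SAMPLE
// are names/inputs made up for this example.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

// Mirrors __if_ap: consumes 4 symbols per iteration and drops any output
// byte whose symbol is '=' (index 64). Because it never stops at padding,
// it also accepts two padded encodings glued together in one string, which
// is how the script builds the src of the <script> tag it injects.
function decodeIfAp(enc) {
  if (/[^A-Za-z0-9+\/=]/.test(enc)) return ""; // same reject rule as the original
  let out = "";
  for (let i = 0; i < enc.length; i += 4) {
    const a = ALPHABET.indexOf(enc.charAt(i));
    const b = ALPHABET.indexOf(enc.charAt(i + 1));
    const c = ALPHABET.indexOf(enc.charAt(i + 2));
    const d = ALPHABET.indexOf(enc.charAt(i + 3));
    out += String.fromCharCode((a << 2) | (b >> 4));
    if (c !== 64) out += String.fromCharCode(((b & 15) << 4) | (c >> 2));
    if (d !== 64) out += String.fromCharCode(((c & 3) << 6) | d);
  }
  return out;
}

// Rewrites every _i_o.__if_ap("<literal>") call into the decoded string
// literal so the surrounding code reads normally. Calls that pass a
// variable instead of a literal are left untouched for manual tracing.
function deobfuscate(js) {
  return js.replace(
    /_i_o\.__if_ap\("([A-Za-z0-9+\/=]*)"\)/g,
    (_match, enc) => JSON.stringify(decodeIfAp(enc))
  );
}

// Constructed sample in the same shape as the thread's code; the encoded
// values are a made-up host and path, not the ones from the real script.
const SAMPLE = [
  'var _i_fh = _i_o.__if_ap("aHR0cHM6Ly9leGFtcGxlLnRlc3Qv") + "tag.js";',
  'var _i_src = _i_o.__if_ap("aW1nLw==cGl4ZWwuanM=");',
  'var _i_dyn = _i_o.__if_ap(someVariable);',
].join("\n");

console.log(deobfuscate(SAMPLE));
```

Running it prints the sample with both literal calls replaced by plain strings and the variable call left as-is; a standard strict base64 decoder would not accept the second literal because of the '=' in the middle.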
Viloresi Expert Cheater Reputation: 0
Joined: 02 Feb 2017 Posts: 149
Posted: Mon Mar 13, 2017 1:06 am
You are right, I'm just trying to state a point of view.
atom0s, I may be wrong, but isn't this the function that loads the JavaScript virus inside the page?
Code:
    }
    return true;
}
try {
    var _i_fm = new __if_f("io_temp");
    var _i_fn = new __if_e("io_temp");
    var _i_fo = new __if_g(_i_o.__if_ap("aHR0cHM6Ly9tcHNuYXJlLmllc25hcmUuY29tLw==") + "stmgwb2.swf", (__if_h()) ? "" : "Fi/p4mRvGLDH3fGNt7jjh7zuklT4HaJc/ejERCCbaZg=");
    io_cm.push(_i_fm, _i_fn, io_adp, _i_fo);
    if (__if_h()) _i_cr.__if_fc("FLRTD", "Fi/p4mRvGLDH3fGNt7jjh7zuklT4HaJc/ejERCCbaZg=");
    else _i_fm._if_hn = _i_fn._if_hn = "Fi/p4mRvGLDH3fGNt7jjh7zuklT4HaJc/ejERCCbaZg=";
    try {
        var _i_dl = document.getElementsByTagName('head')[0];
        var _i_fp = document.createElement("script");
        _i_fp.setAttribute("language", "javascript");
        _i_fp.setAttribute("type", "text/javascript");
        _i_fp.setAttribute("src", _i_o.__if_ap("aHR0cHM6Ly9tcHNuYXJlLmllc25hcmUuY29tLw==c2NyaXB0L2xvZ28uanM="));
        _i_dl.appendChild(_i_fp);
    } catch (e) {}
    try {
        if (typeof(document.documentURI) != 'undefined') {
            _i_cr.__if_fc("INTLOC", document.documentURI.split("?")[0]);
        }
        _i_cr.__if_fc("INTLOC", document.URL.split("?")[0]);
    } catch (e1) {}
    __if_l();
} catch (excp) {
    __if_b("io_collect", excp);
}
There is an SWF file that is being loaded (with an encrypted name); it uses an exploit for the Shockwave Flash plugin...
If you scroll down the code, this string (which is of course the name of the JS file):
Code:
aHR0cHM6Ly9tcHNuYXJlLmllc25hcmUuY29tLw==c2NyaXB0L2xvZ28uanM=
It's encrypted somehow. Btw, I guess it includes an exploit for the Shockwave Flash plugin... The virus uses it to run malicious stuff on Windows.