Since the web 2.0 update of the World Wide Web, some desperate morons are still here. Despite the open source wave, and despite the concepts of the World Wide Web & HTTP, they strongly believe they can execute code on the client and hide its source.
I was looking for a website giving a code sample for an IBAN number check. So I found one, I checked the code in Firebug, then decided to save the complete web page. As you would expect, Firefox created an "xxx.html" file, and an "xxx_files" folder with "validate_iban.js" inside.
I was cleaning up the HTML page to remove all the ad scripts when I found this one:
<script type="text/javascript" language="javascript1.1">function dc(){var i,j,x,y,x=
"x=\"z?$2z;?9^$w4y^^7^^64f:w9:z=?xwvg7^^:^$,|nei7;A-&?h49;4^^|^$t=i7A8`{,?g" +
":&8;)6)677i:=+z)6:78?+w;9:67p8g:6;66u/e|6jj:c2r9;7=:g;*<7=f;zw+y:;:9=fh;5:" +
"74q8t64;78*wkx:hg:?v2j:9f9=:ke`g&6>,zm?:=i00n::;86g5p;}6A4i6v-+8:6j-=:5i;:" +
"k:-5+g?:-?+#j;8;}}l&:;95??zns:vi0Aei,69:jzcej=::tpE,m;A;q|f24;=8ggCl::69ve" +
"*v?:m5kE+x@9:6/,445<::=-k-|;2:h?*|p6i6lA>|67i9524wi7rh+ylfkg:;-w?xe7;9;v6," +
"xgl6=5{-?:77-??}9;g6UAv+m:/et+k?A66:pjis6=6:0vh,65-;tmqA!;44o4E?;;8:jmc@}:" +
"/5t|E2A8;6qpfi=4;;gr*ky7r:lx+li;47!?{m^$;=7l/?Ag;x6c:n-*6z:0!e}j7c:t/CAv=*" +
";2|+2+7=hzw?yz904ufwwd;u8vxtv*g36+,=m{6?9)0)7=gh6q-t?*:k5?#2j=:k6>szv06n4g" +
",pmi:v:jA=7k7-:??6m+8}:{@-|?9zj02upw:d9uivrt:*:kk.x4e+;=l!?h7q:tm*/k9?;4A=" +
":k6>jz-0!n7g6p}i/v7ji=Ak|-4?:62+w}7{7-y?fzg06uwwxd7u9vvt,*:kj.m40+;=7!7{-?" +
"e{70?u#w<d:u}vAt7*;l}+2=$=l?gxcn*z0ejctCv*2++=z?z0uwduvt*3+={?))=hqt*k?2=k" +
">z0ngpivj=k-?4+}{-?z0uwduvt*k.3+=!hqt*k?3=k>z0ngpivj=k-?4+}{-?z0uwduvt*k.3" +
"+=!{?{0uwduvt*l+=\";y='';x=unescape(x);for(i=0;i<x.length;i++){j=x.charCod" +
"eAt(i)-2;if(j<32)j+=94;y+=String.fromCharCode(j)}y";while(x=eval(x));}dc();
</script>
WTF? It must be one of those guilty ad scripts sending confidential info to a commercial third party! But wait... At first, you see an incomprehensible pie. Looking closely, this is easy:
- some variables are declared, "x" being filled with the big pie. At the end, you see JavaScript instructions.
- a "while" loop keeps evaluating x until it returns false or null or undefined or 0.
So I opened Firebug, copy-pasted the code and executed the "x variable decrypting". First iteration gave something like : "x="z?$2z;?9^$w4y^^7^^64f:w9:z=?xwvg7^^:^$,|nei7;A-&?h49;4^^|^$t=i7A8`{,?g:&8;)6)677i:=+z)6:78?+w;9:67p8g:6;66u/e|6jj:c2r9;7=:g;*<7=f;zw+y:;:9=fh;5:74q8t64;78*wkx:hg:?v2j:9f9=:ke`g&6>,zm?:=i00n::;86g5p;}6A4i6v-+8:6j-=:5i;:k:-5+g?:-?+#j;8;}}l&:;95??zns:vi0Aei,69:jzcej=::tpE,m;A;q|f24;=8ggCl::69ve*v?:m5kE+x@9:6/,445<::=-k-|;2:h?*|p6i6lA>|67i9524wi7rh+ylfkg:;-w?xe7;9;v6,xgl6=5{-?:77-??}9;g6UAv+m:/et+k?A66:pjis6=6:0vh,65-;tmqA!;44o4E?;;8:jmc@}:/5t|E2A8;6qpfi=4;;gr*ky7r:lx+li;47!?{m^$;=7l/?Ag;x6c:n-*6z:0!e}j7c:t/CAv=*;2|+2+7=hzw?yz904ufwwd;u8vxtv*g36+,=m{6?9)0)7=gh6q-t?*:k5?#2j=:k6>szv06n4g,pmi:v:jA=7k7-:??6m+8}:{@-|?9zj02upw:d9uivrt:*:kk.x4e+;=l!?h7q:tm*/k9?;4A=:k6>jz-0!n7g6p}i/v7ji=Ak|-4?:62+w}7{7-y?fzg06uwwxd7u9vvt,*:kj.m40+;=7!7{-?e{70?u#w<d:u}vAt7*;l}+2=$=l?gxcn*z0ejctCv*2++=z?z0uwduvt*3+={?))=hqt*k?2=k>z0ngpivj=k-?4+}{-?z0uwduvt*k.3+=!hqt*k?3=k>z0ngpivj=k-?4+}{-?z0uwduvt*k.3+=!{?{0uwduvt*l+=";y='';x=unescape(x);for(i=0;i<x.length;i++){j=x.charCodeAt(i)-2;if(j<32)j+=94;y+=String.fromCharCode(j)}y"
Then I extracted x and re-evaluated its content about 10 times, until x ended up with the value: "document.write("<script src=\"afc_js/0c5j8u3n4b5/validate_iban.js\" type=\"text/javascript\" language=\"javascript\" defer></script>");0;"
Yeeeaaah, man. All this bullshit only to insert into the page an obfuscated script source I already had!
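The same unpacking done without `eval`, as an added example that is not part of the original post: each layer is parsed as text and decoded with the arithmetic from the packed loop, so the final stage is returned as a string instead of being executed. `pack()`, `FINAL` and the ten-layer sample are constructed here for the demo, and the parser assumes every layer has exactly the shape shown above, with only `\"` and `\\` escapes inside the string literal.

```javascript
// Fixed tail of every layer, copied from the script in the post.
const TAIL = "y='';x=unescape(x);for(i=0;i<x.length;i++){j=x.charCodeAt(i)-2;" +
             "if(j<32)j+=94;y+=String.fromCharCode(j)}y";
const LAYER = /^x="((?:[^"\\]|\\.)*)";/;

// Same arithmetic as the packed loop: shift each char code down by 2 and
// wrap values below 32 back into the printable range.
function shiftDecode(s) {
  let out = "";
  for (const ch of unescape(s)) {
    let j = ch.charCodeAt(0) - 2;
    if (j < 32) j += 94;
    out += String.fromCharCode(j);
  }
  return out;
}

// Peel one layer as data. Returns null when src is not a packed layer.
function peel(src) {
  const m = LAYER.exec(src);
  if (!m || src.slice(m[0].length) !== TAIL) return null;
  const literal = m[1].replace(/\\(.)/g, "$1"); // assumption: only \" and \\ occur
  return shiftDecode(literal);
}

// Peel until the text no longer looks like a layer; nothing is ever eval'd.
function unpack(src, maxLayers = 64) {
  let layers = 0;
  for (let next; layers < maxLayers && (next = peel(src)) !== null; layers++) src = next;
  return { layers, payload: src };
}

// Constructed helper (inverse of shiftDecode), used only to build test input.
function pack(plain) {
  let enc = "";
  for (const ch of plain) {
    let c = ch.charCodeAt(0) + 2;
    if (c > 125) c -= 94;
    enc += String.fromCharCode(c);
  }
  enc = enc.replace(/%/g, "%25").replace(/[\\"]/g, "\\$&");
  return 'x="' + enc + '";' + TAIL;
}

// Constructed sample: a harmless final stage wrapped ten times.
const FINAL = 'document.write("<p>constructed final stage</p>");0;';
let sample = FINAL;
for (let n = 0; n < 10; n++) sample = pack(sample);
console.log(unpack(sample));
```

The `maxLayers` bound keeps a self-referencing or malformed sample from looping forever, which the original `while(x=eval(x))` does not guard against.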