-3

I have this stange Javascript which actually just outputs html, but the source can not be readed that easily. Maybe someone knows how to decode this or convert it to usual html.

Check this out:

<div class="address"><script id="ob_address">var _0x1cb159=["\x77\x72\x69\x74\x65","\x47\x6c\x6f\x62\x61\x6c\x20\x50\x65\x72\x73\x6f\x6e\x61\x6c\x20\x50\x61\x72\x74\x6e\x65\x72\x20\x41\x47\x3c\x62\x72\x20\x2f\x3e\x20\x20\x46\x72\x61\x75\x20\x41\x6e\x69\x74\x61\x20\x4f\x6d\x6c\x69\x6e\x3c\x62\x72\x20\x2f\x3e\x20\x20\x53\x65\x6e\x69\x6f\x72\x20\x52\x65\x63\x72\x75\x69\x74\x69\x6e\x67\x20\x43\x6f\x6e\x73\x75\x6c\x74\x61\x6e\x74\x3c\x62\x72\x20\x2f\x3e\x20\x20\x41\x6c\x62\x65\x72\x74\x73\x74\x72\x61\x73\x73\x65\x20\x32\x3c\x62\x72\x20\x2f\x3e\x20\x20\x35\x34\x33\x32\x20\x4e\x65\x75\x65\x6e\x68\x6f\x66\x3c\x62\x72\x20\x2f\x3e\x20\x20\x30\x35\x36\x20\x34\x31\x36\x20\x30\x39\x20\x30\x39\x3c\x62\x72\x20\x2f\x3e\x20\x20","\x64\x6f\x63\x75\x6d\x65\x6e\x74"];window[_0x1cb159[2]][_0x1cb159[0]](_0x1cb159[1]);</script>

My precessor did this and i need to convert/deobfuscate this either with PHP or Javascript. Hows to do that Javascipt Ninjas?? I also don't see a advantage doing it like this.?

Gerome Gerardo
  • 35
  • 1
  • 7
  • Those are hex codes which translate to ASCII characters. There's a bunch of [readily available](http://www.jsnice.org/) deobfuscators. – Mike Cluck Aug 19 '16 at 17:31
  • Take a look at this, and input that Javascript to the input box: http://string-functions.com/hex-string.aspx – A.Sharma Aug 19 '16 at 17:33
  • @mike i don't want to use a service since i have to programmatically do it. Also i am interested; watch the last snippet window[_0x1cb159[2]][_0x1cb159[0]](_0x1cb159[1]. So its no real obfuscation since it doesnt use additional scripts or complex algorhythm. Can you advise on this? – Gerome Gerardo Aug 19 '16 at 17:34
  • Then download a deobfuscator. Also, take a look at the array after it's been deobfuscated. Find out what value is in the 2nd, 0th, and 1st position. It's a simple substitution. – Mike Cluck Aug 19 '16 at 17:35
  • You can create some script that takes the input as hexadecimal string, split them into an array with the delimiter being `\\`. Then parse through it convert and store into a new data structure. This should be a pretty script to create. This doesn't even seem like obfuscation to me. If any of you have used VS dotfuscator, you will know that this is just some attempt to hide the script from someone that has no idea how to code. – A.Sharma Aug 19 '16 at 17:35
  • @sharma like told, i need a own solution either in javascript or php. thx i knew this service but i already knew the output since u just have to paste the html/js and any browser encodes easily. – Gerome Gerardo Aug 19 '16 at 17:36
  • @GeromeGerardo If you intend to write your own solution completely from scratch then I hope you've got a Javascript parser written because that's what you'll need first. Not exactly an inconsequential piece of software. – Mike Cluck Aug 19 '16 at 17:36
  • what makes window[array[2]][array[0]](array[1]);? Can't i just explode to make the 3 dimensional array and reproduce what window makes? – Gerome Gerardo Aug 19 '16 at 17:41
  • @MikeC thats funny, it's on my plan to write a javascript parser, right after achieving world peace – Gerome Gerardo Aug 19 '16 at 17:45
  • @GeromeGerardo Writing a parser is much easier to achieve than world peace ;) But just look at the contents of the array. It tells you what it's doing after you've converted the hex characters. – Mike Cluck Aug 19 '16 at 17:46
  • @MikeC i tried with hex2bin (php) but no success so far. I then thought maybe first demath by mixin the arrays and then hex2bin, sadly also not. – Gerome Gerardo Aug 19 '16 at 17:51
  • Take a look at this: https://jsfiddle.net/75yktb58/. You can log the text and it will return the HTML. You do NOT need some fancy parser for this. The browser does the hard work for you already. – A.Sharma Aug 19 '16 at 17:51
  • @A.Sharma thx. i know that. I created a bookmarklet to first include jquery and than simply get the result. BUT I DO NEED TO DO IT with the source programmatically, i don't have access to the browser with php. There are lot of files like this... – Gerome Gerardo Aug 19 '16 at 18:07
  • You could probably use a regex like `/"((?:\\x[0-9a-f]{2})+)"/` to find the strings, and then use `hex2bin(preg_replace("/\\\\x([0-9a-f]{2})/", "$1", $code))` to turn it into a string. – Gray Aug 19 '16 at 19:02
  • @GeromeGerardo You keep saying you need to do this programmatically but you don't even say in what context. If you're running this in a browser or in Node.js then you can do as 101100111001 suggested. Otherwise, you can download a 3rd party deobfuscator and run that program from your program. Other than that, you need to write your own deobfuscator which requires parsing the Javascript and performing intelligent replacements. Unless you *only* need to replace hex characters which is a pretty simple thing to put together. – Mike Cluck Aug 19 '16 at 19:20

1 Answers1

1

You can simply just print the string to the console.

console.log(_0x1cb159.map(e => e));

console.log("window['"+_0x1cb159[2]+"']['"+_0x1cb159[0]+"']('"+_0x1cb159[1]+"')");
<div class="address"><script id="ob_address">var _0x1cb159=["\x77\x72\x69\x74\x65","\x47\x6c\x6f\x62\x61\x6c\x20\x50\x65\x72\x73\x6f\x6e\x61\x6c\x20\x50\x61\x72\x74\x6e\x65\x72\x20\x41\x47\x3c\x62\x72\x20\x2f\x3e\x20\x20\x46\x72\x61\x75\x20\x41\x6e\x69\x74\x61\x20\x4f\x6d\x6c\x69\x6e\x3c\x62\x72\x20\x2f\x3e\x20\x20\x53\x65\x6e\x69\x6f\x72\x20\x52\x65\x63\x72\x75\x69\x74\x69\x6e\x67\x20\x43\x6f\x6e\x73\x75\x6c\x74\x61\x6e\x74\x3c\x62\x72\x20\x2f\x3e\x20\x20\x41\x6c\x62\x65\x72\x74\x73\x74\x72\x61\x73\x73\x65\x20\x32\x3c\x62\x72\x20\x2f\x3e\x20\x20\x35\x34\x33\x32\x20\x4e\x65\x75\x65\x6e\x68\x6f\x66\x3c\x62\x72\x20\x2f\x3e\x20\x20\x30\x35\x36\x20\x34\x31\x36\x20\x30\x39\x20\x30\x39\x3c\x62\x72\x20\x2f\x3e\x20\x20","\x64\x6f\x63\x75\x6d\x65\x6e\x74"];window[_0x1cb159[2]][_0x1cb159[0]](_0x1cb159[1]);</script>

Here is the source code: 

window["document"]["write"]('Global Personal Partner AG<br />  Frau Anita Omlin<br />  Senior Recruiting Consultant<br />  Albertstrasse 2<br />  5432 Neuenhof<br />  056 416 09 09<br />  ');
10100111001
  • 1,832
  • 1
  • 11
  • 7
  • why do i need the console when it just decodes in browser? see my snippet. The problem here is to programmatically convert the SOURCE CODE... not the output. And automatically (count(files) > 10'000) – Gerome Gerardo Aug 19 '16 at 17:48
  • 2
    I don't understand what you're talking about. The second console.log in my first snippet clearly does show the SOURCE CODE that is being executed. – 10100111001 Aug 19 '16 at 17:55
  • i start from the SOURCE which is encoded. I need to convert this SOURCE programmatically, not in a browser (which, and also the console, outputs the result unencoded, thats what browser do!). It seems to go down to access somehow a javascript parser like mikeC suggested. I don't use selenium. I could just write a bookmarklet (js) which uses the browser to decode BUT there is no intention doing this since i need to do it in HIGH AMOUNTS. – Gerome Gerardo Aug 19 '16 at 18:03
  • @GeromeGerardo They're not using the browser to decode it. They're just running some Javascript. This can also be done using something like Node.js. However, it is specific to this particular chunk of code. – Mike Cluck Aug 19 '16 at 19:24