26
Feb
2012

CODEGATE 2012 – Misc-4

The file contains a zipped copy of a saved website. Browsing through its files, we noticed some suspicious-looking JavaScript:

// Packed loader: an anonymous function is called immediately with
//   p = the packed source text, in which identifiers and escape fragments are replaced by numbers,
//   a = 10, c = 39 (the word list below has 39 entries),
//   k = the word list, produced by splitting the '|'-separated string,
//   e = 0 and d = {} (both are reassigned or used as scratch inside the function).
// The function returns p after substitution and the outer eval() executes that string,
// so the readable code never appears in the saved page itself.
//
// NOTE(review): as printed, `d = k || c`, `if (k)` and the replacement argument `k` use the
// word list unindexed, so the final replace() would receive the array itself rather than one
// word per token. The listing has probably lost `[c]` subscripts when it was published
// (i.e. `d[c] = k[c] || c`, `if (k[c])`, `..., k[c])`) - confirm against the original file.
eval(function (p, a, c, k, e, d) {
    // Default token encoder: returns the index unchanged.
    e = function (c) {
        return c
    };
    // Taken when String.prototype.replace does not treat `String` here as producing text,
    // i.e. when ''.replace(/^/, String) evaluates to the empty string.
    if (!''.replace(/^/, String)) {
        while (c--) {
            d = k || c
        }
        // From here on k holds a single callback that looks a matched token up in d,
        // e yields a generic word pattern, and c = 1 makes the loop below run once.
        k = [function (e) {
            return d[e]
        }];
        e = function () {
            return '\\w+'
        };
        c = 1
    };
    // Substitution pass: whole-word matches (\b...\b) in p are replaced using k.
    while (c--) {
        if (k) {
            p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k)
        }
    }
    // The unpacked source text; this is the value handed to eval().
    return p
}('12 7=["\\10\\8\\26\\21\\16\\25\\8","","\\21\\8\\20\\14\\22\\24","\\23\\27\\30\\23\\22\\10\\29\\20\\14","\\31\\10\\17\\28\\18\\24\\16\\10\\18\\17\\35\\8"];32 37(5){5=5[7[0]](/ /15,1);5=5[7[0]](/\\38/15,0);12 13=5;5=7[1];19(6=0;6<13[7[2]];6++){5=13[7[3]](6,6+1)+5};12 11=7[1];19(6=0;6<5[7[2]];6+=9){11+=36[7[4]](33(5[7[3]](6,6+9),2))};34(11)};', 10, 39, '|||||_0x272dx2|i|_0xfd3a|x65||x72|_0x272dx4|var|_0x272dx3|x67|g|x61|x6F|x43|for|x6E|x6C|x74|x73|x68|x63|x70|x75|x6D|x69|x62|x66|function|parseInt|eval|x64|String|c|t'.split('|'), 0, {}))

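Putting this into a new HTML file with only script tags around it, and replacing eval with document.write, yields the first layer of deobfuscated JavaScript. Note that document.write still renders any markup the decoded text contains, so this is best done in a throwaway browser profile or VM; printing the string with console.log avoids rendering it at all.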

// String table used to hide property names. The \xNN escapes decode to:
//   [0] "replace", [1] "" (empty string), [2] "length", [3] "substring", [4] "fromCharCode"
var _0xfd3a = ["\x72\x65\x70\x6C\x61\x63\x65", "", "\x6C\x65\x6E\x67\x74\x68", "\x73\x75\x62\x73\x74\x72\x69\x6E\x67", "\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65"];

/**
 * Decodes a whitespace-encoded payload and executes it.
 *
 * Steps, as written below: every space becomes "1" and every tab becomes "0",
 * the resulting string is reversed, it is cut into 9-character groups, each group
 * is parsed as a base-2 number and turned into a character, and the assembled
 * text is passed to eval().
 *
 * The call site and the whitespace string it passes are not shown on this page.
 *
 * @param {string} _0x272dx2 - text made of spaces and tabs (presumably; see above)
 */
function c(_0x272dx2) {
    // .replace(/ /g, 1) and .replace(/\t/g, 0): the numeric replacements are coerced to "1" and "0".
    _0x272dx2 = _0x272dx2[_0xfd3a[0]](/ /g, 1);
    _0x272dx2 = _0x272dx2[_0xfd3a[0]](/\t/g, 0);
    var _0x272dx3 = _0x272dx2;
    _0x272dx2 = _0xfd3a[1];
    // Reverse the bit string by prepending one character at a time.
    // `i` is never declared, so this assigns to a global (and throws in strict mode).
    for (i = 0; i < _0x272dx3[_0xfd3a[2]]; i++) {
        _0x272dx2 = _0x272dx3[_0xfd3a[3]](i, i + 1) + _0x272dx2
    };
    var _0x272dx4 = _0xfd3a[1];
    // String.fromCharCode(parseInt(<9 bits>, 2)) for each 9-character slice.
    for (i = 0; i < _0x272dx2[_0xfd3a[2]]; i += 9) {
        _0x272dx4 += String[_0xfd3a[4]](parseInt(_0x272dx2[_0xfd3a[3]](i, i + 9), 2))
    };
    // Direct eval: the decoded text runs with access to this function's locals.
    // When analysing the sample, inspect _0x272dx4 here instead of executing it.
    eval(_0x272dx4)
};

Replacing eval with document.write again, now yields:

// Second decoded layer, tidied for reading; it defines the same globals with the same values.
// 1330268400000 ms after the epoch is 2012-02-26T15:00:00Z, so before that moment
// nothing below runs and authkey stays undefined.
if (Date.now() > 1330268400000) {
    // Decoy variables: assigned '1' and never read in this snippet.
    var dummya = '1',
        dummyb = '1',
        dummyv = '1',
        dummyc = '1',
        dummys = '1',
        dummyae = '1',
        dummyasefa = '1',
        dummeya = '1',
        dum3mya = '1',
        dumm54ya = '1',
        dumm3ya = '1',
        dum1mya = '1';

    // Padded, percent-encoded key: T, P and Y are filler, K stands in for '%'.
    var p = 'YTK4YPT1YK48PTK48TK34PTYK6TDKT5P2KT73TKPY4TBTK3TT4YKT4ETK4YTP7K4T6KT30TKYP7T2KYT33TKP7TY6KTYP33TKPY7PT2YT';
    var withoutFiller = p.split(/[TPY]/).join('');
    p = withoutFiller.split('K').join('%');

    // unescape() turns each %XX pair back into its character.
    var authkey = unescape(p);
}

Removing the date check and adding document.write(authkey) at the end writes the key to the page:
AHH4mRsK4NGF0r3v3r
