

Decoding JS using aes.js/CryptoJSAesJson filter_list
Decoding JS using aes.js/CryptoJSAesJson #1
Is there anyone on here who is able to decode some JS code I have into plain text? It seems to be obfuscated using cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/aes.js and is using CryptoJSAesJson.

An example of the code that's basically the same is : https://malwaredecoder.com/result/146649...855b00f705

Just looking to understand what the JS code is doing.


RE: Decoding JS using aes.js/CryptoJSAesJson #2
I managed to decode the file into readable code using a couple of online tools and a lot of trial and error on my part, and I also stripped out the parts of the code that I don't need.

Code:
<?php

// Harness: echoes the deobfuscated script into a page. The first script tag
// loads crypto-js 3.1.2 (the aes.js rollup) from a CDN with no integrity
// attribute; the inline script that follows holds the decoded logic.
// NOTE(review): the JavaScript inside this single-quoted PHP string contains
// unescaped single quotes, so PHP will not parse the file as posted. A nowdoc
// would carry the script through unchanged.

// Encoded argument kept for reference; the same value is passed to
// statscounter() by the last echo in this file.
//$code = 'b08b4ef4d042d4d7dd3746831514d1e00aedc630cf6855a9eFcjMIbcAxxtGmK0OYWCoAOyiOxfak2a0v2GUyVPibM=';

echo '<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/aes.js"></script><script>'use strict';
// String table that appears to be left over from the obfuscated original.
// Nothing in the readable code below indexes it. It lists the property names
// and literals that the code below now spells out inline, including the AES
// passphrase that resolve() passes to CryptoJS.AES.decrypt.
var _0x4800 = [
  "enc",
  "ciphertext",
  "iv",
  "salt",
  "s",
  "stringify",
  "parse",
  "ct",
  "Base64",
  "create",
  "CipherParams",
  "lib",
  "Hex",
  '{"ct":"',
  "substr",
  '","iv":"',
  '","s":"',
  '"}',
  "2e35f242a46d67eeb74aabc37d5e5d05",
  "decrypt",
  "AES",
  "referrer",
  "document",
  "defineProperty"
];
// Formatter handed to CryptoJS through the "format" option. It converts a
// CipherParams object to and from a JSON string with three keys:
//   ct - ciphertext, Base64
//   iv - IV, written with its default toString() and read back as hex (optional)
//   s  - salt, written with its default toString() and read back as hex (optional)
var CryptoJSAesJson = {
  // CipherParams -> JSON text. iv and s are emitted only when they are set.
  stringify : function(cipherParams) {
    var json = {};
    json.ct = cipherParams.ciphertext.toString(CryptoJS.enc.Base64);
    if (cipherParams.iv) {
      json.iv = cipherParams.iv.toString();
    }
    if (cipherParams.salt) {
      json.s = cipherParams.salt.toString();
    }
    return JSON.stringify(json);
  },
  // JSON text -> CipherParams. The input is whatever string the caller hands
  // to CryptoJS; no field is validated before it is decoded.
  parse : function(file) {
    var fields = JSON.parse(file);
    var ciphertext = CryptoJS.enc.Base64.parse(fields.ct);
    var params = CryptoJS.lib.CipherParams.create({
      ciphertext : ciphertext
    });
    if (fields.iv) {
      params.iv = CryptoJS.enc.Hex.parse(fields.iv);
    }
    if (fields.s) {
      params.salt = CryptoJS.enc.Hex.parse(fields.s);
    }
    return params;
  }
};

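// Receives the real document.referrer from unique() and does nothing with it.
// The posted body was `delete options;`. Under the "use strict" directive at
// the top of this script that statement is a SyntaxError, which stops the whole
// script from parsing, so none of the functions here would be defined. Outside
// strict mode, delete on a parameter has no effect, so an empty body keeps the
// non-strict behaviour and lets the sample load for analysis.
// NOTE(review): the directive may have been added by the deobfuscation tool -
// confirm against the original obfuscated file.
var country = function(options) {
};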

// Decrypts one encoded argument and returns the parsed plaintext.
// Layout of dep, as sliced below:
//   chars 0-31  -> "iv" field (read as hex by CryptoJSAesJson.parse)
//   chars 32-47 -> "s" salt field (read as hex by CryptoJSAesJson.parse)
//   chars 48-   -> "ct" field (Base64 ciphertext)
// The passphrase is a constant shipped inside the script, so this layer only
// hides the value from casual reading; anyone holding the script can recover
// the plaintext.
// The decrypted text goes through JSON.parse, so it has to be valid JSON or
// this function throws.
var resolve = function(dep) {
  var ivHex = dep.substr(0, 32);
  var saltHex = dep.substr(32, 16);
  var ctB64 = dep.substr(48);
  var envelope = ["{\"ct\":\"", ctB64, "\",\"iv\":\"", ivHex, "\",\"s\":\"", saltHex, "\"}"].join("");
  var plain = CryptoJS.AES.decrypt(envelope, "2e35f242a46d67eeb74aabc37d5e5d05", {
    format : CryptoJSAesJson
  });
  return JSON.parse(plain.toString(CryptoJS.enc.Utf8));
};

// Entry point called by the second inline script. Despite the name, nothing
// here counts anything: it decrypts the encoded argument with resolve() and
// passes the result to region(), which installs it as the referrer of the
// current window.
var statscounter = function(deps) {
  var decoded = resolve(deps);
  region(decoded, window);
};

// Reads the current referrer of the window object it is given and passes it to
// country(). region() calls this before it replaces the referrer getter.
var unique = function(options) {
  var currentReferrer = options.document.referrer;
  country(currentReferrer);
};

// Core of the sample: replaces the referrer getter so that later reads of
// document.referrer return name (the decrypted value) instead of the real
// referrer. The getter is installed twice: with the legacy __defineGetter__ on
// node.document, and with Object.defineProperty on the global document.
// For triage: both calls define "referrer" directly on the document object, so
// Object.getOwnPropertyDescriptor(document, "referrer") returns a descriptor
// after this has run. Only script-side reads are affected; nothing here
// touches the Referer header the browser sends.
var region = function(name, node) {
  var spoofedReferrer = function() {
    return name;
  };
  unique(node);
  node.document.__defineGetter__("referrer", spoofedReferrer);
  Object.defineProperty(document, "referrer", {
    get : spoofedReferrer
  });
};
</script>';
// Emits a second inline script that calls statscounter() with the encoded
// value, so the referrer override happens when the browser runs that script.
echo "<script>statscounter('b08b4ef4d042d4d7dd3746831514d1e00aedc630cf6855a9eFcjMIbcAxxtGmK0OYWCoAOyiOxfak2a0v2GUyVPibM=');</script>";
?>

My JS is poor, so I have a limited understanding of how this code works, but I'm pretty sure it's decoding the string "b08b4ef4d042d4d7dd3746831514d1e00aedc630cf6855a9eFcjMIbcAxxtGmK0OYWCoAOyiOxfak2a0v2GUyVPibM=" using CryptoJS.

If anyone is able to help me decode this string, that would be awesome. I'm not even sure it's possible, but hopefully one of you clever lot can help.
(This post was last modified: 08-13-2019, 09:36 AM by tedownyiskinm.)







