chevron_left chevron_right
Login Register invert_colors photo_library


Stay updated and chat with others! - Join the Discord!
Thread Rating:
  • 0 Vote(s) - 0 Average


Decoding JS using aes.js/CryptoJSAesJson filter_list
Author
Message
Decoding JS using aes.js/CryptoJSAesJson #1
Is there anyone on here that is able to decode some JS code i have into plain text that seems to be obfuscated using cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/aes.js and is using CryptoJSAesJson

An example of the code that's basically the same is : https://malwaredecoder.com/result/146649...855b00f705

Just looking to understand what the JS code is doing.

Reply

RE: Decoding JS using aes.js/CryptoJSAesJson #2
I managed to decode the file into readable code using a couple of online tools and a lot of trial and error on my part and also stripped parts of the code that i dont need.

Code:
<?php



//$code = 'b08b4ef4d042d4d7dd3746831514d1e00aedc630cf6855a9eFcjMIbcAxxtGmK0OYWCoAOyiOxfak2a0v2GUyVPibM=';

echo '<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/aes.js"></script><script>'use strict';
var _0x4800 = ["enc", "ciphertext", "iv", "salt", "s", "stringify", "parse", "ct", "Base64", "create", "CipherParams", "lib", "Hex", '{"ct":"', "substr", '","iv":"', '","s":"', '"}', "2e35f242a46d67eeb74aabc37d5e5d05", "decrypt", "AES", "referrer", "document", "defineProperty"];
var CryptoJSAesJson = {
  stringify : function(cipherParams) {
    var data = {
      ct : cipherParams.ciphertext.toString(CryptoJS.enc.Base64)
    };
    if (cipherParams.iv) {
      data.iv = cipherParams.iv.toString();
    }
    if (cipherParams.salt) {
      data.s = cipherParams.salt.toString();
    }
    return JSON.stringify(data);
  },
  parse : function(file) {
    var options = JSON.parse(file);
    var p = CryptoJS.lib.CipherParams.create({
      ciphertext : CryptoJS.enc.Base64.parse(options.ct)
    });
    if (options.iv) {
      p.iv = CryptoJS.enc.Hex.parse(options.iv);
    }
    if (options.s) {
      p.salt = CryptoJS.enc.Hex.parse(options.s);
    }
    return p;
  }
};

var country = function(options) {
  delete options;
};

var resolve = function(dep) {
  var signature = '{"ct":"' + dep.substr(48) + '","iv":"' + dep.substr(0, 32) + '","s":"' + dep.substr(32, 16) + '"}';
  return JSON.parse(CryptoJS.AES.decrypt(signature, "2e35f242a46d67eeb74aabc37d5e5d05", {
    format : CryptoJSAesJson
  }).toString(CryptoJS.enc.Utf8));
};

var statscounter = function(deps) {
  deps = resolve(deps);
  region(deps, window);
};

var unique = function(options) {
  country(options.document.referrer);
};

var region = function(name, node) {
  unique(node);
  node.document.__defineGetter__("referrer", function() {
    return name;
  });
  Object.defineProperty(document, "referrer", {
    get : function() {
      return name;
    }
  });
};
</script>';
echo "<script>statscounter('b08b4ef4d042d4d7dd3746831514d1e00aedc630cf6855a9eFcjMIbcAxxtGmK0OYWCoAOyiOxfak2a0v2GUyVPibM=');</script>";
?>

My JS is poor so i have limited understanding of how this code is working but im pretty sure its decoding the string "b08b4ef4d042d4d7dd3746831514d1e00aedc630cf6855a9eFcjMIbcAxxtGmK0OYWCoAOyiOxfak2a0v2GUyVPibM=" using CryptoJS.

If anyone is able to help me decode this string that would be awesome, not even sure its possible but hopefully one of you clever lot can help.
(This post was last modified: 08-13-2019, 09:36 AM by tedownyiskinm.)

Reply






Users browsing this thread: 1 Guest(s)