+- Sinisterly (https://sinister.ly)
+-- Forum: Coding (https://sinister.ly/Forum-Coding)
+--- Forum: Java, JVM, & JRE (https://sinister.ly/Forum-Java-JVM-JRE)
+--- Thread: Decoding JS using aes.js/CryptoJSAesJson (/Thread-Decoding-JS-using-aes-js-CryptoJSAesJson)
Decoding JS using aes.js/CryptoJSAesJson - tedownyiskinm - 08-12-2019
Is there anyone on here that is able to decode some JS code i have into plain text that seems to be obfuscated using cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/aes.js and is using CryptoJSAesJson
An example of the code that's basically the same is : https://malwaredecoder.com/result/146649c8a2022ebf8b61e3855b00f705
Just looking to understand what the JS code is doing.
RE: Decoding JS using aes.js/CryptoJSAesJson - tedownyiskinm - 08-13-2019
I managed to decode the file into readable code using a couple of online tools and a lot of trial and error on my part and also stripped parts of the code that i dont need.
Code:
<?php
//$code = 'b08b4ef4d042d4d7dd3746831514d1e00aedc630cf6855a9eFcjMIbcAxxtGmK0OYWCoAOyiOxfak2a0v2GUyVPibM=';
echo '<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/aes.js"></script><script>'use strict';
var _0x4800 = ["enc", "ciphertext", "iv", "salt", "s", "stringify", "parse", "ct", "Base64", "create", "CipherParams", "lib", "Hex", '{"ct":"', "substr", '","iv":"', '","s":"', '"}', "2e35f242a46d67eeb74aabc37d5e5d05", "decrypt", "AES", "referrer", "document", "defineProperty"];
var CryptoJSAesJson = {
stringify : function(cipherParams) {
var data = {
ct : cipherParams.ciphertext.toString(CryptoJS.enc.Base64)
};
if (cipherParams.iv) {
data.iv = cipherParams.iv.toString();
}
if (cipherParams.salt) {
data.s = cipherParams.salt.toString();
}
return JSON.stringify(data);
},
parse : function(file) {
var options = JSON.parse(file);
var p = CryptoJS.lib.CipherParams.create({
ciphertext : CryptoJS.enc.Base64.parse(options.ct)
});
if (options.iv) {
p.iv = CryptoJS.enc.Hex.parse(options.iv);
}
if (options.s) {
p.salt = CryptoJS.enc.Hex.parse(options.s);
}
return p;
}
};
var country = function(options) {
delete options;
};
var resolve = function(dep) {
var signature = '{"ct":"' + dep.substr(48) + '","iv":"' + dep.substr(0, 32) + '","s":"' + dep.substr(32, 16) + '"}';
return JSON.parse(CryptoJS.AES.decrypt(signature, "2e35f242a46d67eeb74aabc37d5e5d05", {
format : CryptoJSAesJson
}).toString(CryptoJS.enc.Utf8));
};
var statscounter = function(deps) {
deps = resolve(deps);
region(deps, window);
};
var unique = function(options) {
country(options.document.referrer);
};
var region = function(name, node) {
unique(node);
node.document.__defineGetter__("referrer", function() {
return name;
});
Object.defineProperty(document, "referrer", {
get : function() {
return name;
}
});
};
</script>';
echo "<script>statscounter('b08b4ef4d042d4d7dd3746831514d1e00aedc630cf6855a9eFcjMIbcAxxtGmK0OYWCoAOyiOxfak2a0v2GUyVPibM=');</script>";
?>My JS is poor so i have limited understanding of how this code is working but im pretty sure its decoding the string "b08b4ef4d042d4d7dd3746831514d1e00aedc630cf6855a9eFcjMIbcAxxtGmK0OYWCoAOyiOxfak2a0v2GUyVPibM=" using CryptoJS.
If anyone is able to help me decode this string that would be awesome, not even sure its possible but hopefully one of you clever lot can help.