1

I used this tool http://code.google.com/p/cremebrulee/ to make obfuscated code more readable and the output is looking quite nonsensical

function ____(_O0){eval(unescape(_O0))} var l2=window.opera?1:0;function l3(l4){l5=/zc/g;l6=String.fromCharCode(0);l4=l4.replace(l5,l6);var l7=new Array(),l8=_1=l4.length,l9,lI,il=16256,_1=0,I=0,li='';do{l9=l4.charCodeAt(_1);lI=l4.charCodeAt(++_1);l7[I++]=lI+il-(l9<<7)}while(_1++<l8);var l1=new Array(),l0=new Array(),Il=128;do{l0[Il]=String.fromCharCode(Il)}while(--Il);Il=128;l1[0]=li=l0[l7[0]];ll=l7[0];_l=1;var l_=l7.length-1;while(_l<l_){switch(l7[_l]<Il?1:0){case 0 :l0[Il]=l0[ll]+String(l0[ll]).substr(0,1);l1[_l]=l0[Il];if(l2){li+=l0[Il]};break;default:l1[_l]=l0[l7[_l]];if(l2){li+=l0[l7[_l]]};l0[Il]=l0[ll]+String(l0[l7[_l]]).substr(0,1);break};Il++;ll=l7[_l];_l++};if(!l2){return(l1.join(''))}else{return li}};var lO='';for(ii=0;ii<OO0O.length;ii++){lO+=l3(OO0O[ii])};if(naa){document.write('<scr'+'ipt>'+lO+'</sc'+'ript>')};

What might be the next step to do with this code?

update: this is the original code http://pastebin.com/qG4DX7qy

Improve this question
5
  • 3
    I guess it doesn't quite deobfuscate as well as you'd hoped... Commented Jan 29, 2013 at 1:13
  • Yeah, you should just go line by line, or try to find the obfuscated code wherever you found the obfuscated code. Commented Jan 29, 2013 at 1:14
  • 1
    Best you can do is this: pastebin.com/qZuewnUu and then try to go line by line and see what it does.. Commented Jan 29, 2013 at 1:14
  • 2
    jsbeautifier.org Commented Jan 29, 2013 at 1:16
  • @ Lee Taylor - seems you're right Commented Jan 29, 2013 at 1:22

2 Answers 2

Reset to default
2

This is how it looks like after processing by the jsbeautifier:

function ____(_O0) {
    eval(unescape(_O0))
}
var l2 = window.opera ? 1 : 0;

function l3(l4) {
    l5 = /zc/g;
    l6 = String.fromCharCode(0);
    l4 = l4.replace(l5, l6);
    var l7 = new Array(),
        l8 = _1 = l4.length,
        l9, lI, il = 16256,
        _1 = 0,
        I = 0,
        li = '';
    do {
        l9 = l4.charCodeAt(_1);
        lI = l4.charCodeAt(++_1);
        l7[I++] = lI + il - (l9 << 7)
    } while (_1++ < l8);
    var l1 = new Array(),
        l0 = new Array(),
        Il = 128;
    do {
        l0[Il] = String.fromCharCode(Il)
    } while (--Il);
    Il = 128;
    l1[0] = li = l0[l7[0]];
    ll = l7[0];
    _l = 1;
    var l_ = l7.length - 1;
    while (_l < l_) {
        switch (l7[_l] < Il ? 1 : 0) {
            case 0:
                l0[Il] = l0[ll] + String(l0[ll]).substr(0, 1);
                l1[_l] = l0[Il];
                if (l2) {
                    li += l0[Il]
                };
                break;
            default:
                l1[_l] = l0[l7[_l]];
                if (l2) {
                    li += l0[l7[_l]]
                };
                l0[Il] = l0[ll] + String(l0[l7[_l]]).substr(0, 1);
                break
        };
        Il++;
        ll = l7[_l];
        _l++
    };
    if (!l2) {
        return (l1.join(''))
    } else {
        return li
    }
};
var lO = '';
for (ii = 0; ii < OO0O.length; ii++) {
    lO += l3(OO0O[ii])
};
if (naa) {
    document.write('<scr' + 'ipt>' + lO + '</sc' + 'ript>')
};

The next step would be to go through every variable and function and give them better names (left as an exercise for the reader).

Of course this code is not complete - eg. some functions never get called, some arrays are never populated etc.

What this code does is put every element of the OO0O array through the l3() function (that decrypt the text that was encrypted using some naive home-brew encryption algorithm), joins them together and evaluates it all by putting <script>result</script> into the DOM using document.write. Since the OO0O array is not defined in the code you quoted we can't know anything what it does, because the actual (encrypted) code is in the OO0O array.

Actually you don't really need to know how the encryption algorithm works at all since all you need to do is step through this code with a debugger and examine the l0 variable just before the call to document.write - and there you will have all of the actual code in a plain unencrypted form just before it is evaluated.

You can even put:

document.write = console.log;

just before that script is called and see all of the code printed to your console instead of being evaluated. I did it with the code that you posted in the pastebin in the update to your question and there is so many "undefined" strings in it that I think it's broken or incomplete or something went wrong with the charset encoding.

Where did you get it from, anyway?

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

document.write('<scr' + 'ipt>'...) Uh oh..I smell something funky going on with this code.
Don't worry, OO0O is undefined.
@Casper Actually the document.write('<scr' + 'ipt>' + lO + '</sc' + 'ript>') is equivalent to eval(lO) (but maybe run after other things in this script are called - here there are no other things). You have to break the </script> string in two parts because otherwise the HTML parser would think that your script ends here. I don't know why the first <script> is broken too - if the intent of putting script tags into the DOM was a secret then I think it would be hidden better - because now it is pretty much the only obvious thing in the original obfuscated code.
0

You can prettify your code:

http://jsbeautifier.org/

But then you're on your own really. Any sense of legibility, variable/function names, etc. are lost forever. The only way around this is to get the original source.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.