-
August 16th, 2004, 11:34 AM
#1
Decoding Jscript.encode?
I'm seeing alot of spam these days with an encoded jscript attached to it. I'd like to decode it to see what it does.
Expample:
Code:
<script language="JScript.Encode">#@~^hQAAAA==~@#@&[Km!:+ YcADbYn`E@!(o"bHA~?"Z'r4OYa)Jz+!+ O, FF+R8*f&^kxV 4YhVr~qq9:C{!P_2&!C:'TPwI)\AAr"92"'!,j/I}SdqHMxE WE@*@!&qwI)\A@*BbI@#@&AyIAAA==^#~@</script>
I've tried Windows Script Decoder but it doesn't seem to work.
Anybody know of other tools that are able to decode it?
Oliver's Law:
Experience is something you don't get until just after you need it.
-
August 17th, 2004, 03:41 AM
#2
Senior Member
This may be of some help but ill be keeping an eye out for some type of decoder that may work.
http://asimov.fateback.com/library/script.html
Ben Franklin said it best. \"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.\"
-
August 17th, 2004, 06:41 AM
#3
Checkout: http://www.virtualconspiracy.com/ind...e=scrdec/intro
Download: http://www.virtualconspiracy.com/ind...crdec/download
Personally, I've never run into JScript.Encode. I don't like the M$ version of JavaScript / VB. Good luck decoding it, and please post back here.
-
August 17th, 2004, 11:57 AM
#4
Both your links point to the same Windows Script Decoder I've tried before. Thanx anyway
Two things:
a) the Jscript.encode piece of code may be corrupt.
b) the Windows Script Decoder may be faulty.
To eliminate one or the other I would like to use a different tool to see what happens.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
August 17th, 2004, 05:13 PM
#5
\"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier
-
August 17th, 2004, 06:27 PM
#6
i tried to compile this for everyone, it sound like a handy thing to have, but not being a programmer by trade i got
"Error VBS_DEC.PAS 1 7: Must be first token on a line"
tell me how to correct this and ill post the file
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
August 17th, 2004, 08:13 PM
#7
SirDice, the code in your example appears to be corrupt. I was unable to decrypt it properly with the pascal prog but was able to use it to decrypt other pieces of encoded JScript (I choose a random string from http://62.131.86.111/analysis.htm)
The attached file is the previous Pascal program compiled for linux(x86)
-Maestr0
\"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier
-
August 17th, 2004, 08:58 PM
#8
Assuming that the code runs in the browser properly, without errors, can you simply use the script debugger to see it?
If not, perhaps it's possible to attach a debugger to the browser when the decoded code is in memory and read it out of ram?
Perhaps it's some sort of compiled format, in which case a decompiler would be in order. However in my experience these things are not usually very complex, would just be a simple code.
Slarty
-
August 17th, 2004, 10:48 PM
#9
Well, I am pretty sure that we can't copy/paste the encoded stuff from the quote/code tags because they could be binary, and the board itself is text. Binary into text = corrupted binary data.
SirDice, could you save the message and post it here? You can't copy/paste it because that might corrupt it. We need the original message as an attachment. If you know how (it isn't possible via webmail I think). Otherwise PM me and I'll give you my e-mail so you can forward it to me, and I'll try to attach it here. Good luck, and I didn't realizse my linkage was stuff you tried already.
Edit:
Acturally, Windows Script Encoder *might* have included the rest of the document in making a checksum? I don't know. But attach the message here and we can look at it. Removing the e-mail headers shouldn't hurt.
-
August 18th, 2004, 01:47 PM
#10
Tim: AFAIK the encoding function encodes to ASCII (minus some HTML specific characters) code. It should be regular ASCII as you can embed it in a regular HTML file, just like any other piece of Jscript/Javascript. There should be no problem in copy 'n pasting.
I will check I didn't skip any non-ascii, just to make sure
I was kind of expecting the encoded bit to be currupt. I've seen the exact same spam message with and without the embedded and encoded jscript.
Thanx for all the help guys
For those that just cannot get enough No need to trace it. I know how it works, the received: header with MAIL.OUR.DOMAIN is the only one I trust as it's created by our servers, all the others are fake.
Received: from x.x.x.x (unverified [202.133.196.38]) by MAIL.OUR.DOMAIN
(Content Technologies SMTPRS 4.3.12) with SMTP id <T6b735a0e270a64781971c@MAIL.OUR.DOMAIN>;
Mon, 16 Aug 2004 09:33:02 +0200
X-Message-Info: 828Q3gpJOcc3txqETANQ824Ogab7QWw835e887HhNIp40
Received: from dns17domain.com.tw ([233.40.144.231]) by kqq2-Y6.domain.com.tw with Microsoft SMTPSVC(5.0.2195.6824);
Mon, 16 Aug 2004 09:29:52 +0100
Received: from domain.com.tw [127.0.0.1] by dnsdomain.com.tw
(SMTPD32-7.12 ) id BL9VCN1; Mon, 16 Aug 2004 14:28:52 +0600
Subject: tentative meeting on the 11th
From: Colleen Villarreal
To: some.guy@our.domain
Message-Id: <797997004233.u904474@domain.com.tw>
Content-Type: multipart/alternative;
boundary="--53139806245108445480"
----53139806245108445480
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
Hi
diana told me that marry gets married. isn't that lovely?
when are you bringing mike home to show?
love , mom
blaspheme blusterybombast paleolithic goldsteinniobe
validate illsec disciplinary sandgilligan
foreign monocularmountainous alterman cowmengrid
abelson convivialhideout splurge bizetabduct
dichloride thunderflowerequipping longish permalloyhydroelectric
afferent trashmessage well californiumcurious
matrimony schuylerpaz straddle inexcusableguile
raj kowalskidispersible erie reameuphorbia
guy domainatop defrock contraceptivesprig
control drummondinattention molybdate clockwisedegumming
mart stepwisedustbin cranston wilmingtonhydrophobia
credulous cryptanalyticcorpse notoriety titillateconciliate
buxom ratasproul disparate kendallfibonacci
malady iketorrid feverish parkinsonilona
bless almagestlayton extempore levibureaucratic
delve seedbedmad firewall greenbriarminesweeper
illusive incorrectdelhi racetrack donnellywouldn't
westminster reconditedeputation twill wattswhimper
burgher belvederedeltoid beam bratwurstepstein
<script language=3D"JScript.Encode">#@~^hQAAAA=3D=3D~@#@&[Km!:+ YcADbYn`E@=
!(o"bHA~?"Z'r4OYa)Jz+!+ O, FF+R8*f&^kxV 4YhVr~qq9:C{!P_2&!C:'TPwI)\AAr"92"=
'!,j/I}SdqHMxE WE@*@!&qwI)\A@*BbI@#@&AyIAAA=3D=3D^#~@</script>
----53139806245108445480--
Oliver's Law:
Experience is something you don't get until just after you need it.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|