
I found this code in my website sourcecode:

// Obfuscated snippet as found in the page source, broken onto one statement per line.
// What the visible statements do: build three lookup arrays, create a counter object,
// and run a chain of self-returning function calls that only increments that counter
// modulo 12. Nothing in these statements reads or writes the DOM, cookies or storage,
// makes a request, or calls eval/Function; the only names used are Math and the four
// `var`s declared below.
// NOTE(review): this describes these statements only. How the snippet reached the page
// is not visible here; confirm its origin (template, plugin, third-party include).

// String table. The \x escapes are hex character codes that decode to:
//   [0] "_0x32lsj9"  [1] "_xlt"  [2] "_x8fkc3"  [3] "floor"  [4] "random"  [5] "length"
var _0xd28d=["\x5F\x30\x78\x33\x32\x6C\x73\x6A\x39","\x5F\x78\x6C\x74","\x5F\x78\x38\x66\x6B\x63\x33","\x66\x6C\x6F\x6F\x72","\x72\x61\x6E\x64\x6F\x6D","\x6C\x65\x6E\x67\x74\x68"];
// Resolves to ["_0x32lsj9", 12, "_xlt", "_x8fkc3", 2, 31, Math, "floor"].
var _0x9ae4=[_0xd28d[0],12,_0xd28d[1],_0xd28d[2],2,31,Math,_0xd28d[3]];
// Resolves to [31, "_0x32lsj9", "_xlt", "_x8fkc3", 4, "random"]; index 2 is _0x9ae4[_0x9ae4[4]] = _0x9ae4[2].
var _0xcd6e=[_0x9ae4[5],_0x9ae4[0],_0x9ae4[_0x9ae4[4]],_0x9ae4[3],4,_0xd28d[4]];
// State object; its "_xlt" property is the counter and starts at 0.
var _0xr6g0={};
_0xr6g0[_0xcd6e[2]]=0;
// Outer function of the call chain, stored under key 2 (_0x9ae4[4]).
_0xr6g0[_0x9ae4[4]]=function (){
  var _0x4c68x4={};
  // Property "_0x32lsj9" starts as the string "_0x32lsj9".
  _0x4c68x4[_0xd28d[0]]=_0x9ae4[0];
  // Append one randomly picked character of the string to itself,
  // index = Math.floor(Math.random() * length), until it is 31 characters long.
  do{
    _0x4c68x4[_0x9ae4[0]]+=_0x4c68x4[_0xd28d[0]][_0x9ae4[6][_0x9ae4[7]](_0x9ae4[6][_0xcd6e[5]]()*_0x4c68x4[_0xd28d[0]][_0xd28d[5]])];
  }while(_0x4c68x4[_0xd28d[0]][_0xd28d[5]]<_0xcd6e[0]);
  // The 31-character random string is used as the property name that holds the inner function.
  _0x4c68x4[_0x4c68x4[_0x9ae4[0]]]=function (){
    // counter = (counter + 1) % 12
    _0xr6g0[_0xcd6e[2]]++;
    _0xr6g0[_0xcd6e[2]]%=_0x9ae4[1];
    // Returns itself so that another () can follow.
    return _0x4c68x4[_0x4c68x4[_0x9ae4[0]]];
  };
  // The outer function hands back the inner one without touching the counter.
  return _0x4c68x4[_0x4c68x4[_0xcd6e[1]]];
};
// _0x9ae4[_0xcd6e[4]] is _0x9ae4[4], i.e. key 2. The first () runs the outer function;
// every following () runs the inner function it returned.
_0xr6g0[_0x9ae4[_0xcd6e[4]]]()()()()()()()()()()()()()()()();

I was wondering, what is it? And what does it do?


3 Answers 3


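By itself, the code does nothing useful or dangerous: it only increments a counter on its own object and never touches the DOM, the network, cookies or eval.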

After manually deobfuscating:

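// Hand-deobfuscated equivalent of the snippet: a counter plus a chain of
// self-returning calls. The names are declared with let/const so the listing also
// runs in strict mode and in ES modules, where assigning to an undeclared name throws.
let count = 0;

/**
 * Outer function of the chain. It does not change `count`.
 * @returns {Function} the self-returning incrementer `func_b`
 */
const func_a = function () {
  /**
   * Advances `count` by one, wrapping at 12.
   * @returns {Function} `func_b` itself, so that calls can be chained
   */
  const func_b = function () {
    count = (count + 1) % 12;
    return func_b;
  };
  return func_b;
};

// 16 call pairs: the first runs func_a, the other 15 run func_b,
// so count ends at 15 % 12 = 3.
func_a()()()()()()()()()()()()()()()();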

It looks more like a failed attempt to keep the browser busy, but it works well at making people curious.

UPDATE: fixed the deobfuscation.


2 Comments

Technically I think you need to leave the original string alone in the line var5[100] = "_0x32lsj9", since later on the code tests the length of that string.
"By itself, the code does nothing useful nor dangerous." - It is possible that this is an attempted exploit using a (hypothetical) bug in certain implementations of Javascript ...
3

The first 5 lines initialize variables. After decoding the \x escapes (they are plain hex character codes, not encryption) and resolving the indexes into the other arrays, we get:

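// Values of the lookup tables once the \x escapes are decoded and the
// cross-references between the arrays are resolved. One declaration per line,
// so the listing parses as JavaScript.
const _0xd28d = ['_0x32lsj9', '_xlt', '_x8fkc3', 'floor', 'random', 'length'];
// Built from _0xd28d plus literals; index 6 is the global Math object itself.
const _0x9ae4 = ['_0x32lsj9', 12, '_xlt', '_x8fkc3', 2, 31, Math, 'floor'];
// Index 2 comes from _0x9ae4[_0x9ae4[4]], i.e. _0x9ae4[2].
const _0xcd6e = [31, '_0x32lsj9', '_xlt', '_x8fkc3', 4, 'random'];
// Counter object: the '_xlt' property starts at 0.
const _0xr6g0 = {'_xlt': 0};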

Lines 6-18 create a function (after expanding the array indexing):

// The function stored under key 2 of _0xr6g0, with every array lookup replaced by its value.
_0xr6g0[2] = function() {
  var _0x4c68x4={};
  _0x4c68x4['_0x32lsj9'] = '_0x32lsj9';
  // Grow the string to 31 characters by appending randomly chosen characters of itself.
  do{
    _0x4c68x4['_0x32lsj9']+=_0x4c68x4['_0x32lsj9'][Math['floor'](Math['random']()*_0x4c68x4['_0x32lsj9']['length'])];
  } while(_0x4c68x4['_0x32lsj9']['length'] < 31);
  // The 31-character string is used as the property name that holds the inner function.
  _0x4c68x4[_0x4c68x4['_0x32lsj9']] = function (){
    // counter = (counter + 1) % 12, then return this same function.
    _0xr6g0['_xlt']++;
    _0xr6g0['_xlt'] %= 12;
    return _0x4c68x4[_0x4c68x4['_0x32lsj9']];
  };
  // The outer function returns the inner one without changing the counter.
  return _0x4c68x4[_0x4c68x4['_0x32lsj9']];
};

Javascript allows a['b'] as an alternate syntax for a.b, so this is equivalent to:

 // Same function with bracket lookups on string literals rewritten as dot access.
 _0xr6g0[2] = function() {
   var _0x4c68x4 = {'_0x32lsj9': '_0x32lsj9'};
   // Grow the string to 31 characters by appending randomly chosen characters of itself.
   do{
     _0x4c68x4._0x32lsj9 += _0x4c68x4._0x32lsj9[Math.floor(Math.random()*_0x4c68x4._0x32lsj9.length)];
   } while(_0x4c68x4._0x32lsj9.length < 31);
   // This lookup stays in bracket form because the key is the runtime value of the string, not a literal.
   _0x4c68x4[_0x4c68x4._0x32lsj9] = function (){
     // counter = (counter + 1) % 12, then return this same function.
     _0xr6g0._xlt++;
     _0xr6g0._xlt %= 12;
     return _0x4c68x4[_0x4c68x4._0x32lsj9];
   };
   // The outer function returns the inner one without changing the counter.
   return _0x4c68x4[_0x4c68x4._0x32lsj9];
 };

The inner function has a randomly-generated 31-character name that doesn't matter, so it can be simplified to:

// Simplified form: the random property name is replaced by a plain local function f.
_0xr6g0[2] = function() {
  // f advances the counter by one modulo 12 and returns itself, so calls can be chained.
  function f() {
    _0xr6g0._xlt++;
    _0xr6g0._xlt %= 12;
    return f;
  };
  // Calling _0xr6g0[2] only hands back f; it does not change the counter.
  return f;
};

The last line is a chain of 16 calls that starts at _0xr6g0[2], and this is an obfuscated way of writing

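// The final statement has 16 call pairs, but the first one runs the outer function,
// which does not touch the counter. The remaining 15 run the incrementer,
// so the counter ends at 15 % 12 = 3.
_0xr6g0._xlt = 3;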

Comments

0

The hex in this code is creating a string with the text "_0x32lsj9_xlt_x8fkc3floorrandomlength"

The rest is parsing that to run some sort of javascript.
