I came across this code in a .js file. What is this code ??
I have downloaded that file onto my localhost webserver.Keeping this code in the .js file redirects me to google.com and when i am commenting this code the page runs perfectly !!
I can understand that this is done to enforce that the page is to be executed from a server link only !!!
How can i decode this js ???
[]['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72']['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72'](self['\x75\x6e\x65\x73\x63\x61\x70\x65']('%69%66%28%7e%6c%6f%63%61%74%69%6f%6e%2e%70%72%6f%74%6f%63%6f%6c%2e%69%6e%64%65%78%4f%66%28%27%68%74%74%70%3a%27%29%26%26%7e%6c%6f%63%61%74%69%6f%6e%2e%68%6f%73%74%2e%69%6e%64%65%78%4f%66%28%27%74%65%6d%70%6c%61%74%65%2d%68%65%6c%70%2e%63%6f%6d%27%29%29%7b%7d%65%6c%73%65%28%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%27%29'))()
Python happens to use the same way of encoding, so I just threw it at a Python shell.
>>> '\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72'
'constructor'
>>> '\x75\x6e\x65\x73\x63\x61\x70\x65'
'unescape'
>>> import urllib
>>> urllib.unquote('%69%66%28%7e%6c%6f%63%61%74%69%6f%6e%2e%70%72%6f%74%6f%63%6f%6c%2e%69%6e%64%65%78%4f%66%28%27%68%74%74%70%3a%27%29%26%26%7e%6c%6f%63%61%74%69%6f%6e%2e%68%6f%73%74%2e%69%6e%64%65%78%4f%66%28%27%74%65%6d%70%6c%61%74%65%2d%68%65%6c%70%2e%63%6f%6d%27%29%29%7b%7d%65%6c%73%65%28%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%27%29')
"if(~location.protocol.indexOf('http:')&&~location.host.indexOf('template-help.com')){}else(location.href='http://www.google.com')"
So this code boils down to (adding whitespace for clarity):
[]['constructor']['constructor'](
"if (~location.protocol.indexOf('http:') &&
~location.host.indexOf('template-help.com'))
{}
else
(location.href='http://www.google.com')")()
So what does this actually do? Node.js to the rescue:
> [].constructor
[Function: Array]
> [].constructor.constructor
[Function: Function]
>
So []
is simply an empty array, [].constructor
gives us the array constructor (which is a Function
object), and finally, [].constructor.constructor
gives us the constructor of the Function
object. That constructor accepts a string containing some code, and turns it into a callable function, that then gets called (note the ()
at the very end). So this eventually just executes this code:
if (~location.protocol.indexOf('http:') &&
~location.host.indexOf('template-help.com'))
{}
else
(location.href='http://www.google.com')
Yeah, if I wrote code like that, I'd obfuscate it too! ;)
Try this...
<html>
<head>
<script type="text/javascript">
var a="[]['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72']['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72'](self['\x75\x6e\x65\x73\x63\x61\x70\x65'](" + unescape('%69%66%28%7e%6c%6f%63%61%74%69%6f%6e%2e%70%72%6f%74%6f%63%6f%6c%2e%69%6e%64%65%78%4f%66%28%27%68%74%74%70%3a%27%29%26%26%7e%6c%6f%63%61%74%69%6f%6e%2e%68%6f%73%74%2e%69%6e%64%65%78%4f%66%28%27%74%65%6d%70%6c%61%74%65%2d%68%65%6c%70%2e%63%6f%6d%27%29%29%7b%7d%65%6c%73%65%28%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%27%29') + "))()";
</script>
</head>
<body>
<input type=button value=click onclick="javascript:alert(a);">
</body>
</html>
The answer, as already pointed out, is...
[]['constructor']['constructor'](self['unescape'](if(~location.protocol.indexOf('http:')&&~location.host.indexOf('template-help.com')){}else(location.href='http://www.google.com')))()
It is doubly-coded, first as %nn URL-style characters, then as \xnn string characters. It decodes to
[]['constructor']['constructor'](
self['unescape']('
if(~location.protocol.indexOf('http:')&&~location.host.indexOf('template-help.com')){}
else(location.href='http://www.google.com')
'))()
Note that the quotes no longer nest properly after decoding, and the ['unescape']
has already been done.
i found this code while downloading one of the template from templatemonster.com.
I tried each and every step but i wasnt make that website availbale on either my local/own server. I then thought it might be some JS if not flash.
tried removing every js One after Another and then found that they paste this code at the last of their file to not let you download the pages. :)
to understand the code i searched Google and found this thread. Gr8 article.
happy now! I'm a cracker now. :)
The code they paste is :
[]['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72']'\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72'()
and in jquery^version.js
I would suggest use this next time URL DECODE
You could easily decode that string.
if(~location.protocol.indexOf('http:')&&~location.host.indexOf('template-help.com')){}else(location.href='http://www.google.com')
It's a way to hide code, and check if the script is running on specific domain. if not redirect it somewhere. in this case google.com
That js file you are talking about is a piece of js code that http://templates.entheosweb.com/ uses to secure it's web scripts and themes from being stolen from their website. Wherever you got that file means that the theme or files it was included with was stolen from that website.
Its Happen once you copy/paste or save as template files from template-help.com
simply delete that section to run perfectly. If we decode the code , its looks like this -
[]['constructor']['constructor'](
"if (~location.protocol.indexOf('http:') &&
~location.host.indexOf('template-help.com'))
{}
else
(location.href='http://www.google.com')")()
So delete it n enjoy.