-7

i am wondering how to know what inside this java! so is there a way to know what this javascript code is, i'm sorry if this seems weird.also want to know the type of this encryption.

    var _0x4816=["\x24\x28\x69\x29\x5B\x27\x66\x27\x5D\x28\x35\x28\x29\x7B\x24\x28\x27\x23\x33\x27\x29\x5B\x27\x6A\x27\x5D\x28\x27\x3C\x61\x20\x34\x3D\x22\x32\x3A\x2F\x2F\x36\x2E\x37\x2E\x38\x22\x20\x63\x3D\x22\x64\x22\x20\x65\x3D\x22\x62\x22\x20\x67\x3D\x22\x68\x3A\x39\x21\x30\x3B\x6B\x3A\x31\x21\x30\x3B\x6C\x3A\x6D\x21\x30\x22\x3E\u062A\u0635\u0645\u064A\u0645\x3A\u0639\u0628\u062F\u0648\x20\u062A\u0643\u0646\u0648\u0644\u0648\u062C\u064A\x3C\x2F\x61\x3E\x27\x29\x2C\x6E\x28\x35\x28\x29\x7B\x24\x28\x27\x23\x33\x3A\x39\x27\x29\x5B\x27\x6F\x27\x5D\x7C\x7C\x28\x70\x5B\x27\x71\x27\x5D\x5B\x27\x34\x27\x5D\x3D\x27\x32\x3A\x2F\x2F\x36\x2E\x37\x2E\x38\x27\x29\x7D\x2C\x72\x29\x7D\x29\x3B","\x7C","\x73\x70\x6C\x69\x74","\x69\x6D\x70\x6F\x72\x74\x61\x6E\x74\x7C\x7C\x68\x74\x74\x70\x7C\x64\x6F\x6E\x74\x65\x64\x69\x74\x7C\x68\x72\x65\x66\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x77\x77\x77\x7C\x61\x62\x64\x6F\x75\x74\x65\x63\x68\x7C\x63\x6F\x6D\x7C\x76\x69\x73\x69\x62\x6C\x65\x7C\x7C\x5F\x62\x6C\x61\x6E\x6B\x7C\x72\x65\x6C\x7C\x64\x6F\x66\x6F\x6C\x6C\x6F\x77\x7C\x74\x61\x72\x67\x65\x74\x7C\x72\x65\x61\x64\x79\x7C\x73\x74\x79\x6C\x65\x7C\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x68\x74\x6D\x6C\x7C\x6F\x70\x61\x63\x69\x74\x79\x7C\x70\x6F\x73\x69\x74\x69\x6F\x6E\x7C\x72\x65\x6C\x61\x74\x69\x76\x65\x7C\x73\x65\x74\x49\x6E\x74\x65\x72\x76\x61\x6C\x7C\x6C\x65\x6E\x67\x74\x68\x7C\x77\x69\x6E\x64\x6F\x77\x7C\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x7C\x33\x65\x33","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];
eval(function(_0x9bccx1,_0x9bccx2,_0x9bccx3,_0x9bccx4,_0x9bccx5,_0x9bccx6)
    {
    _0x9bccx5= function(_0x9bccx3)
        {
        return _0x9bccx3.toString(_0x9bccx2)
    };
    if(!_0x4816[5][_0x4816[4]](/^/,String))
        {
        while(_0x9bccx3--)
            {
            _0x9bccx6[_0x9bccx5(_0x9bccx3)]= _0x9bccx4[_0x9bccx3]|| _0x9bccx5(_0x9bccx3)
        };
        _0x9bccx4= [function(_0x9bccx5)
            {
            return _0x9bccx6[_0x9bccx5]
        }
        ];
        _0x9bccx5= function()
            {
            return _0x4816[6]
        };
        _0x9bccx3= 1
    };
    while(_0x9bccx3--)
        {
        if(_0x9bccx4[_0x9bccx3])
            {
            _0x9bccx1= _0x9bccx1[_0x4816[4]]( new RegExp(_0x4816[7]+ _0x9bccx5(_0x9bccx3)+ _0x4816[7],_0x4816[8]),_0x9bccx4[_0x9bccx3])
        }
    };
    return _0x9bccx1
}
(_0x4816[0],28,28,_0x4816[3][_0x4816[2]](_0x4816[1]),0,
    {
}
))
Jonathon Reinhart
  • 132,704
  • 33
  • 254
  • 328
k76
  • 11
  • 1
  • 9

1 Answers1

1

the script is not encrypted, but obfuscated, But, to reduce your curiosity, see the script below after I've deobfuscated:

 var z = ["$(i)[\'f\'](5(){$(\'#3\')[\'j\'](\'<a 4=\"2://6.7.8\" c=\"d\" e=\"b\" g=\"h:9!0;k:1!0;l:m!0\">تصميم:عبدو تكنولوجي</a>\'),n(5(){$(\'#3:9\')[\'o\']||(p[\'q\'][\'4\']=\'2://6.7.8\')},r)});", "|", "split", "important||http|dontedit|href|function|www|abdoutech|com|visible||_blank|rel|dofollow|target|ready|style|visibility|document|html|opacity|position|relative|setInterval|length|window|location|3e3", "replace", "", "\\w+", "\\b", "g"];
 eval(function(a, b, c, d, e, f) {
         e = function(g) {
             return g.toString(b)
         };
         if (!z[5][z[4]](/^/, String)) {
             while (g--) {
                 f[e(g)] = d[g] || e(g)
             };
             d = [function(e) {
                 return f[e]
             }];
             e = function() {
                 return z[6]
             };
             g = 1
         };
         while (g--) {
             if (d[g]) {
                 a = a[z[4]](new RegExp(z[7] + e(g) + z[7], z[8]), d[g])
             }
         };
         return a
     }
     (z[0], 28, 28, z[3][z[2]](z[1]), 0, {}))

UPDATE 1:

See:

How does this obfuscated JavaScript work?

for the complete explain :)

UPDATE 2:

Since you ask me the script inside it, here what i've got:

$(document)['ready'](function() {
    $('#dontedit')['html']('<a href="http://www.abdoutech.com" rel="dofollow" target="_blank" style="visibility:visible!important;opacity:1!important;position:relative!important">تصميم:عبدو تكنولوجي</a>'), setInterval(function() {
        $('#dontedit:visible')['length'] || (window['location']['href'] = 'http://www.abdoutech.com')
    }, 3e3)
})

Simplified Code:

$(document).ready(function() {
    $('#dontedit').html('<a href="http://www.abdoutech.com" rel="dofollow" target="_blank" style="visibility:visible!important;opacity:1!important;position:relative!important">تصميم:عبدو تكنولوجي</a>');

    setInterval(function() {
        $('#dontedit:visible').length || (window.location.href = 'http://www.abdoutech.com')
    }, 3e3);
});
Fadhly Permata
  • 1,686
  • 13
  • 26
  • i understood , but i will explain , this is the original code https://rawgit.com/abdelalilebbihi/lebbihi.dz/master/timerbody.js after i unpack it gave me the code above so i need to know what inside – k76 Feb 07 '18 at 09:59
  • not pure the original code, but at least it can be easier to read. because at the time of the obfuscator process, the original data is not stored at all, so we can not return the code to be the original. But in outline, the above script will still run as well as the script you provide. – Fadhly Permata Feb 07 '18 at 10:05
  • I have added a link to how obfuscator works in javascript, please look at the answers I have given – Fadhly Permata Feb 07 '18 at 10:08
  • @k76 : See my latest update. By the way, please do not change your comment, because the discussion is not clear anymore. – Fadhly Permata Feb 07 '18 at 10:31
  • @ Fadhly Permata: i will not change any comment , by the way it gave me the same . but when i post it in template ,it work , but timer does not work , because the original code before timer works,i try too to find exit , also wait your help – k76 Feb 07 '18 at 10:44