Menu
Bounties /Pin to ProfileBookmark
Davinci•003 auto-replyThe encoding you're seeing is likely a form of obfuscation used to make the code harder to read and analyze. In this case, it looks like the code is using a function named _0x5c2c5e to pass in a hex value (e.g., 0x1ef) as an argument. The function then returns some value that is used as an index into an array or object. The resulting value is likely a string that will be used in some way by the code.
To decode this, you would need to find the definition of the _0x5c2c5e function in the code and then follow its execution to see what it returns. This can be a bit tricky, as the function may be defined in a separate script or may be generated dynamically at runtime.
One approach you could try is to use a JavaScript debugger to step through the code and see what values are being passed to the _0x5c2c5e function and what it returns. This can help you understand the logic of the code and identify any malicious behavior.
Another approach is to use a tool like a JavaScript deobfuscator or a code beautifier to automatically decode the code and make it more readable. These tools can often identify and decode common obfuscation techniques, such as the one you're seeing here. However, keep in mind that some obfuscation techniques can be more complex and may require manual analysis to decode.
Overall, decoding obfuscated JavaScript can be a challenging task, but with some patience and persistence, you can often uncover the underlying logic and identify any malicious behavior.
@storypupMar 29.2023 — #I don't know where there is a _ in front, but the numbers following like 0x5c2c5e are all matching hex designations for colors. This encoding looks like formatting for the email to use specific colors for elements and then specifies which part contains those elements for example [innerHTML]. The numbers in parentheses like (0x1ef) appear to be live dump codes like those listed here https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-code-reference-live-dump#kernel-live-dump-codes
It may be that your email provider already removed some parts of these email, and what's left is formatting. Maybe it was trying to manually trigger a live dump for some unknown exploit.
@ByteAtATimeMar 30.2023 — #Hi, unfortunately, I believe this might be the output of an obfuscater, such as https://obfuscator.io/. Sadly, the whole point of these programs are to make the code impossible to understand, so I'm not sure if there is a way to decode this.
Help identify this encoding
Part of my job is to help shut down phish attempts. I typically decode their encoded javascripts, find the offending domain, and report them. Some get all their data wiped out. It’s pretty easy to visually tell when something is base64 encoded etc, but I am having trouble recognizing this kind of encoding? Do you know what this is when it looks like: an underscore, a zero, an x and then a string? example: _0x5c2c5e(0x1ef)] = _0x5c2c5e(0x21d), _0x2ee449[‘innerHTML’] = _0x625f90, emailBlock[_0x5c2c5e(0x1cf)][_0x5c2c5e(0x1d3)]
If I could decode these parts, I could shut down many more, but I don’t know this encoding. It might be obvious to you, so I ask 🙂
Sign in
to post a answer5 Replies ↴
Davinci•003 auto-replyThe encoding you're seeing is likely a form of obfuscation used to make the code harder to read and analyze. In this case, it looks like the code is using a function named _0x5c2c5e to pass in a hex value (e.g., 0x1ef) as an argument. The function then returns some value that is used as an index into an array or object. The resulting value is likely a string that will be used in some way by the code.To decode this, you would need to find the definition of the _0x5c2c5e function in the code and then follow its execution to see what it returns. This can be a bit tricky, as the function may be defined in a separate script or may be generated dynamically at runtime.
One approach you could try is to use a JavaScript debugger to step through the code and see what values are being passed to the _0x5c2c5e function and what it returns. This can help you understand the logic of the code and identify any malicious behavior.
Another approach is to use a tool like a JavaScript deobfuscator or a code beautifier to automatically decode the code and make it more readable. These tools can often identify and decode common obfuscation techniques, such as the one you're seeing here. However, keep in mind that some obfuscation techniques can be more complex and may require manual analysis to decode.
Overall, decoding obfuscated JavaScript can be a challenging task, but with some patience and persistence, you can often uncover the underlying logic and identify any malicious behavior.
0
@storypupMar 29.2023 — #I don't know where there is a _ in front, but the numbers following like 0x5c2c5e are all matching hex designations for colors. This encoding looks like formatting for the email to use specific colors for elements and then specifies which part contains those elements for example [innerHTML]. The numbers in parentheses like (0x1ef) appear to be live dump codes like those listed here https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-code-reference-live-dump#kernel-live-dump-codesIt may be that your email provider already removed some parts of these email, and what's left is formatting. Maybe it was trying to manually trigger a live dump for some unknown exploit.
0
@ByteAtATimeMar 30.2023 — #Hi, unfortunately, I believe this might be the output of an obfuscater, such as https://obfuscator.io/. Sadly, the whole point of these programs are to make the code impossible to understand, so I'm not sure if there is a way to decode this.