Help identify this encoding

Mar 14.2023

Part of my job is to help shut down phish attempts. I typically decode their encoded javascripts, find the offending domain, and report them. Some get all their data wiped out. It's pretty easy to visually tell when something is base64 encoded etc., but I am having trouble recognizing this kind of encoding. Do you know what this is when it looks like: an underscore, a zero, an x and then a string? Example: `_0x5c2c5e(0x1ef)] = _0x5c2c5e(0x21d), _0x2ee449['innerHTML'] = _0x625f90, emailBlock[_0x5c2c5e(0x1cf)][_0x5c2c5e(0x1d3)]`

If I could decode these parts, I could shut down many more, but I don’t know this encoding. It might be obvious to you, so I ask 🙂

Tags: Front-end, HTML, JavaScript, Software Engineer

5 Replies

Davinci•003 auto-reply:

The encoding you're seeing is likely a form of obfuscation used to make the code harder to read and analyze. In this case, it looks like the code is using a function named _0x5c2c5e to pass in a hex value (e.g., 0x1ef) as an argument. The function then returns some value that is used as an index into an array or object. The resulting value is likely a string that will be used in some way by the code.

To decode this, you would need to find the definition of the _0x5c2c5e function in the code and then follow its execution to see what it returns. This can be a bit tricky, as the function may be defined in a separate script or may be generated dynamically at runtime.

One approach you could try is to use a JavaScript debugger to step through the code and see what values are being passed to the _0x5c2c5e function and what it returns. This can help you understand the logic of the code and identify any malicious behavior.

Another approach is to use a tool like a JavaScript deobfuscator or a code beautifier to automatically decode the code and make it more readable. These tools can often identify and decode common obfuscation techniques, such as the one you're seeing here. However, keep in mind that some obfuscation techniques can be more complex and may require manual analysis to decode.

Overall, decoding obfuscated JavaScript can be a challenging task, but with some patience and persistence, you can often uncover the underlying logic and identify any malicious behavior.

@yyboo (author), Mar 14.2023: I've tried decoding it using utf-8 but it did not help. Thank you for the answer, I will try a few of those characters and see if I can find a decoder that works using utf-8.

@themolitor, Mar 14.2023: Updated Davinci's reply per feedback 👍

@yyboo (author), Mar 14.2023: Thanks for that info. I'll try more of your suggestions. I tried a js debugger and it didn't work, but mainly at least I try to decrypt the code without loading anything in the browser, obviously. If I can't decode it, I skip it and go on to the next phisher, but more and more of them are using this odd "_0x5c2c5e" encoding technique. Maybe I'll just spin up an old lappy that I don't care if it gets infected and browser-load it and follow the breadcrumbs. But you have a good insight into the function loading hex. Thanks for that.

@themolitor, Mar 14.2023: You bet!
@yyboo (author), Mar 14.2023 — I tried https://www.browserling.com/tools/utf8-decode and a few decoders here, and nothing seems to be able to decode it. Anyone have any other thoughts on this encoding? Seems like more and more phishers are using it.
@storypup, Mar 29.2023 — I don't know where there is a _ in front, but the numbers following like 0x5c2c5e are all matching hex designations for colors. This encoding looks like formatting for the email to use specific colors for elements and then specifies which part contains those elements, for example [innerHTML]. The numbers in parentheses like (0x1ef) appear to be live dump codes like those listed here: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-code-reference-live-dump#kernel-live-dump-codes

It may be that your email provider already removed some parts of these emails, and what's left is formatting. Maybe it was trying to manually trigger a live dump for some unknown exploit.
@ByteAtATime, Mar 30.2023 — Hi, unfortunately, I believe this might be the output of an obfuscator, such as https://obfuscator.io/. Sadly, the whole point of these programs is to make the code impossible to understand, so I'm not sure if there is a way to decode this.
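The answers above describe the mechanism behind the `_0x5c2c5e(0x1ef)` pattern: an accessor function that turns a hex index into an entry of a hidden string array, which is the shape tools such as obfuscator.io emit. As an added example (not code from this thread or from any obfuscator), here is a small static resolver that recovers those strings by text substitution, so nothing has to be loaded in a browser; the sample source, the array name `_0x4a1b` and the offset `0x1cf` are constructed, and only this simplest form is handled (no array rotation and no encoded-string layer).

```javascript
// Constructed sample in the shape the question shows: a string array plus an accessor
// function that maps a hex index to an entry. Not real phishing code, and much simpler
// than real obfuscator output (no array rotation, no string encoding layer).
const SAMPLE = `
var _0x4a1b = ['innerHTML', 'style', 'display', 'value', 'getElementById'];
function _0x5c2c5e(_0x1) { return _0x4a1b[_0x1 - 0x1cf]; }
var emailBlock = document[_0x5c2c5e(0x1d3)]('email');
emailBlock[_0x5c2c5e(0x1cf)] = _0x625f90;
emailBlock[_0x5c2c5e(0x1d0)][_0x5c2c5e(0x1d1)] = 'none';
`;

// Locate the string array and the accessor that indexes it; returns null when the
// source does not follow this simple shape. Assumes quoted literals without commas.
function findDecoder(src) {
  const a = src.match(/var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\]/i);
  if (!a) return null;
  const items = a[2].split(',').map(s => s.trim().replace(/^['"]|['"]$/g, ''));
  const f = src.match(new RegExp(
    `function\\s+(_0x[0-9a-f]+)\\s*\\((\\w+)\\)\\s*\\{\\s*return\\s+${a[1]}\\[\\2\\s*-\\s*(0x[0-9a-f]+)\\]`, 'i'));
  if (!f) return null;
  return { items, accessor: f[1], offset: parseInt(f[3], 16) };
}

// Rewrite every accessor call such as _0x5c2c5e(0x1cf) into the string literal it
// resolves to, purely by text substitution: the sample is never executed.
function resolveStrings(src) {
  const d = findDecoder(src);
  if (!d) return src;
  const callRe = new RegExp(`${d.accessor}\\((0x[0-9a-f]+)\\)`, 'gi');
  return src.replace(callRe, (whole, hex) => {
    const s = d.items[parseInt(hex, 16) - d.offset];
    return s === undefined ? whole : JSON.stringify(s); // leave unknown indices alone
  });
}

// Distinct strings the code actually references: the fastest triage signal (DOM
// property names, field ids, URLs) when deciding what to report.
function referencedStrings(src) {
  const d = findDecoder(src);
  if (!d) return [];
  const callRe = new RegExp(`${d.accessor}\\((0x[0-9a-f]+)\\)`, 'gi');
  const out = new Set();
  for (const m of src.matchAll(callRe)) {
    const s = d.items[parseInt(m[1], 16) - d.offset];
    if (s !== undefined) out.add(s);
  }
  return [...out];
}
```

Real obfuscator output usually rotates the array and wraps the accessor in a decoding layer, so on a live sample the array and offset extraction above is the part that needs adapting.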