On Fri, 20 Apr 2001, Nicolas Villatte wrote:

> I received a blank e-mail with a javascript inserted in the HTML,
> using Outlook 2000.
> I wonder what this code represents and how to decode and understand
> it.
>
> Here follows the source code :
>
> <html>
> <head>
> <title>HardCore</title>
> <meta http-equiv="Content-Type" content="text/html;
> charset=iso-8859-1">
> </head>
>
> <body bgcolor="#FFFFFF">
> <script>
> function Merlin( s ) { var sRet=""; for(j=0; j< s.length; j++ ){ var
> n= s.charCodeAt(j); if (n>=8364) {n = 128;} sRet +=
> String.fromCharCode( n - 3 ); } return( sRet ); }
> var sJsCmds ="" +
> "?kwpoA?khdgA?wlwohAXqwlwohg#Grfxphqw?2wlwohA?phwd#kwws0htxly@%Frqwhqw
> 0W|sh%#frqwhqw@%wh{w2kwpo>#fkduvhw@lvr0;;8<04%A?2khdgA?erg|#ejfroru@%&
[snip]
> 2wdeohA?sA)qevs>?2sA?2erg|A?2kwpoA" +
> "";
> var s= Merlin( sJsCmds);
> document.write (s);
> </script>
> </body>
> </html>

Well, look at what it does. It reads the string one character at a
time, converts it to a number, subtracts 3, and converts back to a
character. So it's just decrypting a Caesar cipher. I wrote a quick C
program to decrypt it:

#include <stdio.h>

int main(void)
{
    int c;  /* int, not char, so EOF can be told apart from data bytes */

    /* shift every input byte down by 3, undoing the script's encoding */
    while ( ( c = getchar() ) != EOF )
        printf("%c", c-3);
    return 0;
}

The first lines start out:

<html><head><title>Untitled Document</title><meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"></head><body bgcolor="#

and then it goes into what looks like a spam for a porn site.

Damian Menscher
-- 
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <menscherat_private> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--
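Added example, not part of the original post: a static decoder for the quoted script that pulls the string literals out of the source and applies the same transform as Merlin(), so the mail's HTML never has to be rendered or executed. It goes slightly beyond the plain shift by also handling the n>=8364 fold and the mail-wrapped, concatenated literals. The names merlinDecode, extractPayload and decodeScript are this example's own, and the sample is constructed from the two payload lines visible above.

```javascript
// Same transform as Merlin() in the quoted mail: code units >= 8364 (U+20AC,
// the euro sign) are folded to 128, then every unit is shifted down by 3.
function merlinDecode(s) {
  let out = "";
  for (let j = 0; j < s.length; j++) {
    let n = s.charCodeAt(j);
    if (n >= 8364) n = 128;
    out += String.fromCharCode(n - 3);
  }
  return out;
}

// Hypothetical helper: join the double-quoted literals assigned to varName.
// A ';' ends the statement only outside a literal, because the encoded text
// itself contains ';'. Line breaks inside a literal are mail wrapping: dropped.
function extractPayload(source, varName) {
  const m = new RegExp("var\\s+" + varName + "\\s*=").exec(source);
  if (!m) return null;
  let inStr = false, out = "";
  for (let i = m.index + m[0].length; i < source.length; i++) {
    const ch = source[i];
    if (!inStr) {
      if (ch === '"') inStr = true;
      else if (ch === ";") break;
    } else if (ch === "\\") {
      out += source[++i] ?? "";   // escaped character, kept as-is
    } else if (ch === '"') {
      inStr = false;
    } else if (ch !== "\n" && ch !== "\r") {
      out += ch;
    }
  }
  return out;
}

function decodeScript(source, varName) {
  const payload = extractPayload(source, varName);
  return payload === null ? null : merlinDecode(payload);
}

// Constructed sample: the two payload lines visible in the post, with the
// literal closed at the point where the post says [snip].
const SAMPLE = String.raw`var sJsCmds ="" +
"?kwpoA?khdgA?wlwohAXqwlwohg#Grfxphqw?2wlwohA?phwd#kwws0htxly@%Frqwhqw
0W|sh%#frqwhqw@%wh{w2kwpo>#fkduvhw@lvr0;;8<04%A?2khdgA?erg|#ejfroru@%&" +
"";
var s= Merlin( sJsCmds);`;

console.log(decodeScript(SAMPLE, "sJsCmds"));
```

Because the wrapped line break is dropped before decoding, "Content" and "-Type" come out joined rather than split across two lines.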
This archive was generated by hypermail 2b30 : Sat Apr 21 2001 - 19:27:22 PDT