The Revoluti0n
last article table of contents next article

Strange Article - don't hide, come out! (jscript encryption, a humble approach) by jackie

                                                        ?    ?    ?
                                                           ?  ____  
                                                             /    \ ?
  don't hide, come out!                                  ?  / \ _  \  ?
  (jscript encryption, a humble approach)                  ( .o o.  ) ___
   .by jackie                                            __/   ^    \/   \
                                                        /  \___o____      \


 First of all, hola a todos!  My joined project with antistate is on the run
and it's really on time to put out some meaningful and innovativ stuff. Well
I know it's going down, but don't hesitate reading on and learning something
new while spending a lil time with these lines.

 This time we are going to  take a short introduction  into the non existing
world of encrypted jscript viruses and technics how to do it. Don't yell now
because I haven't seen a piece of encrypted jscript code until today. If you
got some ideas, feel free to mail me.

 While I've been thinking about how to realise my ideas about encrypted bugs
written in jscript carried on,  I remembered a lot of  things  rajaat and me
where talking about ages ago, so thanks fly out to rajaat at that point.  To
make a long story short: let's get it on!

 Please note that a basic knowledge  of programming jscript  is a good start,
because jscript is a lil bitch sometimes. Not like your decent vbscript. xD=
It really does make no sense if you are going to copy/paste parts of the code
published here into 'your' creations, it won't bring you any further. Go out
and download the jscript documentation and samples and try find your own way
thru jscript. I made it, so your are going to do so too. xD=

 Uhm, one last thing for introduction, this paper contains a lot of old code
I've bothered  with and where never released.  Finally they found their very
own destiny. xD= Enjoy.

.facing east

 I've already showed  how to do apply encryption stuff  on vbscript in on of
my latest papers,  but while researching on the jscript topic,  it was not a
real helping hand,  because the main function my vbscript code was built on,
was the 'Execute()' statement of wsh and guess what? It doesn't exist in our
new target jscript.  But, that's not the end of the story,  let's take a
short look on the description of the 'eval()' statement in the documentation
provided by ms.



 Evaluates JScript code and executes it. 



 The codestring argument is a String object that contains valid JScript code.
 This string is parsed by the JScript parser and executed. 


 The eval function allows dynamic execution of JScript source code. For
 example, the following code creates a new variable mydate that contains a
 Date object: 

  eval("var mydate = new Date();");

 The code passed to the eval method is executed in the same context as the
 call to the eval method. 


 Alright, as we can see, this function will help us out and so one two three
our encrypted jscript virus dream will come true.  Ok, let's think about how
we could get this whole thing started. Basically I include my encrypted code
as a comment  within the  original code,  but it's just the way I personally
like it, because I feel code stored in arrays is kinda gay, so I'm not going
to cover it here,  but anyway it's pretty simple to do it on your own with a
lil bit of jscript skills. So,  here's some basic example how it could  look


 or living example



 Did you get the idea? Basically it can be done like this too:



 Just use  your imagination,  everything is possible  it just depends on the
lines of code you wanna spend for the decrypting routine.  Heh,  good point.
Time to switch to an important topic.

.i've got the key, i've got the secret!

 As these topic pretty much says,  we are going to mess up with code pieces,
which are going to do the encryption for us. For our meanings, I used simple
xor encryption,  because it works fine for en/decryption without extra code.


 function encrypt(str,key) { 
 var x = '';
 for (var i = 0; i < str.length; i++)
  x = x + String.fromCharCode(str.charCodeAt(i) ^ key);
 return(x) }


 All the magic is done here,  so it's basically nothing else than a simple &
plain xor routine for jscript. The ' fromCharCode() ' and the ' charCodeAt '
functions  are basically the same like ' Chr()' & 'Asc()' functions  you can
find within vbscript.  Please consult the jscript documentation if something
is unclear about these functions.

.collecting the stars at night

 As showed above, I'm going to store my encrypted code within a comment, so
this chapter  here is going to cover some basic ideas about how to deal with
strings and how to get the values with need, the encrypted code and the key,
from our host file.

 JScript supplies a few commands we can use for our manner.  The 'indexOf()'
function  equals to the 'InStr()'  function and  'substr()' is basically the
same as 'Mid()'. Because I not want to bore you with too much theory, here's
some code snippet:


 var start_e=y.indexOf(String.fromCharCode(47)+String.fromCharCode(42));
 var end_e=y.indexOf(String.fromCharCode(42)+String.fromCharCode(47));
 var key=y.substr(end_e-3,3);
 var code=y.substr(start_e+4,end_e-9-start_e);

 Well,  the snippet  above does not more  than get the start  and end of our
encrypted code plus the key for the xor function.

 Finally,  here's some complete very basic example showing all the discussed
technics in one snippet,  just to show a working example. I guess there's no
real need to comment everything, because it's kinda selfexplaining after you
read this paper. xD=



 // very basic js encryption sample
 // (c) 2000 jackie
 var fs=new ActiveXObject('Scripting.FileSystemObject');
 var f=fs.OpenTextFile(WScript.ScriptFullName,1);
 var y=f.ReadAll();
 var s=y.indexOf(String.fromCharCode(47)+String.fromCharCode(42));
 var e=y.indexOf(String.fromCharCode(42)+String.fromCharCode(47));
 var k=y.substr(e-3,3);
 var z=y.substr(s+4,e-9-s);
 function l(s,d) { 
 var x = '';
 for (var i = 0; i < s.length; i++)
  x = x + String.fromCharCode(s.charCodeAt(i) ^ d);
 return(x) }

 Ah, yes something to note.  Not like the undocumented function in  vbscript
'ExecuteGlobal()',  the 'eval()' function isn't able to use code declared in
the jscript file, ie:  if you declare  some object like  filesystemobject or
something similar in your normal code, you MUST declare it in your encrypted
code too, because it can use it. Other than the undocumented function in vbs
where you could declare some var or object in your normal code and access it
in your executed code on the fly too.  Just try to toy around a  bit with it
for yourself and you will understand what I'm talking about. xD=

Uhm, yes, please keep in mind, that everything in jscript is case sensitive,
but, i guess you know that. xD=


 Another story ends and I hope this  paper got you a  clue what an encrypted
jscript virus could look like. Basically, the methods and technics showed in
this paper could be  used for any other manner,  for example doing something
with polymorphism on the fly, o r anything else related to code execution on
the fly.

 So, I hope you liked this one and you are yet trying to improve your coding
in a new an fresh way.  Scene is nearly dead, it's just yet another question
of time until the last of the old ones disappears.  I guess our  new project
will take shapes soon,  right now it's  just talking and stuff,  yes writing
stuff for it too, but watch out for us, as soon as we get alive.  Well, take
care gals and boys and sleep tight. xD=

 lost on a far far away green planet,

                                         carinthia/austria/europe 09/03/2002


 . babie               . collecting stars for ya tonight
 . antistate           . when we gonna start tantrum, huh? xD=
 . rajaat              . take care man. xD= catch you.
 . capoeira            . vote 4 president.
 . all oldskewlers     . keep the spirit before it's too late. :/
                         but I guess it's just a part of the process. :/

 The chance to reach me via any  media increases and decreases all the time,
 so prolly the best way is to try the latest resources ie:

 . worldwideweb :
 . irc          : undernet #virus (hardly)

.good music

 . air      : moon safari
 . calexico : hot rail
                  yet another tantrum production (c) 2002