Tags: javascript, reverse-engineering

Understanding a malicious js file


I am trying my hand at reversing a malicious JS script to find out what it does. The script is really long, but there is one part I don't fully understand and hope you can help with. I will only show a small part of the script, with the parts relevant to this problem, so as to avoid anyone accidentally running it.

The following line calls the function UU multiple times:

ib[0] = O(Arw,UU(1017-980)+UU(19+81)+UU(32*3)+UU(51+25)+UU(4508/98+0)+UU(671-606)+UU(1677/43+0)+UU(631-522)+UU(5*23)+UU(7719/83-0)+UU(6+93)+UU(4*23));

The function UU has the following setup:

function UU(s)
{
    var Ea = ",!)Q ;Zrvz2^@HgS{I~1(O`ba'&l%$mqVCXG9#w0]d.-8W_34[kA5<n/RBDLsFN\\tpY6E7fy?oi|+\"xJ>ThUc=uKjeM:}*P";
    var h=30090;
    var yz=h+29060;
    var mm=yz/650;
    var PF=mm-60; // evaluates to 31
    var i = Ea[L(s)](s-PF);
    return i;
}

Part of the operation to get the return value "i" calls the function L:

function L(R)
{
    return "\x63\x68\x61\x72A\x74";
}

Question: what is function L returning?

I believe the function L is trying to obfuscate its return value so as to make analysis harder. I am not sure if I need to convert this to ASCII or decimal in order to accurately complete the string lookup in function UU.


Solution

  • Those are escape characters. It is fairly easy to look up the values in the ASCII table, but you can also console.log the string to see the resulting value.

    console.log("\x63\x68\x61\x72A\x74");

    It evaluates to charAt.
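An added example (not code from the question or the answer): the posted alphabet, offset chain and L() copied into a small Node.js script, plus a restricted arithmetic evaluator that resolves the UU(...) arguments of the ib[0] line, so the string handed to O(Arw, ...) can be recovered statically without executing the sample. The names uu, evalArith, decodeUUCalls and IB0_ARGS are my own.

```javascript
// Added example for this thread; not the question's or answer's code. It copies the
// alphabet, offset chain and L() from the posted UU function, then resolves the
// UU(...) arguments of the posted ib[0] expression offline, so the argument handed to
// O(Arw, ...) can be read without running the sample.
const ALPHABET = ",!)Q ;Zrvz2^@HgS{I~1(O`ba'&l%$mqVCXG9#w0]d.-8W_34[kA5<n/RBDLsFN\\tpY6E7fy?oi|+\"xJ>ThUc=uKjeM:}*P";
const OFFSET = ((30090 + 29060) / 650) - 60; // the h/yz/mm/PF chain from UU; evaluates to 31

// Same body as the posted L(): hex escapes that spell out a method name.
function L() {
  return "\x63\x68\x61\x72A\x74";
}

// Same lookup as the posted UU(): ALPHABET[L()] is ALPHABET.charAt.
function uu(s) {
  return ALPHABET[L()](s - OFFSET);
}

// Evaluates one argument such as "4508/98+0" without eval(): only digits and + - * /
// are accepted; products and quotients are formed first, then the signed terms are summed.
function evalArith(expr) {
  if (!/^[\d+\-*\/]+$/.test(expr)) throw new Error("unsupported argument: " + expr);
  const terms = expr.match(/[+-]?[^+-]+/g);
  return terms.reduce((sum, term) => {
    const sign = term[0] === "-" ? -1 : 1;
    const factors = term.replace(/^[+-]/, "").match(/[*\/]?[^*\/]+/g);
    const product = factors.reduce((acc, f) => {
      if (f[0] === "*") return acc * Number(f.slice(1));
      if (f[0] === "/") return acc / Number(f.slice(1));
      return Number(f);
    }, 0);
    return sum + sign * product;
  }, 0);
}

// Finds every UU(<arithmetic>) in a concatenation expression and rebuilds the string.
function decodeUUCalls(expr) {
  return Array.from(expr.matchAll(/UU\(([^)]*)\)/g), (m) => uu(evalArith(m[1]))).join("");
}

// The argument string from the posted ib[0] line (the O(Arw, ...) wrapper omitted).
const IB0_ARGS = "UU(1017-980)+UU(19+81)+UU(32*3)+UU(51+25)+UU(4508/98+0)+UU(671-606)+" +
  "UU(1677/43+0)+UU(631-522)+UU(5*23)+UU(7719/83-0)+UU(6+93)+UU(4*23)";

console.log(L(), OFFSET, decodeUUCalls(IB0_ARGS));
```

The recovered value is only the intermediate string that O(Arw, ...) consumes; what O does with it is not shown on this page.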