Malware Domain List

Malware Related => Malware Analysis => Topic started by: valkyriex on April 19, 2010, 05:51:33 pm

Title: Anyone could help on the deobfuscation of the attached code?
Post by: valkyriex on April 19, 2010, 05:51:33 pm
Hi fellows,

Could anyone deobfuscate the attached code? Would you mind listing out the steps, as I can't figure it out with Malzilla?

Thanks, mates.

Regards,
Anthony
Title: Re: Anyone could help on the deobfuscation of the attached code?
Post by: SysAdMini on April 19, 2010, 06:31:29 pm
Attached.

It would take hours to explain it in detail.

General guidelines:
- Use "format code" to structure the code.
- Use a second decoder tab to resolve "replace" instructions. You can do this with "eval(some_replace_instruction)". Now the code is much more readable.
- Transform DOM functions which Malzilla is unable to manage (getElementById, document.location.href).

The modified script for Malzilla decoding can be found in the zip file.
Title: Re: Anyone could help on the deobfuscation of the attached code?
Post by: valkyriex on April 20, 2010, 07:12:26 am
Thank you, SysAdMini. I have replicated it with reference to your guidelines.

In fact, another method, suggested by my Taiwan fellow, is to put document.write and alert on the output/return result.

For example:

   document.write(mbtnpoq);
   alert(mbtnpoq);

Regards,
Anthony
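
The two approaches from this thread (stubbing the DOM functions the decoder expects, and printing the decoded string instead of evaluating it) can be combined in a short Node.js script. This is an added example, not code from any post or from the attached zip; `SAMPLE`, `captureLayer` and `unwrap` are hypothetical names and the sample input is constructed and harmless.

```javascript
// Added example. Constructed, harmless sample in the style the thread describes:
// junk characters stripped with replace(), DOM lookups, then eval of the result.
const SAMPLE = `
var k = document.getElementById("x").innerHTML;
var mbtnpoq = "aQlQeQrQtQ(Q'QhQiQ'Q)Q;".replace(/Q/g, "");
if (document.location.href.indexOf("http") === 0) { eval(mbtnpoq); }
`;

// Run one layer with eval/alert/document.write swapped for recorders, so the
// decoded string is captured instead of executed. The outer decoder still runs
// in this process: new Function is not a sandbox, so use a disposable analysis VM.
function captureLayer(source, pageUrl) {
  const captured = [];
  const record = (kind) => (value) => captured.push({ kind, text: String(value) });
  const element = { innerHTML: "", value: "", style: {} };
  const documentStub = {
    getElementById: () => element,      // DOM calls the decoder expects to exist
    location: { href: pageUrl },
    write: record("document.write"),
  };
  try {
    // Parameters shadow the real globals inside the sample (sloppy mode allows "eval").
    const run = new Function("document", "window", "eval", "alert", source);
    run(documentStub, { location: documentStub.location }, record("eval"), record("alert"));
  } catch (err) {
    // A missing stub shows up here and tells the analyst what to add next.
    captured.push({ kind: "error", text: err.message });
  }
  return captured;
}

// Feed every captured eval() argument back in until no further layer appears.
function unwrap(source, pageUrl, maxDepth = 5) {
  const layers = [];
  let queue = [source];
  for (let depth = 0; depth < maxDepth && queue.length > 0; depth++) {
    const next = [];
    for (const code of queue) {
      for (const hit of captureLayer(code, pageUrl)) {
        layers.push({ depth, ...hit });
        if (hit.kind === "eval") next.push(hit.text);
      }
    }
    queue = next;
  }
  return layers;
}

console.log(unwrap(SAMPLE, "http://sample.invalid/page.html"));
```

An `error` entry naming an undefined function is the cue to extend `documentStub`, which is the same manual step as rewriting DOM calls for Malzilla.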