Author Topic: Anyone could help on the deobfuscation of the attached code?  (Read 3100 times)

April 19, 2010, 05:51:33 pm

valkyriex

Hi fellows,

Could anyone deobfuscate the attached code? Would you mind listing out the steps, as I can't figure it out with Malzilla?

Thanks, mates.

Regards,
Anthony

April 19, 2010, 06:31:29 pm
Reply #1

SysAdMini

Attached.

It would take hours to explain it in detail.

General guidelines:
- Use "format code" to structure the code.
- Use a second decoder tab to resolve "replace" instructions. You can do this by "eval(some_replace_instruction)". Now the code is much more readable.
- Transform DOM functions which Malzilla is unable to manage (getElementById, document.location.href).

The modified script for Malzilla decoding can be found in the zip file.
Ruining the bad guy's day

April 20, 2010, 07:12:26 am
Reply #2

valkyriex

Thank you, SysAdMini, I have replicated it with reference to your guidelines.

In fact, another method, suggested by my Taiwan fellow, is putting document.write and alert on the output/return result.

For example:

   document.write(mbtnpoq);
   alert(mbtnpoq);

Regards,
Anthony
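
The two approaches in this thread (stubbing the DOM calls a decoder cannot handle, and printing the decoded string instead of letting it run) can be combined in a small Node.js harness. This is an added example, not part of the original posts or of Malzilla; the `unwrap` helper, the stub values and the sample script are constructed for illustration.

```javascript
// Constructed, harmless sample: junk characters hide the payload until
// replace() strips them and eval() runs the result.
const SAMPLE = `
var mbtnpoq = "doQcumQent.wQrite('<b>layer two</b>')".replace(/Q/g, "");
var el = document.getElementById("x");
if (document.location.href.indexOf("http") == 0) { eval(mbtnpoq); }
`;

// unwrap() is a hypothetical helper. It shadows eval, document, alert and
// window with logging stubs, so every string passed to them is recorded;
// eval'd strings are queued and run under the same stubs.
// Name shadowing is not a sandbox: real samples belong in an isolated VM.
function unwrap(source, maxLayers = 10) {
  const captured = [];
  const queue = [source];
  for (let depth = 0; queue.length > 0 && depth < maxLayers; depth++) {
    const code = queue.shift();
    const log = (sink) => (s) => captured.push({ sink, text: String(s) });
    const doc = {
      // Stub values are assumptions; adjust them to what the sample checks.
      location: { href: 'http://analysis.invalid/' },
      getElementById: () => ({ innerHTML: '', value: '', style: {} }),
      write: log('document.write'),
      writeln: log('document.writeln'),
    };
    const evalHook = (s) => {
      log('eval')(s);
      queue.push(String(s)); // decoded layer becomes the next input
    };
    try {
      // Function-constructor bodies are sloppy-mode, so "eval" is a legal
      // parameter name and the sample's eval() call reaches evalHook.
      const run = new Function('eval', 'document', 'alert', 'window', code);
      run(evalHook, doc, log('alert'), { document: doc, location: doc.location });
    } catch (err) {
      captured.push({ sink: 'error', text: err.message });
    }
  }
  return captured;
}

console.log(unwrap(SAMPLE));
```

Each entry in the returned array names the sink that received the string, so the order of entries shows how the layers nest.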