Nytro Posted June 18, 2011

Javascript Deobfuscation Tools (Part 1)

Posted on June 17, 2011 by darryl

Deobfuscating Javascript can be tricky, so why not make the job easier by using a tool? There are several tools that can help you deobfuscate Javascript. Before I get to those tools, I wanted to show you how to deobfuscate them manually. I’ve been getting a lot of requests from folks who want to learn how to deobfuscate malscripts, so this article is for you.

Let’s have a look at the malicious scripts. These scripts were found in the wild and randomly selected based on their difficulty. I’ve uploaded these scripts to Pastebin.com so you can play along (warning, these are real malicious scripts so take the necessary precautions!).

Sample 1

This script is simple and should be easy for the tools to handle. There are interweaving comments that do nothing but throw you off visually. The script concatenates a long string of hex characters which are converted to text and reversed. Each text character is then searched for in a string and a corresponding new character is referenced.

Here’s the string that the characters are searched for, and the second line is the converted value:

SP%cpH2W5C83fEX:1rjF9AQdMlKi/sk4GuvtxJOBm_U.NqzY7aw&nhgZoVT=0IbRDye?6-L
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%

For example, if the first value is “L”, it will be converted to “%”. These new characters are joined together to form another string of hex characters which are finally unescaped to form the final script.

Here’s what you can do to see the final script:

And this is what you get:

Since this article is about tools, here’s a program that I wrote. It’s called Revelo (which is Latin for “reveal”) but it’s not quite ready for public release. This tool automates some of the manual changes I make to the scripts to deobfuscate the code. It’s not a debugger and more like a set of tools.

Revelo has a built-in packet sniffer and proxy so I can capture the resulting HTTP request and see the URLs without actually visiting the site. It also has a built-in firewall to protect my PC from accidental redirects.

Besides that, it can also reveal the actual deobfuscated code. I select the “Enclose Javascript in TextArea” option and get the resulting code:

There are 2 more examples.

Full article: http://www.kahusecurity.com/2011/javascript-deobfuscation-tools-part-1/
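The decoding steps the article describes for Sample 1 (concatenate the hex chunks, convert to text, reverse, substitute each character through the two alphabets, then unescape), written out as an added Python example that is not part of the original article or of Revelo. The two alphabets are the lines quoted above; the hex chunks are a constructed sample that decodes to a harmless `alert(1)`, not the real malscript, and the `%uXXXX` handling in `js_unescape` is an assumption about how such scripts use JavaScript's `unescape()`.

```python
import re

# Substitution alphabets quoted in the article: a character found at
# position i in SEARCH is replaced by the character at position i in REPLACE.
SEARCH = "SP%cpH2W5C83fEX:1rjF9AQdMlKi/sk4GuvtxJOBm_U.NqzY7aw&nhgZoVT=0IbRDye?6-L"
REPLACE = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%"
assert len(SEARCH) == len(REPLACE) == 71  # both alphabets must line up 1:1
SUBST = str.maketrans(SEARCH, REPLACE)

# Constructed sample (not the real malscript): hex chunks that, after the
# same steps the article describes, yield the harmless script alert(1).
SAMPLE_CHUNKS = ["43254c5063", "4c35254c70", "574c25574c", "48324c6632", "4c50324c"]


def js_unescape(s: str) -> str:
    """Minimal JavaScript unescape(): expands %XX and %uXXXX sequences."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def deobfuscate(chunks):
    """Run every stage and return all intermediates so each can be inspected."""
    hex_str = "".join(chunks)                        # 1. concatenate the pieces
    text = bytes.fromhex(hex_str).decode("latin-1")  # 2. hex -> text
    reversed_text = text[::-1]                       # 3. reverse it
    # 4. per-character substitution SEARCH -> REPLACE; characters that are not
    #    in SEARCH pass through unchanged (str.translate semantics)
    escaped = reversed_text.translate(SUBST)
    script = js_unescape(escaped)                    # 5. unescape the %XX string
    return {"hex": hex_str, "text": text, "reversed": reversed_text,
            "escaped": escaped, "script": script}


if __name__ == "__main__":
    for stage, value in deobfuscate(SAMPLE_CHUNKS).items():
        print(f"{stage:>8}: {value}")
```

Dumping every intermediate is the point: when a real sample does not decode cleanly, the stage at which the output stops looking like text (or like `%XX` pairs) tells you which step of the scheme you have misread.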