Nytro

Javascript Deobfuscation Tools Redux


Posted on September 23, 2014 by darryl

Back in 2011, I took a look at several tools used to deobfuscate Javascript. This time around I will use several popular automated and semi-automated/manual tools to see how they would fare against today’s obfuscated scripts with the least amount of intervention.

Here are the tools I’ll be testing:

Automated

JSUnpack

Javascript Deobfuscator (Firefox Add-On)

SpiderMonkey

Semi-Automated/Manual

JSDetox

Javascript Debugger (all are similar; using Script Debugger for this test): Microsoft Script Debugger, Chrome Developer Tools, Firefox Developer Tools, Firebug (Firefox Add-On)

Revelo

Here are the obfuscated scripts:

Sample 1

Dean Edwards Packer

2014-09-23_01.png

Sample 2

HiveLogic Enkoder

2014-09-23_02.png

Sample 3

For this sample, I used the same original HTML code as the above and obfuscated it using three online obfuscators in the following order: obfuscatorjavascript.com, www.gaijin.at/en/olsjse.php, www.atasoyweb.net/Javascript_Encrypter/javascript_encrypter_eng.php

2014-09-23_03.png

Sample 4

Speed-Trap JS

2014-09-23_04.png

Sample 5

Gong Da EK

2014-09-23_05.png

Sample 6

RIG EK

2014-09-23_06.png

Sample 7

Angler EK

2014-09-23_07.png

Sample 8

Nuclear EK

2014-09-23_08.png

Prelude

My plan is simple. Use the tools to try to deobfuscate the above scripts without spending more than a few minutes on each one. If I can’t figure it out by making obvious tweaks along the way then I move on. To be honest, I’m no expert with all of these tools so I’m not taking full advantage of their capabilities, but this should give you some idea of what you can expect.

I would encourage you to play along (the scripts are here). Be sure you do this in a virtual machine because many of the scripts are real and very malicious.

JSUnpack

JSUnpack is fully automated and can deal with a lot of scripts except the complex ones.

2014-09-23_09.png

2014-09-23_10.png

2014-09-23_11.png

2014-09-23_12.png

2014-09-23_13.png

2014-09-23_14.png

2014-09-23_15.png

Javascript Deobfuscator

This Firefox add-on is quite robust and also completely automated. Interestingly, it is able to deobfuscate the hard ones but trips up on an easy one. This tool won’t be able to handle scripts that target Internet Explorer for obvious reasons. You might be able to comment out some browser sniffing routines though.

2014-09-23_16.png

2014-09-23_17.png

2014-09-23_18.png

2014-09-23_19.png

2014-09-23_20.png

2014-09-23_21.png

2014-09-23_22.png

2014-09-23_23.png

SpiderMonkey

The SpiderMonkey tool would be similar to using the Rhino or V8 engines, but Didier Stevens adds some mods that have beefed up SpiderMonkey’s capabilities. DOM-based scripts tend to pose a problem for these engines, but you can make several tweaks to the script and define objects to get around this.

2014-09-23_24.png

2014-09-23_25.png

2014-09-23_26.png

2014-09-23_27.png

2014-09-23_28.png

2014-09-23_29.png

2014-09-23_30.png

2014-09-23_31.png

JSDetox

This tool has a lot of capability and potential. The main reason it can’t deob the malicious scripts is probably because I suck at using it.

2014-09-23_32.png

2014-09-23_33.png

2014-09-23_34.png

2014-09-23_35.png

2014-09-23_36.png

2014-09-23_37.png

2014-09-23_38.png

2014-09-23_39.png

Javascript Debugger

Pretty much all of the Javascript debuggers work the same way so I just lumped them together as a single class of tools. Using a debugger can be slow because you have to follow along with the script and know where to place breakpoints but it is often the most effective way of deobfuscating scripts.

2014-09-23_40.png

2014-09-23_41.png

2014-09-23_42.png

2014-09-23_43.png

2014-09-23_44.png

2014-09-23_45.png

2014-09-23_46.png

2014-09-23_47.png

Revelo

I would have hoped my own tool would do pretty well against these scripts and it did. The main challenge with using Revelo is that you need to understand the script you are working on and be able to recognize entry and exit points to inspect. This tool is definitely not for everyone but it has the capability to do just as well as a debugger.

2014-09-23_48.png

2014-09-23_49.png

2014-09-23_50.png

2014-09-23_51.png

2014-09-23_52.png

2014-09-23_53.png

2014-09-23_54.png

2014-09-23_55.png

Conclusion and Scorecard

As I mentioned earlier, I’m probably not making the most of every tool as they are quite capable and powerful in their own right. The end result is probably more of a reflection of my abilities rather than the tool so take this with a barrel of salt.

2014-09-23_56.png

Source: Javascript Deobfuscation Tools Redux | Kahu Security

Edited by Nytro