Excellent Manual Javascript Deobfuscation Walk through

Security Researcher Aditya K Sood posted an excellent walk through of manual Javascript Obfuscation on his log, Malware At Stake (http://secniche.blogspot.com/2012/04/javascript-obfuscation-manual-armor-1.html).

Saturday, April 7, 2012

JavaScript Obfuscation - Manual Armor (1)

Recently, we came across a similar set of obfuscated JavaScripts that are being used continuously in conjunction with automate Browser Exploits Packs (BEPs) such as BlackHole etc. There are several variations of this type of obfuscated JavaScript. Our team prefer to do obfuscation manually because sometimes automated tools are not good enough to perform the deobfuscation. In this post, we are going to discuss about the methodology that  we prefer to follow at SecNiche labs. Let's take a look at the obfuscated JavaScript shown below



















The methodology  goes like this:

Step1: Beautify Your JavaScript: 
The very first (basic) step is to beautify the obfuscated JavaScript. For analysis perspective, beautifying the
code such as appropriate indentation makes it very easy to decipher the initial structures in the JavaScript. 
Always do this step before proceeding further.

Step 2: Divide and Rule
This strategy works perfectly fine while analyzing obfuscated JavaScripts. The motive behind this step is to a
analyze the code in small snippet for better grasp.

Applying step 1 and step 2 to the given JavaScript code,  we get part 1 of the code as follows


and part 2 of the code as follows


In part 2, to interpret the given code as single string , one has to use characters ["" +]. Even for doing 
automated analysis, these parameters are required to be tuned so that appropriate interpretation of the string 
can be done. Check the string passed to variable "n".

Step 3: Extract the Logic 
On the modular code (divided code snippets), try to apply the logic step by step (top to bottom). When we
compute the value of "h" we get : h=-2*Math.log(Math.E);   //     h = -2      //

The next logic is to compute the value of "n" first. We have the n="[string]".split("a"), which means we have 
to split the string. By default, split function actually dissects the string n by a delimiter ",". We tweak the code
a bit as presented below:

On executing this code in JavaScript interpreter we get the output as follows,

At this point, we successfully unwraps some part of code by having the value of h and n. Now, we have to 
dissect the loop present in the part 2 as follows

for(i=0;-n.length<-i br="" i="">        {
            j=i;
            ss=ss+s[f](-h*(1+1*n[j]));
        }

   
    if(1)q=ss;
    if(s)e(q);

To compute the code finally, we need to unwrap the logic used in the loop. Step 4 involves the automation of 
the code.

Step4: Automating the Process - Python
In step 4, we need to automate the process to get the next value of the string. On understanding the logic, we
write a following python script to compute the loop


The code actually multiply the every single value by 2 and build up the new string. So, we are almost at the 
end. So we need to build up the final code as presented below


So here we have the final script as follows
A good methodology always  helps to attain the target.