Excellent Manual Javascript Deobfuscation Walk through
Security Researcher Aditya K Sood posted an excellent walk through of manual Javascript Obfuscation on his log, Malware At Stake (http://secniche.blogspot.com/2012/04/javascript-obfuscation-manual-armor-1.html).
Saturday, April 7, 2012
JavaScript Obfuscation - Manual Armor (1)
Recently, we came across a similar set of obfuscated JavaScripts that are being used continuously in conjunction with automate Browser Exploits Packs (BEPs) such as BlackHole etc. There are several variations of this type of obfuscated JavaScript. Our team prefer to do obfuscation manually because sometimes automated tools are not good enough to perform the deobfuscation. In this post, we are going to discuss about the methodology that we prefer to follow at SecNiche labs. Let's take a look at the obfuscated JavaScript shown below
The methodology goes like this:
Step1: Beautify Your JavaScript:
The very first (basic) step is to beautify the obfuscated JavaScript. For analysis perspective, beautifying the
The methodology goes like this:
Step1: Beautify Your JavaScript:
The very first (basic) step is to beautify the obfuscated JavaScript. For analysis perspective, beautifying the
code such as appropriate indentation makes it very easy to decipher the initial structures in the JavaScript.
Always do this step before proceeding further.
Step 2: Divide and Rule
This strategy works perfectly fine while analyzing obfuscated JavaScripts. The motive behind this step is to a
Step 2: Divide and Rule
This strategy works perfectly fine while analyzing obfuscated JavaScripts. The motive behind this step is to a
analyze the code in small snippet for better grasp.
Applying step 1 and step 2 to the given JavaScript code, we get part 1 of the code as follows
and part 2 of the code as follows
In part 2, to interpret the given code as single string , one has to use characters ["" +]. Even for doing
Applying step 1 and step 2 to the given JavaScript code, we get part 1 of the code as follows
and part 2 of the code as follows
In part 2, to interpret the given code as single string , one has to use characters ["" +]. Even for doing
automated analysis, these parameters are required to be tuned so that appropriate interpretation of the string
can be done. Check the string passed to variable "n".
Step 3: Extract the Logic
On the modular code (divided code snippets), try to apply the logic step by step (top to bottom). When we
Step 3: Extract the Logic
On the modular code (divided code snippets), try to apply the logic step by step (top to bottom). When we
compute the value of "h" we get : h=-2*Math.log(Math.E); // h = -2 //
The next logic is to compute the value of "n" first. We have the n="[string]".split("a"), which means we have
The next logic is to compute the value of "n" first. We have the n="[string]".split("a"), which means we have
to split the string. By default, split function actually dissects the string n by a delimiter ",". We tweak the code
a bit as presented below:
At this point, we successfully unwraps some part of code by having the value of h and n. Now, we have to
On executing this code in JavaScript interpreter we get the output as follows,
dissect the loop present in the part 2 as follows
for(i=0;-n.length<-i br="" i=""> {
j=i;
ss=ss+s[f](-h*(1+1*n[j]));
}
if(1)q=ss;
if(s)e(q);
To compute the code finally, we need to unwrap the logic used in the loop. Step 4 involves the automation of
for(i=0;-n.length<-i br="" i=""> {
j=i;
ss=ss+s[f](-h*(1+1*n[j]));
}
if(1)q=ss;
if(s)e(q);
To compute the code finally, we need to unwrap the logic used in the loop. Step 4 involves the automation of
the code.
Step4: Automating the Process - Python
In step 4, we need to automate the process to get the next value of the string. On understanding the logic, we
Step4: Automating the Process - Python
In step 4, we need to automate the process to get the next value of the string. On understanding the logic, we
write a following python script to compute the loop
The code actually multiply the every single value by 2 and build up the new string. So, we are almost at the
The code actually multiply the every single value by 2 and build up the new string. So, we are almost at the
end. So we need to build up the final code as presented below
So here we have the final script as follows
So here we have the final script as follows
A good methodology always helps to attain the target.
