
Step through Obfuscated JavaScript


Iain


I came across some obfuscated JavaScript and I'd like to understand what it does. Basically, there are two functions and the "nitty gritty" is:

document.write(FunctionOne(FunctionTwo(<Random Array of Letters and Numbers>)))

It seems that FunctionOne and FunctionTwo take the <Random Array of Letters and Numbers> and decode it, or map it in a predefined manner, before passing it to document.write.

QUESTION: I'm familiar with VBA in MS Word, Excel etc. and I have a little experience of C++. What's the best way of stepping through the JavaScript (in a controlled manner) to see what happens as the two functions are executed? I know that this is possible (and also set Break Points) in VBA in the MS applications so that's what I'd like to do with the JavaScript.

I know there are utilities which will de-obfuscate JavaScript but that's not the issue - I want to know what these complicated functions do to the enormous string of letters and numbers.


You could just look at the code, it's usually obvious what JavaScript does or is trying to do as the case usually is. Are these functions on a particular web site?

The site is down now. Here's the second function. I've tidied it up in Notepad - sorry there are no indents!

EDIT: I've searched for some of the strings in the code and came up with http://www.castlecops.com/p1099532-Sick_hospital.html which has obfuscated JavaScript. It, too, has a whole load of "garbage" and I'm interested to know how it was decoded.

function Second(data)
{
    // Drop anything that is not a base64 character (letters, digits, +, /, =).
    data = data.replace(/[^a-z0-9\+\/=]/ig, '');

    // Browsers that provide atob() can decode base64 natively.
    if (typeof(atob) == 'function') return atob(data);

    // Manual base64 decoder for browsers without atob() (e.g. older IE).
    var b64_map = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
    var byte1, byte2, byte3;
    var ch1, ch2, ch3, ch4;
    var result = new Array();
    var j = 0;

    // Pad with '=' until the length is a multiple of 4.
    while ((data.length % 4) != 0)
    {
        data += '=';
    }

    // Each group of 4 base64 characters (6 bits each) yields 3 bytes.
    for (var i = 0; i < data.length; i += 4)
    {
        ch1 = b64_map.indexOf(data.charAt(i));
        ch2 = b64_map.indexOf(data.charAt(i + 1));
        ch3 = b64_map.indexOf(data.charAt(i + 2));
        ch4 = b64_map.indexOf(data.charAt(i + 3));

        byte1 = (ch1 << 2) | (ch2 >> 4);
        byte2 = ((ch2 & 15) << 4) | (ch3 >> 2);
        byte3 = ((ch3 & 3) << 6) | ch4;

        result[j++] = String.fromCharCode(byte1);
        // Index 64 in b64_map is the '=' padding: skip the bytes it would produce.
        if (ch3 != 64) result[j++] = String.fromCharCode(byte2);
        if (ch4 != 64) result[j++] = String.fromCharCode(byte3);
    }

    return result.join('');
};

I realise that it's taking the enormous length of "gobbledegook" as <data> and it goes through a replacement process. That's what I don't understand (atob etc.) so I'd like to be able to step through the code (and also the first function) to see exactly how it's working.


I always hear people talk about spidermonkey to test javascript, but I never used it, so not sure how it works. ISC uses it a lot to deobfuscate JS in Iframes from various "bad" sites out there, so maybe google it and see what you come up with.

http://isc.sans.org/diary.html?storyid=4724


Yes thanks, I'd seen that diary.

I'm afraid I'm getting nowhere fast. I've tried using the script debugger that's with Office 2003 but I can't step through the code. If only I could find a way to step through it as I have done with Office VBA macros :-(


Can you post the original code, both parts?


Check this - http://www.castlecops.com/p1099532-Sick_hospital.html

I realise that this is some form of encryption (possibly AES). I've tried changing document.write( ... ) to alert ( ... ) but nada. As far as I'm aware, there's no easy way of printing the output of the code to a text file for future analysis/research.

Any more tips to decode the encoded "garbage"?


Sorry, link doesn't seem to work for me.


It's been flaky for me over the weekend but I managed to get the other function:

function First(key, pt)
{
    // RC4 key-scheduling: build the 256-entry permutation s[] from the key.
    var s = new Array();
    for (var i = 0; i < 256; i++)
    {
        s[i] = i;
    }

    var j = 0;
    var x;
    for (i = 0; i < 256; i++)
    {
        j = (j + s[i] + key.charCodeAt(i % key.length)) % 256;
        x = s[i];
        s[i] = s[j];
        s[j] = x;
    }

    // RC4 keystream generation: XOR each byte of pt with the next keystream byte.
    // The same routine both encrypts and decrypts.
    i = 0;
    j = 0;
    var ct = '';
    for (var y = 0; y < pt.length; y++)
    {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        x = s[i];
        s[i] = s[j];
        s[j] = x;
        ct += String.fromCharCode(pt.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);
    }

    return ct;
};

I think it's some form of encrypting/decrypting code. As I said in my first post, the "nitty gritty" is:

document.write(FunctionOne(FunctionTwo(<Random Array of Letters and Numbers>))).

I've been researching the other function and it seems that atob() isn't available in IE (only Netscape, but I might be wrong). As far as I can tell, atob() relates to decoding Base64 ... but what about the remainder of that function and the other one that I've posted?

I hope there are some JavaScript experts who can help me to solve this.

EDIT: I just found something very similar here ---> http://www.pastebin.sk/en/6588/


Not sure, but looks like some kind of keylogger, in JS. Never seen one before in JS, so I can't be sure. Maybe one of the resident gurus might want to take a stab at this?


The one from the pastebin, if you look at the bottom, it joins two parts. If you parse out the two parts, join them and add == to the end, you can decrypt it as base64, only, it looks like gibberish, because it's probably encrypted after undoing the base64.
