Step through Obfuscated JavaScript

[Iain]

I came across some obfuscated JavaScript and I'd like to understand what it does. Basically, there are two functions and the "nitty gritty" is:

document.write(FunctionOne(FunctionTwo(<Random Array of Letters and Numbers>))

It seems that FunctionOne and FunctionTwo take the <Random Array of Letters and Numbers> and decode it, or map it in a predefined manner, before passing it to document.write.

QUESTION: I'm familar with VBA in MS Word, Excel etc. and I have a little experience of C++. What's the best way of stepping through the JavaScript (in a controlled manner) to see what happens as the two functions are executed? I know that this is possible (and also set Break Points) in VBA in the MS applications so that's what I'd like to do with the JavaScript.

I know there are utilities which will de-obfuscate JavaScript but that's not the issue - I want to know what these complicated functions do to the enormous string of letters and numbers.

[Sparda]

You could just look at the code, it usually obvious what JavaScript does or is trying to do as the case usually is. Are these functions on a particular web site?

[Iain]

You could just look at the code, it usually obvious what JavaScript does or is trying to do as the case usually is. Are these functions on a particular web site?

The site is down now. Here's the second function. I've tidied it up in Notepad - sorry there are no indents!

EDIT: I've searched for some of the strings in the code and came up with http://www.castlecops.com/p1099532-Sick_hospital.html which has obfuscated JavaScript. It, too, has a whole load of "garbage" and I'm interested to know how it was decoded.

function Second(data)

{

data=data.replace(/[^a-z0-9\+\/=]/ig,'');

if(typeof(atob)=='function')return atob(data);

var b64_map='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';

var byte1,byte2,byte3;

var ch1,ch2,ch3,ch4;

var result=new Array();

var j=0;

while((data.length%4)!=0)

{

data+='=';

}

for(var i=0;i<data.length;i+=4)

{

ch1=b64_map.indexOf(data.charAt(i));

ch2=b64_map.indexOf(data.charAt(i+1));

ch3=b64_map.indexOf(data.charAt(i+2));

ch4=b64_map.indexOf(data.charAt(i+3));

byte1=(ch1<<2)|(ch2>>4);

byte2=((ch2&15)<<4)|(ch3>>2);

byte3=((ch3&3)<<6)|ch4;

result[j++]=String.fromCharCode(byte1);

if(ch3!=64)result[j++]=String.fromCharCode(byte2);

if(ch4!=64)result[j++]=String.fromCharCode(byte3);

}

return result.join('');

};

I realise that it's taking the enormous length of "gobbledegook" as <data> and it goes through a replacement process. That's what I don't understand (atob etc.) so I'd like to be able to step through the code (and also the first function) to see exactly how it's working.

[digip]

I always here people talk about spidermonkey to test javascript, bu I never used it, so not sure how it works. ISC uses it a lot to deobfuscate JS in Iframes from various "bad" sites out there, so maybe google it and see what you come up with.

http://isc.sans.org/diary.html?storyid=4724

[Iain]

I always here people talk about spidermonkey to test javascript, bu I never used it, so not sure how it works. ISC uses it a lot to deobfuscate JS in Iframes from various "bad" sites out there, so maybe google it and see what you come up with.

http://isc.sans.org/diary.html?storyid=4724

Yes thanks, I'd seen that diary.

I'm afraid I'm getting nowhere fast. I've tried using the script debugger that's with Office 2003 but I can't step through the code. If only I could find a way to step through it as I have done with Office VBA macros :-(

[digip]

Can you post the original code, both parts?

[Iain]

Can you post the original code, both parts?

Check this - http://www.castlecops.com/p1099532-Sick_hospital.html

I realise that this is some form of encryption (possibly AES). I've tried changing document.write( ... ) to alert ( ... ) but nada. As far as I'm aware, there's no easy way of printing the output of the code to a text file for future analysis/research.

Any more tips to decode the encoded "garbage"?

[digip]

Check this - http://www.castlecops.com/p1099532-Sick_hospital.html

I realise that this is some form of encryption (possibly AES). I've tried changing document.write( ... ) to alert ( ... ) but nada. As far as I'm aware, there's no easy way of printing the output of the code to a text file for future analysis/research.

Any more tips to decode the encoded "garbage"?

Sorry, link doesn't seem to work for me.

[Iain]

Sorry, link doesn't seem to work for me.

It's been flaky for me over the weekend but I managed to get the other function:

function First(key,pt){

s=new Array();

for(var i=0;i<256;i++)

{
s[i]=i;
}

var j=0;
var x;

for(i=0;i<256;i++)

{
j=(j+s[i]+key.charCodeAt(i%key.length))%256;x=s[i];
s[i]=s[j];
s[j]=x;
}

i=0;
j=0;
var ct = '';
for(var y=0;y<pt.length;y++)

{
i=(i+1)%256;
j=(j+s[i])%256;
x=s[i];
s[i]=s[j];
s[j]=x;
ct+=String.fromCharCode(pt.charCodeAt(y)^s[(s[i]+s[j])%256]);
}

return ct;
};

I think it's some form of encrypting/decrypting code. As I said in my forst post, the "nitty gritty" is:

document.write(FunctionOne(FunctionTwo(<Random Array of Letters and Numbers>)).

I've been researching the other function and it seems that atob() isn't available in IE (only Netscape, but I might be wrong). As far as I can tell, atob() relates to decoding Base64 ... but what about the remainder of that function and the other one that I've posted?

I hope there are some JavaScript experts who can halp me to solve this.

EDIT: I just found something very similar here ---> http://www.pastebin.sk/en/6588/

[digip]

Not sure, but looks like some kind of keylogger, in JS. Never seen one before in JS, so I can't be sure. Maybe one fo the resident guru's might want to take a stab at this?

[digip]

The one from the pastbin, if you look at the bottom, it joins two parts. If you parse out the two parts, join them and add == to the end, you can decrypt it as base64, only, it looks like gibberish, becuase it's probably encrypted after undoing the base64.