Iain Posted July 25, 2008

I came across some obfuscated JavaScript and I'd like to understand what it does. Basically, there are two functions and the "nitty gritty" is:

    document.write(FunctionOne(FunctionTwo(<Random Array of Letters and Numbers>)))

It seems that FunctionOne and FunctionTwo take the <Random Array of Letters and Numbers> and decode it, or map it in a predefined manner, before passing it to document.write.

QUESTION: I'm familiar with VBA in MS Word, Excel etc. and I have a little experience of C++. What's the best way of stepping through the JavaScript (in a controlled manner) to see what happens as the two functions are executed? I know that this is possible (and also setting break points) in VBA in the MS applications, so that's what I'd like to do with the JavaScript.

I know there are utilities which will de-obfuscate JavaScript but that's not the issue - I want to know what these complicated functions do to the enormous string of letters and numbers.
Sparda Posted July 25, 2008

You could just look at the code; it's usually obvious what JavaScript does, or is trying to do, as the case usually is. Are these functions on a particular web site?
Iain Posted July 25, 2008 (Author)

> You could just look at the code; it's usually obvious what JavaScript does, or is trying to do, as the case usually is. Are these functions on a particular web site?

The site is down now. Here's the second function. I've tidied it up in Notepad - sorry there are no indents!

EDIT: I've searched for some of the strings in the code and came up with http://www.castlecops.com/p1099532-Sick_hospital.html which has obfuscated JavaScript. It, too, has a whole load of "garbage" and I'm interested to know how it was decoded.

    function Second(data) {
        // Drop every character that is not a base64 symbol, so the blob can be
        // padded with arbitrary junk and still decode.
        data = data.replace(/[^a-z0-9\+\/=]/ig, '');
        // Browsers that expose atob() can do the whole job natively.
        if (typeof(atob) == 'function') return atob(data);
        // Otherwise decode base64 by hand: four 6-bit symbols -> three bytes.
        var b64_map = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
        var byte1, byte2, byte3;
        var ch1, ch2, ch3, ch4;
        var result = new Array();
        var j = 0;
        // Pad to a multiple of four symbols; '=' is index 64 in b64_map.
        while ((data.length % 4) != 0) {
            data += '=';
        }
        for (var i = 0; i < data.length; i += 4) {
            ch1 = b64_map.indexOf(data.charAt(i));
            ch2 = b64_map.indexOf(data.charAt(i + 1));
            ch3 = b64_map.indexOf(data.charAt(i + 2));
            ch4 = b64_map.indexOf(data.charAt(i + 3));
            byte1 = (ch1 << 2) | (ch2 >> 4);
            byte2 = ((ch2 & 15) << 4) | (ch3 >> 2);
            byte3 = ((ch3 & 3) << 6) | ch4;
            result[j++] = String.fromCharCode(byte1);
            // Trailing '=' means the last group carries fewer than three bytes.
            if (ch3 != 64) result[j++] = String.fromCharCode(byte2);
            if (ch4 != 64) result[j++] = String.fromCharCode(byte3);
        }
        return result.join('');
    }

I realise that it's taking the enormous length of "gobbledegook" as <data> and it goes through a replacement process. That's what I don't understand (atob etc.) so I'd like to be able to step through the code (and also the first function) to see exactly how it's working.
digip Posted July 25, 2008

I always hear people talk about SpiderMonkey to test JavaScript, but I never used it, so not sure how it works. ISC uses it a lot to deobfuscate JS in iframes from various "bad" sites out there, so maybe google it and see what you come up with. http://isc.sans.org/diary.html?storyid=4724
Iain Posted July 25, 2008 (Author)

> I always hear people talk about SpiderMonkey to test JavaScript, but I never used it, so not sure how it works. ISC uses it a lot to deobfuscate JS in iframes from various "bad" sites out there, so maybe google it and see what you come up with. http://isc.sans.org/diary.html?storyid=4724

Yes thanks, I'd seen that diary. I'm afraid I'm getting nowhere fast. I've tried using the script debugger that comes with Office 2003 but I can't step through the code. If only I could find a way to step through it as I have done with Office VBA macros :-(
digip Posted July 25, 2008

Can you post the original code, both parts?
Iain Posted July 26, 2008 (Author)

> Can you post the original code, both parts?

Check this - http://www.castlecops.com/p1099532-Sick_hospital.html

I realise that this is some form of encryption (possibly AES). I've tried changing document.write( ... ) to alert( ... ) but nada. As far as I'm aware, there's no easy way of printing the output of the code to a text file for future analysis/research. Any more tips to decode the encoded "garbage"?
digip Posted July 26, 2008

> Check this - http://www.castlecops.com/p1099532-Sick_hospital.html
>
> I realise that this is some form of encryption (possibly AES). I've tried changing document.write( ... ) to alert( ... ) but nada. As far as I'm aware, there's no easy way of printing the output of the code to a text file for future analysis/research. Any more tips to decode the encoded "garbage"?

Sorry, link doesn't seem to work for me.
Iain Posted July 28, 2008 (Author)

> Sorry, link doesn't seem to work for me.

It's been flaky for me over the weekend but I managed to get the other function:

    function First(key, pt) {
        // Key scheduling: start from the identity permutation of 0..255 ...
        var s = new Array();
        for (var i = 0; i < 256; i++) {
            s[i] = i;
        }
        var j = 0;
        var x;
        // ... then shuffle it under the key (this is the RC4 KSA).
        for (i = 0; i < 256; i++) {
            j = (j + s[i] + key.charCodeAt(i % key.length)) % 256;
            x = s[i];
            s[i] = s[j];
            s[j] = x;
        }
        // Keystream generation (RC4 PRGA): each output byte is XORed with the
        // next input character, so the same call both encrypts and decrypts.
        i = 0;
        j = 0;
        var ct = '';
        for (var y = 0; y < pt.length; y++) {
            i = (i + 1) % 256;
            j = (j + s[i]) % 256;
            x = s[i];
            s[i] = s[j];
            s[j] = x;
            ct += String.fromCharCode(pt.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);
        }
        return ct;
    }

I think it's some form of encrypting/decrypting code. As I said in my first post, the "nitty gritty" is:

    document.write(FunctionOne(FunctionTwo(<Random Array of Letters and Numbers>)))

I've been researching the other function and it seems that atob() isn't available in IE (only Netscape, but I might be wrong). As far as I can tell, atob() relates to decoding Base64 ... but what about the remainder of that function and the other one that I've posted? I hope there are some JavaScript experts who can help me to solve this.

EDIT: I just found something very similar here ---> http://www.pastebin.sk/en/6588/
digip Posted July 28, 2008

Not sure, but looks like some kind of keylogger, in JS. Never seen one before in JS, so I can't be sure. Maybe one of the resident gurus might want to take a stab at this?
digip Posted July 28, 2008

The one from the pastebin, if you look at the bottom, joins two parts. If you parse out the two parts, join them and add == to the end, you can decode it as base64; only, it looks like gibberish, because it's probably encrypted after undoing the base64.
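The pipeline the thread has pieced together (strip junk and base64-decode the blob, RC4-decrypt the result with whatever key the sample hands to First, then document.write the plaintext) is easiest to inspect outside a browser, where document.write can be replaced with something that records instead of renders. The block below is an added example, not code from the thread or from the sample under discussion: it reimplements the two steps in Node.js, stubs out document so the decoded payload lands in an array (and can be written to a file), and builds a constructed blob from a made-up key ('hak5') and a harmless iframe so there is something to decode. The key, the HTML and the example.invalid URL are assumptions; where the real sample gets its key is not shown in the thread. It also demonstrates digip's point from the pastebin: base64-decoding alone still yields gibberish, because the RC4 layer sits underneath.

```javascript
// Added example (not from the thread): run a document.write(First(Second(blob)))
// dropper outside the browser so the decoded payload is captured, not rendered.
// Node.js. SAMPLE_KEY, SAMPLE_HTML and the URL inside it are constructed for
// this example; the real sample's key is not shown in the thread.

// RC4: the same key-scheduling (KSA) and keystream (PRGA) loops as the thread's
// First(). XOR is its own inverse, so one routine both encrypts and decrypts.
function rc4(key, data) {
  const s = [];
  for (let k = 0; k < 256; k++) s[k] = k;
  let j = 0;
  for (let k = 0; k < 256; k++) {
    j = (j + s[k] + key.charCodeAt(k % key.length)) % 256;
    [s[k], s[j]] = [s[j], s[k]];
  }
  let i = 0;
  j = 0;
  let out = '';
  for (let y = 0; y < data.length; y++) {
    i = (i + 1) % 256;
    j = (j + s[i]) % 256;
    [s[i], s[j]] = [s[j], s[i]];
    out += String.fromCharCode(data.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);
  }
  return out;
}

// Base64 -> "binary string" (one character per byte), the same result the
// thread's Second() and atob() produce. Junk characters are stripped first,
// exactly as Second() does, so a blob padded with noise still decodes.
function b64ToBinaryString(blob) {
  const clean = blob.replace(/[^A-Za-z0-9+\/=]/g, '');
  return Buffer.from(clean, 'base64').toString('latin1');
}

function binaryStringToB64(bin) {
  return Buffer.from(bin, 'latin1').toString('base64');
}

// Stand-in for the DOM: document.write() records what the dropper tried to
// inject into the page instead of executing it.
function makeSandbox() {
  const written = [];
  return { document: { write: (s) => written.push(String(s)) }, written };
}

// What the dropper does, document.write(First(Second(blob))), but against the
// sandbox document, so the plaintext ends up in sandbox.written.
function runDropper(sandbox, key, blob) {
  const payload = rc4(key, b64ToBinaryString(blob));
  sandbox.document.write(payload);
  return payload;
}

// Inverse of runDropper; used here only to build a sample blob to decode.
function buildBlob(key, html) {
  return binaryStringToB64(rc4(key, html));
}

// Constructed sample (assumption: not a real key or a real malware payload).
const SAMPLE_KEY = 'hak5';
const SAMPLE_HTML =
  '<iframe src="http://example.invalid/x.php" width="0" height="0"></iframe>';
const SAMPLE_BLOB = buildBlob(SAMPLE_KEY, SAMPLE_HTML);

// Decode the sample and print only the captured payload, so that
// `node sandbox.js > decoded.html` leaves the plaintext in a file.
const sandbox = makeSandbox();
runDropper(sandbox, SAMPLE_KEY, SAMPLE_BLOB);
console.log(sandbox.written.join('\n'));
```

Because the captured text is never handed to a real document, the iframe, script tag or whatever else the blob holds is read rather than executed. Saving the file and running `node inspect sandbox.js` gives the step-through-with-breakpoints workflow asked for at the top of the thread; the same stub-the-DOM idea carries over to the SpiderMonkey shell, although Buffer is Node-only and a manual base64 decoder like Second() would be needed there.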