Packing/Unpacking Javascript from DOS

Here’s one way to pack and unpack Javascript from the Windows command line. For this we use PhantomJS and Dean Edwards’ Javascript Compressor.

1. Download PhantomJS from here.

2. Download the JSPacker.js file from here.

3. Put everything in a folder or on your desktop then in DOS type the following:

C:\> phantomjs jspacker.js pack in.txt out.txt

-or-

C:\> phantomjs jspacker.js unpack in.txt out.txt

[Screenshot: 2016-02-06_01]

Posted in Tools

Javascript Deobfuscator Updated

This program was originally written as a proof of concept, but it turned out to work pretty well, so I’ve added several new features to make it more robust and helpful. It still can’t handle sophisticated scripts; for those, use Revelo.

To show you what’s been added, I’ll go through a few live examples taken from Dynamoo’s pastebin (Conrad has a great site documenting malicious emails — check it out!).

Example #1 (pastebin)
In this latest version, you can click on the “Clues” button and the program will highlight text that gives clues on how to deobfuscate the script. If the script is long, it may take a while.

You can see that “eval” is highlighted. If I try deobfuscating just on “eval”, it won’t work because of the way the script is written. I now need to find out what’s calling the function “szkmYVRfAFZYusP”.

[Screenshot: 2016-01-09_01]

I click on the “Reset” button to clear the highlights. I type in “szkmYVRfAFZYusP” then click on the “Highlight” button to find all instances of this string. Scroll down to the bottom and you can see what’s calling it.

[Screenshot: 2016-01-09_02]

I double-click on the string “szkmYVRfAFZYusP” and click on “Convert”. The script is now deobfuscated.

[Screenshot: 2016-01-09_03]

Example #2 (pastebin)
This script is somewhat painful to deal with. You need to find out where the eval is called. Let me try searching for “eval”. No luck. Let me try “this”. I find it near the top.

[Screenshot: 2016-01-09_04]

Now let me search for the variable name “mek”. I find it about two-thirds of the way down.

[Screenshot: 2016-01-09_05]

Finally I search for “wozv”. Going back up, I find it calling the variable “mhnW”.

[Screenshot: 2016-01-09_06]

My guess is that “wozv” will evaluate the concatenated script held in “mhnW” (which it does). Highlighting just the function name “wozv” won’t work, so let me highlight the function name and the variable together. To use this method, the variable name must be enclosed in a single pair of parentheses.

[Screenshot: 2016-01-09_07]

Since the input textbox is actually a rich-text box, selecting the text can be tricky. Hold down ALT while you use your mouse to select the text, or click on the first letter, hold down the SHIFT key and use the arrow keys to select the text.

Example #3 (pastebin)
For this script, I just searched for “eval”, which is found about one-fifth of the way down.

[Screenshot: 2016-01-09_08]

Deobfuscating on “eval” won’t work for this script, but let me try it on the variable name that it’s evaluating. Done.

[Screenshot: 2016-01-09_09]

You can get the updated tool here. And remember to run this in a VM; there are absolutely no safeguards built in!

Posted in Tools

Text Decoder Toolkit

Here’s a challenge for you, what does this decode to?

T{4 G=C 9<=E B63 3<3;G /<2 9<=E G=C@A3:4^ G=C <332 <=B 43/@ B63 @3AC:B =4 / 6C<2@32 0/BB:3A` {4 G=C 9<=E G=C@A3:4 0CB <=B B63 3<3;G^ 4=@ 3D3@G D71B=@G 5/7<32 G=C E7:: /:A= AC443@ / 2343/B` {4 G=C 9<=E <37B63@ B63 3<3;G <=@ G=C@A3:4^ G=C E7:: AC11C;0 7< 3D3@G 0/BB:3`T _ !C< "HC^ "63 s@B =4 %/@

I was asked by a couple of folks to help them decode this (this isn't the exact string, but it's similar). It was from a CTF and they couldn't figure it out. The challenge had already ended, so they just wanted to learn how to tackle this kind of thing in the future. Unlike a CTF, in the real world there is usually an accompanying script or program that does the decoding; you hardly ever encounter an encoded string and then get asked to figure it out cold.

CTF pros could probably do this in under 10 minutes, but that's how long it took me with Calculator and Notepad. I should have used a spreadsheet. After I was done, I thought I would write a program for myself to see if I could decode strings like this much faster.

So how do you even start decoding this? I came up with three methods but I'm sure there are other, better ways.

Method #1 - Character Frequency
Click on the "Statistics" tab, then click on the "Get Stats" button. This will count the number of times each character appears in the script. You see that "3" and "=" are the most common characters (besides the space).

[Screenshot: 2015-11-17_01]

Using this as a guide, we know that the most common English letters are E T A O I N S H R. Let's see what the difference is between "3" and "e". Enter those values in the "Difference" section and click on the "Calculate Difference" button. I get "50".

[Screenshot: 2015-11-17_02]

Now click on the "Decoder" tab, enter the value "50", choose "Character Shift" then click on "Decode". Looks like we partially decoded it.

[Screenshot: 2015-11-17_03]

Method #2 - Enumeration
The second method dumps a text file that enumerates through all of the possible values. Choose the "Enumerate to File" action and the "Character Shift" operator.

[Screenshot: 2015-11-17_04]

Examine the resulting file and look for clues. I searched for "the" and found multiple hits, but the one at line #50 looks promising. Line #50 means that a character shift value of 50 was used.

[Screenshot: 2015-11-17_05]

At this point you can go to the Decoder tab and do a character shift with a value of 50 like we did above.

Method #3 - Distance Calculator
The number of characters between two letters will be the same as long as the XOR or character shift value remains constant.

For example, the character distances between the letters of h-e-l-l-o are -3, 7, 0, and 3 (i.e. the difference between h and e is -3, between e and l is 7, and so on). If we shift "hello" by a value of 10, the resulting string is "rovvy", and the distances between r-o-v-v-y are still -3, 7, 0, and 3.

On the "Statistics" tab, you can search for "the" or any other word that has three or more characters and the toolkit will try to find the same character distance in the input string.

[Screenshot: 2015-11-17_06]

Custom Substitution Table
The three different methods revealed the character shift value of 50 as our starting point but we still have some undecoded text to contend with.

[Screenshot: 2015-11-17_07]

In the output box, it looks like the third character is "f", so the preceding character might be "I" as in "If". There are two other instances, so it looks probable, but let's test this theory.

Going back to the "Statistics" tab, I highlight a character that should be an "I" then click on "Get Highlighted Char". The program will extract the corresponding characters from both the input and output boxes.

In this example, I think that the left curly brace should be a capital "I" so I make that change then click on the "Calculate Difference" button. I get "-50".

[Screenshot: 2015-11-17_08]

So it looks like we have two different character shift values. How would I decode using two values? I need to remap characters and I also need to display the ASCII table so I can visually determine what to map. The "Custom Substitution Table" is what I came up with.

If you enter a value on the header row, the values will be copied down the column. If you need to enter a value for a specific character, just enter it into the appropriate box. In this example, the space character in the input string was being shifted to "R". I want to leave this alone so I enter "0" in the "032 - SPC" box.

[Screenshot: 2015-11-17_09]

You can download the program here. If this program is used outside of CTFs, I would really like to know.

Posted in Tools

Deobfuscating Magento Guruincsite Javascript

I saw this blog post by the super talented guys over at Sucuri and thought that it was just another URL redirection script hiding behind escaped characters but it turned out to be better than that.

Here’s what the script looks like in its original form:

[Screenshot: 2015-10-21_01]

When you unescape it, it looks like this. Notice that there are two sections: the self-executing function at the top and another at the bottom. The function at the top deobfuscates the blob of characters in the middle and makes an array out of it. The bottom function takes values from the resulting array to redirect the user to the drive-by site.

[Screenshot: 2015-10-21_02]

In the screenshot above I put an arrow where the main deobfuscation takes place. It reads in the blob of characters two at a time, does a base30 decode, then subtracts a value taken from an array. That array holds the four digits of the script’s own length, 1,867 characters, and the algorithm subtracts the ASCII codes of those four digits.

What this means is that if you change anything in the script, the script will break and won’t properly decode the blob.

Let’s deobfuscate this script dynamically and statically.

There are several ways to deob this dynamically, but here’s what I think is the most straightforward and easiest. In this screenshot I add an “alert(LCWEHH);” so I can see the result of the deobfuscation.

[Screenshot: 2015-10-21_03]

When I run it, I get garbage because I modified the length of the script.

[Screenshot: 2015-10-21_04]

Let me try this again. Since the deobfuscation routine is based on the length of the script I need to subtract what I’m adding in. So “alert(LCWEHH);” is 14 characters.

[Screenshot: 2015-10-21_05]

I need to find a place in the script, after it’s done with the deobfuscation, where I can subtract 14 characters to keep the length the same. Here’s something I can replace (highlighted in red). I can remove the “(LCWEHH[2-4+1+3])” without causing an error.

[Screenshot: 2015-10-21_06]

This string is 17 characters, so I need to add 3 characters back to the script. I just pad my alert call with three spaces. Here’s the final script:

[Screenshot: 2015-10-21_07]

When I run it, I get the deobfuscated results:

[Screenshot: 2015-10-21_08]

Now I can build the redirection function using the values from this array so it looks like this:

[Screenshot: 2015-10-21_09]

Now let’s do the same thing statically. For this I’ll use Converter.

Fire it up and paste in the blob of characters from the middle of the script.

[Screenshot: 2015-10-21_10]

Click on Tools > Convert Base.

[Screenshot: 2015-10-21_11]

Make the following selections, then click on Convert. I click on “Send Data to Main Form” to send the result to the main screen.

[Screenshot: 2015-10-21_12]

I need to change this to comma-delimited, so I just click on Search/Replace Text and replace spaces with commas.

[Screenshot: 2015-10-21_13]

Next, I click on the “Copy Output to Input” button, then on Tools > Key Search/Convert.

[Screenshot: 2015-10-21_14]

Finally, I make these selections and click on Convert.

[Screenshot: 2015-10-21_15]

What I did was use Converter’s built-in expression engine, which takes the decimal val(ue), subtracts the previous res(ult), then subtracts the ASCII value of the first digit of the script’s length, which is 49 (remember, the total length of the script is 1,867). I add a comma, then repeat the expression using the ASCII value of the second digit of the script’s length, 56, and so on. Since I selected the Consecutive action, it loops through these four expressions across the entire decimal input.

So basically, Converter is doing this calculation for me:

164 – 49 – 0 = 115 = s
270 – 56 – 115 = 99 = c
267 – 54 – 99 = 114 = r
274 – 55 – 114 = 105 = i
:

Now I can replace the original Javascript with the values from the above results to see how it does the redirection.

By the way, if you need help with the expression engine, click on Extras > Expressions Help.

[Screenshot: 2015-10-21_16]

Happy deobfuscating!

Posted in Malscript, Tools

Javascript Deobfuscator Updated

Just a quick update: I added a Javascript beautification feature. Just click on the “Beautify” button and the results will appear at the bottom.

[Screenshot: 2015-10-20_01]

I did get some people emailing me to say that they got an error message. I compiled this against .NET Framework 4.5, so make sure you have it installed. I tested this version on 32-bit and 64-bit and it works for me.

The new version is available on the Tools page.

Posted in Tools