Script Deobfuscator Updated

Continuing from my last blog post, I updated the program to handle the latest Javascript obfuscation technique. I made the logic generic so that it can handle future versions and variants, which means the results may come out a bit odd (e.g. stray tick marks). But the main thing is that you’ll be able to see what these scripts are doing.

I broke out the concatenation option by script type, so the results should be somewhat better than before.

I hope this works for most of the scripts you encounter. And thank you for your continued support!

Posted in Malscript, Tools

Deobfuscating a Hideous-Looking JS Downloader

One of my readers, Stefano from (thanks!), sent me this little gem:


In the midst of seemingly random strings, there are clues to its structure but there’s very little to go on. I started off by grabbing a portion of the script and having it show me what the variable contains.


The string of gibberish is lined up in an array but only the last value is collected. Here, you can see the individual characters that make up the call to the URL.


I found another script that employs the same method. In this version, the values outside of the elements between parentheses are collected. The first section spells out “ActiveXObject”.


Here’s yet another script that uses the same method and then takes it up another level. The first section also spells out “ActiveXObject”, but this time it makes use of an interesting behavior where only the first character of the string attached to the “.e()” property is collected. Note: you need to unescape the script first to convert the decimal values to single characters.


Writing a program to extract the correct value is a little tricky but doable. I’ll need to test this further before releasing the program but it seems to work.

Example #1


Example #2


Example #3…for this one, I had to unescape the script first.


Each of these three example scripts downloads an executable, saves it to the temp folder, then executes it.

Posted in Malicious Email, Malscript

Script Deobfuscator Released

The purpose of this tool is to help you perform static analysis on obfuscated scripts. It’s often easier to dynamically analyze scripts but there are times when you just don’t know where to start or you just want a high-level view of what’s going on with the script. This tool may be able to help you.

I already wrote a tool called PHP Script Decoder but this new version has been re-written in .NET with new functionality and flexibility in order to handle PHP, Javascript, VBA, and VBS scripts.

To explain how to use this tool, let me show you how to tackle seven different obfuscated scripts.

Example #1 (unphp)

Here’s what the script looks like. Looking at the script, you’ll see an array of base64-encoded strings at the top. Following that are references to specific elements from the array.


Paste in the script sections like so. The script you are trying to deobfuscate is at the top. The array of base64-encoded strings separated by commas in the middle section. I enter the search string value of “_705650624(#)” since that’s how the script at the top references the elements from the array (note: the pound sign is a wildcard and must be present). I select the “Array” method and click on the “Convert” button.


The results still show encoded strings so now I check the “Base64 Decode”, “Concatenate”, and “Keep Quotes” options and try again.


The script has been deobfuscated and is much easier to read. It won’t execute, though, because the strings are quoted (or unquoted) incorrectly.

Example #2 (ddecode)

Here’s the script we’ll be working on:


First we need to unescape it so click on the “Unescape” button. If you right-click on the Output box, there’s an option to save the results to a text file. (You can right-click on the Input box and read in a file too.)


Click on “Copy Output to Input” to move the result to the top. This script uses randomized variable names and assigns a value to each. The later portion references those values.

The tool will parse the script and load each variable and associated value into an array. It then does a search for the variable and replaces it with the value.

Choose the “Random Vars 1” method. The delimiter for this script is a semicolon, and for the search string I enter ${"GLOBALS"}["#"]="*"; The pound sign is the placeholder for the variable name and the asterisk is the placeholder for the value.

Here’s the result:


Example #3 (unphp)

This script also uses random variable names but in this version, the strings are base64-encoded. The top portion defines the global variables while the lower section, beginning at “session_start()”, references them.


Paste the script sections in the tool as follows then choose the “Random Vars 2” method and the “Base64 Decode” and “Keep Quotes” options. Note the search string has spaces in between so that it matches the script at the top.


Example #4 (unphp)

Here’s what the script looks like (I highlighted the key):


This script references an element in an array to build the values for its variables. The elements are based on the character position in the key.

The first step is to paste the entire script in the input box and choose the key lookup option. I use $f9[#] as the search string. In the Lookup Key box, paste the key and remove the starting and ending quotes. Also make sure the key you paste in has been properly escaped. You can see there’s concatenation going on so check the “Concatenate” option.
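The following is an added example (not the Script Deobfuscator’s own code) that resolves the key-lookup obfuscation from Example #4 statically, in the same way the tool does with the `$f9[#]` search string, the pasted key and the “Concatenate” option. The key and the snippet are constructed; a real script’s key is much longer and must already be unescaped.

```javascript
// Added example (not the Script Deobfuscator's own code): resolve the "key lookup"
// obfuscation from Example #4 statically. Every $f9[N] reference becomes the N-th
// character of the key, and quoted fragments joined with PHP's '.' operator are
// concatenated (the tool's "Concatenate" option), so identifiers become readable
// without executing the script. Quotes are kept, as with the tool's "Keep Quotes".
function resolveKeyLookup(src, varName, key) {
  const name = varName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');   // match "$f9" literally
  const ref = new RegExp(name + '\\[(\\d+)\\]', 'g');
  // Step 1: $f9[12] -> '<12th character of key>'; out-of-range indices are left as-is
  let out = src.replace(ref, (m, idx) => {
    const i = Number(idx);
    return i < key.length ? `'${key[i].replace(/['\\]/g, '\\$&')}'` : m;
  });
  // Step 2: 'a'.'b'.'c' -> 'abc'
  const piece = "'((?:[^'\\\\]|\\\\.)*)'";
  const run = new RegExp(`${piece}(?:\\s*\\.\\s*${piece})+`, 'g');
  out = out.replace(run, (m) =>
    "'" + [...m.matchAll(new RegExp(piece, 'g'))].map((x) => x[1]).join('') + "'");
  return out;
}

// Constructed key and snippet (a real script's key is much longer and escaped).
const KEY = 'evalbs64_dco';
const SNIPPET = '$f9[0].$f9[1].$f9[2].$f9[3]($f9[4].$f9[2].$f9[5].$f9[0].$f9[6].$f9[7].'
  + '$f9[8].$f9[9].$f9[0].$f9[10].$f9[11].$f9[9].$f9[0]($x));';
console.log(resolveKeyLookup(SNIPPET, '$f9', KEY)); // 'eval'('base64_decode'($x));
```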


Example #5 (ddecode)

In this example, we’re just interested in decoding the base64 strings.


Copy the entire script to the Input box, then choose the “Base64” method as well as the “Base64 Decode”, “Concatenate”, and “Keep Quotes” options. Make sure the delimiter and search string match those of the script.


Example #6 (pastebin)

This script uses the Joomla exploit and contains decimal values, making it tough to see immediately what it does.


Paste the script into the Input box and choose the “ASCII” method.


Almost, but it’s not concatenated. If you choose the “Concatenate” option, it won’t clean up everything. In the “Output Options” section, there’s a “Remove Chars” box. Enter a period and try again.


Example #7 (pastebin)

This last example is a VBA script. It does a simple math calculation, then the result is converted to its ASCII character equivalent.


Paste the script in and choose the “Math” method.


The result shows decimal values but not the text equivalent. 🙁 So enter “chr(” into the “Pre Str” box and a closing parenthesis in the “Post Str” box.


Look familiar? Now we can use the “ASCII” method to get the characters. I also entered an ampersand and space character in the “Remove Chars” box.


The resulting deobfuscated script will probably error out if you try executing it. Again, all this tool will do is try to make the script readable so you can better understand it. You may need to use this tool on parts of the script then put them back together yourself to figure things out.

I tried to make the functions in this tool flexible and generic enough to handle whatever scripts come your way. However, if you encounter something new, please let me know. You can get the tool here.

Happy reversing!

Posted in Malscript, Tools

Packing/Unpacking Javascript from DOS

Here’s one way to pack and unpack Javascript from the Windows command line. For this we use PhantomJS and Dean Edwards’ Javascript Compressor.

1. Download PhantomJS from here.

2. Download the JSPacker.js file from here.

3. Put everything in a folder or on your desktop then in DOS type the following:

C:\> phantomjs jspacker.js pack in.txt out.txt


C:\> phantomjs jspacker.js unpack in.txt out.txt


Posted in Tools

Javascript Deobfuscator Updated

This program was originally written as a proof of concept, but it turned out to work pretty well, so I’ve added several new features to make it more robust and helpful. It still can’t handle sophisticated scripts; for those, use Revelo.

To show you what’s been added, I’ll go through a few live examples taken from Dynamoo’s pastebin (Conrad has a great site documenting malicious emails — check it out!).

Example #1 (pastebin)

In this latest version, you can click on the “Clues” button and the program will highlight text that will give clues on how to deobfuscate the script. If the script is long, it may take awhile.

You can see that “eval” is highlighted. If I try deobfuscating just on “eval”, it won’t work because of the way the script is written. I now need to find out what’s calling the function “szkmYVRfAFZYusP”.


I click on the “Reset” button to clear the highlights. I type in “szkmYVRfAFZYusP” then click on the “Highlight” button to find all instances of this string. Scroll down to the bottom and you can see what’s calling it.


I double-click on the string “szkmYVRfAFZYusP” and click on “Convert”. The script is now deobfuscated.


Example #2 (pastebin)

This script is somewhat painful to deal with. You need to find out where the eval is called. Let me try searching for “eval”. No luck. Let me try “this”. I find it near the top.


Now let me search for the variable name “mek”. I find that about two-thirds of the way down.


Finally I search for “wozv”. Going back up, I find it calling the variable “mhnW”.


My guess is that “wozv” will evaluate the concatenated script held in “mhnW” (which it does). Highlighting the verb “wozv” alone won’t work, so let me highlight the function name and variable together. To use this method, the variable name must be enclosed in a single set of parentheses.


Since the input textbox is actually a richtext box, selecting the text can be tricky. Hold down ALT while you use your mouse to select the text. Or click on the first letter, hold down the SHIFT key and use the arrow keys to select the text.

Example #3 (pastebin)

For this script, I just searched for “eval”, which is found about one-fifth of the way down.


Deobfuscating on “eval” won’t work for this script. But let me try it on the variable name which it’s evaluating. Done.


You can get the updated tool here. And remember to use this in a VM; there are absolutely no safeguards built in!

Posted in Tools