Text Decoder Toolkit

Here’s a challenge for you: what does this decode to?

T{4 G=C 9<=E B63 3<3;G /<2 9<=E G=C@A3:4^ G=C <332 <=B 43/@ B63 @3AC:B =4 / 6C<2@32 0/BB:3A` {4 G=C 9<=E G=C@A3:4 0CB <=B B63 3<3;G^ 4=@ 3D3@G D71B=@G 5/7<32 G=C E7:: /:A= AC443@ / 2343/B` {4 G=C 9<=E <37B63@ B63 3<3;G <=@ G=C@A3:4^ G=C E7:: AC11C;0 7< 3D3@G 0/BB:3`T _ !C< "HC^ "63 s@B =4 %/@

I was asked by a couple of folks to help them decode this (this isn't the exact string but it's similar). This was from a CTF and they couldn't figure it out. The challenge had already ended, so they just wanted to learn how to tackle this kind of thing in the future. Unlike the real world, there is often an accompanying script or program that decodes this; you hardly ever encounter an encoded string and then get asked to figure it out cold.

CTF pros could probably do this faster than 10 minutes but that's how long it took me with Calculator and Notepad. I should have used a spreadsheet. After I was done, I thought I would write a program for myself to see if I can decode strings like this much faster.

So how do you even start decoding this? I came up with three methods but I'm sure there are other, better ways.

Method #1 - Character Frequency
Click on the "Statistics" tab then click on the "Get Stats" button. This will count the number of times each character appears in the input string. You can see that 3 and = are the most common characters (besides the space).


Using this as a guide, and knowing that the most common English letters are E T A O I N S H R, let's see what the difference is between 3 and e. Enter those values in the "Difference" section and click on the "Calculate Difference" button. I get "50".


Now click on the "Decoder" tab, enter the value "50", choose "Character Shift" then click on "Decode". Looks like we partially decoded it.


Method #2 - Enumeration
The second method dumps a text file that enumerates all of the possible shift values. Choose the "Enumerate to File" action and the "Character Shift" operator.


Examine the resulting file and look for clues. I searched for "the" and found multiple hits, but the one at line #50 looks promising. Line #50 means that a character shift value of 50 was used.


At this point you can go to the Decoder tab and do a character shift with a value of 50 like we did above.

Method #3 - Distance Calculator
The number of characters between two letters will be the same as long as the XOR or character shift value remains constant.

For example,
The character distance between the letters h-e-l-l-o is -3, 7, 0, and 3 (i.e. the difference between h and e is -3, between e and l is 7, and so on). If we shifted "hello" with a value of 10, the resulting string is "rovvy" and the distance between r-o-v-v-y is still -3, 7, 0, and 3.

On the "Statistics" tab, you can search for "the" or any other word that has three or more characters and the toolkit will try to find the same character distance in the input string.


Custom Substitution Table
The three different methods revealed the character shift value of 50 as our starting point but we still have some undecoded text to contend with.


In the output box, it looks like the third character is "f", so the preceding character might be "I" as in "If". There are two other instances, so it looks probable, but let's test this theory.

Going back to the "Statistics" tab, I highlight a character that should be an "I" then click on "Get Highlighted Char". The program will extract the corresponding characters from both the input and output boxes.

In this example, I think that the left curly brace should be a capital "I" so I make that change then click on the "Calculate Difference" button. I get "-50".


So it looks like we have two different character shift values. How would I decode using two values? I need to remap characters and I also need to display the ASCII table so I can visually determine what to map. The "Custom Substitution Table" is what I came up with.

If you enter a value on the header row, the values will be copied down the column. If you need to enter a value for a specific character, just enter it into the appropriate box. In this example, the space character in the input string was being shifted to "R". I want to leave this alone so I enter "0" in the "032 - SPC" box.
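As an added example (not the toolkit's own code), the script below runs the three methods above against the challenge string quoted at the top of the post, then applies the custom substitution table idea. The fold rule in `foldTable` (characters that would leave printable ASCII after +50 were shifted by -50 instead, spaces untouched) is an assumption that fits this particular challenge, not something the post states; the distance invariant used in method 3 holds for an additive shift, while a constant XOR does not preserve arithmetic differences in general.

```javascript
// Challenge string quoted in the post (the backtick and double quote are cipher characters).
const CHALLENGE =
  'T{4 G=C 9<=E B63 3<3;G /<2 9<=E G=C@A3:4^ G=C <332 <=B 43/@ B63 @3AC:B =4 / 6C<2@32 0/BB:3A` ' +
  '{4 G=C 9<=E G=C@A3:4 0CB <=B B63 3<3;G^ 4=@ 3D3@G D71B=@G 5/7<32 G=C E7:: /:A= AC443@ / 2343/B` ' +
  '{4 G=C 9<=E <37B63@ B63 3<3;G <=@ G=C@A3:4^ G=C E7:: AC11C;0 7< 3D3@G 0/BB:3`T _ !C< "HC^ "63 s@B =4 %/@';
// Shift one character by k; spaces stay put, anything outside printable ASCII becomes '?'.
function shiftChar(c, k) {
  const v = c.charCodeAt(0) + k;
  return c === ' ' ? c : v >= 32 && v <= 126 ? String.fromCharCode(v) : '?';
}
// Method 1: the most frequent non-space cipher character most likely stands for 'e'.
function frequencyShift(cipher, assume = 'e') {
  const counts = new Map();
  for (const c of cipher) if (c !== ' ') counts.set(c, (counts.get(c) || 0) + 1);
  const [top] = [...counts].sort((a, b) => b[1] - a[1])[0];
  return assume.charCodeAt(0) - top.charCodeAt(0);
}
// Method 2: try every shift and keep the ones whose output contains the crib.
function enumerateShifts(cipher, crib = 'the') {
  const hits = [];
  for (let k = -94; k <= 94; k++) if ([...cipher].map((c) => shiftChar(c, k)).join('').includes(crib)) hits.push(k);
  return hits;
}
// Method 3: differences between neighbouring codes survive an additive shift
// ('hello' -> [-3, 7, 0, 3], and so does 'rovvy'), so search for the crib's pattern.
function distancePattern(word) {
  return [...word].slice(1).map((c, i) => c.charCodeAt(0) - word.charCodeAt(i));
}
function findCrib(cipher, crib = 'the') {
  const pat = String(distancePattern(crib)), hits = [];
  for (let i = 0; i + crib.length <= cipher.length; i++) {
    const w = cipher.slice(i, i + crib.length);
    if (!w.includes(' ') && String(distancePattern(w)) === pat) hits.push({ at: i, shift: crib.charCodeAt(0) - w.charCodeAt(0) });
  }
  return hits;
}
// Custom substitution table: a per-character shift, with defaultShift for everything else.
function decodeWithTable(cipher, defaultShift, table) {
  return [...cipher]
    .map((c) => String.fromCharCode(c.charCodeAt(0) + (table.has(c) ? table.get(c) : defaultShift)))
    .join('');
}
// Assumed rule fitting this challenge (not stated in the post): characters that would leave
// printable ASCII after +k were shifted by -k instead, and spaces were left alone.
function foldTable(cipher, k) {
  const table = new Map([[' ', 0]]);
  for (const c of new Set(cipher)) if (c !== ' ' && c.charCodeAt(0) + k > 126) table.set(c, -k);
  return table;
}
function solve(cipher) {
  const k = frequencyShift(cipher);
  return decodeWithTable(cipher, k, foldTable(cipher, k));
}
```

With an empty table and a flat shift of 50, `decodeWithTable` reproduces the post's partial decode, including the space turning into "R".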


You can download the program here. If this program is used outside of CTFs, I would really like to know.

Posted in Tools

Deobfuscating Magento Guruincsite Javascript

I saw this blog post by the super talented guys over at Sucuri and thought that it was just another URL redirection script hiding behind escaped characters but it turned out to be better than that.

Here’s what the script looks like in its original form:


When you unescape it, it looks like this. Notice that there are two sections: a self-executing function at the top and another at the bottom. The function at the top deobfuscates the blob of characters in the middle and makes an array out of it. The bottom function takes values from the resulting array to redirect the user to the drive-by site.


In the screenshot above I put an arrow where the main deobfuscation takes place. It reads in the blob of characters two at a time, does a base30 decode, then subtracts a value from an array. The array is made up of four characters, which are the digits of the script's own length, 1,867 characters. The algorithm subtracts the ASCII codes of those four digits.

What this means is that if you change anything in the script, the script will break and won’t properly decode the blob.

Let’s deobfuscate this script dynamically and statically.

There are several ways to deob this dynamically, but here’s what I think is the most straightforward and easiest. In this screenshot I add an “alert(LCWEHH);” so I can see the result of the deobfuscation.


When I run it, I get garbage because I modified the length of the script.


Let me try this again. Since the deobfuscation routine is based on the length of the script I need to subtract what I’m adding in. So “alert(LCWEHH);” is 14 characters.


I need to find a place in the script, after it’s done with the deobfuscation, where I can subtract 14 characters to keep the length the same. Here’s something I can replace (highlighted in red). I can remove the “(LCWEHH[2-4+1+3])” without causing an error.


This string is 17 characters, so I need to add 3 characters back to the script. I just pad my alert call with three spaces. Here’s the final script:


When I run it, I get the deobfuscated results:


Now I can build the redirection function using the values from this array so it looks like this:


Now let’s do the same thing statically. For this I’ll use Converter.

Fire it up and paste in the blob of characters from the middle of the script.


Click on Tools > Convert Base


Make the following selections then click on Convert. I click on “Send Data to Main Form” to send the result to the main screen.


I need to change this to comma delimited so I just click on Search/Replace Text and replace spaces with commas.


Next, I click on the “Copy Output to Input” button then on Tools > Key Search/Convert.


Finally I make these selections and click on Convert.


What I did was use Converter’s built-in expression engine, which takes the decimal val(ue), subtracts the previous res(ult), then subtracts the ASCII value of the first digit of the script’s length, which is 49 (remember the total length of the script is 1,867). I add a comma then repeat the expression using the second digit of the script’s length, which is 56, and so on. Since I selected the Consecutive action, it will loop through these four expressions across the entire decimal value input.

So basically, Converter is doing this calculation for me:

164 – 49 – 0 = 115 = s
270 – 56 – 115 = 99 = c
267 – 54 – 99 = 114 = r
274 – 55 – 114 = 105 = i
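The decoder described above and worked in the four subtractions, rebuilt as an added JavaScript example (the sample's own code appears only in the post's screenshots and is not reproduced here): each pair of blob characters is read as a base-30 number, and the ASCII code of one digit of the script's length (1,867, so 49, 56, 54, 55, cycling) plus the previous result are subtracted. The encoder is included only so a test blob can be constructed, and decoding with a different assumed length shows why any edit to the script breaks the output.

```javascript
const BASE = 30;

// Key: the decimal digits of the script's own length as ASCII codes ('1867' -> 49, 56, 54, 55).
function keyFromLength(len) {
  return [...String(len)].map((d) => d.charCodeAt(0));
}

// Decode: take the blob two characters at a time as a base-30 number, then subtract the key
// digit for this position (cycling through the four) and the previously decoded character code.
function decodeBlob(blob, scriptLength) {
  const key = keyFromLength(scriptLength);
  let prev = 0;
  let out = '';
  for (let i = 0; i + 1 < blob.length; i += 2) {
    const val = parseInt(blob.slice(i, i + 2), BASE);
    const ch = val - key[(i / 2) % key.length] - prev;
    out += String.fromCharCode(ch);
    prev = ch;
  }
  return out;
}

// Inverse of decodeBlob, used only to construct sample blobs for testing.
function encodeBlob(plain, scriptLength) {
  const key = keyFromLength(scriptLength);
  let prev = 0;
  let blob = '';
  for (let i = 0; i < plain.length; i++) {
    const ch = plain.charCodeAt(i);
    blob += (ch + prev + key[i % key.length]).toString(BASE).padStart(2, '0');
    prev = ch;
  }
  return blob;
}

// The four values worked in the post (164, 270, 267, 274) written as base-30 pairs.
const POST_PAIRS = '5e908r94';
```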

Now I can replace the original Javascript with the values from the above results to see how it does the redirection.

By the way, if you need help with the expression engine, click on Extras > Expressions Help.


Happy deobfuscating!

Posted in Malscript, Tools

Javascript Deobfuscator Updated

Just a quick update: I added a Javascript beautification feature. Just click on the “Beautify” button and the results will appear at the bottom.


I did get some people emailing me saying that they got an error message. I compiled this to .NET Framework 4.5 so make sure you have this installed. I tested this version on 32-bit and 64-bit and it works for me.

The new version is available on the Tools page.

Posted in Tools

New Javascript Deobfuscator Tool

This particular spam page redirect was brought to my attention by a colleague because it was getting past the web filters using Javascript obfuscation. In one version, the landing page uses a meta refresh tag. I guess it was getting caught too easily so they upped their game and are now using several layers of Javascript obfuscation.

It starts off with spammy emails with links that look like this:

hxxp://panacheve .com/interest.php?w2n4
hxxp://compareukshops.azurewebsites .net/justice.php?p8hw2

These sites send you to a redirector:

hxxp://it8vn4 .net/?a=353900&c=wl_con&s=doptilazer
hxxp://com-afp .net/?a=362298&c=wl_con

These in turn redirect you to a spam page that uses a variety of subdomains.

Here’s what the spam pages look like:


If you strip away the URL parameters and visit the site, you should see something like this.


The Javascript base64-decodes a string that’s been reversed. You can see that there’s an eval at the end which executes the result. Before I introduce a new tool, let me show you how to quickly deobfuscate this with Revelo via two methods. With the first method, paste in the script, choose “Redirect Eval to Action”, then click on “Execute”.


Click on the “Results” tab to get the results.


Copy that script and paste it on the main tab. Revelo needs to see the <script></script> tags so make sure they’re there. We can see that the script is packed with eval at the beginning but since this script is packed multiple times, you will notice it has “eval” near the end of the script too. We need to tell Revelo to catch the “eval” at the beginning so click on Options > Replace Starting at Top. Leave the deobfuscation method as-is then click on “Execute” again.


Click on the “Results” tab to get the results. You need to do this a couple more times before you end up with this. You will see the script now using “document.write” so choose “Redirect Do.Write to Action”.


Finally, we get to the deobfuscated script.


If you just want to get to the final redirect URL without going through the above steps then you can select either “Capture HTTP Request via Proxy” or “Capture HTTP Request via IE”. This is the second method.


With either option, Revelo will execute the script and block the HTTP request to the website then show you where it was going to go. This keeps your computer safe but you should always run Revelo in a VM just in case these scripts use exploits or call another app to make the HTTP request.



Introducing Javascript Deobfuscator
I’ve been spending the past several months porting my tools over to .NET. I apparently have written dozens of programs over the years so there’s still a whole bunch more to do. I started to think about Revelo and wondered if I should start from scratch and redesign it to make it easier to use. As a proof of concept, I came up with this tool.

It’s very basic and can probably only handle simple Javascript obfuscation but it might be a good standalone tool for quick and easy deobfuscation.


Let me run it through the above script to show you how this program works. Paste the Javascript code into the input field without any HTML tags. You must also remove the <script></script> tags. Simply identify the verb you want to have the tool deobfuscate. Here, I just select the word “eval”.


I click on “Convert” and the deobfuscated result appears. This is the second layer of obfuscation just as we saw above with Revelo.


I click on the “Copy Output to Input” button so I can work on the resulting script. Once again, I select the word “eval” at the beginning and click on “Convert” again. I do this three more times until I get this. Now I highlight the verb “document.write”. When highlighting the verb make sure you don’t include any stray characters like a parenthesis, comma, etc., or you will probably end up with no results.


And I get the final deobfuscated results!


I tried to make it as easy as “Select-Click-Deobfuscate”. In some ways this might be better to use than Revelo since you can specify exactly which verb to target. You can use this to deobfuscate function calls, variables, and other verbs but I haven’t fully tested it yet. I can tell you that this program can’t do DOM so it will be limited compared to Revelo.

A word of caution if you use this tool! There are no safeguards built into this program so if you mess up on a script that has an exploit or shellcode in it, your computer could get hosed. Do this in a virtual machine, preferably without anti-virus running or it will incorrectly flag this tool as being malicious just like Revelo.

You can get Javascript Deobfuscator from the Tools page.

Posted in Malscript, Tools

Cyber Exercise Tools

For the past two years, I’ve been involved with several cyber exercises and competitions, from planning and training to participating in them. I’ve written a dozen or so defensive and offensive tools for these cyber ranges. While there are better tools out there that do the same thing, I wanted to customize my own for the 64-bit environment and battle-test them to work out any bugs. Rules for some of these exercises and competitions state that any tool can be used as long as it’s publicly available, so that’s why I’m posting some of the tools here.

Welcome Mat
This is a program for the blue team. It will try to listen on unused ports from 1 through 1024 where possible. The idea is to make it hard for the red team to figure out which services your server is running.

Here’s what the tool looks like. You can only listen on up to 1024 ports at a time.


When the red team does an nmap scan, here’s what it looks like:


Experienced red teamers should be able to figure out which ports are truly open.

Cover Fire
During these exercises, it’s hard to be slow and quiet since the blue team knows you’re coming. You can do some misdirection here or launch a decoy there but it’s hard to hide. This is a program for the red team. This will perform a series of random GETs and POSTs to specific webpages with a variety of user-agents. This should fill up the web server logs and make it challenging for the opposing side to figure out where your webshells are.

The program takes in a text file of hosts/IPs. The other text file it needs is the URLs to request. Sample files are included. You will need to spider your target website first and generate a list of URLs yourself.


Here’s what the server logs look like when the tool is running. Can you find the webshell?


Blue team members who know their stuff should be able to find the webshell even when the logs contain a lot of noise.
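From the defender's side, an added example (not one of the author's tools) of what finding the webshell through the noise can look like in code: a handful of constructed access-log lines in the style Cover Fire produces, with a hypothetical webshell path mixed in, and a per-path summary that flags what random GETs and POSTs against the spidered URL list cannot imitate. The log lines, IP addresses, URL list and the /images/cache.php path are all constructed for this example.

```javascript
// Constructed access-log lines: Cover Fire-style noise (GETs and POSTs to real pages with
// rotating user-agents) with two requests to a hypothetical webshell path mixed in.
const LOG_LINES = [
  '203.0.113.5 - - [10/Oct/2015:13:55:36 -0700] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"',
  '203.0.113.5 - - [10/Oct/2015:13:55:37 -0700] "POST /contact.php HTTP/1.1" 200 88 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
  '203.0.113.9 - - [10/Oct/2015:13:55:38 -0700] "GET /contact.php HTTP/1.1" 200 640 "-" "Opera/9.80 (Windows NT 6.1)"',
  '203.0.113.9 - - [10/Oct/2015:13:55:39 -0700] "POST /products.php HTTP/1.1" 200 1320 "-" "Mozilla/5.0 (Macintosh)"',
  '198.51.100.7 - - [10/Oct/2015:13:55:40 -0700] "GET /products.php HTTP/1.1" 200 1320 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"',
  '198.51.100.22 - - [10/Oct/2015:13:55:41 -0700] "POST /images/cache.php HTTP/1.1" 200 1040 "-" "python-requests/2.7.0"',
  '198.51.100.7 - - [10/Oct/2015:13:55:42 -0700] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"',
  '198.51.100.22 - - [10/Oct/2015:13:55:43 -0700] "POST /images/cache.php HTTP/1.1" 200 77 "-" "python-requests/2.7.0"',
];
// Constructed URL list from spidering the site; the noise tool can only request what is in it.
const SITEMAP = new Set(['/index.php', '/about.html', '/products.php', '/contact.php']);
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;
// Parse one combined-format line into its fields, or null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  return m ? { ip: m[1], method: m[2], path: m[3].split('?')[0], status: Number(m[4]), ua: m[5] } : null;
}
// Per-path summary: method counts plus the distinct clients and user-agents seen.
function summarise(lines) {
  const byPath = new Map();
  for (const r of lines.map(parseLine).filter(Boolean)) {
    const s = byPath.get(r.path) || { gets: 0, posts: 0, clients: new Set(), uas: new Set() };
    if (r.method === 'GET') s.gets++;
    if (r.method === 'POST') s.posts++;
    s.clients.add(r.ip);
    s.uas.add(r.ua);
    byPath.set(r.path, s);
  }
  return byPath;
}
// The noise reuses the spidered URLs and rotates user-agents, so a path outside the site's
// own URL list, one that only ever receives POSTs, or one tied to a single client and
// user-agent stands out however much noise surrounds it; two signals together get flagged.
function suspiciousPaths(lines, sitemap) {
  const out = [];
  for (const [path, s] of summarise(lines)) {
    const reasons = [];
    if (!sitemap.has(path)) reasons.push('not in spidered URL list');
    if (s.posts > 0 && s.gets === 0) reasons.push('POST-only');
    if (s.posts > 0 && s.clients.size === 1 && s.uas.size === 1) reasons.push('single client and user-agent');
    if (reasons.length >= 2) out.push({ path, reasons });
  }
  return out;
}
```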

Fake Defender Alert
This program attempts to fool the blue team member into granting it admin privileges. It uses the same privilege escalation trick implemented by Beta Bot. I added a screen-dimming feature to make it more convincing.


I started off writing a portknocker program that sniffs network traffic, looks for a keyword, then opens a reverse or bind shell port, but I found a better way to achieve the same goal. This program watches various ingress points on the server and executes commands it receives. This is done without using any listening port, so monitoring netstat is useless.

Backdoor Shell Menu
I wrote a reverse shell and during the exercises, I found myself doing the same commands over and over again. In order to be faster, I built capabilities directly into the shell program itself. Here’s a screenshot of what the menu looks like. Instead of typing a series of commands manually, I just type the menu number plus some required parameters and I’m done.


Netstat Interceptor
This program intercepts calls to netstat and can modify or remove anything related to the IP address, port, or PID of my choice. I can do the same thing to tasklist and taskkill.


Capture-The-Flag Jr.
Since I’ve been involved with cyber exercises lately, I thought I would help teach students about cyber security so I started working on a capture the flag for kids. It’s going to be pretty basic but the idea is to introduce them to various security concepts and get them familiar with security tools like a packet sniffer, hex editor, and Linux commands. It’s going to be self-contained and portable so an instructor can run it in class and pass it to the kids to work on it at home.


For the time being, you can get the first two programs from the Tools page.

Posted in Tools