Javascript Deobfuscation Tools Redux

Back in 2011, I took a look at several tools used to deobfuscate Javascript. This time around I will use several popular automated and semi-automated/manual tools to see how they would fare against today’s obfuscated scripts with the least amount of intervention.

Here are the tools I’ll be testing:
Automated
JSUnpack
Javascript Deobfuscator (Firefox Add-On)
SpiderMonkey

Semi-Automated/Manual
JSDetox
Javascript Debugger (all are similar; using Script Debugger for this test): Microsoft Script Debugger, Chrome Developer Tools, Firefox Developer Tools, Firebug (Firefox Add-On)
Revelo

Here are the obfuscated scripts:
Sample 1
Dean Edwards Packer

2014-09-23_01

Sample 2
HiveLogic Enkoder

2014-09-23_02

Sample 3
For this sample, I used the same original HTML code as the above and obfuscated it using three online obfuscators in the following order: obfuscatorjavascript.com, www.gaijin.at/en/olsjse.php, www.atasoyweb.net/Javascript_Encrypter/javascript_encrypter_eng.php

2014-09-23_03

Sample 4
Speed-Trap JS

2014-09-23_04

Sample 5
Gong Da EK

2014-09-23_05

Sample 6
RIG EK

2014-09-23_06

Sample 7
Angler EK

2014-09-23_07

Sample 8
Nuclear EK

2014-09-23_08

Prelude
My plan is simple. Use the tools to try to deobfuscate the above scripts without spending more than a few minutes on each one. If I can't figure it out by making obvious tweaks along the way, then I move on. To be honest, I'm no expert with all of these tools, so I'm not taking full advantage of their capabilities, but this should give you some idea of what you can expect.

I would encourage you to play along (the scripts are here). Be sure you do this in a virtual machine because many of the scripts are real and very malicious.

JSUnpack
JSUnpack is fully automated and can deal with a lot of scripts, but not the complex ones. It runs the script in a SpiderMonkey engine behind a DOM emulation layer, so the scripts it stumbles on are typically the ones that depend on browser objects or behaviour it does not emulate.

2014-09-23_09

2014-09-23_10

2014-09-23_11

2014-09-23_12

2014-09-23_13

2014-09-23_14

2014-09-23_15

Javascript Deobfuscator
This Firefox add-on is quite robust and also completely automated. Interestingly, it is able to deobfuscate the hard ones but trips up on an easy one. Because it runs inside Firefox, this tool won't be able to handle scripts that target Internet Explorer: code that gates on IE-only objects such as ActiveXObject or document.all never reaches its decoding routine. You might be able to get around that by commenting out the browser-sniffing routines, though.

2014-09-23_16

2014-09-23_17

2014-09-23_18

2014-09-23_19

2014-09-23_20

2014-09-23_21

2014-09-23_22

2014-09-23_23

SpiderMonkey
The SpiderMonkey tool would be similar to using the Rhino or V8 engines, but Didier Stevens added some modifications that beef up SpiderMonkey's capabilities for this job: every eval() argument and every document.write() call is logged to numbered files (eval.001.log, write.001.log, and so on), so each decoding layer is captured as it runs. DOM-based scripts tend to pose a problem for these engines because there is no document, window or navigator object, but you can make several tweaks to the script and define those objects yourself to get around this.

2014-09-23_24

2014-09-23_25

2014-09-23_26

2014-09-23_27

2014-09-23_28

2014-09-23_29

2014-09-23_30

2014-09-23_31

JSDetox
This tool has a lot of capability and potential. The main reason it can’t deob the malicious scripts is probably because I suck at using it.

2014-09-23_32

2014-09-23_33

2014-09-23_34

2014-09-23_35

2014-09-23_36

2014-09-23_37

2014-09-23_38

2014-09-23_39

Javascript Debugger
Pretty much all of the Javascript debuggers work the same way, so I just lumped them together as a single class of tools. Using a debugger can be slow because you have to follow along with the script and know where to place breakpoints, but it is often the most effective way of deobfuscating scripts. The usual place to break is the final eval(), document.write() or similar call that receives the decoded payload; inspect its argument there and you have the next layer.

2014-09-23_40

2014-09-23_41

2014-09-23_42

2014-09-23_43

2014-09-23_44

2014-09-23_45

2014-09-23_46

2014-09-23_47

Revelo
I would have hoped my own tool would do pretty well against these scripts and it did. The main challenge with using Revelo is that you need to understand the script you are working on and be able to recognize entry and exit points to inspect. This tool is definitely not for everyone but it has the capability to do just as well as a debugger.

2014-09-23_48

2014-09-23_49

2014-09-23_50

2014-09-23_51

2014-09-23_52

2014-09-23_53

2014-09-23_54

2014-09-23_55

Conclusion and Scorecard
As I mentioned earlier, I’m probably not making the most of every tool as they are quite capable and powerful in their own right. The end result is probably more of a reflection of my abilities rather than the tool so take this with a barrel of salt.

2014-09-23_56

This entry was posted in Malscript, Tools.