Revelo Updated

I’ve been noticing obfuscated JavaScript using a function that returns the deobfuscated result more and more lately, so I added a new method to catch this.


Here’s an obfuscated script. It’s not that difficult but it does look intimidating!


First I loaded the script and made sure that the “<script></script>” tags are present. This is important to Revelo because it uses this exact string as a marker to add content before or after the opening or closing script tag.

Next, I clicked on the “Highlight Decryption Clues” button. This gives you hints to look for in the script: functions, variable accumulators, and now returns. Here it shows that the variable “IBq” is accumulating a result. (This is the only accumulator in the entire script.) The result then gets returned to the calling function.


Just choose the new method called “Intercept Return and Variable” and paste in the actual return statement “return(IBq)”. You need to paste the “return” keyword too because there are other combinations.


Click on the “Execute” button and go to the Results tab to get the deobfuscated text. (Note: the results contain escaped characters but it is essentially deobfuscated.)
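The interception step described above, sketched in Node.js as an added example (this is not Revelo's code, and Revelo's internals may differ). The sample script, the helper `interceptReturn` and the hook name `__capture` are constructed for illustration.

```javascript
const vm = require('vm');

// Constructed, benign sample in the shape the post describes: a decoder
// accumulates its output in IBq, returns it, and the caller evals the result.
const PLAIN = 'document.write("hello from the decoded layer")';
const HEX = [...PLAIN]
  .map(c => (c.charCodeAt(0) ^ 42).toString(16).padStart(2, '0'))
  .join('');
const SAMPLE = `
function d(s) {
  var IBq = "";
  for (var i = 0; i < s.length; i += 2)
    IBq += String.fromCharCode(parseInt(s.substr(i, 2), 16) ^ 42);
  return(IBq);
}
eval(d("${HEX}"));
`;

// Hypothetical helper (not Revelo's implementation): rewrite the pasted return
// statement so the returned variable is recorded instead of handed back.
function interceptReturn(source, returnStmt) {
  const m = /^return\b\s*\(?\s*([A-Za-z_$][\w$]*)\s*\)?\s*;?$/.exec(returnStmt.trim());
  if (!m) throw new Error('expected a statement such as return(IBq)');
  // Accept input with or without the surrounding <script> tags.
  const body = source.replace(/<\/?script[^>]*>/gi, '');
  if (!body.includes(returnStmt)) throw new Error('return statement not found');

  const captured = [];
  const hooked = body.split(returnStmt).join(`return __capture(${m[1]})`);
  // The hook returns an empty string, so the caller's eval() receives nothing
  // and the decoded layer is captured as text rather than executed.
  const sandbox = vm.createContext({
    __capture: v => { captured.push(String(v)); return ''; },
  });
  // vm is not a security boundary: analyze live samples inside an isolated VM.
  vm.runInContext(hooked, sandbox, { timeout: 1000 });
  return captured;
}

console.log(interceptReturn(SAMPLE, 'return(IBq)'));
```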


The other change was that I updated the JSBeautify script with the latest version from jsbeautifier.org.

You can find Revelo here.
