Deobfuscating Magento Guruincsite Javascript

I saw this blog post by the super talented guys over at Sucuri and thought that it was just another URL redirection script hiding behind escaped characters, but it turned out to be better than that.

Here’s what the script looks like in its original form:

[Screenshot: 2015-10-21_01]

When you unescape it, it looks like this. Notice that there are two sections: the self-executing function at the top and another at the bottom. The function at the top deobfuscates the blob of characters in the middle and makes an array out of it. The bottom function takes values from the resulting array to redirect the user to the drive-by site.

[Screenshot: 2015-10-21_02]

In the screenshot above I put an arrow where the main deobfuscation takes place. It reads in the blob of characters, two at a time, parses each pair as a base-30 number, then subtracts a value taken from an array. That array is made up of four characters: the length of the script itself, 1,867 characters. The algorithm subtracts the ASCII code of each of those four digits in turn.

What this means is that if you change anything in the script's length, the script will break and won't properly decode the blob.

Let’s deobfuscate this script dynamically and statically.

There are several ways to deobfuscate this dynamically, but here's the most straightforward one, I think. In this screenshot I add an “alert(LCWEHH);” so I can see the result of the deobfuscation.

[Screenshot: 2015-10-21_03]

When I run it, I get garbage because I modified the length of the script.

[Screenshot: 2015-10-21_04]

Let me try this again. Since the deobfuscation routine is based on the length of the script, I need to subtract what I'm adding in. “alert(LCWEHH);” is 14 characters.

[Screenshot: 2015-10-21_05]

I need to find a place in the script, after it's done with the deobfuscation, where I can remove 14 characters to keep the length the same. Here's something I can replace (highlighted in red): I can remove “(LCWEHH[2-4+1+3])” without causing an error.

[Screenshot: 2015-10-21_06]

That string is 17 characters, so I need to add 3 characters back to the script. I just pad my alert call with three spaces. Here's the final script:

[Screenshot: 2015-10-21_07]

When I run it, I get the deobfuscated results:

[Screenshot: 2015-10-21_08]

Now I can rebuild the redirection function using the values from this array, so it looks like this:

[Screenshot: 2015-10-21_09]

Now let’s do the same thing statically. For this I’ll use Converter.

Fire it up and paste in the blob of characters from the middle of the script.

[Screenshot: 2015-10-21_10]

Click on Tools > Convert Base.

[Screenshot: 2015-10-21_11]

Make the following selections, then click on Convert. I click on “Send Data to Main Form” to send the result to the main screen.

[Screenshot: 2015-10-21_12]

I need to change this to comma-delimited, so I click on Search/Replace Text and replace spaces with commas.

[Screenshot: 2015-10-21_13]

Next, I click on the “Copy Output to Input” button, then on Tools > Key Search/Convert.

[Screenshot: 2015-10-21_14]

Finally, I make these selections and click on Convert.

[Screenshot: 2015-10-21_15]

What I did was use Converter's built-in expression engine. The expression takes the decimal val(ue), subtracts the previous res(ult), then subtracts the ASCII value of the first digit of the script's length, which is 49 (remember the total length of the script is 1,867, so the first digit is “1”). I add a comma, then repeat the expression using the second digit of the script's length, which is 56, and so on for the remaining two digits. Since I selected the Consecutive action, it loops through these four expressions across the entire decimal value input.

So basically, Converter is doing this calculation for me:

164 - 49 - 0 = 115 = s
270 - 56 - 115 = 99 = c
267 - 54 - 99 = 114 = r
274 - 55 - 114 = 105 = i
...
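The decoding step worked through above (two base-30 digits per character, minus the ASCII code of one digit of the script's length, minus the previous result), as an added JavaScript example that is not the original malicious script. It includes the inverse of the scheme so a test blob can be built, and shows how the output degrades when the length key no longer matches; the blob "5e908r94" is constructed from the four values in the calculation above.

```javascript
// Added example: analyst re-implementation of the length-keyed decoder.
// Key = the four digits of the script's own length ("1867") as ASCII codes.
// Each output char = parseInt(pair, 30) - key[i % 4] - previous output char.
const BASE = 30;

// Decode a blob of base-30 digit pairs with a length-derived key.
function decodeBlob(blob, lengthKey) {
  const out = [];
  let prev = 0;
  for (let i = 0; i * 2 < blob.length; i++) {
    const pair = blob.slice(i * 2, i * 2 + 2);
    const val = parseInt(pair, BASE);
    if (Number.isNaN(val)) throw new Error(`bad base-30 pair at ${i * 2}: ${pair}`);
    const code = val - lengthKey.charCodeAt(i % lengthKey.length) - prev;
    out.push(String.fromCharCode(code));
    prev = code; // the chain: each character depends on the one before it
  }
  return out.join('');
}

// Inverse of decodeBlob, used here only to construct sample input.
function encodeBlob(text, lengthKey) {
  let prev = 0;
  let blob = '';
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    const val = code + lengthKey.charCodeAt(i % lengthKey.length) + prev;
    const digits = val.toString(BASE);
    if (digits.length > 2) throw new Error(`value ${val} does not fit in two base-30 digits`);
    blob += digits.padStart(2, '0');
    prev = code;
  }
  return blob;
}

// Worked check with the page's numbers: 164, 270, 267, 274 in base 30.
// Decoding with the real length (1,867) yields "scri"; decoding with the
// length after an unpadded 14-character edit (1,881) yields garbage.
function demo() {
  const blob = '5e908r94'; // constructed from the four worked values above
  return { good: decodeBlob(blob, '1867'), bad: decodeBlob(blob, '1881') };
}
```

Because each character also depends on the previous result, a wrong key digit corrupts every character after it, which is why even a small unpadded edit breaks the whole decode.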

Now I can replace the original JavaScript with the values from the above results to see how it does the redirection.

By the way, if you need help with the expression engine, click on Extras > Expressions Help.

[Screenshot: 2015-10-21_16]

Happy deobfuscating!
