Deobfuscating the Facebook Spam Script
My first thought was “wow, nice obfuscation, but it should be easy to get around”. Ha, no such luck. The second layer is worse than the first. Do you see the fifth line from the top on the right-hand side? It’s callee!
There are a couple of techniques to get around this; SANS and others describe several of them. One of the easiest to deploy is to add a new function outside of the original one (seen here in the red box).
Down at the bottom of the script is an “eval” function. We change that to “evla”. Renaming it this way keeps the script’s length unchanged, so the callee check still passes.
So when the code is executed, the value of n$ gets sent up to the new function we created, where we get to see what’s there. Which is… another layer of obfuscated code!
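To show the mechanics on something you can run, here is an added example of my own (not the spam script from the post or the pastebin): a constructed one-layer packer that refuses to decode if arguments.callee.toString().length has changed, and the same-length eval-to-evla rename that hands the next layer to our capture function instead of executing it. The names buildSample and captureEval, the XOR key and the sample payload are my assumptions.

```javascript
// Constructed sample in the style the post describes: the IIFE checks its own
// source length through arguments.callee before decoding, then evals the result.
// L is baked in at build time from the function's exact source text.
function buildSample(hiddenCode, key) {
  const bytes = Array.from(hiddenCode, (c) => c.charCodeAt(0) ^ key).join(',');
  const fn =
    'function(){if(arguments.callee.toString().length!==L)return;' +
    `var p=[${bytes}],s='';for(var i=0;i<p.length;i++)` +
    `s+=String.fromCharCode(p[i]^${key});eval(s);}`;
  return `var L=${fn.length};(${fn})();`;
}

// Analyst step: apply an edit to the script, then run it (sloppy mode, so
// arguments.callee works) with evla/capture bound to a hook that records the
// decoded string instead of executing it. Returns everything the hook saw.
function captureEval(script, edit) {
  const seen = [];
  const hook = (code) => seen.push(code);
  new Function('evla', 'capture', edit(script))(hook, hook);
  return seen;
}

// Constructed payload: never executed here, only recovered as text.
const SAMPLE = buildSample('alert("constructed spam marker")', 7);

// Same length as "eval(": the callee check passes and the next layer is captured.
const recovered = captureEval(SAMPLE, (s) => s.replace('eval(', 'evla('));

// A longer name changes the source length: the check fails and nothing is seen.
const missed = captureEval(SAMPLE, (s) => s.replace('eval(', 'capture('));

console.log('evla capture  :', recovered);
console.log('capture() edit:', missed);
```

Any edit that alters the function's source length, even adding a single space, trips the same check; that is why the rename has to preserve length.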
Since there’s no callee function here, we can beautify it. Here we see variables getting loaded up after some tricky conditional statements.
After three layers of heavy obfuscation, we are finally treated to an excerpt of the script that’s causing all the spam.
You can see the complete source of the script here: http://pastebin.com/nkBx8GbH