Here are the criteria I used to select the tools:
- Easy to set up and use (i.e. aimed at the novice user)
These are the tools I selected to test with:
- Creme Brulee
- Firebug – Firefox plug-in
- Google Chrome Developer Tools
- Microsoft IE8 Developer Tools
- Microsoft Script Debugger
- SpiderMonkey + V8
- The Mina
These are the three test scripts I ran each tool against:
- Script 1: rather straightforward obfuscation that inserts iframes into the page.
- Script 2: uses the DOM to attach a script element to the webpage.
- Script 3: heavily obfuscated, with two layers to peel off to get to the browser exploits.
This tool is able to handle simple obfuscated scripts but doesn’t do so well with others. Sometimes IE would hang as it tried to process a script.
Firebug (FF plugin)
Firebug deobfuscated all three scripts, but the challenge was working out where to find the deobfuscated code. You may need to understand the malicious script a little to determine where the results will end up.
The other challenge is pausing the page load so you can get to the deobfuscated script before a malicious redirect occurs and overwrites the variables.
Google Chrome Developer Tools
Chrome has a debugger and an array of other tools built right in. Chrome was quickly able to tackle all three scripts and produce the deobfuscated scripts. This tool is arguably the most robust and flexible of them all. You may need to read through the scripts to find out which variables to look out for.
Apple’s Safari has a very similar developer tool (in terms of function and look) which is why I opted not to test it separately.
I did encounter some sluggishness and lock-ups after processing multiple scripts, but restarting Firefox fixed the problem.
On the last script, only one of the two layers was decrypted. You could do some cutting and pasting at that point, but I wanted simple and easy.
Microsoft IE8 Developer Tools
This tool is fairly easy to use but there needs to be some understanding of the script you are working with in order to find the best place to insert breakpoints. The DOM script was only partially deobfuscated.
Microsoft Script Debugger
While it is not as flexible and powerful as the IE8 Developer Tools, I got the same results, and faced the same challenge of deciding where to place the breakpoints.
This is a Java-based debugger that allows you to insert breakpoints to catch the deobfuscated values in the variables. As a result, you need to know a little something about the script you are trying to analyze.
SpiderMonkey + V8
In case you are interested, I included an external JS file which contains a one-liner seen below. This helps me to deobfuscate what I can (I still need to work on a method to take on DOM-based scripts). You can also just copy/paste this line to the top of the script you are trying to deobfuscate with SpiderMonkey or V8.
The Mina
Mina appeared to have deobfuscated two of the three scripts, but since its output is limited to exactly 1,000 bytes, the results were truncated.
This tool has a lot of potential. If the startup time were reduced and the output size increased, it would be on par with the IE8 Developer Tools and Script Debugger in terms of results, but easier to use because you don't have to worry about breakpoints. The C++ source code is available, so if anyone wants to make a new version, I'd love to do more testing.
Here are the final results:
The results are hardly conclusive since the sample was just too small but it should give you some idea of which tools you might want to consider playing with or testing further. There probably won’t be a perfect tool that can deobfuscate everything ever created but there may be a couple of tools that work well enough in certain cases to help you with your analysis.
One other thing to consider is that some very tough obfuscated scripts can be cracked by many of these tools when in the hands of a skilled analyst. You might need to spend a lot of time with the tool to get the results you want.
A few thoughts about this experiment…
A few of these tools require some knowledge of the script. You can’t blindly sprinkle breakpoints everywhere and hope for the best. In some cases, you will need to look for the deobfuscated code in the tool’s interface so your knowledge of the script will help you find the variables.
Most of these tools work only with a specific browser. If the script detects the browser or uses a non-standard function then your results will vary.
Debuggers, Firefox plug-ins, etc. will execute potentially malicious scripts on your PC, so be careful! You might want to think about disabling your network connection to prevent unwanted redirection, and use a VM without Java, Flash, and Acrobat installed, with a clean snapshot you can revert to afterwards.
Finally, be on the lookout for anti-debugging code such as the following example. This script will not give you a response if you step through the code, because the time taken between the two timestamps becomes too large. Of course they won't be written this plainly, and there are dozens of different possibilities and methods.
var a = new Date().getTime();
var b = "%68%65%6C%6C%6F";  // "hello" once unescaped
var c = new Date().getTime();
if (c - a < 1000) { document.write(unescape(b)); }  // stepping through in a debugger inflates c - a, so the payload never runs