Here are the tools I'll be using:
JSUnpack - https://code.google.com/p/jsunpack-n/
SpiderMonkey - http://blog.didierstevens.com/2014/09/14/update-spidermonkey/
Microsoft Script Debugger - http://www.microsoft.com/en-us/download/details.aspx?id=22185
Chrome Developer Tools - https://www.google.com/chrome/
Firefox Developer Tools - https://www.mozilla.org/en-US/firefox/
Firebug (Firefox Add-On) - https://addons.mozilla.org/en-US/firefox/addon/firebug/
Revelo - http://www.kahusecurity.com/tools
Here are the obfuscated scripts:
Dean Edwards Packer (http://dean.edwards.name/packer/)
HiveLogic Enkoder (http://hivelogic.com/enkoder/)
For this sample, I used the same original HTML code as the above and obfuscated it using three online obfuscators in the following order:
Speed-Trap JS (http://www.speed-trap.com)
Gong Da EK
My plan is simple: use the tools to try to deobfuscate the above scripts without spending more than a few minutes on each one. If I can't figure it out by making obvious tweaks along the way, I move on. To be honest, I'm no expert with all of these tools, so I'm not taking full advantage of their capabilities, but this should give you some idea of what you can expect.
I would encourage you to play along (the scripts are here). Be sure you do this in a virtual machine because many of the scripts are real and very malicious.
JSUnpack is fully automated and can deal with a lot of scripts, except the complex ones.
This Firefox add-on is quite robust and also completely automated. Interestingly, it is able to deobfuscate the hard ones but trips up on an easy one. This tool won't be able to handle scripts that target Internet Explorer, for obvious reasons. You might be able to comment out some browser-sniffing routines, though.
The SpiderMonkey tool would be similar to using the Rhino or V8 engines, but Didier Stevens adds some mods that have beefed up SpiderMonkey's capabilities. DOM-based scripts tend to pose a problem for these engines, but you can make several tweaks to the script and define the missing objects (document, window, navigator and so on) to get around this.
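To make the browser-sniffing and "define the missing objects" tweaks concrete, here is an added example (not code from the original post, from SpiderMonkey or from Didier Stevens' mods): a small Node harness that hands a script stub window/document/navigator objects and a logging eval, so the decoded stage is recorded instead of executed. The sample script, the function name runWithFakeDom and the example.invalid host are all constructed for this illustration.

```javascript
// Added example, not part of the original post or any of the tools it reviews.
// Hypothetical Node harness: stub out the DOM objects a browser-targeted script
// expects (window, document, navigator) and replace eval() with a logger, which
// is the same idea as the "define objects" tweaks used with SpiderMonkey.

// Constructed, benign sample in the style of an obfuscated script: it sniffs
// the browser, assembles a string piece by piece, eval()s it, then writes HTML.
const SAMPLE_SCRIPT = [
  "if (navigator.userAgent.indexOf('MSIE') == -1) { throw 'not IE'; }",
  "var p = ['al', 'er', 't(\"', 'he', 'llo', '\")'];",
  "var s = '';",
  "for (var i = 0; i < p.length; i++) { s += p[i]; }",
  "eval(s);",
  "document.write('<iframe src=\"http://example.invalid/landing\"></iframe>');",
].join("\n");

// Run `script` against fake DOM objects and return what it tried to eval,
// write and throw, instead of letting any of it execute.
function runWithFakeDom(script, userAgent) {
  const captured = { evals: [], writes: [], errors: [] };
  const fakeDocument = {
    write: (html) => { captured.writes.push(String(html)); },
    getElementById: () => null,
    cookie: "",
  };
  const fakeNavigator = { userAgent: userAgent, appName: "Netscape" };
  const fakeWindow = { document: fakeDocument, navigator: fakeNavigator,
                       location: { href: "http://example.invalid/" } };
  fakeWindow.window = fakeWindow;
  // Logging eval: the decoded stage is recorded, not executed.
  const fakeEval = (code) => { captured.evals.push(String(code)); };
  try {
    // Parameters shadow the real globals inside the script body, so the
    // sample sees our stubs rather than Node's globals (or a missing DOM).
    const fn = new Function("window", "document", "navigator", "eval", "alert", script);
    fn.call(fakeWindow, fakeWindow, fakeDocument, fakeNavigator, fakeEval, () => {});
  } catch (e) {
    captured.errors.push(String(e));
  }
  return captured;
}

// Supplying an IE user agent gets past the sniffing check; a Firefox one does not.
const asIE = runWithFakeDom(SAMPLE_SCRIPT, "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)");
const asFirefox = runWithFakeDom(SAMPLE_SCRIPT, "Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0");
console.log(asIE.evals);       // [ 'alert("hello")' ]
console.log(asFirefox.errors); // [ 'not IE' ]
```

Swapping the user agent is the harness equivalent of commenting out the sniffing routine; with a real sample you would keep adding stubs for whatever DOM property the script touches next until the decoded stage appears in `evals` or `writes`.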
This tool has a lot of capability and potential. The main reason it can't deob the malicious scripts is probably because I suck at using it.
I had hoped my own tool would do pretty well against these scripts, and it did. The main challenge with using Revelo is that you need to understand the script you are working on and be able to recognize the entry and exit points to inspect. This tool is definitely not for everyone, but it has the capability to do just as well as a debugger.
Conclusion and Scorecard
As I mentioned earlier, I'm probably not making the most of every tool as they are quite capable and powerful in their own right. The end result is probably more of a reflection of my abilities rather than the tool so take this with a barrel of salt.
Posted on: 09/23/2014