2014/08/05

Deobfuscating JavaScript and Shellcode: Debugging + Dedicated Tools – Part 1/2

Welcome to Part I of a two-part series on JavaScript and shellcode deobfuscation!

In this first video, I explore a few different methods for deobfuscating JavaScript. I cover using a browser-based debugger along with various Windows and Linux tools to decode scripts, and we walk through deobfuscating JavaScript in a real-world setting using readily available tools.

The following is a list of tools covered in this video:


Part One: Online “Beautifier” + Firebug debugger

| Tool Name | Author(s) | Link | Notes |
| --- | --- | --- | --- |
| JS Beautifier (Web) | Lielmanis & Newman | http://jsbeautifier.org/ | Available in non-Web formats; see site |
| FireFox | Mozilla | https://www.mozilla.org/en-US/firefox/all/ | Offline installers for the most current localized versions of Firefox |
| FireBug | Mozilla | https://getfirebug.com/ | FireFox add-in that adds many features, including a handy JS debugger |

Notes:

  • I happened to be using FireFox 31 in the video
  • I was using FireBug v2.0.2, which is compatible with FF 30-32

Part Two: Windows Tools

| Tool Name | Author(s) | Link | Notes |
| --- | --- | --- | --- |
| Revelo | Kahu Security | http://www.kahusecurity.com/tools/ | Kahu makes some amazing tools, check them all out! |
| Malzilla | Boban Spasic (a.k.a. bobby) | http://malzilla.sourceforge.net/ | Last release: 2008/11/02 (Nov 2008) <– reaching EOL |
| PDF Stream Dumper | David Zimmer | http://sandsprite.com/blogs/index.php?uid=7&pid=57 | Fantastic PDF stream dumping + JS/shellcode analysis tool |

Part Three: Linux Tools

| Tool Name | Author(s) | Link | Notes |
| --- | --- | --- | --- |
| js-beautify | Lielmanis & Sanfilippo | https://github.com/beautify-web/js-beautify | Installed in REMnux: simply run js-beautify |
| SpiderMonkey | Mozilla | https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey | Installed in REMnux: simply run js |
| vi | Bill Joy et al. | http://en.wikipedia.org/wiki/Vi | While not technically a coreutil, vi is bundled with and/or available for most *nix-based systems |
| REMnux | Lenny Zeltser | http://zeltser.com/remnux/ | I used REMnux 5 under VMware Fusion in the video, but Oracle VirtualBox works great too |

Notes:

  • I got the idea of using an array to override document.write with print from the SANS 610 Reverse Engineering Malware (REM) course. More info here: http://www.sans.org/course/reverse-engineering-malware-malware-analysis-tools-techniques.
  • Replace document.write with print manually, or check here for alternatives: http://www.aldeid.com/wiki/SpiderMonkey#Modified_versions
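As an added example (not from the video or this post), here is the document.write override from the notes written as a small harness: it stands in a stub `document` whose `write` collects every string into an array and prints it, so an obfuscated script reveals its decoded stage instead of injecting it into a page. It runs under the SpiderMonkey `js` shell (using `print`) or under Node (falling back to `console.log`); the obfuscated sample script is constructed and benign.

```javascript
// Added example: capture-and-print shim for document.write, the trick used
// when running obfuscated scripts under SpiderMonkey's js shell.

// Constructed sample: a script that rebuilds its next stage from char codes
// and hands it to document.write, as many droppers do.
var SAMPLE = [
  "var s = '';",
  "var c = [60,112,62,115,116,97,103,101,32,50,60,47,112,62];",
  "for (var i = 0; i < c.length; i++) s += String.fromCharCode(c[i]);",
  "document.write(s);"
].join('\n');

// Run untrusted script text with document.write redirected to an array + print.
// Returns the list of strings the script tried to write, in order.
function deobfuscate(scriptSource) {
  var writes = [];
  // SpiderMonkey's shell exposes print(); Node does not, so fall back.
  var emit = (typeof print === 'function') ? print : console.log;
  var document = {
    write:   function (s) { writes.push(String(s)); emit(String(s)); },
    writeln: function (s) { writes.push(String(s) + '\n'); emit(String(s)); }
  };
  var window = { document: document };
  // Evaluate the script in a function scope where `document` and `window`
  // resolve to our stubs rather than to a real DOM.
  new Function('document', 'window', scriptSource)(document, window);
  return writes;
}

// Each captured string is the decoded next stage; feed it back through
// deobfuscate() if it is itself another layer of script.
var DECODED = deobfuscate(SAMPLE);   // ["<p>stage 2</p>"]
```

Under the js shell the same idea is usually a standalone shim file loaded before the sample (`js shim.js sample.js`); the function form above just keeps the capture array local.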

OK, now that you have the links, check out the video!


I look forward to any and all feedback, so please do not hesitate to drop a comment!

Also, stay tuned for Part II, in which I will cover analyzing the shellcode that we find in Part I! Part II will focus on understanding the intent of the deobfuscated attack script and will include a few different ways to debug the identified shellcode.

Thanks gang!

– 8bits0fbr@in

