elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado: Guía actualizada para evitar que un ransomware ataque tu empresa


+  Foro de elhacker.net
|-+  Programación
| |-+  Scripting
| | |-+  javascript deobfuscation
0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: javascript deobfuscation  (Leído 2,921 veces)
Progmasterbr

Desconectado Desconectado

Mensajes: 18


Ver Perfil
javascript deobfuscation
« en: 4 Mayo 2016, 23:36 pm »

Hello friends,

I have a javascript code and this .js is crypted with a a very strange algorithm.

Then I want any help for try decrypt this script, he contains some functions that I'm needing for implement in a another project.

I had discovered that site used for ofuscate was https://javascriptobfuscator.com/javascript-Obfuscator.aspx

Any help will welcome.

Here is original code: http://pastebin.com/KRQWffhr

obfuscated and I had used this site http://javascriptbeautifier.com/ and he made half of deobfuscation and this is final result: http://pastebin.com/Laipv8ND


En línea

Eleкtro
Ex-Staff
*
Desconectado Desconectado

Mensajes: 9.885



Ver Perfil
Re: javascript deobfuscation
« Respuesta #1 en: 5 Mayo 2016, 16:29 pm »

Here is original code: http://pastebin.com/KRQWffhr

obfuscated and I had used this site http://javascriptbeautifier.com/ and he made half of deobfuscation and this is final result: http://pastebin.com/Laipv8ND

Hi

What more you are expecting to acchieve from the resulting deobfuscated code that you have?.

Take into account that the variable names recovery is not possible since they are lost after obfuscation, that's it, things starting with "_0x" are the new variable names that the obfuscation algorithm assigns to each found var, the original variable names are replaced with new hexadecimal values like that, but they are just that, hex values, they aren't encoded values that contain the old variable name, so you can't rollback something that doesn't exists anymore, in resume, the resulting code that you have should work as expected with those names.

So basically seems that you have totally deobfuscated the code up to the max that it can be done without having the original code.

For variable names as I said it's impossible (the methodology to rollback a replacement is doing another replacement knowing the old data), so what you can do at this point is pick up your favorite text editor and perform a word replacement of all "_0xb257" for whichever friendlly variable name being more readable than the hexadecimal one.



For interest I will explain you that things starting with "\x" are just a escape secuence of characters that are very easy to decode. The rest part after the "\x" is a hex value that you can convert it to decimal then retrieve the corresponding char from ASCII table;
so for example if we have "\x4D", then we remove/ignore the "\x" (because is just trash information), so we have the "4D" that translated into decimal it is "77", which corresponds to the "M" character.

So for example this value can be translated as "Message : " string.
Código:
"\x4D\x65\x73\x73\x61\x67\x65\x20\x3A\x20"

Regards.


« Última modificación: 5 Mayo 2016, 16:52 pm por Eleкtro » En línea



Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
javascript --> PHP ó PHP --> javascript
PHP
Blue_box 2 3,916 Último mensaje 3 Febrero 2006, 00:18 am
por Blue_box
Ayuda con javascript en mi web(no tengo ni idea de javascript)
Desarrollo Web
jonathanmr 1 3,487 Último mensaje 1 Febrero 2013, 06:14 am
por Shell Root
WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines