Deobfuscating JavaScript shellcode

[justcrypto]

Hello Folks,

I don't do reversing for a living so the questions may be noobish.

Trying to convert the shellcode in the attached html file to an executable. Its unicode, so I converted to HEX and then used the shellcode2exe.py tool to convert it to executable. When I run the shellcode in a debugger it terminates. Although strings shows it has LoadLibrary(). I see that there are two eval functions calling two different shellcodes. Are these two shellcodes interconnected. Do I need to combine them to analyze. Any other pointers to run it successfully in a debugger.

Any help would be great!!

Sign-in.zip

[Extreme Coders]

This isn't shellcode. This is url encoded javascript. You can analyze this in jsunpack to get to the actual payload.

function g32c00168(s) {
    var r = "";
    var tmp = s.split("8164911");
    s = unescape(tmp[0]);
    k = unescape(tmp[1] + "598995");
    for( var i = 0; i < s.length; i++) {
        r += String.fromCharCode((parseInt(k.charAt(i%k.length))^s.charCodeAt(i))+-7);
    }
    return r;
}

document.write(g32c00168(........))

From appearance, this looks like a phishing page.

Spoiler

 

 

 

Edited April 4, 2017 by Extreme Coders

[skypeaful]

@Justcrypto: please provide password zip file?