justcrypto Posted April 3, 2017 Share Posted April 3, 2017 Hello Folks, I don't do reversing for a living so the questions may be noobish. Trying to convert the shellcode in the attached html file to an executable. Its unicode, so I converted to HEX and then used the shellcode2exe.py tool to convert it to executable. When I run the shellcode in a debugger it terminates. Although strings shows it has LoadLibrary(). I see that there are two eval functions calling two different shellcodes. Are these two shellcodes interconnected. Do I need to combine them to analyze. Any other pointers to run it successfully in a debugger. Any help would be great!! Sign-in.zip Link to comment Share on other sites More sharing options...
Extreme Coders Posted April 4, 2017 Share Posted April 4, 2017 (edited) This isn't shellcode. This is url encoded javascript. You can analyze this in jsunpack to get to the actual payload. function g32c00168(s) { var r = ""; var tmp = s.split("8164911"); s = unescape(tmp[0]); k = unescape(tmp[1] + "598995"); for( var i = 0; i < s.length; i++) { r += String.fromCharCode((parseInt(k.charAt(i%k.length))^s.charCodeAt(i))+-7); } return r; } document.write(g32c00168(........)) From appearance, this looks like a phishing page. Spoiler Edited April 4, 2017 by Extreme Coders 1 Link to comment Share on other sites More sharing options...
skypeaful Posted April 4, 2017 Share Posted April 4, 2017 @Justcrypto: please provide password zip file? Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now