Javascript Deobfuscation Tools Redux

Back in 2011, I took a look at several tools used to deobfuscate Javascript. This time around I will use several popular automated and semi-automated/manual tools to see how they would fare against today's obfuscated scripts with the least amount of intervention.

Here are the tools I'll be using:

Automated

JSUnpack - https://code.google.com/p/jsunpack-n/
Javascript Deobfuscator (Firefox Add-On) - https://addons.mozilla.org/en-US/firefox/addon/javascript-deobfuscator/
SpiderMonkey - http://blog.didierstevens.com/2014/09/14/update-spidermonkey/

Semi-Automated/Manual

JSDetox - http://www.relentless-coding.com/projects/jsdetox/
Javascript Debugger
Microsoft Script Debugger - http://www.microsoft.com/en-us/download/details.aspx?id=22185
Chrome Developer Tools - https://www.google.com/chrome/
Firefox Developer Tools - https://www.mozilla.org/en-US/firefox/
Firebug (Firefox Add-On) - https://addons.mozilla.org/en-US/firefox/addon/firebug/
Revelo - http://www.kahusecurity.com/tools

Here are the obfuscated scripts:

Sample 1

Dean Edwards Packer (http://dean.edwards.name/packer/)

Sample 2

HiveLogic Enkoder (http://hivelogic.com/enkoder/)

Sample 3

For this sample, I used the same original HTML code as the above and obfuscated it using three online obfuscators in the following order:

http://obfuscatorjavascript.com/
http://www.gaijin.at/en/olsjse.php
http://www.atasoyweb.net/Javascript_Encrypter/javascript_encrypter_eng.php

Sample 4

Speed-Trap JS (http://www.speed-trap.com)

Sample 5

Gong Da EK

Sample 6

RIG EK

Sample 7

Angler EK

Sample 8

Nuclear EK

Prelude

My plan is simple: use the tools to try to deobfuscate the above scripts without spending more than a few minutes on each one. If I can't figure it out by making obvious tweaks along the way, then I move on. To be honest, I'm no expert with all of these tools, so I'm not taking full advantage of their capabilities, but this should give you some idea of what you can expect.

I would encourage you to play along (the scripts are here). Be sure you do this in a virtual machine because many of the scripts are real and very malicious.

JSUnpack

JSUnpack is fully automated and can deal with a lot of scripts except the complex ones.

Javascript Deobfuscator

This Firefox add-on is quite robust and also completely automated. Interestingly, it is able to deobfuscate the hard ones but trips up on an easy one. This tool won't be able to handle scripts that target Internet Explorer for obvious reasons. You might be able to comment out some browser sniffing routines though.

SpiderMonkey

The SpiderMonkey tool would be similar to using the Rhino or V8 engines, but Didier Stevens adds some mods that have beefed up SpiderMonkey's capabilities. DOM-based scripts tend to pose a problem for these engines, but you can make several tweaks to the script and define objects to get around this.
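A minimal version of that approach, as an added example that is not from the post and is not Didier Stevens' SpiderMonkey build: a Node.js harness that supplies stub `document`, `window` and `navigator` objects (the "define objects" tweak) and hooks `eval()` and `document.write()` so each decoded layer is logged instead of executed. The `userAgent` knob is the same idea as commenting out browser sniffing in the Javascript Deobfuscator section, just done from the outside. The packed input is a hand-built Dean Edwards style sample (the same packer family as Sample 1), not one of the post's scripts; the stub members, the sink names and `example.invalid` are assumptions.

```javascript
'use strict';

// Added example (not from the post, not the SpiderMonkey mods): a small
// Node.js harness that does by hand what the modified engine does for you.
// It runs a script with stub document/window/navigator objects and hooks
// the two sinks obfuscators almost always end in, eval() and
// document.write(), so the decoded layer is logged instead of executed.

// Stub DOM. Only the members a typical unpacker touches are defined (an
// assumption); extend it when a script throws on a missing property. The
// userAgent is a knob for scripts that branch on the browser.
function makeSandbox(log, userAgent = 'Mozilla/5.0 (stub)') {
  const document = {
    write: (s) => log.push({ sink: 'document.write', value: String(s) }),
    writeln: (s) => log.push({ sink: 'document.writeln', value: String(s) }),
    getElementById: () => null,
    createElement: () => ({ setAttribute() {}, appendChild() {} }),
    body: { appendChild() {} },
    location: { href: 'http://example.invalid/' },
  };
  const navigator = { userAgent, appName: 'Netscape' };
  const window = { document, navigator, location: document.location };
  window.window = window;
  return { document, window, navigator };
}

// Run one layer. `eval` is shadowed by a function parameter, so every eval()
// call inside the script lands here; the string is logged and then run as
// the next layer so multi-layer packers unwrap one level at a time.
function runLayer(code, sandbox, log, depth) {
  const hookedEval = (src) => {
    log.push({ sink: 'eval', depth, value: String(src) });
    return runLayer(String(src), sandbox, log, depth + 1);
  };
  const alert = (m) => log.push({ sink: 'alert', depth, value: String(m) });
  const layer = new Function('eval', 'document', 'window', 'navigator', 'alert', code);
  return layer(hookedEval, sandbox.document, sandbox.window, sandbox.navigator, alert);
}

// Entry point: returns, in order, everything the script tried to eval, write
// or alert, which is the deobfuscated output you are after.
function deobfuscate(code, userAgent) {
  const log = [];
  runLayer(code, makeSandbox(log, userAgent), log, 0);
  return log;
}

// Constructed sample: a hello-world page wrapped by hand in a Dean Edwards
// style p,a,c,k,e,d packer (same family as Sample 1). Not one of the post's
// scripts. String.raw keeps the packer's escaped regex strings intact.
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.1("<2>3 4</2>");',5,5,'document|write|p|Hello|World'.split('|'),0,{}))`;

// Running this prints the unpacked layer followed by the markup it writes.
for (const entry of deobfuscate(PACKED_SAMPLE)) {
  console.log(`[${entry.sink}]`, entry.value);
}
```

The point of hooking rather than stubbing `eval` is that the unpacker still runs; only the final hand-off to the engine is intercepted, so a script with two or three nested packers shows up as two or three `eval` entries in the log. When a real sample throws on a DOM member the stub lacks, that error message is the next tweak to make, which is exactly the iterative process the post describes for the bare engines.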

JSDetox

This tool has a lot of capability and potential. The main reason it can't deob the malicious scripts is probably because I suck at using it.

Javascript Debugger

Pretty much all of the Javascript debuggers work the same way so I just lumped them together as a single class of tools. Using a debugger can be slow because you have to follow along with the script and know where to place breakpoints but it is often the most effective way of deobfuscating scripts.

Revelo

I would have hoped my own tool would do pretty well against these scripts and it did. The main challenge with using Revelo is that you need to understand the script you are working on and be able to recognize entry and exit points to inspect. This tool is definitely not for everyone but it has the capability to do just as well as a debugger.

Conclusion and Scorecard

As I mentioned earlier, I'm probably not making the most of every tool as they are quite capable and powerful in their own right. The end result is probably more of a reflection of my abilities rather than the tool so take this with a barrel of salt.

Posted on: 09/23/2014