JScript/VBScript deobfuscator


(root@sarius:~#) #1

Hi.

I'm working on a personal project and need some tools for decoding a few malware code samples. Has anyone here used something like that? If so, I'd appreciate 2-3 recommendations before I start my research on the mighty Google. Below are two samples extracted from the obfuscated code.

1. JScript

var vFIu4 = new Function("\x76\x5f\x73", '\x7b\x76\x61\x72\x20\x76\x5f\x64\x20\x3d\x20\x6e\x65\x77\x20\x44\x61\x74\x65\x28\x29\x3b\x76\x5f\x64\x5b\x22\x73\x65\x74\x55\x54\x43\x22\x2b\x22\x46\x75\x6c\x6c\x59\x65\x61\x72\x22\x5d\x28\x22\x32\x30\x30\x33\x22\x29\x3b\x69\x66\x20\x28\x76\x5f\x64\x2e\x67\x65\x74\x55\x54\x43\x46\x75\x6c\x6c\x59\x65\x61\x72\x28\x29\x2e\x74\x6f\x53\x74\x72\x69\x6e\x67\x28\x31\x30\x29\x20\x3d\x3d\x20\x22\x32\x30\x30\x33\x22\x29\x20\x7b\x76\x61\x72\x20\x76\x5f\x61\x72\x72\x20\x3d\x20\x76\x5f\x73\x2e\x73\x70\x6c\x69\x74\x28\x22\x3f\x22\x29\x3b\x20\x72\x65\x74\x75\x72\x6e\x20\x76\x5f\x61\x72\x72\x2e\x6a\x6f\x69\x6e\x28\x22\x22\x29\x3b\x7d\x20\x65\x6c\x73\x65\x20\x72\x65\x74\x75\x72\x6e\x20\x22\x22\x3b\x7d');

var vZp8 = new Function("\x76\x5f\x73", '\x7b\x72\x65\x74\x75\x72\x6e\x20\x76\x4e\x45\x6f\x39\x5b\x22\x73\x70\x22\x2b\x22\x6c\x69\x74\x22\x5d\x28\x22\x2c\x22\x29\x5b\x22\x6a\x6f\x22\x2b\x22\x69\x6e\x22\x5d\x28\x22\x22\x29\x3b\x7d');

2. VBScript

Dim OtVorotDoVorotnightlifeRombickom
OtVorotDoVorotnightlifePLdunay = Split(OtVorotDoVorotnightlife2, "HOSHneHOSH")
Set OtVorotDoVorotnightlifeTechnoShouws = CreateObject(OtVorotDoVorotnightlifePLdunay(1))
Set OtVorotDoVorotnightlifeGMAKO = CreateObject(OtVorotDoVorotnightlifePLdunay(5 - 3))
Set XPCOM = GetRef("F")
sVis = OtVorotDoVorotnightlifePLdunay(13) & OtVorotDoVorotnightlifePLdunay(14)
Function get_cypher_arr( str )
Dim i, arrCode( )
ReDim arrCode( Len( str ) - 1 )
For i = 0 To UBound( arrCode )
arrCode(i) = Asc( Mid( str, i + 1, 1 ) )
Next
get_cypher_arr = arrCode
End Function
Set OtVorotDoVorotnightlifeDAcdaw = CreateObject(OtVorotDoVorotnightlifePLdunay(0))
Set OtVorotDoVorotnightlife1DASH1solo = CreateObject(OtVorotDoVorotnightlifePLdunay(3))
Function F()
Set OtVorotDoVorotnightlifeWshShellExec = OtVorotDoVorotnightlifeRombickom.Exec(mambaFRUTISsInSosin)
End Function
Function encryptor( in_file, out_file, cypher )


(Ionuț Staicu) #2

The first part says this:

function anonimă(v_s) {
  var v_d = new Date();
  v_d["setUTC"+"FullYear"]("2003");
  if (v_d.getUTCFullYear().toString(10) == "2003") {
    var v_arr = v_s.split("?");
    return v_arr.join("");
  } else return "";
}

How did I do it? If you evaluate these strings in the Chrome console: "\x76\x5f\x73" & co. (without the new Function...), it will display them in readable form. \x76 is unicode for v, \x5f is for _, and so on.

The VBS doesn't look obfuscated to me at all, it just seems to have rather... unusual names.
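The same decoding done statically, as an added example that is not part of this thread (Node.js; the function and constant names and the `String.raw` copies of the two samples are my own): it rewrites the `\xNN` escapes inside string literals without ever evaluating the sample, which is the point where the console trick above becomes risky with real malware, then merges the `"sp"+"lit"` pieces and lifts the `new Function` calls into readable declarations.

```javascript
// Added example, not from the thread: a static pass that makes the two
// JScript samples from post #1 readable WITHOUT evaluating them (pasting
// them into a console executes whatever they contain; this only rewrites
// text). Runs under Node.js. Function and constant names are my own.

const HEX_ESCAPE = /\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4}))/g;

// Decode \xNN and \uNNNN escapes in a single pass, so a decoded backslash
// can never be re-read as the start of another escape sequence.
function decodeEscapes(text) {
  return text.replace(HEX_ESCAPE, (_, x, u) =>
    String.fromCharCode(parseInt(x !== undefined ? x : u, 16)));
}

// Re-escape occurrences of the quote character `q` in decoded text, leaving
// escape sequences that were already there untouched.
function requote(text, q) {
  let out = "";
  let escaped = false;
  for (const ch of text) {
    if (escaped) { out += ch; escaped = false; continue; }
    if (ch === "\\") { out += ch; escaped = true; continue; }
    out += ch === q ? "\\" + q : ch;
  }
  return out;
}

// Walk the source, apply `fn` to the raw body of every string literal and
// re-emit it with the same quote character. Done without a regex so that a
// quote produced by decoding cannot confuse the literal boundaries.
function mapStringLiterals(src, fn) {
  let out = "";
  let i = 0;
  while (i < src.length) {
    const q = src[i];
    if (q !== '"' && q !== "'") { out += q; i++; continue; }
    let j = i + 1;
    let raw = "";
    while (j < src.length && src[j] !== q) {
      const step = src[j] === "\\" ? 2 : 1;   // keep escapes together
      raw += src.slice(j, j + step);
      j += step;
    }
    out += q + requote(fn(raw), q) + q;
    i = j + 1;
  }
  return out;
}

// Merge "sp"+"lit" style concatenations into "split"; loop until stable so
// chains of three or more pieces collapse as well.
function joinConcats(src) {
  const pair = /"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g;
  let prev;
  do { prev = src; src = src.replace(pair, '"$1$2"'); } while (src !== prev);
  return src;
}

// Rewrite obj["name"] as obj.name when "name" is a plain identifier.
function dotAccess(src) {
  return src.replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
}

// Turn `var NAME = new Function("params", '{body}');` into a declaration.
// Assumes both arguments are plain string literals, as in the samples.
function liftNewFunction(src) {
  const re = /var\s+([\w$]+)\s*=\s*new\s+Function\(\s*(["'])((?:(?!\2)[^\\]|\\.)*)\2\s*,\s*(["'])((?:(?!\4)[^\\]|\\.)*)\4\s*\)\s*;?/g;
  return src.replace(re, (_, name, q1, params, q2, body) => `function ${name}(${params}) ${body}`);
}

function deobfuscate(src) {
  const decoded = mapStringLiterals(src, decodeEscapes);
  return liftNewFunction(dotAccess(joinConcats(decoded)));
}

// Constructed copies of the two obfuscated lines from post #1 (straight
// quotes). String.raw keeps the backslashes literal so the escapes survive.
const SAMPLE_1 =
  String.raw`var vFIu4 = new Function("\x76\x5f\x73", '` +
  String.raw`\x7b\x76\x61\x72\x20\x76\x5f\x64\x20\x3d\x20\x6e\x65\x77\x20\x44\x61\x74\x65\x28\x29\x3b` +
  String.raw`\x76\x5f\x64\x5b\x22\x73\x65\x74\x55\x54\x43\x22\x2b\x22\x46\x75\x6c\x6c\x59\x65\x61\x72\x22\x5d\x28\x22\x32\x30\x30\x33\x22\x29\x3b` +
  String.raw`\x69\x66\x20\x28\x76\x5f\x64\x2e\x67\x65\x74\x55\x54\x43\x46\x75\x6c\x6c\x59\x65\x61\x72\x28\x29\x2e\x74\x6f\x53\x74\x72\x69\x6e\x67\x28\x31\x30\x29\x20\x3d\x3d\x20\x22\x32\x30\x30\x33\x22\x29\x20\x7b` +
  String.raw`\x76\x61\x72\x20\x76\x5f\x61\x72\x72\x20\x3d\x20\x76\x5f\x73\x2e\x73\x70\x6c\x69\x74\x28\x22\x3f\x22\x29\x3b\x20` +
  String.raw`\x72\x65\x74\x75\x72\x6e\x20\x76\x5f\x61\x72\x72\x2e\x6a\x6f\x69\x6e\x28\x22\x22\x29\x3b` +
  String.raw`\x7d\x20\x65\x6c\x73\x65\x20\x72\x65\x74\x75\x72\x6e\x20\x22\x22\x3b\x7d` +
  "');";
const SAMPLE_2 =
  String.raw`var vZp8 = new Function("\x76\x5f\x73", '\x7b\x72\x65\x74\x75\x72\x6e\x20\x76\x4e\x45\x6f\x39\x5b\x22\x73\x70\x22\x2b\x22\x6c\x69\x74\x22\x5d\x28\x22\x2c\x22\x29\x5b\x22\x6a\x6f\x22\x2b\x22\x69\x6e\x22\x5d\x28\x22\x22\x29\x3b\x7d');`;

for (const s of [SAMPLE_1, SAMPLE_2]) console.log(deobfuscate(s));
```

Run it with `node deobf.js`: the first sample comes out as the `setUTCFullYear` / `split("?")` / `join("")` function shown in post #2, and the second as `function vZp8(v_s) {return vNEo9.split(",").join("");}`, which makes it clear that `vZp8` ignores its own argument and reads a global `vNEo9` instead. The single-pass escape decoder matters: a body that encodes a backslash as `\x5c` followed by `x41` must not be decoded a second time into `A`, which a naive loop of `replace` calls would do.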