

Brain Bleeding JavaScript Obfuscation - nafai
https://blog.korelogic.com/blog/2015/01/12/javascript_deobfuscation

======
tshadwell
Almost all JavaScript obfuscation schemes that I've come across in the wild can
be defeated by Closure Compiler with advanced optimizations and pretty print
turned on & if necessary a little extra manual intervention. It just optimizes
out all the cruft. I'd like to see what it does to this code but the author
hasn't provided a raw file.

Online closure compiler: [http://closure-compiler.appspot.com](http://closure-compiler.appspot.com)

~~~
ben174
I just tried running some jjencode'd js through your closure compiler and it
didn't clean it up much at all.

[http://utf-8.jp/public/jjencode.html](http://utf-8.jp/public/jjencode.html)

~~~
pokoleo
I did too - you need to poke around with the compiler settings.

For jjEncode's sample `alert("Hello, JavaScript" )`[0], the first step of the
post's analysis is done for you[1], if you set closure compiler on "advanced
mode".

That being said, double-jjEncoding the sample `alert("Hello, JavaScript" )`
stumps the closure compiler.

[0] [http://utf-8.jp/public/jjencode.html?src=alert(%22Hello%2C%2...](http://utf-8.jp/public/jjencode.html?src=alert\(%22Hello%2C%20JavaScript%22%20\)&var=%24)
[1] [https://closure-compiler.appspot.com/code/jsc40b41f282d17ff7...](https://closure-compiler.appspot.com/code/jsc40b41f282d17ff77479bd0f0b1ef8f97/default.js)

------
secshoggoth
I'm the author of this post. Looks like some of you want the JS used that was
analyzed, so here it is:

[https://blog.korelogic.com/2015/01/12/javascript_deobfuscati...](https://blog.korelogic.com/2015/01/12/javascript_deobfuscation/malJS.zip)
(pass: infected)

------
zamalek
What's particularly cute about the hexadecimal "constants" is that their names
correlate to their binary digits. E.g. 0xA = 1010 = $_$_ ; 0xF = 1111 = $$$$
and so on.
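
The naming pattern described in the comment above, as an added example that is not part of the original thread or of the obfuscator's own code: a helper that reads `$` as 1 and `_` as 0 and annotates such names in obfuscated source with their hex value. The object name `$`, the 3-to-4 character length filter, the function names and the sample string are assumptions for illustration.

```javascript
// Added example: decode "$"/"_" constant names, reading "$" as 1 and "_" as 0.
// Assumption: the constants are properties of a single object (default "$").

// Convert a name such as "$_$_" to its numeric value (binary 1010 = 0xA).
function decodeConstantName(name) {
  if (!/^[$_]+$/.test(name)) {
    throw new TypeError("not a $/_ constant name: " + name);
  }
  const bits = name.replace(/\$/g, "1").replace(/_/g, "0");
  return parseInt(bits, 2);
}

// Append a /*0x..*/ comment to every `<objectName>.<name>` reference.
// The source is annotated, not rewritten, so its behaviour is unchanged.
// Only names of minLen..maxLen characters are treated as constants
// (assumed filter), so shorter helper properties are left untouched.
function annotateConstants(source, objectName = "$", minLen = 3, maxLen = 4) {
  // Escape regex metacharacters in the object name ("$" is one of them).
  const escaped = objectName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const pattern = new RegExp(
    escaped + "\\.([$_]{" + minLen + "," + maxLen + "})(?![$_\\w])", "g");
  return source.replace(pattern, (match, name) =>
    match + "/*0x" + decodeConstantName(name).toString(16).toUpperCase() + "*/");
}

// Constructed sample input, not taken from the analysed malware.
const SAMPLE = "$.$_$_+$.$$$$+$.$_";
console.log(annotateConstants(SAMPLE));
```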

------
prothid
I wanted to tinker with the code but it is all PNGs (I guess to prevent the
original code from executing).

~~~
nafai
I found this article after getting a very similar spam to the one the author
got, so here are the two files from the page the spammer linked to me:

[https://gist.github.com/nafai/32f656a3338dcc792545](https://gist.github.com/nafai/32f656a3338dcc792545)
[https://gist.github.com/nafai/c41de60168b12f8614de](https://gist.github.com/nafai/c41de60168b12f8614de)

------
bshimmin
It's somehow quite reassuring that you can just type complete gibberish in
JavaScript and it usually does something; for example:

    !~!~1234.5678["constructor"]["constructor"](console.log("foo"))

Of course that logs "foo" - why wouldn't it?!

~~~
nitrogen
Assuming the syntax is valid, tacking (console.log("foo")) on the end of lots
of things should log foo, even if there's an error elsewhere. The
"console.log('foo')" will be evaluated before trying to call the rest as a
function, so even "undefined(console.log('foo'))" logs "foo" when tested in
the Firefox JS console:

    undefined(console.log('foo'))
    TypeError: undefined is not a function
    "foo"

------
theVirginian
This may be an unpopular opinion especially on HN but the fact that you can do
this sort of thing in JavaScript is one of the reasons that I am not
particularly a fan of the language.

Edit: I was right, it is not a popular opinion and therefore not a valuable
one. Let the downvotes rain.

~~~
choward
That doesn't make any sense. You can do those sorts of terrible things with
any language. There are way better reasons for hating Javascript.

