Tuesday, December 4, 2012

Reverse engineering some javascript

A couple of days ago I had to reverse engineer some javascript. The classic encodings are hexadecimal or decimal, but this time there was something else. It looked basically like this:

a = ["3f","15","f4","22","4o","4g","17", ... ]

I changed the actual values so as not to give anything away about the actual investigation, so yes, if you try it on these values it will not make any sense.

It was clear that the nasty stuff was hidden in that array. At the end of the code I found a call to the parseInt function that actually operated on the array. It looked like this:


Again this is altered code, but the real value that was there instead of 36 was hard coded, and i was a variable used in a loop to run over the array. What is interesting is that the loop was written like this:


The value was hard coded, but the classical way of looping that you get taught in programming classes was not used.

I had a look at parseInt(), and what it basically does is take a string (the value in the array) and turn it into an integer. But the values in the array look nothing like integers, so something had to be up with that hard coded value 36. 36 represents a radix. The radix is the numeral system you are working in: if it had been 16 it would have been hexadecimal, 10 would be the decimal system and 8 the octal system. With radix 36 the digits are 0-9 followed by the letters a-z, which is why entries such as "4o" and "4g" are valid numbers. To make things a bit more complicated for a human, our attacker chose 36. The radix parameter has to be a value between 2 and 36.

I wrote some code to turn it into an array of decimal numbers. After this transformation the next step was String.fromCharCode(). This javascript function turns a character code into a string, so I had my system do that and transformed my array into characters.
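The two-step decoding described above (parseInt with a radix, then String.fromCharCode), as an added stand-alone example that is not the post's own code. The sample array is constructed here from a harmless string; the decoder rejects entries that are not valid digits of the radix, because parseInt would otherwise silently stop at the first bad character and hand back a wrong code instead of an error.

```javascript
// Digits parseInt accepts, in order: radix 36 uses all of them, radix 16 the first sixteen.
const DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz";

// True when every character of `chunk` is a digit of the given radix.
function isValidDigits(chunk, radix) {
  const allowed = DIGITS.slice(0, radix);
  const s = String(chunk).toLowerCase();
  return s.length > 0 && [...s].every((ch) => allowed.includes(ch));
}

// Turn an array of radix-encoded strings into the text they hide.
function decodeBase36Array(chunks, radix = 36) {
  if (radix < 2 || radix > 36) {
    throw new RangeError(`radix must be between 2 and 36, got ${radix}`);
  }
  const codes = [];
  for (const chunk of chunks) {
    if (!isValidDigits(chunk, radix)) {
      throw new Error(`entry ${JSON.stringify(chunk)} is not a base-${radix} number`);
    }
    const code = parseInt(chunk, radix);
    // String.fromCharCode works on UTF-16 code units, so anything above 0xFFFF
    // would be truncated; surface that instead of producing garbage.
    if (code > 0xffff) {
      throw new RangeError(`entry ${chunk} decodes to ${code}, beyond a UTF-16 code unit`);
    }
    codes.push(code);
  }
  return String.fromCharCode(...codes);
}

// The reverse transformation, used only to build a constructed sample input.
function encodeBase36Array(text, radix = 36) {
  return [...text].map((ch) => ch.charCodeAt(0).toString(radix));
}

// Constructed sample: a harmless statement, not the array from the investigation.
const sample = encodeBase36Array("console.log('decoded');");
console.log(sample);                    // ["2r","2v","2u",...]
console.log(decodeBase36Array(sample)); // console.log('decoded');
```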

When I made the program print the characters one after the other, the content of the obfuscated malicious javascript code revealed itself and I could go on with the investigation.
