Monday, December 29, 2008

Deobfuscating javascript eval() function in ix7.htm

I need to update the details on how to deobfuscate the code inside ix7.htm; this was requested by a friend who viewed my blog post "http://www.web2secure.com/2008/12/exploit-ie0day-ms08-078-to-dumeteexe.html"

Tool:
1. Malzilla

Steps:
1. Find and Replace "a1" with "cuteqqcn"

2. Search for "cuteqqcn" and replace it with "%u", the Unicode escape prefix. This is because the script defines a variable that does the same replacement ("\x25\x75" is "%u"): var infect=unescape(sc.replace(/cuteqqcn/g,"\x25\x75"));



3. You should get output like this.



4. Press "Decode UCS2 (%u)" to decode the Unicode; you should get a result like this.



5. To analyze the code passed to eval(), we change the eval() call to document.write(), because we don't want to execute malicious code on our systems.

6. Press "Run script" to execute the code and see the result.
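Steps 2 to 4 can also be done outside Malzilla without executing anything from the page. The following is an added example, not code from ix7.htm or from Malzilla: it restores "%u" where the "cuteqqcn" marker was, decodes each %uXXXX unit to bytes statically, and lists printable strings. The sample string and all function names are constructed for illustration.

```javascript
// Constructed sample: harmless bytes written as %u units, with the page's
// marker "cuteqqcn" standing in for "%u". Not taken from ix7.htm.
const SAMPLE_SC = ["0001", "0002", "7468", "7074", "2f3a", "652f", "6178",
  "706d", "656c", "692e", "766e", "6c61", "6469", "612f", "0000"]
  .map((unit) => "cuteqqcn" + unit).join("");

// Step 2: put "%u" back where the marker was, the same substitution as
// sc.replace(/cuteqqcn/g, "\x25\x75") in the page's script.
function restoreMarker(sc, marker) {
  return sc.split(marker).join("%u");
}

// Step 4: decode %uXXXX units to bytes without unescape() or eval().
// Each unit is a 16-bit value stored low byte first. Anything that is not a
// %uXXXX unit is returned in `leftover` so a missed marker is visible.
function decodeUcs2(escaped) {
  const bytes = [];
  const leftover = escaped.replace(/%u([0-9a-fA-F]{4})/g, (_, hex) => {
    const unit = parseInt(hex, 16);
    bytes.push(unit & 0xff, unit >> 8);
    return "";
  });
  return { bytes, leftover };
}

// List runs of printable ASCII (URLs, file names) found in the decoded bytes.
function printableStrings(bytes, minLen) {
  const found = [];
  let run = "";
  for (const b of bytes.concat([0])) {   // trailing 0 flushes the last run
    if (b >= 0x20 && b < 0x7f) { run += String.fromCharCode(b); continue; }
    if (run.length >= minLen) found.push(run);
    run = "";
  }
  return found;
}

// Run the whole static pass and summarise what was decoded.
function analyze(sc, marker) {
  const { bytes, leftover } = decodeUcs2(restoreMarker(sc, marker));
  return { length: bytes.length, leftover, strings: printableStrings(bytes, 4) };
}

console.log(analyze(SAMPLE_SC, "cuteqqcn"));
```

A non-empty `leftover` means part of the input was not in %uXXXX form, for example because a second marker is still in place.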
