Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
New JavaScript obfuscator: JScrambler
Posted by: fsilva
Date: March 05, 2010 08:07AM

Hello guys,

There is a new JavaScript obfuscation service (www.jscrambler.com) open for beta test registration atm. Testing the available transformations might be an interesting thing to do :) so here goes an enumeration of the features, transformations and techniques that can be found there:

* Size code reduction transformations
* Potent and resilient obfuscation transformations
* Anti-debugging techniques
* Lexical and syntactic analysis of the JavaScript source code

* Remove code comments, white spaces and newlines
* Replace identifiers for smaller and randomly created ones
* Replace common DOM calls for associative array selection

Example:

Source:

document.write(navigator.plugins.length);

Obfuscated:

var H8_o=this;
for (H in H8_o){
if (H.length==9){
if (H.charCodeAt(0)==110){
if (H.charCodeAt(8)==114){
break;
}
}
}
}
for (J3a in H8_o[H]){
if (J3a.length==7){
if (J3a.charCodeAt(0)==112){
if (J3a.charCodeAt(6)==115){
break;
}
}
}
}
var s=this;
for (K in s){
if (K.length==8){
if (K.charCodeAt(0)==100){
if (K.charCodeAt(7)==116){
break;
}
}
}
}
s[K]["write"](H8_o[H][J3a]["length"]);

* Replace literals for a random number of conditional operators (?:)

Example:

Source:

i=0

Obfuscated:

i=253.23>0xfe?this:2e1>13?0:15<0x3?1:Math

* Dead code insertion protected by hardly determinable predicates by static code analysis
* Reorder of function definitions
* Codify the source code and protect it from debugging
* Checksum verifications of the source code to detect attempts of code changes

More examples and information can be found at the JScrambler website.

Re: New JavaScript obfuscator: JScrambler
Posted by: Gareth Heyes
Date: March 05, 2010 10:45AM

It sucks.

Using for..in loops for objects is bad because it will break code whenever an object prototype is modified and is trivial to decode. You use ternary operations to obfuscate numbers??? <hugeSarcasm>Yeah that's really good</hugeSarcasm>

http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php#aT08QGRfamF2YXNjcmlwdF80PjI1My4yMz4weGZlP3RoaXM6MmUxPjEzPzA6MTU8MHgzPzE6TWF0aCA8QC9kX2phdmFzY3JpcHRfND4%3D

You might want to look at this:-
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php#PEBoYXNlZ2F3YV8wKCKqwMHCw8TGyMnKy8zNzs%2FQ0dLT1NXW2Nna29zd3t%2Fg4eLj5OXm5%2Bjp6uvs7e7v8PHy8%2FT19vj5%2Bvv8%2Ff4kXyIpPmFsZXJ0KCdXYWtlIHVwIGFuZCBzbWVsbCB0aGUgbm9uLWFscGhhbnVtZXJpYyBjb2RlJyk8QC9oYXNlZ2F3YV8wPg%3D%3D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]
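
The property-lookup transformation from the first post and the two objections in the reply, as an added example that is not code from the thread or from JScrambler: the constraints in each loop can be read back with a regular expression, and at run time the loop settles on whichever matching key enumerates first. The name list, the `clean` and `polluted` objects and all function names are constructed for illustration.

```javascript
// Added example. OBFUSCATED holds the three loops from the first post; the
// name list and the two objects are constructed for illustration.
const OBFUSCATED = [
  'for (H in H8_o){if (H.length==9){if (H.charCodeAt(0)==110){if (H.charCodeAt(8)==114){break;}}}}',
  'for (J3a in H8_o[H]){if (J3a.length==7){if (J3a.charCodeAt(0)==112){if (J3a.charCodeAt(6)==115){break;}}}}',
  'for (K in s){if (K.length==8){if (K.charCodeAt(0)==100){if (K.charCodeAt(7)==116){break;}}}}',
].join('\n');

// Pull (length, first char code, last char code) out of each loop.
function extractConstraints(source) {
  const re = /(\w+)\.length==(\d+)[\s\S]*?\1\.charCodeAt\(0\)==(\d+)[\s\S]*?\1\.charCodeAt\(\d+\)==(\d+)/g;
  return Array.from(source.matchAll(re), (m) => ({
    len: Number(m[2]), first: Number(m[3]), last: Number(m[4]),
  }));
}

const matches = (name, c) => name.length === c.len &&
  name.charCodeAt(0) === c.first && name.charCodeAt(c.len - 1) === c.last;

// Static recovery: test each constraint against a list of known property names.
function resolveNames(source, knownNames) {
  return extractConstraints(source).map((c) => knownNames.filter((n) => matches(n, c)));
}

// Runtime behaviour of the loops: the first matching enumerable key wins, and
// if nothing matches the variable is left holding the last key enumerated.
function obfuscatedLookup(obj, c) {
  let key;
  for (key in obj) {
    if (matches(key, c)) break;
  }
  return key;
}

const KNOWN = ['document', 'navigator', 'plugins', 'location', 'history', 'userAgent'];
const clean = { document: {}, navigator: { plugins: [] } };
// A colliding key ("numerator": 9 chars, n...r) that enumerates before the target.
const polluted = { numerator: 1, document: {}, navigator: { plugins: [] } };
```

`resolveNames(OBFUSCATED, KNOWN)` returns one candidate list per loop, and comparing `obfuscatedLookup(clean, c)` with `obfuscatedLookup(polluted, c)` for the first constraint shows the silent mis-resolution.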

Re: New JavaScript obfuscator: JScrambler
Posted by: fsilva
Date: March 06, 2010 08:07AM

Gareth Heyes Wrote:
-------------------------------------------------------
> Using for..in loops for objects is bad because it
> will break code whenever an object prototype is
> modified

But when? After obfuscation or before obfuscation? If it is after obfuscation forget it, because there is no point trying to change the object prototype after obfuscation. If it is before obfuscation, no worries because the transformation you are referring to targets only DOM objects and you are not able to mess with internal DOM prototypes so easily. Even if doing so it would work for a specific browser, it would not work for all, and that is what I would call break the code - even before the transformation is applied.

So the use of for..in loops to access DOM properties by enumerating associative arrays that represent the content of DOM objects is not condemned to fail because of that. They would fail more easily if the differences between the content of those associative arrays in all the existing browsers are not taken into consideration.

Gareth Heyes Wrote:
-------------------------------------------------------
> is trivial to decode

Anything of that size or anything using only one obfuscation transformation is, in most cases, easily de-obfuscated. Now, when using a set of transformations (more than one) that go further than what can be called polymorphic transformations, e.g., transformations that change the execution flow, data structures, even the introduction of anti-debugging techniques, make the "is trivial to decode" argument disappear.

Gareth Heyes Wrote:
-------------------------------------------------------
> You use...

Do not make it personal because I'm just sharing information. I'm not the inventor. But since you did...

Gareth Heyes Wrote:
-------------------------------------------------------
> ...ternary operations to obfuscate numbers???

Transformations like that one produce the base for others to act on. Anyone who knows what obfuscation quality means knows that this particular transformation is not a resilient enough transformation on its own. Maybe (as an example) hardly predictable variables in place of the literals found in the ternary operations' arguments would do the trick.

Gareth Heyes Wrote:
-------------------------------------------------------
> http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php#aT08QGRfamF2YXNjcmlwdF80PjI1My4yMz4weGZlP3RoaXM6MmUxPjEzPzA6MTU8MHgzPzE6TWF0aCA8QC9kX2phdmFzY3JpcHRfND4%3D

http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php#aT08QGRfamF2YXNjcmlwdF80PigoKDB4NDQzNSw3Lik%2BPSguNjEsOS4xMmUyKT8oMSw0LjAzM2UzKTooMjY2LDcuMWUxKSksKCgweDk3PD0uMT83LjYxNmUzOjIuMTc2ZTMpLCguMzk8OGUwPzA6MjAzMikpKTxAL2RfamF2YXNjcmlwdF80Pg%3D%3D

Gareth Heyes Wrote:
-------------------------------------------------------
> It sucks.

I find it hard to believe when that is said so lightly, even more when a chance to try a solution was not given yet. <sharingWisdom> A wise man once told me that we should not express our opinion as fast as we take a shit </sharingWisdom>. That is something that always comes to my mind when reading something like "it sucks.".

Re: New JavaScript obfuscator: JScrambler
Posted by: thornmaker
Date: March 06, 2010 07:17PM

hm...

*5 minute pause*

yeah, it still sucks

Re: New JavaScript obfuscator: JScrambler
Posted by: sirdarckcat
Date: March 06, 2010 08:29PM

would you mind if I make a website called www.unjscrambler.com that deobfuscates your code?

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: New JavaScript obfuscator: JScrambler
Posted by: Gareth Heyes
Date: March 08, 2010 04:05AM

@fsilva

It's not personal that your obfuscation sucks. Please read this section of the forums to understand why. I like obfuscation, I didn't want your code to suck, but it does.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New JavaScript obfuscator: JScrambler
Posted by: SAS
Date: March 08, 2010 07:27PM

I must give fsilva some credit for putting this up for peer review; that is to be encouraged in my opinion.

Re: New JavaScript obfuscator: JScrambler
Posted by: Gareth Heyes
Date: March 09, 2010 02:41AM

@SAS

Absolutely, maybe I was a bit harsh, but it smells like spam

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New JavaScript obfuscator: JScrambler
Posted by: SAS
Date: March 09, 2010 09:36PM

@Gareth Heyes

Ah yes, that might be a good consideration as well. Personally I have no clue if his obfuscation is any good, I don't feel very at home obfuscating stuff, let alone de-obfuscating it, although I do know that it's pretty much all the time pointless to pursue cloaking JavaScript from an attacker's standpoint. Not to mention the valid argument of yours that it can break all sorts of things, plus some AV scanners might go berserk on a blob of random code that changes all the time. ;-)

Options: ReplyQuote
Re: New JavaScript obfuscator: JScrambler
Posted by: Anonymous User
Date: June 29, 2010 01:17PM

JScrambler beta test results:

original:
with(location)if(hash){eval(hash.slice(1));}else{with(document)confirm(domain + ' is vulnerable to xss\\n'+cookie);}

becomes:
(function (){var v=0,r=0,S='~',o="",Z=new Array(743,72,63,116,15,49,93,53,76,105,103,106,28,41,20,33,109,83,3,87,26,104,99,12,5,24,34,46,23,61,96,77,38,74,13,47,32,113,78,10,52,88,40,69,115,59,112,30,2,35,71,100,19,95,107,14,58,97,91,43,16,64,25,11,39,27,79,92,68,55,66,98,42,18,36),I=arguments.callee.toString().replace(/[\s\'\"\)\}\]\[\;\.\{\(]/g,"").length;function f(w,C){return w-C;}z="v`shfui!)tldour/mb`mnbmdd/un`Ruushofh)(/sdqnom`(bhgd)!.)iZ]`rr]&i](#]z(]d|w]\\]Z`m)]i`r:]i//]zr])\\.f-mh##(/mbdd)of)ui031/=<)92/8D0-1y0GC(>)9/-0(;)1y07C-1yE((((:|dmrd!zvhui!)enbtldou(bnoghsl)enl`ho*&!hr!wtmods`cmd!un!yrr]]o&*bnnjhd(:|";Q=Z.sort(f);q=Q[Z.length-1];while (v<Z.length-1){o=o+String.fromCharCode(z.charCodeAt(Q[v]-(I-q))^1);v++;}h=eval(o);D="";for (var b=0;b<z.length;b+=h-q){if (b==Q[r]-1&&r<Z.length-1){r++;}else {if (z.charAt(b)==S){D=D+S;}else {
D=D+String.fromCharCode(z.charCodeAt(b)^1);}}};eval(D);})();

now do this:
xxxx=function(ø)alert(Function(ø).toSource(ø));
(function (){var v=0,r=0,S='~',o="",Z=new Array(743,72,63,116,15,49,93,53,76,105,103,106,28,41,20,33,109,83,3,87,26,104,99,12,5,24,34,46,23,61,96,77,38,74,13,47,32,113,78,10,52,88,40,69,115,59,112,30,2,35,71,100,19,95,107,14,58,97,91,43,16,64,25,11,39,27,79,92,68,55,66,98,42,18,36),I=arguments.callee.toString().replace(/[\s\'\"\)\}\]\[\;\.\{\(]/g,"").length;function f(w,C){return w-C;}z="v`shfui!)tldour/mb`mnbmdd/un`Ruushofh)(/sdqnom`(bhgd)!.)iZ]`rr]&i](#]z(]d|w]\\]Z`m)]i`r:]i//]zr])\\.f-mh##(/mbdd)of)ui031/=<)92/8D0-1y0GC(>)9/-0(;)1y07C-1yE((((:|dmrd!zvhui!)enbtldou(bnoghsl)enl`ho*&!hr!wtmods`cmd!un!yrr]]o&*bnnjhd(:|";Q=Z.sort(f);q=Q[Z.length-1];while (v<Z.length-1){o=o+String.fromCharCode(z.charCodeAt(Q[v]-(I-q))^1);v++;}h=eval(o);D="";for (var b=0;b<z.length;b+=h-q){if (b==Q[r]-1&&r<Z.length-1){r++;}else {if (z.charAt(b)==S){D=D+S;}else {
D=D+String.fromCharCode(z.charCodeAt(b)^1);}}};xxxx(D);})();

result:
  function anonymous() {
      with (location) {
          if (hash) {
              eval(hash.slice(120 <= (839, 507) ? (8, 1) : (363, 13)));
          } else {
              with (document) {
                  confirm(domain + (" is vulnerable to xss\\n" + cookie));
              }
          }
      }
  }

reported - let's see what they come up with. Contest idea: give us an obfuscation that we cannot defeat with one line of JS!

:)



Edited 2 time(s). Last edit at 06/29/2010 02:08PM by .mario.
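
An added example, not from the posts or from JScrambler: a small constant folder for the literal-and-ternary transformation, run on the expression from the first post and on the `hash.slice(...)` argument in the decoded result above. It accepts only a subset of JavaScript (numeric literals, bare identifiers, one comparison per operand, `?:`, the comma operator and parentheses); `tokenize` and `foldExpression` are hypothetical names.

```javascript
// Added example: constant-folds literal-only expressions. The grammar is a small
// subset of JavaScript: numbers, identifiers, one comparison, ?:, comma, parens.
function tokenize(src) {
  const re = /\s*(0x[0-9a-f]+|(?:\d+\.?\d*|\.\d+)(?:e[+-]?\d+)?|[a-z_$][\w$]*|[<>]=?|==|[?:,()])/giy;
  const tokens = [];
  while (re.lastIndex < src.length) {
    const at = re.lastIndex;
    const m = re.exec(src);
    if (!m) throw new SyntaxError('unsupported input at offset ' + at);
    tokens.push(m[1]);
  }
  return tokens;
}

function foldExpression(src) {
  const toks = tokenize(src.trim());
  let pos = 0;
  const peek = () => toks[pos];
  const next = () => toks[pos++];
  const expect = (t) => { if (next() !== t) throw new SyntaxError('expected ' + t); };

  function primary() {
    const t = next();
    if (t === undefined) throw new SyntaxError('unexpected end of input');
    if (t === '(') { const v = comma(); expect(')'); return v; }
    if (/^[\d.]/.test(t)) return Number(t);          // decimal, hex or exponent form
    if (/^[A-Za-z_$]/.test(t)) return { ident: t };  // unresolved name, kept symbolic
    throw new SyntaxError('unexpected token ' + t);
  }
  function relational() {
    const left = primary();
    if (!/^([<>]=?|==)$/.test(peek() || '')) return left;
    const op = next();
    const right = primary();
    if (typeof left !== 'number' || typeof right !== 'number') {
      throw new TypeError('comparison operands must be numeric literals');
    }
    return { '<': left < right, '>': left > right, '<=': left <= right,
             '>=': left >= right, '==': left === right }[op];
  }
  function conditional() {
    const test = relational();
    if (peek() !== '?') return test;
    next();
    const whenTrue = conditional();
    expect(':');
    const whenFalse = conditional();
    if (typeof test === 'object') throw new TypeError('condition is not a constant');
    return test ? whenTrue : whenFalse;
  }
  function comma() {                                  // value of the last operand
    let v = conditional();
    while (peek() === ',') { next(); v = conditional(); }
    return v;
  }
  const value = comma();
  if (pos !== toks.length) throw new SyntaxError('trailing tokens');
  return typeof value === 'object' ? value.ident : value;
}

const FROM_FIRST_POST = '253.23>0xfe?this:2e1>13?0:15<0x3?1:Math';
const FROM_DECODED_RESULT = '120 <= (839, 507) ? (8, 1) : (363, 13)';
```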

Re: New JavaScript obfuscator: JScrambler
Posted by: Gareth Heyes
Date: June 30, 2010 11:17AM

(function x(c){
var hexcase=0;
var b64pad="";
function hex_md5(s){return rstr2hex(rstr_md5(str2rstr_utf8(s)));}
function hex_hmac_md5(k,d)
{return rstr2hex(rstr_hmac_md5(str2rstr_utf8(k),str2rstr_utf8(d)));}

function rstr_md5(s)
{
return binl2rstr(binl_md5(rstr2binl(s),s.length*8));
}
function rstr_hmac_md5(key,data)
{
var bkey=rstr2binl(key);
if(bkey.length>16)bkey=binl_md5(bkey,key.length*8);
var ipad=Array(16),opad=Array(16);
for(var i=0;i<16;i++)
{
ipad[i]=bkey[i]^0x36363636;
opad[i]=bkey[i]^0x5C5C5C5C;
}
var hash=binl_md5(ipad.concat(rstr2binl(data)),512+data.length*8);
return binl2rstr(binl_md5(opad.concat(hash),512+128));
}
function rstr2hex(input)
{
try{hexcase}catch(e){hexcase=0;}
var hex_tab=hexcase?"0123456789ABCDEF":"0123456789abcdef";
var output="";
var x;
for(var i=0;i<input.length;i++)
{
x=input.charCodeAt(i);
output+=hex_tab.charAt((x>>>4)&0x0F)
+hex_tab.charAt(x&0x0F);
}
return output;
}
function rstr2b64(input)
{
try{b64pad}catch(e){b64pad='';}
var tab="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var output="";
var len=input.length;
for(var i=0;i<len;i+=3)
{
var triplet=(input.charCodeAt(i)<<16)
|(i+1<len?input.charCodeAt(i+1)<<8:0)
|(i+2<len?input.charCodeAt(i+2):0);
for(var j=0;j<4;j++)
{
if(i*8+j*6>input.length*8)output+=b64pad;
else output+=tab.charAt((triplet>>>6*(3-j))&0x3F);
}
}
return output;
}
function rstr2any(input,encoding)
{
var divisor=encoding.length;
var i,j,q,x,quotient;
var dividend=Array(Math.ceil(input.length/2));
for(i=0;i<dividend.length;i++)
{
dividend[i]=(input.charCodeAt(i*2)<<8)|input.charCodeAt(i*2+1);
}
var full_length=Math.ceil(input.length*8/
(Math.log(encoding.length)/Math.log(2)));
var remainders=Array(full_length);
for(j=0;j<full_length;j++)
{
quotient=Array();
x=0;
for(i=0;i<dividend.length;i++)
{
x=(x<<16)+dividend[i];
q=Math.floor(x/divisor);
x-=q*divisor;
if(quotient.length>0||q>0)
quotient[quotient.length]=q;
}
remainders[j]=x;
dividend=quotient;
}
var output="";
for(i=remainders.length-1;i>=0;i--)
output+=encoding.charAt(remainders[i]);
return output;
}
function str2rstr_utf8(input)
{
var output="";
var i=-1;
var x,y;
while(++i<input.length)
{
x=input.charCodeAt(i);
y=i+1<input.length?input.charCodeAt(i+1):0;
if(0xD800<=x&&x<=0xDBFF&&0xDC00<=y&&y<=0xDFFF)
{
x=0x10000+((x&0x03FF)<<10)+(y&0x03FF);
i++;
}
if(x<=0x7F)
output+=String.fromCharCode(x);
else if(x<=0x7FF)
output+=String.fromCharCode(0xC0|((x>>>6)&0x1F),
0x80|(x&0x3F));
else if(x<=0xFFFF)
output+=String.fromCharCode(0xE0|((x>>>12)&0x0F),
0x80|((x>>>6)&0x3F),
0x80|(x&0x3F));
else if(x<=0x1FFFFF)
output+=String.fromCharCode(0xF0|((x>>>18)&0x07),
0x80|((x>>>12)&0x3F),
0x80|((x>>>6)&0x3F),
0x80|(x&0x3F));
}
return output;
}
function str2rstr_utf16le(input)
{
var output="";
for(var i=0;i<input.length;i++)
output+=String.fromCharCode(input.charCodeAt(i)&0xFF,
(input.charCodeAt(i)>>>8)&0xFF);
return output;
}
function str2rstr_utf16be(input)
{
var output="";
for(var i=0;i<input.length;i++)
output+=String.fromCharCode((input.charCodeAt(i)>>>8)&0xFF,
input.charCodeAt(i)&0xFF);
return output;
}
function rstr2binl(input)
{
var output=Array(input.length>>2);
for(var i=0;i<output.length;i++)
output[i]=0;
for(var i=0;i<input.length*8;i+=8)
output[i>>5]|=(input.charCodeAt(i/8)&0xFF)<<(i%32);
return output;
}
function binl2rstr(input)
{
var output="";
for(var i=0;i<input.length*32;i+=8)
output+=String.fromCharCode((input[i>>5]>>>(i%32))&0xFF);
return output;
}
function binl_md5(x,len)
{
x[len>>5]|=0x80<<((len)%32);
x[(((len+64)>>>9)<<4)+14]=len;
var a=1732584193;
var b=-271733879;
var c=-1732584194;
var d=271733878;
for(var i=0;i<x.length;i+=16)
{
var olda=a;
var oldb=b;
var oldc=c;
var oldd=d;
a=md5_ff(a,b,c,d,x[i+0],7,-680876936);
d=md5_ff(d,a,b,c,x[i+1],12,-389564586);
c=md5_ff(c,d,a,b,x[i+2],17,606105819);
b=md5_ff(b,c,d,a,x[i+3],22,-1044525330);
a=md5_ff(a,b,c,d,x[i+4],7,-176418897);
d=md5_ff(d,a,b,c,x[i+5],12,1200080426);
c=md5_ff(c,d,a,b,x[i+6],17,-1473231341);
b=md5_ff(b,c,d,a,x[i+7],22,-45705983);
a=md5_ff(a,b,c,d,x[i+8],7,1770035416);
d=md5_ff(d,a,b,c,x[i+9],12,-1958414417);
c=md5_ff(c,d,a,b,x[i+10],17,-42063);
b=md5_ff(b,c,d,a,x[i+11],22,-1990404162);
a=md5_ff(a,b,c,d,x[i+12],7,1804603682);
d=md5_ff(d,a,b,c,x[i+13],12,-40341101);
c=md5_ff(c,d,a,b,x[i+14],17,-1502002290);
b=md5_ff(b,c,d,a,x[i+15],22,1236535329);
a=md5_gg(a,b,c,d,x[i+1],5,-165796510);
d=md5_gg(d,a,b,c,x[i+6],9,-1069501632);
c=md5_gg(c,d,a,b,x[i+11],14,643717713);
b=md5_gg(b,c,d,a,x[i+0],20,-373897302);
a=md5_gg(a,b,c,d,x[i+5],5,-701558691);
d=md5_gg(d,a,b,c,x[i+10],9,38016083);
c=md5_gg(c,d,a,b,x[i+15],14,-660478335);
b=md5_gg(b,c,d,a,x[i+4],20,-405537848);
a=md5_gg(a,b,c,d,x[i+9],5,568446438);
d=md5_gg(d,a,b,c,x[i+14],9,-1019803690);
c=md5_gg(c,d,a,b,x[i+3],14,-187363961);
b=md5_gg(b,c,d,a,x[i+8],20,1163531501);
a=md5_gg(a,b,c,d,x[i+13],5,-1444681467);
d=md5_gg(d,a,b,c,x[i+2],9,-51403784);
c=md5_gg(c,d,a,b,x[i+7],14,1735328473);
b=md5_gg(b,c,d,a,x[i+12],20,-1926607734);
a=md5_hh(a,b,c,d,x[i+5],4,-378558);
d=md5_hh(d,a,b,c,x[i+8],11,-2022574463);
c=md5_hh(c,d,a,b,x[i+11],16,1839030562);
b=md5_hh(b,c,d,a,x[i+14],23,-35309556);
a=md5_hh(a,b,c,d,x[i+1],4,-1530992060);
d=md5_hh(d,a,b,c,x[i+4],11,1272893353);
c=md5_hh(c,d,a,b,x[i+7],16,-155497632);
b=md5_hh(b,c,d,a,x[i+10],23,-1094730640);
a=md5_hh(a,b,c,d,x[i+13],4,681279174);
d=md5_hh(d,a,b,c,x[i+0],11,-358537222);
c=md5_hh(c,d,a,b,x[i+3],16,-722521979);
b=md5_hh(b,c,d,a,x[i+6],23,76029189);
a=md5_hh(a,b,c,d,x[i+9],4,-640364487);
d=md5_hh(d,a,b,c,x[i+12],11,-421815835);
c=md5_hh(c,d,a,b,x[i+15],16,530742520);
b=md5_hh(b,c,d,a,x[i+2],23,-995338651);
a=md5_ii(a,b,c,d,x[i+0],6,-198630844);
d=md5_ii(d,a,b,c,x[i+7],10,1126891415);
c=md5_ii(c,d,a,b,x[i+14],15,-1416354905);
b=md5_ii(b,c,d,a,x[i+5],21,-57434055);
a=md5_ii(a,b,c,d,x[i+12],6,1700485571);
d=md5_ii(d,a,b,c,x[i+3],10,-1894986606);
c=md5_ii(c,d,a,b,x[i+10],15,-1051523);
b=md5_ii(b,c,d,a,x[i+1],21,-2054922799);
a=md5_ii(a,b,c,d,x[i+8],6,1873313359);
d=md5_ii(d,a,b,c,x[i+15],10,-30611744);
c=md5_ii(c,d,a,b,x[i+6],15,-1560198380);
b=md5_ii(b,c,d,a,x[i+13],21,1309151649);
a=md5_ii(a,b,c,d,x[i+4],6,-145523070);
d=md5_ii(d,a,b,c,x[i+11],10,-1120210379);
c=md5_ii(c,d,a,b,x[i+2],15,718787259);
b=md5_ii(b,c,d,a,x[i+9],21,-343485551);
a=safe_add(a,olda);
b=safe_add(b,oldb);
c=safe_add(c,oldc);
d=safe_add(d,oldd);
}
return Array(a,b,c,d);
}
function md5_cmn(q,a,b,x,s,t)
{
return safe_add(bit_rol(safe_add(safe_add(a,q),safe_add(x,t)),s),b);
}
function md5_ff(a,b,c,d,x,s,t)
{
return md5_cmn((b&c)|((~b)&d),a,b,x,s,t);
}
function md5_gg(a,b,c,d,x,s,t)
{
return md5_cmn((b&d)|(c&(~d)),a,b,x,s,t);
}
function md5_hh(a,b,c,d,x,s,t)
{
return md5_cmn(b^c^d,a,b,x,s,t);
}
function md5_ii(a,b,c,d,x,s,t)
{
return md5_cmn(c^(b|(~d)),a,b,x,s,t);
}
function safe_add(x,y)
{
var lsw=(x&0xFFFF)+(y&0xFFFF);
var msw=(x>>16)+(y>>16)+(lsw>>16);
return(msw<<16)|(lsw&0xFFFF);
}
function bit_rol(num,cnt)
{
return(num<<cnt)|(num>>>(32-cnt));
}
try{delete eval;}catch(e){}
var o = '';
var k = hex_md5(x+'')+'';
for(var i=0;i<c.length;i++) {
 o+=String.fromCharCode(c.charCodeAt(i)^k.charCodeAt(i));
}
eval(o);
})(decodeURIComponent('%04_UDMN%08%1E'));

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 06/30/2010 11:17AM by Gareth Heyes.

Re: New JavaScript obfuscator: JScrambler
Posted by: Anonymous User
Date: July 01, 2010 03:05AM

@Gareth Lol - nice alert(1) - but.. I was rather addressing the JScrambler guys. Who btw did not respond so far :P

Re: New JavaScript obfuscator: JScrambler
Posted by: Gareth Heyes
Date: July 01, 2010 06:19AM

@mario

Yeah but my point was for your jsdecoder:-
try{delete eval;}catch(e){}

How would you get round that? And then modifying the function inside in any way will break the payload. Of course the entire function should be obfuscated but I was just making it more clear.

Two possible ways to auto decode it:-
1. Rewrite the function then grab the hash of the x function. Could be made more difficult by using chained functions and closures.
2. Spy on String.fromCharCode etc. If try{delete String;}catch(e){} returned the original function this wouldn't work

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New JavaScript obfuscator: JScrambler
Posted by: Anonymous User
Date: July 01, 2010 02:40PM

I know - we have a partially working solution for it :)

Re: New JavaScript obfuscator: JScrambler
Posted by: Gareth Heyes
Date: July 02, 2010 05:28AM

Here's another technique: modifying the function with toString/valueOf. Place the original code in an anon function and store the original.

<script>
(function(){
window.x = function(){alert(x);}
var code=window.x+'';
alert(code);
window.x.valueOf = window.x.toString = function() { return 123; };
})();alert(x);x();
</script>

Now if both functions check themselves by hashing themselves it makes it difficult to decode. You could even change the toString/valueOf to modify one character thus breaking the hash. The decoder would have to specifically look for toString/valueOf of a hashed function in order to remove it.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]
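
An added example, not code from the posts: a constructed self-keyed function in the style of the one above, decoded by spying on String.fromCharCode (option 2 in the earlier post) rather than by editing its source, plus a decoder-side check for the toString/valueOf override from the last post. `checksum` is a stand-in for the MD5 routine, the payload is a harmless constructed expression, and every name is hypothetical.

```javascript
// Added example. All names here are hypothetical and the sample is constructed.
// Stand-in for the MD5 in the thread: any digest of the source text works.
function checksum(text) {
  let h = 0;
  for (let i = 0; i < text.length; i++) h = (h * 31 + text.charCodeAt(i)) >>> 0;
  return h.toString(16).padStart(8, '0');
}

// Constructed sample: the XOR key is a digest of the function's own source.
const sample = function self(c) {
  const k = checksum(self + '');
  let o = '';
  for (let i = 0; i < c.length; i++) {
    o += String.fromCharCode(c.charCodeAt(i) ^ k.charCodeAt(i % k.length));
  }
  return eval(o);
};

// XOR is its own inverse, so encoding uses the same key derivation.
function encodeFor(fn, payload) {
  const k = checksum(Function.prototype.toString.call(fn));
  return Array.from(payload, (ch, i) =>
    String.fromCharCode(ch.charCodeAt(0) ^ k.charCodeAt(i % k.length))).join('');
}

// Decoder approach 2 from the post: record what String.fromCharCode emits while
// the untouched function runs, so the self-derived key stays valid.
function captureDecoded(run) {
  const original = String.fromCharCode;
  let captured = '';
  String.fromCharCode = function (...codes) {
    const s = original.apply(String, codes);
    captured += s;
    return s;
  };
  try { run(); } finally { String.fromCharCode = original; }
  return captured;
}

// Source editing (swapping eval for a return) changes the digest and the key.
function patchedCopy(fn) {
  const src = Function.prototype.toString.call(fn).replace('return eval(o)', 'return o');
  return eval('(' + src + ')');
}

// The toString/valueOf override from the last post, and a decoder-side check.
const spoofed = function () { return 1; };
spoofed.toString = spoofed.valueOf = function () { return 123; };
const realSource = (fn) => Function.prototype.toString.call(fn);
const sourceIsSpoofed = (fn) =>
  ['toString', 'valueOf'].some((m) => Object.prototype.hasOwnProperty.call(fn, m));

const PAYLOAD = '[1, 2, 3].length * 14'; // constructed, harmless
const encoded = encodeFor(sample, PAYLOAD);
const recovered = captureDecoded(() => sample(encoded));
const brokenOutput = patchedCopy(sample)(encoded);
```

`recovered` holds the decoded payload text, while `brokenOutput` is what the edited copy produces from the same argument. `realSource(spoofed)` still returns the function text even though `spoofed + ''` yields `123`.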
