Hackvertor obfuscated code tutorial

I thought I’d post a quick tutorial on how Hackvertor can be used to decode obfuscated javascript. This is based on a real request on sla.ckers. I’ll walk you through the code and tidy it up and show you how to use the advanced tags to easily decode the encoded string.

Warning disclaimer

Do not try and execute the javascript provided, only use it within the Hackvertor input window. I have not executed or tested what the code does I have only decoded. Use this tutorial at your own risk.

Decoding

I’ve tidied up the code if you would like to see how it’s encoded.

The code is quite simple, a large string is used as the payload which I’ve renamed “payload”. “r28” does nothing it is a empty string, I guess it’s there to make decoding more difficult. It doesn’t.

The payload is then looped through until the end of the string and two characters are extracted in each loop. These two characters are passed to a “fromHex” function which I’ve helpfully renamed and the parseInt function is used to transform the characters from hex into decimal numbers.

Then the result is stored in the “decoded” string which again I’ve renamed, before finally passing the decoded string to the document.write call which sends the result to be outputted to the page.

Light work for Hackvertor

Pretty easy so far eh? The code isn’t heavily obfuscated and is pretty easy to understand. I’ve talked about making it more difficult but no matter how difficult it is the encoding will eventually lose the race.

To decode it with Hackvertor we need to first remove any unneeded strings like the “r28” variable which actually contains nothing. We can do this with the replace tag in Hackvertor, look in the HVURL at the bottom and you’ll see the first replace tag. Remember Hackvertor works from the inner part outwards.

<@replace_25("'\+r28\+'",)>

The first part is just the name and number of the tag “replace_25”, the parenthesis indicate that it’s a Hackvertor parameter. In this case replace accepts “find this” as the first param and a second param which is the replace string. So we use “‘\+r28\+'” to find the blank variable and replace it with nothing. It works as a regular expression that’s why the + has been escaped.

Next we use the replace tag again to remove all instances of single quotes or semi-colons

<@replace_26("[';]",)>

Then we use the

<@find_0(.{2},gim)>

tag to extract the two hex characters we require again this is a regular expression. This tag returns the matches as a comma separated list.

We use the comma separated hex values with our next tag

<@hex2dec_0(',')>

which loops through the commas and converts every hex sequence into decimal. The param tells the tag to use a regular expression to split the characters in this case it is commas.

<@fromcharcodes_1>

is used to convert our now decimal sequence of characters into the actual characters from the character code number. This tag does not use params.

Finally I use

<@find_1("'.+'",gim)>

to find the urlencoded sequence, replace any unwanted characters with

<@replace_2("'",)>

which removes all single quotes.

<@d_enc_3>

simple urldecodes the sequence which returns our decoded string.

The final result is available here and the javascript never gets executed only decoded.