Decoding non-alphanumeric code with Hackvertor

Wednesday, 3 August 2011

I saw this post from Thomas Stig Jacobsen. He uses eval to decompile the code, I thought there has to be a better way 🙂 so in literally about 30 minutes I managed to do it after a few tweaks to the JSReg code base. What does non-alphanumeric JavaScript look like?


$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"+$.__$+$.__$+$.___+$.$$$_+(![]+"")[$._$_]+(![]+"")[$._$_]+$._$+",\\"+$.$__+$.___+"\\"+$.__$+$.__$+$._$_+$.$_$_+"\\"+$.__$+$.$$_+$.$$_+$.$_$_+"\\"+$.__$+$._$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+"\\\"\\"+$.$__+$.___+")"+"\"")())();

Produced by my friend Yosuke Hasegawa using his JJEncode.

How the hell do you decode that Gareth? (I hear you say). Quite easily actually. First off I extend the Hackvertor environment to allow sandboxed code to call the JSReg parser.


parser.extendWindow("$sandbox$", function(code){});

This makes “sandbox” a global function within each tag, I need to do this because I want to listen for any calls to “Function” and instead of eval’ing the results I simply want to return the string generated. To do this I add more code to the “sandbox” function to create an instance of JSReg and execute the code:-


parser.extendWindow("$sandbox$", function(code){
var js = JSReg.create(), result;
js.setDebugObjects({doNotFunctionEval:true,functionCode: function(code) {
code = code.replace("J.F();var $arguments$=J.A(arguments);",'');
result = code;
}});
try {
js.eval(code);
} catch(e){
return e;
}
return result;
});

So as you can see the magic happens in the debug objects of JSReg, I use the “doNotFunctionEval” to listen to Function but not eval the code sent. Then I use another listener to “functionCode” to intercept the results.

The final Hackvertor tag is dead simple:-

(function(){
return sandbox(code);
})();

The final results can be seen here:-
Decode non-alpha please feel free to go whoa now. That’s sandboxed code calling a unsandboxed function, sending a non-alpha string, sandboxing it, listening to the results and returning the decoded code. In the blink of an eye 🙂

Credits as always to Lever one and Jonas Magazinius for testing JSReg and making this possible.

The entry 'Decoding non-alphanumeric code with Hackvertor' was posted on August 3rd, 2011 at 1:53 pm and is filed under hackvertor, javascript, JSReg, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments are closed :( too much spam. If you want to contact me about any article please email or tweet me.

«
»