...

De-Obfuscating JS Code



Mostly Ghostly
08-20-2010, 11:44 AM
Hello all,

I am working on a website for an online store, and all has been going well for the past few months - the site has been running successfully for a while now.

Unfortunately, some git has hacked the site and inserted obfuscated JS code at the bottom of several pages of code. I need to find out what this code is doing in order to find out what's going on and who is doing this.

I have seen other people looking to de-obfuscate JS code, and they seem to get accused of stealing code. I have to insist that what I am doing is completely ethical and honest, and given half a chance I'd like to see these f**kers crucified.

Thanks for any pointers or suggestions you guys can give me.

MG

Fou-Lu
08-20-2010, 06:48 PM
Despite the similar sounding names, Java is not the same as Javascript. Moving from Java forum to Javascript forum.
Interpreted languages still need to be interpreted, so it must follow the rule of standard syntax. So the answer is yes, you can always reverse any obfuscated code.
The code can also be followed as a normal block of programming code; the problem with it is that your variable names have been altered and you must follow it ignoring what the variable names are and viewing it only as code. Not fun, but doable. JS, PHP and Perl don't really suffer from this as much since the languages are all datatype weak, so you needn't care about what variable is of what type, only what is actually being assigned to it.

A better option than worrying about what is in the JS code is to worry about why the code is there in the first place. Injections are usually caused by an insecure server language that is allowing the writing to these files. Instead, remove the JS completely and scour your access logs to determine how it got there; I'd start by looking at anything that has been PUT or POSTed to your site. That will tell you where to start looking.
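
The log review suggested in the reply above, as an added example that is not part of the original thread: a Python sketch that pulls PUT and POST requests out of an access log and groups them by client, method and path. It assumes the Apache/nginx "combined" log format; the sample lines, IP addresses and paths are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumed; adjust the pattern to your server).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
WRITE_METHODS = {"POST", "PUT"}

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Aug/2010:03:12:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Aug/2010:03:14:02 +0000] "POST /admin/upload.php HTTP/1.1" 200 312 "-" "-"
203.0.113.9 - - [18/Aug/2010:03:14:09 +0000] "POST /admin/upload.php HTTP/1.1" 200 298 "-" "-"
198.51.100.7 - - [18/Aug/2010:03:15:30 +0000] "POST /cart/checkout.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Aug/2010:03:16:51 +0000] "PUT /images/logo.php HTTP/1.1" 201 0 "-" "-"
this line is malformed and is skipped
"""

def write_requests(log_text):
    """Yield parsed entries for PUT/POST requests, skipping unparseable lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        yield {
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],  # drop the query string
            "status": int(m["status"]),
        }

def summarize(log_text):
    """Group write requests by (ip, method, path) with count and first/last seen."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "statuses": set()})
    for e in write_requests(log_text):
        g = groups[(e["ip"], e["method"], e["path"])]
        g["count"] += 1
        g["first"] = min(g["first"] or e["time"], e["time"])
        g["last"] = max(g["last"] or e["time"], e["time"])
        g["statuses"].add(e["status"])
    return dict(groups)

if __name__ == "__main__":
    for (ip, method, path), g in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: kv[1]["first"]):
        print(f'{g["first"]:%Y-%m-%d %H:%M:%S} {ip:15} {method:4} {path} x{g["count"]} {sorted(g["statuses"])}')
```

Comparing the first-seen times against the modification times of the altered pages narrows down which of the listed requests to examine first.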


