How do I debug obfuscated javascript embedded in the middle of a page?

Question

I am trying to figure out how this page marmiton works. Most notably, how the following piece of javascript generates the <a> element that appears towards the end of the page:

<div class="lienPlusCom">[ <script language="JavaScript">jsdchtml3('aºerh "=fecer¦ttr¦settecea-e_sivocikoap-se-sidroiana-serxupep--seti-edcohclo-tais-teored-pac-lemar1_1896psa.3 "x"=ditc00lMhpc_ianoCnnetC_m_trtceRlFettehcisiDelp_yamtH_mAlohcnoVruoTriLsoCsetnemmria "selcssaeil"=PnCsul"mosulP¹d oc etnemmria¦ºse¹a');</script> ]</div>

But my javascript debugging skills are fairly limited. Is there someone who could suggest how I would go in stepping through this code once it has been "de-obfuscated" by the browser ? I am currently using firefox with firebug for most of my debugging but I am quite open to switch to another tool if needed.

Answer 1

That JavaScript is calling a function called jsdchtml3() on this long string:

'aºerh "=fecer¦ttr¦settecea-e_sivocikoap-se-sidroiana-serxupep--seti-edcohclo-tais-teored-pac-lemar1_1896psa.3 "x"=ditc00lMhpc_ianoCnnetC_m_trtceRlFettehcisiDelp_yamtH_mAlohcnoVruoTriLsoCsetnemmria "selcssaeil"=PnCsul"mosulP¹d oc etnemmria¦ºse¹a'

We can de-obfuscate jsdchtml3() a little bit:

jsdchtml3=function(s) {
    if (!jsdchtml3.p) {
        String.prototype.afca=String.prototype['ch'+'ar'+'At'];
        jsdchtml3.k='243524534235';
        jsdchtml3.ra=Array('º<','¹>','¦/');
        jsdchtml3.u=function(s) {
            if (!jsdchtml3.u.r) {
                jsdchtml3.u.r=Array();
                for (var i=0,a;i<jsdchtml3.ra.length;i++) {
                    a=jsdchtml3.ra[i].split('');
                    jsdchtml3.u.r[i]=Array(new RegExp(a[0],'gi'),a[1]);
                }
            }
            for (var i=0;i<jsdchtml3.u.r.length;i++)
                s=s.replace(jsdchtml3.u.r[i][0],jsdchtml3.u.r[i][1]);
            return s; 
        };
        jsdchtml3.r=function(a,b,c) {
            for (var j=c-1,o='';j>=0;j--)
                o+=a.afca(b+j);
            return o;
        };
        jsdchtml3.p=function(f,a) {
            var t=jsdchtml3.u(f),i=0,p=0,n,o='';
            while(p<t.length) {
                n=parseInt(a.afca(i++ % a.length));
                o+=jsdchtml3.r(t,p,n);
                p+=n;
            }
            return o;
        };
    }
    document.write(jsdchtml3.p(s,jsdchtml3.k));
};

This will do a document.write of jsdchtml3.p(s,jsdchtml3.k), where s is the long string. Follow this control flow through the functions...it's a bit confusing!

Answer 2

Put

debugger;

where you want the script to stop at. And then you can look at all those variables and elements and all kind of that stuff to see where the problem is.