Reputation: 37
So I was looking at a compromised WordPress site and saw this injected JS. It basically had one round of obfuscation (charCodeAt(13-3, 9-2, etc.)). Then, it output the following:
    var key = 'eooquewZmf';
    var enced = '<encoded_base64_blob>';
    function xor_enc(string, key) {
        var res = '';
        for (var i = 0; i < string.length; i++) {
            res += String.fromCharCode(string.charCodeAt(i) ^ key.charCodeAt(i % key.length));
        }
        return res;
    }
I really was trying to understand the obfuscation technique by writing a deobfuscator in Python, rather than just getting the clear text data by running the JS file and getting the clear text.
So I first tried to understand what was happening with the code:
key = xor key, enced = the text to decode
xor_enc appears to take two arguments, "string" and "key".
A variable "res" is an empty string.
A for loop is initialised and will go from 0 to the length of the string, one character at a time.
The "res" variable will be populated by:
a) Each character of "string" will be converted to a char
b) The position of i % (modulo) by the complete length of the key (10 characters)
Then a XOR b. Which will then be returned.
So I think my main issue is understanding b and replicating it in Python. This is what I have so far: https://repl.it/repls/CluelessUnsungDisc, but it's fubar and is returning the following error:
    File "main.py", line 8, in <module>
      newstring += chr(ord(dec[letter]) ^ ord(letter % len(key)))
    TypeError: ord() expected string of length 1, but int found
I don't know if it's my brackets or nesting, but ord is not seeing the character position properly.
The original JS is here: https://pastebin.com/yMz6aP7V (Remember, it's JS from a compromised WordPress site, so it can be malicious)
Any help will be appreciated!
    import base64
    based = "<base64>"
    dec = base64.b64decode(based)
    print(dec)
    key = 'eooquewZmf'
    newstring = ''
    for letter in range(len(dec)):
        newstring += chr(ord(dec[letter]) ^ ord(letter % len(key)))
    print(newstring)
Upvotes: 0
Views: 771
Reputation: 782166
You're supposed to be XORing with an element of key. letter % len(key) is the index of that element (it just cycles through the key with wraparound).
b64decode() returns a bytes object rather than a string, so you can just access the elements as integers, you don't need to call ord().
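    import base64

    def b64_xor(b64, key):
        # b64decode() returns bytes, so each element is already an int
        dec = base64.b64decode(b64)
        newstring = ''
        for i, letter in enumerate(dec):
            # i % len(key) cycles through the key with wraparound
            newstring += chr(letter ^ ord(key[i % len(key)]))
        print(newstring)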
Upvotes: 1
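Added example (not part of the question or the answer above): a static version of the decoder that pulls key and enced out of the script text with a regex instead of running the injected JS, then applies the same repeating-key XOR and returns the result. It assumes, as the question's own attempt does, that enced is base64-decoded before xor_enc is applied; extract_vars, xor_repeating, deobfuscate and the sample data are names and values made up for this illustration.

```python
import base64
import re
from itertools import cycle

# Matches the two assignments in the stage shown in the question:
#   var key = '...';  var enced = '...';
_VAR_RE = re.compile(r"""var\s+(key|enced)\s*=\s*(['"])(.*?)\2\s*;""", re.S)


def extract_vars(js_source):
    """Pull the key and the base64 blob out of the JS text without running it."""
    found = {name: value for name, _quote, value in _VAR_RE.findall(js_source)}
    missing = {"key", "enced"} - found.keys()
    if missing:
        raise ValueError("not found in script: " + ", ".join(sorted(missing)))
    return found["key"], found["enced"]


def xor_repeating(data, key):
    """XOR each byte with the key byte at the same index modulo the key length."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def deobfuscate(js_source):
    """Static equivalent of xor_enc(<base64-decoded enced>, key)."""
    key, enced = extract_vars(js_source)
    # validate=True rejects stray characters instead of silently skipping them.
    raw = base64.b64decode(enced, validate=True)
    # latin-1 maps bytes 0-255 to the same code points, as String.fromCharCode does.
    return xor_repeating(raw, key.encode("latin-1")).decode("latin-1")


# Constructed sample: a harmless string obfuscated with the key from the question.
_PLAIN = "console.log('constructed sample, not the real payload');"
_BLOB = base64.b64encode(xor_repeating(_PLAIN.encode("latin-1"), b"eooquewZmf")).decode("ascii")
SAMPLE_JS = "var key = 'eooquewZmf';\nvar enced = '%s';\n" % _BLOB

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_JS))
```

Because the output is returned as a string and never evaluated, the next layer can be inspected or written to a file for further analysis.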