This post is in response to a request by Herbie Zimmerman (@HerbieZimmerman) to show how my decoding process works, applied to a script found on Payload Security by My Online Security (@dvk01uk). Twitter link to the conversation: https://twitter.com/Ledtech3/status/894672552341229568
Link to file download on Payload Security
After downloading the script, this is what we first see. It just looks like a big mess.
If we look at the bottom of this section we find this.
As we can see, it is using “DcyHCgvJUL” as the split delimiter and then rejoining the sections that were created.
What it is effectively doing is replacing the string “DcyHCgvJUL” with nothing, i.e. removing every instance of that string from the full string.
After we do that and clean it up so it is readable, we get this.
Highlighted in green are the function and the char codes that get replaced; shown in red is the “String.fromCharCode” call.
After we clean that up we see this part.
Here “ivtDmuhkcPSLyzelI” gets the value of a registry key, which is the same on Windows 7 and Windows 10.
So the value is “C:\Users\Public\Music”.
Here “rxMIJzwygfbtaPXoR” uses the function “sNIVfMCzcKwAmxOPoEv” to get the char code at index 1, which is decimal 58 (the “:” after the drive letter). Indexing starts at 0 here, so index 1 is the second character.
That’s as far as we can go here, so let's take a look at the remaining parts of the script.
Next we see a section that will get the current year.
The next section looks similar to the first, but if we search for the variable name there is only one hit, which could indicate that it is only there to confuse the reverser.
After looking further down and not finding anything that decodes or uses this function, let's just get rid of this section.
Next we see what the get-year code does.
It gets the current year and compares it with the value 2017; if they match it runs an eval function, which we haven't found yet.
The next section down is another large block of scrambled-looking text. After looking further, this appears to be more junk code, so let's get rid of it too.
That leaves us with this final section, which appears to decode something. Let's clean it up and see what it does.
This section takes the string in “LIDuvEgKznlBWFkV” and runs through it character by character: it gets the char code and adds an amount to it, and if the result equals one of two values, or the file path from the registry does not exist, or the file path value is 58, it ignores that character. Otherwise it converts the adjusted char code back to a character and appends it to a new string.
But first we need to reduce that math expression to know what values it is working with.
To figure out what this evaluates to we have to understand operator precedence for the arithmetic operators: https://www.w3schools.com/js/js_arithmetic.asp
Going by the order of precedence, we get this.
So this value is “-1”.
And the next two values:
Now we can get a better idea of what the values are doing.
So now we know: we get the char code for each character and add “-1” (i.e., subtract 1 from the char code); if the result is 42 or 64 we ignore it and move on to the next character in the string.
When decoded it looks like this.
This could have been done by building an HTML wrapper around the functions needed to decode, but I usually just build a Windows program for this type of decoding.
But you can also see that it still needs to be “unescaped”.
It is meant to be evaluated, so it has extra escapes in it; let's clean it up a little further.
So this is the final script that gets run.
While looking at the code and following all of the eval functions, there was one variable name that was not found anywhere during the decoding process, which suggests to me that this script was called by something else.
This is at the very bottom of the script; it calls the final decoded script to run it.
Well, that's it for now. I hope someone learns from this as I did.