Firebug-Firefox-extension

From aldeid
Jump to: navigation, search

Description

Firebug is a popular and powerful web development tool that is able to inspect and modify HTML in real-time and that has an advanced JavaScript debugger. It will be convenient to analyze obfuscated JavaScript code thanks to the breakpoint feature.

Installation

Firebug can be downloaded here: https://getfirebug.com/downloads/

Usage example

Obfuscated JavaScript

The below example shows the beginning of a page containing an obfuscated JavaScript:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="keywords" content="#KEYWORDS#" />
<link rel="copyright" href="http://www.gnu.org/copyleft/fdl.html" />
<title>...Berlin with the appointed export lotus notes address book of...</title>
<script>
var arr = "76617220726566203d20646f63756d656e742e72656665727265723b0d[SNIP]7d0d0a0909097d0d0a09097d0d0a097d0d0a7d0d0a";
var table = new Array();
table['0'] = 0;table['1'] = 1;table['2'] = 2;table['3'] = 3;
table['4'] = 4;table['5'] = 5;table['6'] = 6;table['7'] = 7;
table['8'] = 8;table['9'] = 9;table['a'] = 10;table['b'] = 11;
table['c'] = 12;table['d'] = 13;table['e'] = 14;table['f'] = 15;
function markCounter(a) {
	var txt = ""; var c = 0;
	while (c < a.length) {txt += String.fromCharCode(table[a[c]] * 16 + table[a[c + 1]]); c += 2;}
	eval(txt);
}
demo = ""+false;details = "false";
if (demo == details) {
	markCounter(arr);
}

</script>

The content of the arr variable has been shortened.

We notice that the markCounter function is iterating through the arr variable (while loop) and that it then evaluates (eval statement) the txt variable.

We are interested in the value of this variable. It can be easily done with Firebug.

Make sure Firebug takes control of the script when it is loaded

To ensure that Firebug will take control of the script when it will be loaded, we have to add a debugger; statement at the very first line of our script as follows:

[SNIP]
<link rel="copyright" href="http://www.gnu.org/copyleft/fdl.html" />
<title>...Berlin with the appointed export lotus notes address book of...</title>
<script>
debugger;
var arr = "76617220726566203d20646f63[SNIP]d0d0a09097d0d0a097d0d0a7d0d0a";
var table = new Array();
table['0'] = 0;table['1'] = 1;table['2'] = 2;table['3'] = 3;
table['4'] = 4;table['5'] = 5;table['6'] = 6;table['7'] = 7;
[SNIP]

Load the script into Firefox

Then load your script into Firefox. To do so, open Firefox and go to "File > Open file...".

Set a breakpoint

When the script loads into Firefox, you should see a similar screen:

  1. Notice that the script should have stopped at the debugger; location
  2. As we are interested in the txt variable, we right click on this line and set a breakpoint
  3. Notice the red dot on the left indicating the presence of a breakpoint on this line
  4. Now, run the script. It should stop at the next breakpoint

Firebug-001.png

Deobfuscate the txt variable

Now that the script stopped at our breakpoint, we should be able to decode the value of the txt variable:

Firebug-002.png

It could be more convenient to go to the console tab and enter console.log(txt) in the prompt, to see the content of the txt variable:

Firebug-003.png

Comments

blog comments powered by Disqus