Need hints on how to de-obfuscate this JavaScript code

Discussion on reverse-engineering and debugging.
GhostLight
Posts: 4
Joined: Mon Oct 17, 2011 2:51 pm

Mon Oct 21, 2013 8:04 pm

Hi,

The attached JavaScript came from http : / / 77977db0 (dot) linkbucks (dot) com/
McAfee recognizes this as "Exploit-PDF.rt.gen", which I find unusual for a JavaScript.

Any hints on how to de-obfuscate it would be welcome.
Xylitol
Global Moderator
Posts: 1684
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Mon Oct 21, 2013 9:00 pm

https://github.com/einars/js.decrypt.javacrypt should work if it's JavaCrypt, and if not, try online services like http://jsunpack.jeek.org or http://wepawet.iseclab.org

Edit:
OK, I used the Firefox Scratchpad to decode it after removing JavaCrypt.
It gives me an MD5 hash at the end: 40badeec8a0ee2cfff89a6e0d933f24d
It's probably legit stuff used by Linkbucks.
GhostLight
Posts: 4
Joined: Mon Oct 17, 2011 2:51 pm

Tue Oct 22, 2013 8:21 pm

Thanks,

it turns out this hash is used in a request to download a very tiny .gif file.