Rhino
Description
Rhino is an open-source implementation of JavaScript written entirely in Java. It is typically embedded into Java applications to provide scripting to end users. It is embedded in J2SE 6 as the default Java scripting engine.
Rhino-debugger is a Graphical User Interface (GUI) for debugging JavaScript. It is convenient for malware analysts who need to deobfuscate JavaScript, because the script can be stopped just before it executes its decoded payload and the decoded value inspected.
Installation
$ sudo aptitude install rhino
Usage
Usage: rhino-debugger script.js
Example
Obfuscated JavaScript
Let's deobfuscate a JavaScript:
$ cat /data/tmp/malware/storm.js
function xor_str(plain_str, xor_key){
    var xored_str = "";
    for (var i = 0 ; i < plain_str.length; ++i)
        xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));
    return xored_str;
}
var plain_str = "\x94\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe [SNIP] \xdb\xc3\x9c\x84\x9d\x8f\x94\xc9\xbe\xbe\xc9\xbe\xbe\xc7\xc0\xd5\xc6\xc0\x9c\x9d\x8f\xbe";
var xored_str = xor_str(plain_str, 180);
document.write(xored_str);
It's important that you insert line breaks at the places where you intend to put your breakpoints, because a breakpoint applies to a whole line: if the entire script is on one line, there is no line on which execution can stop before document.write runs.
Start Rhino JavaScript Debugger
Now, let's start Rhino JavaScript Debugger:
$ rhino-debugger /data/tmp/malware/storm.js &
You should see the script in Rhino.
Set a breakpoint
Now, let's set a breakpoint at the line where document.write appears. To do that, right click on the appropriate line and select "Set Breakpoint" from the menu, as follows:
Run script
Then press the "Go" button to run the script. It should stop at your breakpoint:
Evaluate variable
Now, you can evaluate the value of the xored_str variable by double clicking in the expression cell, entering xored_str and pressing "Enter".
The value of the deobfuscated code appears in the "value" column. You can copy the content and paste it into a text editor.
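The same recovery can be done without the GUI, which is handy when many samples have to be processed. The following is an added example, not code from the original page or from the Rhino project: it reuses the single-byte XOR routine that storm.js carries, replaces the browser's document object with one that records what would have been written instead of rendering it, and adds a brute force over all 256 possible keys for samples where the key is not as obvious as the literal 180 above. The encoded payload is constructed here from a known plaintext so that the example runs offline; it is not the snipped storm.js string.

```javascript
// Added example (not from the original page): recover the text an
// XOR-obfuscated script would pass to document.write, without a debugger.

// Same decoding routine the obfuscated script carries: XOR every UTF-16 code
// unit with a single-byte key. XOR is its own inverse, so the same function
// both encodes and decodes.
function xorStr(plainStr, xorKey) {
  let out = "";
  for (let i = 0; i < plainStr.length; ++i) {
    out += String.fromCharCode(xorKey ^ plainStr.charCodeAt(i));
  }
  return out;
}

// CONSTRUCTED sample: a known plaintext encoded with the key the page's
// sample uses (180). A real sample would already contain the encoded bytes.
const SAMPLE_KEY = 180;
const SAMPLE_PLAINTEXT = '<script>alert("deobfuscated")</script>';
const SAMPLE_ENCODED = xorStr(SAMPLE_PLAINTEXT, SAMPLE_KEY);

// Stand-in for the browser's document object: instead of rendering the decoded
// markup it records every write so the analyst can read it.
function makeCapturingDocument() {
  const writes = [];
  return {
    write(s) { writes.push(String(s)); },
    writeln(s) { writes.push(String(s) + "\n"); },
    captured() { return writes.join(""); },
  };
}

// Replay the obfuscated script's logic against the capturing document and
// return whatever it tried to write. Works for any single-byte XOR sample.
function recoverDocumentWrite(encoded, key) {
  const document = makeCapturingDocument(); // shadows the (absent) global
  const decoded = xorStr(encoded, key);
  document.write(decoded);
  return document.captured();
}

// Single-byte XOR keys are cheap to brute force: try all 256 keys, keep only
// outputs that are entirely printable ASCII (tabs/newlines allowed), and rank
// them by how many typical HTML/JS markers they contain, because several keys
// can produce printable but meaningless text.
function bruteForceXorKey(encoded, markers = ["<script", "eval(", "document.", "function"]) {
  const printable = /^[\x09\x0a\x0d\x20-\x7e]+$/;
  const candidates = [];
  for (let key = 0; key < 256; ++key) {
    const text = xorStr(encoded, key);
    if (!printable.test(text)) continue;
    const score = markers.filter((m) => text.includes(m)).length;
    candidates.push({ key, score, text });
  }
  // Highest score first; ties keep ascending key order.
  return candidates.sort((a, b) => b.score - a.score || a.key - b.key);
}
```

To use it on a real sample, paste the sample's plain_str literal in place of SAMPLE_ENCODED and call recoverDocumentWrite(encoded, 180) when the key is visible in the script, or bruteForceXorKey(encoded)[0] when it is not; only the output of the capturing document is produced, nothing from the sample is executed as markup.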