Deobfuscating generic BlackHole 2 with JsADO

I wrote this article to describe how to use JsADO (JS-Auto-DeObfuscator), a small project I am developing to automatically deobfuscate JavaScript code. JsADO hooks a JS function such as eval to capture the code about to be executed, or element.appendChild to dump the HTML object about to be inserted into the page.

I am going to explain how to use JsADO on this example, an obfuscated Blackhole exploit kit 2.0 script. Remember to use wget (on Linux) if you want to download a sample from a malicious site.

Step 1: Use JS Beautifier to understand the code!
Open the file in your preferred editor, copy the code and paste it into JS Beautifier. You then have to analyze the script to understand how it works:

    <body>
    <div dqa="asd">
    </div>
                asd3 = function () {
                    a = a.replace(/[^0-9a-z]/g, k);
                g = "getEleme";
                p = "Int";
                cc = "co";
                ss = String["fromCharCode"];
                gg = "Attribute";
                ggg = "google";

                function asd() {
                    e = window["eval"];
                    e("if(1)" + s);
                ddd = "ad".substr(1);
                sss = "sub" + "str";

                function asd2() {
                    r = a["get" + gg](i);
                qa2 = 2;

                function asd5() {
                    s += ss(p(a[sss](i, qa2), qa));
                } </script>
    <u id="google" 32="k25)501k ....h5b5c)59551j5b"></u>
    <script> g += "ntById";
                if (window.document) {
                    if (021 == 0x11) d = window.document;
                    try {
                        asd3 * f2
                    } catch (dsgdsg) {
                        a = d[g](ggg);
                    p = eval("parse" + p);
                    s = "";
                    for (i = 0;; i++) {
                        if (r) {
                            s = s + r;
                        } else break;
                    a = s;
                    s = "";
                    k = "";
                    qa = 0x15;
                    for (i = 0; i < a.length; i += 2) {
                                } </script>
    </body></html>

Briefly: the script uses getElementById to get the element with id “google”, calls eval a first time (p = eval("parse" + p);) to fool tools like JsADO, and then builds the string s, which is finally evaluated with eval inside the asd() function, called at the end.

Step 2: Use JsADO to deobfuscate
I suggest setting up the environment with Selenium support if you don’t want to press F5 in the browser yourself; alternatively you can set useS when running jsado from the console. If you are on Windows you should set the absolute path of Firefox, and remember to replace ‘\’ with ‘\\’!

After that we can start using jsado: put test5.html into the same directory as jsado and run in the console:

python test5.html eval useJB   <-- see the readme for a description

You should see Firefox opening (if you haven’t changed the script and you have configured the environment), showing you: 1) parseInt, as expected.
Now look at the console for a moment; it shows: “Do you want to increment the eval execution times? y/n :”. Press y and watch what happens in Firefox: you should see something like this:

1) parseInt

2) if (1) try {
    var PluginDetect = {
        version: "0.7.8",
        name: "PluginDetect",
... //other code

The code is deobfuscated; now you can analyze it to understand what it does 😉
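As an added example (not part of this post and not JsADO’s own code), the following Node.js script reproduces the two mechanisms described in Step 1 and Step 2: an eval hook in the spirit of JsADO that numbers every string handed to eval, like the “1) parseInt”, “2) if (1) …” output above, and the decoder the sample uses (drop everything outside [0-9a-z], read two characters at a time, parseInt in base 0x15, String.fromCharCode). The function names, the encoder and the payload are my own constructions, since the real attribute value is elided in the listing.

```javascript
// Added example (not JsADO's own code): reproduce the two mechanisms this post relies on.
// 1. An eval hook in the spirit of JsADO: every string handed to eval is recorded,
//    numbered like JsADO's "1) parseInt", "2) if(1) ..." output, then still executed.
// 2. The string decoder used by the sample: drop everything outside [0-9a-z],
//    read two characters at a time, parseInt them in base 0x15 (21), fromCharCode.
const evalLog = [];                // strings captured by the hook, in call order
const realEval = globalThis.eval;  // keep the original so execution continues

// JsADO-style hook: window["eval"] / globalThis.eval now resolves to this wrapper.
globalThis.eval = function hookedEval(code) {
  evalLog.push(`${evalLog.length + 1}) ${code}`);
  return realEval(code);           // indirect call, same global scope as before
};

// Same steps as "a.replace(/[^0-9a-z]/g, k)" and the "for (i = 0; i < a.length; i += 2)" loop.
function decodeBlackhole(encoded, radix = 0x15) {
  const clean = encoded.replace(/[^0-9a-z]/g, '');
  let out = '';
  for (let i = 0; i < clean.length; i += 2) {
    out += String.fromCharCode(parseInt(clean.substr(i, 2), radix));
  }
  return out;
}

// Inverse of the decoder, used only to build a constructed attribute value
// (the real sample's attribute is elided in the listing above). Pairs are separated
// with ')' like the fragment "k25)501k" so the decoder has something to strip.
function encodeBlackhole(text, radix = 0x15) {
  return [...text].map(c => c.charCodeAt(0).toString(radix).padStart(2, '0')).join(')');
}

// Constructed, harmless stand-in for the kit's second stage.
const stage2 = 'var PluginDetect = {version: "0.7.8"}; PluginDetect.version';
const attr = encodeBlackhole(stage2);

// Replays the sample's flow: a decoy eval("parse" + "Int"), decode, then
// e = window["eval"]; e("if(1)" + s) exactly as asd() does.
function runSample() {
  evalLog.length = 0;
  const p = globalThis.eval('parse' + 'Int');
  const s = decodeBlackhole(attr);
  const e = globalThis.eval;
  const result = e('if(1)' + s);
  return { p, s, result, log: evalLog.slice() };
}

console.log(runSample().log.join('\n'));
```

The hook only records and forwards; a real analysis run would stop before forwarding the second stage and inspect the captured string instead.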

Final consideration
This was just a brief description of how to deobfuscate a script with my jsado. If you find that it doesn’t work well on a script and you want to help me improve it, contact me on the forum 🙂