
Reversing XOR Javascript Obfuscation Function with Python

So I was looking at a compromised WordPress site and saw this injected JS. It basically had one round of obfuscation (charCodeAt(13-3, 9-2, etc.)). Then, it output the following:

var key = 'eooquewZmf';
var enced = '<encoded_base64_blob>';

function xor_enc(string, key) {
  var res = '';
  for (var i = 0; i < string.length; i++) {
    res += String.fromCharCode(string.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return res;
}

I really was trying to understand the obfuscation technique by writing a deobfuscator in Python, rather than just getting the clear text data by running the JS file and getting the clear text.

So I first tried to understand what was happening with the code:

Variables

key = xor key, enced = the text to decode

Function

xor_enc appears to take two arguments, "string" and "key".
A variable "res" is an empty string.
A for loop is initialised and will go from 0 to the length of the string, one character at a time.
The "res" variable will be populated by:

a) Each character of "string" will be converted to a char
b) The position of i % (modulo) by the complete length of the key (10 characters)

Then a XOR b. Which will then be returned.

So I think my main issue is understanding b and replicating it in Python. This is what I have so far: https://repl.it/repls/CluelessUnsungDisc, but it's fubar and is returning the following error:

File "main.py", line 8, in <module>
    newstring += chr(ord(dec[letter]) ^ ord(letter % len(key)))
TypeError: ord() expected string of length 1, but int found

I don't know if it's my brackets or nesting, but ord is not seeing the character position properly.

The original JS is here: https://pastebin.com/yMz6aP7V (Remember, it's JS from a compromised WordPress site, so it can be malicious)

Any help will be appreciated!

based ="<base64>"
dec = base64.b64decode(based)
print(dec)
key = 'eooquewZmf'
newstring = ''
for letter in range(len(dec)):
    newstring += chr(ord(dec[letter]) ^ ord(letter % len(key)))
    print(newstring)


You're supposed to be XORing with an element of key. letter % len(key) is the index of that element (it just cycles through the key with wraparound).

b64decode() returns a bytes object rather than a string, so you can just access the elements as integers; you don't need to call ord().

import base64

def b64_xor(b64,key):
  dec = base64.b64decode(b64)
  newstring = ''
  for i, letter in enumerate(dec):
    newstring += chr(letter ^ ord(key[i % len(key)]))
  print(newstring)

DEMO
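A static decoder along the lines of the answer above, as an added example (not code from the question, the answer, or the original sample): it reads `key` and `enced` out of the JS text with a regex, so the injected script is never executed, and does the XOR on bytes. It assumes `enced` is base64 that is decoded before `xor_enc` is applied, as the answer does; the function names and the sample blob are constructed for illustration.

```python
import base64
import re
from itertools import cycle

# Matches the two assignments as they appear in the decoded stage on this page:
#   var key = '...';   var enced = '...';
ASSIGN = re.compile(r"""var\s+(key|enced)\s*=\s*(['"])(.*?)\2\s*;""", re.S)


def extract_params(js_source: str) -> dict:
    """Pull `key` and `enced` out of the JS text without executing it."""
    found = {name: value for name, _, value in ASSIGN.findall(js_source)}
    missing = {"key", "enced"} - found.keys()
    if missing:
        raise ValueError(f"not found in source: {sorted(missing)}")
    return found


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the byte-level equivalent of the page's xor_enc()."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_stage(js_source: str) -> str:
    """Base64-decode `enced`, XOR it with `key`, and return the text."""
    p = extract_params(js_source)
    raw = base64.b64decode(p["enced"], validate=True)
    # latin-1 maps each byte to one code point, like String.fromCharCode(byte).
    return xor_bytes(raw, p["key"].encode("latin-1")).decode("latin-1")


# Constructed sample: a harmless plaintext encoded with the key shown on the page.
KEY = "eooquewZmf"
PLAIN = "console.log('constructed sample payload');"
BLOB = base64.b64encode(xor_bytes(PLAIN.encode("latin-1"), KEY.encode())).decode()
SAMPLE_JS = f"var key = '{KEY}';\nvar enced = '{BLOB}';\n"

if __name__ == "__main__":
    print(decode_stage(SAMPLE_JS))
```

Returning bytes from `xor_bytes` keeps the decoded stage intact for hashing or writing to disk even when it contains non-printable bytes.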
