Removing obfuscation before modifying script?
May. 20, 2012, 05:10 PM
Post: #1
Removing obfuscation before modifying script?
If code in a web page looks like this for 200k (one long line):

Code:
<script type="text/javascript">document.write(String.fromCharCode(parseInt(0x3c)));document.write(String.fromCharCode(parseInt(0x73)));document.write(String.fromCharCode(parseInt(0x63)));         .... </script>

Is there a filter I can activate that undoes that obfuscation and lets me modify the unobfuscated result to prevent popups/divs/iframes?

IE9 if it matters.
May. 21, 2012, 01:57 PM
Post: #2
RE: Removing obfuscation before modifying script?
there will ALWAYS be "ways" for 'script-kiddies' to "obfuscate" that WILL make it past the best-written script-blockers...

your BEST (and in many ways, ONLY) line of true defense is to NOT ALLOW SCRIPTS BY DEFAULT by enabling the "! |||||||||||| 7.1 Block all Scripts 10.10.16 [sd] (o.3) (Out)" filter...

the simple fact is that if the "coder" feels a need to HIDE behind "obfuscated" code, then should that code be TRUSTED in the first place? i say NO, a TEN-FOLD NO! Smile!
May. 22, 2012, 01:42 AM
Post: #3
RE: Removing obfuscation before modifying script?
No. We can try to block obfuscated scripts, "JS Kill: Specific Escaped Code", and neutralize some Javascript commands, however.
Nov. 24, 2012, 01:37 PM (This post was last modified: Nov. 24, 2012 03:30 PM by neverwasinparis.)
Post: #4
RE: Removing obfuscation before modifying script?
I wonder about the answers, 'cause it is possible.
the solution for this request is in the basics of JavaScript. you will have to get into the slipstream. ever wondered what the '{}' in JavaScript are for? they make sure the commands within are executed 'together'. so all you have to do is to inject a '{' at the very beginning and a '}' at the very end of all JavaScripts and put function calls of your own functions in this slipstream. the functions should be stored in a js-file in the html folder of Proxomitron. another filter injects a script at the beginning of each site that loads this file. make sure that script deletes itself. you don't want to leave any traces. the best trick of a Proxomitron user is to make the webmaster believe he does not exist. so make also sure you remove your function calls. otherwise a webmaster could see them for example with innerHTML, outerHTML or firstChild. be careful to not disintegrate anything. the molecular structure of the scripts has to stay completely intact.
manipulating JavaScript that way is the best I can imagine. that way it is irrelevant HOW the JavaScript code you want to manipulate is written, if it uses specific commands, tries to hide or whatever. your own functions concentrate on WHAT has been done, not on HOW it has been done. if for example you want to remove a specific div element you can remove it before it has been displayed. or you can remove images or iFrames before they are sending a http-request. the limit of possibilities depends on your JavaScript skills.

here is a filter to do this for external scripts:

Code:
Name = "Manipulate external Scripts"
Active = TRUE
Multi = TRUE
URL = "$SET(a=1)"
Bounds = "($TYPE(js)|$TYPE(vbs))(^$IHDR(Content-Disposition:( ) attachment))(((?)\0(^?)$SET(1=\0\n/**/}if(self.ProxManipulateEnd)ProxManipulateEnd()})$STOP())|($TST(a=1)(?)\0$SET(1={{if(self.ProxManipulateBeginning)ProxManipulateBeginning();\0)$SET(a=)))"
Limit = 2
Match = "*"
Replace = "\1"

it's a really shiny filter. it needs only 2 bytes and injects

Code:
{{if(self.ProxManipulateBeginning)ProxManipulateBeginning();

at the beginning and

Code:
\n/**/}if(self.ProxManipulateEnd)ProxManipulateEnd()}

at the end, regardless of the size of the script.

it's much harder to manipulate internal scripts if you want to manipulate all of them and in a safe way. to do so you need to set the byte limit to infinity. that is tricky 'cause you need filters that emulate a primitive HTML parser.
but for today I stop here. test manipulating external scripts. you will love it.
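An added illustration, not code from the thread or from the Proxomitron set, of what the wrapper injected by the filter above does: it builds the same prologue and epilogue, runs a constructed document.write-obfuscated script like the one in post #1 under stub hooks, and lets an End hook drop iframes from the assembled markup before it would be displayed. The stub document, the hook bodies, the onEnd parameter and the sample script are assumptions made here; only the hook names come from the thread.

```javascript
const PROLOGUE = '{{if(self.ProxManipulateBeginning)ProxManipulateBeginning();';
const EPILOGUE = '\n/**/}if(self.ProxManipulateEnd)ProxManipulateEnd()}';
// Same text transformation as the filter's two $SET(1=...) fragments. The
// leading "\n" in EPILOGUE matters: it terminates a trailing // comment that
// would otherwise swallow the closing braces.
function wrapScript(body) {
  return PROLOGUE + body + EPILOGUE;
}

// Stand-in for document.write (constructed): keeps the written fragments so
// the End hook can inspect the assembled markup before anything is rendered.
function makeDocument(events) {
  const parts = [];
  return {
    write(s) { events.push('write'); parts.push(s); },
    get html() { return parts.join(''); },
    set html(s) { parts.length = 0; parts.push(s); },
  };
}

// Builds a document.write(String.fromCharCode(parseInt(0x..))) chain like the
// one in post #1, plus a trailing line comment to exercise the "\n" case.
function obfuscate(text) {
  return [...text].map(c =>
    `document.write(String.fromCharCode(parseInt(0x${c.charCodeAt(0).toString(16)})));`
  ).join('') + '// trailing comment';
}

// Runs the wrapped script in its own function scope. `self` is a plain object
// here (in a browser it is window); onEnd plays the user's ProxManipulateEnd.
function runWrapped(body, onEnd) {
  const events = [];
  const doc = makeDocument(events);
  const hooks = {
    ProxManipulateBeginning() { events.push('begin'); },
    ProxManipulateEnd() { events.push('end'); if (onEnd) onEnd(doc); },
  };
  new Function('self', 'document', 'ProxManipulateBeginning', 'ProxManipulateEnd',
    wrapScript(body))(hooks, doc, hooks.ProxManipulateBeginning, hooks.ProxManipulateEnd);
  return { events, html: doc.html };
}

// Example End hook: remove iframes from what the script assembled, before any
// request for them could be sent.
function stripIframes(doc) {
  doc.html = doc.html.replace(/<iframe\b[^>]*>[\s\S]*?<\/iframe>/gi, '');
}
const SAMPLE_TEXT = '<p>hi</p><iframe src="http://ad.example/"></iframe>';
const SAMPLE = obfuscate(SAMPLE_TEXT);  // constructed input
```

Run `runWrapped(SAMPLE, stripIframes)` to see the event order begin, write..., end and the markup with the iframe already gone.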
Nov. 24, 2012, 09:50 PM
Post: #5
RE: Removing obfuscation before modifying script?
(Nov. 24, 2012 01:37 PM)neverwasinparis Wrote:  I wonder about the answers, 'cause it is possible.

I think all the answers are OK for what was asked.

The question I see is
'Is there a filter in sidki's set that can deobfuscate scripts, so they can be filtered?'
ProxRocks: You can't deobfuscate or trust all of them so block them all...
JJoe: The set doesn't have such a filter but...
neverwasinparis: Here is how you can...

'Here is how you can' posts are always welcome Smile! but I don't think you are suggesting deobfuscation?

I'm not a javascript expert. I think the sidki set's 'proxjs-full.js' and other injected scripts do some of what you are suggesting. It feels like doing more could be very difficult, not complete, and for too little reward. I'll keep it in mind tho. Thanks.
Nov. 27, 2012, 11:40 AM
Post: #6
RE: Removing obfuscation before modifying script?
(Nov. 24, 2012 09:50 PM)JJoe Wrote:  but I don't think you are suggesting deobfuscation?

sort of. I don't like the idea of deactivating or not filtering JavaScript code just because it is obfuscated in whatever way or located in an inline script that exceeds the byte limit of Proxomitron.
if you use the self-created function 'ProxManipulateEnd' you have access to the deobfuscated code right before anything is displayed or http requests are sent. there is no need to deobfuscate something.

(Nov. 24, 2012 09:50 PM)JJoe Wrote:  I'm not a javascript expert. I think the sidki set's 'proxjs-full.js' and other injected scripts do some of what you are suggesting.

what scripts/functions do you mean? I will have a look.
Nov. 27, 2012, 09:02 PM
Post: #7
RE: Removing obfuscation before modifying script?
(Nov. 27, 2012 11:40 AM)neverwasinparis Wrote:  if you use the self created function 'ProxManipulateEnd' you have access to the deobfuscated code right before anything is displayed or http requests are sent. there is no need to deobfuscat something.

do you have an example web page that could demonstrate this?
i'm confused and seeing the HTML code is like a picture, worth a thousand words Smile!
Nov. 28, 2012, 02:17 AM
Post: #8
RE: Removing obfuscation before modifying script?
(Nov. 27, 2012 11:40 AM)neverwasinparis Wrote:  what scripts/functions do you mean? I will have a look.

proxjs-full.js attached

