How would you reverse engineer this?

Backend · unresolved · 7 replies · 746 views
Asked by 我在风中等你, 2021-02-10 13:54

I've got some code that was at the bottom of a php file that is in javascript. It goes through lots of weird contortions like converting hex to ascii then doing regex replacem

7 answers

  •  栀梦 (original poster)
     2021-02-10 14:10

    Whilst you can decode manually, it can soon get tedious when you have many stages of decoding. I usually replace eval/write to see each step:

    
    

    However this particular script is protected against this by deliberate inspection of window.eval. Use of arguments.callee also means the script relies on a particular browser's Function.toString format, in this case IE's - it won't work on other browsers. You can put workarounds in the replacement eval function to give the script what it expects in this case, but it's still a bit of a pain.

    You could use the Script Debugger to step through the code, or what I did in this case was allow the code to run, in a virtual machine with no networking that I could afford to write off. By looking at document.body.innerHTML after the code had run I found it added an invisible iframe pointed at:

    hxxp://62bc13b764ad2799.bbe4e7d3df5fdea8.axa3.cn/elanguage.cn/
    

    which redirects to:

    hxxp://google.com.upload.main.update.originalcn.cn/ebay.cn/index.php
    

    which, viewed in suitable conditions in IE, gives you a load of exploits. Don't go to these URLs.

    In short your server has been hacked by axa3.cn, one of the many Chinese-hosted but Russian-operated malware gangs in operation at the moment.
