Let’s do a quick dive into pulling the interesting bits out of an obfuscated #magecart script, by which I mostly mean the exfil URL. This only covers one of the most common obfuscator styles, the one featured at javascriptobfuscator.com and obfuscator.io.
There are lots of other types as well, but this is a good place to start. First, the simplest type: hex-encoded strings, i.e. string literals written out as \xNN escapes. You can play with that one here: gist.github.com/krautface/aed4…
This one is really easy to deobfuscate completely using beautifier.io, but if you just want to know what’s in that array of strings, copy the [ … ] into your devtools console and hit enter. The engine resolves the escape sequences in the literals for you, and presto, your work is done.
Next up: base64 encoded. This one is easy as well. First, grab the array (the bit in the square brackets [...]), drop it into devtools, and see what happens. Nothing magical, right? It just spits the base64 strings back at you. gist.github.com/krautface/e5a5…
Unlike octal and hex escapes, JavaScript doesn’t decode base64 on its own, so you need to decode it with the atob function. Paste the array into devtools again, but this time append the following: .map(atob) One caveat: atob throws on anything that isn’t valid base64, so if the array also holds short plain-text entries you will have to skip those.
And, finally, the difficult one: RC4. It looks like the previous base64 example, but if you try the previous technique you’ll end up with a mess. That’s because the base64 only wraps ciphertext: RC4 is a stream cipher, and without the right key the decoded bytes are meaningless. If you’re bored you can read more here: en.wikipedia.org/wiki/RC4
Here’s an example of a skimmer that uses RC4 encryption. Each string of sufficient length is encrypted with its own key string: gist.github.com/krautface/69e8…
If you take that array at the top and try our previous methods you’ll get nowhere, so let’s look at the code a little. Since every string has to be decrypted again at runtime, there must be a function that does the decrypting, and that function must be called repeatedly.
And because RC4 is a keyed cipher, that function most likely takes two arguments: which string, and which key. In the example code there’s only one good candidate: the _0x35cb function.
It takes two arguments, is called repeatedly, and, once you start looking inside it, you see some telling functions being used: atob, replace, charAt, fromCharCode, indexOf, etc.
Scroll down a little farther and there’s an array named _0xf97f being built from the output of that function, which takes an index (in hex) into the string array and a key. Drop a debugger; on line 140, run the code, and inspect the array’s contents: you’ll see most of the interesting bits of this basic skimmer.
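The three devtools tricks above, collected into one script you can paste into the console or run under Node. This is an added example, not code from the thread, from the gists or from obfuscator.io: the arrays it decodes are constructed here (the RC4 one is built by running the cipher forwards, since RC4 is symmetric), and the names decodeEscapedArray, decodeBase64Array, rc4, decodeRc4Entry and recoverStrings are my own. It assumes the layout the thread implies for the RC4 case: each array entry is base64 wrapping standard RC4 ciphertext, decrypted with the key that the call site passes next to the hex index.

```javascript
// Added example (not code from the thread or from obfuscator.io): helpers for
// the three string-array flavours the thread walks through, runnable in the
// browser devtools console or in Node. Every sample array below is constructed
// for this demo; "base64 wrapping plain RC4 ciphertext, one key per call site"
// is an assumption about the skimmer the thread describes.

// atob/btoa exist in browsers and in Node 16+; fall back to Buffer elsewhere.
const b64decode = (s) => (typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('binary'));
const b64encode = (s) => (typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'binary').toString('base64'));

// --- Type 1: hex/octal escapes ---------------------------------------------
// "Paste the [...] into devtools" is just evaluating the array literal, which
// makes the engine resolve the \xNN / \NNN escapes. Only ever do this with the
// array literal, never with the skimmer's code. Sloppy mode on purpose: octal
// escapes are a SyntaxError under "use strict".
function decodeEscapedArray(arrayLiteralText) {
  return Function('return (' + arrayLiteralText + ');')();
}
// Constructed sample: the raw text you would copy out of the obfuscated file.
const hexArrayText = "['\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74', '\\x66\\x6f\\x72\\x6d\\x73']";

// --- Type 2: base64 ---------------------------------------------------------
// .map(atob) is the whole trick, but atob throws on anything that is not valid
// base64 and returns binary junk for short plain strings that happen to fit the
// alphabet, so keep the original entry unless the decoded result is printable.
function decodeBase64Array(arr) {
  const printable = /^[\x20-\x7e\t\r\n]*$/;
  return arr.map((s) => {
    try {
      const out = b64decode(s);
      return printable.test(out) ? out : s;
    } catch (e) {
      return s; // not base64 at all, leave it alone
    }
  });
}
const base64Array = ['ZG9jdW1lbnQ=', 'Zm9ybXM=', 'click!']; // constructed

// --- Type 3: RC4 ------------------------------------------------------------
// Plain RC4 (KSA + PRGA) over binary strings. The cipher is symmetric, so the
// same function encrypts and decrypts; that is how the sample array is built.
function rc4(key, data) {
  if (!key) throw new Error('RC4 needs a non-empty key');
  const s = Array.from({ length: 256 }, (_, n) => n);
  let j = 0;
  for (let i = 0; i < 256; i++) { // key scheduling
    j = (j + s[i] + key.charCodeAt(i % key.length)) & 0xff;
    [s[i], s[j]] = [s[j], s[i]];
  }
  let out = '';
  let i = 0;
  j = 0;
  for (let k = 0; k < data.length; k++) { // keystream generation XORed in
    i = (i + 1) & 0xff;
    j = (j + s[i]) & 0xff;
    [s[i], s[j]] = [s[j], s[i]];
    out += String.fromCharCode(data.charCodeAt(k) ^ s[(s[i] + s[j]) & 0xff]);
  }
  return out;
}

// Mirror of what a decoder like the thread's _0x35cb(index, key) does: pick the
// entry by hex index, strip the base64 wrapper, RC4-decrypt with the call
// site's key, then reinterpret the bytes as UTF-8 via percent-decoding.
function decodeRc4Entry(stringArray, hexIndex, key) {
  const raw = rc4(key, b64decode(stringArray[parseInt(hexIndex, 16)]));
  try {
    return decodeURIComponent(raw.replace(/[\s\S]/g, (c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2)));
  } catch (e) {
    return raw; // not valid UTF-8, hand back the raw bytes
  }
}

// Walk every (hexIndex, key) call site, the pairs that build an array like the
// thread's _0xf97f, and collect the plaintexts. Scripted "debugger; on line 140".
function recoverStrings(stringArray, callSites) {
  return callSites.map(([hexIndex, key]) => decodeRc4Entry(stringArray, hexIndex, key));
}

// Constructed mock skimmer: plaintexts and per-site keys are made up here and the
// string array is produced by running the same RC4 forwards.
const rc4Plaintexts = ['document', 'forms', 'https://exfil.example/collect'];
const rc4Keys = ['aK#1', 'q9$z', 'Xy!7'];
const rc4StringArray = rc4Plaintexts.map((p, n) => b64encode(rc4(rc4Keys[n], p)));
const rc4CallSites = rc4Keys.map((k, n) => ['0x' + n.toString(16), k]);

// Hex-encode a binary string, handy for comparing against published RC4 vectors.
function toHex(binary) {
  return Array.from(binary, (c) => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

// What you would run on a real sample, step by step:
console.log(decodeEscapedArray(hexArrayText));             // [ 'document', 'forms' ]
console.log(decodeBase64Array(base64Array));               // [ 'document', 'forms', 'click!' ]
console.log(recoverStrings(rc4StringArray, rc4CallSites)); // last entry is the exfil URL
```

On a live sample you don’t have to reimplement the cipher at all: the debugger approach in the thread lets you call the script’s own decoder (the _0x35cb-style function) with each (index, key) pair, which is exactly what recoverStrings does against the mock array here. Reimplementing it is mainly useful when you want to decode a sample offline without executing any of its code.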
And there you go: how to quickly get the interesting bits out of this type of obfuscated JavaScript, which is widely used in digital skimmers / #magecart.
Thread by Affable Kraut