Published 12 years 8 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read
@fkadev Challenged me to decode some complex non-alpha. See here http://t.co/z7lWyIu5ka. Luckily the techniques I've used previously such as monitoring the Function constructor calls would work in a sandboxed environment. I will walk you through how I did it. Hackvertor runs on a older sandbox I created called JSReg which runs much slower than Mental JS (the newer sandbox) but it still worked perfectly fine to decode the JavaScript.
First step is decode the first layer of non-alpha like so: Decode jjencode
The next step is to replaced the sandboxed accessor calls using find & replace because we need to run the code in the sandbox again. Find replace.
Then finally we need to take the replaced code and execute again in the sandboxed environment and call the anon function to see the hidden variable. This will take a while because the parse time of the sandbox is quite slow. Decoded.
That's it. The backdoored function constructor is very good for decoding JavaScript like this since we can record what's being sent before it's executed.