2013年4月27日 星期六

Acrobat JavaScript Deobfuscation

http://elsonmath.blogspot.com/

After reading Eric Romang's blog,I try to find a new way to deobfuscate malicious Acrobat JavaScript because using document.write() is some really dirty work.

1. Basic Methods to Deobfuscate Acrobat JavaScript
1.1 document.write()
Pros: using Firebug, Dev tools,
Cons:
     can't recognize PDF-specific objects
     dirty work(possibly)

1.2  console.println()
Pros: can recognize PDF-specific objects(poor man's debugger, :) )
Cons: when analyzing Acrobat JavaScript,this way need add console.println() to
      PDF file, which is boring!  

1.3 Writing script
We can program a script with Python or Perl to do text processing in order to deobfucate Acrobat JavaScript.

Pros: flexible
Cons:
     spend time to write the script
     the script possibly can be used once

1.4 Emulator
e.g., PDF Dissector

Pros: awesome
Cons: no longer available now

2.Using Adobe Reader to debug Acrobat JavaScript
2.1 Adobe Reader
  1). Download debugger.js from http://adobe.ly/Snwvx ,then put the file to Adobe Reader's Javascripts folder.

  2). Modify Registry
   
 
 3). Add menuitem
    
After done these 3 steps above, Adobe Reader will have a new menuitem: Debugger,



then we can debug Acrobat JavaScript.




2.2 Using the method to deobfuscate malicious Acrobat JavaScript

We can the same result as Eric's oTHERWISE, but this way seems more easy, right?

3. Limitation
When los of JavaScript code is displayed in the debugger console, the cosnole will give an error message "cannot continue printing to the console". (hope Adobe can solve the problem! )

沒有留言:

張貼留言