Malicious code will use a variety of methods to hamper attempts at reverse engineering them. Obfuscation is common, but other methods include purposefully crashing the application that you’re using to inspect the code.
One of the first things that is done when examining malicious code may be to prettify it in an IDE or using an online tool like prettifyjs.net. But if you do that with this code, and then run it in your browser’s devtools, it’ll crash the tab it’s in. But if you don’t clean it up, it’s a big mess. So what do you do?
First, open your devtools and push the Pause script execution button here.
Next, drop the original unprettified code in your console and hit enter.
When you do, the code you just pasted should start executing and then the debugger should stop it.
Now, click the Prettify button, which is the “{ }” one.
Doing so will make the code nice and readable, and you can run it without it messing with your browser.
Add some breakpoints and then use F10 to step through your code.
In this example, if you stop on line 35 you can then run the functions that decode the encoded payload. Do note that each function will typically first rename the decoding function, _0x5c67 in this example.
There are various techniques that can be used by obfuscators and code compactors to detect whether the code itself has been messed with, and prettification counts as messing with it. The approach above gets around that by running the original code first, and only then producing a prettified version to examine in the browser’s tooling. And that’s it. As always you should do this type of thing in a VM.
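To make the two halves of this concrete, here is an added example (mine, not code from the original post or its Twitter source). It models a small obfuscator-style string-array decoder, the role _0x5c67 plays in the post’s sample, alongside a self-integrity check that stringifies its own source and fails once a prettifier has reflowed it. The table contents, the decoder name _0xdec, the offset scheme and the regex are all constructed for illustration, and the "crash" is modelled as a thrown error rather than anything that hurts the tab. The last function shows the analyst’s step from the walkthrough: with the original, unprettified code already executed, the decoder is simply called directly to recover the strings.

```javascript
// Constructed string table. Real samples hold hundreds of entries and rotate
// the array at startup; this decoder just applies an integer offset.
const STRING_TABLE = ['hello', 'analyst', 'document', 'cookie'];

// Decoder source exactly as a compactor would ship it: a single line.
const COMPACT_SRC = 'return function _0xdec(i,s){return t[(i-s)%t.length];};';

// The same decoder after a prettifier has run over it.
const PRETTY_SRC =
  'return function _0xdec(i, s) {\n  return t[(i - s) % t.length];\n};';

// new Function keeps the inner function's source text verbatim, so
// decoder.toString() reflects whichever formatting it was created with.
function buildDecoder(src) {
  return new Function('t', src)(STRING_TABLE);
}

// Integrity check of the kind anti-analysis code performs: stringify the
// decoder and look for a newline followed by indentation, which minified
// output never contains. Real samples hide the pattern inside the string
// table and react by crashing the tab; this one only reports the result.
function isTampered(decoder) {
  return /\n[ \t]+/.test(Function.prototype.toString.call(decoder));
}

// Guarded entry point: the "crash if prettified" behaviour, modelled as a
// thrown error instead of a tab-killing loop.
function decodeGuarded(decoder, index, shift) {
  if (isTampered(decoder)) throw new Error('tamper check failed');
  return decoder(index, shift);
}

// What the analyst does after pausing at the breakpoint: the decoder is
// already defined in the page, so call it for every index and recover the
// plaintext strings without touching the original source text at all.
function recoverStrings(decoder, shift) {
  const out = [];
  for (let i = 0; i < STRING_TABLE.length; i++) {
    out.push(decoder(i + shift, shift));
  }
  return out;
}

const compact = buildDecoder(COMPACT_SRC);
const pretty = buildDecoder(PRETTY_SRC);

console.log(isTampered(compact), isTampered(pretty)); // false true
console.log(decodeGuarded(compact, 4, 2));            // document
console.log(recoverStrings(compact, 2));              // all four strings
```

The point of the pair is that the same decoder logic passes the check when its source is compact and fails it when reformatted, which is exactly why prettifying before running crashes the sample while running first and prettifying inside devtools does not.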
A modified version of this was originally posted on Twitter:
https://twitter.com/AffableKraut/status/1448313414296784899