Monday, April 1, 2013

Acrobat JavaScript Deobfuscation

After reading Eric Romang's blog, I tried to find a new way to deobfuscate malicious Acrobat JavaScript, because using document.write() is really dirty work.

1. Basic Methods to Deobfuscate Acrobat JavaScript
1.1 document.write()
Pros: works with Firebug and the browser's dev tools
Cons:
     can't recognize PDF-specific objects (a browser has no app, util or this.info objects, so a script that reads them fails before it decodes anything)
     dirty work (possibly)

1.2  console.println()
Pros: can recognize PDF-specific objects (a poor man's debugger :) )
Cons: to use it when analyzing Acrobat JavaScript, console.println() calls have to be added to the
      PDF file itself, which is boring!

1.3 Writing a script
We can program a script in Python or Perl that does the text processing needed to deobfuscate the Acrobat JavaScript.

Pros: flexible
Cons:
     it takes time to write the script
     the script can possibly be used only once (each obfuscator needs its own)

1.4 Emulator
e.g., PDF Dissector

Pros: awesome
Cons: no longer available

2. Using Adobe Reader to debug Acrobat JavaScript
2.1 Adobe Reader
  1). Download debugger.js from http://adobe.ly/Snwvx , then put the file in Adobe Reader's JavaScripts folder.

  2). Modify the registry

  3). Add a menu item

After these three steps, Adobe Reader has a new menu item, Debugger, and we can debug Acrobat JavaScript.




2.2 Using this method to deobfuscate malicious Acrobat JavaScript

We get the same result as Eric did, but this way seems easier, right?

3. Limitation
When a lot of JavaScript code is displayed in the debugger console, the console gives the error message "cannot continue printing to the console". (Hope Adobe can solve the problem!)

  
