# Analyzing JavaScript in HTML

**1. Analyzing `re_texrjs.html`:**

* **Initial Inspection with Notepad++:**
  * **Aid to be Function:**
    * This is a base64 decoding function.
    * Decodes data passed to `document.write()` function.
    * **`document.write()`** expects HTML, indicating the decoded data is another HTML code.
* **Using CyberChef for Decoding:**
  * **Step 1:** Copy the base64 data from the HTML file.
  * **Step 2:** Use CyberChef to decode the base64 string.
  * **Decoded Output:** Reveals another stage of JavaScript within `<script>` tags.

**2. Analyzing the Decoded JavaScript:**

* **Inspecting with Notepad++:**
  * The JavaScript begins with an `eval()` function.
  * **Key Functions to Look For:**
    * **`document.write()`:** Dynamically writes string arguments into the HTML workspace; expected to be HTML format.
    * **`eval()`:** Executes the passed string as JavaScript code; often used by threat actors for executing obfuscated code.
* **Modifying the Code:**
  * Replace the `eval()` function by storing its argument in a new variable, `two_eval`.
  * Modify the script to include HTML tags for debugging.
  * Save the modified file as `decoded.html`.

**3. Debugging with Google Chrome:**

* **Loading the Modified HTML File:**
  * Drag and drop `decoded.html` into Chrome.
  * **Expectation:** The code executes, resulting in a string stored in `two_eval`.
* **Using Developer Tools:**
  * Press **F12** to open Developer Tools.
  * Navigate to the **Sources** tab and locate the `decoded.html` file.
  * **Inspect Variable Contents:**
    * Enter the `two_eval` variable name in the Console tab to view its content, revealing more JavaScript code.
* **Behavior Analysis:**
  * The final stage displays a message and redirects to a potentially malicious domain, `thisbadsite.com`.

**4. Debugging JavaScript with Visual Studio Code (VS Code):**

* **Installation Issues:**
  * If issues arise with VS Code on Flare VM, reinstall it using the Chocolatey package manager.
  * **Disable Internet:** Avoid conflicts with loopback addresses during debugging.
* **Setting Up Debugging in VS Code:**
  * Open the HTML sample in VS Code.
  * Add a new line before the JavaScript code to enable breakpoint setting.
  * Set a breakpoint by pressing **F9** or clicking next to the line number.
  * Click the **Debug** icon and select **Run and Debug** using Chrome.
* **Debugging Process:**
  * **Breakpoint Hit:** VS Code opens Chrome and stops at the breakpoint.
  * **Using Step Functions:**
    * **F11 (Step Into):** For functions like `document.write()` or `eval()`.
    * **Shift + F11 (Step Out):** To exit loops or functions.
  * **Final Stage Analysis:** Continuously pressing F11 shows the obfuscated text, followed by the final JavaScript stage.

**5. Key Takeaways:**

* **Understanding Functions:**
  * Familiarize with functions like `document.write()` and `eval()` for effective JavaScript analysis.
* **Obfuscation Awareness:**
  * Be cautious of obfuscated JavaScript code, often used by threat actors to hide malicious activity.
* **Tool Utilization:**
  * Use CyberChef for decoding and Notepad++ or VS Code for detailed inspection and debugging.
* **Practical Debugging:**
  * Visual Studio Code offers advanced debugging features, allowing you to control the execution flow and analyze each stage of JavaScript code in detail.