AngeloD2022 / jsxer

Jsxer is a fast and accurate decompiler for Adobe ExtendScript Binary (JSXBIN) files, featuring JSXBlind deobfuscation.
GNU General Public License v3.0

Inline decompilation of Embedded compiled scripts. #29

Open psyirius opened 2 years ago

psyirius commented 2 years ago
eval("@JSXBIN@ES@2.0@MyBbyBn0ABJAnAARFFdBFdCFdDFdEFdFf0DzABByB");

to

eval(
    /* 
    * Decompiled inline with Jsxbin Decompiler
    * Compiled: "@JSXBIN@ES@2.0@MyBbyBn0ABJAnAARFFdBFdCFdDFdEFdFf0DzABByB"
    */
    "[1, 2, 3, 4, 5];"
);

AngeloD2022 commented 2 years ago

Really good idea!

AngeloD2022 commented 2 years ago

This would involve somehow detecting the function name and ensuring that the argument is a jsxbin-formatted string literal.

AngeloD2022 commented 2 years ago

The question is where to implement this logic. Should it be written in the AST node for function calls?

psyirius commented 2 years ago

> The question is where to implement this logic. Should it be written in the AST node for function calls?

Maybe implement it in the string literal decoder if we need to inline-decompile every possible embedded script. Else in the function call, with a check on the id, or, in case of an indirect call to eval, if the arg len is one and it is a string and it matches the jsxbin signature.
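
The check discussed in this thread (callee name, a single string-literal argument, JSXBIN signature), sketched as a text-level scanner over script source. This is an added example, not part of the issue and not jsxer code; `findEmbeddedJsxbin`, `CALL_RE` and `JSXBIN_SIG` are hypothetical names, and the version-agnostic header pattern is an assumption generalized from the `@JSXBIN@ES@2.0@` header quoted above.

```javascript
// Added example (not jsxer code): find calls whose only argument is a
// JSXBIN string literal. All names here are hypothetical.

// Assumption: header pattern generalized from "@JSXBIN@ES@2.0@" in the issue.
const JSXBIN_SIG = /^@JSXBIN@ES@\d+\.\d+@/;

// callee(...) where the argument list is exactly one quoted string literal.
// The callee may be a dotted path, e.g. $.global.eval.
const CALL_RE =
  /([A-Za-z_$][\w$]*(?:\s*\.\s*[A-Za-z_$][\w$]*)*)\s*\(\s*(["'])((?:\\.|(?!\2)[^\\\n])*)\2\s*\)/g;

function findEmbeddedJsxbin(source) {
  const hits = [];
  for (const m of source.matchAll(CALL_RE)) {
    const [text, callee, , literal] = m;
    if (!JSXBIN_SIG.test(literal)) continue; // plain eval("1 + 1") is skipped
    hits.push({
      callee,
      direct: callee === "eval", // false: indirect call, matched by argument shape only
      start: m.index,
      end: m.index + text.length,
      payload: literal,
    });
  }
  return hits;
}

// Constructed sample input; the payload is the one quoted in the issue.
const BIN = "@JSXBIN@ES@2.0@MyBbyBn0ABJAnAARFFdBFdCFdDFdEFdFf0DzABByB";
const SAMPLE = [
  `eval("${BIN}");`,
  `var run = eval; run("${BIN}");`,
  `eval("1 + 1");`,
  `log("${BIN}", 2);`,
].join("\n");

for (const h of findEmbeddedJsxbin(SAMPLE)) {
  console.log(`${h.direct ? "direct" : "indirect"} ${h.callee} @${h.start}-${h.end}`);
}
```

The `start`/`end` offsets mark the span an inline decompilation would replace; a regex scan like this also matches inside comments, which an AST-level check on the call node would not.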