Closed awakened9879 closed 4 years ago
I have previously attempted to deobfuscate Shape's VM (sample available at https://static1.st8fm.com/en_US/b2c_dvts/common/js/lib/StateFarmCommon.js?seed=AED81Gl0AQAALEz8hIvHvZeXQkQK86AUN7Y6IcUKEPYR88JgTb0AIuagh-Ma&J5odCIZGx--z=q) but I did not get very far.
But here's a few things I picked up on (first pass the script into https://beautifier.io/):
This is the function (yW) that actually executes the instructions. yB is basically the VM context. The "i" function of yB is the one that runs the next instruction.
function yW(yB) { var yV, yy; for (;;) { if (Mr !== X) { yy = Mr; Mr = X; return yy } yV = yB.i(); if (yB.K.length === 0) { Xn[yV](yB) } else { jC(Xn[yV], yB) } } }
Also, the big array of functions is all of the opcodes for the VM.
The big blob of data passed to the function F is the VM "binary" (encoded of course).
var jP = F("HwGCmLkNAL4WtrM...."
The strings used in the VM
var H = ["Rmgz0NiizkdOIuLbNz5yWqxr", "ogU6wvy3sEIhOqePW2g8Guk8vqFYYQva", "1PnfdBZS", ...
All are obfuscated with a combination of base64 and XOR.
I do not have much experience with VM based obfuscation but I think if you look around you could probably find some very talented people willing to help (maybe even moreso if you offer them payment).
You can please add deobfuscator Shape Security virtual machine???