search

j4k0xb / webcrack

Deobfuscate obfuscator.io, unminify and unpack bundled javascript
https://webcrack.netlify.app
MIT License
1.07k stars 129 forks source link

A code with webpackChunkuxp_plugin wrapper doesn't seem to unwrap #128

Open chameleonuser opened 16 hours ago

chameleonuser commented 16 hours ago

Describe the bug

So, webcrack fails to deobfuscate any vars or messed string arrays. Some other deobfuscators just throw eval error. Any advice? There is a webpackChunkuxp_plugin function in the very end of file, but how to work it around? TIA

Expected Behaviour

unwrap webpack chunks?

Code

https://pixeldrain.com/u/tEwbudsA

Logs

No response

j4k0xb commented 10 hours ago

only the first module (560) contains obfuscated code, so unpacking doesn't seem that useful. (but can still be done with this experimental branch: https://deploy-preview-50--webcrack.netlify.app/)

var r = {
  560: (n, r, t) => {
    // ...
  },
  87: (n) => {
    n.exports = require("os");
  },
  826: (n) => {
    n.exports = require("photoshop");
  },
  878: (n) => {
    n.exports = require("uxp");
  },
};

the primary issue is that it's using an old obfuscator version, which isn't being detected you can work around it by changing the structure from something like this

var d = ["qqAoh", "QlvpL", "construc", /* ... */];

(function (n, r) {
  function t(n, r, t, u) {
    return y(n - 444, u);
  }
  function u(n, r, t, u) {
    return y(n - 444, u);
  }
  while (true) {
    try {
      if (parseInt(t(906, 0, 0, 935)) + -parseInt(t(922, 0, 0, 895)) * -parseInt(t(1008, 0, 0, 1058)) + -parseInt(t(884, 0, 0, 966)) + parseInt(u(892, 0, 0, 787)) * parseInt(t(824, 0, 0, 918)) + -parseInt(u(901, 0, 0, 856)) * parseInt(u(974, 0, 0, 1070)) + parseInt(t(813, 0, 0, 897)) * -parseInt(u(985, 0, 0, 1061)) + parseInt(u(809, 0, 0, 772)) * parseInt(u(894, 0, 0, 958)) === 196615) {
        break;
      }
      n.push(n.shift());
    } catch (r) {
      n.push(n.shift());
    }
  }
})(d);

function y(n, r) {
  return (y = function (n, r) {
    return d[n -= 357];
  })(n, r);
}

to

function stringArray() {
  var d = ["qqAoh", "QlvpL", "construc", /* ... */];
  return (stringArray = function() { return d })()
}
(function (n, r) {
  n = n();
  function t(n, r, t, u) {
    return y(n - 444, u);
  }
  function u(n, r, t, u) {
    return y(n - 444, u);
  }
  while (true) {
    try {
      if (parseInt(t(906, 0, 0, 935)) + -parseInt(t(922, 0, 0, 895)) * -parseInt(t(1008, 0, 0, 1058)) + -parseInt(t(884, 0, 0, 966)) + parseInt(u(892, 0, 0, 787)) * parseInt(t(824, 0, 0, 918)) + -parseInt(u(901, 0, 0, 856)) * parseInt(u(974, 0, 0, 1070)) + parseInt(t(813, 0, 0, 897)) * -parseInt(u(985, 0, 0, 1061)) + parseInt(u(809, 0, 0, 772)) * parseInt(u(894, 0, 0, 958)) === 196615) {
        break;
      }
      n.push(n.shift());
    } catch (r) {
      n.push(n.shift());
    }
  }
})(stringArray);

function y(n, r) {
  var d = stringArray();
  return (y = function (n, r) {
    return d[n -= 357];
  })(n, r);
}

but it will be much work as the code has been obfuscated 40x in a row, so there are 40 different string arrays