search

j4k0xb / webcrack

Deobfuscate obfuscator.io, unminify and unpack bundled javascript
https://webcrack.netlify.app
MIT License
663 stars 72 forks source link

support decoder is FunctionExpression #27

Closed kuizuo closed 7 months ago

kuizuo commented 7 months ago 
function hi() {
  var _0x4c1b3b = _0x1b20;
  console['log'](_0x4c1b3b(0x0));
}

hi();

function _0x1b20(_0x107060, _0x1b2020) {
  var _0x4c3a62 = _0x1070();

  return _0x1b20 = function (_0x2a3d13, _0x5768cc) {
    _0x2a3d13 = _0x2a3d13 - 0x0;
    var _0x4e2495 = _0x4c3a62[_0x2a3d13];
    return _0x4e2495;
  }, _0x1b20(_0x107060, _0x1b2020);
}

function _0x1070() {
  var _0x349c11 = ['Hello\x20World!'];

  _0x1070 = function () {
    return _0x349c11;
  };

  return _0x1070();
}

The above code is generated by a obfuscator.

But when I changed the FunctionDeclaration with FunctionExpression of the decoder (_0x1b20) like this:

- function _0x1b20(_0x107060, _0x1b2020) {
+ var _0x1b20 = function (_0x107060, _0x1b2020) {
   // ...
}

At this time, deobfuscate won't work.

This is especially common in some of the obfuscated code I've seen. So I hope you will support this feature.

By the way, I read the source code and noticed that you commented TODO in the findDecoder to support this feature, but that was 8 months ago.

j4k0xb commented 7 months ago

By the way, I read the source code and noticed that you commented TODO in the findDecoder to support this feature, but that was 8 months ago.

I didn't come across many scripts like that but its now supported You can test it on https://deploy-preview-25--webcrack.netlify.app (npm package won't be updated for a while due to the ongoing refactor)