search

j4k0xb / webcrack

Deobfuscate obfuscator.io, unminify and unpack bundled javascript
https://webcrack.netlify.app
MIT License
870 stars 100 forks source link

string splitting prevents the deobfuscator from minimising flattened code #73

Open 9382 opened 5 months ago

9382 commented 5 months ago

String concatenations prevent the deobfuscator from realising it could simplify table references to be inlined The below scripts have string arrays enabled (obfuscator.io stuff) since otherwise the deobfuscator wont even attempt to minify the table references Flattened (deobfuscation is perfectly fine):

function main(){var _0x475a8b=_0x2f09;var _0x525a5a={'jzSnL':_0x475a8b(0x0),'kiVev':function(_0x1c95e2,_0x3dcadd){return _0x1c95e2+_0x3dcadd;}};console[_0x475a8b(0x1)](_0x525a5a[_0x475a8b(0x2)]);for(var _0x317c4c in[0x1,0x2,0x3,0x4]){console[_0x475a8b(0x1)](_0x525a5a[_0x475a8b(0x3)](_0x317c4c,0x5));}}main();function _0x2f09(_0x24c0b8,_0x2f0965){var _0x45ec21=_0x24c0();_0x2f09=function(_0x3ae4a4,_0x15035f){_0x3ae4a4=_0x3ae4a4-0x0;var _0x183ba9=_0x45ec21[_0x3ae4a4];return _0x183ba9;};return _0x2f09(_0x24c0b8,_0x2f0965);}function _0x24c0(){var _0x56f23c=['Running','log','jzSnL','kiVev'];_0x24c0=function(){return _0x56f23c;};return _0x24c0();}

Flattened + Split strings (doesn't deobfuscate well):

function _0x79aa(_0x52b12d,_0x79aa97){var _0x28c17a=_0x52b1();_0x79aa=function(_0x43b4f5,_0x533fd5){_0x43b4f5=_0x43b4f5-0x0;var _0x2d7d34=_0x28c17a[_0x43b4f5];return _0x2d7d34;};return _0x79aa(_0x52b12d,_0x79aa97);}function _0x52b1(){var _0x3ad461=['Runn','ing','log','EIrI','nFgH'];_0x52b1=function(){return _0x3ad461;};return _0x52b1();}function main(){var _0x37295b=_0x79aa;var _0x4fa635={'EIrIY':_0x37295b(0x0)+_0x37295b(0x1),'nFgHG':function(_0x4a2455,_0x1fc706){return _0x4a2455+_0x1fc706;}};console[_0x37295b(0x2)](_0x4fa635[_0x37295b(0x3)+'Y']);for(var _0x26704d in[0x1,0x2,0x3,0x4]){console[_0x37295b(0x2)](_0x4fa635[_0x37295b(0x4)+'G'](_0x26704d,0x5));}}main();

(I assume its essentially an order of operations issue. I'd attempted to look into this myself but couldn't get the build process to cooperate at all)

j4k0xb commented 5 months ago

generally it merges strings and inlines objects at the same time to avoid this:

https://github.com/j4k0xb/webcrack/blob/13564f6b457fafc56f62ba12c19b431b50d83412/packages/webcrack/src/deobfuscate/index.ts#L69-L71

but when looking up properties (_0x4fa635["EIrI" + 'Y']), they aren't visited/merged yet:

function main() {
  var _0x4fa635 = {
    'EIrIY': "Running",
    'nFgHG': function (_0x4a2455, _0x1fc706) {
      return _0x4a2455 + _0x1fc706;
    }
  };
  console["log"](_0x4fa635["EIrI" + 'Y']);
  for (var _0x26704d in [0x1, 0x2, 0x3, 0x4]) {
    console["log"](_0x4fa635["nFgH" + 'G'](_0x26704d, 0x5));
  }
}

haven't seen that happen before because https://obfuscator.io/#splitstringschunklength defaults to 10, but these properties always have length 5

maybe I'll merge strings earlier when decoding _0x37295b(3) + "Y" -> "EIrIY"