mindedsecurity / JStillery

Advanced JavaScript Deobfuscation via Partial Evaluation
GNU General Public License v3.0
862 stars 143 forks

Implicit String Coercion Not Reliably Handled #5

Closed 0xSobky closed 6 years ago

0xSobky commented 6 years ago

Hi, Stefano!

I see that the tool can now handle this correctly: x = 'al'+(top+0)[4]+'r'+(top+0)[6];eval(x)(1);

However, the tool still fails to handle similar cases:

$ ./jstillery_cli.js obfuscated.js
Original:
====================
eval((typeof!this)[5]+(typeof!this)[3]+(typeof!this)[4]+'rt')(0);
====================
____________________
Deobfuscated Code
undefinedundefinedundefinedrt;(0);

The correct output should rather be alert(0);. I haven't taken a look at the code yet, but I hope it's something trivial to fix.

Thanks!

wisec commented 6 years ago

Hi @0xSobky :) Good catch! Can probably be fixed to some extent

wisec commented 6 years ago

fixed https://github.com/mindedsecurity/JStillery/commit/2758d65d179ff2ab5f2e96b7a2e780fec2753e41#diff-f2bff50c5b25d85d97f783590945ef8c

0xSobky commented 6 years ago

Heya @wisec,

Thanks for the quick fix! However, it's not a complete fix indeed. For instance, if we simply replace this with top:

eval((typeof!top)[5]+(typeof!top)[3]+(typeof!top)[4]+'rt')(0);

The output after the fix is still:

____________________
Deobfuscated Code
undefinedundefinedundefinedrt;(0);

Can we handle this case too? :-)
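Added illustration (not JStillery's code, and not the fix in the linked commit): a minimal constant folder over a hand-built expression tree that shows why both `typeof !this` and `typeof !top` can be resolved to the string `"boolean"` without knowing the value of `this` or `top`, and why the earlier `(top+0)[4]` case cannot be folded by the same rule. The node shape (`Literal`, `Identifier`, `Unary`, `Binary`, `Member`), the builder helpers and the function names are assumptions of this example.

```javascript
// Constructed example: a tiny partial evaluator for the coercion patterns in this issue.
// Tree builders (assumed shape, not JStillery's AST).
const lit = (value) => ({ type: 'Literal', value });
const id = (name) => ({ type: 'Identifier', name });
const unary = (op, arg) => ({ type: 'Unary', op, arg });
const bin = (left, right) => ({ type: 'Binary', op: '+', left, right });
const member = (object, index) => ({ type: 'Member', object, index });
const isLit = (n) => n.type === 'Literal';

// Static type of an expression when it is fixed regardless of free identifiers.
// This is the key rule: `!x` is always a boolean, whatever `x` (top, this, ...) is.
function staticType(node) {
  if (isLit(node)) return typeof node.value;
  if (node.type === 'Unary' && node.op === '!') return 'boolean';
  if (node.type === 'Unary' && node.op === 'typeof') return 'string';
  if (node.type === 'Binary' && node.op === '+') {
    const l = staticType(node.left), r = staticType(node.right);
    if (l === 'string' || r === 'string') return 'string'; // `+` with a string operand coerces
  }
  return null; // depends on an unknown value
}

// Bottom-up folding: replace subtrees whose value is fixed with literals.
function fold(node) {
  switch (node.type) {
    case 'Literal':
    case 'Identifier':
      return node;
    case 'Unary': {
      const arg = fold(node.arg);
      if (node.op === 'typeof') {
        const t = staticType(arg);           // `typeof` needs only the type, not the value
        return t !== null ? lit(t) : unary('typeof', arg);
      }
      if (node.op === '!' && isLit(arg)) return lit(!arg.value);
      return unary(node.op, arg);
    }
    case 'Binary': {
      const left = fold(node.left), right = fold(node.right);
      if (isLit(left) && isLit(right)) return lit(left.value + right.value);
      return bin(left, right);
    }
    case 'Member': {
      const object = fold(node.object), index = fold(node.index);
      if (isLit(object) && typeof object.value === 'string' &&
          isLit(index) && Number.isInteger(index.value)) {
        return lit(object.value[index.value]);   // "boolean"[5] === "a"
      }
      return member(object, index);
    }
    default:
      throw new Error('unsupported node ' + node.type);
  }
}

// Printer so the folded tree reads like source again.
function print(node) {
  switch (node.type) {
    case 'Literal':
      return typeof node.value === 'string' ? JSON.stringify(node.value) : String(node.value);
    case 'Identifier':
      return node.name;
    case 'Unary':
      return node.op === 'typeof' ? `(typeof ${print(node.arg)})` : `${node.op}${print(node.arg)}`;
    case 'Binary':
      return `${print(node.left)}+${print(node.right)}`;
    case 'Member': {
      const obj = node.object.type === 'Binary' ? `(${print(node.object)})` : print(node.object);
      return `${obj}[${print(node.index)}]`;
    }
    default:
      throw new Error('unsupported node ' + node.type);
  }
}

// The eval(...) argument from the issue, with a free identifier of the caller's choice:
// (typeof !ident)[5] + (typeof !ident)[3] + (typeof !ident)[4] + 'rt'
function issueExpression(identName) {
  const ch = (i) => member(unary('typeof', unary('!', id(identName))), lit(i));
  return bin(bin(bin(ch(5), ch(3)), ch(4)), lit('rt'));
}

function foldToSource(node) { return print(fold(node)); }

console.log(foldToSource(issueExpression('this'))); // prints "alert"
console.log(foldToSource(issueExpression('top')));  // prints "alert"
// (top+0)[4] depends on how `top` itself stringifies, so this folder leaves it symbolic:
console.log(foldToSource(member(bin(id('top'), lit(0)), lit(4)))); // prints (top+0)[4]
```

The point of the example is the `staticType` rule: the evaluator never needs a value for `this` or `top`, only the guarantee that `!` yields a boolean and that `typeof` of a boolean is the fixed string `"boolean"`, after which ordinary string indexing and concatenation do the rest. The `(top+0)[4]` case is different because its result depends on the host object's string form, which is why a tool has to model that coercion separately rather than derive it from types alone.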