string splitting prevents the deobfuscator from minimising flattened code #73

9382 opened this issue Apr 21, 2024 · 1 comment
9382 commented Apr 21, 2024

String concatenations prevent the deobfuscator from realising it could simplify table references to be inlined.
The below scripts have string arrays enabled (obfuscator.io stuff) since otherwise the deobfuscator won't even attempt to minify the table references.
Flattened (deobfuscation is perfectly fine):

function main(){var _0x475a8b=_0x2f09;var _0x525a5a={'jzSnL':_0x475a8b(0x0),'kiVev':function(_0x1c95e2,_0x3dcadd){return _0x1c95e2+_0x3dcadd;}};console[_0x475a8b(0x1)](_0x525a5a[_0x475a8b(0x2)]);for(var _0x317c4c in[0x1,0x2,0x3,0x4]){console[_0x475a8b(0x1)](_0x525a5a[_0x475a8b(0x3)](_0x317c4c,0x5));}}main();function _0x2f09(_0x24c0b8,_0x2f0965){var _0x45ec21=_0x24c0();_0x2f09=function(_0x3ae4a4,_0x15035f){_0x3ae4a4=_0x3ae4a4-0x0;var _0x183ba9=_0x45ec21[_0x3ae4a4];return _0x183ba9;};return _0x2f09(_0x24c0b8,_0x2f0965);}function _0x24c0(){var _0x56f23c=['Running','log','jzSnL','kiVev'];_0x24c0=function(){return _0x56f23c;};return _0x24c0();}

Flattened + Split strings (doesn't deobfuscate well):

function _0x79aa(_0x52b12d,_0x79aa97){var _0x28c17a=_0x52b1();_0x79aa=function(_0x43b4f5,_0x533fd5){_0x43b4f5=_0x43b4f5-0x0;var _0x2d7d34=_0x28c17a[_0x43b4f5];return _0x2d7d34;};return _0x79aa(_0x52b12d,_0x79aa97);}function _0x52b1(){var _0x3ad461=['Runn','ing','log','EIrI','nFgH'];_0x52b1=function(){return _0x3ad461;};return _0x52b1();}function main(){var _0x37295b=_0x79aa;var _0x4fa635={'EIrIY':_0x37295b(0x0)+_0x37295b(0x1),'nFgHG':function(_0x4a2455,_0x1fc706){return _0x4a2455+_0x1fc706;}};console[_0x37295b(0x2)](_0x4fa635[_0x37295b(0x3)+'Y']);for(var _0x26704d in[0x1,0x2,0x3,0x4]){console[_0x37295b(0x2)](_0x4fa635[_0x37295b(0x4)+'G'](_0x26704d,0x5));}}main();

(I assume it's essentially an order of operations issue. I'd attempted to look into this myself but couldn't get the build process to cooperate at all.)

j4k0xb added the bug (Something isn't working) and deobfuscate labels Apr 21, 2024

j4k0xb (Owner) commented Apr 21, 2024

generally it merges strings and inlines objects at the same time to avoid this:

state.changes += applyTransforms(
ast,
[mergeStrings, deadCode, controlFlowObject, controlFlowSwitch],

but when looking up properties (_0x4fa635["EIrI" + 'Y']), they aren't visited/merged yet:

function main() {
  var _0x4fa635 = {
    'EIrIY': "Running",
    'nFgHG': function (_0x4a2455, _0x1fc706) {
      return _0x4a2455 + _0x1fc706;
    }
  };
  console["log"](_0x4fa635["EIrI" + 'Y']);
  for (var _0x26704d in [0x1, 0x2, 0x3, 0x4]) {
    console["log"](_0x4fa635["nFgH" + 'G'](_0x26704d, 0x5));
  }
}

haven't seen that happen before because https://obfuscator.io/#splitstringschunklength defaults to 10, but these properties always have length 5

maybe I'll merge strings earlier when decoding _0x37295b(3) + "Y" -> "EIrIY"
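
The ordering problem discussed in this thread, as an added example that is not the project's code: a lookup whose key is still `"EIrI" + 'Y'` cannot be inlined until the concatenation is folded. All helper names (`foldStrings`, `inlineReference`, `eagerMerge`) and the hand-built AST nodes are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not the deobfuscator's code.
// Nodes are minimal ESTree-style objects constructed by hand.
const str = (value) => ({ type: 'StringLiteral', value });
const id = (name) => ({ type: 'Identifier', name });
const concat = (left, right) => ({ type: 'BinaryExpression', operator: '+', left, right });
const member = (object, property) => ({ type: 'MemberExpression', computed: true, object, property });

// Fold constant string concatenations ("EIrI" + "Y" -> "EIrIY"), bottom-up.
// Anything that is not a '+' of two string literals is returned as-is.
function foldStrings(node) {
  if (node.type !== 'BinaryExpression' || node.operator !== '+') return node;
  const left = foldStrings(node.left);
  const right = foldStrings(node.right);
  if (left.type === 'StringLiteral' && right.type === 'StringLiteral') {
    return str(left.value + right.value);
  }
  return { ...node, left, right };
}

// Replace table[key] with the table's literal value for that key.
// eagerMerge=false models the reported behaviour: the key is inspected
// before the string merger has visited it, so a split key never matches.
function inlineReference(node, table, { eagerMerge }) {
  if (node.type !== 'MemberExpression' || !node.computed) return node;
  if (node.object.type !== 'Identifier' || node.object.name !== table.name) return node;
  const key = eagerMerge ? foldStrings(node.property) : node.property;
  if (key.type !== 'StringLiteral') return node; // dynamic key: leave untouched
  if (!Object.prototype.hasOwnProperty.call(table.props, key.value)) return node;
  return table.props[key.value];
}

// Constructed sample mirroring the issue: { 'EIrIY': "Running" } and
// the lookup _0x4fa635["EIrI" + 'Y'] left over after string-array decoding.
const table = { name: '_0x4fa635', props: { EIrIY: str('Running') } };
const splitRef = member(id('_0x4fa635'), concat(str('EIrI'), str('Y')));
// A key that is not constant must survive both modes unchanged.
const dynamicRef = member(id('_0x4fa635'), concat(str('EIrI'), id('suffix')));

function demo() {
  return {
    lazy: inlineReference(splitRef, table, { eagerMerge: false }),
    eager: inlineReference(splitRef, table, { eagerMerge: true }),
    dynamic: inlineReference(dynamicRef, table, { eagerMerge: true }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```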
