Improperly detected unpack deletes part of input #1350

Open
felleg opened this issue Feb 22, 2018 · 2 comments · May be fixed by #2105

felleg commented Feb 22, 2018

Using http://jsbeautifier.org/, you can replicate the issue seen below. I noted a few things:

  • Changing the variable name (e.g., test=["testing"];), the issue is gone
  • Removing the semi-colon, the issue is gone
  • Keeping the variable name, but assigning an int, the issue is gone

This also happens with the version downloaded from pip this morning on my local machine (Ubuntu 16.04 LTS)

Input

The code looked like this before beautification:

var _0x3e5f=['testing'];
// This is just a sample script. Paste your real code (javascript or HTML) here.

if ('this_is'==/an_example/){of_beautifier();}else{var a=b?(c%d):e[f];}

Expected Output

The code should have looked like this after beautification:

var _0x3e5f = ['testing'];
// This is just a sample script. Paste your real code (javascript or HTML) here.
if ('this_is' == /an_example/) {
    of_beautifier();
} else {
    var a = b ? (c % d) : e[f];
}

Actual Output

The code actually looked like this after beautification:

// This is just a sample script. Paste your real code (javascript or HTML) here.
if ('this_is' == /an_example/) {
    of_beautifier();
} else {
    var a = b ? (c % d) : e[f];
}

Steps to Reproduce

Use jsbeautifier.org, paste the code above and see for yourself

Environment

OS: n/a

@bitwiseman
Member

That specific string at the start of the input will cause the deobfuscation to run, which produces an empty output.

This does not reproduce on the website if "Detect packers and obfuscators?" is unchecked.
It does not happen at all from the node.js cli (deobfuscators are not included).

This happens in python because there is no option to not try unpacking (see https://github.com/beautify-web/js-beautify/blob/master/python/jsbeautifier/javascript/beautifier.py#L196). The placement of that call also means it happens on the command line and when included as a library. 😭

bitwiseman changed the title from "Global variable (array) not kept?" to "Improperly detected unpack deletes part of input" on Mar 22, 2018
@bitwiseman
Member

See this code for the root of the problem:
https://github.com/beautify-web/js-beautify/blob/4ee8f02ae51576f77027c35cac4a4d0e0e619a30/js/src/unpackers/javascriptobfuscator_unpacker.js#L43-L50

Code generated with the obfuscator usually has ];function. If we add that to the detect check that should address this issue.
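
The false positive discussed above, as an added example that is not part of the original thread and is not js-beautify's code: a loose detector next to a tightened one that requires `];function`, run against the input from the report. The regexes, function names and the obfuscated sample are assumptions constructed for illustration.

```javascript
// Added illustration: a simplified model, not js-beautify's source.
// All regexes and names are assumptions based on the behaviour described in this issue.

// Loose check: anything starting with `var _0x<hex> = [` is treated as obfuscated.
function detectLoose(src) {
  return /^var _0x[a-f0-9]+ ?= ?\[/.test(src);
}

// Tightened check: the string table must be followed directly by `function`
// (the `];function` sequence), on the same line.
function detectStrict(src) {
  return /^var _0x[a-f0-9]+ ?= ?\[.*?\];function/.test(src);
}

// Toy unpacker: drops the string-table declaration and inlines its entries.
// The comma split is naive (breaks on literals containing commas).
function unpack(src, detect) {
  if (!detect(src)) return src; // not recognised: pass through untouched
  const m = /^var (_0x[a-f0-9]+) ?= ?\[(.*?)\];/.exec(src);
  if (!m) return src;
  const table = m[2].split(',').map((s) => s.trim());
  let out = src.slice(m[0].length);
  table.forEach((literal, i) => {
    out = out.split(`${m[1]}[${i}]`).join(literal);
  });
  return out;
}

// Input from the issue report: an ordinary script that happens to start
// with a `_0x`-named array.
const ISSUE_INPUT = [
  "var _0x3e5f=['testing'];",
  '// This is just a sample script. Paste your real code (javascript or HTML) here.',
  '',
  "if ('this_is'==/an_example/){of_beautifier();}else{var a=b?(c%d):e[f];}",
].join('\n');

// Constructed sample in the shape the tightened check expects.
const OBFUSCATED =
  "var _0xa1b2=['log','hello'];function run(){console[_0xa1b2[0]](_0xa1b2[1]);}";

console.log(unpack(ISSUE_INPUT, detectLoose).includes('_0x3e5f')); // is the declaration still there?
console.log(unpack(ISSUE_INPUT, detectStrict) === ISSUE_INPUT);    // is the input untouched?
console.log(unpack(OBFUSCATED, detectStrict));                     // table inlined into the code
```

A detector that gates a destructive transform should fail closed: when the match is ambiguous, returning the input unchanged loses nothing, while a false positive silently removes code from what the analyst sees.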

bitwiseman modified the milestones: v1.13.7, v1.13.x on Apr 13, 2021
bitwiseman modified the milestones: v1.14.1, v1.14.x, v1.15.x on Mar 28, 2022
bitwiseman modified the milestones: v1.14.3, 1.14.x on Apr 9, 2022
Donovan55 added a commit to Donovan55/js-beautify that referenced this issue Oct 2, 2022
Fixes issue beautifier#1350 by properly identifying obfuscated text
Donovan55 added a commit to Donovan55/js-beautify that referenced this issue Oct 2, 2022
bitwiseman linked a pull request on Oct 21, 2022 that will close this issue