Monday, February 28, 2022

Javascript Deobfuscation Tips

Last week I had to de-obfuscate a JavaScript file. The file contained about 10K lines of code, and I struggled to understand what the code was really doing. After a week of struggle I succeeded, and I want to share some of the tricks and insights I picked up along the way.


First, paste the file into an online deobfuscator site such as de4js or obfuscateIO. The site handles the first pass over the code: removing proxy functions, simplifying expressions, and so on.

The code you get after this step is still a big mess. Don't expect anything you can work with yet.

Next, copy the code into a JavaScript editor such as WebStorm and reformat it, so that it matches the editor's formatting standard.

You will probably want to simplify some common expressions that the minifier introduced.

Examples of these are listed below (the minifier writes true and false as !0 and !1).

  • Change from: !0 to: true
  • Change from: !1 to: false
  • Change from: void 0 to: undefined


Some obfuscation might have been done manually by the code's author, for example replacing every string constant with its base64-decoded form and re-encoding it with btoa() at the point of use, so the real constants never appear in the source. Instead of:


var a = object["left"]


You might find:


const e = '\x95çí'
var a = object[btoa(e)]


In this case, a good approach is to write a script that automatically translates all of these strings in the obfuscated code back to their plain form.
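As an added example (not code from the original post), here is a Node script that performs that translation for the btoa() pattern above: it collects consts bound to string literals, re-encodes them the way btoa() would, and rewrites each resolvable call into the plain string, so `object[btoa(e)]` reads `object["left"]` again. The regexes and the sample input are my own assumptions about what the obfuscator emits.

```javascript
// Added example, not from the original post: rewrite btoa(<literal>) and
// btoa(<const bound to a literal>) into the string the call would return,
// so `object[btoa(e)]` with `const e = '\x95çí'` becomes `object["left"]`.
// Assumes the obfuscated file only passes quoted literals or simple consts
// to btoa; anything else is left untouched. Runs under Node (uses Buffer).

// `const|let|var NAME = 'literal'` (1 = name, 2 = quote, 3 = body)
const DECL = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(['"])((?:\\.|(?!\2)[^\\\n])*)\2/g;
// `btoa('literal')` or `btoa(NAME)` (1 = quote, 2 = body, 3 = identifier)
const CALL = /btoa\(\s*(?:(['"])((?:\\.|(?!\1)[^\\\n])*)\1|([A-Za-z_$][\w$]*))\s*\)/g;

// Decode the escapes inside a JS string literal body (\xHH, \uHHHH, \n, \\ ...).
function unescapeJs(body) {
  const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v', 0: '\0' };
  return body.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)/g, (_, esc) =>
    esc[0] === 'x' || esc[0] === 'u'
      ? String.fromCharCode(parseInt(esc.slice(1), 16))
      : simple[esc] ?? esc);
}

// Same contract as the browser's btoa: every char must fit in one byte,
// otherwise btoa would throw, so we return null and keep the original call.
function toBase64(binary) {
  if ([...binary].some((c) => c.charCodeAt(0) > 0xff)) return null;
  return Buffer.from(binary, 'latin1').toString('base64');
}

function inlineBtoa(src) {
  // Pass 1: remember which names are bound directly to a string literal.
  const bindings = new Map();
  for (const m of src.matchAll(DECL)) bindings.set(m[1], unescapeJs(m[3]));
  // Pass 2: replace each resolvable btoa(...) call with a plain string literal.
  return src.replace(CALL, (whole, _quote, body, ident) => {
    const raw = body !== undefined ? unescapeJs(body) : bindings.get(ident);
    if (raw === undefined) return whole;       // unknown variable: leave it
    const encoded = toBase64(raw);
    return encoded === null ? whole : JSON.stringify(encoded);
  });
}

// Constructed input mirroring the post's snippet (plus two edge cases).
const SAMPLE = [
  "const e = '\\x95çí'",
  'var a = object[btoa(e)]',
  'var b = object[btoa("\\x95\\xe7\\xed")]',
  'var c = btoa(unknownVar)',
].join('\n');

console.log(inlineBtoa(SAMPLE));
```

The unused `const e` declaration is left in place on purpose; once no call references it, the IDE's "remove unused" inspection takes care of it in the next step.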


The last step is the real challenge. In this step we give the functions their actual, meaningful names. When renaming a function, use the IDE's rename refactoring, so that all of its usages are renamed as well.

The best tip for this step is to work bottom up. Look for functions that use items that cannot be renamed, such as document, window and navigator; these functions are easy to decipher. Once the basic functions are handled, move up the hierarchy and work out the next level.

Make sure to rename not only the functions, but also the parameter names and the argument names in the calling functions. This solves the puzzle piece by piece.

Good luck!

