
Deobfuscate JScrewIt

Open HA-LO opened this issue 7 years ago • 4 comments

I just found this interesting tool and I'm wondering if it would be also possible to deobfuscate JScrewIt (http://jscrew.it). The output looks similar to JSFuck but it's more compact. I tried different deobfuscators but none seems to work. Any help would be greatly appreciated.

HA-LO avatar Mar 27 '17 11:03 HA-LO

Yes, sure.

I tried inspecting JScrewIt's output. It follows a similar approach, but all other deobfuscators fail because mostly they try to remove the last () in JSFuck code and eval the rest. But JScrewIt doesn't wrap all the code in Function and call it at the end. Instead, it does some form of optimisations.

This can also be deobfuscated with a similar approach. All we need to do is add the corresponding strings for the characters to the mapping.

I added the mappings for the code alert(1) which is now successfully parsed. (It also brought some unseen edge cases which I fixed). For more complex codes, we just need to add the mappings of unknown strings.

P.S. alert(1) translated to Function("return alert")()(1) which is what the output represents.

Edit: Function("return alert")(1) to Function("return alert")()(1)

asutoshpalai avatar Mar 27 '17 18:03 asutoshpalai

There are still some new updates on JScrewIt (anyway, I am a contributor). Does de-jsfuck always return code that runs well, but it's possible that it's not fully deobfuscated?

837951602 avatar Jul 11 '17 15:07 837951602

> P.S. alert(1) translated to Function("return alert")(1) which is what the output represents.

It's Function("return alert")()(1)

837951602 avatar Jul 11 '17 15:07 837951602

Hi @837951602 !

As mentioned earlier, I didn't add all the mappings for JScrewIt. I just verified (and fixed a few things) with a few examples that this approach works for it too, and they still work. I will try to add the rest of the mappings if I get some time. Although I suspect that its optimisation may generate new patterns every time, which may mean that we can't put all possible patterns in the map. But for specific use cases, the code will be the same, which in turn means that the patterns will remain the same. So, for them, the mapping can be added to the map, but it's on a case-by-case basis.

> Does de-jsfuck always return code that runs well, but it's possible that it's not fully deobfuscated?

In case it is not able to deobfuscate any part, it emits <unknown: .. > for them. The intended effect is to invalidate the generated JS, so that it won't be used directly. Then the mapping for the corresponding sections can be added to fix it.

> It's Function("return alert")()(1)

Thanks!

asutoshpalai avatar Jul 19 '17 17:07 asutoshpalai
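The mapping-based approach described in the replies above (look each JSFuck atom up in a table instead of eval'ing the code, and emit <unknown: ...> for anything not in the table) as an added example; this is not de-jsfuck's or JScrewIt's own code, the ATOMS table is a constructed, partial mapping, and the sample input is constructed for the demonstration.

```javascript
// Constructed, hand-verified JSFuck atoms -> the character each evaluates to.
// Deliberately partial, so the <unknown: ...> fallback below is exercised.
const ATOMS = new Map([
  ['+[]', '0'],                                  // +[] -> 0
  ['[+!+[]]', '1'],                              // [1] -> "1" when concatenated
  ['(![]+[])[+[]]', 'f'],                        // "false"[0]
  ['(![]+[])[+!+[]]', 'a'],                      // "false"[1]
  ['(![]+[])[!+[]+!+[]]', 'l'],                  // "false"[2]
  ['(![]+[])[!+[]+!+[]+!+[]]', 's'],             // "false"[3]
  ['(!![]+[])[+[]]', 't'],                       // "true"[0]
  ['(!![]+[])[+!+[]]', 'r'],                     // "true"[1]
  ['(!![]+[])[!+[]+!+[]+!+[]]', 'e'],            // "true"[3]
  ['([][[]]+[])[+[]]', 'u'],                     // "undefined"[0]
  ['([][[]]+[])[!+[]+!+[]]', 'd'],               // "undefined"[2]
]);

// Split "A+B+C" at binary pluses only: a top-level '+' directly after ')'
// or ']' joins two atoms; every other '+' is JSFuck's unary plus.
function splitAtoms(src) {
  const atoms = [];
  let depth = 0, start = 0;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (c === '(' || c === '[') depth++;
    else if (c === ')' || c === ']') depth--;
    else if (c === '+' && depth === 0 && i > 0 && /[)\]]/.test(src[i - 1])) {
      atoms.push(src.slice(start, i));
      start = i + 1;
    }
  }
  atoms.push(src.slice(start));
  return atoms;
}

// Decode without eval. Atoms missing from the table become "<unknown: ...>",
// which makes the output invalid JS so it cannot be used as-is; the fix is to
// add the missing atom to ATOMS, exactly as the thread describes.
function decode(src) {
  let text = '', unknown = 0;
  for (const atom of splitAtoms(src)) {
    const ch = ATOMS.get(atom);
    if (ch === undefined) { text += `<unknown: ${atom}>`; unknown++; }
    else text += ch;
  }
  return { text, unknown };
}

// Constructed sample: JSFuck for the string "alert".
const SAMPLE = '(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]'
  + '+(!![]+[])[+!+[]]+(!![]+[])[+[]]';
console.log(decode(SAMPLE));               // { text: 'alert', unknown: 0 }
console.log(decode('(![]+[])[+[]]+(+[])')); // { text: 'f<unknown: (+[])>', unknown: 1 }
```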