webcrack icon indicating copy to clipboard operation
webcrack copied to clipboard

Published 20 hours ago verified publisher icon j4k0xb

control flow switch deobfuscation not triggering without string array

Open Le0Developer opened this issue 8 months ago • 5 comments

Describe the bug

I am currently trying to make a PR for this. If I don't make one within 3 days, assume I gave up. 😆

Expected Behaviour

The control flow should be resolved. The dispatcher functions are a separate issue.

Code

function gl(jd, c, f, g, h, i, j) {
  var d = "13|10|2|9|16|8|3|11|19|20|7|5|4|6|12|1|17|18|15|0|14".split("|");
  var e = 0;
  while (true) {
    switch (d[e++]) {
      case "0":
        c.egybk(fT).appendChild(gk);
        continue;
      case "1":
        h.innerHTML = i;
        continue;
      case "2":
        gk.height = c.mXvlg;
        continue;
      case "3":
        f = eN.createElement(c.vssHG);
        continue;
      case "4":
        g.className = c.PBaOx;
        continue;
      case "5":
        g = eN.createElement("span");
        continue;
      case "6":
        f.appendChild(g);
        continue;
      case "7":
        f.appendChild(j);
        continue;
      case "8":
        gk.setAttribute("role", "alert");
        continue;
      case "9":
        gk.style.display = c.Nrwph;
        continue;
      case "10":
        gk = eN.createElement("div");
        continue;
      case "11":
        f.className = c.hzxlw;
        continue;
      case "12":
        h = eN.createElement(c.OmBmS);
        continue;
      case "13":
        i = c.xRAoj(fG, c.bxfCq);
        continue;
      case "14":
        return j;
      case "15":
        gk.appendChild(f);
        continue;
      case "16":
        gk.className = "cb-c";
        continue;
      case "17":
        h.className = "cb-lb-t";
        continue;
      case "18":
        f.appendChild(h);
        continue;
      case "19":
        j = eN.createElement("input");
        continue;
      case "20":
        j.type = "checkbox";
        continue;
    }
    break;
  }
}

Logs

Le0Developer avatar Mar 08 '25 13:03 Le0Developer

(nvm ignore my comment, didn't read the code properly)

j4k0xb avatar Mar 08 '25 14:03 j4k0xb

My initial assumption also was that it's due to the AssignmentExpressions instead of the VariableDeclarations but even after modifying the script to use var it's still failing. Simplified the initial example, will tackle that in a different issue in the future.

Le0Developer avatar Mar 08 '25 14:03 Le0Developer

Nvm, looks like only the web version is failing. Works locally

Le0Developer avatar Mar 08 '25 14:03 Le0Developer

Ok found the root cause: for optimization webcrack only runs most other deobfuscations if a string array exists: https://github.com/j4k0xb/webcrack/blob/60dbb7fcb1acb9c8561014b08c2512ba58404484/packages/webcrack/src/deobfuscate/index.ts#L39

https://github.com/j4k0xb/webcrack/blob/60dbb7fcb1acb9c8561014b08c2512ba58404484/packages/webcrack/src/deobfuscate/index.ts#L73-L77

If you paste a dummy one in the script it works:

function _0xa94b() { var _0x5a635b = [""]; _0xa94b = function () { return _0x5a635b; }; return _0xa94b(); }

Image

j4k0xb avatar Mar 08 '25 14:03 j4k0xb

That's… funny.

Le0Developer avatar Mar 08 '25 14:03 Le0Developer