webcrack icon indicating copy to clipboard operation
webcrack copied to clipboard

Published 20 hours ago verified publisher icon j4k0xb

string splitting prevents the deobfuscator from minimising flattened code

Open 9382 opened this issue 10 months ago • 1 comments

String concatenations prevent the deobfuscator from realising it could simplify table references to be inlined The below scripts have string arrays enabled (obfuscator.io stuff) since otherwise the deobfuscator wont even attempt to minify the table references Flattened (deobfuscation is perfectly fine):

function main(){var _0x475a8b=_0x2f09;var _0x525a5a={'jzSnL':_0x475a8b(0x0),'kiVev':function(_0x1c95e2,_0x3dcadd){return _0x1c95e2+_0x3dcadd;}};console[_0x475a8b(0x1)](_0x525a5a[_0x475a8b(0x2)]);for(var _0x317c4c in[0x1,0x2,0x3,0x4]){console[_0x475a8b(0x1)](_0x525a5a[_0x475a8b(0x3)](_0x317c4c,0x5));}}main();function _0x2f09(_0x24c0b8,_0x2f0965){var _0x45ec21=_0x24c0();_0x2f09=function(_0x3ae4a4,_0x15035f){_0x3ae4a4=_0x3ae4a4-0x0;var _0x183ba9=_0x45ec21[_0x3ae4a4];return _0x183ba9;};return _0x2f09(_0x24c0b8,_0x2f0965);}function _0x24c0(){var _0x56f23c=['Running','log','jzSnL','kiVev'];_0x24c0=function(){return _0x56f23c;};return _0x24c0();}

Flattened + Split strings (doesn't deobfuscate well):

function _0x79aa(_0x52b12d,_0x79aa97){var _0x28c17a=_0x52b1();_0x79aa=function(_0x43b4f5,_0x533fd5){_0x43b4f5=_0x43b4f5-0x0;var _0x2d7d34=_0x28c17a[_0x43b4f5];return _0x2d7d34;};return _0x79aa(_0x52b12d,_0x79aa97);}function _0x52b1(){var _0x3ad461=['Runn','ing','log','EIrI','nFgH'];_0x52b1=function(){return _0x3ad461;};return _0x52b1();}function main(){var _0x37295b=_0x79aa;var _0x4fa635={'EIrIY':_0x37295b(0x0)+_0x37295b(0x1),'nFgHG':function(_0x4a2455,_0x1fc706){return _0x4a2455+_0x1fc706;}};console[_0x37295b(0x2)](_0x4fa635[_0x37295b(0x3)+'Y']);for(var _0x26704d in[0x1,0x2,0x3,0x4]){console[_0x37295b(0x2)](_0x4fa635[_0x37295b(0x4)+'G'](_0x26704d,0x5));}}main();

(I assume its essentially an order of operations issue. I'd attempted to look into this myself but couldn't get the build process to cooperate at all)

9382 avatar Apr 21 '24 17:04 9382

generally it merges strings and inlines objects at the same time to avoid this:

https://github.com/j4k0xb/webcrack/blob/13564f6b457fafc56f62ba12c19b431b50d83412/packages/webcrack/src/deobfuscate/index.ts#L69-L71

but when looking up properties (_0x4fa635["EIrI" + 'Y']), they aren't visited/merged yet:

function main() {
  var _0x4fa635 = {
    'EIrIY': "Running",
    'nFgHG': function (_0x4a2455, _0x1fc706) {
      return _0x4a2455 + _0x1fc706;
    }
  };
  console["log"](_0x4fa635["EIrI" + 'Y']);
  for (var _0x26704d in [0x1, 0x2, 0x3, 0x4]) {
    console["log"](_0x4fa635["nFgH" + 'G'](_0x26704d, 0x5));
  }
}

haven't seen that happen before because https://obfuscator.io/#splitstringschunklength defaults to 10, but these properties always have length 5

maybe I'll merge strings earlier when decoding _0x37295b(3) + "Y" -> "EIrIY"

j4k0xb avatar Apr 21 '24 17:04 j4k0xb