
Comments (10)

ben-sb commented on July 18, 2024 1

I've also added function evaluation as a somewhat experimental feature, you can read the details here https://github.com/sd-soleaio/javascript-deobfuscator#advanced-usage

from javascript-deobfuscator.

ben-sb commented on July 18, 2024 1

Have added a shuffled list of 25k of those names in latest commits

from javascript-deobfuscator.

ben-sb commented on July 18, 2024

Hi, renaming hex identifiers is a good idea, I'll add that.

As for the array of strings and string decoder function, that's a very common obfuscation pattern; your script is obfuscated with https://obfuscator.io.
Since this repo is general purpose and not meant to target any specific obfuscator and there are lots of different variants of string encoding like that (so it would be more effort than it's worth to detect them all), I'm probably not going to add support for removing that.

However adding an option to mark a specific function as the string decoder (_0x5ce7 in your case) is something that could work, I'll consider adding that.

I previously did make a (now outdated) deobfuscator, https://github.com/sd-soleaio/deobfuscator-io-archived which could be useful to take a look at if you're interested in further deobfuscating your script (although word of warning, the code isn't the best in that repo).

from javascript-deobfuscator.
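The idea raised above, letting the user name the string decoder (`_0x5ce7`), can be carried out without executing the sample at all. This is an added example, not code from javascript-deobfuscator: the sample script is constructed, `resolveDecoderCalls` is a hypothetical helper, and it assumes the simplest decoder shape (a JSON-compatible array literal, a constant offset subtraction, numeric-literal call arguments).

```javascript
// Added example: statically inline calls to a user-designated string decoder.
// Nothing from the sample is executed; it is only pattern-matched.
// Constructed sample in the obfuscator.io style (not taken from a real script).
const SAMPLE = [
  'var _0x1a2b = ["href", "location", "indexOf", "includes"];',
  'var _0x5ce7 = function (d, e) { d = d - 440; var f = _0x1a2b[d]; return f; };',
  'var _0x3c4d = _0x5ce7;',
  'if (window[_0x3c4d(441)][_0x5ce7(440)][_0x3c4d(442)]("x") < 0) { go(_0x3c4d(999)); }',
].join('\n');

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

function resolveDecoderCalls(source, decoderName) {
  const dec = escapeRe(decoderName);
  // 1. Locate the decoder body; read "<param> = <param> - <offset>" and "<array>[<param>]".
  const body = new RegExp(dec + '\\s*=\\s*function\\s*\\((\\w+)[^)]*\\)\\s*\\{([^}]*)\\}').exec(source);
  if (!body) throw new Error('decoder ' + decoderName + ' not found');
  const param = body[1];
  const off = new RegExp(param + '\\s*=\\s*' + param + '\\s*-\\s*(\\d+)').exec(body[2]);
  const arr = new RegExp('([\\w$]+)\\[' + param + '\\]').exec(body[2]);
  if (!off || !arr) throw new Error('unsupported decoder shape');
  const offset = Number(off[1]);
  // 2. Parse the string array as data (JSON.parse), never as code.
  const lit = new RegExp('var\\s+' + escapeRe(arr[1]) + '\\s*=\\s*(\\[[^\\]]*\\])').exec(source);
  if (!lit) throw new Error('string array not found');
  const strings = JSON.parse(lit[1]);
  // 3. Collect aliases of the form "var alias = decoder;" (transitively).
  const names = new Set([decoderName]);
  for (let grew = true; grew;) {
    grew = false;
    for (const m of source.matchAll(/var\s+([\w$]+)\s*=\s*([\w$]+)\s*;/g)) {
      if (names.has(m[2]) && !names.has(m[1])) { names.add(m[1]); grew = true; }
    }
  }
  // 4. Replace calls with a numeric literal argument; leave out-of-range calls untouched.
  const call = new RegExp('(?<![\\w$.])(' + [...names].map(escapeRe).join('|') + ')\\((\\d+)\\)', 'g');
  let unresolved = 0;
  const output = source.replace(call, (whole, _n, idx) => {
    const s = strings[Number(idx) - offset];
    if (typeof s !== 'string') { unresolved++; return whole; }
    return JSON.stringify(s);
  });
  return { output, aliases: [...names], unresolved };
}
```

Calls whose index falls outside the array are counted in `unresolved` and left in place, so a decoder variant this simple matcher does not understand shows up as a number rather than as silently wrong strings.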

ben-sb commented on July 18, 2024

Have added renaming of hex identifiers as an option to https://deobfuscate.io
Thanks for the suggestion

from javascript-deobfuscator.

hackerb9 commented on July 18, 2024

Thank you for all these great new features! If I may make a small suggestion, perhaps it would be better if the trigger to evaluate a function was not something that could be added by a malicious obfuscator. I'm imagining an out-of-band signal, such as a separate data file listing function names. (The web interface could have checkboxes where the user could select which functions should be evaluated.)

from javascript-deobfuscator.

hackerb9 commented on July 18, 2024

Oh, and perhaps this isn't possible, but if the deobfuscator can tell which variables are being called as functions, it would be nice if they were given more easily differentiable names. One-letter function names are harder for me to quickly scan through the source code.

For example, you might have:

var a = ["href", "310326TemamY", "$1//$2", "3789jqLAjI", "201260CufYBR", "includes", "location", "624856ogdMrz", "28pRWhXX", "10734yvtFqz", "352RuMMpQ", "1339PvpRAh", "392868PctkdY", "indexOf", "596BmZxvY"];
var bravo = function (d, e) {
  d = d - 440;
  var f = a[d];
  return f;
};
var charlie = bravo;
charlie(442);

from javascript-deobfuscator.

ben-sb commented on July 18, 2024

I agree there are better names than a, b, c, etc.; however, any name list used needs to consist of at least 5k words (so it's unlikely to run out). I couldn't find such a list of suitable words (that's not just the dictionary); if you find a good one, I'm happy to add it.

As for the trigger to evaluate a function, adding that option to the web interface is a good idea; however, I'm not a frontend dev and not able to modify the website substantially (without tearing my hair out).
The reason it's best to have it as a directive within the function is it's often not clear (programmatically) what the name of a function is in obfuscated scripts.

i.e.

var someFunc = somePredicate ? 56 : (() => { return function() { /* this function */ } })();

In this case passing the name someFunc to the deobfuscator wouldn't be helpful (as it can't tell what it actually refers to without executing that conditional expression), whereas the directive within the function makes it easy to tell.

from javascript-deobfuscator.
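The two positions in this exchange can be combined: the in-body directive locates a function even when its name is ambiguous, while a separate selection supplied by the analyst decides whether it may be evaluated. This is an added example, not code from javascript-deobfuscator: the directive string `#evaluate` is a placeholder (the page does not give the tool's actual one), `findCandidates`, `planEvaluation` and the line-number selection format are hypothetical, and the brace matching ignores braces inside strings and comments.

```javascript
// Added example: an in-band directive only nominates a function for evaluation;
// an out-of-band selection made by the analyst decides whether it is approved.
const DIRECTIVE = '#evaluate'; // placeholder, not the tool's real directive

// Constructed sample: the second directive stands in for one planted by the obfuscator.
const SAMPLE = [
  'var someFunc = somePredicate ? 56 : (() => { return function (d) {',
  '  "#evaluate"; return table[d - 440];',
  '} })();',
  'function _0xdead(u) {',
  '  "#evaluate"; return fetch(u);',
  '}',
].join('\n');

// Return every function whose body starts with the directive, keyed by source line.
function findCandidates(source) {
  const re = new RegExp('function\\s*[\\w$]*\\s*\\([^)]*\\)\\s*\\{\\s*["\']' + DIRECTIVE + '["\']', 'g');
  const found = [];
  for (const m of source.matchAll(re)) {
    const open = source.indexOf('{', m.index);
    let depth = 0, end = open;
    for (; end < source.length; end++) {       // naive brace matching (see assumptions)
      if (source[end] === '{') depth++;
      else if (source[end] === '}' && --depth === 0) break;
    }
    found.push({
      line: source.slice(0, m.index).split('\n').length,
      text: source.slice(m.index, end + 1),
    });
  }
  return found;
}

// selection: line numbers the analyst ticked after reviewing the candidate list.
function planEvaluation(source, selection) {
  const approved = [], rejected = [];
  for (const c of findCandidates(source)) {
    (selection.includes(c.line) ? approved : rejected).push(c);
  }
  return { approved, rejected };
}
```

With the selection `[1]`, only the anonymous function on line 1 is approved; the function on line 4 carries the same directive but lands in `rejected` because nobody selected it.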

hackerb9 commented on July 18, 2024

Thanks for the explanation.

Good point about needing a name list that will not run out. I've created a list of names for you from baby name records.
https://github.com/hackerb9/ssa-baby-names

I still suggest the first 26 functions should be the NATO phonetic alphabet, but after that, functions can be named in order of most commonly given (in a single year): linda, james, michael, robert, et cetera.

And variables that aren't used as functions should probably remain single letters, but that's just my preference and it sounds like it might be tricky to implement.

from javascript-deobfuscator.

ben-sb commented on July 18, 2024

Thanks, will take a look

from javascript-deobfuscator.

hackerb9 commented on July 18, 2024

For convenience, I've created a list ready to be used as identifiers: identifiers.txt. It contains over 100,000 entries in (roughly) popularity order, but with the NATO phonetic alphabet prepended.

from javascript-deobfuscator.
