Reputation: 313
Now simple hex deob is simple, I am curious if there is a tool to rename usages of variables. For example:
Is there a tool that will take the variable names from the array, and rename usages within the body of the code?
Upvotes: 1
Views: 6143
Reputation: 49
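If you do Python, deal with the big array at the top using:
import re
# First open the file and read it into the variable 'text' (the file name is a placeholder)
with open("obfuscated.js", encoding="utf-8") as f:
    text = f.read()
# Replace each \xNN escape (upper- or lower-case hex) with the character it encodes
result = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)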
Upvotes: 1
Reputation: 3026
Using this website, most of the code can be formatted and become readable: http://jsbeautifier.org/
However that leaves an enormous array at the top that contains most of the variables/strings used in the code. To insert its contents throughout the code, you can use the following JavaScript that will search and replace each instance:
for (var i = 0; i < keywords.length; i++) {
    if (keywords[i].match(/^[a-zA-Z][a-zA-Z0-9_]*$/)) { // Could be a standalone variable
        // Replace any instances the string is used in an array accessor ['x'] with a dot .x
        code = code.replace(new RegExp('\\[' + arrayName + '\\[' + i + '\\]\\]', 'g'), '.' + keywords[i]);
    }
    // Insert as strings throughout code, escaping anything necessary
    var quoted = '\'' +
        keywords[i].replace(/\\/g, '\\\\').replace(/\r/g, '\\r').replace(/\n/g, '\\n').replace(/'/g, '\\\'') +
        '\'';
    // A function replacement inserts the text literally, so '$&' or '$1' inside a string is not expanded
    code = code.replace(new RegExp(arrayName + '\\[' + i + '\\]', 'g'), function () { return quoted; });
}
console.log(code);
Be sure to create three variables for that code, arrayName (a string of '_0x67a5'), keywords (the array), and code (the code after the array). In order to accurately contain the code in a string, I recommend using Notepad++ to replace all backslashes, quotes, and newlines (find with extended/regex: \r\n, replace with: \\r\\n\\\r\n).
This leaves a few hex-named variables, but they're all local to specific functions and are much easier to follow. The result can be seen here: http://pastebin.com/kQjz2T0P
Upvotes: 3
Reputation: 10841
Yes. String.replace(regex,function(found,selected)) method.
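// Text of the element(s) with class de1 (the obfuscated script)
h0=$('.de1').text();
// The array literal: the text between the first '=' and the first '$'
h1=h0.split('$')[0].split('=')[1];
// The rest of the code: skip the array plus 12 characters (the length of 'var _0x67a5=')
h2=h0.slice(h1.length+12);
// Evaluate the array literal into ar
eval('ar='+h1);
// Replace each _0x67a5[n] with the quoted string it refers to
h3=h2.replace(/_0x67a5\[(\d*)\]/g,function(a,b){return '"'+ar[parseInt(b)]+'"'});
// Add line breaks after semicolons and turn \x, \u and _0x sequences into HTML entities
h4=h3.replace(/;(?!=['"])/g,';<br>').replace(/\\x(..)/g,function(a,b){return '&#x'+b+';'}).replace(/\\u(....)/g,function(a,b){return '&#x'+b+';'}).replace(/_0x(....)/g,function(a,b){return '&#x'+b+';'});
// Show the result in the element with id abrpm
$('#abrpm').html(h4);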
Upvotes: 0
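The following is an added example, not code from any of the posts above: a Node.js function that does the array inlining the answers describe, but reads the string array with a regex instead of eval(), so the script under analysis is never executed. The function names and the sample input are constructed for illustration, and it assumes the script begins with a single `var NAME=[...]` array of string literals.

```javascript
// Added example: inline a leading string array without executing the script.
const STR = /"(?:[^"\\]|\\[\s\S])*"|'(?:[^'\\]|\\[\s\S])*'/; // one string literal

// Decode the escape sequences inside a string literal body (\xNN, \uNNNN, \n ...).
function decodeLiteral(body) {
  const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v', 0: '\0', '\n': '' };
  return body.replace(/\\(?:x([0-9A-Fa-f]{2})|u([0-9A-Fa-f]{4})|([\s\S]))/g,
    (m, hex, uni, ch) => (hex || uni)
      ? String.fromCharCode(parseInt(hex || uni, 16))
      : (ch in simple ? simple[ch] : ch));
}

function inlineStringArray(source) {
  // Match `var NAME=["...", '...'];` at the very start of the script.
  const decl = new RegExp('^\\s*var\\s+([A-Za-z_$][\\w$]*)\\s*=\\s*\\[\\s*((?:(?:' +
    STR.source + ')\\s*(?:,\\s*)?)*)\\]\\s*;?').exec(source);
  if (!decl) throw new Error('no leading string-array declaration found');
  const [whole, name, items] = decl;
  const strings = (items.match(new RegExp(STR.source, 'g')) || [])
    .map(lit => decodeLiteral(lit.slice(1, -1)));
  const esc = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // NAME as a regex fragment
  const ident = /^[A-Za-z_$][\w$]*$/;
  return source.slice(whole.length)
    // obj[NAME[i]] -> obj.prop, only after an expression (identifier, ')' or ']'),
    // so an array literal such as [NAME[i]] is left for the second pass.
    .replace(new RegExp('(?<=[\\w$)\\]])\\[' + esc + '\\[(\\d+)\\]\\]', 'g'), (m, i) =>
      strings[i] !== undefined && ident.test(strings[i]) ? '.' + strings[i] : m)
    // Remaining NAME[i] -> quoted literal; a callback keeps '$' sequences literal.
    .replace(new RegExp(esc + '\\[(\\d+)\\]', 'g'), (m, i) =>
      strings[i] !== undefined ? JSON.stringify(strings[i]) : m);
}

// Constructed sample input (not taken from the page's pastebin).
const sample =
  'var _0x67a5=["\\x6C\\x6F\\x67","\\x68\\x69\\x20\\x24\\x26","\\x6C\\x65\\x6E\\x67\\x74\\x68"];' +
  'console[_0x67a5[0]](_0x67a5[1]);var n=[_0x67a5[1]][_0x67a5[2]];';
console.log(inlineStringArray(sample));
```

This is a regex pass, not a parser: a keyword directly before the bracket (for example `return[...]`) would be treated as a property access, so check the output against the original where it matters.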