Reputation: 77
So I'm tackling the task of de-obfuscating some JavaScript code, and using www.jsbeautifier.org I have got my code. Is it possible to make a search-and-replace query of some sort, or use another method, to replace the random variable names with their actual content, e.g.:
O7 = "string";
o9 = "test";
function o9(O7) {
.... etc
}
to
function test(string) {
...... etc.
}
Thanks
Upvotes: 1
Views: 2007
Reputation: 5362
You can't do this in pure regex, or in a language-agnostic way, simply because you can't use conditional replacements (or substitutions). Which means you can't do something like: b(a)?, and say: if a is empty, then replace the whole match with "c"; otherwise, with "d".
Why is it useful? Keep reading to see what we'll be using to match the right text.
Currently, some regex flavors allow you to use different 'variables' within the substitution text (e.g.: $n, $', $&, $`...) - Take a look at Substitutions in Regular Expressions.
However, assuming you're deobfuscating JavaScript code with JavaScript, the regex you're searching for is:
/"[^"]*"|'[^']*'|\/\*[\s\S]*?\*\/|\/\/.*$|\b(<text>)\b/mg
If you use it in Regex101, you'll see it's matching the same as \b<text>\b, any other comment (/* foo */, // bar), and any other quoted text ("baz", 'qux'), which is actually what's expected. The first two parts of the regex are responsible for matching any string:
"[^"]*" - matches: "..."
'[^']*' - matches: '...'
And that's okay because we want to exclude the possibility of replacing a 'variable' if it's actually inside the string.
And then the third, which will be responsible for the multiline comments, and the fourth (normal comments) part shall work like this:
\/\*[\s\S]*?\*\/ - matches: /*...*/
\/\/.*$ - matches: //... until the line breaks
And now, the text we'll be searching for will not simply be matched by the regex, but will also be captured. Take a look at the last part:
\b(<text>)\b - captures the <text> (those that haven't been captured before).
Now, in our script, we can simply match all the occurrences of the desired input, and replace them with the output when our code detects that group one ($1) is not empty.
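function deobfuscate(code, from, to){
    // Alternatives, in order: "..." strings, '...' strings, /* */ comments, // comments,
    // and finally the captured identifier. `from` is inserted into the pattern as-is.
    var re = RegExp('"[^"]*"|\'[^\']*\'|\\/\\*[\\s\\S]*?\\*\\/|\\/\\/.*$|\\b('+ from +')\\b', 'gm');
    // Group 1 is only set when the identifier alternative matched; otherwise keep the match untouched.
    return code.replace(re, function(match, g1) { return (g1) ? to:match; });
}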
With that function, you can do what you want, for example, parsing:
O7 = "string";
o9 = "test";
function o9(O7) { ...
And retrieving <toFind> = <toReplace> in the start, and then use it (inside a loop or something) like this:
code = deobfuscate(code, toFind[i], toReplace[i]);
/* Textarea & Inputs' DOMs */
var code = document.getElementById("code");
var from = document.getElementById("from");
var to = document.getElementById("to");
code.placeholder = "Code goes here...";
from.placeholder = "From";
to.placeholder = "To";
/* Example Values */
code.value = "Example: //Switch(?):\n"+
"function o9(o9) { //true, true\n"+
" o9 = 'o9'; //true, false\n"+
" /*\n"+
" o9 //false\n"+
" */\n"+
" var test = o9+\"o9\"+o9; //true, false, true\n"+
" return o9; //o9 //true, false\n"+
"}\n";
from.value = "o9";
to.value = "ok";
/* Called onclick action */
function doStuff(){
    code.value = deobfuscate(code.value, from.value, to.value);
}
function deobfuscate(code, from, to){
    var re = RegExp('"[^"]*"|\'[^\']*\'|\\/\\*[\\s\\S]*?\\*\\/|\\/\\/.*$|\\b('+ from +')\\b', 'gm');
    return code.replace(re, function(match, g1) { return (g1) ? to:match; });
}
<html>
<body>
<textarea id="code" rows="10" cols="55"></textarea> <br>
<input id="from"/> → <input id="to"/> <br><br>
<button onclick="doStuff()">Deobfuscate</button>
</body>
</html>
As your question is not clear enough, I can't tell what you are searching for, a lot is possible. For example, should it search for random variables in the code and then replace it all? That would require a dictionary for words, so wouldn't really deobfuscate the code, as you must specify the input and output. If there's something you think I'm missing, please add it to the comment section.
Upvotes: 1
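The procedure the answer describes (collect the leading `name = "value";` assignments, then rename), as an added example that is not part of the original answer. It goes beyond the answer's regex: all renames happen in one pass so one rename cannot feed into another, escaped quotes inside strings are tolerated, and names containing `$` are matched literally. The function names and the sample input are constructed for illustration.

```javascript
// Added example; function names and sample input are constructed for illustration.

// Skip-list from the answer (strings, block comments, line comments), with the
// string branches widened to accept backslash-escaped quotes such as "a\"b".
const SKIP = /"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'|\/\*[\s\S]*?\*\/|\/\/.*$/.source;

// Escape regex metacharacters so a name like "$x" is matched literally.
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Consume leading `name = "identifier";` lines and return them as a rename map.
function harvestRenames(code) {
  const decl = /^\s*([A-Za-z_$][\w$]*)\s*=\s*(["'])([A-Za-z_$][\w$]*)\2\s*;\s*/;
  const map = new Map();
  let m;
  while ((m = decl.exec(code)) !== null) {
    map.set(m[1], m[3]);
    code = code.slice(m[0].length);
  }
  return { map, rest: code };
}

// Rename every mapped identifier in ONE pass, so a->b followed by b->c cannot chain.
// Lookarounds replace \b because \b does not treat "$" as part of an identifier.
function renameAll(code, map) {
  if (map.size === 0) return code;
  const names = [...map.keys()].map(escapeRe).join('|');
  const re = new RegExp(SKIP + '|(?<![\\w$])(' + names + ')(?![\\w$])', 'gm');
  return code.replace(re, (match, id) => (id ? map.get(id) : match));
}

function deobfuscateAll(code) {
  const { map, rest } = harvestRenames(code);
  return renameAll(rest, map);
}

// Constructed sample based on the snippet in the question.
const sample = [
  'O7 = "string";',
  'o9 = "test";',
  'function o9(O7) {',
  '  var s = "o9 says \\"O7\\""; // o9 stays here',
  '  /* O7 untouched */',
  '  return O7 + s;',
  '}',
].join('\n');

console.log(deobfuscateAll(sample));
```

Regex literals and template literals are not covered by the skip-list, so identifiers inside them would still be renamed.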