diff --git a/packages/webcrack/src/deobfuscate/index.ts b/packages/webcrack/src/deobfuscate/index.ts
index 1f4f3ef6..4d17408e 100644
--- a/packages/webcrack/src/deobfuscate/index.ts
+++ b/packages/webcrack/src/deobfuscate/index.ts
@@ -1,4 +1,3 @@
-import type * as t from '@babel/types';
 import debug from 'debug';
 import type { AsyncTransform } from '../ast-utils';
 import {
@@ -31,52 +30,46 @@ export default {
 if (!sandbox) return;
 const logger = debug('webcrack:deobfuscate');
- const visitedStringArrays = new Set();
+ const stringArray = findStringArray(ast);
+ logger(
+ stringArray
+ ? `String Array: ${stringArray.length} strings`
+ : 'String Array: no',
+ );
+ if (!stringArray) return;
- while (true) {
- const stringArray = findStringArray(ast);
- logger(
- stringArray
- ? `String Array: ${stringArray.length} strings`
- : 'String Array: no',
- );
- if (!stringArray) break;
- if (visitedStringArrays.has(stringArray.path.node)) break;
- visitedStringArrays.add(stringArray.path.node);
+ const rotator = findArrayRotator(stringArray);
+ logger(`String Array Rotate: ${rotator ? 'yes' : 'no'}`);
- const rotator = findArrayRotator(stringArray);
- logger(`String Array Rotate: ${rotator ? 'yes' : 'no'}`);
+ const decoders = findDecoders(stringArray);
+ logger(`String Array Encodings: ${decoders.length}`);
- const decoders = findDecoders(stringArray);
- logger(`String Array Encodings: ${decoders.length}`);
+ state.changes += applyTransform(ast, inlineObjectProps).changes;
- state.changes += applyTransform(ast, inlineObjectProps).changes;
-
- for (const decoder of decoders) {
- state.changes += applyTransform(
- ast,
- inlineDecoderWrappers,
- decoder.path,
- ).changes;
- }
-
- const vm = new VMDecoder(sandbox, stringArray, decoders, rotator);
- state.changes += (
- await applyTransformAsync(ast, inlineDecodedStrings, { vm })
+ for (const decoder of decoders) {
+ state.changes += applyTransform(
+ ast,
+ inlineDecoderWrappers,
+ decoder.path,
 ).changes;
+ }
- if (decoders.length > 0) {
- stringArray.path.remove();
- rotator?.remove();
- decoders.forEach((decoder) => decoder.path.remove());
- state.changes += 2 + decoders.length;
- }
+ const vm = new VMDecoder(sandbox, stringArray, decoders, rotator);
+ state.changes += (
+ await applyTransformAsync(ast, inlineDecodedStrings, { vm })
+ ).changes;
- state.changes += applyTransforms(
- ast,
[mergeStrings, deadCode, controlFlowObject, controlFlowSwitch],
- { noScope: true },
- ).changes;
+ if (decoders.length > 0) {
+ stringArray.path.remove();
+ rotator?.remove();
+ decoders.forEach((decoder) => decoder.path.remove());
+ state.changes += 2 + decoders.length;
 }
+
+ state.changes += applyTransforms(
+ ast,
+ [mergeStrings, deadCode, controlFlowObject, controlFlowSwitch],
+ { noScope: true },
+ ).changes;
 },
 } satisfies AsyncTransform;
diff --git a/packages/webcrack/src/deobfuscate/test/samples/obfuscator.io-multiple-passes.js b/packages/webcrack/src/deobfuscate/test/samples/obfuscator.io-multiple-passes.js
deleted file mode 100644
index 8ac0a4bd..00000000
--- a/packages/webcrack/src/deobfuscate/test/samples/obfuscator.io-multiple-passes.js
+++ /dev/null
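Review bot: A sample that carries more than one string array now comes out only partly decoded, and nothing after the single pass reports it: the function ends at the final `applyTransforms(...)` call without looking for a further array. For anyone triaging obfuscated scripts that silence matters, because leftover encoded strings can pass for a finished result; the deleted `obfuscator.io-multiple-passes.js` sample looks like exactly this case. Consider ending the function with `const remaining = findStringArray(ast);` and `if (remaining && remaining.path.node !== stringArray.path.node) logger('String Array: another array left undecoded');`, where the node comparison keeps the no-decoder case (array not removed) quiet — please confirm it against how `path.remove()` leaves `path.node`. The enclosing function starts above the hunk, so its callers and return contract are not visible here.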
@@ -1 +0,0 @@ -function _0x5790(){var _0x34138d=['8317910qSJQfh','3647043GdEdCr','40tyaKSu','shift','1192160tVhFTb','717cFUaGh','271761QgYNOF','9811725IwCJWY','push','5882502wxHvgs','8xPIJVU','3024702QYUYds','1111315GtUQBt','8LnHqTM','2585555iIrrPo','4714HomEMz','9305drJvom','573366PKCBFu','log','383407atVtAg','1581060pwOJvi'];_0x5790=function(){return _0x34138d;};return _0x5790();}(function(_0xb89bae,_0x5bdb43){var _0x33e2f7=_0x510f,_0xe4909f=_0xb89bae();while(!![]){try{var _0x3fe403=-parseInt(_0x33e2f7(0x1c9))/0x1+-parseInt(_0x33e2f7(0x1c0))/0x2*(parseInt(_0x33e2f7(0x1bc))/0x3)+-parseInt(_0x33e2f7(0x1ba))/0x4+-parseInt(_0x33e2f7(0x1ca))/0x5+-parseInt(_0x33e2f7(0x1c7))/0x6+-parseInt(_0x33e2f7(0x1c4))/0x7+parseInt(_0x33e2f7(0x1cd))/0x8*(parseInt(_0x33e2f7(0x1cc))/0x9);if(_0x3fe403===_0x5bdb43)break;else _0xe4909f['push'](_0xe4909f['shift']());}catch(_0x3282a9){_0xe4909f['push'](_0xe4909f['shift']());}}}(_0x5790,0x311f2));function _0x2097(){var _0x2a9b6f=_0x510f,_0x48f452=[_0x2a9b6f(0x1c1),_0x2a9b6f(0x1bf),_0x2a9b6f(0x1c3),_0x2a9b6f(0x1cb),_0x2a9b6f(0x1c6),_0x2a9b6f(0x1c2),_0x2a9b6f(0x1c5),_0x2a9b6f(0x1bd),_0x2a9b6f(0x1bb),'772KuyPSc','11JjLzZt'];return _0x2097=function(){return _0x48f452;},_0x2097();}function _0x3a13(_0x23206f,_0x241129){var _0x56b4c0=_0x2097();return _0x3a13=function(_0x231dfb,_0x3c18dd){_0x231dfb=_0x231dfb-0x6f;var _0x43a52d=_0x56b4c0[_0x231dfb];return _0x43a52d;},_0x3a13(_0x23206f,_0x241129);}(function(_0x381695,_0x34c69d){var _0x239e37=_0x510f,_0xb1cf1e=_0x3a13,_0x1f8af3=_0x381695();while(!![]){try{var _0x102206=parseInt(_0xb1cf1e(0x74))/0x1+parseInt(_0xb1cf1e(0x75))/0x2*(-parseInt(_0xb1cf1e(0x77))/0x3)+-parseInt(_0xb1cf1e(0x78))/0x4*(-parseInt(_0xb1cf1e(0x73))/0x5)+parseInt(_0xb1cf1e(0x70))/0x6+-parseInt(_0xb1cf1e(0x76))/0x7+parseInt(_0xb1cf1e(0x71))/0x8*(-parseInt(_0xb1cf1e(0x6f))/0x9)+-parseInt(_0xb1cf1e(0x72))/0xa*(-parseInt(_0xb1cf1e(0x79))/0xb);if(_0x102206===_0x34c69d)break;else 
_0x1f8af3[_0x239e37(0x1be)](_0x1f8af3['shift']());}catch(_0x3a7e23){_0x1f8af3[_0x239e37(0x1be)](_0x1f8af3[_0x239e37(0x1ce)]());}}}(_0x2097,0xefa74));function hi(){var _0x30cb53=_0x510f;console[_0x30cb53(0x1c8)]('Hello\x20World!');}function _0x510f(_0x2191fd,_0x195ec6){var _0x5790e3=_0x5790();return _0x510f=function(_0x510f79,_0x4995f8){_0x510f79=_0x510f79-0x1ba;var _0x510a9c=_0x5790e3[_0x510f79];return _0x510a9c;},_0x510f(_0x2191fd,_0x195ec6);}hi(); \ No newline at end of file diff --git a/packages/webcrack/src/deobfuscate/test/samples/obfuscator.io-multiple-passes.js.snap b/packages/webcrack/src/deobfuscate/test/samples/obfuscator.io-multiple-passes.js.snap deleted file mode 100644 index 6729f124..00000000 --- a/packages/webcrack/src/deobfuscate/test/samples/obfuscator.io-multiple-passes.js.snap +++ /dev/null @@ -1,4 +0,0 @@ -function hi() { - console.log("Hello World!"); -} -hi(); \ No newline at end of file