javascript deobfuscation

Iniciado por Progmasterbr, 4 Mayo 2016, 23:36 PM

0 Miembros y 1 Visitante están viendo este tema.

Imprimir
Ir Abajo Páginas1
Acciones del Usuario

Progmasterbr

4 Mayo 2016, 23:36 PM
Hello friends,

I have a javascript code and this .js is crypted with a a very strange algorithm.

Then I want any help for try decrypt this script, he contains some functions that I'm needing for implement in a another project.

I had discovered that site used for ofuscate was https://javascriptobfuscator.com/javascript-Obfuscator.aspx

Any help will welcome.

Here is original code: http://pastebin.com/KRQWffhr

obfuscated and I had used this site http://javascriptbeautifier.com/ and he made half of deobfuscation and this is final result: http://pastebin.com/Laipv8ND

Eleкtro

#1
5 Mayo 2016, 16:29 PM Ultima modificación: 5 Mayo 2016, 16:52 PM por Eleкtro
Cita de: Progmasterbr en  4 Mayo 2016, 23:36 PMHere is original code: http://pastebin.com/KRQWffhr

obfuscated and I had used this site http://javascriptbeautifier.com/ and he made half of deobfuscation and this is final result: http://pastebin.com/Laipv8ND

Hi

What more you are expecting to acchieve from the resulting deobfuscated code that you have?.

Take into account that the variable names recovery is not possible since they are lost after obfuscation, that's it, things starting with "_0x" are the new variable names that the obfuscation algorithm assigns to each found var, the original variable names are replaced with new hexadecimal values like that, but they are just that, hex values, they aren't encoded values that contain the old variable name, so you can't rollback something that doesn't exists anymore, in resume, the resulting code that you have should work as expected with those names.

So basically seems that you have totally deobfuscated the code up to the max that it can be done without having the original code.

For variable names as I said it's impossible (the methodology to rollback a replacement is doing another replacement knowing the old data), so what you can do at this point is pick up your favorite text editor and perform a word replacement of all "_0xb257" for whichever friendlly variable name being more readable than the hexadecimal one.



For interest I will explain you that things starting with "\x" are just a escape secuence of characters that are very easy to decode. The rest part after the "\x" is a hex value that you can convert it to decimal then retrieve the corresponding char from ASCII table;
so for example if we have "\x4D", then we remove/ignore the "\x" (because is just trash information), so we have the "4D" that translated into decimal it is "77", which corresponds to the "M" character.

So for example this value can be translated as "Message : " string.
Código [Seleccionar]
"\x4D\x65\x73\x73\x61\x67\x65\x20\x3A\x20"

Regards.







Imprimir
Ir Arriba Páginas1
Acciones del Usuario