Puzzle solving. Writing custom JavaScript deobfuscator

In my humble opinion, script obfuscation is a much more exciting area than assembler and other low-level magic. Plenty of ready-made deobfuscators are available online, but what if none of them can help you in a specific situation? Under such circumstances, you have no choice but to remove obfuscation yourself, and this article explains how this can be done.

Automatic deobfuscators

Let’s take some JavaScript web app as an example. It’s some three megabytes in size and mostly consists of severely obfuscated code that begins as shown below.

The end of the code looks as follows.

The characteristic names of identifiers (_0x58cd18, _0x2f8935_0x321d33, _0x1e0595) imply that this code has been obfuscated using obfuscator.io. However, all attempts to deobfuscate it using this standard online deobfuscator fail regardless of the settings used: readable code doesn’t appear in the right window.

Deobfuscation attempts involving other publicly available tools, including the de4js universal deobfuscator, don’t produce meaningful results either.

It seems that automatic deobfuscators are useless, and you have to do the job manually.

Manual deobfuscation

First of all, let’s apply JS Beautifier to the raw code to make it more readable. If you go through the now-structured code, you’ll notice numerous function calls with ten hexadecimal constants acting as parameters:

It’s logical to assume that these are encrypted constants that should be somehow translated into a readable form. As usual, let’s start from the end. The code ends with the following fragment:

Logic suggests that this is a console.log(_0x321d33) (i.e. _0x1e0595(0x4f3, 0x854, 0x1210, 0x19e1, 0x3ca, 0x992, 0x665, 0xf98, 0x185b, 0x1073) == "log"). Let’s try to restore meat from mince by looking for the string function _0x1e0595 in the code:

As you can see, it refers to another identifier called _0x340121. Let’s find it, too:

_0x340121, in turn, refers to something called _0x3a86. Fortunately, this is the last (or more precisely, first) link in this chain:

So far, everything is simple. All that remains is to find the array of string constants returned by _0x5e2d:

It seems that the minimum piece of code that generates obfuscated strings using the _0x1e0595 function has been isolated:

Later, such code searches for each similar function should be automated somehow (despite their large number, all of them are of the same type). But for now, let’s make sure that everything is correct. Press F12 in the browser and paste the isolated code fragment to the console to calculate the expression _0x1e0595(0x4f3, 0x854, 0x1210, 0x19e1, 0x3ca, 0x992, 0x665, 0xf98, 0x185b, 0x1073).

At this point, you can see that the returned string is not log, but quite the opposite: awal (although the log string is also present in the original array). This means that either the above calculations were incorrect, or the authors of this obfuscator are smarter than one could expect…

Let’s examine the code in more detail. The upper code fragment starting with the comment IT IS NOT SAFE TO MAKE CHANGES IN THE CODE BELOW intricately shuffles the array of string constants _0x552e21 after its initialization.

Interestingly, the while condition contains the (!![])==true construct. A closer examination reveals that such constants, together with the inverse variant, (![])==false, frequently occur throughout the obfuscated code. Make a note to yourself to replace them in the code using global replacement, then insert the fragment shown in the previous screenshot at the beginning of the ‘core’ code, and run the test again. This time, everything matches, and the result is correct: _0x1e0595(0x4f3, 0x854, 0x1210, 0x19e1, 0x3ca, 0x992, 0x665, 0xf98, 0x185b, 0x1073) == "log".

This is where the exciting and breathtaking research stage ends and routine coding begins.

Writing deobfuscator

The plan is as follows.

Similar to the above-described analysis of the _0x1e0595 function, let’s form the ‘core’ of functions that will decode string constants. To do this, you have to search for all functions that match the template:

Using regular expressions, this can be implemented in JavaScript as follows:

where string is the source code; the output is functions (i.e. function code that should be added to the ‘core’ code and concurrently removed from the source code); and names is the list of function names.

Let’s search for functions having the following format:

where Name1 is the function name from the names list obtained in step 1. The code looks as follows:

As a result, you get new lists containing functions (functions1) and their names (names1) that are also added to the core and removed from the source code.

This procedure (i.e. search for functions, and every time the names list is substituted with the names1 list obtained in the previous step) is repeated until the list becomes empty at the next step. The final code looks something like this:

At the output, functions are all the parasitic functions generated by the obfuscator; while names are their names.

Now that the ‘core’ is formed, you simply iterate over all the enumerable expressions in the format:

Name1 is the function name from the names list obtained at previous stages. These names can be calculated using the following code:

The output represents an expressions array containing enumerable expressions in the format _0x4a0111(0xa0c, 0xc0b, 0x13ef, 0x1e3e, 0x15e2, 0x1a29, 0x1b08, 0x94b, 0x968, 0x753) and respective constants. All you have to do is replace the former ones in the obfuscated code with the latter ones using global replacement.

As a result, you get partially deobfuscated code where at least string constants and names of standard methods are presented in an explicit form. This code can be analyzed and edited; to make it more readable, some of its parts can be loaded to other deobfuscators.

Of course, it isn’t that the original app has been completely deobfuscated. To refine its code further, expressions like Class["MethodName"] can be converted to Class.MethodName. Below is a slightly more advanced version of the code in Object.MethodName:

Finally, you can perform a series of dictionary transformations like these:

Ultimately, you’ll get almost readable code missing only the original names of variables and functions.

Conclusions

As usual, I fibbed a little and described the simplest and fastest technique that can be used to partially deobfuscate JavaScript code. Of course, to write a fully-functional deobfuscator, a simple search and replacement of regular expressions won’t be enough. Generally speaking, you have to write your own JavaScript machine emulator (similar to the one implemented in the above-mentioned webcrack deobfuscator). In future articles, I intend to cover this topic; in the meanwhile, you can examine the source code of this project on your own: it contains plenty of interesting stuff.

Good luck in your endeavors!