[TUTORIAL] How to deobfuscate (most) scripts on this forum
-
Requirement:
- js knowledge
- knowing how to use the terminal (install + run programs)
- a code editor
- a brain
Step 1: Obtain the obfuscated script:
In this example, I'll use BetterCriticals.
Before deobfuscation:
Step 2: Basic deobfuscator and formatter
- install
nodejs(only once) - install
synchrony - create a
configfile with the following content:
rename: true loose: true sourceType: "script"- put the obfuscated script and the above
configfile in the same directory, opencmd.exe/terminal and runsynchrony -c config [NAME]where name is the file name of the obfuscated script.
Now the script should look like this:
Step 3: use brain
Quick reminder:
var flyModule = moduleManager.getModule('Fly')can be obfuscated into
var flyModule = moduleManager['getModule']('Fly')and then those strings can be hidden inside a table and used via a decode function (a function that takes an index into the strings table and return the deobfuscated string).
Use your brain now: what's the decode function in this script:
If you can't see that the decode function is
axolotl_b, stop reading this, else proceed to step 4.Step 4: transformer
Wouldn't it be nice if we can write a program that convert
into
by replacing each call of
axototl_bwith the result of that call?4.1: transformer base
The variable
axototl_acontains the encrypted string table for this script so copy that into a new file calledtransformer.js
4.2: remove anti debugger and anti formatter:
Take a look at the decode function:
Again, if you can't see the part that prevents debugging and formatting, quit reading. For everyone else it's this part:
WCaJFGonly succeeds iftPYtSPis a obfuscated function (in this case, have no newline which our deobfuscated one does). So uhm, remove it I guess.fShere is also another anti debug function:
So by now, you should know what to copy and what to not copy to your
transformer.js. Mine look like this.4.3: processing input
First, read read from stdin line by line and
String.replace(), particularly the part that cover Specifying a function as the replacement.
Now add this to yourtransformer.js:function replacer(match, p1, offset, string) { return "'" + axolotl_b(p1) + "'"; } function processLine(line) { line = line.replaceAll( /axolotl_b\('([0-9A-Fa-fxX]+)'\)/g, replacer ); console.log(line) // print modified } process.stdin.pipe(require('split')()).on('data', processLine) // for each line, run ProcessLineNow your
transformer.jsshould look like this. Before running your transformer, runnpm install splitfirst.Now, run
node transformer.js < crits.cleaned.js > crits.js(pretty sure this works on windows too, tested on linux) withcrits.cleaned.jsbeing the file produced in step 2 andcrits.jsis the name of the new file.The (almost) deobfuscated script should look like this file or this image:
Feel free to remove everything before the line
var scriptName = 'BetterCriticals'as that is the beginning of most normal script and everything before it have no use from now.
Step 5: last
synchronyRepeat step 2 on the file produced by step 4. You should get something similar to this:
Step 6: Rename variables
You read the entire thing and have a working brain, I believe you can do this yourself.
Questions u may have:
- I need more example: check out my other post in which I deobfuscated? using the same technique.
- Bad english: yes ik english is not my first language.
- Setup: images taken from Code OSS with Atom One Dark color scheme, running on Artix Linux.
Questions I have:
- What's the name (and creator) of this obfuscator?
-
Requirement:
- js knowledge
- knowing how to use the terminal (install + run programs)
- a code editor
- a brain
Step 1: Obtain the obfuscated script:
In this example, I'll use BetterCriticals.
Before deobfuscation:
Step 2: Basic deobfuscator and formatter
- install
nodejs(only once) - install
synchrony - create a
configfile with the following content:
rename: true loose: true sourceType: "script"- put the obfuscated script and the above
configfile in the same directory, opencmd.exe/terminal and runsynchrony -c config [NAME]where name is the file name of the obfuscated script.
Now the script should look like this:
Step 3: use brain
Quick reminder:
var flyModule = moduleManager.getModule('Fly')can be obfuscated into
var flyModule = moduleManager['getModule']('Fly')and then those strings can be hidden inside a table and used via a decode function (a function that takes an index into the strings table and return the deobfuscated string).
Use your brain now: what's the decode function in this script:
If you can't see that the decode function is
axolotl_b, stop reading this, else proceed to step 4.Step 4: transformer
Wouldn't it be nice if we can write a program that convert
into
by replacing each call of
axototl_bwith the result of that call?4.1: transformer base
The variable
axototl_acontains the encrypted string table for this script so copy that into a new file calledtransformer.js
4.2: remove anti debugger and anti formatter:
Take a look at the decode function:
Again, if you can't see the part that prevents debugging and formatting, quit reading. For everyone else it's this part:
WCaJFGonly succeeds iftPYtSPis a obfuscated function (in this case, have no newline which our deobfuscated one does). So uhm, remove it I guess.fShere is also another anti debug function:
So by now, you should know what to copy and what to not copy to your
transformer.js. Mine look like this.4.3: processing input
First, read read from stdin line by line and
String.replace(), particularly the part that cover Specifying a function as the replacement.
Now add this to yourtransformer.js:function replacer(match, p1, offset, string) { return "'" + axolotl_b(p1) + "'"; } function processLine(line) { line = line.replaceAll( /axolotl_b\('([0-9A-Fa-fxX]+)'\)/g, replacer ); console.log(line) // print modified } process.stdin.pipe(require('split')()).on('data', processLine) // for each line, run ProcessLineNow your
transformer.jsshould look like this. Before running your transformer, runnpm install splitfirst.Now, run
node transformer.js < crits.cleaned.js > crits.js(pretty sure this works on windows too, tested on linux) withcrits.cleaned.jsbeing the file produced in step 2 andcrits.jsis the name of the new file.The (almost) deobfuscated script should look like this file or this image:
Feel free to remove everything before the line
var scriptName = 'BetterCriticals'as that is the beginning of most normal script and everything before it have no use from now.
Step 5: last
synchronyRepeat step 2 on the file produced by step 4. You should get something similar to this:
Step 6: Rename variables
You read the entire thing and have a working brain, I believe you can do this yourself.
Questions u may have:
- I need more example: check out my other post in which I deobfuscated? using the same technique.
- Bad english: yes ik english is not my first language.
- Setup: images taken from Code OSS with Atom One Dark color scheme, running on Artix Linux.
Questions I have:
- What's the name (and creator) of this obfuscator?
Wildwest
-
Requirement:
- js knowledge
- knowing how to use the terminal (install + run programs)
- a code editor
- a brain
Step 1: Obtain the obfuscated script:
In this example, I'll use BetterCriticals.
Before deobfuscation:
Step 2: Basic deobfuscator and formatter
- install
nodejs(only once) - install
synchrony - create a
configfile with the following content:
rename: true loose: true sourceType: "script"- put the obfuscated script and the above
configfile in the same directory, opencmd.exe/terminal and runsynchrony -c config [NAME]where name is the file name of the obfuscated script.
Now the script should look like this:
Step 3: use brain
Quick reminder:
var flyModule = moduleManager.getModule('Fly')can be obfuscated into
var flyModule = moduleManager['getModule']('Fly')and then those strings can be hidden inside a table and used via a decode function (a function that takes an index into the strings table and return the deobfuscated string).
Use your brain now: what's the decode function in this script:
If you can't see that the decode function is
axolotl_b, stop reading this, else proceed to step 4.Step 4: transformer
Wouldn't it be nice if we can write a program that convert
into
by replacing each call of
axototl_bwith the result of that call?4.1: transformer base
The variable
axototl_acontains the encrypted string table for this script so copy that into a new file calledtransformer.js
4.2: remove anti debugger and anti formatter:
Take a look at the decode function:
Again, if you can't see the part that prevents debugging and formatting, quit reading. For everyone else it's this part:
WCaJFGonly succeeds iftPYtSPis a obfuscated function (in this case, have no newline which our deobfuscated one does). So uhm, remove it I guess.fShere is also another anti debug function:
So by now, you should know what to copy and what to not copy to your
transformer.js. Mine look like this.4.3: processing input
First, read read from stdin line by line and
String.replace(), particularly the part that cover Specifying a function as the replacement.
Now add this to yourtransformer.js:function replacer(match, p1, offset, string) { return "'" + axolotl_b(p1) + "'"; } function processLine(line) { line = line.replaceAll( /axolotl_b\('([0-9A-Fa-fxX]+)'\)/g, replacer ); console.log(line) // print modified } process.stdin.pipe(require('split')()).on('data', processLine) // for each line, run ProcessLineNow your
transformer.jsshould look like this. Before running your transformer, runnpm install splitfirst.Now, run
node transformer.js < crits.cleaned.js > crits.js(pretty sure this works on windows too, tested on linux) withcrits.cleaned.jsbeing the file produced in step 2 andcrits.jsis the name of the new file.The (almost) deobfuscated script should look like this file or this image:
Feel free to remove everything before the line
var scriptName = 'BetterCriticals'as that is the beginning of most normal script and everything before it have no use from now.
Step 5: last
synchronyRepeat step 2 on the file produced by step 4. You should get something similar to this:
Step 6: Rename variables
You read the entire thing and have a working brain, I believe you can do this yourself.
Questions u may have:
- I need more example: check out my other post in which I deobfuscated? using the same technique.
- Bad english: yes ik english is not my first language.
- Setup: images taken from Code OSS with Atom One Dark color scheme, running on Artix Linux.
Questions I have:
- What's the name (and creator) of this obfuscator?
@segv-segv said in [TUTORIAL] How to deobfuscate (most) scripts on this forum:
Questions I have:
What's the name (and creator) of this obfuscator?
People most likely use
https://github.com/CCBlueX/LiquidScript/tree/master/obfuscatorwhich uses
https://github.com/javascript-obfuscator/javascript-obfuscator
or the online website
https://obfuscator.io/ -
@Aftery XD
can you try deobfuscating it?
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login