Requirement:
- js knowledge
- knowing how to use the terminal (install + run programs)
- a code editor
- a brain
Step 1: Obtain the obfuscated script:
In this example, I'll use BetterCriticals.
Before deobfuscation:
Step 2: Basic deobfuscator and formatter
- install
nodejs
(only once) - install
synchrony
- create a
config
file with the following content:
rename: true
loose: true
sourceType: "script"
- put the obfuscated script and the above
config
file in the same directory, opencmd.exe
/terminal and runsynchrony -c config [NAME]
where name is the file name of the obfuscated script.
Now the script should look like this:
Step 3: use brain
Quick reminder:
var flyModule = moduleManager.getModule('Fly')
can be obfuscated into
var flyModule = moduleManager['getModule']('Fly')
and then those strings can be hidden inside a table and used via a decode function (a function that takes an index into the strings table and return the deobfuscated string).
Use your brain now: what's the decode function in this script:
If you can't see that the decode function is axolotl_b
, stop reading this, else proceed to step 4.
Step 4: transformer
Wouldn't it be nice if we can write a program that convert
into
by replacing each call of axototl_b
with the result of that call?
4.1: transformer base
The variable axototl_a
contains the encrypted string table for this script so copy that into a new file called transformer.js
4.2: remove anti debugger and anti formatter:
Take a look at the decode function:
Again, if you can't see the part that prevents debugging and formatting, quit reading. For everyone else it's this part:
WCaJFG
only succeeds if tPYtSP
is a obfuscated function (in this case, have no newline which our deobfuscated one does). So uhm, remove it I guess.
fS
here is also another anti debug function:
So by now, you should know what to copy and what to not copy to your transformer.js
. Mine look like this.
4.3: processing input
First, read read from stdin line by line and String.replace()
, particularly the part that cover Specifying a function as the replacement.
Now add this to your transformer.js
:
function replacer(match, p1, offset, string) {
return "'" + axolotl_b(p1) + "'";
}
function processLine(line) {
line = line.replaceAll(
/axolotl_b\('([0-9A-Fa-fxX]+)'\)/g,
replacer
);
console.log(line) // print modified
}
process.stdin.pipe(require('split')()).on('data', processLine) // for each line, run ProcessLine
Now your transformer.js
should look like this. Before running your transformer, run npm install split
first.
Now, run node transformer.js < crits.cleaned.js > crits.js
(pretty sure this works on windows too, tested on linux) with crits.cleaned.js
being the file produced in step 2 and crits.js
is the name of the new file.
The (almost) deobfuscated script should look like this file or this image:
Feel free to remove everything before the line
var scriptName = 'BetterCriticals'
as that is the beginning of most normal script and everything before it have no use from now.
Step 5: last synchrony
Repeat step 2 on the file produced by step 4. You should get something similar to this:
Step 6: Rename variables
You read the entire thing and have a working brain, I believe you can do this yourself.
Questions u may have:
- I need more example: check out my other post in which I deobfuscated? using the same technique.
- Bad english: yes ik english is not my first language.
- Setup: images taken from Code OSS with Atom One Dark color scheme, running on Artix Linux.
Questions I have:
- What's the name (and creator) of this obfuscator?