The function's code is created by substituting values that were constructed earlier in the JavaScript. Since this code is currently a string of concatenations, we can bring the string together to be a bit more readable. The code still isn't entirely clear, but it is much better than before. A number of characters in the obfuscated code above are in the format backslash followed by a number.
In JavaScript, this is the format used to represent a character by its octal base 8 value. This leaves us with the unobfuscated code that is executed within the anonymous function. The obfuscation makes use of non-standard and repetitive variable names, and strings constructed in odd methods to fool analysts into thinking that it is much harder to deobfuscate than it actually is. However, by moving slowly and taking the code one line at a time, we can remove the obfuscation to get at the actual code beneath.
While there are automatic decoders for JJEncode available, the next obfuscation technique you come across might not have a decoder.
Tools help, but they only get so far and won't work all the time so being able to perform deobfuscation manually is a skill worth having. Excellent article. After reading this, i got the confidence of decoding the greek JS to understandable one :. Funny but it only works with some small files it seems. The emails contain a link to a web page that loads two obfuscated JavaScript pages - each of which look like this: If there ever was obfuscated JavaScript that made you want to crawl under your desk and cry, this is it.
The Obfuscated Code This JavaScript hurts to look at - mostly due to the lack of line breaks and the obfuscated variable names. As we shall see during the analysis, JJEncode is essentially a substitution encoding that goes through three phases: Initialization, where characters and values are assigned to variables. Substitution, where the variables are used to construct code. Execution, where the constructed code is executed.
As each line is analyzed, we will see these phases and construct the deobfuscated code. Iterations for the explanation above are shown below to better illustrate the process. Line 3 The next three lines construct more variables used for substition. Fourth is! This obtains the 4th letter of the string created by!
Performing a boolean NOT the '! The fourth letter is "s". The 7th letter is "t". The value assigned is the 2nd letter of! In JavaScript, an empty string is considered another representation of false, so a logical NOT of false is the value true. The operaton! These values are "t", "o", and "r", respectively. Line 4 Lines 4 and 5 construct two strings in a similar fashion. Keywords none. Install npm i grunt-jjencode Repository Git github.
Homepage github. Downloads Weekly Downloads 7. Version 0. License none. Last publish 8 years ago. Try on RunKit. Report malware. Active Oldest Votes. Improve this answer. George Stocker Marijn 9, 5 5 gold badges 53 53 silver badges 75 75 bronze badges.
Holger Ohmacht Holger Ohmacht 11 1 1 bronze badge. Sign up or log in Sign up using Google. Sign up using Facebook. Sign up using Email and Password. Post as a guest Name. Email Required, but never shown. The Overflow Blog. Podcast Explaining the semiconductor shortage, and how it might end. Does ES6 make JavaScript frameworks obsolete?
0コメント