admin管理员组

文章数量:1025244

Now simple hex deob is simple, I am curious if there is a tool to rename usages of variables. For example:

Is there a tool that will take the variable names from the array, and rename usages within the body of the code?

Now simple hex deob is simple, I am curious if there is a tool to rename usages of variables. For example:

http://pastebin./8m6bvaiu

Is there a tool that will take the variable names from the array, and rename usages within the body of the code?

  • javascript
  • deobfuscation
Share Improve this question asked Jun 22, 2016 at 19:12 stoXestoXe 3136 silver badges13 bronze badges 7
  • $('#abrpm').html($('.de1').html().replace(/\\x(..)/g,function(a,b){return '&#x'+b+';'})) – Dimava Commented Jun 22, 2016 at 19:26
  • While that's great for deobbing the variable names, but it does not solve the problem of renaming the usages. such as _x3853[12] (random); – stoXe Commented Jun 22, 2016 at 19:34
  • $('#abrpm').html($('.de1').html().replace(/\\x(..)/g,function(a,b){return '&#x'+b+';'}).replace(/\\u(....)/g,function(a,b){return '&#x'+b+';'}).replace(/_0x(....)/g,function(a,b){return '&#x'+b+';'})) – Dimava Commented Jun 22, 2016 at 19:39
  • renaming the usages is a bit harder – Dimava Commented Jun 22, 2016 at 19:40
  • $('#abrpm').html(h=$('.de1').html().replace(/\\x(..)/g,function(a,b){return '&#x'+b+';'}).replace(/\\u(....)/g,function(a,b){return '&#x'+b+';'}).replace(/_0x(....)/g,function(a,b){return '&#x'+b+';'}).replace(/'/g,"\\'").replace(/\["/g,"['").replace(/"\]/g,"']").replace(/","/g,"','")); eval($('#abrpm').text().replace(/\n/g,'').split('$')[0]) – Dimava Commented Jun 22, 2016 at 19:52
 |  Show 2 more ments

3 Answers 3

Reset to default 3

Using this website, most of the code can be formatted and bee readable: http://jsbeautifier/

However that leaves an enormous array at the top that contains most of the variables/strings used in the code. To insert its contents throughout the code, you can use the following JavaScript that will search and replace each instance:

for (var i=0; i<keywords.length; i++) {
    if (keywords[i].match(/^[a-zA-Z][a-zA-Z0-9_]*$/)) { // Could be a standalone variable
       // Replace any instances the string is used in an array accessor ['x'] with a dot .x
       code = code.replace(new RegExp('\\['+arrayName+'\\['+i+'\\]\\]','g'),'.'+keywords[i]);
    }
    // Insert as strings throughout code, escaping anything necessary
    code = code.replace(new RegExp(arrayName+'\\['+i+'\\]','g'),'\''+
       keywords[i].replace(/\\/g,'\\\\').replace(/\r/g,'\\r').replace(/\n/g,'\\n').replace(/'/g,'\\\'')+
    '\'');
} console.log(code);

Be sure to create three variables for that code, arrayName (a string of '_0x67a5'), keywords (the array), and code (the code after the array). In order to accurately contain the code in a string, I remend using Notepad++ to replace all backslashes, quotes, and newlines (find with extended/regex: \r\n, replace with: \\r\\n\\\r\n).

This leaves a few hex-named variables, but they're all local to specific functions and are much easier to follow. The result can be seen here: http://pastebin./kQjz2T0P

If you do python, deal with the big array at the top using:

import re
#first open the file and read into the variable 'text'
result = re.sub(r"\\x([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

Yes. String.replace(regex,function(found,selected)) method. 

h0=$('.de1').text();
h1=h0.split('$')[0].split('=')[1];
h2=h0.slice(h1.length+12);
eval('ar='+h1);
h3=h2.replace(/_0x67a5\[(\d*)\]/g,function(a,b){return '"'+ar[parseInt(b)]+'"'});
h4=h3.replace(/;(?!=['"])/g,';<br>').replace(/\\x(..)/g,function(a,b){return '&#x'+b+';'}).replace(/\\u(....)/g,function(a,b){return '&#x'+b+';'}).replace(/_0x(....)/g,function(a,b){return '&#x'+b+';'})
$('#abrpm').html(h4);

Now simple hex deob is simple, I am curious if there is a tool to rename usages of variables. For example:

Is there a tool that will take the variable names from the array, and rename usages within the body of the code?

Now simple hex deob is simple, I am curious if there is a tool to rename usages of variables. For example:

http://pastebin./8m6bvaiu

Is there a tool that will take the variable names from the array, and rename usages within the body of the code?

  • javascript
  • deobfuscation
Share Improve this question asked Jun 22, 2016 at 19:12 stoXestoXe 3136 silver badges13 bronze badges 7
  • $('#abrpm').html($('.de1').html().replace(/\\x(..)/g,function(a,b){return '&#x'+b+';'})) – Dimava Commented Jun 22, 2016 at 19:26
  • While that's great for deobbing the variable names, but it does not solve the problem of renaming the usages. such as _x3853[12] (random); – stoXe Commented Jun 22, 2016 at 19:34
  • $('#abrpm').html($('.de1').html().replace(/\\x(..)/g,function(a,b){return '&#x'+b+';'}).replace(/\\u(....)/g,function(a,b){return '&#x'+b+';'}).replace(/_0x(....)/g,function(a,b){return '&#x'+b+';'})) – Dimava Commented Jun 22, 2016 at 19:39
  • renaming the usages is a bit harder – Dimava Commented Jun 22, 2016 at 19:40
  • $('#abrpm').html(h=$('.de1').html().replace(/\\x(..)/g,function(a,b){return '&#x'+b+';'}).replace(/\\u(....)/g,function(a,b){return '&#x'+b+';'}).replace(/_0x(....)/g,function(a,b){return '&#x'+b+';'}).replace(/'/g,"\\'").replace(/\["/g,"['").replace(/"\]/g,"']").replace(/","/g,"','")); eval($('#abrpm').text().replace(/\n/g,'').split('$')[0]) – Dimava Commented Jun 22, 2016 at 19:52
 |  Show 2 more ments

3 Answers 3

Reset to default 3

Using this website, most of the code can be formatted and bee readable: http://jsbeautifier/

However that leaves an enormous array at the top that contains most of the variables/strings used in the code. To insert its contents throughout the code, you can use the following JavaScript that will search and replace each instance:

for (var i=0; i<keywords.length; i++) {
    if (keywords[i].match(/^[a-zA-Z][a-zA-Z0-9_]*$/)) { // Could be a standalone variable
       // Replace any instances the string is used in an array accessor ['x'] with a dot .x
       code = code.replace(new RegExp('\\['+arrayName+'\\['+i+'\\]\\]','g'),'.'+keywords[i]);
    }
    // Insert as strings throughout code, escaping anything necessary
    code = code.replace(new RegExp(arrayName+'\\['+i+'\\]','g'),'\''+
       keywords[i].replace(/\\/g,'\\\\').replace(/\r/g,'\\r').replace(/\n/g,'\\n').replace(/'/g,'\\\'')+
    '\'');
} console.log(code);

Be sure to create three variables for that code, arrayName (a string of '_0x67a5'), keywords (the array), and code (the code after the array). In order to accurately contain the code in a string, I remend using Notepad++ to replace all backslashes, quotes, and newlines (find with extended/regex: \r\n, replace with: \\r\\n\\\r\n).

This leaves a few hex-named variables, but they're all local to specific functions and are much easier to follow. The result can be seen here: http://pastebin./kQjz2T0P

If you do python, deal with the big array at the top using:

import re
#first open the file and read into the variable 'text'
result = re.sub(r"\\x([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

Yes. String.replace(regex,function(found,selected)) method. 

h0=$('.de1').text();
h1=h0.split('$')[0].split('=')[1];
h2=h0.slice(h1.length+12);
eval('ar='+h1);
h3=h2.replace(/_0x67a5\[(\d*)\]/g,function(a,b){return '"'+ar[parseInt(b)]+'"'});
h4=h3.replace(/;(?!=['"])/g,';<br>').replace(/\\x(..)/g,function(a,b){return '&#x'+b+';'}).replace(/\\u(....)/g,function(a,b){return '&#x'+b+';'}).replace(/_0x(....)/g,function(a,b){return '&#x'+b+';'})
$('#abrpm').html(h4);

本文标签: deobfuscationDeobfuscating Javascript Hex Encoded VariablesStack Overflow

版权声明:本文标题:deobfuscation - Deobfuscating Javascript Hex Encoded Variables - Stack Overflow 内容由热心网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://it.en369.cn/questions/1745620044a2159519.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。