willnode / deobfuscator Goto Github PK

Online Javascript Deobfuscator Tool

Home Page: https://willnode.github.io/deobfuscator/

JavaScript 87.66% HTML 12.34%

deobfuscator javascript-deobfuscator eval

deobfuscator's Introduction

Javascript Deobfuscator

Need to edit an obfuscated Javascript? This repo is the way to de-obfuscate any kind of obfuscated Javascript, especially if it comes from automatic tools like https://obfuscator.io/.

Because obfuscation varies wildly in the internet, the process is not automatic. It won't give you one-click-and-it-done but instead it gives you a script editor with tools necessary to deobfucate any kind of javascript (provided you also familiar with how JS works of course).

Your work is automatically saved to SessionStorage so don't worry about accidental refresh or page navigation.

The Editor

This tool uses Monaco. The editor that powers VSCode. It itself can do Find + Replace, Undo + Redo, Syntax + Error highlighting, unused variables detection, and other neat stuff.

Formatting Tools

All formatting tools affects selected text, or all text in editor if none selected.

Format Document

Beautify javascript for all text in editor.

You should format your document first before doing other tasks so it reduces chance of your code become corrupt.

Simplify String `simplifyString()`

This reformats string '' and "". Example "\x75\x73\x65\x20\x73\x74\x72\x69\x63\x74" becomes "use strict".

Currently doesn't work with literal string. Also, it uses regex, so beware with complex string (e.g. '\'').

Simplify Number `simplifyNumber()`

This reformats hex number. Example 0xff becomes 255.

Simplify Object Access `simplifyAccess()`

This reformats object access. Example document["body"]["style"]["color"]="black"; becomes document.body.style.color="black";

Simplify Hex Name `simplifyHex()`

This renames all variables _0x[Hex code] to it's shorter name (a, b, c, etc.).

Beware that this method isn't 100% safe. It can't detect any variable name collision yet.

Evaluation Tools

This is a powerful tool to let you evaluate javascript code and reveal it's hidden content.

It's advised for you to open Browser Console (Ctrl+Shift+I, tab Console) for helpful information.

Push `evalPush()` and Pop `evalPop()`

Push selected text to "code stack", or pop it.

It means to be used with eval buttons (explained below). These buttons does nothing on it's own.

Pushing to code stack means if there's line A then you push B, then the current stack will be A\nB (A followed by B in next line).

Eval Selected `evalStr()`

Evaluate selected code along with current variables stack on. If it returns any valid JSON value (includes array and object) it will replaces the selected code.

A practical example is like this:

var foo = {'baz' => 'bar'};
var result = foo['baz'];

If you push the first line to stack and then evalStr the text foo['baz'], it will replaced as "bar".

Eval Auto `evalAuto()`

Harnessing the power of regex, this "intelligently" replaces any "captured" variable in the selected code, like if you do evalStr on each one of them. If it used correctly it will definitely saves you a lot of time.

The captured variables are based on the current stack. It will detect all var/const/let. If the evaluation returns string or number, it will be replaced.

Sync Vars `syncVar()`

Select a word variable and any derived variable names will be magically recusively replaced. Example select foo and then let bar = foo; let baz = bar; console.log(baz) will simply become console.log(foo). Combined with evalAuto both are destructive yet very time saving operation.

Hidden Evaluation Tools

These tools are experimental. Although it's useful in certain cases. To access it you need to call the function in browser console.

`evalBareStr`

Similar like evalStr, but without JSON.stringify. This is useful for extracting code out of eval string, for example.

`simplifyStringExp`

Similar like simplifyString, but also merges string concatenation (e.g. "foo" + "bar"). Because it's flexibility, it only detects double quote "" right now. Proceed with caution.

`simplifyNumberExp`

Similar like simplifyNumber, but also merges number operations (e.g. -1 + 2). Because it's flexibility, it only detect regular number. Proceed with caution.

`splitVar`

Split two or more concatenated const/let/var definitions in a selected single expression. It does not simply naively replace ,, it's aware about array/object presence. Because of that you can't just select multiple functions and expect it gots the effect too. Still kinda useful for readability.

Feel free to requests other operation ideas in Issue Tracker.

deobfuscator's People

Contributors

Stargazers

Watchers

Forkers

su-action 453483289 edisonlee55 joxers-dev lcsouzamenezes jeganad miguelramosfdz crackercat jbzhang99 zhouao phatdatpq z3db0y tehmasta timeslover1520 tdr-1000 npc2000 ethicalsecurity-agency manox0

deobfuscator's Issues

[feature request] eval specific function returns

for example the script has a string obfuscate function for access, defined like this:

var _0x131 = function(index, key){return obfs();}

then access becomes:

this[_0x131('0x2', '3W*K')](_0x131('0x3', '8uoO'))

there will be tons of _0x131 call, but currently I need to:

copy _0x131 definition to console and eval
select one full call, click eval
select next....

Simplify Hex Name add more characters

I think it is good idea if it replace _0xZZZ with readable names like namora/potato/mokaro/kalimu instead of short names a/b/ab/cb

here an idea to generate the names

function generateName() {
    let result = '';
    let chars = '';
    for (let i = 0; i < 6; i++) {
        chars = i % 2 == 0 ? 'bcdfghjklmnprstwy' : 'aiueo';
        result += chars.charAt(Math.floor(Math.random() * chars.length));
    }
    return result;
}
generateName();
// namora/potato/mokaro/kalimu

Do you need a tutorial?

I keep forgetting that I should write some tutorials here.

If you know which buttons to be pressed in order, you can deobfuscate any JS quickly.

npm build error

parcel build ./node_modules/monaco-editor/esm/vs/language/typescript/ts.worker.js --no-source-maps

× Build failed.
@parcel/optimizer-terser: Unexpected token: operator ()
24828 | /** @returns {number}/

24829 | /**//
| ^ Unexpected token: operator ()
24830 | /var x = function(name) { return name.length; }/
24831 | } else // Try to recognize this pattern when node is initializer of variable declaration and JSDoc comments ar
It's likely that Terser doesn't support this syntax yet.
[Error: Error opening directory]
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! deobfuscator@ build-worker: parcel build ./node_modules/monaco-editor/esm/vs/language/typescript/ts.worker.js --no-source-maps
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the deobfuscator@ build-worker script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\JINHYEOK\AppData\Roaming\npm-cache_logs\2021-01-22T21_58_21_024Z-debug.log
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! deobfuscator@ start: npm run build-worker && parcel serve src/index.html
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the deobfuscator@ start script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\JINHYEOK\AppData\Roaming\npm-cache_logs\2021-01-22T21_58_21_044Z-debug.log

npm install and npm start....

debug.log

0 info it worked if it ends with ok
1 verbose cli [
1 verbose cli 'C:\Program Files\nodejs\node.exe',
1 verbose cli 'C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js',
1 verbose cli 'run',
1 verbose cli 'build-worker'
1 verbose cli ]
2 info using [email protected]
3 info using [email protected]
4 verbose run-script [ 'prebuild-worker', 'build-worker', 'postbuild-worker' ]
5 info lifecycle deobfuscator@~prebuild-worker: deobfuscator@
6 info lifecycle deobfuscator@~build-worker: deobfuscator@
7 verbose lifecycle deobfuscator@~build-worker: unsafe-perm in lifecycle true
8 verbose lifecycle deobfuscator@~build-worker: PATH: C:\Users\JINHYEOK\AppData\Roaming\nvm\v14.10.0\node_modules\npm\node_modules\npm-lifecycle\node-gyp-bin;C:\Users\JINHYEOK\Documents\카카오톡 받은 파일\deobfuscator-master\node_modules.bin;C:\Users\JINHYEOK\AppData\Roaming\nvm\v14.10.0\node_modules\npm\node_modules\npm-lifecycle\node-gyp-bin;C:\Users\JINHYEOK\Documents\카카오톡 받은 파일\deobfuscator-master\node_modules.bin;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Python39\Scripts;C:\Python39;C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v10.0\bin;C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v10.0\libnvvp;C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v10.2\bin;C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v10.2\libnvvp;C:\Program Files\Python38\Scripts;C:\Program Files\Python38;C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v9.0\bin;C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v9.0\libnvvp;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Windows\System32\OpenSSH;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Program Files\NVIDIA Corporation\NVIDIA NvDLISR;C:\Program Files\Tesseract-OCR;C:\Program Files\Git\cmd;C:\Program Files\Git\mingw64\bin;C:\Program Files\Git\usr\bin;C:\Gradle\gradle-4.8.1\bin;C:\ProgramData\chocolatey\bin;C:\Users\JINHYEOK\AppData\Roaming\nvm;C:\Program Files\nodejs;C:\Program Files\Java\jre1.8.0_231\bin;;C:\Program Files (x86)\Universal Extractor;C:\Program Files (x86)\Universal Extractor\bin;C:\Users\JINHYEOK\anaconda3;C:\Users\JINHYEOK\anaconda3\Library\mingw-w64\bin;C:\Users\JINHYEOK\anaconda3\Library\usr\bin;C:\Users\JINHYEOK\anaconda3\Library\bin;C:\Users\JINHYEOK\anaconda3\Scripts;C:\Users\JINHYEOK\AppData\Local\Microsoft\WindowsApps;C:\Program Files\JetBrains\PyCharm Edu 2020.1.1\bin;;C:\Users\JINHYEOK\AppData\Local\GitHubDesktop\bin;C:\Program Files\Bandizip;C:\Users\JINHYEOK\AppData\Roaming\npm;C:\Users\JINHYEOK\AppData\Roaming\nvm;C:\Program Files\nodejs;C:\Users\JINHYEOK\AppData\Local\Programs\Microsoft VS Code\bin
9 verbose lifecycle deobfuscator@~build-worker: CWD: C:\Users\JINHYEOK\Documents\카카오톡 받은 파일\deobfuscator-master
10 silly lifecycle deobfuscator@~build-worker: Args: [
10 silly lifecycle '/d /s /c',
10 silly lifecycle 'parcel build ./node_modules/monaco-editor/esm/vs/language/typescript/ts.worker.js --no-source-maps'
10 silly lifecycle ]
11 silly lifecycle deobfuscator@~build-worker: Returned: code: 1 signal: null
12 info lifecycle deobfuscator@~build-worker: Failed to exec build-worker script
13 verbose stack Error: deobfuscator@ build-worker: parcel build ./node_modules/monaco-editor/esm/vs/language/typescript/ts.worker.js --no-source-maps
13 verbose stack Exit status 1
13 verbose stack at EventEmitter. (C:\Users\JINHYEOK\AppData\Roaming\nvm\v14.10.0\node_modules\npm\node_modules\npm-lifecycle\index.js:332:16)
13 verbose stack at EventEmitter.emit (events.js:314:20)
13 verbose stack at ChildProcess. (C:\Users\JINHYEOK\AppData\Roaming\nvm\v14.10.0\node_modules\npm\node_modules\npm-lifecycle\lib\spawn.js:55:14)
13 verbose stack at ChildProcess.emit (events.js:314:20)
13 verbose stack at maybeClose (internal/child_process.js:1047:16)
13 verbose stack at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)
14 verbose pkgid deobfuscator@
15 verbose cwd C:\Users\JINHYEOK\Documents\카카오톡 받은 파일\deobfuscator-master
16 verbose Windows_NT 10.0.19041
17 verbose argv "C:\Program Files\nodejs\node.exe" "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" "run" "build-worker"
18 verbose node v14.10.0
19 verbose npm v6.14.8
20 error code ELIFECYCLE
21 error errno 1
22 error deobfuscator@ build-worker: parcel build ./node_modules/monaco-editor/esm/vs/language/typescript/ts.worker.js --no-source-maps
22 error Exit status 1
23 error Failed at the deobfuscator@ build-worker script.
23 error This is probably not a problem with npm. There is likely additional logging output above.
24 verbose exit [ 1, true ]

Need to switch to Rollup or something

This project still uses the old parcel-bundler and we stuck can't update to the latest Monaco version.

Parcel 2 is too destructive I have tried it.

Suggest New UI Design

The current layout has 2 problems:

Doesn't look good on mobile
Requires you to open Inspector console

A minimalistic menu bar with a sidebar to open some related info (like current pop/push stack) would be cool, but I don't know how to do that easily.

Might be the job to use some (light) UI framework.

rename short identifiers

is it possible to correct short variable names? for example with JADX, it has this option:

 --deobf                             - activate deobfuscation

which will turn short variables such as a into a1234 or something, for easier searching

willnode / deobfuscator Goto Github PK

deobfuscator's Introduction

Javascript Deobfuscator

The Editor

Formatting Tools

Format Document

Simplify String simplifyString()

Simplify Number simplifyNumber()

Simplify Object Access simplifyAccess()

Simplify Hex Name simplifyHex()

Evaluation Tools

Push evalPush() and Pop evalPop()

Eval Selected evalStr()

Eval Auto evalAuto()

Sync Vars syncVar()