|
Título: javascript deobfuscation Publicado por: Progmasterbr en 4 Mayo 2016, 23:36 pm Hello friends,
I have a javascript code and this .js is crypted with a a very strange algorithm. Then I want any help for try decrypt this script, he contains some functions that I'm needing for implement in a another project. I had discovered that site used for ofuscate was https://javascriptobfuscator.com/javascript-Obfuscator.aspx (https://javascriptobfuscator.com/javascript-Obfuscator.aspx) Any help will welcome. Here is original code: http://pastebin.com/KRQWffhr (http://pastebin.com/KRQWffhr) obfuscated and I had used this site http://javascriptbeautifier.com/ (http://javascriptbeautifier.com/) and he made half of deobfuscation and this is final result: http://pastebin.com/Laipv8ND (http://pastebin.com/Laipv8ND) Título: Re: javascript deobfuscation Publicado por: Eleкtro en 5 Mayo 2016, 16:29 pm Here is original code: http://pastebin.com/KRQWffhr (http://pastebin.com/KRQWffhr) obfuscated and I had used this site http://javascriptbeautifier.com/ (http://javascriptbeautifier.com/) and he made half of deobfuscation and this is final result: http://pastebin.com/Laipv8ND (http://pastebin.com/Laipv8ND) Hi What more you are expecting to acchieve from the resulting deobfuscated code that you have?. Take into account that the variable names recovery is not possible since they are lost after obfuscation, that's it, things starting with "_0x" are the new variable names that the obfuscation algorithm assigns to each found var, the original variable names are replaced with new hexadecimal values like that, but they are just that, hex values, they aren't encoded values that contain the old variable name, so you can't rollback something that doesn't exists anymore, in resume, the resulting code that you have should work as expected with those names. So basically seems that you have totally deobfuscated the code up to the max that it can be done without having the original code. For variable names as I said it's impossible (the methodology to rollback a replacement is doing another replacement knowing the old data), so what you can do at this point is pick up your favorite text editor and perform a word replacement of all "_0xb257" for whichever friendlly variable name being more readable than the hexadecimal one. For interest I will explain you that things starting with "\x" are just a escape secuence of characters that are very easy to decode. The rest part after the "\x" is a hex value that you can convert it to decimal then retrieve the corresponding char from ASCII table; so for example if we have "\x4D", then we remove/ignore the "\x" (because is just trash information), so we have the "4D" that translated into decimal it is "77", which corresponds to the "M" character. So for example this value can be translated as "Message : " string. Código: "\x4D\x65\x73\x73\x61\x67\x65\x20\x3A\x20" Regards. |