UNPKG

restringer

Version:

Deobfuscate Javascript with emphasis on reconstructing strings

github.com/PerimeterX/Restringer

PerimeterX/restringer

93 lines (87 loc) 2.77 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
const operators = ['+', '-', '*', '/', '%', '&', '|', '&&', '||', '**', '^', '<=', '>=', '<', '>', '==', '===', '!=', '!==', '<<', '>>', '>>>', 'in', 'instanceof', '??']; const fixes = ['!', '~', '-', '+', 'typeof', 'void', 'delete', '--', '++']; // as in prefix and postfix operators /** * @param {ASTNode} n * @return {boolean} */ function matchBinaryOrLogical(n) { return ['LogicalExpression', 'BinaryExpression'].includes(n.type) && operators.includes(n.operator) && n.parentNode.type === 'ReturnStatement' && n.parentNode.parentNode?.body?.length === 1 && n.left?.declNode?.parentKey === 'params' && n.right?.declNode?.parentKey === 'params'; } /** * @param {ASTNode} c * @param {Arborist} arb */ function handleBinaryOrLogical(c, arb) { const refs = (c.scope.block?.id?.references || []).map(r => r.parentNode); for (const ref of refs) { if (ref.type === 'CallExpression' && ref.arguments.length === 2) arb.markNode(ref, { type: c.type, operator: c.operator, left: ref.arguments[0], right: ref.arguments[1], }); } } /** * @param {ASTNode} n * @return {boolean} */ function matchUnaryOrUpdate(n) { return ['UnaryExpression', 'UpdateExpression'].includes(n.type) && fixes.includes(n.operator) && n.parentNode.type === 'ReturnStatement' && n.parentNode.parentNode?.body?.length === 1 && n.argument?.declNode?.parentKey === 'params'; } /** * @param {ASTNode} c * @param {Arborist} arb */ function handleUnaryAndUpdate(c, arb) { const refs = (c.scope.block?.id?.references || []).map(r => r.parentNode); for (const ref of refs) { if (ref.type === 'CallExpression' && ref.arguments.length === 1) arb.markNode(ref, { type: c.type, operator: c.operator, prefix: c.prefix, argument: ref.arguments[0], }); } } /** * Replace calls to functions that wrap simple operations with the actual operations * @param {Arborist} arb * @param {Function} candidateFilter (optional) a filter to apply on the candidates list * @return {Arborist} */ function unwrapSimpleOperations(arb, candidateFilter = () => true) { const relevantNodes = [ ...(arb.ast[0].typeMap.BinaryExpression || []), ...(arb.ast[0].typeMap.LogicalExpression || []), ...(arb.ast[0].typeMap.UnaryExpression || []), ...(arb.ast[0].typeMap.UpdateExpression || []), ]; for (let i = 0; i < relevantNodes.length; i++) { const n = relevantNodes[i]; if ((matchBinaryOrLogical(n) || matchUnaryOrUpdate(n)) && candidateFilter(n)) { switch (n.type) { case 'BinaryExpression': case 'LogicalExpression': handleBinaryOrLogical(n, arb); break; case 'UnaryExpression': case 'UpdateExpression': handleUnaryAndUpdate(n, arb); break; } } } return arb; } export default unwrapSimpleOperations;