UNPKG

restringer

Version:

Deobfuscate Javascript with emphasis on reconstructing strings

github.com/PerimeterX/Restringer

PerimeterX/restringer

65 lines (59 loc) 2.21 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
import {Sandbox} from './sandbox.js'; import {badValue} from '../config.js'; import {getObjType} from './getObjType.js'; import {generateHash} from './generateHash.js'; import {createNewNode} from './createNewNode.js'; // Types of objects which can't be resolved in the deobfuscation context. const badTypes = ['Promise']; const matchingObjectKeys = { [Object.keys(console).sort().join('')]: {type: 'Identifier', name: 'console'}, [Object.keys(console).sort().slice(1).join('')]: {type: 'Identifier', name: 'console'}, // Alternative console without the 'Console' object }; const trapStrings = [ // Rules for diffusing code traps. { trap: /while\s*\(\s*(true|1)\s*\)\s*\{\s*}/gi, replaceWith: 'while (0) {}', }, { trap: /debugger/gi, replaceWith: 'debugge_', }, { // TODO: Add as many permutations of this in an efficient manner trap: /["']debu["']\s*\+\s*["']gger["']/gi, replaceWith: `"debu" + "gge_"`, }, ]; let cache = {}; const maxCacheSize = 100; /** * Eval a string in an ~isolated~ environment * @param {string} stringToEval * @param {Sandbox} [sb] (optional) an existing sandbox loaded with context. * @return {ASTNode|string} A node based on the eval result if successful; badValue string otherwise. */ function evalInVm(stringToEval, sb) { const cacheName = `eval-${generateHash(stringToEval)}`; if (cache[cacheName] === undefined) { if (Object.keys(cache).length >= maxCacheSize) cache = {}; cache[cacheName] = badValue; try { // Break known trap strings for (let i = 0; i < trapStrings.length; i++) { const ts = trapStrings[i]; stringToEval = stringToEval.replace(ts.trap, ts.replaceWith); } let vm = sb || new Sandbox(); let res = vm.run(stringToEval); if (vm.isReference(res) && !badTypes.includes(getObjType(res))) { // noinspection JSUnresolvedVariable res = res.copySync(); // If the result is a builtin object / function, return a matching identifier const objKeys = Object.keys(res).sort().join(''); if (matchingObjectKeys[objKeys]) cache[cacheName] = matchingObjectKeys[objKeys]; else cache[cacheName] = createNewNode(res); } } catch {} } return cache[cacheName]; } export {evalInVm};