halis duraki/
- 0xduraki
Usually, JavaScript files are minified before being deployed to production, and the minified scripts are then served to the end user.
obfuscation-detector detects different types of JS obfuscation by their AST structure.
$ npm install obfuscation-detector
$ vim detect.js
# const fs = require('fs');
# const detectObfuscation = require('obfuscation-detector');
#
# const code = fs.readFileSync('obfuscated.js', 'utf-8');
# // const all_matching_obfuscation_types = detectObfuscation(code, false);
# const most_likely_obfuscation_type = detectObfuscation(code);
# console.log(`Obfuscation type is probably ${most_likely_obfuscation_type}`);
synchrony is a javascript-obfuscator cleaner & deobfuscator.
$ npm install --global deobfuscator
$ synchrony deobfuscate ./FILE.js # Deobfuscate FILE
$ cat ./FILE.cleaned.js # Dump cleaned/deobfuscated FILE
Restringer deobfuscates JavaScript files and reconstructs their strings. It simplifies cumbersome logic where possible, while adhering to scope limitations. You can use the online version, or, if you have multiple files to deobfuscate, use it locally:
$ npm install --global restringer
$ restringer
# Usage: restringer input_filename [-h] [-c] [-q | -v] [-m M] [-o [output_filename]]
#
# positional arguments:
# input_filename The obfuscated JS file
#
# optional arguments:
# -h, --help Show this help message and exit.
# -c, --clean Remove dead nodes from script after deobfuscation is complete (unsafe).
# -q, --quiet Suppress output to stdout. Output result only to stdout if the -o option is not set.
# Does not go with the -v option.
# -m, --max-iterations M Run at most M iterations
# -v, --verbose Show more debug messages while deobfuscating. Does not go with the -q option.
# -o, --output [output_filename] Write deobfuscated script to output_filename.
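What "reconstructing strings" means in practice, as an added example that is not Restringer's or synchrony's code: a dependency-free sketch that inlines constant-index reads from a string array back into the script. The sample input and the `inlineStringArray` name are constructed for illustration, and it works on text with regular expressions rather than on the AST as the real tools do.

```javascript
// Added example (constructed): inline constant-index reads from a string array.
// Text/regex sketch of one pattern only; the real tools transform the AST.
const STR = /'[^'\\\n]*'|"[^"\\\n]*"/g; // simple literals, no escape sequences
const DECL = /\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*\[\s*((?:'[^'\\\n]*'|"[^"\\\n]*")(?:\s*,\s*(?:'[^'\\\n]*'|"[^"\\\n]*"))*)\s*\]\s*;?\s*/;

function inlineStringArray(source) {
  const unchanged = { code: source, replaced: 0 };
  const decl = DECL.exec(source);
  if (!decl) return unchanged;
  const [whole, name, body] = decl;
  // DECL rejects escapes, so stripping the quotes yields the exact string value.
  const table = body.match(STR).map((lit) => lit.slice(1, -1));
  const rest = source.slice(0, decl.index) + source.slice(decl.index + whole.length);

  const id = name.split('$').join('\\$'); // "$" is the only regex-special identifier char
  const anyUse = new RegExp(`(?<![\\w$.])${id}(?![\\w$])`, 'g');
  // name[<decimal or hex index>] that is not the target of a plain assignment
  const read = new RegExp(`(?<![\\w$.])${id}\\[\\s*(0x[0-9a-fA-F]+|\\d+)\\s*\\](?!\\s*=[^=])`, 'g');

  const uses = (rest.match(anyUse) || []).length;
  const reads = [...rest.matchAll(read)];
  // Stay conservative: if the table is passed around, mutated, indexed with a
  // computed value or read out of range, leave the script untouched.
  const safe = reads.length > 0 && uses === reads.length &&
    reads.every((m) => Number(m[1]) < table.length);
  if (!safe) return unchanged;

  const code = rest.replace(read, (_, idx) => JSON.stringify(table[Number(idx)]));
  return { code, replaced: reads.length };
}

// Constructed sample in the style of string-array obfuscation.
const SAMPLE = [
  "var _0x4f2a = ['log', 'getElementById', 'status', 'ready'];",
  "document[_0x4f2a[0x1]](_0x4f2a[2]).textContent = _0x4f2a[0x3];",
  "console[_0x4f2a[0]](_0x4f2a[3]);",
].join('\n');

console.log(inlineStringArray(SAMPLE).code);
```

Scripts that rotate the array or read it through a decoder function fall outside this pattern and are returned unchanged.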