feat: repeated deobfuscation

j4k0xb · Sep 24, 2024 · 404a331 · 404a331
1 parent 646b724
commit 404a331
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 33 deletions.
diff --git a/packages/webcrack/src/deobfuscate/index.ts b/packages/webcrack/src/deobfuscate/index.ts
@@ -1,3 +1,4 @@
+import type * as t from '@babel/types';
 import debug from 'debug';
 import type { AsyncTransform } from '../ast-utils';
 import {
@@ -30,46 +31,52 @@ export default {
     if (!sandbox) return;
 
     const logger = debug('webcrack:deobfuscate');
-    const stringArray = findStringArray(ast);
-    logger(
-      stringArray
-        ? `String Array: ${stringArray.length} strings`
-        : 'String Array: no',
-    );
-    if (!stringArray) return;
+    const visitedStringArrays = new Set<t.Node>();
 
-    const rotator = findArrayRotator(stringArray);
-    logger(`String Array Rotate: ${rotator ? 'yes' : 'no'}`);
+    while (true) {
+      const stringArray = findStringArray(ast);
+      logger(
+        stringArray
+          ? `String Array: ${stringArray.length} strings`
+          : 'String Array: no',
+      );
+      if (!stringArray) break;
+      if (visitedStringArrays.has(stringArray.path.node)) break;
+      visitedStringArrays.add(stringArray.path.node);
 
-    const decoders = findDecoders(stringArray);
-    logger(`String Array Encodings: ${decoders.length}`);
+      const rotator = findArrayRotator(stringArray);
+      logger(`String Array Rotate: ${rotator ? 'yes' : 'no'}`);
 
-    state.changes += applyTransform(ast, inlineObjectProps).changes;
+      const decoders = findDecoders(stringArray);
+      logger(`String Array Encodings: ${decoders.length}`);
 
-    for (const decoder of decoders) {
-      state.changes += applyTransform(
-        ast,
-        inlineDecoderWrappers,
-        decoder.path,
+      state.changes += applyTransform(ast, inlineObjectProps).changes;
+
+      for (const decoder of decoders) {
+        state.changes += applyTransform(
+          ast,
+          inlineDecoderWrappers,
+          decoder.path,
+        ).changes;
+      }
+
+      const vm = new VMDecoder(sandbox, stringArray, decoders, rotator);
+      state.changes += (
+        await applyTransformAsync(ast, inlineDecodedStrings, { vm })
       ).changes;
-    }
 
-    const vm = new VMDecoder(sandbox, stringArray, decoders, rotator);
-    state.changes += (
-      await applyTransformAsync(ast, inlineDecodedStrings, { vm })
-    ).changes;
+      if (decoders.length > 0) {
+        stringArray.path.remove();
+        rotator?.remove();
+        decoders.forEach((decoder) => decoder.path.remove());
+        state.changes += 2 + decoders.length;
+      }
 
-    if (decoders.length > 0) {
-      stringArray.path.remove();
-      rotator?.remove();
-      decoders.forEach((decoder) => decoder.path.remove());
-      state.changes += 2 + decoders.length;
+      state.changes += applyTransforms(
+        ast,
+        [mergeStrings, deadCode, controlFlowObject, controlFlowSwitch],
+        { noScope: true },
+      ).changes;
     }
-
-    state.changes += applyTransforms(
-      ast,
-      [mergeStrings, deadCode, controlFlowObject, controlFlowSwitch],
-      { noScope: true },
-    ).changes;
   },
 } satisfies AsyncTransform<Sandbox>;
diff --git a/packages/webcrack/src/deobfuscate/test/samples/obfuscator.io-multiple-passes.js b/packages/webcrack/src/deobfuscate/test/samples/obfuscator.io-multiple-passes.js
diff --git a/packages/webcrack/src/deobfuscate/test/samples/obfuscator.io-multiple-passes.js.snap b/packages/webcrack/src/deobfuscate/test/samples/obfuscator.io-multiple-passes.js.snap
@@ -0,0 +1,4 @@
+function hi() {
+  console.log("Hello World!");
+}
+hi();