Refactor deobfuscate Method for Easier Customization and Module Replacement #88

Closed
lanvent opened this issue Sep 4, 2023 · 2 comments

@lanvent

lanvent commented Sep 4, 2023

Description:

Hello, I've been using your excellent JavaScript deobfuscation library for a day and found it to be extremely useful. While the `deobfuscate` method is comprehensive, it performs several steps like `determineObfuscationType` and `_loopSafeAndUnsafeDeobfuscationMethods`, which essentially determine which processors and modules to use. However, this design doesn't easily allow for the replacement or augmentation of specific modules.
For example, if I want to add a filter to `resolveLocalCalls`, I have to override the function and include a lot of boilerplate code, such as:

```javascript
restringer._unsafeDeobfuscationMethods = () => {
  return [
    // ... other modules
    (n) => resolveLocalCalls(n, n => !(n.callee?.name?.includes('rand') || n.callee?.name?.includes('Rand'))),
    // ... other modules
  ];
};
```

This makes it hard to replace or customize specific processors or deobfuscation methods.

Suggestion:

If the exported class could allow configuring all the methods used in the deobfuscate function during its construction, users could easily replace or extend specific modules or processors.

Example:
```javascript
class REstringer {
  constructor() {
    this.determineObfuscationType(); // determine default processors.
    this.unsafeDeobfuscationMethods = [/* default methods */];
    // ...
  }
}
// ...
// my code
const restringer = new REstringer(code);
// Locate the default module by reference and swap in a filtered version.
let index = restringer.unsafeDeobfuscationMethods.indexOf(resolveLocalCalls);
if (index !== -1) {
  restringer.unsafeDeobfuscationMethods.splice(index, 1, (n) => resolveLocalCalls(n, n => !(n.callee?.name?.includes('rand') || n.callee?.name?.includes('Rand'))));
}
// customize processors or modules needed
restringer.deobfuscate();
```

This way, we can maintain the benefits of the existing class architecture while enabling users to make minimal necessary modifications.

If you agree with this proposal but don't have the time to implement it, I'd be happy to contribute a PR. Thank you for considering this improvement.
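
The design proposed in the comment above, as an added example that is not part of the issue and is not REstringer's code: it is a toy model showing why the filter matters (a call whose result is non-deterministic must stay in the output) and how a module is swapped by reference. `ToyDeobfuscator`, `replaceModule`, `locals` and the sample nodes are hypothetical stand-ins; only the name `resolveLocalCalls`, the property name `unsafeDeobfuscationMethods` and the `rand` filter come from the issue.

```javascript
// Added illustration: a toy model, not REstringer's implementation or API.
const locals = new Map([            // constructed sample "local functions"
  ['decode', s => [...s].reverse().join('')],
  ['getRandomKey', () => Math.random()],
]);

// Toy module: replaces calls to known local functions with their result.
// candidateFilter decides which call nodes the module is allowed to evaluate.
function resolveLocalCalls(nodes, candidateFilter = () => true) {
  return nodes.map(n =>
    n.type === 'CallExpression' && locals.has(n.callee?.name) && candidateFilter(n)
      ? {type: 'Literal', value: locals.get(n.callee.name)(...n.arguments)}
      : n);
}

// Hypothetical class following the proposal: defaults are set in the
// constructor and stay editable until deobfuscate() runs.
class ToyDeobfuscator {
  constructor(nodes) {
    this.nodes = nodes;
    this.unsafeDeobfuscationMethods = [resolveLocalCalls];
  }
  deobfuscate() {
    return this.unsafeDeobfuscationMethods.reduce((ns, m) => m(ns), this.nodes);
  }
}

// Swap one module for a replacement, located by function reference.
// Throws instead of silently doing nothing when the target is not in the list.
function replaceModule(methods, target, replacement) {
  const index = methods.indexOf(target);
  if (index === -1) throw new Error(`${target.name} is not in the method list`);
  methods.splice(index, 1, replacement);
}

// The filter from the issue: leave calls whose callee name mentions "rand".
const skipRand = n =>
  !(n.callee?.name?.includes('rand') || n.callee?.name?.includes('Rand'));

function demo() {
  const d = new ToyDeobfuscator([     // constructed sample nodes
    {type: 'CallExpression', callee: {name: 'decode'}, arguments: ['olleh']},
    {type: 'CallExpression', callee: {name: 'getRandomKey'}, arguments: []},
  ]);
  replaceModule(d.unsafeDeobfuscationMethods, resolveLocalCalls,
    ns => resolveLocalCalls(ns, skipRand));
  return d.deobfuscate();
}
```

After the swap the list holds the wrapper, so a later `indexOf(resolveLocalCalls)` no longer finds the module; keep a reference to the wrapper if it has to be replaced again.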

@BenBaryoPX

#93 externalizes the deob methods as requested. There's a usage example in the README.md file.
I added a disable option for the obfuscation type detection, meaning the pre and post processors won't run if turned off.
I hope this solves this issue.

@lanvent

lanvent commented Sep 11, 2023

Thank you for your latest commit! It looks like it will fulfill my need. Great work!
