mindedsecurity / jstillery
Advanced JavaScript Deobfuscation via Partial Evaluation
License: GNU General Public License v3.0
Try this one:
a = String.fromCharCode`41`;
b = a
Expected result:
a = ')';
b = ')';
Current result:
a = String.fromCharCode`41`;
b = String.fromCharCode`41`;
I'm creating a JavaScript module for DVWA and this is the high security level JS code:
https://github.com/digininja/DVWA/blob/javascript/vulnerabilities/javascript/source/high.js
I've just run it through JStillery and got a few errors including this repeated for 7, 8 and 9:
EXC [TypeError: Cannot read property '9' of undefined] TypeError: Cannot read property '9' of undefined
And this:
[RangeError: Maximum call stack size exceeded]
I'm running nodejs in Ubuntu 16.04 which seems to be quite an old version (v4.2.6) so it may be that that is causing the problems. I know it doesn't have the ** operator so had to fudge that a bit to get the script to run.
Love this project! Finally, a way to deobfuscate JSFuck
But not all my code gets cleaned up. E.g. test this one:
γ¦="" ,γ’= !γ¦+ γ¦,γ =!γ’ +γ¦, γ=γ¦
+{}, γ=γ’ [γ¦++ ],γ»= γ’[γ =γ¦] ,γ=
++γ +γ¦, γ=γ [γ+γ ],γ’[ γ+= γ[γ¦
]+(γ .γ+γ )[γ¦] +γ[γ ]+γ+ γ»+γ’ [γ]+
γ+γ +γ[ γ¦]+γ» ][γ] (γ[
γ¦]+ γ[γ ]+γ’ [γ]+
γ»+γ+ "(γ¦)"
)()
It will do an alert(1), too - but the resulting code can't be evaluated.
PS: Taken from http://aem1k.com/
var x = 0; for (var i = 0; i < 1; i++) x++
if (x) alert("a");
var x = 0;
for (var i = 0; i < 1; i++)
x++;
if (0)
alert('a');
Example code:
var x = { y: { foo:42} }
return x.y.foo;
It does replace the x but then fails due to the object having no name which makes it search in the global scope. Possibly also/instead when foo is a function (returning a const)
Hello.
Defining an array, then writing to it and using it causes an invalid result. Here is a minimal example showing the behavior:
Original:
====================
var a = ["hello"];
a[0] = "bye";
console.log(a[0]);
====================
____________________
Deobfuscated Code
var a = ['hello'];
'hello' = 'bye';
console.log('hello');
I'm interested in why the custom scope implementation was done and what exactly it does. There are other scope-resolving implementations (e.g. escope) which could be used instead. Why are they not?
example:
return e[n].call(o.exports, o, o.exports, t),
o.loaded = !0,
o.exports
What I want:
e[n].call(o.exports, o, o.exports, t);
o.loaded = !0;
return o.exports;
I found that function foo(){return 1;}.toString() is not transformed while ""+function foo(){return 1;} is.
However there is also a major problem in that not the original function including formatting is returned which breaks further code.
// original
Ye = ['p', 'r', 'o', 't', 'o', 't', 'y', 'p', 'e'].join('');
// deobfuscate
Ye = 'p,r,o,t,o,t,y,p,e';
// expect
Ye = 'prototype';
Great repo! And I have some suggestions to improve it!
One use case:
var a = Math.random();
var b = Math.random();
if (a = a + 0.2, b = b + 0.1, a > b) {
console.log('haha');
}
I want it to
var a = Math.random();
var b = Math.random();
a = a + 0.2;
b = b + 0.1;
if (a > b) {
console.log('haha');
}
Is it easy to do?
Just a snippet
'\x4d\x6f\x75\x73\x65\x4d\x6f\x76\x65\x6d\x65\x6e\x74': {
'\x66\x69\x65\x6c\x64\x73': {
'\x74\x69\x6d\x65': {
'\x74\x79\x70\x65': p7b,
'\x69\x64': +X0x.y1B
},
'\x78': {
'\x74\x79\x70\x65': I0x.w3y(+c0x.i0B),
'\x69\x64': X0x.I7B * I0x.f5l
},
'\x79': {
'\x74\x79\x70\x65': I0x.r3y(+c0x.i0B),
'\x69\x64': +c0x.b5B
},
'\x77\x78': {
'\x74\x79\x70\x65': I0x.w3y(+c0x.i0B),
'\x69\x64': I0x.x5l
},
'\x77\x79': {
'\x74\x79\x70\x65': I0x.w3y(c0x.i0B - I0x.J5l),
'\x69\x64': +G0x.f6B
}
}
},
It could be very useful to replace hex chars with their ASCII equivalent.
Be aware, if you try, to avoid replacing escaped ones!
So \x3a needs to be replaced, but \\x3a not!
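An added example, not part of the original issue or of JStillery's code: one way to do the substitution requested above, decoding \xHH escapes only inside quoted string literals and leaving an escaped backslash (\\x3a) untouched. The function name and the sample input are constructed for illustration, and it assumes the source has no comments, regex literals or template literals containing quote characters.

```javascript
// Decode \xHH escapes inside '...' and "..." literals of a JS source string.
// Assumption (not JStillery code): a character walk is enough for this
// sample; a real pass would rewrite Literal nodes of a parsed AST instead.
function decodeHexEscapes(source) {
  let out = '';
  let quote = null; // active string delimiter, or null outside a string
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (quote === null) {
      // Outside a string nothing is rewritten; only track where one starts.
      if (ch === '"' || ch === "'") quote = ch;
      out += ch;
      continue;
    }
    if (ch === '\\') {
      const next = source[i + 1];
      const hex = source.slice(i + 2, i + 4);
      if (next === 'x' && /^[0-9a-fA-F]{2}$/.test(hex)) {
        const code = parseInt(hex, 16);
        const decoded = String.fromCharCode(code);
        // Substitute only printable ASCII that cannot change the literal:
        // never the active quote character and never a backslash.
        const safe = code >= 0x20 && code <= 0x7e &&
          decoded !== quote && decoded !== '\\';
        out += safe ? decoded : source.slice(i, i + 4);
        i += 3;
      } else {
        // Any other escape, including an escaped backslash: copy both
        // characters so a following "x3a" is treated as plain text.
        out += ch + (next === undefined ? '' : next);
        i += 1;
      }
      continue;
    }
    if (ch === quote) quote = null;
    out += ch;
  }
  return out;
}

// Constructed sample, shaped like the snippet in the issue above.
const SAMPLE_ESCAPES =
  String.raw`'\x74\x69\x6d\x65': { '\x74\x79\x70\x65': p7b, '\x69\x64': +X0x.y1B }`;

console.log(decodeHexEscapes(SAMPLE_ESCAPES));
console.log(decodeHexEscapes(String.raw`'\x3a' versus '\\x3a'`));
```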
Hi, Stefano!
I see that the tool can now handle this correctly:
x = 'al'+(top+0)[4]+'r'+(top+0)[6];eval(x)(1);
However, the tool still fails to handle similar cases:
$ ./jstillery_cli.js obfuscated.js
Original:
====================
eval((typeof!this)[5]+(typeof!this)[3]+(typeof!this)[4]+'rt')(0);
====================
____________________
Deobfuscated Code
undefinedundefinedundefinedrt;(0);
The correct output should rather be alert(0);
I haven't taken a look at the code yet, but I hope it's something trivial to fix.
Thanks!
Input:
x = 1;
if (false) {
x--;
}
if (x == 0) {
alert(1);
}
Output:
x = 1;
if (false) {
1;
}
if (true) {
alert(1);
}
Converting a function to a string can give different results depending on which environment is running the code.
"" + console.log
gives
"function () { [native code] }"
in JStillery while in chrome it gives
"function log() { [native code] }"
and in firefox
"function log() {\n [native code]\n}"
"" + function() {/* Hello world */}
should also return
"function() {/* Hello world */}"
instead of
"function () {\n}"
like it does right now.
I think it would be great if options were added to JStillery where you could specify which environment should be emulated, where you could choose a browser for example.
Hi, I met some problems in translating the ternary operator.
offsetPoint.x > 0 && 0 === offsetPoint.y ? a = 0 : 0 === offsetPoint.x && offsetPoint.y < 0 ? a = 270 : offsetPoint.x < 0 && 0 === offsetPoint.y ? a = 180 : offsetPoint.x < 0 && offsetPoint.y < 0 ? a = 180 + r : offsetPoint.x < 0 && offsetPoint.y > 0 ? a = 180 - r : offsetPoint.x > 0 && offsetPoint.y > 0 ? a = r : offsetPoint.x > 0 && offsetPoint.y < 0 && (a = 360 - r)
What I want is
if (0 === offsetPoint.x && offsetPoint.y > 0) {
let a = 90;
} else {
if (offsetPoint.x > 0 && 0 === offsetPoint.y) {
a = 0;
} else {
if (0 === offsetPoint.x && offsetPoint.y < 0) {
a = 270;
} else {
if (offsetPoint.x < 0 && 0 === offsetPoint.y) {
a = 180;
} else {
if (offsetPoint.x < 0 && offsetPoint.y < 0) {
a = 180 + r;
} else {
if (offsetPoint.x < 0 && offsetPoint.y > 0) {
a = 180 - r
} else {
if (offsetPoint.x > 0 && offsetPoint.y > 0) {
a = r;
} else {
if (offsetPoint.x > 0 && offsetPoint.y < 0) {
a = 360 - r
}
}
}
}
}
}
}
}
or
if (0 === offsetPoint.x && offsetPoint.y > 0) {
let a = 90;
} else if (offsetPoint.x > 0 && 0 === offsetPoint.y) {
a = 0;
} else if (0 === offsetPoint.x && offsetPoint.y < 0) {
a = 270;
} else if (offsetPoint.x < 0 && 0 === offsetPoint.y) {
a = 180;
} else if (offsetPoint.x < 0 && offsetPoint.y < 0) {
a = 180 + r;
} else if (offsetPoint.x < 0 && offsetPoint.y > 0) {
a = 180 - r
} else if (offsetPoint.x > 0 && offsetPoint.y > 0) {
a = r;
} else if (offsetPoint.x > 0 && offsetPoint.y < 0) {
a = 360 - r
}
It may be hard to do this, but it is helpful for debundling JS. Thanks!
""+{toString:function(){ return "" }}
or ""+{valueOf:function(){ return "" }} should return "" but JStillery returns "[object Object]".
The following code should execute alert(/pass/) but due to this behavior an infinite loop happens on JStillery.
x = ""+{
toString: function() {
return "";
}
};
if (x) {
Function("while(1){};return;")();
} else {
alert(/pass/);
}
js error:deobfuscate is not defined
I don't know if opaque predicates are in bound, but in the REPL,
const a = !!(Math.random() < 2)
const b = !!(new Date().getYear())
const c = !!Date.now()
const d = !((+c/0) == (+c/0))
deobfuscates to
const a = !!(Math.random() < 2);
const b = !!new Date().getYear();
const c = !!Date.now();
const d = !(+!!Date.now() / 0 == +!!Date.now() / 0);
JSFuck'd x = 'a':
[].filter.constructor('x = ' + [].filter.constructor('return unescape')()('undefined27') + 'a' + [].filter.constructor('return unescape')()('undefined27'))();
undefined + 2;
NaN + 2;
Infinity + 2;
results in:
'undefined2';
'NaN2';
'Infinity2';
Expected result:
NaN;
NaN;
Infinity;
Also when Infinity is evaluated, it is printed as 1e+400:
1 / 0
1e+400;
Eval places an unnecessary semicolon leading to a syntax error:
([] + eval("5 + 5"))[0]
([] + 10;)[0];
Other unexpected behavior:
eval("5") + "test";
eval("") + "test";
'undefinedtest';
({
}); + 'test';
It would also be great if more complex forms of function construction were supported, like:
[].filter.constructor("return 5 + 5")();
Array.prototype.filter.constructor("return 5 + 5")();
Array.prototype.constructor.constructor("return 5 + 5")();
++[[]][0]
results in
++[]
which is invalid syntax.
When chained together
++[++[++[[]][0]][0]][0]
it results in
++++++[];
Expected result would be 1 and 3 respectively.
Hi there, can you add some test case other than this one?
echo 'a= String.fromCharCode(41);b=a'| ./jstillery_cli.js
Perhaps some malicious example downloaded from Virustotal etc.
It would help people understand the advantage of JStillery tool
JSFuck'd x = 5, deobfuscated result is
[].filter.constructor('x undefined 5')();
I don't know if it is my problem... because it worked for you... but I do face the problem.
I started it in PowerShell.
command:
echo 'a= String.fromCharCode(41);b=a'| node ./jstillery_cli.js
*command:
npm start
*command:
node ./jstillery_cli.js
node version: v6.11.2
npm version: 3.10.10
OS: windows 10 1709 x64
function h(a) {
e(a);
return H(a) ? (d.push(l), A(a, b, [!1, !1], d)) : a
}
function k() {
var a = {},
c;
for (c in x) a[c] = !0;
for (c in b) a[c] = !0;
return a
}
So many bad payloads hide in comments. When you try to deobfuscate and analyse, if there is a lot of payload in comments JStillery puts out errors or sometimes completely ignores them.
It would be nice to have an option to keep comments intact.
For example:
var malicious_payload = (function () {/*
Bad code can be here
Most of the time they hide in 1000 comments each containing a single character
They get extracted and run using custom methods
*/}).toString().match(/[^]*\/\*([^]*)\*\/\}$/)[1];
alert(malicious_payload);
I saw a clever one; he had this between code:
/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */
He used a custom method to create a URL from the jQuery comment and load another payload.
I was scratching my head for a long hour because I couldn't find what's happening.
To be fair it was hiding inside an asm which was getting converted to wasm and had 10 layers of crap and virtual dom all over the place.
Anyway it would be nice if you keep the comment in, or detect such behavior.
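An added example, not part of the original issue or of JStillery's code: a small triage pass that keeps every comment visible and flags the two patterns described above, a block comment inside a function that is immediately stringified with .toString(), and runs of single-character comments. The function names and the sample are constructed; regex literals are not parsed and template literals are skipped as plain strings.

```javascript
// Collect comments from JS source while skipping string literals.
// Limitation: an unescaped "/*" inside a regex character class would be
// misread as a comment; escaped ones (\/\*) are handled by the "\\" branch.
function scanComments(source) {
  const comments = [];
  let i = 0;
  while (i < source.length) {
    const ch = source[i];
    const next = source[i + 1];
    if (ch === '"' || ch === "'" || ch === '`') {
      // Skip to the matching delimiter, honouring backslash escapes.
      let j = i + 1;
      while (j < source.length && source[j] !== ch) {
        j += source[j] === '\\' ? 2 : 1;
      }
      i = j + 1;
    } else if (ch === '\\') {
      i += 2; // escaped character outside a string (e.g. inside a regex)
    } else if (ch === '/' && next === '*') {
      const close = source.indexOf('*/', i + 2);
      const stop = close === -1 ? source.length : close;
      const end = close === -1 ? source.length : close + 2;
      comments.push({ kind: 'block', text: source.slice(i + 2, stop), end });
      i = end;
    } else if (ch === '/' && next === '/') {
      const nl = source.indexOf('\n', i);
      const end = nl === -1 ? source.length : nl;
      comments.push({ kind: 'line', text: source.slice(i + 2, end), end });
      i = end;
    } else {
      i += 1;
    }
  }
  return comments;
}

// Summarise what an analyst should look at before comments are discarded.
function auditComments(source) {
  const comments = scanComments(source);
  const blocks = comments.filter((c) => c.kind === 'block');
  // Block comment closing a function body that is stringified right away:
  //   (function () {/* data */}).toString()
  const stringified = blocks
    .filter((c) => /^\s*\}\s*\)?\s*\.toString\s*\(/.test(source.slice(c.end)))
    .map((c) => c.text.trim());
  // Single-character comments, joined in source order.
  const singleCharRun = blocks
    .map((c) => c.text.trim())
    .filter((t) => t.length === 1)
    .join('');
  return { total: comments.length, stringified, singleCharRun };
}

// Constructed sample: the banner quoted in the issue, the stringified
// function pattern with a harmless marker, and two one-character comments.
const SAMPLE_COMMENTS = [
  '/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */',
  'var p = (function () {/*',
  'constructed-marker',
  '*/}).toString().match(/[^]*\\/\\*([^]*)\\*\\/\\}$/)[1];',
  'var a = 1; /*h*/ var b = 2; /*i*/ // trailing note',
].join('\n');

console.log(auditComments(SAMPLE_COMMENTS));
```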