Unsolved [TUTORIAL] How to deobfuscate (most) scripts on this forum
-
Requirement:
- js knowledge
- knowing how to use the terminal (install + run programs)
- a code editor
- a brain
Step 1: Obtain the obfuscated script:
In this example, I'll use BetterCriticals.
Before deobfuscation:
Step 2: Basic deobfuscator and formatter
- install
nodejs(only once) - install
synchrony - create a
configfile with the following content:
rename: true loose: true sourceType: "script"- put the obfuscated script and the above
configfile in the same directory, opencmd.exe/terminal and runsynchrony -c config [NAME]where name is the file name of the obfuscated script.
Now the script should look like this:
Step 3: use brain
Quick reminder:
var flyModule = moduleManager.getModule('Fly')can be obfuscated into
var flyModule = moduleManager['getModule']('Fly')and then those strings can be hidden inside a table and used via a decode function (a function that takes an index into the strings table and return the deobfuscated string).
Use your brain now: what's the decode function in this script:
If you can't see that the decode function is
axolotl_b, stop reading this, else proceed to step 4.Step 4: transformer
Wouldn't it be nice if we can write a program that convert
into
by replacing each call of
axototl_bwith the result of that call?4.1: transformer base
The variable
axototl_acontains the encrypted string table for this script so copy that into a new file calledtransformer.js
4.2: remove anti debugger and anti formatter:
Take a look at the decode function:
Again, if you can't see the part that prevents debugging and formatting, quit reading. For everyone else it's this part:
WCaJFGonly succeeds iftPYtSPis a obfuscated function (in this case, have no newline which our deobfuscated one does). So uhm, remove it I guess.fShere is also another anti debug function:
So by now, you should know what to copy and what to not copy to your
transformer.js. Mine look like this.4.3: processing input
First, read read from stdin line by line and
String.replace(), particularly the part that cover Specifying a function as the replacement.
Now add this to yourtransformer.js:function replacer(match, p1, offset, string) { return "'" + axolotl_b(p1) + "'"; } function processLine(line) { line = line.replaceAll( /axolotl_b\('([0-9A-Fa-fxX]+)'\)/g, replacer ); console.log(line) // print modified } process.stdin.pipe(require('split')()).on('data', processLine) // for each line, run ProcessLineNow your
transformer.jsshould look like this. Before running your transformer, runnpm install splitfirst.Now, run
node transformer.js < crits.cleaned.js > crits.js(pretty sure this works on windows too, tested on linux) withcrits.cleaned.jsbeing the file produced in step 2 andcrits.jsis the name of the new file.The (almost) deobfuscated script should look like this file or this image:
Feel free to remove everything before the line
var scriptName = 'BetterCriticals'as that is the beginning of most normal script and everything before it have no use from now.
Step 5: last
synchronyRepeat step 2 on the file produced by step 4. You should get something similar to this:
Step 6: Rename variables
You read the entire thing and have a working brain, I believe you can do this yourself.
Questions u may have:
- I need more example: check out my other post in which I deobfuscated? using the same technique.
- Bad english: yes ik english is not my first language.
- Setup: images taken from Code OSS with Atom One Dark color scheme, running on Artix Linux.
Questions I have:
- What's the name (and creator) of this obfuscator?
-
Wildwest
-
can you do the 20mb script in the other thread though?
-
@segv-segv said in [TUTORIAL] How to deobfuscate (most) scripts on this forum:
Questions I have:
What's the name (and creator) of this obfuscator?
People most likely use
https://github.com/CCBlueX/LiquidScript/tree/master/obfuscatorwhich uses
https://github.com/javascript-obfuscator/javascript-obfuscator
or the online website
https://obfuscator.io/ -
@Aftery XD
can you try deobfuscating it?
