-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathdeob.go
129 lines (101 loc) · 2.62 KB
/
deob.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
package deobfuscator
import (
"github.com/ditashi/jsbeautifier-go/jsbeautifier"
"github.com/dop251/goja"
"log"
"regexp"
"strings"
"sync"
"time"
)
var Verbose bool
var VerboseTime time.Time
const tryPrefix = `try {`
const trySuffix = `;}catch(e){}`
var cleanObjectCalls = regexp.MustCompile(`\["[$\w_][\w\d_]+"]`)
func (v *Virtual) runInVm(str string) (goja.Value, error) {
v.lock.Lock()
defer v.lock.Unlock()
return v.vm.RunString(str)
}
func Deob(script []byte) []byte {
script = findAndReplaceScriptHashValue(script)
windowName := regexp.MustCompile(`(\w+)=window`).FindSubmatch(script)[1]
var err error
var v *Virtual
var scriptString string
scriptString, v, err = runMainFunction(string(script), true)
if err != nil {
log.Fatalf("Error: %s", err)
}
v.deobedScript = scriptString
if err = v.deob(false); err != nil {
log.Fatalf("Error: %s", err)
}
return []byte(CleanFinalScript(v.deobedScript, string(windowName), true))
}
func runMainFunction(script string, fast bool) (string, *Virtual, error) {
parsed, err := loadScript(script)
if err != nil {
return "", nil, err
}
var _, vm = CleanScriptAndRun([]byte(script))
if err != nil {
return "", nil, err
}
virtual := &Virtual{
vm: vm,
lock: &sync.Mutex{},
script: script,
program: parsed,
deobedScript: script,
deobScript: true,
}
virtual.evalString()
if !fast {
virtual.evalInt()
replaceOperations(&virtual.deobedScript)
}
return virtual.deobedScript, virtual, nil
}
func (v *Virtual) deob(fast bool) error {
var _, vm = CleanScriptAndRun([]byte(v.script))
v.vm = vm
v.deobString(fast)
return nil
}
func removeReturnStatement(script, identifier string, arguments []string, isCall bool) string {
var expression = identifier
if isCall {
expression += ".call"
}
expression += "("
for i, arg := range arguments {
if i > 0 {
expression += ","
}
expression += arg
}
expression += ")"
return strings.Replace(script, "return "+expression, expression, 1)
}
func RunInVm(script string) (*goja.Runtime, error) {
vm := goja.New()
_, err := vm.RunString(tryPrefix + script + trySuffix)
return vm, err
}
func CleanFinalScript(script string, windowName string, doBeautify bool) string {
script = cleanObjectCalls.ReplaceAllStringFunc(script, func(s string) string {
return "." + s[2:len(s)-2]
})
wn := regexp.MustCompile(`\b` + windowName + `\b\.`)
script = wn.ReplaceAllString(script, "")
if doBeautify {
script, _ = beautify(&script)
}
return script
}
func beautify(src *string) (string, error) {
options := jsbeautifier.DefaultOptions()
return jsbeautifier.Beautify(src, options)
}