PerimeterX / restringer

A Javascript Deobfuscator


obfuscator.io/augmentedArray deobfuscates wrong strings

j4k0xb opened this issue · comments

I used the default settings and script from https://obfuscator.io:

// Reproduction sample: obfuscator.io output with default settings (as stated in the report).
// Structure of the single line below:
//   1. A start-up IIFE receives _0x3811 (the string-array getter) and the target value 0x5b2a2.
//      It repeatedly computes a parseInt-based checksum from decoder lookups and rotates the
//      array in place with push(shift()) until the checksum equals 0x5b2a2; a throw inside the
//      computation also triggers one rotation.
//   2. _0x3811 builds the string array once, then replaces itself with a getter that returns
//      that same array object, so the IIFE and the decoder share one array.
//   3. _0x24db is the decoder: it subtracts 0xee from its first argument and indexes the array.
//   4. hi() resolves the console method name through the decoder with index 0xf8.
// Because the rotation happens at run time, a static resolution of _0x24db(...) is only correct
// if it uses the array order after the rotation loop has finished, not the literal order in _0x3811.
(function(_0x21e099,_0x15c98c){var _0x3c4cc0=_0x24db,_0x405c10=_0x21e099();while(!![]){try{var _0x4e6cf6=parseInt(_0x3c4cc0(0xf3))/0x1*(-parseInt(_0x3c4cc0(0xf0))/0x2)+parseInt(_0x3c4cc0(0xf7))/0x3*(parseInt(_0x3c4cc0(0xef))/0x4)+-parseInt(_0x3c4cc0(0xf9))/0x5*(-parseInt(_0x3c4cc0(0xf5))/0x6)+-parseInt(_0x3c4cc0(0xf4))/0x7*(parseInt(_0x3c4cc0(0xf1))/0x8)+parseInt(_0x3c4cc0(0xf2))/0x9+parseInt(_0x3c4cc0(0xfa))/0xa+-parseInt(_0x3c4cc0(0xf6))/0xb*(parseInt(_0x3c4cc0(0xee))/0xc);if(_0x4e6cf6===_0x15c98c)break;else _0x405c10['push'](_0x405c10['shift']());}catch(_0x252b69){_0x405c10['push'](_0x405c10['shift']());}}}(_0x3811,0x5b2a2));function _0x3811(){var _0x44d691=['58336gdkeTG','21OMJjdy','2376lTAtyJ','5027FeXtQK','6zRYrIX','log','5045hlktXV','6976210UrdQDm','25428XSZdGp','162948oYJHvz','8qQEVqn','249544xlGotk','4410513MxqsxI'];_0x3811=function(){return _0x44d691;};return _0x3811();}function hi(){var _0x315583=_0x24db;console[_0x315583(0xf8)]('Hello\x20World!');}function _0x24db(_0x1c8605,_0x27f641){var _0x381140=_0x3811();return _0x24db=function(_0x24db9a,_0x1a6221){_0x24db9a=_0x24db9a-0xee;var _0x367c9e=_0x381140[_0x24db9a];return _0x367c9e;},_0x24db(_0x1c8605,_0x27f641);}hi();

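But the deobfuscated output resolves the wrong strings, e.g. ['8qQEVqn'] instead of ['log'].
This seems to be caused by inlining the unshuffled array into _0x24db (the inlined array should be the shuffled one: var _0x381140 = ['25428XSZdGp', '162948oYJHvz', ....). As a result the output is not equivalent to the input: console['8qQEVqn'] is not a function, and the shuffle loop's exit check has become NaN === 373410, which is never true.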

Logs
[+] Obfuscation type is augmented_proxied_array_function_replacements
[+] ==> Cycle 1 completed in 0.007 seconds with no changes (237 nodes)
	[+] rearrangeSequences committed 1 new changes!
		[+] Replacing	{var _0x381140=_0x3811();return _0x24db=function(_0x24db9a,_	--with--	{ var _0x381140 = _0x3811(); _0x24db = function (_0x24db
	[+] resolveProxyVariables committed 13 new changes!
		[+] Replacing	_0x3c4cc0                                                   	--with--	_0x24db
		[+] Replacing	_0x315583                                                   	--with--	_0x24db
	[+] resolveProxyReferences committed 1 new changes!
		[+] Replacing	_0x367c9e                                                   	--with--	_0x381140[_0x24db9a]
[+] ==> Cycle 2 completed in 0.028 seconds with 15 changes (239 nodes)
	[+] resolveProxyVariables committed 2 new changes!
		[+] Removing	_0x3c4cc0 = _0x24db
		[+] Removing	var _0x315583 = _0x24db;
[+] ==> Cycle 3 completed in 0.007 seconds with 17 changes (232 nodes)
[+] ==> Cycle 4 completed in 0 seconds with 17 changes (232 nodes)
	[+] resolveMinimalAlphabet committed 1 new changes!
		[+] Replacing	![]                                                         	--with--	false
	[+] resolveLocalCalls committed 15 new changes!
		[+] Replacing	_0x24db(243)                                                	--with--	'log'
		[+] Replacing	_0x24db(240)                                                	--with--	'2376lTAtyJ'
		[+] Replacing	_0x24db(247)                                                	--with--	'162948oYJHvz'
		[+] Replacing	_0x24db(239)                                                	--with--	'21OMJjdy'
		[+] Replacing	_0x24db(249)                                                	--with--	'249544xlGotk'
		[+] Replacing	_0x24db(245)                                                	--with--	'6976210UrdQDm'
		[+] Replacing	_0x24db(244)                                                	--with--	'5045hlktXV'
		[+] Replacing	_0x24db(241)                                                	--with--	'5027FeXtQK'
		[+] Replacing	_0x24db(242)                                                	--with--	'6zRYrIX'
		[+] Replacing	_0x24db(250)                                                	--with--	'4410513MxqsxI'
		[+] Replacing	_0x24db(246)                                                	--with--	'25428XSZdGp'
		[+] Replacing	_0x24db(238)                                                	--with--	'58336gdkeTG'
		[+] Replacing	_0x3811()                                                   	--with--	[ '58336gdkeTG', '21OMJjdy', '2376lTAtyJ', '5027FeXt
		[+] Replacing	_0x24db(248)                                                	--with--	'8qQEVqn'
[+] ==> Cycle 5 completed in 0.098 seconds with 16 changes (229 nodes)
[+] ==> Cycle 6 completed in 0 seconds with no changes (229 nodes)
	[+] resolveMinimalAlphabet committed 7 new changes!
		[+] Replacing	!false                                                      	--with--	true
		[+] Replacing	parseInt('log') / 1 * (-parseInt('2376lTAtyJ') / 2) + parseI	--with--	NaN
[+] ==> Cycle 7 completed in 0.045 seconds with 7 changes (153 nodes)
	[+] resolveProxyVariables committed 1 new changes!
		[+] Replacing	_0x4e6cf6                                                   	--with--	NaN
[+] ==> Cycle 8 completed in 0.003 seconds with 1 changes (153 nodes)
	[+] resolveProxyVariables committed 1 new changes!
		[+] Removing	var _0x4e6cf6 = NaN;
[+] ==> Cycle 9 completed in 0.003 seconds with 2 changes (149 nodes)
[+] ==> Cycle 10 completed in 0 seconds with 2 changes (149 nodes)
[+] ==> Cycle 11 completed in 0.003 seconds with no changes (149 nodes)
[+] ==> Cycle 12 completed in 0.001 seconds with no changes (149 nodes)
[+] ==> Cycle 13 completed in 0 seconds with no changes (149 nodes)
	[+] normalizeComputed committed 4 new changes!
		[+] Replacing	_0x405c10['push']                                           	--with--	_0x405c10.push
		[+] Replacing	_0x405c10['shift']                                          	--with--	_0x405c10.shift
[+] ==> Cycle 14 completed in 0.003 seconds with 4 changes (149 nodes)
[+] ==> Cycle 15 completed in 0 seconds with 4 changes (149 nodes)
[+] Saved tmp/test.js-deob.js
[!] Deobfuscation took 0.256 seconds.
Output:
// Deobfuscator output, kept verbatim as reported (this output is incorrect).
// This is the array-rotation IIFE from the sample. In the input it rotated the string
// array until a parseInt-based checksum matched the second argument.
// NOTE(review): the log shows the checksum expression being folded to NaN after the
// decoder calls were resolved against the unrotated array. `NaN === x` is false for
// every x, so as emitted this loop never reaches `break` and rotates forever.
(function (_0x21e099, _0x15c98c) {
  // Array returned by the getter passed in (_0x3811).
  var _0x405c10 = _0x21e099();
  while (true) {
    try {
      // Was: computed checksum === target. Now a constant comparison that is always false.
      if (NaN === _0x15c98c)
        break;
      else
        _0x405c10.push(_0x405c10.shift()); // rotate left by one element
    } catch (_0x252b69) {
      _0x405c10.push(_0x405c10.shift());
    }
  }
}(_0x3811, 373410)); // 373410 is 0x5b2a2 from the input, printed in decimal
// Deobfuscator output, kept verbatim as reported (this output is incorrect).
// String-array getter. In the input the first call ended with `return _0x3811();`,
// i.e. it returned the shared _0x44d691 array through the freshly installed getter.
// NOTE(review): here that call was replaced by an inline array literal, so the first
// call returns a separate copy in the literal (unrotated) order, while later calls
// return _0x44d691. The array object is no longer shared between all callers.
function _0x3811() {
  var _0x44d691 = [
    '58336gdkeTG',
    '21OMJjdy',
    '2376lTAtyJ',
    '5027FeXtQK',
    '6zRYrIX',
    'log',
    '5045hlktXV',
    '6976210UrdQDm',
    '25428XSZdGp',
    '162948oYJHvz',
    '8qQEVqn',
    '249544xlGotk',
    '4410513MxqsxI'
  ];
  // Self-replacement: subsequent calls return the array built above.
  _0x3811 = function () {
    return _0x44d691;
  };
  // Inlined copy of the array (was `return _0x3811();` in the input).
  return [
    '58336gdkeTG',
    '21OMJjdy',
    '2376lTAtyJ',
    '5027FeXtQK',
    '6zRYrIX',
    'log',
    '5045hlktXV',
    '6976210UrdQDm',
    '25428XSZdGp',
    '162948oYJHvz',
    '8qQEVqn',
    '249544xlGotk',
    '4410513MxqsxI'
  ];
}
// Deobfuscator output, kept verbatim as reported (this output is incorrect).
// The input called console[_0x24db(0xf8)], which the report says should resolve to 'log'.
// NOTE(review): index 0xf8 - 0xee = 10 was looked up in the unrotated array, giving
// '8qQEVqn'. console has no such method, so calling this function would throw a TypeError
// instead of printing the message.
function hi() {
  console['8qQEVqn']('Hello World!');
}
// Deobfuscator output, kept verbatim as reported (this output is incorrect).
// String decoder: maps a numeric key to an entry of the string array.
// NOTE(review): the array inlined below is in the literal order from _0x3811, i.e. before
// the start-up rotation. Per the report, the correct (rotated) array starts with
// '25428XSZdGp', '162948oYJHvz', ... so every lookup here is shifted.
function _0x24db(_0x1c8605, _0x27f641) {
  var _0x381140 = [
    '58336gdkeTG',
    '21OMJjdy',
    '2376lTAtyJ',
    '5027FeXtQK',
    '6zRYrIX',
    'log',
    '5045hlktXV',
    '6976210UrdQDm',
    '25428XSZdGp',
    '162948oYJHvz',
    '8qQEVqn',
    '249544xlGotk',
    '4410513MxqsxI'
  ];
  // Self-replacement: later calls go straight to the lookup function.
  _0x24db = function (_0x24db9a, _0x1a6221) {
    _0x24db9a = _0x24db9a - 238; // 238 is 0xee in the input: key offset to array index
    var _0x367c9e = _0x381140[_0x24db9a]; // left unused after proxy-reference resolution
    return _0x381140[_0x24db9a];
  };
  return _0x24db(_0x1c8605, _0x27f641);
}
// Top-level call to the sample's hi(), carried over unchanged from the input.
hi();

Found the issue :) Thanks for bringing this up!