npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

deob-transformations

v1.1.0

Published

Some babel transformations for deobfuscating nasty javascript

Downloads

6

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

peeeetpeeeet

Keywords

babeldeobfuscatingbabeltransformationsreverse-engineering

Readme

Useful babel transformations for deobfuscating javascript

This library contains a number of useful babel transformations, that will make nasty javascript code a lot more readable.

It can be installed from npm

Example

const transformations = require("deob-transformations");

const code = `
function _aegh(){debugger;};const z = "l";const zz = "o"
const zzz = "g"
;;function _0x1uz(){;;debugger;};if (!![])  {
window["c"+zz+"ns"+zz+z+"e"][z+zz+zzz](z+zz+z);;
};;
`;

ast = transformations.code_to_ast(code);

transformations.delete_unused(ast);
transformations.replace_with_actual_val(ast);
transformations.constant_folding(ast);
transformations.deobfuscate_object_calls(ast);
transformations.deobfuscate_hidden_false(ast);
transformations.remove_useless_if(ast);
transformations.remove_empty_statements(ast);

deobbed = transformations.ast_to_code(ast);
console.log(transformations.beautify_code(deobbed));

This example transforms the nasty input javascript into a very readable window.console.log('lol').

Utilities

code_to_ast(string)

Parses the input code and returns an abstract syntax tree than can be used for the transformations

ast_to_code(ast)

Does the opposite as code_to_ast

beautify_code(string)

Beautifys code. Takes a string as the input argument, not an abstract syntax tree

Available transformations

remove_empty_statements(ast)

Removes empty statements, for example useless semicolons.

constant_folding(ast)

https://steakenthusiast.github.io/2022/05/28/Deobfuscating-Javascript-via-AST-Manipulation-Constant-Folding/#Examples

deobfuscate_jsfuck(ast)

https://steakenthusiast.github.io/2022/06/14/Deobfuscating-Javascript-via-AST-Deobfuscating-a-Peculiar-JSFuck-style-Case/

rename_function_arguments(ast)

Rename the arguments of a function to be more uniform and readable. Not always a good transformation to do.

// Before
fun = (rw, srdgb, a3r, s_sar) => {};

// After
fun = (arg_a, arg_b, arg_c, arg_d) => {};

rename_identifiers(ast)

Renames all identifiers in variable declarators. Also renames function names.

// Before

function O00O11(O00O11, O00O11I1I, O00O11II1, O0OO11I1I) {}
const O00O11II1 = () => {};
const O00O11I1I = "hello";
const O0OO11I1I = "world";

// After
function func_aaa(O00O11, O00O11I1I, O00O11II1, O0OO11I1I) {}
const var_aab = () => {};
const var_aac = "hello";
const var_aad = "world";

// Together with rename_function_arguments(ast)
function func_aaa(arg_aaa, arg_aab, arg_aac, arg_aad) {}
const var_aab = () => {};
const var_aac = "hello";
const var_aad = "world";

deobfuscate_hidden_false(ast)

// Before
const a = ![];
const b = !![];

// After
const a = false;
const b = true;

This is also being done by the deobfuscate_jsfuck transformation.

remove_useless_if(ast)

Removes useless if statements

// Before
if (true) {
    console.log("Hi!");
}

// After
console.log("Hi!");
// Before
if (false) {
    console.log("Hi!");
}
console.log("Hey");

// After
console.log("Hey"); // the if statement get's never exucted, so it get's removed

This transformation is often useful after other transformation, for example deobfuscate_hidden_false

replace_hex_encoded(ast)

Replaces hexadecimal strings and encoded strings with a readable value

// Before
const a = 0x01;
console.log("Hello\x20World");

// After
const a = 1;
console.log("Hello World");

remove_comma_statements(ast)

// Before
for (b = 2, c = 5, console.log("123"), a; true; c++) {}

// After
b = 2;
c = 5;
console.log("123");

for (a; true; c++) {}

replace_with_actual_val(ast)

https://steakenthusiast.github.io/2022/05/31/Deobfuscating-Javascript-via-AST-Replacing-References-to-Constant-Variables-with-Their-Actual-Value/

Replaces all references to constants with the constant value and removes the constants declaration. If there is no reference, the value gets lost. This does not include dictionaries or arrays.

// Before
const a = "1";
const b = "Hi!";
console.log(b);

// After
console.log("Hi!");

remove_dead_else(ast)

// Before
if (something) {
    console.log("Hi!");
} else {
}

// After
if (something) {
    console.log("Hi!");
}

delete_unused(ast)

https://steakenthusiast.github.io/2022/06/04/Deobfuscating-Javascript-via-AST-Removing-Dead-or-Unreachable-Code/

Deletes all read or unreachable code.

deobfuscate_object_calls(ast)

Makes the code use the dot notation everywhere

// Before
const m = {
    a: "Hello, World!",
};
console["log"](m["a"]);

// After
const m = {
    a: "Hello, World!",
};
console.log(m.a);

rewrite_inline_logical_expression(ast)

// Before
function a() {
    return (g = a), h instanceof g.Function && g.Function.prototype.toString.call(h).indexOf("[native code]") > 0;
}

// After
function a() {
    if (h instanceof g.Function) {
        _temp = g.Function.prototype.toString.call(h).indexOf("[native code]") > 0;
    }

    return (g = a), _temp;
}