Code Obfuscation and Deobfuscation

This entry is part 14 of 18 in the series Incident Response and Forensics


Code obfuscation is a technique that makes a script harder for humans to read while leaving its behaviour unchanged (it may run more slowly). It is usually done automatically by an obfuscation tool, which takes code as input and rewrites it into a form that is much harder to read; how hard depends on the tool's design.

An online tool for JavaScript obfuscation is BeautifyTools: http://beautifytools.com/javascript-obfuscator.php

Using BeautifyTools to obfuscate the code:

Simple obfuscators (packers) often turn the code into a dictionary of all the words and symbols it uses, replace each occurrence with a short index, and rebuild the original code at run time by looking each index up in that dictionary.

While Python and PHP usually run on the server side and are therefore hidden from end users, JavaScript usually runs in the browser on the client side: the code is sent to the user and executed in cleartext. This is why obfuscation is so often applied to JavaScript.

It must be noted that doing authentication or encryption on the client side is not recommended: anything that runs in the browser can be read, modified and bypassed by the user, and obfuscation does not change that.

Main reasons for code obfuscation:

  1. To protect the code from being copied or reused.
  2. To make vulnerabilities in the code harder to find (this only slows an attacker down; it does not fix the vulnerability).

The most common use of obfuscation, however, is malicious. Attackers routinely obfuscate their scripts so that Intrusion Detection and Prevention systems, which rely largely on signatures of known code, do not recognise them.

Tools for Obfuscation

Sample JavaScript code:

function addNumbers(num1, num2) {
  return num1 + num2;
}

let result = addNumbers(5, 3);
console.log(result); // Output: 8

Run the code in https://jsconsole.com to confirm it prints 8. The obfuscator used below is https://beautifytools.com/javascript-obfuscator.php

A common way of reducing the readability of a snippet of JavaScript while keeping it fully functional is minification. Minification removes whitespace, line breaks and comments (and often shortens local variable names), typically leaving the entire code on a single, very long line. It is more useful for longer code: if the code consisted of a single line already, it would not look much different when minified.

Minification can be applied to any text-based programming language, but it matters most for code shipped to the client, such as JavaScript and CSS.

https://www.toptal.com/developers/javascript-minifier

Usually, minified JavaScript is saved with the extension .min.js.

Running the minified code in https://jsconsole.com gives the same output.

Code Obfuscation with Beautifytools:

Note: this type of obfuscation is known as "packing", usually recognizable from the six arguments of the outer function, function(p,a,c,k,e,d). The packer converts all words and symbols of the code into a list (dictionary), replaces each occurrence with a short index, and emits code that refers back to the dictionary through that function to rebuild the original source at run time; the rebuilt source is then passed to eval.

While a packer does a great job of reducing readability, the dictionary it depends on is stored in cleartext in the output, so the main strings and identifiers are still visible and may reveal some of the code's functionality.

Running the packed code in https://jsconsole.com gives the same output.
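To make the dictionary idea concrete, here is a small packer in the same function(p,a,c,k,e,d) style, written for this article as an added example: it is not the BeautifyTools packer, and it simplifies the real thing by rebuilding the source in a single replace pass instead of a countdown loop. The function names pack, buildDictionary, runPacked and dictionaryOf are this example's own; the input is the page's addNumbers snippet. Running it shows that the packed output still behaves exactly like the original, and that the dictionary (and with it every identifier and string) sits in the output in cleartext.

```javascript
// Added example: a minimal "p,a,c,k,e,d"-style packer. Not BeautifyTools'
// or Dean Edwards' packer; written to show how the dictionary is built and
// how the packed output rebuilds the original source at run time.

// Constructed sample input: the page's addNumbers snippet.
const SAMPLE_SOURCE = [
  'function addNumbers(num1, num2) {',
  '  return num1 + num2;',
  '}',
  'let result = addNumbers(5, 3);',
  'console.log(result);',
].join('\n');

// Dictionary of every \w+ token (keywords, identifiers, numbers),
// most frequent first so the commonest words get the shortest indices.
function buildDictionary(source) {
  const counts = new Map();
  for (const tok of source.match(/\b\w+\b/g) || []) {
    counts.set(tok, (counts.get(tok) || 0) + 1);
  }
  return [...counts.entries()]
    .sort((x, y) => y[1] - x[1] || x[0].localeCompare(y[0]))
    .map(([tok]) => tok);
}

// Replace each token with its dictionary index in base 36 and wrap the
// result in eval(function(p,a,c,k,e,d){...}(...)). At run time the inner
// function looks every index up in k, returns the rebuilt source, and the
// outer eval executes it. (p = packed text, a = radix, c = word count,
// k = dictionary, e = decoder, d = unused scratch object.)
function pack(source) {
  const k = buildDictionary(source);
  const index = new Map(k.map((tok, i) => [tok, i]));
  const p = source.replace(/\b\w+\b/g, (tok) => index.get(tok).toString(36));
  const unpacker =
    'function(p,a,c,k,e,d){' +
    'e=function(t){return k[parseInt(t,a)]};' +
    'return p.replace(/\\b\\w+\\b/g,e)}';
  return 'eval(' + unpacker + '(' + JSON.stringify(p) + ',36,' + k.length +
    ',' + JSON.stringify(k.join('|')) + '.split("|"),0,{}))';
}

// Run the packed code the way a browser would and call the recovered
// function. Direct eval in sloppy mode hoists function declarations into
// the calling scope, which is why addNumbers is reachable afterwards.
function runPacked(packed, x, y) {
  return new Function('x', 'y', packed + ';\nreturn addNumbers(x, y);')(x, y);
}

// The packer hides structure, not content: the dictionary is a plain
// "|"-joined string literal in the output and can be read straight back.
// (Assumes the packed text p contains no double quote, as here.)
function dictionaryOf(packed) {
  const m = packed.match(/("[^"]*")\.split\("\|"\)/);
  return m ? JSON.parse(m[1]).split('|') : [];
}

// Demo: pack the sample, show the output, prove it still computes 5 + 3.
const packedSample = pack(SAMPLE_SOURCE);
console.log(packedSample);
console.log('runs the same:', runPacked(packedSample, 5, 3));
console.log('cleartext dictionary:', dictionaryOf(packedSample).join(', '));
```

The single-pass replace works because every \w+ token in the packed text is an index; the real packer instead loops from the last dictionary entry down to the first with a regular expression per word, which is the while(c--) you see in genuine packer output.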

Advanced Obfuscation

Using https://obfuscator.io on the same JavaScript snippet gives the following output:

function _0x1d2e(){const _0x4e362a=['483752vxcaHx','2739832dUYGpa','log','47298HNpyIF','278422qrraJD','225RmZZwU','1xESKiJ','6826338bvlBga','502873MGVFJq','913899RJINFK'];_0x1d2e=function(){return _0x4e362a;};return _0x1d2e();}const _0x17bbef=_0x1df8;function _0x1df8(_0xe0773d,_0xc16522){const _0x1d2e60=_0x1d2e();return _0x1df8=function(_0x1df836,_0x50db38){_0x1df836=_0x1df836-0x77;let _0x569765=_0x1d2e60[_0x1df836];return _0x569765;},_0x1df8(_0xe0773d,_0xc16522);}(function(_0x7ba468,_0x47006c){const _0x531608=_0x1df8,_0x43a08f=_0x7ba468();while(!![]){try{const _0x1d6f00=-parseInt(_0x531608(0x79))/0x1*(-parseInt(_0x531608(0x77))/0x2)+parseInt(_0x531608(0x7c))/0x3+-parseInt(_0x531608(0x7d))/0x4+-parseInt(_0x531608(0x78))/0x5*(-parseInt(_0x531608(0x80))/0x6)+-parseInt(_0x531608(0x7b))/0x7+parseInt(_0x531608(0x7e))/0x8+-parseInt(_0x531608(0x7a))/0x9;if(_0x1d6f00===_0x47006c)break;else _0x43a08f['push'](_0x43a08f['shift']());}catch(_0x53f2fb){_0x43a08f['push'](_0x43a08f['shift']());}}}(_0x1d2e,0x2e567));function addNumbers(_0x702e3f,_0x235b40){return _0x702e3f+_0x235b40;}let result=addNumbers(0x5,0x3);console[_0x17bbef(0x7f)](result);

Executing the obfuscated code in https://jsconsole.com gives the same result, 8.

Other advanced JavaScript obfuscation tools:

https://jsfuck.com (rewrites any JavaScript using only the six characters []()!+)

https://utf-8.jp/public/jjencode.html (encodes the script using only symbol characters)

https://utf-8.jp/public/aaencode.html (encodes the script as Japanese-style emoticons)

Keep in mind that complex obfuscators can make the code noticeably slower to load and execute, since the original code has to be rebuilt or decoded at run time.

Deobfuscation

Sample JavaScript code after beautifying with https://beautifier.io (layout restored, nothing decoded yet):

function _0x1d2e() {
    const _0x4e362a = ['483752vxcaHx', '2739832dUYGpa', 'log', '47298HNpyIF', '278422qrraJD', '225RmZZwU', '1xESKiJ', '6826338bvlBga', '502873MGVFJq', '913899RJINFK'];
    _0x1d2e = function() {
        return _0x4e362a;
    };
    return _0x1d2e();
}
const _0x17bbef = _0x1df8;

function _0x1df8(_0xe0773d, _0xc16522) {
    const _0x1d2e60 = _0x1d2e();
    return _0x1df8 = function(_0x1df836, _0x50db38) {
        _0x1df836 = _0x1df836 - 0x77;
        let _0x569765 = _0x1d2e60[_0x1df836];
        return _0x569765;
    }, _0x1df8(_0xe0773d, _0xc16522);
}
(function(_0x7ba468, _0x47006c) {
    const _0x531608 = _0x1df8,
        _0x43a08f = _0x7ba468();
    while (!![]) {
        try {
            const _0x1d6f00 = -parseInt(_0x531608(0x79)) / 0x1 * (-parseInt(_0x531608(0x77)) / 0x2) + parseInt(_0x531608(0x7c)) / 0x3 + -parseInt(_0x531608(0x7d)) / 0x4 + -parseInt(_0x531608(0x78)) / 0x5 * (-parseInt(_0x531608(0x80)) / 0x6) + -parseInt(_0x531608(0x7b)) / 0x7 + parseInt(_0x531608(0x7e)) / 0x8 + -parseInt(_0x531608(0x7a)) / 0x9;
            if (_0x1d6f00 === _0x47006c) break;
            else _0x43a08f['push'](_0x43a08f['shift']());
        } catch (_0x53f2fb) {
            _0x43a08f['push'](_0x43a08f['shift']());
        }
    }
}(_0x1d2e, 0x2e567));

function addNumbers(_0x702e3f, _0x235b40) {
    return _0x702e3f + _0x235b40;
}
let result = addNumbers(0x5, 0x3);
console[_0x17bbef(0x7f)](result);

Beautifying restores the indentation, but the code is still far from readable: it was not only minified but obfuscated, so the identifiers are meaningless hex names and the strings are hidden in the rotated array.

There are many online tools to deobfuscate JavaScript and turn it into something readable. One good tool for packed code is UnPacker: supply the beautified output from https://beautifier.io to UnPacker.

Another way of unpacking packed code by hand is to take the eval(function(p,a,c,k,e,d){...}(...)) expression and replace the leading eval with console.log (equivalently, find the return value at the end of the unpacking function and print it), so that the rebuilt source is printed instead of executed.
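The same "print instead of execute" idea applied to the obfuscator.io output above, as an added example that is not the page's code, UnPacker's, or obfuscator.io's: only the helper that builds and rotates the string array is run, and every decoder call in the program body is replaced with the string the decoder returns, so the body can be read without ever executing it. The function names inlineStringArray and runRecovered are this example's own, and it assumes the shape of default obfuscator.io output (a top-level const alias for the decoder, single-argument decoder calls, and a rotation IIFE ending in (arrayFn,checksum));). The sample input is the obfuscator.io output shown earlier, embedded in full so the block runs offline.

```javascript
// Added example (not from the page or from obfuscator.io): recover the strings
// behind obfuscator.io's rotated string array by running only the helper code
// that builds and rotates the array, then replacing each decoder call in the
// program body with the literal it returns, so the body can be read instead
// of executed.
//
// WARNING: the helper is executed in-process with new Function. That is fine
// for this known sample; for real malware do this only in a disposable VM.

// Sample input: the obfuscator.io output for the addNumbers snippet, as one
// string (split into chunks here only for readability).
const OBFUSCATED = [
  "function _0x1d2e(){const _0x4e362a=['483752vxcaHx','2739832dUYGpa','log','47298HNpyIF',",
  "'278422qrraJD','225RmZZwU','1xESKiJ','6826338bvlBga','502873MGVFJq','913899RJINFK'];",
  "_0x1d2e=function(){return _0x4e362a;};return _0x1d2e();}const _0x17bbef=_0x1df8;",
  "function _0x1df8(_0xe0773d,_0xc16522){const _0x1d2e60=_0x1d2e();",
  "return _0x1df8=function(_0x1df836,_0x50db38){_0x1df836=_0x1df836-0x77;",
  "let _0x569765=_0x1d2e60[_0x1df836];return _0x569765;},_0x1df8(_0xe0773d,_0xc16522);}",
  "(function(_0x7ba468,_0x47006c){const _0x531608=_0x1df8,_0x43a08f=_0x7ba468();",
  "while(!![]){try{const _0x1d6f00=-parseInt(_0x531608(0x79))/0x1*(-parseInt(_0x531608(0x77))/0x2)",
  "+parseInt(_0x531608(0x7c))/0x3+-parseInt(_0x531608(0x7d))/0x4",
  "+-parseInt(_0x531608(0x78))/0x5*(-parseInt(_0x531608(0x80))/0x6)",
  "+-parseInt(_0x531608(0x7b))/0x7+parseInt(_0x531608(0x7e))/0x8+-parseInt(_0x531608(0x7a))/0x9;",
  "if(_0x1d6f00===_0x47006c)break;else _0x43a08f['push'](_0x43a08f['shift']());}",
  "catch(_0x53f2fb){_0x43a08f['push'](_0x43a08f['shift']());}}}(_0x1d2e,0x2e567));",
  "function addNumbers(_0x702e3f,_0x235b40){return _0x702e3f+_0x235b40;}",
  "let result=addNumbers(0x5,0x3);console[_0x17bbef(0x7f)](result);",
].join('');

// Assumptions (true for this sample and for default obfuscator.io output):
//  - the prelude (string array, decoder, rotation IIFE) comes first and the
//    IIFE ends with "(arrayFn,0xCHECKSUM));"
//  - the decoder is aliased at top level as "const ALIAS=DECODER;"
//  - decoder calls in the body take a single numeric argument
function inlineStringArray(code) {
  // 1. Cut the code at the end of the rotation IIFE.
  const end = code.match(/\(\s*_0x[0-9a-f]+\s*,\s*0x[0-9a-f]+\s*\)\s*\)\s*;/);
  if (!end) throw new Error('rotation IIFE not found');
  const cut = end.index + end[0].length;
  const prelude = code.slice(0, cut);
  const body = code.slice(cut);

  // 2. Find the decoder's top-level alias and its real name.
  const alias = prelude.match(/const\s+(_0x[0-9a-f]+)\s*=\s*(_0x[0-9a-f]+)\s*;/);
  if (!alias) throw new Error('decoder alias not found');
  const [, aliasName, decoderName] = alias;

  // 3. Run the prelude on its own. It rotates the array into place; the
  //    returned function is the decoder, ready to answer lookups.
  const decode = new Function(prelude + '\nreturn ' + aliasName + ';')();

  // 4. Print instead of execute: replace every decode(0x..) in the body with
  //    the string it would return.
  const call = new RegExp(
    '\\b(?:' + aliasName + '|' + decoderName + ')\\((0x[0-9a-fA-F]+|\\d+)\\)', 'g');
  let out = body.replace(call, (_, arg) => JSON.stringify(decode(Number(arg))));

  // 5. Cosmetics: obj["prop"] -> obj.prop, hex number literals -> decimal.
  out = out.replace(/\[(['"])([A-Za-z_$][\w$]*)\1\]/g, '.$2');
  out = out.replace(/\b0x([0-9a-fA-F]+)\b/g, (_, h) => String(parseInt(h, 16)));
  return out;
}

// Execute the recovered body and call the function it defines, to confirm
// the deobfuscated program still behaves like the obfuscated one.
function runRecovered(code, x, y) {
  return new Function('x', 'y', code + '\nreturn addNumbers(x, y);')(x, y);
}

const recoveredBody = inlineStringArray(OBFUSCATED);
console.log(recoveredBody);
console.log('still computes 20 + 22 =', runRecovered(recoveredBody, 20, 22));
```

Running the prelude means executing part of the obfuscated program, so for an unknown sample do it inside a disposable VM and with a timeout: a rotation loop whose checksum never matches spins forever. The program body itself is never executed by inlineStringArray. The output is the addNumbers function with its strings back in place (console.log instead of console[_0x17bbef(0x7f)]); only the meaningless parameter names remain to be renamed by hand.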

Code Analysis

function addNumbers(num1, num2) {
  return num1 + num2;
}

let result = addNumbers(5, 3);
console.log(result); // Output: 8

The above code has only one function addNumbers. With the use of code deobfuscation and code analysis, we were able to uncover this function.

Series navigation: << Incident Report Template | Wireshark 101 | Traffic Analysis and Investigation (PART 02) >>