feat: inline simple string arrays

j4k0xb · Aug 14, 2023 · 6e40f6b · 6e40f6b
1 parent c90c5e3
commit 6e40f6b
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 0 deletions.
diff --git a/src/deobfuscator/stringArray.ts b/src/deobfuscator/stringArray.ts
@@ -1,6 +1,8 @@
 import traverse, { NodePath } from '@babel/traverse';
 import * as t from '@babel/types';
 import * as m from '@codemod/matchers';
+import { inlineArray } from '../utils/inline';
+import { isReadonlyObject } from '../utils/matcher';
 import { renameFast } from '../utils/rename';
 
 export interface StringArray {
@@ -53,6 +55,7 @@ export function findStringArray(ast: t.Node): StringArray | undefined {
   );
 
   traverse(ast, {
+    // Wrapped string array from later javascript-obfuscator versions
     FunctionDeclaration(path) {
       if (matcher.match(path.node)) {
         const length = arrayExpression.current!.elements.length;
@@ -69,6 +72,22 @@ export function findStringArray(ast: t.Node): StringArray | undefined {
         path.stop();
       }
     },
+    // Simple string array inlining (only `array[0]`, `array[1]` etc references, no rotating/decoding).
+    // May be used by older or different obfuscators
+    VariableDeclaration(path) {
+      if (!variableDeclaration.match(path.node)) return;
+
+      const length = arrayExpression.current!.elements.length;
+      const binding = path.scope.getBinding(arrayIdentifier.current!.name)!;
+      const memberAccess = m.memberExpression(
+        m.fromCapture(arrayIdentifier),
+        m.numericLiteral(m.matcher(value => value < length))
+      );
+      if (!isReadonlyObject(binding, memberAccess)) return;
+
+      inlineArray(arrayExpression.current!, binding.referencePaths);
+      path.remove();
+    },
   });
 
   return result;

diff --git a/src/utils/inline.ts b/src/utils/inline.ts
@@ -3,6 +3,24 @@ import * as t from '@babel/types';
 import * as m from '@codemod/matchers';
 import { findParent } from './matcher';
 
+/**
+ * Make sure the array is immutable and references are valid before using!
+ *
+ * Example:
+ * `const arr = ["foo", "bar"]; console.log(arr[0]);` -> `console.log("foo");`
+ */
+export function inlineArray(
+  array: t.ArrayExpression,
+  references: NodePath[]
+): void {
+  for (const reference of references) {
+    const memberPath = reference.parentPath! as NodePath<t.MemberExpression>;
+    const property = memberPath.node.property as t.NumericLiteral;
+    const index = property.value;
+    const replacement = array.elements[index]!;
+    memberPath.replaceWith(replacement);
+  }
+}
 /**
  * Inline function used in control flow flattening (that only returns an expression)
  * Example:

diff --git a/test/__snapshots__/deobfuscator.test.ts.snap b/test/__snapshots__/deobfuscator.test.ts.snap
@@ -78,6 +78,8 @@ exports[`deobfuscate obfuscator.io-rotator-unary.js 1`] = `
 hi();"
 `;
 
+exports[`deobfuscate simple-string-array.js 1`] = `"console.log(\\"Hello, World!\\");"`;
+
 exports[`inline decoder > inline function 1`] = `
 "function decoder() {}
 decoder(1);

diff --git a/test/deobfuscator.test.ts b/test/deobfuscator.test.ts
@@ -22,6 +22,7 @@ test.each([
   'obfuscator.io-control-flow.js',
   'obfuscator.io-control-flow-keys.js',
   'obfuscator.io-high.js',
+  'simple-string-array.js',
 ])('deobfuscate %s', async filename => {
   const result = await webcrack(
     await readFile(join('test', 'samples', filename), 'utf8')

diff --git a/test/samples/simple-string-array.js b/test/samples/simple-string-array.js
@@ -0,0 +1,2 @@
+const arr = ['log', 'Hello, World!'];
+console[arr[0]](arr[1]);