Last active
July 6, 2024 04:57
Inferno deobfuscator
const fs = require('fs'); | |
const vm = require('vm'); | |
const acorn = require('acorn'); | |
const escodegen = require('escodegen'); | |
const estraverse = require('estraverse'); | |
const { JSDOM } = require('jsdom'); | |
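/**
 * Replaces calls to the obfuscator's helper functions with the strings they return.
 *
 * The whole input script is executed once inside a Node `vm` context backed by a
 * jsdom window, so that the helper functions it declares become callable. Every
 * call expression whose callee is an identifier matching /^__p_\d+.*$/ is then
 * regenerated as source, evaluated in that same context, and swapped for a string
 * literal when the result is a string. Calls that throw or return a non-string
 * are left untouched in the output.
 *
 * SECURITY: this function EXECUTES `obfuscatedCode`. The Node `vm` module is not a
 * security boundary, and the context built below also receives the host's
 * enumerable globals and the host `console`. Treat the input as hostile: run this
 * tool only inside a disposable, network-isolated VM or container that holds no
 * credentials, keys or wallets.
 *
 * @param {string} obfuscatedCode - Source text of the obfuscated script.
 * @param {{ timeoutMs?: number }} [options] - `timeoutMs` caps each synchronous
 *   vm run in milliseconds (default 10000).
 * @returns {string} Regenerated source with the resolvable helper calls inlined.
 * @throws Propagates acorn parse errors and any error (including a timeout)
 *   raised by the initial run of the script.
 */
function deobfuscate(obfuscatedCode, { timeoutMs = 10000 } = {}) {
  const helperCallPattern = /^__p_\d+.*$/;

  // Bounds synchronous execution so a sample that spins forever cannot hang the
  // analysis. It does not cover callbacks the sample schedules for later.
  const runOptions = { timeout: timeoutMs };

  const ast = acorn.parse(obfuscatedCode, { ecmaVersion: 2020 });

  const dom = new JSDOM('<!DOCTYPE html><html><head></head><body></body></html>');
  const { window } = dom;
  const { document } = window;

  // NOTE(security): spreading `global` copies host-realm functions and objects
  // into the context the sample runs in. That is kept so samples relying on
  // those globals still resolve, but it means nothing here isolates the host;
  // isolation has to come from the machine this runs on.
  const context = { ...global, window, document, console };
  const vmContext = vm.createContext(context);

  // Runs the untrusted script itself so its helper functions are defined.
  vm.runInContext(obfuscatedCode, vmContext, runOptions);

  estraverse.replace(ast, {
    enter(node) {
      const isHelperCall =
        node.type === 'CallExpression' &&
        node.callee.type === 'Identifier' &&
        helperCallPattern.test(node.callee.name);
      if (!isHelperCall) {
        return undefined; // leave every other node as it is
      }

      const codeToEvaluate = escodegen.generate(node);
      try {
        // The call is evaluated at global scope of the context; arguments that
        // refer to locals of the original function will throw and be logged.
        const evaluatedResult = vm.runInContext(codeToEvaluate, vmContext, runOptions);
        if (typeof evaluatedResult === 'string') {
          return { type: 'Literal', value: evaluatedResult };
        }
      } catch (error) {
        console.error(`Error evaluating expression: ${codeToEvaluate}`, error);
      }
      return undefined;
    },
  });

  return escodegen.generate(ast);
}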
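// Script entry: read the sample from the working directory, resolve its helper
// calls, and write the result next to it.
// deobfuscate() executes the contents of obfuscated.js, so run this only on an
// isolated, disposable analysis machine.
const obfuscatedCode = fs.readFileSync('obfuscated.js', 'utf8');
const deobfuscatedCode = deobfuscate(obfuscatedCode);
fs.writeFileSync('deobfuscated.js', deobfuscatedCode, 'utf8');
// The message now names the file that is actually written (it used to say deob.js).
console.log('Deobfuscated code has been written to deobfuscated.js');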