
@RetiredQQ
Created August 5, 2016 11:57
Deobfuscate free version of JavascriptObfuscator.com

Simple Javascript deobfuscator

Aims to deobfuscate the result of JavascriptObfuscator free version.

Run

To run the script, you need node.js installed, along with the following npm modules:

  • esprima
  • estraverse
  • escodegen

Simply run the following commands:

npm install esprima estraverse escodegen
node deobfuscator.js obfuscated-file.js

About the files

// Deobfuscated form of the sample's string table: the hex escapes of the
// obfuscated input are printed as plain string literals. The declaration is
// kept in the output even though the function below no longer indexes it, so
// the list doubles as a quick inventory of every method, property and URL
// string the script uses.
var _0x6dc0 = [
'GET',
'/my/url',
'open',
'onload',
'status',
'responseText',
'parse',
'onerror',
'send',
'the-element',
'getElementById',
'opacity',
'style',
'requestAnimationFrame',
'classList',
'toggle',
' ',
'split',
'className',
'indexOf',
'splice',
'push',
'join'
];
// Deobfuscated body of the sample. Every `obj[_0x6dc0[n]]` lookup has been
// resolved to a direct property access; the `_0xbafbx…` local names are the
// obfuscator's and are left as they are, and the original comments are gone.
(function () {
// Asynchronous GET of '/my/url'.
var _0xbafbx1 = new XMLHttpRequest();
_0xbafbx1.open('GET', '/my/url', true);
_0xbafbx1.onload = function () {
if (_0xbafbx1.status >= 200 && _0xbafbx1.status < 400) {
// The response body is parsed as JSON; the result is not used afterwards.
var _0xbafbx2 = JSON.parse(_0xbafbx1.responseText);
} else {
}
};
_0xbafbx1.onerror = function () {
};
_0xbafbx1.send();
var _0xbafbx3 = document.getElementById('the-element');
// Fade-in helper: raises the element's opacity from 0 in proportion to the
// time elapsed since the previous step (elapsed ms / 400) until it reaches 1.
function _0xbafbx4(_0xbafbx3) {
_0xbafbx3.style.opacity = 0;
var _0xbafbx5 = +new Date();
var _0xbafbx6 = function () {
_0xbafbx3.style.opacity = +_0xbafbx3.style.opacity + (new Date() - _0xbafbx5) / 400;
_0xbafbx5 = +new Date();
if (+_0xbafbx3.style.opacity < 1) {
// setTimeout is only reached when the `&&` expression is falsy.
window.requestAnimationFrame && requestAnimationFrame(_0xbafbx6) || setTimeout(_0xbafbx6, 16);
}
;
};
_0xbafbx6();
}
_0xbafbx4(_0xbafbx3);
// Toggle a class on the element. NOTE(review): `className` is not declared
// anywhere in this snippet, so it resolves to a global at run time.
if (_0xbafbx3.classList) {
_0xbafbx3.classList.toggle(className);
} else {
// Manual toggle on the space-separated class string when classList is absent.
var _0xbafbx7 = _0xbafbx3.className.split(' ');
var _0xbafbx8 = _0xbafbx7.indexOf(className);
if (_0xbafbx8 >= 0) {
_0xbafbx7.splice(_0xbafbx8, 1);
} else {
_0xbafbx7.push(className);
}
;
_0xbafbx3.className = _0xbafbx7.join(' ');
}
;
}());
/**
* Author: ChiChou
*
* Deobfuscate code generated by free version of
* JavascriptObfuscator (https://javascriptobfuscator.com/Javascript-Obfuscator.aspx)
*
* Usage: node deobfuscator.js file.js>output.js
*
*/
var esprima = require('esprima');
var estraverse = require('estraverse');
var escodegen = require('escodegen');
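/**
 * Tell whether `node` opens a new function scope.
 *
 * Used by the string-table scan to keep track of nesting depth, so that only
 * arrays declared at global scope are collected. Arrow functions are included
 * because a `var` declared inside one is local to it, just as in a function
 * expression or declaration.
 *
 * @param {{type: string}} node - an ESTree node.
 * @returns {boolean} true for function declarations, function expressions
 *   and arrow function expressions.
 */
function shouldSwitchScope(node) {
  return /^(?:Function(?:Express|Declarat)ion|ArrowFunctionExpression)$/.test(node.type);
}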
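/**
 * Statically deobfuscate a script produced by the free JavascriptObfuscator
 * and print the restored source to stdout.
 *
 * The input is only parsed, rewritten as an AST and printed again; nothing
 * from it is evaluated, so the tool can be pointed at untrusted scripts. The
 * printed result is still the same program and deserves the same caution as
 * the input.
 *
 * Limitations: a string table is assumed to be declared once at global scope
 * and never modified or shadowed by a local of the same name; neither is
 * checked, so output for input that breaks this assumption can be wrong.
 *
 * @param {string} fileName - path of the obfuscated script to read.
 * @throws whatever `fs.readFileSync` or `esprima.parse` throw for an
 *   unreadable or syntactically invalid file.
 */
function main(fileName) {
  var Syntax = esprima.Syntax;
  var code = require('fs').readFileSync(fileName).toString();
  var ast = esprima.parse(code);
  // Table names come from the input file. A prototype-less dictionary keeps
  // names such as "hasOwnProperty" or "__proto__" from colliding with
  // Object.prototype members.
  var strings = Object.create(null);
  var scopeDepth = 0; // 0 means global scope

  // Holes in a sparse array literal are null in the AST, so guard before
  // reading `.type`.
  function isLiteral(element) {
    return element !== null && element.type === Syntax.Literal;
  }

  // Dot notation is only equivalent to bracket notation when the key is a
  // valid identifier name; 'the-element' or '' must stay in brackets. The
  // ASCII-only pattern is deliberately conservative.
  function isIdentifierName(text) {
    return /^[A-Za-z_$][A-Za-z0-9_$]*$/.test(text);
  }

  // pass 1: collect every global `var name = [literal, literal, ...]`
  estraverse.traverse(ast, {
    enter: function (node) {
      if (shouldSwitchScope(node)) {
        scopeDepth++;
      }
      if (scopeDepth === 0 &&
          node.type === Syntax.VariableDeclarator &&
          node.id.type === Syntax.Identifier && // skip destructuring patterns
          node.init &&
          node.init.type === Syntax.ArrayExpression &&
          node.init.elements.every(isLiteral)) {
        strings[node.id.name] = node.init.elements.map(function (element) {
          return element.value;
        });
        this.skip();
      }
    },
    leave: function (node) {
      if (shouldSwitchScope(node)) {
        scopeDepth--;
      }
    }
  });

  // pass 2: rewrite member expressions. This runs on `leave`, so an inner
  // `table[2]` has already become the literal 'open' by the time the outer
  // `request[table[2]]` is visited and can be turned into `request.open`.
  ast = estraverse.replace(ast, {
    leave: function (node) {
      if (node.type !== Syntax.MemberExpression ||
          !node.computed ||
          node.property.type !== Syntax.Literal) {
        return;
      }
      var key = node.property.value;

      // table[n] -> the n-th literal, only for an in-range integer index.
      // Anything else (for example table['length']) is left for the rule below.
      var table = node.object.type === Syntax.Identifier ?
        strings[node.object.name] : undefined;
      if (table &&
          typeof key === 'number' &&
          key % 1 === 0 &&
          key >= 0 &&
          key < table.length) {
        return {
          type: Syntax.Literal,
          value: table[key]
        };
      }

      // obj['name'] -> obj.name
      if (typeof key === 'string' && isIdentifierName(key)) {
        return {
          type: Syntax.MemberExpression,
          computed: false,
          object: node.object,
          property: {
            type: Syntax.Identifier,
            name: key
          }
        };
      }
    }
  });

  console.log(escodegen.generate(ast));
}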
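// Entry point: the obfuscated file is the first command-line argument.
// Without it, print the usage line instead of failing inside readFileSync.
if (process.argv.length < 3) {
  console.error('Usage: node deobfuscator.js file.js > output.js');
  process.exit(1);
}
main(process.argv[2]);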
// Obfuscated sample used as input for the deobfuscator. Every string the
// program needs (method names, property names, the URL, the element id) is
// stored hex-escaped in the global table `_0x6dc0`, and the code reaches
// members through `obj[_0x6dc0[n]]` instead of `obj.name`. Locals are renamed
// to `_0xbafbx…`; the free identifier `className` is left untouched.
var _0x6dc0=["\x47\x45\x54","\x2F\x6D\x79\x2F\x75\x72\x6C","\x6F\x70\x65\x6E","\x6F\x6E\x6C\x6F\x61\x64","\x73\x74\x61\x74\x75\x73","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x70\x61\x72\x73\x65","\x6F\x6E\x65\x72\x72\x6F\x72","\x73\x65\x6E\x64","\x74\x68\x65\x2D\x65\x6C\x65\x6D\x65\x6E\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x6F\x70\x61\x63\x69\x74\x79","\x73\x74\x79\x6C\x65","\x72\x65\x71\x75\x65\x73\x74\x41\x6E\x69\x6D\x61\x74\x69\x6F\x6E\x46\x72\x61\x6D\x65","\x63\x6C\x61\x73\x73\x4C\x69\x73\x74","\x74\x6F\x67\x67\x6C\x65","\x20","\x73\x70\x6C\x69\x74","\x63\x6C\x61\x73\x73\x4E\x61\x6D\x65","\x69\x6E\x64\x65\x78\x4F\x66","\x73\x70\x6C\x69\x63\x65","\x70\x75\x73\x68","\x6A\x6F\x69\x6E"];(function(){var _0xbafbx1= new XMLHttpRequest();_0xbafbx1[_0x6dc0[2]](_0x6dc0[0],_0x6dc0[1],true);_0xbafbx1[_0x6dc0[3]]=function(){if(_0xbafbx1[_0x6dc0[4]]>=200&&_0xbafbx1[_0x6dc0[4]]<400){var _0xbafbx2=JSON[_0x6dc0[6]](_0xbafbx1[_0x6dc0[5]])}else {}};_0xbafbx1[_0x6dc0[7]]=function(){};_0xbafbx1[_0x6dc0[8]]();var _0xbafbx3=document[_0x6dc0[10]](_0x6dc0[9]);function _0xbafbx4(_0xbafbx3){_0xbafbx3[_0x6dc0[12]][_0x6dc0[11]]=0;var _0xbafbx5=+ new Date();var _0xbafbx6=function(){_0xbafbx3[_0x6dc0[12]][_0x6dc0[11]]=+_0xbafbx3[_0x6dc0[12]][_0x6dc0[11]]+( new Date()-_0xbafbx5)/400;_0xbafbx5=+ new Date();if(+_0xbafbx3[_0x6dc0[12]][_0x6dc0[11]]<1){(window[_0x6dc0[13]]&&requestAnimationFrame(_0xbafbx6))||setTimeout(_0xbafbx6,16)};};_0xbafbx6();}_0xbafbx4(_0xbafbx3);if(_0xbafbx3[_0x6dc0[14]]){_0xbafbx3[_0x6dc0[14]][_0x6dc0[15]](className)}else {var _0xbafbx7=_0xbafbx3[_0x6dc0[18]][_0x6dc0[17]](_0x6dc0[16]);var _0xbafbx8=_0xbafbx7[_0x6dc0[19]](className);if(_0xbafbx8>=0){_0xbafbx7[_0x6dc0[20]](_0xbafbx8,1)}else {_0xbafbx7[_0x6dc0[21]](className)};_0xbafbx3[_0x6dc0[18]]=_0xbafbx7[_0x6dc0[22]](_0x6dc0[16]);};})();
// Original, readable source of the sample: an XHR GET, a fade-in animation
// and a class toggle, wrapped in one immediately-invoked function. Useful as
// the reference when comparing the deobfuscator's output, which recovers the
// property names but not the local names or the comments.
(function() {
// Asynchronous GET of '/my/url'.
var request = new XMLHttpRequest();
request.open('GET', '/my/url', true);
request.onload = function() {
if (request.status >= 200 && request.status < 400) {
// Success!
// The parsed JSON is assigned to `data` and not used afterwards.
var data = JSON.parse(request.responseText);
} else {
// We reached our target server, but it returned an error
}
};
request.onerror = function() {
// There was a connection error of some sort
};
request.send();
var el = document.getElementById('the-element');
// Raise the element's opacity from 0 in proportion to the time elapsed since
// the previous step (elapsed ms / 400) until it reaches 1.
function fadeIn(el) {
el.style.opacity = 0;
var last = +new Date();
var tick = function() {
el.style.opacity = +el.style.opacity + (new Date() - last) / 400;
last = +new Date();
if (+el.style.opacity < 1) {
// setTimeout is only reached when the `&&` expression is falsy.
(window.requestAnimationFrame && requestAnimationFrame(tick)) || setTimeout(tick, 16)
}
};
tick();
}
fadeIn(el);
// Toggle a class on the element. NOTE(review): `className` is not declared
// anywhere in this snippet, so it resolves to a global at run time.
if (el.classList) {
el.classList.toggle(className);
} else {
// Manual toggle on the space-separated class string when classList is absent.
var classes = el.className.split(' ');
var existingIndex = classes.indexOf(className);
if (existingIndex >= 0)
classes.splice(existingIndex, 1);
else
classes.push(className);
el.className = classes.join(' ');
}
})()