
Variable names, lambda functions, and executing safe javascript


Thank you for this useful tool.

I have been receiving phishing/spam messages with IP addresses in the Russian Federation (e.g., 3260518168///sh.php) that redirect to a page with the following Javascript:

var _0x45a3=['href','310326TemamY','$1//$2','3789jqLAjI','201260CufYBR','includes','location','624856ogdMrz','28pRWhXX','10734yvtFqz','352RuMMpQ','1339PvpRAh','392868PctkdY','indexOf','596BmZxvY'];var _0x5ce7=function(_0x34bb17,_0x37718d){_0x34bb17=_0x34bb17-0x1b8;var _0x45a37a=_0x45a3[_0x34bb17];return _0x45a37a;};var _0x3c82e1=_0x5ce7;(function(_0x4279be,_0x4a014c){var _0x2ec4e6=_0x5ce7;while(!![]){try{var _0xe2f92d=-parseInt(_0x2ec4e6(0x1c4))+parseInt(_0x2ec4e6(0x1c2))*-parseInt(_0x2ec4e6(0x1bf))+-parseInt(_0x2ec4e6(0x1c0))+parseInt(_0x2ec4e6(0x1bc))*parseInt(_0x2ec4e6(0x1bd))+parseInt(_0x2ec4e6(0x1bb))+-parseInt(_0x2ec4e6(0x1b8))+parseInt(_0x2ec4e6(0x1c6))*parseInt(_0x2ec4e6(0x1be));if(_0xe2f92d===_0x4a014c)break;else _0x4279be['push'](_0x4279be['shift']());}catch(_0x1227cb){_0x4279be['push'](_0x4279be['shift']());}}}(_0x45a3,0x87e5e));var params='lptoken=16bb40f2638560276692';params!=''&&(window[_0x3c82e1(0x1ba)][_0x3c82e1(0x1c3)][_0x3c82e1(0x1c1)]('?')<0x0?params='?'+params:params='&'+params);if(window['location']['href'][_0x3c82e1(0x1b9)]('#'))window[_0x3c82e1(0x1ba)][_0x3c82e1(0x1c3)]=window['location'][_0x3c82e1(0x1c3)]['replace'](/(.*?)\/\/(.*?)\/(.*)#/,_0x3c82e1(0x1c5))+params;
Output from deobfuscate.io:
var _0x45a3 = ["href", "310326TemamY", "$1//$2", "3789jqLAjI", "201260CufYBR", "includes", "location", "624856ogdMrz", "28pRWhXX", "10734yvtFqz", "352RuMMpQ", "1339PvpRAh", "392868PctkdY", "indexOf", "596BmZxvY"];
var _0x5ce7 = function (_0x34bb17, _0x37718d) {
  _0x34bb17 = _0x34bb17 - 440;
  var _0x45a37a = _0x45a3[_0x34bb17];
  return _0x45a37a;
};
var _0x3c82e1 = _0x5ce7;
(function (_0x4279be, _0x4a014c) {
  var _0x2ec4e6 = _0x5ce7;
  while (!![]) {
    try {
      var _0xe2f92d = -parseInt(_0x2ec4e6(452)) + parseInt(_0x2ec4e6(450)) * -parseInt(_0x2ec4e6(447)) + -parseInt(_0x2ec4e6(448)) + parseInt(_0x2ec4e6(444)) * parseInt(_0x2ec4e6(445)) + parseInt(_0x2ec4e6(443)) + -parseInt(_0x2ec4e6(440)) + parseInt(_0x2ec4e6(454)) * parseInt(_0x2ec4e6(446));
      if (_0xe2f92d === _0x4a014c) break; else _0x4279be.push(_0x4279be.shift());
    } catch (_0x1227cb) {
      _0x4279be.push(_0x4279be.shift());
    }
  }
}(_0x45a3, 556638));
var params = "lptoken=16bb40f2638560276692";
params != "" && (window[_0x3c82e1(442)][_0x3c82e1(451)][_0x3c82e1(449)]("?") < 0 ? params = "?" + params : params = "&" + params);
if (window.location.href[_0x3c82e1(441)]("#")) window[_0x3c82e1(442)][_0x3c82e1(451)] = window.location[_0x3c82e1(451)].replace(/(.*?)\/\/(.*?)\/(.*)#/, _0x3c82e1(453)) + params;
  1. It would be nice if javascript-deobfuscator had an option for renaming variables and functions that begin with underscore (‘_’). Since single letter names (a, b, c) can be confusing, I suggest assigning names using a phonetic alphabet: alpha, bravo, charlie.

  2. Another trick that is being used is to assign a lambda function to a variable instead of defining it normally. For example:

     var _0x5ce7 = function (_0x34bb17, _0x37718d) {
       _0x34bb17 = _0x34bb17 - 440;
       var _0x45a37a = _0x45a3[_0x34bb17];
       return _0x45a37a;
     };
     var _0x3c82e1 = _0x5ce7;
    

    Can such anonymous function definitions be deobfuscated?

  3. Finally, it looks like this code is using an array of strings as a lookup table to scramble its code. It may not be possible always, but it would be nice, where it is safe to do so, if javascript-deobfuscator could execute trivial javascript functions.

    For example, function _0x3c82e1 (defined above) is safe as it only subtracts the number 440 and then looks up a string from this table:

    [
      'href',         '310326TemamY', '$1//$2',       '3789jqLAjI',
      '201260CufYBR', 'includes',     'location',     '624856ogdMrz',
      '28pRWhXX',     '10734yvtFqz',  '352RuMMpQ',    '1339PvpRAh',
      '392868PctkdY', 'indexOf',      '596BmZxvY'
    ]
    

    It would be very helpful if javascript-deobfuscator could convert this:

    if (window.location.href[_0x3c82e1(441)]("#"))
      window[_0x3c82e1(442)][_0x3c82e1(451)] 
        = window.location[_0x3c82e1(451)].replace(/(.*?)\/\/(.*?)\/(.*)#/, _0x3c82e1(453)) + params;
    

    into something like this:

    if (window.location.href['310326TemamY']("#"))
      window['$1//$2']['1339PvpRAh']
        = window.location['310326TemamY'].replace(/(.*?)\/\/(.*?)\/(.*)#/, 'indexOf') + params;
    

    (This deobfuscation was done by hand so it likely definitely has errors, which shows how important it is to have an automated tool for deobfuscation.)

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 10 (6 by maintainers)
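
The lookup resolution requested in item 3 of the issue, worked through on the sample above without running the script. This is an added example, not code from javascript-deobfuscator or from the issue author. The names `checksum`, `resolveTable` and `inlineLookups` are hypothetical, the checksum is transcribed by hand from the rotation loop, and the output reflects the string table after that loop has rotated it.

```javascript
// Values copied from the sample in the issue; nothing from the sample is executed.
const TABLE = ['href', '310326TemamY', '$1//$2', '3789jqLAjI', '201260CufYBR',
  'includes', 'location', '624856ogdMrz', '28pRWhXX', '10734yvtFqz',
  '352RuMMpQ', '1339PvpRAh', '392868PctkdY', 'indexOf', '596BmZxvY'];
const OFFSET = 440;     // _0x5ce7 subtracts 0x1b8 before indexing the table
const TARGET = 556638;  // 0x87e5e, second argument of the rotation IIFE

// The rotation loop's checksum, transcribed by hand (an assumption of this
// example: a real tool would derive it from the AST). Only table lookups and
// parseInt are involved, which is why it is safe to evaluate.
function checksum(t) {
  const p = (n) => parseInt(t[n - OFFSET]);
  return -p(452) + p(450) * -p(447) + -p(448) + p(444) * p(445)
    + p(443) + -p(440) + p(454) * p(446);
}

// Replay push(shift()) on a copy until the checksum matches. Bounded by the
// table length so a malformed sample cannot spin forever.
function resolveTable(t, target) {
  const copy = t.slice();
  for (let i = 0; i < copy.length; i++) {
    if (checksum(copy) === target) return { table: copy, rotations: i };
    copy.push(copy.shift());
  }
  throw new Error('no rotation satisfies the checksum');
}

// Replace each alias(N) call with the quoted string it resolves to; calls
// whose index falls outside the table are left untouched.
function inlineLookups(source, alias, resolved) {
  const name = alias.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const call = new RegExp(name + '\\((0x[0-9a-f]+|\\d+)\\)', 'gi');
  return source.replace(call, (whole, n) => {
    const s = resolved[Number(n) - OFFSET];
    return s === undefined ? whole : JSON.stringify(s);
  });
}

// Last statement of the deobfuscate.io output, embedded verbatim.
const TAIL = String.raw`if (window.location.href[_0x3c82e1(441)]("#")) window[_0x3c82e1(442)][_0x3c82e1(451)] = window.location[_0x3c82e1(451)].replace(/(.*?)\/\/(.*?)\/(.*)#/, _0x3c82e1(453)) + params;`;

const { table: RESOLVED, rotations } = resolveTable(TABLE, TARGET);
console.log(rotations, inlineLookups(TAIL, '_0x3c82e1', RESOLVED));
```

`inlineLookups` also accepts the hexadecimal indices of the raw one-line sample, such as `_0x3c82e1(0x1b9)`.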

Top GitHub Comments

ben-sb commented, Jan 5, 2022 (1 reaction)

Have added a shuffled list of 25k of those names in latest commits

ben-sb commented, Dec 28, 2021 (1 reaction)

I’ve also added function evaluation as a somewhat experimental feature, you can read the details here https://github.com/sd-soleaio/javascript-deobfuscator#advanced-usage
