IlluminateJs: a good JavaScript Deobfuscator

Useful during analysis of malicious sites

Yesterday in my Twitter stream I saw this tweet by Florian Roth:

During the analysis of a malicious site, one of the first steps is the deobfuscation of the suspicious JavaScript.

There are a lot of tools (online or standalone) that can help the analyst during this step, but IlluminateJs, from my point of view, is one of the most complete and accurate.

Consider it like JSDetox, but on steroids.

The IlluminateJs core is a Babel compiler plugin and it works entirely in your browser: no server interaction is needed to perform deobfuscation.

Features

  • Extended constant propagation
  • Array mutators tracking
  • Mixed-type expressions evaluation
  • Support modern JavaScript (ES6)
  • Function calls evaluation
  • Built-in function evaluation
  • Loops evaluation
  • Procedure inlining
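
As an added illustration (not IlluminateJs code and not part of the original post), the sketch below does two of the simplest normalizations by hand: decoding `\xHH`/`\uHHHH` escapes in string literals and turning `obj['name']` into `obj.name`. It works on text rather than on a Babel AST, so it is far less general than the features listed above; the names `normalize`, `decodeEscapes` and `followsOperand` and the sample input are assumptions of this example.

```javascript
// Added example: text-level normalizer. Comments, regex literals and template
// literals are not handled; an AST-based tool is the robust way to do this.
const KEYWORDS = new Set(['return', 'typeof', 'in', 'of', 'case', 'delete',
  'void', 'throw', 'new', 'else', 'do', 'yield', 'await', 'instanceof']);

// Decode \xHH and \uHHHH escapes inside the body of one string literal.
function decodeEscapes(body) {
  return body.replace(/\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[\s\S])/g, (esc, e) => {
    if (e.length === 1) return esc;          // \n, \\, \' and so on stay as written
    const code = parseInt(e.slice(1), 16);
    const ch = String.fromCharCode(code);
    // Substitute only printable ASCII that cannot end or alter the literal.
    return code >= 0x20 && code < 0x7f && !'\'"\\'.includes(ch) ? ch : esc;
  });
}

// True when the text before a "[" ends in something that can be indexed:
// ")", "]" or an identifier that is not a keyword (so return['a'] is left alone).
function followsOperand(before) {
  const m = /(?:[)\]]|(?<![\w$])([A-Za-z_$][\w$]*))$/.exec(before);
  return m !== null && !KEYWORDS.has(m[1]);
}

// A quoted string, optionally wrapped in [ ]. Matching whole literals first
// keeps text such as "a['b']" inside a string from being rewritten.
const LITERAL = /(\[)?(['"])((?:\\[\s\S]|(?!\2)[^\\\n])*)\2(\])?/g;

function normalize(src) {
  return src.replace(LITERAL, (m, open, q, body, close, offset) => {
    const text = decodeEscapes(body);
    if (open && close && /^[A-Za-z_$][\w$]*$/.test(text) &&
        followsOperand(src.slice(0, offset))) {
      return '.' + text;                     // obj['name'] -> obj.name
    }
    return (open || '') + q + text + q + (close || '');
  });
}

// Constructed sample, written in the style of commonly seen obfuscator output.
const SAMPLE = String.raw`$(this)['css']({"\x62\x6F\x72\x64\x65\x72": '1px solid red'});
$['ajax']({type: 'POST', url: 'getCriteria.php'});
var parts = this['id']['split']('a'), list = ['a'];`;

console.log(normalize(SAMPLE));
```

Array literals such as `['a']` and escapes that decode to quotes or backslashes are deliberately left untouched so the output stays valid JavaScript.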

References

https://illuminatejs.com

1 Comment

  1. $('.ui')['keyup'](function () {
    if (event['keyCode'] == 13) {

    var max = $(this).attr('max-input');

    var _0xc340xc = this['id']['split']('a'),
    _0xc340xd = _0xc340xc[0],
    _0xc340xe = _0xc340xc[1],
    _0xc340xf = 1,
    _0xc340x10 = $(this)['val'](),
    _0xc340x11 = '';
    if ($(this)['val']() == '') {
    $(this)['css']({
    "\x62\x6F\x78\x2D\x73\x68\x61\x64\x6F\x77": '0px 0px 2px palevioletred',
    "\x62\x6F\x72\x64\x65\x72": '1px solid red'
    });
    e['preventDefault']();
    _0xc340xb = true;
    } else {
    if ($(this)['val']() max) {
    $(this)['css']({
    "\x62\x6F\x78\x2D\x73\x68\x61\x64\x6F\x77": '0px 0px 2px palevioletred',
    "\x62\x6F\x72\x64\x65\x72": '1px solid red'
    });
    e['preventDefault']();
    _0xc340xb = true;
    } else {
    $(this)['css']({
    "\x62\x6F\x72\x64\x65\x72": '1px solid #999',
    "\x62\x6F\x78\x2D\x73\x68\x61\x64\x6F\x77": '0px 0px 0px #00aced'
    });
    _0xc340xa += $(this)['val']() + '-';
    _0xc340xb = false;
    }
    }
    }
    };
    $['ajax']({
    type: 'POST',
    url: 'getCriteria.php',
    dataType: 'JSON',
    cache: false,
    success: function (_0xc340x4) {
    $['each'](_0xc340x4, function (_0xc340x5, _0xc340x6) {
    if (_0xc340xe == _0xc340x6['cri_id']) {
    var _0xc340x12 = '.' + _0xc340x6['percentage'];
    _0xc340x11 = _0xc340x10 * _0xc340x12;
    var _0xc340x13 = 'jid=' + _0xc340x7 + '&canID=' + _0xc340xd + '&catID=' + _0xc340xf + '&criID=' + _0xc340xe + '&score=' + _0xc340x11 + '&pscore=' + _0xc340x10;
    $['ajax']({
    type: 'POST',
    url: 'insertprelim.php',
    data: _0xc340x13,
    cache: false,
    beforeSend: function () {
    $('.td' + _0xc340xd + '#td' + _0xc340xe)['html']('')
    },
    success: function (_0xc340x4) {
    getChecked();
    $('.td' + _0xc340xd + '#td' + _0xc340xe)['html']('');
    }
    });
    }
    })
    }
    });
    }
    });
