Class: Rex::Exploitation::JSObfu

Inherits:
Object
Defined in:
lib/rex/exploitation/jsobfu.rb

Overview

Obfuscate JavaScript by randomizing as much as possible and removing easily-signaturable string constants.

Example:

js = ::Rex::Exploitation::JSObfu.new %Q|
  var a = "0\\612\\063\\x34\\x35\\x36\\x37\\x38\\u0039";
  var b = { foo : "foo", bar : "bar" }
  alert(a);
  alert(b.foo);
|
js.obfuscate
puts js

Example Output:

var VwxvESbCgv = String.fromCharCode(0x30,0x31,062,063,064,53,0x36,067,070,0x39);
var ToWZPn = {
  "\146\157\x6f": (function () { var yDyv="o",YnCL="o",Qcsa="f"; return Qcsa+YnCL+yDyv })(),
  "\142ar": String.fromCharCode(0142,97,0162)
};
alert(VwxvESbCgv);
alert(ToWZPn.foo);

NOTE: Variables MUST be declared with a ‘var’ statement BEFORE first use (or not at all) for this to generate correct code! If variables are not declared they will not be randomized but the generated code will be correct.

Bad Example JavaScript:

a = "asdf"; // this variable hasn't been declared and will not be randomized
var a;
alert(a); // real js engines will alert "asdf" here

Bad Example Obfuscated:

a = (function () { var hpHu="f",oyTm="asd"; return oyTm+hpHu })();
var zSrnHpEfJZtg;
alert(zSrnHpEfJZtg);

Notice that the first usage of a (before it was declared) is not randomized. Thus, the obfuscated version will alert ‘undefined’ instead of “asdf”.
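
When string signatures have to run over output like the Example Output above, the three constant encodings it shows (escaped string literals, String.fromCharCode with mixed hex, octal and decimal arguments, and concatenating function wrappers) can be folded back to plain literals first. The following Ruby is an added example, not part of Metasploit or of this page's original code; the helper names (js_int, js_char, unescape_js, normalize) are hypothetical.

```ruby
# Added example, not Metasploit code: a regex pass, not a JavaScript parser.
ESC  = /\\(?:x(\h{2})|u(\h{4})|([0-3][0-7]{2}|[0-7]{1,2})|.)/
STR  = /"((?:[^"\\]|\\.)*)"/
NUM  = /0x\h+|\d+/i
FCC  = /String\.fromCharCode\(\s*(#{NUM}(?:\s*,\s*#{NUM})*)\s*\)/
IIFE = /\(function\s*\(\)\s*\{\s*var\s+([^;]+);\s*return\s+([\w\s+]+?)\s*\}\)\(\)/

# JS numeric literal as in the sample: 0x hex, leading-0 octal, else decimal.
def js_int(tok)
  return tok.hex if tok.match?(/\A0x/i)
  tok.match?(/\A0[0-7]+\z/) ? tok.oct : Integer(tok, 10)
end

# Emit a code unit as itself when printable and safe inside "...", else \uXXXX.
def js_char(cp)
  cp &= 0xffff # String.fromCharCode keeps only the low 16 bits
  safe = (0x20..0x7e).cover?(cp) && ![0x22, 0x5c].include?(cp)
  safe ? cp.chr : format("\\u%04x", cp)
end

# Decode \xHH, \uHHHH and legacy octal escapes; other escapes pass through.
def unescape_js(body)
  body.gsub(ESC) do
    h, o = $1 || $2, $3
    h || o ? js_char(h ? h.hex : o.oct) : $&
  end
end

# Fold escaped literals, fromCharCode calls and concatenating wrappers.
def normalize(js)
  js = js.gsub(STR) { "\"#{unescape_js($1)}\"" }
  js = js.gsub(FCC) { "\"#{$1.split(/\s*,\s*/).map { |t| js_char(js_int(t)) }.join}\"" }
  js.gsub(IIFE) do
    whole, decl, ret = $&, $1, $2
    vars  = decl.scan(/(\w+)\s*=\s*#{STR}/).to_h
    parts = ret.split("+").map { |n| vars[n.strip] }
    parts.all? ? "\"#{parts.join}\"" : whole # unknown name: leave untouched
  end
end

# The page's example output (first five lines), embedded as sample input.
SAMPLE = <<~'JS'
  var VwxvESbCgv = String.fromCharCode(0x30,0x31,062,063,064,53,0x36,067,070,0x39);
  var ToWZPn = {
    "\146\157\x6f": (function () { var yDyv="o",YnCL="o",Qcsa="f"; return Qcsa+YnCL+yDyv })(),
    "\142ar": String.fromCharCode(0142,97,0162)
  };
JS
puts normalize(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

On the sample this yields `var VwxvESbCgv = "0123456789";` and `"foo": "foo"`; the randomized identifiers stay as they are, since the original names are not present in the output.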

Direct Known Subclasses

JavascriptOSDetect


Constructor Details

#initialize(code) ⇒ JSObfu

Saves code for later obfuscation with #obfuscate



# File 'lib/rex/exploitation/jsobfu.rb', line 61

def initialize(code)
	@code = code
	@funcs = {}
	@vars  = {}
	@debug = false
end

Instance Attribute Details

#ast ⇒ Object (readonly)

Abstract Syntax Tree generated by RKelly::Parser#parse



# File 'lib/rex/exploitation/jsobfu.rb', line 56

def ast
  @ast
end

Instance Method Details

#<<(str) ⇒ Object

Add str to the un-obfuscated code.

The result of calling this method after #obfuscate is undefined.



# File 'lib/rex/exploitation/jsobfu.rb', line 73

def <<(str)
	@code << str
end

#obfuscate ⇒ Object

Parse and obfuscate



# File 'lib/rex/exploitation/jsobfu.rb', line 108

def obfuscate
	parse
	obfuscate_r(@ast)
end

#sym(lookup) ⇒ Object

Return the obfuscated name of a symbol

You MUST call #obfuscate before this method!



# File 'lib/rex/exploitation/jsobfu.rb', line 94

def sym(lookup)
	if @vars[lookup]
		ret = @vars[lookup]
	elsif @funcs[lookup]
		ret = @funcs[lookup]
	else
		ret = lookup
	end
	ret
end

#to_s ⇒ Object

Return the (possibly obfuscated) code as a string.

If #obfuscate has not been called before this, returns the parsed, unobfuscated code. This can be useful, for example, to remove comments and standardize spacing.



# File 'lib/rex/exploitation/jsobfu.rb', line 84

def to_s
	parse if not @ast
	@ast.to_ecma
end