join string literals

Author: kmvi

.gitignore

@@ -72,4 +72,5 @@ typings/
 !.vscode/launch.json
 !.vscode/extensions.json
 
-*.js
+*.js
+*.map

.vscode/launch.json

@@ -13,7 +13,7 @@
                 "${workspaceFolder}/**/*.js"
             ],
             "args": [
-                "${workspaceFolder}/test-data/test-obf3.js"
+                "${workspaceFolder}/test-data/test-obf6.js"
             ]
         }
     ]

src/deobfuscator.js.map

@@ -5,6 +5,10 @@ import { EspreeFacade } from './EspreeFacade';
 import { VariableDeclaration } from 'estree';
 import { StringArrayProtection } from './string-array';
 import { registerDecoders } from './utils';
+import { ProtectionBase } from './protection';
+import { StringSplit } from './string-split';
+
+type ProtectionCtor = new (code: string, ast: estree.Program) => ProtectionBase;
 
 export class Deobfuscator {
 
@@ -20,6 +24,10 @@ export class Deobfuscator {
     };
 
     private ast: estree.Program | null = null;
+    private protections: ProtectionCtor[] = [
+        StringSplit,
+        StringArrayProtection,
+    ];
 
     constructor (public code: string) {
 
@@ -37,13 +45,15 @@ export class Deobfuscator {
         let code = this.code;
         let ast = this.ast;
 
-        let p = new StringArrayProtection(code, ast);
-        p.detect();
-        p.remove();
-
-        let result = generate(this.ast);
+        for (const ctor of this.protections) {
+            const p = new ctor(code, ast);
+            if (p.detect()) {
+                ast = p.remove();
+                code = generate(ast);
+            }
+        }
 
-        return result;
+        return code;
     }
 
 }

src/deobfuscator.ts

@@ -2,9 +2,21 @@ import * as espree from 'espree';
 import * as estree from 'estree';
 
 export abstract class ProtectionBase {
+
+    protected active: boolean = false;
+
     constructor (
         protected code: string,
-        protected ast: estree.Program) {
+        protected ast: estree.Program)
+    {
+
+    }
+
+    abstract detect(): boolean;
+    abstract remove(): estree.Program;
 
+    isActive() {
+        return this.active;
     }
+
 }

src/protection.js.map

@@ -12,7 +12,6 @@ export class StringArrayProtection extends ProtectionBase {
     private arrayVar: string = '';
     private array: string[] = [];
     private astArray: estree.Statement | null = null;
-    private active: boolean = false;    
 
     private hasRotation: boolean = false;
     private rotFunc: string = '';
@@ -95,10 +94,6 @@ export class StringArrayProtection extends ProtectionBase {
         return this.hasEncoding;
     }
 
-    isActive() {
-        return this.active;
-    }
-
     remove(): estree.Program {
         let result = this.ast;
         if (!this.active)

src/protection.ts

@@ -0,0 +1,39 @@
+import * as espree from 'espree';
+import * as estree from 'estree';
+import { ProtectionBase } from "./protection";
+import { VisitorOption, traverse, replace } from 'estraverse';
+import { isBinaryExpression, isLiteral } from './utils';
+
+export class StringSplit extends ProtectionBase {
+
+    constructor(code: string, ast: estree.Program) {
+        super(code, ast);
+        this.active = true;
+    }
+
+    detect(): boolean {
+        return this.active;
+    }
+
+    remove(): estree.Program {
+        if (!this.active)
+            return this.ast;
+
+        this.ast = <estree.Program> replace(this.ast, {
+            enter: (node, parent) => {
+                if (isBinaryExpression(node) && node.operator === '+' &&
+                    isLiteral(node.left) && isLiteral(node.right) &&
+                    typeof node.left.value === 'string' && typeof node.right.value === 'string')
+                {
+                    return <estree.Literal> {
+                        type: 'Literal',
+                        value: node.left.value + node.right.value
+                    };
+                }
+            }
+        });
+        
+        return this.ast;
+    }
+
+}

src/string-array.js.map

@@ -30,3 +30,12 @@ export function decodeRC4(encoded: string, key: string): string {
         throw new Error('Call registerDecoders() first.');
     return g.rc4(encoded, key);
 }
+
+export function isBinaryExpression(node: estree.Node): node is estree.BinaryExpression {
+    return node.type === 'BinaryExpression';
+}
+
+export function isLiteral(node: estree.Node): node is estree.Literal {
+    return node.type === 'Literal';
+}
+