This repository has been archived by the owner on Dec 1, 2023. It is now read-only.

Detecting string patterns (suffix and prefix) #7

Open
fraxken opened this issue Apr 3, 2022 · 0 comments
Labels
help wanted Extra attention is needed

fraxken commented Apr 3, 2022

Hello 👋,

Current methods for detecting suffix and prefix are not working very well in light of what is possible in obfuscated code.

Example:

[
  { commonPrefix: '_0x3c0c55', commonStr: null },
  { commonPrefix: '_0x1185d5', commonStr: '_0x' },
  { commonPrefix: '_0x160fc8', commonStr: '_0x' },
  { commonPrefix: '_0x18a66f', commonStr: '_0x' },
  { commonPrefix: '_0x18a835', commonStr: '_0x' },
  { commonPrefix: '_0x1a8356', commonStr: '_0x' },
  { commonPrefix: '_0x1adf3b', commonStr: '_0x' },
  { commonPrefix: '_0x1e4510', commonStr: '_0x' },
  { commonPrefix: '_0x1e9a2a', commonStr: '_0x' },
  { commonPrefix: '_0x215558', commonStr: '_0x' },
  { commonPrefix: '_0x2b0194', commonStr: '_0x' },
  { commonPrefix: '_0x2fffe5', commonStr: '_0x' },
  { commonPrefix: '_0x32c822', commonStr: '_0x3' },
  { commonPrefix: '_0x33bb79', commonStr: '_0x3' },
  { commonPrefix: '_0x347d1c', commonStr: '_0x3' },
  { commonPrefix: '_0x34d723', commonStr: '_0x3' },
  { commonPrefix: '_0x354004', commonStr: '_0x3' },
  { commonPrefix: '_0x35b235', commonStr: '_0x3' },
  { commonPrefix: '_0x3655de', commonStr: '_0x3' },
  { commonPrefix: '_0x383944', commonStr: '_0x3' },
  { commonPrefix: '_0x3be907', commonStr: '_0x3' },
  { commonPrefix: '_0x1', commonStr: '_0x' },
  { commonPrefix: '_0x', commonStr: '_0x' }
]

Here we keep a common prefix equal to _0x.

But with a dictionary of identifiers this may not work as we expect:

[
  { commonPrefix: 'bromance', commonStr: 'br' },
  { commonPrefix: 'brtklcvl', commonStr: 'brtklcvl' },
  { commonPrefix: 'brocoli', commonStr: 'br' },
  { commonPrefix: 'booboo', commonStr: 'b' },
  { commonPrefix: 'br', commonStr: 'br' }
]

For documentation see: JSXRay - Patterns of obfuscated JavaScript code

The objective would be to succeed in developing a set of tools capable of identifying patterns used by obfuscator tools.
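The contrast described in this issue, as an added example that is not part of the original post or the project's code: a plain common-prefix reduction reports a prefix for ordinary words, while a check that also requires a hexadecimal remainder only fires on the `_0x…` identifiers. The function names, the 4-character minimum and the 0.8 coverage threshold are assumptions.

```javascript
// Added example (not the project's code). Names and thresholds are assumptions.
function commonPrefix(a, b) {
  let i = 0;
  while (i < a.length && i < b.length && a[i] === b[i]) i++;
  return a.slice(0, i);
}

// Naive approach: fold the list down to whatever prefix every identifier shares.
function naivePrefix(identifiers) {
  if (identifiers.length === 0) return "";
  return identifiers.reduce((acc, id) => commonPrefix(acc, id));
}

// Stricter approach: an identifier only votes for a prefix when what follows
// the prefix is a run of at least 4 hexadecimal characters up to the end.
function detectHexPrefix(identifiers, minCoverage = 0.8) {
  const votes = new Map();
  for (const id of identifiers) {
    const match = /^(.+?)([0-9a-f]{4,})$/i.exec(id);
    if (match !== null) {
      votes.set(match[1], (votes.get(match[1]) ?? 0) + 1);
    }
  }
  let best = null;
  for (const [prefix, count] of votes) {
    if (best === null || count > best.count) best = { prefix, count };
  }
  if (best === null) return null;
  // Coverage is the share of all identifiers that voted for the winning prefix.
  const coverage = best.count / identifiers.length;
  return coverage >= minCoverage ? { prefix: best.prefix, coverage } : null;
}

// Identifiers taken from the two listings in the issue.
const obfuscated = ["_0x3c0c55", "_0x1185d5", "_0x160fc8", "_0x32c822", "_0x3be907"];
const dictionary = ["bromance", "brtklcvl", "brocoli", "booboo"];

console.log(naivePrefix(obfuscated), naivePrefix(dictionary));
console.log(detectHexPrefix(obfuscated), detectHexPrefix(dictionary));
```

The hexadecimal check covers only the `_0x` style shown here; other obfuscator naming schemes would need their own remainder pattern.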
