This repository has been archived by the owner on Dec 1, 2023. It is now read-only.

Detecting string patterns (suffix and prefix) #7

Open
fraxken opened this issue Apr 3, 2022 · 0 comments

fraxken commented Apr 3, 2022

Hello 👋,

Current methods for detecting suffix and prefix are not working very well in light of what is possible in obfuscated code.

Example:

[
  { commonPrefix: '_0x3c0c55', commonStr: null },
  { commonPrefix: '_0x1185d5', commonStr: '_0x' },
  { commonPrefix: '_0x160fc8', commonStr: '_0x' },
  { commonPrefix: '_0x18a66f', commonStr: '_0x' },
  { commonPrefix: '_0x18a835', commonStr: '_0x' },
  { commonPrefix: '_0x1a8356', commonStr: '_0x' },
  { commonPrefix: '_0x1adf3b', commonStr: '_0x' },
  { commonPrefix: '_0x1e4510', commonStr: '_0x' },
  { commonPrefix: '_0x1e9a2a', commonStr: '_0x' },
  { commonPrefix: '_0x215558', commonStr: '_0x' },
  { commonPrefix: '_0x2b0194', commonStr: '_0x' },
  { commonPrefix: '_0x2fffe5', commonStr: '_0x' },
  { commonPrefix: '_0x32c822', commonStr: '_0x3' },
  { commonPrefix: '_0x33bb79', commonStr: '_0x3' },
  { commonPrefix: '_0x347d1c', commonStr: '_0x3' },
  { commonPrefix: '_0x34d723', commonStr: '_0x3' },
  { commonPrefix: '_0x354004', commonStr: '_0x3' },
  { commonPrefix: '_0x35b235', commonStr: '_0x3' },
  { commonPrefix: '_0x3655de', commonStr: '_0x3' },
  { commonPrefix: '_0x383944', commonStr: '_0x3' },
  { commonPrefix: '_0x3be907', commonStr: '_0x3' },
  { commonPrefix: '_0x1', commonStr: '_0x' },
  { commonPrefix: '_0x', commonStr: '_0x' }
]

Here we keep a common prefix equal to _0x.

But with a dictionary of identifiers this may not work as we expect:

[
  { commonPrefix: 'bromance', commonStr: 'br' },
  { commonPrefix: 'brtklcvl', commonStr: 'brtklcvl' },
  { commonPrefix: 'brocoli', commonStr: 'br' },
  { commonPrefix: 'booboo', commonStr: 'b' },
  { commonPrefix: 'br', commonStr: 'br' }
]

For documentation see: JSXRay - Patterns of obfuscated JavaScript code

The objective would be to succeed in developing a set of tools capable of identifying patterns used by obfuscator tools.

@fraxken fraxken added the help wanted Extra attention is needed label Apr 3, 2022
@fraxken fraxken added this to Backlog in Roadmap Feb 24, 2023
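
One way to approach the problem described in this issue, as an added example that is not part of the original issue or the project's code: count how often each leading substring occurs, keep the longest one shared by most identifiers, then check whether the tails after it are hexadecimal. The function name, the thresholds and the hex-tail heuristic are assumptions; the sample identifiers are taken from the two lists in the issue.

```javascript
// Added example. dominantPrefix, minCoverage and minLength are hypothetical names,
// not part of the project's API. Sample identifiers are copied from the issue's lists.
const hexSample = ['_0x3c0c55', '_0x1185d5', '_0x160fc8', '_0x215558', '_0x2b0194', '_0x32c822', '_0x3be907'];
const dictSample = ['bromance', 'brtklcvl', 'brocoli', 'booboo'];

function dominantPrefix(identifiers, { minCoverage = 0.8, minLength = 2 } = {}) {
  if (identifiers.length === 0) return null;

  // Count every proper leading substring of every identifier.
  const counts = new Map();
  for (const id of identifiers) {
    for (let len = minLength; len < id.length; len++) {
      const prefix = id.slice(0, len);
      counts.set(prefix, (counts.get(prefix) ?? 0) + 1);
    }
  }

  // Keep the longest prefix shared by at least minCoverage of the identifiers.
  let best = null;
  for (const [prefix, count] of counts) {
    const coverage = count / identifiers.length;
    if (coverage >= minCoverage && (best === null || prefix.length > best.prefix.length)) {
      best = { prefix, coverage };
    }
  }
  if (best === null) return null;

  // Second signal: share of tails (text after the prefix) that are purely hexadecimal.
  const tails = identifiers
    .filter((id) => id.startsWith(best.prefix))
    .map((id) => id.slice(best.prefix.length));
  const hexTails = tails.filter((tail) => /^[0-9a-f]+$/i.test(tail)).length;
  return { ...best, hexTailRatio: hexTails / tails.length };
}

console.log(dominantPrefix(hexSample));
console.log(dominantPrefix(dictSample));
console.log(dominantPrefix(dictSample, { minCoverage: 0.7 }));
```

With a lower coverage threshold the dictionary sample does report `br`, but its hex-tail ratio is 0, which separates it from the `_0x` pattern.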