项目作者: TheQmaks

项目描述 :
Some things of reversing
高级语言: JavaScript
项目地址: git://github.com/TheQmaks/chatruletka.git
创建时间: 2021-08-30T04:51:20Z
项目社区:https://github.com/TheQmaks/chatruletka

开源协议:

下载


ChatRuletka script reversing guide

STEP 1

Download original script from https://roulette.apps-host.com/scripts/main.js

STEP 1

STEP 2

Beautify script to human-readable format via https://beautifier.io/ and saving to a new file

STEP 2

STEP 3

Check for errors in syntax validator like https://esprima.org/demo/validate.html

STEP 3.1

and fix them

STEP 3.2

now we can save it

This step is required for future compatibility with the tools will be used.

STEP 4

Analyze the logic and structure of the results.
STEP 4

As we can see, the file is divided for two parts: normal and obfuscated. We so interested in second and let’s see what doing here.
Notice an array with values that are unreadable for us and two functions that access it. The first one is called at script loading, the second only on call. From the code below, we conclude that the second function is used for decryption. At this stage, I propose to move the obfuscated part into a separate file.

STEP 5

Now we will try decrypt array values.
In the browser console we will declare and execute array, functions and for loop.

  1. for(let i = 0; i < _0x521d.length; i++) {
  2. _0x521d[i] = _0x28ad(i);
  3. }
  4. console.log(_0x521d)

As a result, we got decrypted values and we can get rid of two functions.
STEP 5

Replace the old array with a new one and delete the unnecessary code.

STEP 6

Due to the fact that we have removed the call to the decryption function, it is necessary to replace all its references in the code with direct access to the array.

STEP 6.1

I solved this problem using a regular expression and replacement in Notepad++.

[_A-Za-z0-9]+\(\"(0x[A-Za-z0-9]+)\"\) replace to _0x521d[$1] where $1 is hex value and _0x521d - array variable.

STEP 6.2

STEP 7

Now we can use the https://deobfuscate.io/ for the last stages of deobfuscation as array unpacking and code optimizing.

STEP 7

STEP 8

The last step - transform the code using http://jsnice.org/

STEP 8

Voila, the code is ready to be explored in more details :)