Obfuscator.io is no longer working

[Rulliam]

Describe the bug
Deobfuscating Obfuscator io is no longer working

To Reproduce
it does not work anymore for obfuscator io
i tried with the obfuscator io sample

// Paste your JavaScript code here
function hi() {
  console.log("Hello World!");
}
hi();

-> obfuscated:

var _0x305e=['9saDTIV','326PQEvGs','56489vfJpQr','log','316680vTtHaV','167leqdwt','Hello\x20World!','92112VNXwdf','135890nrPiXD','175642lixkia','594079wXNZKt'];var _0x2a47=function(_0x816949,_0x40e825){_0x816949=_0x816949-0x152;var _0x305eb0=_0x305e[_0x816949];return _0x305eb0;};(function(_0x3700ba,_0x18dfd4){var _0x2e4789=_0x2a47;while(!![]){try{var _0x5919da=parseInt(_0x2e4789(0x154))+-parseInt(_0x2e4789(0x155))+parseInt(_0x2e4789(0x15c))+parseInt(_0x2e4789(0x156))+parseInt(_0x2e4789(0x15a))*parseInt(_0x2e4789(0x158))+parseInt(_0x2e4789(0x152))*-parseInt(_0x2e4789(0x159))+-parseInt(_0x2e4789(0x157));if(_0x5919da===_0x18dfd4)break;else _0x3700ba['push'](_0x3700ba['shift']());}catch(_0x226ab0){_0x3700ba['push'](_0x3700ba['shift']());}}}(_0x305e,0x4b4c8));function hi(){var _0x3c243f=_0x2a47;console[_0x3c243f(0x15b)](_0x3c243f(0x153));}hi();

but when trying to deobfuscate, in the console i have the error

Decode Error! ErrorEvent {isTrusted: true, message: "Uncaught Error: Not matched", filename: "http://127.0.0.1:4000/de4js/worker/decode.js", lineno: 79, colno: 11, …}

Uncaught Error: Not matched
    at decode.js:79

Desktop (please complete the following information):

• OS: linux
• Browser: chrome 87
• Version: 1.11.1

Additional context
Does not works neither in online demo version, nor in builded version

[zxsleebu]

agree. i can't decode anything :c

[lelinhtinh]

Same #59 but more detail 👍

[TristonStuart]

Code obfuscated from obfuscator.io will not work with the following options:

• Eval
• Array
• Obfuscator io
• _Number
• JSFuck
• JJencode
• AAencode
• URLencode
• Packer
• JS Obfuscator
• My Obfuscate

I don't know if some of these are intended to throw javascript errors or not. But they all throw different errors usually "Not Matched" though. Just some more info on this bug.

[ashoksihmar]

it's not working anymore.

[bbday]

yep same issue

[richcn]

same issue. Will it be resolved?

[lelinhtinh]

same issue. Will it be resolved?

No hope - at this time.

[anka-213]

@lelinhtinh Why no hope at this time? Do you want a PR?

I've managed to write a deobfuscator that works on obfuscator.io using jscodeshift and could probably port (i.e. rewrite from scratch) the relevant code to whatever framework this tool is based on.

[lelinhtinh]

PR is always welcome. However, you should consider specialized projects, and the code is cleaner.

• https://github.com/LostMyCode/javascript-deobfuscator
• https://github.com/sd-soleaio/javascript-deobfuscator
• https://github.com/uwu/synchrony
• ...

[anka-213]

Ah, thanks! I've missed those projects.
What was the major barrier for supporting the latest updates of obfuscator.io in this project?

[lelinhtinh]

Obfuscator.io is always up-to-date. If you fixed for the new version, the code generated from the old version will fail. It is almost impossible to distinguish which version the obfuscated code is based on.

[sanex3339]

Oh), please do not update all this deobfuscators. It will keep the summer more enjoyable).
Let's your all enjoy the summer instead!

[anka-213]

What if I find updating deobfuscators enjoyable? :P
Maybe reviewing PRs is the less enjoyable part?

[bbday]

the only real part they change it is obufuscantion function (synchrony) "StringDecoderTransformer" (atm they can also use some function that not exist in Node or build at runtime),
the easy way i found is replace it inside config with: (i deobuscated on original code then i export to in dictionary)

var dic =[ ... deobuscated value ... ]
var decFunction = function (key, nnn) {
return dic[key - 0xd6];
};
{
name: 'StringDecoderTransformer',
params: {
identifiers: [['a0_0x2250', 0, decFunction, 0]], //target string, , targetFunction
findStringArrays: true,
},
},

Atm only synchrony is good to work with obfuscation.io cause you can avoid previous issue, but there are other issue in code cause it export function like 'functionname'.['name'] instead functionnanme.name

[anka-213]

Atm only synchrony is good to work with obfuscation.io cause you can avoid previous issue, but there are other issue in code cause it export function like 'functionname'.['name'] instead of functionnanme.name

And my highly unrefined script at https://github.com/anka-213/js-deobfuscator
It uses safe-eval though, so I'm not sure how safe it is to use on untrusted code.

[sanex3339]

I remember some deobfuscator with eval that was hosted online and eval allowed me to run any commands to traverse over file system and for other things)

https://deo.sigr.io/

[bbday]

for example this is best example with higest level of obfuscation i found, that not work with Node and all deobufscator i tried failed, if you can defeat it, you win all challanges with obfuscator.io
https://www.ea.com/fifa/ultimate-team/web-app/js/ocompiled.js

[sanex3339]

Wow, didn't know that EA is using it.

[anka-213]

@bbday Oh, I was super confused why eval was looping infinitely on it, but it was checking if the anti-debugger function in the bottom of the file was included, which it wasn't in my eval code. It does indeed seem advanced.

[bbday]

Wow, didn't know that EA is using it.

they use obfuscator.io with some advanced feature (to defeat not real browser JS), that why i posted my example how to bypass it with manual "dictionary" with synchrony StringDecoderTransformer.

I suggest dont waste time try to build something that work with it (shoul be require a real browser (like cef) but too much complex task).
Just simple function like i show you before to bypass it, is enought, there are so much work for other more important tasks :D
After you bypass StringDecoderTransformer, you can start to use eval for other tasks.

Only synchrony with my simple mod work to defeat it, but missing other task like i suggest on relative/synchrony#10 (i dont have enought skills on Js to fix it by self)

I told you this is higest challange found, but when you win it you feel so good :D

[sanex3339]

I can break eval in the future btw, because there is a way to know if we inside an eval call.

[anka-213]

@sanex3339 Oh, I only now made the connection that you wrote obfuscator.io, so updating the deobfuscators would mean more work for you.

[bbday]

I can break eval in the future btw, because there is a way to know if we inside an eval call.

funny they use your tool and dont give you any reward 🗡️ they made last year +1500 milions $
Maybe is time to change your license and ask payment for commercial use :D

[anka-213]

I can break eval in the future btw, because there is a way to know if we inside an eval call.

funny they use your tool and dont give you any reward 🗡️ they made last year +1500 milions $
Maybe is time to change your license and ask payment for commercial use :D

Maybe it should be changed to GPL, so all derivative works that include source code from the project will also need to be open source? 😁

[anka-213]

Oh, cool! This code checks that the code hasn't been pretty-printed.

var noPrettyPrintingPls = function(){return 'newState';};
/\w+ *\(\) *\{\w+ *['|"].+['|"];? *\}/.test(noPrettyPrintingPls.toString())

Sneaky!

[ethanaobrien]

@lelinhtinh

I may work on this (Probably not) but I found a method that will decode the https://obfuscator.io/ code (So far, it has worked for everything that I have tried)

What I do not have implemented: in the decoder file you must update the head code to
decrypt a different file.

Does not currently decode \x and \u characters

https://github.com/ethanaobrien/emulatorjs/blob/main/decrypt%20tools/index.html includes the worker (all client side).

If I run it through this script, and then a javascript cleaner, I have no syntax errors or any errors.

Hope this helps!