0

I am trying to deobfuscate code. This code uses a lot of long variable names which are substituted with meaningful names at the time of running the code.

How do I preserve the state while searching and replacing?

For instance, with an obfuscated line like this:

${${"GLOBALS"}["ttxdbvdj"]}=_hash(${$urqboemtmd}.substr(${${"GLOBALS"}["wkcjeuhsnr"]},${${"GLOBALS"}["gjbhisruvsjg"]}-${$rrwbtbxgijs},${${"GLOBALS"}["ibmtmqedn"]}));

There are multiple mappings in mappings.txt which match the above obfuscated line, like:

$rrwbtbxgijs = hash_length;
$urqboemtmd = out;

At the first run, it will replace $rrwbtbxgijs with hash_length in the obfuscated line above. Now, when it comes across the second mapping during the next iteration of the outer while loop, it will replace $urqboemtmd with out in the obfuscated line.

The problem is:

When it comes across the first mapping, it does the substitution. However, when it comes across the next mapping in the same line for a different matching string, the previous search/replace result is not there.

It should preserve the previous substitution. How do I do that?

I wrote a Perl script, which would pick one mapping from mapping.txt and search the entire obfuscated code for all the occurrences of this mapping and replace it with the meaningful text.

Here is the code I wrote:

#! /usr/bin/perl

use warnings;

($mapping, $input) = @ARGV;

open MAPPING, '<', $mapping
    or die "couldn't read from the file, $mapping with error: $!\n";

while (<MAPPING>) {

    chomp;
    $line = $_;
    ($key, $value) = split("=", $line);
    open INPUT, '<', $input;

    while (<INPUT>) {

        chomp;
        if (/$key/) {

            $_=~s/\Q$key/$value/g;
            print $_,"\n";
        }
    }
    close INPUT;
}
close MAPPING;

3 Answers 3

3

To match the literal meta characters inside your string, you can use quotemeta or:

s/\Q$key\E/$replace/

2 Comments

Thanks. This works, I have updated my question. Could you please check it? I need to preserve the substitution stage. For instance, it makes one substitution in the line at a time. When it finds another occurrence of a different mapping in the line, it should preserve the previous state. Which means, it should keep updating the same line as and when it finds a match.
@NeonFlash I understand every word you say, but have no idea what you mean. What does "preserve the substitution stage" mean? I assume you mean that you cannot check one key at a time. You might store the input file in an array instead of opening the file for each iteration. And save the print for last.
1

Just tell Perl not to interpret the characters in $key:

s/\Q$key/$value/g

1 Comment

Thanks, it works :) I have updated the question. Could you please check it and suggest a good workaround for it?
1

Consider using B::Deobfuscate and gradually enter variable names into its configuration file as you figure out what they do.

I'm a little confused about your request to save state. What exactly are you doing/do you intend to do with the output? Here's an (untested) example of doing all the substitutions in one pass, if that helps?

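# Assumes the MAPPING, INPUT and OUTPUT filehandles are already open.
# Load every mapping into a hash first.
my %map;
while ( my $line = <MAPPING> ) {
    chomp $line;
    my ($key, $value) = split("=", $line);
    $map{$key} = $value;
}
close MAPPING;

# Build one alternation of all keys, each escaped with quotemeta; longer keys
# come first so a key that is a prefix of another cannot match in its place.
my $search = qr/(@{[ join '|', map quotemeta, sort { length $b <=> length $a } keys %map ]})/;
while ( my $line = <INPUT> ) {
    # Every key found on the line is replaced by this single substitution.
    $line =~ s/$search/$map{$1}/g;
    print OUTPUT $line;
}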

2 Comments

Hi, that does seem useful, however it's very complicated. I would love to devote time to learn how to use it efficiently, however for the time being, is there a way to make my current script work? It is able to substitute the values properly, I just want it to preserve the state. Once a successful search/replace is done, it should be saved. The next search/replace operation should work on the result of the previous one.
@Neon Flash: see added example/question in answer
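
Added example, not code from the question or from any answer on this page: the "keep the input in an array and print last" idea from the comments, so that each substitution works on the result of the previous one. The mapping lines follow the `$name = meaning;` form shown in the question; the `$urq` mapping, the `echo` line and the sub names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data; in practice read these lines from the mapping file
# and from the obfuscated file. The first code line is the one in the question.
my @mapping_lines = (
    '$rrwbtbxgijs = hash_length;',
    '$urqboemtmd = out;',
    '$urq = short_name;',    # constructed: a key that is a prefix of another key
);
my @code = (
    '${${"GLOBALS"}["ttxdbvdj"]}=_hash(${$urqboemtmd}.substr(${${"GLOBALS"}["wkcjeuhsnr"]},${${"GLOBALS"}["gjbhisruvsjg"]}-${$rrwbtbxgijs},${${"GLOBALS"}["ibmtmqedn"]}));',
    'echo ${$urq};',
);

# Parse "key = value;" and trim the surrounding whitespace and the trailing
# semicolon, so the key is exactly the identifier to search for.
sub parse_mappings {
    my %map;
    for my $line (@_) {
        next unless $line =~ /^\s*(\S+)\s*=\s*(.*?)\s*;?\s*$/;
        $map{$1} = $2;
    }
    return %map;
}

# Apply every mapping to every line held in memory. Each s/// edits the line
# left by the previous mapping, so earlier substitutions are preserved.
sub apply_mappings {
    my ($map, @lines) = @_;
    # Longest key first, plus (?!\w), so $urq never rewrites the start of
    # $urqboemtmd.
    for my $key (sort { length $b <=> length $a } keys %$map) {
        s/\Q$key\E(?!\w)/$map->{$key}/g for @lines;
    }
    return @lines;
}

my %map = parse_mappings(@mapping_lines);
print "$_\n" for apply_mappings(\%map, @code);
```

The original script printed a line once per matching mapping and re-read the unmodified input file each time, which is why earlier replacements were lost; here the lines are printed only once, after all mappings have been applied.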
