Obfuscation and Deobfuscation part 2 ?

In the previous blog, which you can read here, we covered topics like:

What is obfuscation?

What is deobfuscation?

Why is deobfuscation needed?

In this blog we will be covering common techniques of obfuscation and deobfuscation.

Common Obfuscation Techniques 

Before understanding deobfuscation, it is important to know the tools and techniques that the villain (obfuscation) is going to use against us in the war.

1. Encoding & Encryption

  • Obfuscation: Simple encodings like Base64 or ROT13, or XOR with a key, are used to hide strings and payloads. The code often contains a decoder function that runs just before the payload is used.

  • Deobfuscation:

    • Identify the Encoding: Look for patterns (e.g., the A-Z, a-z, 0-9, +, / alphabet and = padding at the end for Base64; note that padding only appears when the input length is not a multiple of 3).

    • Use Standard Tools: Use built-in language functions (atob() in JavaScript for Base64) or online decoders.

    • Find the Key: For XOR, the analyst must find the key, sometimes by analyzing the surrounding code.

    Example (Base64):

    • Obfuscated String: JG1vZHVsZSA9ICdCYXNlNjQn

    • Deobfuscated: $module = 'Base64'

2. String Splitting & Concatenation

  • Obfuscation: A string is broken into multiple parts and combined at runtime.

  • Deobfuscation: A deobfuscator tool or an analyst can execute the concatenation logic in a safe environment (like a sandbox) to reveal the final string.

    Example (JavaScript):

    • Obfuscated:

      ```javascript
      var a = "Hell";
      var b = "o ";
      var c = "World";
      var url = a + b + c; // Results in "Hello World"
      ```

    • Deobfuscated: Hello World
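
Both techniques above (decoding Base64 string literals and folding split strings) can be undone statically, without running the sample. The following is an added example, not code from the original post: a simplified constant folder for Node.js that works with regular expressions rather than a real parser, so it only handles plain `var x = "literal";` declarations and `+` chains of identifiers and string literals. The sample input is constructed.

```javascript
// Added example (not from the original post): a simplified static constant
// folder that undoes the two techniques above without executing the sample:
// atob("...") literals are decoded, then `+` chains of known string variables
// are folded. Regex-based, so only `var x = "literal";` declarations; Node.js only.
const IDENT = String.raw`[A-Za-z_$][\w$]*`;
const STR = String.raw`"[^"\\]*"|'[^'\\]*'`;

// Decode atob("<base64>") calls into plain string literals.
function decodeBase64Literals(src) {
  return src.replace(/\batob\(\s*["']([A-Za-z0-9+\/=]+)["']\s*\)/g, (_, b64) =>
    JSON.stringify(Buffer.from(b64, "base64").toString("utf8")));
}
// Collect every `var name = "literal";` into a name -> value map.
function collectStringConsts(src) {
  const re = new RegExp(String.raw`\bvar\s+(${IDENT})\s*=\s*(${STR})\s*;`, "g");
  const consts = {};
  for (const m of src.matchAll(re)) consts[m[1]] = m[2].slice(1, -1);
  return consts;
}
// Replace `x + y + "z"` with one literal when every operand is a known string.
function foldConcatenations(src, consts) {
  const operand = `(?:${IDENT}|${STR})`;
  const chain = new RegExp(String.raw`(?<![\w$.])${operand}(?:\s*\+\s*${operand})+`, "g");
  return src.replace(chain, (expr) => {
    const parts = Array.from(expr.matchAll(new RegExp(operand, "g")), (m) =>
      /^["']/.test(m[0]) ? m[0].slice(1, -1) : consts[m[0]]);
    return parts.every((p) => p !== undefined) ? JSON.stringify(parts.join("")) : expr;
  });
}
// Decode, then fold until nothing changes, so a string built from an
// already-folded string (greeting below) is resolved on the next pass.
function deobfuscate(src) {
  let cur = decodeBase64Literals(src), prev;
  do {
    prev = cur;
    cur = foldConcatenations(cur, collectStringConsts(cur));
  } while (cur !== prev);
  return cur;
}

// Constructed sample: the post's split-string example, one part Base64-encoded.
const SAMPLE = [
  'var a = atob("SGVsbA==");', // "Hell"
  "var b = 'o ';",
  'var c = "World";',
  "var url = a + b + c;",
  'var greeting = url + "!";',
].join("\n");
console.log(deobfuscate(SAMPLE)); // url and greeting become single literals
```

A real deobfuscator does the same folding on an AST (which is what tools like de4js do), so it is not fooled by strings containing `+` or `;`, nested calls, or reassigned variables.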

3. Dead Code Insertion

  • Obfuscation: Adding useless code, variables, or statements that do nothing. This makes the code longer and more confusing for a human reader.

  • Deobfuscation: A good deobfuscator tool will perform code cleanup, removing unreachable or irrelevant code to simplify the structure.

4. Renaming & Minification

  • Obfuscation: Changing meaningful variable and function names to short, meaningless ones (e.g., userAuthenticationCheck() becomes a1()). This is very common in JavaScript to reduce file size.

  • Deobfuscation: This is often the hardest to fully reverse. While you can't recover the original names, tools can rename a1, a2, a3 to var1, var2, var3 to make the logic slightly easier to follow. The core logic remains intact.

5. Control Flow Flattening

  • Obfuscation: Transforming the normal, intuitive flow of a program (if/else, loops) into a giant switch statement inside a loop. This destroys the logical structure and is very disorienting.

  • Deobfuscation: Advanced deobfuscators use pattern recognition and program analysis to reconstruct the original control flow, which is a complex process.


How is Deobfuscation performed?

  1. Manual Analysis: For simple obfuscation, an analyst can use a text editor, a debugger, and their own knowledge of encodings to manually reverse the steps.

  2. Automated Tools: For complex obfuscation, specialized tools are essential.

    • JavaScript: JSBeautifier, JSNice, de4js

    • Python: Uncompyle6 (for decompiling bytecode back to source)

    • Java: Procyon, CFR (for decompiling JAR files)

    • General/PowerShell: Custom scripts, CyberChef (a "cyber swiss army knife").

  3. Sandboxed Execution: Running the code in a safe, isolated environment (a sandbox) and observing what it does or dumping the deobfuscated payload from memory after it has been decoded by the program itself.



This was just the theory section; it is highly suggested to practice the free JavaScript Deobfuscation lab on Hack The Box. In the next module I will be talking about the tools I have used while learning obfuscation and deobfuscation.
