A simple deobfuscator written in Java for the Polykill js file, which was originally at https://www.googie-anaiytics.com/ga.js. The version used here is at https://pastebin.com/raw/hAgtHd70. The deobfuscator depends on Rhino as a JavaScript parser. It uses several steps to deobfuscate the code:
- Evaluating constant expressions (e.g. `(-0x17*0x12d+-0x1*-0x1b13+-0x1*0x7)` into `1`).
- Replacing references into objects with their constant value if possible (e.g. `a0_0x5dea1e._0x3b6b41` is converted into `0x150` because `_0x3b6b41` only gets assigned once in the object definition of `a0_0x5dea1e`).
- Removing those table entries if they are no longer in use.
- Removing those tables entirely when they are no longer in use.
- Inlining functions that immediately return (e.g. `function _0x168ef0(_0x5ebce6,_0x4b3414,_0x26a284,_0x438748,_0x439328){return a0_0xa0b8(_0x5ebce6- -a0_0x55194f._0x48f80d,_0x4b3414);}`).
- Internally running the decoding function `a0_0xa0b8`.
- Removing `if (false) ... else ...` / `if (true) ... else ...` / `true ? ... : ...` / `false ? ... : ...`.
- Removing nesting of if statements within the else clause and replacing them with else if.
- Replacing array indexing using strings with property gets (e.g. `_0x208c16['push']` is replaced with `_0x208c16.push`).
- Splitting variable declarations (e.g. `const a0_0x5dea1e={...},a0_0x5de57c={...},a0_0x55194f={...};` is replaced with `const a0_0x5dea1e={...}; const a0_0x5de57c={...}; const a0_0x55194f={...};`).
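The first step above (constant folding), as an added JavaScript example that is not the project's Java/Rhino code: it evaluates the arithmetic with a small parser instead of `eval()`, so nothing from the sample is ever executed. `evalConstant` and `foldConstants` are hypothetical names, and the code works on source text rather than an AST, so a matching group inside a string literal or comment would also be rewritten.

```javascript
// Added example (not the project's code): constant folding without eval().
// expr := term (('+'|'-') term)*; term := unary ('*' unary)*;
// unary := '-' unary | '(' expr ')' | integer literal
function evalConstant(text) {
  const tokens = text.match(/0x[0-9a-f]+|\d+|[-+*()]/gi) || [];
  // Identifiers, calls, commas etc. leave a remainder: not a constant.
  if (tokens.join('') !== text.replace(/\s+/g, '')) return null;
  let pos = 0;
  const safe = (v) => { if (!Number.isSafeInteger(v)) throw new RangeError('inexact'); return v; };
  const unary = () => {
    const t = tokens[pos++];
    if (t === '-') return -unary();
    if (t === '(') {
      const v = expr();
      if (tokens[pos++] !== ')') throw new SyntaxError('unbalanced');
      return v;
    }
    // Leading-zero decimals (legacy octal) are refused rather than guessed.
    if (!/^(0x[0-9a-f]+|0|[1-9]\d*)$/i.test(t)) throw new SyntaxError('literal');
    return safe(Number(t));
  };
  const term = () => {
    let v = unary();
    while (tokens[pos] === '*') { pos++; v = safe(v * unary()); }
    return v;
  };
  const expr = () => {
    let v = term();
    while (tokens[pos] === '+' || tokens[pos] === '-') {
      v = safe(tokens[pos++] === '+' ? v + term() : v - term());
    }
    return v;
  };
  try { const v = expr(); return pos === tokens.length ? v : null; } catch (e) { return null; }
}
// Fold balanced (...) groups, outermost first; one pair of parentheses is kept
// so calls, `if (...)` and `(5).toString()` stay valid.
function foldConstants(source) {
  let out = '';
  for (let i = 0; i < source.length; i++) {
    let end = -1;
    for (let j = i, depth = 0; source[i] === '(' && j < source.length; j++) {
      if (source[j] === '(') depth++;
      else if (source[j] === ')' && --depth === 0) { end = j; break; }
    }
    const v = end < 0 ? null : evalConstant(source.slice(i, end + 1));
    if (v === null) out += source[i]; else { out += `(${v})`; i = end; }
  }
  return out;
}
```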
Some things to note:
- The program is poorly written and might have bugs when used on similar programs; some cases are often not handled.
- This version of the deobfuscator does not include the decoding function `a0_0xa0b8`. If you want it, remove the line that says `usedFunctions.remove("a0_0xa0b8");`.
- The deobfuscator takes its input from the clipboard.
- The deobfuscator uses its own function to convert the AST to a string because Rhino's `toSource` creates broken indentation.