Code obfuscation is a deliberate maneuver that transforms easily comprehensible code into a labyrinthine version engineered to resist comprehension and reverse engineering, by humans and machines alike.
To illustrate the concept of obfuscation, envision a scenario where you invite a friend to join you for coffee. A straightforward response might be, “Hi! Sorry, I can’t today. I have to watch the kids. Same time tomorrow?”
Now, envision if your friend opted for obfuscation, furnishing a more intricate rendition: “Good morrow. I offer thee the sincerest of apologies, but, alas, I can’t doth at the present day. Happy tomorrow, equal time? Has’t to take care of mine own children, I do. Sincere apologies I offer thee. Fare thee well.”
Upon scrutiny, this Shakespearean-esque rejoinder is needlessly convoluted, demanding more time to decipher, rife with redundancies, and inundated with superfluous details. While you might endure unraveling this enigma on occasion, enduring it as a regular occurrence seems untenable.
This lighthearted analogy underscores the rationale behind certain techniques employed in code obfuscation. In the subsequent section, genuine instances of code obfuscation will be explored, underscoring the parallels.
Although obfuscation is a rarity in everyday conversation, its prevalence in code is longstanding, with historical references tracing back to 1972. While diverse programming languages, such as C/C++ and Perl, have dabbled in obfuscation, JavaScript has emerged as a hotbed for its widespread adoption among developers and business proprietors.
Content escaping—URL Encoding
In the realm of cybersecurity, a discernible evasion tactic observed in the wild entails the deployment of a phishing webpage predominantly constructed from JavaScript objects. These objects, upon activation, harness the “unescape()” function to handle payloads, converting hexadecimal escape sequences into their corresponding characters. Subsequently, the processed content is rendered as HTML on the phishing site. Central to this technique are the JavaScript functions “unescape()” and “eval()”, each fulfilling pivotal roles in the execution process.
The “unescape()” function orchestrates the creation of a fresh string by substituting hexadecimal escape sequences with their corresponding characters. Conversely, “eval()” scrutinizes the string to ascertain if it represents an expression, executing it when applicable. While this approach may not boast an overtly sophisticated nature, its efficacy lies in the challenge it poses in identifying malicious intent sans rendering and evaluating the page. Notably, the prevalence of the “eval()” and “unescape()” functions across benign websites underscores the inadequacy of relying solely on their presence as indicators of malicious activity.
Moreover, an evolution in evasive tactics unveils the utilization of the decodeURI() and decodeURIComponent() functions in lieu of unescape(), which has been deprecated in JavaScript version 1.5.
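As an added example (not code from the original article), the following JavaScript statically unwraps the eval(unescape(...)) and eval(decodeURIComponent(...)) layers described above without executing anything. The decodeEscaped and extractPayloads helpers and the SAMPLE loader are constructed for illustration and are not taken from any real page.

```javascript
// Static unwrapping of escaped payloads: the decoding step is reproduced,
// the eval() step is never performed. Useful when triaging a suspicious page.

// Re-implements the legacy unescape() rules (%XX and %uXXXX) so the analyst
// can see exactly what an escaped string literal expands to.
function decodeEscaped(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, h) =>
    String.fromCharCode(parseInt(u !== undefined ? u : h, 16)));
}

// Matches eval(<decoder>("...")) call sites where the argument is a plain
// string literal (single or double quoted, with escaped quotes allowed).
const PATTERN =
  /eval\s*\(\s*(unescape|decodeURIComponent|decodeURI)\s*\(\s*(["'])((?:\\.|(?!\2).)*)\2\s*\)\s*\)/g;

// Returns one record per call site: which decoder was used and the decoded
// text, or null when the literal is malformed and decodeURI* would throw.
function extractPayloads(source) {
  const out = [];
  for (const m of source.matchAll(PATTERN)) {
    const [, fn, , literal] = m;
    let decoded = null;
    try {
      decoded = fn === 'unescape'
        ? decodeEscaped(literal)
        : fn === 'decodeURI' ? decodeURI(literal) : decodeURIComponent(literal);
    } catch (e) {
      // decodeURI/decodeURIComponent raise URIError on broken percent-sequences
      decoded = null;
    }
    out.push({ decoder: fn, decoded });
  }
  return out;
}

// Constructed sample loader in the style described above (not a real page).
// The last call carries a truncated UTF-8 sequence to show the failure path.
const SAMPLE = `var p = 1; eval(unescape("%3Cform%20action%3D%22%2Flogin%22%3E"));
eval(decodeURIComponent("document.write(%22hello%22)"));
eval(decodeURIComponent("%E0%A4"));`;

module.exports = { decodeEscaped, extractPayloads, SAMPLE };
```

Because eval() and these decoders are common on benign sites, the match alone is not an indicator; the value lies in reading the decoded text, which here surfaces the HTML the page would have rendered.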
In a separate instance, a custom function unearthed in real-world scenarios accepts base64 input and employs Array.prototype.map to morph the string into an array. Subsequently, another custom function is enlisted to process each character. This intricate process encompasses appending ‘%’ and ’00’, converting the character to ASCII, and subsequently eliminating the ’00’. The final step applies decodeURIComponent() to the entire output, completing the transformation.