
Deobfuscation Summary

Overview

The main entry point and core functionality of the JavaScript codebase have been deobfuscated. The original was heavily obfuscated: variable names were replaced with hex-style identifiers (e.g. _0x5ddff6), and the bundle was split across multiple files.

What Was Deobfuscated

✅ Completed

  1. Main Entry Point (main.js → deobfuscated/mainEntry.js)

    • jy1() → main() - Entry point function
    • Handles CI environment detection and background process spawning
  2. Data Collection (deobfuscated/dataCollection.js)

    • aL0() → collectSystemAndCloudData() - Main orchestration function
    • Coordinates all data collection activities
  3. Utility Functions (deobfuscated/utils/)

    • $y1() → getSystemInfo() - System information
    • tL0() → generateRandomString() - Random string generation
    • oL0() → getNpmTokenFromConfig() - NPM config parsing
  4. Provider Classes (deobfuscated/providers/)

    • dq → GitHubClient - GitHub API operations
    • mq → GitHubReposProcessor - GitHub repository processing
    • WX → AWSSecretsManager - AWS secrets collection
    • Hw → GCPSecretsManager - GCP secrets collection
    • Eq → AzureSecretsManager - Azure secrets collection
    • Wl → NPMTokenValidator - NPM token validation
    • Tl → TruffleHogScanner - Secret scanning
    • Helper functions for GitHub Actions setup

Code Structure

The deobfuscated code is organized into:

  • Main entry point - Handles execution flow
  • Data collection - Orchestrates all collection activities
  • Utils - Helper functions
  • Providers - Cloud service and API clients

Key Findings

The codebase performs the following activities:

  1. Collects system information (platform, architecture, hostname, user)
  2. Authenticates with GitHub using multiple methods
  3. Creates GitHub repositories for data storage
  4. Collects secrets from AWS, GCP, and Azure
  5. Validates and uses NPM tokens
  6. Scans filesystem for secrets using TruffleHog
  7. Extracts GitHub Actions secrets via workflow manipulation
  8. Saves all collected data to GitHub repositories

Remaining Work

The following files still contain obfuscated code but are primarily dependencies:

  • file_1.js - Module helpers and protobuf definitions (can be left as-is)
  • file_2.js - gRPC constants and logger (can be left as-is)
  • file_3.js through file_12.js - External dependencies (AWS SDK, GCP, Azure SDKs, etc.)

These files contain mostly third-party library code that was bundled, so they don't need extensive deobfuscation unless specific functionality needs to be understood.

Usage

Working with the deobfuscated code:

  1. Import modules from the src/deobfuscated/ directory.
  2. Start from src/main.js, which imports the entry point from deobfuscated/mainEntry.js.
  3. All functions and classes carry meaningful names and documentation.

Notes

  • The deobfuscated code keeps the behaviour of the original, including the credential collection and upload to GitHub described under Key Findings, so run it only in an isolated environment with no real tokens, cloud credentials or CI secrets present
  • Some implementations reference external libraries that need to be installed
  • The original obfuscation stored data as strings that were base64-encoded three times
  • Variable names were replaced with hex-style identifiers (e.g., _0x5ddff6)
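The two traits recorded in these notes (hex-style identifiers and triple base64 data) are enough to triage a suspect file without reading it line by line. The following Node.js script is an added example written for this summary; it is not code from the deobfuscated repository or from the original bundle. The function names, the "printable text means another layer" stopping rule and the sample source text at the bottom are all constructed here for the demonstration.

```javascript
// Added example: triage helper for the obfuscation traits noted above
// (hex-named identifiers such as _0x5ddff6, and string data that was
// base64-encoded three times). Not part of the deobfuscated repository.

const HEX_IDENT = /\b_0x[0-9a-f]{4,8}\b/g;
// Single- or double-quoted JS string literal; capture group 2 is the body.
const STRING_LIT = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
const B64_SHAPE = /^[A-Za-z0-9+/]+={0,2}$/;

// Count every hex-style identifier in a source text. Many distinct _0x names,
// each referenced many times, is the fingerprint of this kind of renaming.
function hexIdentifiers(src) {
  const counts = new Map();
  for (const name of src.match(HEX_IDENT) || []) {
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return counts;
}

// Peel up to maxLayers of base64 off a value. Decoding stops as soon as a
// layer is not canonical base64 or does not decode to printable text, so a
// plain word that merely looks like base64 is left alone (heuristic, assumed).
function peelBase64(value, maxLayers = 3) {
  let current = value;
  let layers = 0;
  while (layers < maxLayers && current.length % 4 === 0 && B64_SHAPE.test(current)) {
    const bytes = Buffer.from(current, 'base64');
    // Round-trip check rejects non-canonical padding bits and empty input.
    if (bytes.length === 0 || bytes.toString('base64') !== current) break;
    const printable = bytes.every(
      (b) => b === 0x09 || b === 0x0a || b === 0x0d || (b >= 0x20 && b < 0x7f),
    );
    if (!printable) break;
    current = bytes.toString('utf8');
    layers += 1;
  }
  return { decoded: current, layers };
}

// Find string literals that are base64 one or more layers deep and report
// what they decode to. minLen skips short literals that are rarely payloads.
function decodeStringLiterals(src, minLen = 16) {
  const hits = [];
  for (const m of src.matchAll(STRING_LIT)) {
    const body = m[2];
    if (body.length < minLen) continue;
    const { decoded, layers } = peelBase64(body);
    if (layers > 0) hits.push({ original: body, decoded, layers });
  }
  return hits;
}

// Encode a string the way the original stored data: three base64 layers.
function tripleEncode(text) {
  let out = text;
  for (let i = 0; i < 3; i += 1) out = Buffer.from(out, 'utf8').toString('base64');
  return out;
}

// Constructed sample (not from the real bundle): two hex-named variables, one
// triple-encoded literal and one ordinary literal that must be left untouched.
const SAMPLE_SOURCE = [
  `var _0x5ddff6 = "${tripleEncode('{"hostname":"build-agent-01"}')}";`,
  `var _0x1a2b3c = _0x5ddff6 + "plain text, not encoded data";`,
  'console.log(_0x5ddff6, _0x1a2b3c);',
].join('\n');

// Summarise a file: how many hex names, how many references, what decodes.
function triage(src) {
  const idents = hexIdentifiers(src);
  return {
    uniqueHexNames: idents.size,
    hexReferences: [...idents.values()].reduce((a, b) => a + b, 0),
    decodedStrings: decodeStringLiterals(src),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_SOURCE), null, 2));
}
```

Run it against the sample and it reports two hex-style names with five references and one literal that peels back three layers to the JSON it hid; the ordinary literal is reported as nothing. Point `triage` at `fs.readFileSync(path, 'utf8')` for one of the remaining file_N.js bundles to get the same summary before deciding whether it is worth a manual pass.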