Over at the ISC Diary I have an entry on Locky JavaScript Deobfuscation. I use my translate tool to perform part of the static analysis.
When you read this diary entry, you’ll see that I have to create 2 Python scripts to be used by translate.py to search with a regular expression and replace all matches with the output of a Python function.
I updated translate.py so that I no longer have to create Python scripts for this regex search-and-replace: I can do it from the command line with a new option. This new option (-r, --regex) takes a regular expression and does a search-and-replace.
Here are the 2 “scripts” using this new option:
translate.py -r "\([^\\\(]+\\u([0-9a-f]{4})[a-z]+'\.e\(\)\)" "lambda oMatch: chr(39) + chr(int(oMatch.group(1), 16)) + chr(39)"
translate.py -r "('[^']*' ?\+ ?)+'[^']*'" "lambda oMatch: chr(39) + eval(oMatch.group(0)) + chr(39)"
If you just want to do a search-and-replace, you can use a constant regex and lambda function, like this (replace False with True):
translate.py -r "False" "lambda oMatch: 'True'"
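The same two substitutions as a standalone Python sketch, added here as an example (it is not code from translate.py or from the diary entry). The regular expressions are the ones above; the sample script is constructed, the function names are hypothetical, and eval() is swapped for ast.literal_eval applied to each quoted literal, so text taken from a malicious script is only ever parsed as a string literal.

```python
import ast
import re

# The two expressions from the post, as Python raw strings.
RE_UNICODE_CALL = r"\([^\\\(]+\\u([0-9a-f]{4})[a-z]+'\.e\(\)\)"
RE_CONCAT = r"('[^']*' ?\+ ?)+'[^']*'"

# Constructed sample shaped to match the expressions above; not a real Locky script.
SAMPLE = r"""var s = ('xq\u0057zz'.e()) + 'Sc' + 'ri' + 'pt';
var m = 'Sa' + 'veTo' +'File';
var n = 'left\' + 'alone';"""


def decode_unicode_call(match):
    # Same as the first lambda: keep only the character named by the \uXXXX escape.
    return "'" + chr(int(match.group(1), 16)) + "'"


def fold_concat(match):
    # Stands in for eval(): each quoted literal is parsed on its own, and the
    # match is left untouched if a literal does not parse or re-quoting is unsafe.
    literals = re.findall(r"'[^']*'", match.group(0))
    try:
        parts = [ast.literal_eval(lit) for lit in literals]
    except (ValueError, SyntaxError):
        return match.group(0)
    joined = "".join(parts)
    if "'" in joined or "\n" in joined:
        return match.group(0)
    return "'" + joined + "'"


def deobfuscate(script):
    # Apply both passes until nothing changes: pass 1 creates new literals
    # that pass 2 can then merge with their neighbours.
    while True:
        result = re.sub(RE_UNICODE_CALL, decode_unicode_call, script)
        result = re.sub(RE_CONCAT, fold_concat, result)
        if result == script:
            return result
        script = result


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

The third sample line shows the fallback: its first literal ends in a backslash, does not parse as a string on its own, and is therefore left as it was.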
translate_v2_2_0.zip (https)
MD5: D561D9987A3E5264E40A4B5C4057A732
SHA256: BC532BD5C7DD86DCADDF7B7B9A34453E983E226E103E0591E7D480BB43C350E0
Hi,
Thank you for this post. I’m not able to find translate.py v2.2 on your website, can you tell me where it can be downloaded?
Thanks
Nicolas
Comment by Nicolas — Tuesday 1 March 2016 @ 15:32
Hi Nicolas,
I made a mistake, I forgot to include a download link on this blog post.
But you can also find it on its dedicated page: https://blog.didierstevens.com/programs/translate/
Comment by Didier Stevens — Tuesday 1 March 2016 @ 15:43
Thanks!
Comment by Nicolas — Tuesday 1 March 2016 @ 15:53