Data obfuscation is the next layer in the whole obfuscation process and it tries to fog the data output so that it will be pretty hard to understand when analyzing it with our own eyes. Data obfuscation is often the most obfuscated part of the code; many times attackers don’t want to sit down and just obfuscate everything since it can take a while (there are some automatic tools for obfuscation as well which can speed up the process).
– Let’s take an example of a non data obfuscation code:
Easy to read and understand, right?
– The same data obfuscated:
As we can see from the obfuscated data, there are 3 different combinations of concatenation:
This is a char concatenation.
The fromCharCode() method converts Unicode values into characters. Here we can see a hexadecimal value that in ascii is “i”.
It’s the same here, but this time we use the decimal value instead of hexadecimal.
Here we can see another example which calculates the decimal value of 207-100 in decimals and we get 107 which turns out to be the letter “k”.
Then we can see more variables which tend to play with some simple mathematics. The end result is that the variable “oqzc” holds the number 210.
So we will start with the first 2 lines of code:
We can see here a variable called “ntdot” which holds the value of 77, and we can see that the variable “ntdov” holds a string and at the end we see the use of the replace and split function. If we try to execute these lines for output, we can understand that we will replace every 77 with nothing, so we can clean this string and the split function will insert it into a list. So the output will look like this:
So to speed up things, this is the code with the data obfuscation:
And this is the code when we cleared the obfuscation: