Tips: Bypassing JavaScript Deobfuscator by Using *Comments*
There are many JS obfuscators such as JSFuck, JJencode, AAencode, etc. Some of them ignore the comment block like /* */
. Here is an interesting thing: some of deobfuscators also ignore comment blocks in the obfuscated code. This means that we can make deobfuscators ignore some parts of payloads by hiding them in comment blocks and executing it in any way.
How to hide JS payloads in their comment blocks
JavaScript has a built-in representation for multi-line string now (e.g. template string, \
in the end of lines), but some years ago there was no built-in one and such an alternative was sometimes used:
var multiline = (function () {/*
line 1
line 2
line 3
*/}).toString().match(/[^]*\/\*([^]*)\*\/\}$/)[1];
Therefore, such a payload works well:
/* This payload executes alert(1) */
Function((()=>{/*alert(1)*/}).toString().slice(7,-3))()
It can be used in combination with obfuscations like JSFuck:
/* This payload executes alert(1) */
Function((()=>{/*[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()*/}).toString().slice(7, -3))()
If a deobfuscator ignores the comment block, these payloads may seem to be the same as the following payload:
Function((()=>{}).toString().slice(7, -3))()
As a result, the deobfuscator see nothing dubious! :-)
Real Examples
JS NICE
JS NICE ignores comment blocks.
JStillery
JStillery ignores comment blocks, too.