Over at the ISC Diary I have an entry on Locky JavaScript Deobfuscation. I use my translate tool to perform part of the static analysis.
When you read this diary entry, you’ll see that I have to create 2 Python scripts to be used by translate.py to search with a regular expression and replace all matches with the output of a Python function.
I updated translate.py so that I don’t have to create Python scripts for this regex search-and-replace, but that I can do it from the command-line with a new option. This new option (-r, –regex) takes a regular expression and does a search-and-replace.
Here are the 2 “scripts” using this new option:
translate.py -r "\([^\\\(]+\\u([0-9a-f]{4})[a-z]+'\.e\(\)\)" "lambda oMatch: chr(39) + chr(int(oMatch.group(1), 16)) + chr(39)"
translate.py -r "('[^']*' ?\+ ?)+'[^']*'" "lambda oMatch: chr(39) + eval(oMatch.group(0)) + chr(39)"
If you just want to do a search-and-replace, you can use a constant regex and lambda function, like this (replace False with True):
translate.py -r "False" "lambda oMatch: 'True'"
translate_v2_2_0.zip (https)
MD5: D561D9987A3E5264E40A4B5C4057A732
SHA256: BC532BD5C7DD86DCADDF7B7B9A34453E983E226E103E0591E7D480BB43C350E0
