# SpiderMonkey
# Mozilla JavaScript engine — execute and deobfuscate malicious JavaScript outside a browser
# FOR610 Labs: 3.6, 3.7, 4.5 | Sections: 3, 4
# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts
% javascript, deobfuscation, execution

# Basic usage
js -f malicious.js

# Process input file together with objects.js (browser/WScript API stubs), save output
js -f /usr/share/remnux/objects.js -f malicious.js > decoded.js

# --- Recipes (multi-tool chains) ---

# >> Deobfuscate JavaScript with SpiderMonkey

# Beautify compressed JavaScript
js-beautify > readable.js

# Execute with objects.js to simulate browser/WScript APIs
js -f /usr/share/remnux/objects.js -f > decoded.js

# If script expects location.href, edit objects.js first:
cp /usr/share/remnux/objects.js .
# Edit objects.js to set: location = { href: 'http://expected-url' }
js -f objects.js -f > decoded.js

# >> Clean Null Bytes from UTF-16 JavaScript

# Check for null bytes (look for 00 in hex)
xxd | head -2

# Remove null bytes
cat | tr -d '\00' > clean.js

# Then deobfuscate
js -f /usr/share/remnux/objects.js -f clean.js > decoded.js

# Beautify the result
js-beautify decoded.js > final.js
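The objects.js recipe above works by stubbing the browser and WScript APIs a sample expects and turning eval() into a logger, so each decoded stage is printed instead of run for real. The block below is an added, minimal illustration of that stub layer (it is not the REMnux objects.js file); the `captured` array, `runUnderStubs` helper, `SAMPLE` script and the `http://expected-url/` value are all constructed for this example, and the sample is run with Function() so it stays self-contained under Node instead of `js -f`.

```javascript
// Minimal objects.js-style stub layer (added example, not REMnux's objects.js).
// Every value a script hands to eval(), document.write() or WScript.Echo() is
// recorded here; that record is the deobfuscated payload an analyst wants to read.
const captured = [];

// Browser / WScript API stubs that log their arguments instead of acting on them
globalThis.document = { write: (s) => captured.push({ sink: "document.write", data: String(s) }) };
globalThis.WScript  = { Echo:  (s) => captured.push({ sink: "WScript.Echo",   data: String(s) }) };
globalThis.location = { href: "http://expected-url/" }; // constructed; set to what the sample checks for

// eval stub: log the stage, then run it under the same stubs so nested stages are logged too.
// (Deliberately does not call the real eval; the stubs stay in control of every layer.)
globalThis.eval = (code) => {
  captured.push({ sink: "eval", data: String(code) });
  return new Function(String(code))();
};

// Run a script source under the stubs and return what it tried to do, one line per sink call.
// With SpiderMonkey this step is `js -f objects.js -f sample.js`; here the source is a string.
function runUnderStubs(source) {
  captured.length = 0;
  new Function(source)(); // sloppy-mode body, so the globals defined above are visible
  return captured.map((c) => `${c.sink}: ${c.data}`);
}

// Constructed sample: rebuilds its real payload from char codes, gates it on location.href,
// and hands it to eval(), the pattern the location.href note in the recipe refers to.
const SAMPLE = [
  "var s='';",
  "var c=[100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,104,105,34,41];",
  "for(var i=0;i<c.length;i++){s+=String.fromCharCode(c[i]);}",
  "if(location.href.indexOf('expected-url')!==-1){eval(s);}",
].join("\n");

console.log(runUnderStubs(SAMPLE).join("\n"));
// prints:
// eval: document.write("hi")
// document.write: hi
```

Without the `location` stub the gate in the sample is never satisfied and nothing is captured, which is exactly the symptom the recipe's "edit objects.js first" note addresses.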