Move atob to multidecoder and remove base64 method

deobs.py

@@ -47,7 +47,6 @@ def filter_iocs(
 class DeobfuScripter(ServiceBase):
     """Service for deobfuscating scripts."""
 
-    FILETYPES = ["application", "document", "exec", "image", "Microsoft", "text"]
     VALIDCHARS = b" 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
     BINCHARS = bytes(list(set(range(256)) - set(VALIDCHARS)))
 
@@ -124,70 +123,6 @@ def hex_constant(text: bytes) -> bytes | None:
         output = regex.sub(rb"(?i)\b0x([a-f0-9]{1,16})\b", lambda m: str(int(m.group(1), 16)).encode("utf-8"), text)
         return output if output != text else None
 
-    def b64decode_str(self, text: bytes) -> Optional[bytes]:
-        """Decode base64"""
-        output = text
-
-        head: bytes
-        bmatch: bytes
-        tail: bytes
-        for head, bmatch, tail in regex.findall(rb"((?:atob\()+)\'([A-Za-z0-9+/]+={0,2})\'(\)+)", text):
-            iters = min(len(head) // 5, len(tail))
-            d = bmatch
-            for _ in range(iters):
-                try:
-                    d = binascii.a2b_base64(d)
-                except binascii.Error:
-                    break
-            output = output.replace(b"atob(" * iters + b"'" + bmatch + b"'" + b")" * iters, b"'" + d + b"'")
-
-        b64str: list[bytes] = regex.findall(b"((?:[A-Za-z0-9+/]{3,}={0,2}(?:&#[x1][A0];)?[\r]?[\n]?){6,})", text)
-        for bmatch in b64str:
-            if bmatch not in output:
-                continue  # was already processed by atob
-            s = (
-                bmatch.replace(b"\n", b"")
-                .replace(b"\r", b"")
-                .replace(b" ", b"")
-                .replace(b"&#xA;", b"")
-                .replace(b"&#10;", b"")
-            )
-            uniq_char = set(s)
-            if len(uniq_char) <= 6 or len(s) < 16 or len(s) % 4:
-                continue
-            try:
-                d = binascii.a2b_base64(s)
-            except binascii.Error:
-                continue
-            sha256hash = hashlib.sha256(d).hexdigest()
-            if sha256hash not in self.hashes:
-                if len(d) > 500:
-                    m = magic.Magic(mime=True)
-                    mag = magic.Magic()
-                    ftype = m.from_buffer(d)
-                    mag_ftype = mag.from_buffer(d)
-                    for file_type in self.FILETYPES:
-                        if (file_type in ftype and "octet-stream" not in ftype) or file_type in mag_ftype:
-                            b64_file_name = f"{sha256hash[0:10]}_b64_decoded"
-                            b64_file_path = os.path.join(self.working_directory, b64_file_name)
-                            with open(b64_file_path, "wb") as b64_file:
-                                b64_file.write(d)
-                            self.files_extracted.add(b64_file_path)
-                            self.hashes.add(sha256hash)
-                            break
-
-                if len(set(d)) > 6 and all(8 < c < 127 for c in d) and len(regex.sub(rb"\s", b"", d)) > 14:
-                    output = output.replace(bmatch, d)
-                else:
-                    # Test for ASCII seperated by \x00
-                    p = d.replace(b"\x00", b"")
-                    if len(set(p)) > 6 and all(8 < c < 127 for c in p) and len(regex.sub(rb"\s", b"", p)) > 14:
-                        output = output.replace(bmatch, p)
-
-        if output == text:
-            return None
-        return output
-
     @staticmethod
     def vars_of_fake_arrays(text: bytes) -> bytes | None:
         """Parse variables of fake arrays."""
@@ -459,7 +394,6 @@ def execute(self, request: ServiceRequest) -> None:
             ("Array of strings", self.array_of_strings),
             ("Fake array vars", self.vars_of_fake_arrays),
             ("Simple XOR function", self.simple_xor_function),
-            ("B64 Decode", self.b64decode_str),
         ]
         second_pass: TechniqueList = [
             ("MSWord macro vars", self.mswordmacro_vars),