PerimeterX / restringer

A Javascript Deobfuscator
MIT License

Fix Broken function_to_array_replacements Deobfuscation #64

Open Revadike opened 1 year ago

Revadike commented 1 year ago

[image]

Revadike commented 1 year ago

Sorry I was so vague. You can try yourself: https://talon-website-prod.ecosec.on.epicgames.com/talon_sdk.js There are a bunch of these errors while deobfuscating, and it ends up getting stuck in an endless loop (if you have no iteration cap). I would appreciate if you guys could look into this. It's a big file, and it will definitely improve your already excellent tool if you can fix these issues.

ctrl-escp commented 1 year ago

Thanks for bringing this to my attention :) I've started looking at it, and I realized that even though this obfuscation type is supposedly covered, this variation was missing. I've already updated the obfuscation detector to replace the augmented array properly, so next step is to figure out what else is breaking.

I'll update with any progress

Revadike commented 1 year ago

Thank you!

jorants commented 6 months ago

I have a problem with this module as well, although I am not sure it is related. escodegen is not up to date with the newest ECMAScript nodes, so it fails on a PrivateIdentifier AST node.

Adding

    class WithPriv {
      #privateId = 1;
    }

to the array_function_replacements_local_proxies.js test case from obfuscation-detection gives an error

[+] Obfuscation type is array_function_replacements
    [+] rearrangeSequences committed 3 new changes!
[-] Unable to apply changes to AST: TypeError: this[type] is not a function
    [+] separateChainedDeclarators committed 4 new changes!
[+] Applying changes to the root node...
[-] Unable to apply changes to AST: TypeError: this[type] is not a function
    [+] resolveProxyVariables committed 1192 new changes!
[-] Unable to apply changes to AST: TypeError: this[type] is not a function
    [+] resolveProxyReferences committed 1 new changes!
[-] Unable to apply changes to AST: TypeError: this[type] is not a function
    [+] replaceBooleanExpressionsWithIf committed 4 new changes!
[-] Unable to apply changes to AST: TypeError: this[type] is not a function
    [+] replaceSequencesWithExpressions committed 5 new changes!
[-] Unable to apply changes to AST: TypeError: this[type] is not a function

However, overriding the version of escodegen to use in package.json like so:

    "overrides": {
      "escodegen": "npm:@javascript-obfuscator/escodegen"
    },

fixes the problem. I am trying to see if this fixes the talon_sdk.js file as well, but the file is so big that it has been running for a long time already.
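The `this[type] is not a function` error in the log above is what a code generator produces when it dispatches on `node.type` by method name and meets a node type it was written before (here `PrivateIdentifier`, the ESTree node for `#privateId`). The following is an added example, not escodegen's or restringer's code: a hand-built ESTree-style AST for the snippet from the comment, a bare-dispatch generator that fails the way the log shows, and a generator that names the unsupported node type and adds the missing handler. The AST is constructed by hand, not parser output, and the generator models only the handful of node types it needs.

```javascript
// Constructed ESTree-style AST for the snippet from the thread:
//   class WithPriv { #privateId = 1; }
// Hand-written for this example, not the output of a real parser.
const classWithPrivateField = {
  type: 'Program',
  body: [{
    type: 'ClassDeclaration',
    id: { type: 'Identifier', name: 'WithPriv' },
    body: {
      type: 'ClassBody',
      body: [{
        type: 'PropertyDefinition',
        key: { type: 'PrivateIdentifier', name: 'privateId' },
        value: { type: 'Literal', value: 1, raw: '1' },
      }],
    },
  }],
};

// Minimal code generator that, like escodegen, dispatches on node.type by
// looking up a method of the same name on itself. It predates class fields,
// so it has no PrivateIdentifier method.
class LegacyGenerator {
  generate(node) {
    // Bare dispatch: an unknown node type surfaces as
    // "TypeError: this[node.type] is not a function", which names neither
    // the node type nor where in the tree it sits.
    return this[node.type](node);
  }
  Program(n) { return n.body.map(s => this.generate(s)).join('\n'); }
  ClassDeclaration(n) { return `class ${this.generate(n.id)} ${this.generate(n.body)}`; }
  ClassBody(n) { return `{\n${n.body.map(m => '  ' + this.generate(m)).join('\n')}\n}`; }
  PropertyDefinition(n) {
    const init = n.value ? ` = ${this.generate(n.value)}` : '';
    return `${this.generate(n.key)}${init};`;
  }
  Identifier(n) { return n.name; }
  Literal(n) { return n.raw !== undefined ? n.raw : JSON.stringify(n.value); }
}

// Same generator with two changes: a guard that reports which node type is
// unsupported, and a handler for the newer PrivateIdentifier node.
class ModernGenerator extends LegacyGenerator {
  generate(node) {
    const handler = this[node.type];
    if (typeof handler !== 'function') {
      throw new TypeError(`Unsupported AST node type: ${node.type}`);
    }
    return handler.call(this, node);
  }
  PrivateIdentifier(n) { return `#${n.name}`; }
}

// Runs a generator and reports success or the error message it raised.
function tryGenerate(generator, ast) {
  try {
    return { ok: true, code: generator.generate(ast) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

Run `tryGenerate(new LegacyGenerator(), classWithPrivateField)` to reproduce the opaque error, and the `ModernGenerator` variant to get `class WithPriv { #privateId = 1; }` back. The guard is the part worth keeping in any AST tool: when a newer parser emits a node type the generator does not know, the failure should say so by name rather than surfacing as a generic `TypeError` deep inside a transform.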

jorants commented 6 months ago

I could not reproduce the TypeError shown in the original issue; I did, however, run into a loop in the end:

[+] ==> Cycle 71 completed in 5.893 seconds with 43751 changes (228682 nodes)
    [!] Running rearrangeSequences...
        [!] Running rearrangeSequences completed in 0.048 seconds
    [!] Running separateChainedDeclarators...
        [!] Running separateChainedDeclarators completed in 0.031 seconds
    [!] Running rearrangeSwitches...
        [!] Running rearrangeSwitches completed in 0.030 seconds
    [!] Running normalizeEmptyStatements...
        [!] Running normalizeEmptyStatements completed in 0.030 seconds
    [!] Running removeRedundantBlockStatements...
        [!] Running removeRedundantBlockStatements completed in 0.029 seconds
    [!] Running resolveRedundantLogicalExpressions...
        [!] Running resolveRedundantLogicalExpressions completed in 0.025 seconds
    [!] Running unwrapSimpleOperations...
        [!] Running unwrapSimpleOperations completed in 0.050 seconds
    [!] Running resolveProxyCalls...
        [!] Running resolveProxyCalls completed in 0.030 seconds
    [!] Running resolveProxyVariables...
        [!] Running resolveProxyVariables completed in 0.041 seconds
    [!] Running resolveProxyReferences...
        [!] Running resolveProxyReferences completed in 0.433 seconds
    [!] Running resolveMemberExpressionReferencesToArrayIndex...
        [!] Running resolveMemberExpressionReferencesToArrayIndex completed in 0.027 seconds
    [!] Running resolveMemberExpressionsWithDirectAssignment...
        [!] Running resolveMemberExpressionsWithDirectAssignment completed in 0.051 seconds
    [!] Running parseTemplateLiteralsIntoStringLiterals...
        [!] Running parseTemplateLiteralsIntoStringLiterals completed in 0.033 seconds
    [!] Running resolveDeterministicIfStatements...
        [!] Running resolveDeterministicIfStatements completed in 0.026 seconds
    [!] Running replaceCallExpressionsWithUnwrappedIdentifier...
        [!] Running replaceCallExpressionsWithUnwrappedIdentifier completed in 0.046 seconds
    [!] Running replaceEvalCallsWithLiteralContent...
        [!] Running replaceEvalCallsWithLiteralContent completed in 0.031 seconds
    [!] Running replaceIdentifierWithFixedAssignedValue...
        [!] Running replaceIdentifierWithFixedAssignedValue completed in 0.039 seconds
    [!] Running replaceIdentifierWithFixedValueNotAssignedAtDeclaration...
        [!] Running replaceIdentifierWithFixedValueNotAssignedAtDeclaration completed in 0.050 seconds
    [!] Running replaceNewFuncCallsWithLiteralContent...
        [!] Running replaceNewFuncCallsWithLiteralContent completed in 0.021 seconds
    [!] Running replaceBooleanExpressionsWithIf...
        [!] Running replaceBooleanExpressionsWithIf completed in 0.028 seconds
    [!] Running replaceSequencesWithExpressions...
    [+] replaceSequencesWithExpressions committed 16 new changes!
        [!] Running replaceSequencesWithExpressions completed in 5.056 seconds
    [!] Running resolveFunctionConstructorCalls...
        [!] Running resolveFunctionConstructorCalls completed in 0.046 seconds
    [!] Running replaceFunctionShellsWithWrappedValue...
        [!] Running replaceFunctionShellsWithWrappedValue completed in 0.043 seconds
    [!] Running replaceFunctionShellsWithWrappedValueIIFE...
        [!] Running replaceFunctionShellsWithWrappedValueIIFE completed in 0.040 seconds
    [!] Running simplifyCalls...
        [!] Running simplifyCalls completed in 0.052 seconds
    [!] Running unwrapFunctionShells...
        [!] Running unwrapFunctionShells completed in 0.046 seconds
    [!] Running unwrapIIFEs...
        [!] Running unwrapIIFEs completed in 0.050 seconds
    [!] Running simplifyIfStatements...
        [!] Running simplifyIfStatements completed in 0.039 seconds

replaceSequencesWithExpressions keeps finding 16 updates. I ran this both on the current master branch, and on a patched version as described in my previous post. I am afraid I am not versed well enough in this project to fix the issue.
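A deobfuscation driver that repeats its passes until a cycle reports zero changes will never stop if one pass keeps claiming work, as `replaceSequencesWithExpressions` does here with its 16 changes per cycle. The following is an added example of a driver that catches that, not restringer's own loop: it fingerprints the tree around each pass and stops with a named reason when a pass claims changes without altering the tree, when a cycle returns to a state already seen, or when a cycle cap is hit. The passes, the `runToFixedPoint` harness and the sample AST are all constructed for this example and only model the behaviour described in the thread.

```javascript
// Fingerprint of the tree's current state. JSON is fine for a toy tree;
// a real harness would hash this rather than keep whole strings around.
function fingerprint(ast) {
  return JSON.stringify(ast);
}

// Drives the passes to a fixed point. Each pass mutates the AST in place and
// returns the number of changes it claims to have made. Stop conditions
// besides convergence:
//   'phantom-changes': a pass claimed changes but the tree is unchanged
//   'oscillation'    : a cycle produced a tree already seen earlier
//   'cycle-cap'      : maxCycles reached
function runToFixedPoint(ast, transforms, maxCycles = 100) {
  const seen = new Set([fingerprint(ast)]);
  for (let cycle = 1; cycle <= maxCycles; cycle++) {
    let claimed = 0;
    for (const transform of transforms) {
      const before = fingerprint(ast);
      const n = transform(ast);
      claimed += n;
      if (n > 0 && fingerprint(ast) === before) {
        return { converged: false, cycles: cycle, reason: 'phantom-changes', transform: transform.name };
      }
    }
    if (claimed === 0) {
      return { converged: true, cycles: cycle, reason: 'fixed-point' };
    }
    const after = fingerprint(ast);
    if (seen.has(after)) {
      return { converged: false, cycles: cycle, reason: 'oscillation' };
    }
    seen.add(after);
  }
  return { converged: false, cycles: maxCycles, reason: 'cycle-cap' };
}

// Toy sequence-splitting pass: the statement `a, b;` becomes `a; b;`.
function replaceSequencesWithExpressions(ast) {
  let changes = 0;
  const body = [];
  for (const stmt of ast.body) {
    if (stmt.type === 'ExpressionStatement' && stmt.expression.type === 'SequenceExpression') {
      for (const expr of stmt.expression.expressions) {
        body.push({ type: 'ExpressionStatement', expression: expr });
      }
      changes++;
    } else {
      body.push(stmt);
    }
  }
  ast.body = body;
  return changes;
}

// A pass that reports work without doing any: the symptom in the log above.
function phantomTransform(ast) {
  return 16;
}

// Builds a pass renaming top-level identifier statements; two of these with
// swapped arguments undo each other, the other way a loop never settles.
function renameIdentifier(from, to) {
  const pass = function (ast) {
    let changes = 0;
    for (const stmt of ast.body) {
      if (stmt.type === 'ExpressionStatement' && stmt.expression.type === 'Identifier' && stmt.expression.name === from) {
        stmt.expression.name = to;
        changes++;
      }
    }
    return changes;
  };
  Object.defineProperty(pass, 'name', { value: `rename_${from}_to_${to}` });
  return pass;
}

// Constructed sample program: the single statement `a, b;`
function sampleAst() {
  return {
    type: 'Program',
    body: [{
      type: 'ExpressionStatement',
      expression: {
        type: 'SequenceExpression',
        expressions: [
          { type: 'Identifier', name: 'a' },
          { type: 'Identifier', name: 'b' },
        ],
      },
    }],
  };
}
```

`runToFixedPoint(sampleAst(), [replaceSequencesWithExpressions])` converges on the second cycle; adding `phantomTransform` to the list stops the run on the first cycle and names the pass, which is the diagnostic missing from the log above, where the only clue is the same change count repeating every cycle. Comparing fingerprints around each pass costs a serialisation per pass, so a real harness would hash the tree or sample a cheaper structural digest, but the check itself is what turns an endless run into an actionable bug report.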

BenBaryoPX commented 6 months ago

I owe @Revadike an apology, as I didn't make much progress on this issue :(

@jorants, I've moved your comment to a new issue, as I feel it requires its own attention and discussion. Thanks for bringing it to my attention 🙏