search

ben-sb / javascript-deobfuscator

General purpose JavaScript deobfuscator
https://deobfuscate.io
Apache License 2.0
786 stars 112 forks source link

Comma Expression: different results #45

Open Semnodime opened 1 year ago

Semnodime commented 1 year ago

I wanted to help out and started digging into the cause of #36. Although I was unable to locate the core issue ( I believe the deobfuscation would actually finish, although allowing a deobfuscation parameter to limit the time spent on reversing any particular function would be nice), I stumbled upon something:

Deobfuscating example A leads to vastly different results in comparison to deobfuscating example B

This feels somewhat ackward and I wonder whether there's a bug or how this happens.

@ben-sb It'd be nice if you could throw in a guess

Example A


    function Se(p1, p2) {
        _e(_e(_e(_e(De(De(De(De(Me(Me(Me(Me(Ae(
                                                            i = Ae(
                                                                i = Ae(
                                                                    i = Ae(
                                                                        i, r = Ae(
                                                                            r, a = Ae(
                                                                                a, n = Ae(
                                                                                    n, i, r, a, p2[0], 7, -680876936), i, r, p2[1], he, -389564586), n, i, p2[2], ge, 606105819), a, n, p2[3], we, -1044525330), r = Ae(
                                                                                        r, a = Ae(
                                                                                            a, n = Ae(
                                                                                                n, i, r, a, p2[4], 7, -176418897), i, r, p2[5], he, 1200080426), n, i, p2[6], ge, -1473231341), a, n, p2[7], we, -45705983), r = Ae(
                                                                                                    r, a = Ae(
                                                                                                        a, n = Ae(
                                                                                                            n, i, r, a, p2[8], 7, 1770035416),
                                                                        i, r, p2[9], he, -1958414417), n, i, p2[ue], ge, -42063), a, n, p2[le], we, -1990404162), r = Ae(r, a = Ae(a, n = Ae(n, i, r, a, p2[he], 7, 1804603682), i, r, p2[de], he, -40341101), n, i, p2[me], ge, -1502002290), a, n, p2[fe], we, 1236535329), r = Me(r, a = Me(a, n = Me(n, i, r, a, p2[1], 5, -165796510), i, r, p2[6], 9, -1069501632), n, i, p2[le], me, 643717713), a, n, p2[0], ve, -373897302), r = Me(r, a = Me(a, n = Me(n, i, r, a, p2[5], 5, -701558691), i, r, p2[ue], 9, 38016083), n, i, p2[fe], me, -660478335), a, n, p2[4], ve, -405537848), r = Me(r, a = Me(a, n = Me(n, i, r, a, p2[9], 5, 568446438), i, r, p2[me], 9, -1019803690), n, i, p2[3], me, -187363961), a, n, p2[8], ve, 1163531501), r = Me(r, a = Me(a, n = Me(n, i, r, a, p2[de], 5, -1444681467), i, r, p2[2], 9, -51403784), n, i, p2[7], me, 1735328473), a, n, p2[he], ve, -1926607734), r = De(r, a = De(a, n = De(n, i, r, a, p2[5], 4, -378558), i, r, p2[8], le, -2022574463), n, i, p2[le], pe, 1839030562), a, n, p2[me], be, -35309556), r = De(r, a = De(a, n = De(n, i, r, a, p2[1], 4, -1530992060), i, r, p2[4], le, 1272893353), n, i, p2[7], pe, -155497632), a, n, p2[ue], be, -1094730640), r = De(r, a = De(a, n = De(n, i, r, a, p2[de], 4, 681279174), i, r, p2[0], le, -358537222), n, i, p2[3], pe, -722521979), a, n, p2[6], be, 76029189), r = De(r, a = De(a, n = De(n, i, r, a, p2[9], 4, -640364487), i, r, p2[he], le, -421815835), n, i, p2[fe], pe, 530742520), a, n, p2[2], be, -995338651), r = _e(r, a = _e(a, n = _e(n, i, r, a, p2[0], 6, -198630844), i, r, p2[7], ue, 1126891415), n, i, p2[me], fe, -1416354905), a, n, p2[5], ye, -57434055), r = _e(r, a = _e(a, n = _e(n, i, r, a, p2[he], 6, 1700485571), i, r, p2[3], ue, -1894986606), n, i, p2[ue], fe, -1051523), a, n, p2[1], ye, -2054922799), r = _e(r, a = _e(a, n = _e(n, i, r, a, p2[8], 6, 1873313359), i, r, p2[fe], ue, -30611744), n, i, p2[6], fe, -1560198380), a, n, p2[de], ye, 1309151649), r = _e(r, a = _e(a, n = _e(n, i, r, a, p2[4], 6, -145523070), i, r, p2[le], ue, -1120210379), n, i, p2[2], fe, 718787259), a, n, p2[9], ye, -343485551)
        p1[0] = Ce(n, p1[0])
    }

    function Pe(p1, p2, p3, p4, p5, p6) {
        return p2 = Ce(p1, p6), Ce(p2 << p5 | p2 >>> Ve - p5, p3)
    }

    function Ae(p1, p2, p3, p4, p5, p6, p7) {
        return Pe(p2 & p3 | ~p2 & p4, p1, p2, p5, p6, p7)
    }

    function _e(p1, p2, p3, p4, p5, p6, p7) {
        return Pe(p3 ^ (p2 | ~p4), p1, p2, p5, p6, p7)
    }

Example B

Note: Differs only in this part, where the return statement with the comma expression in Pe is refactored into two statements:

    function Pe(p1, p2, p3, p4, p5, p6) {
        p2 = Ce(p1, p6)
        return Ce(p2 << p5 | p2 >>> Ve - p5, p3)
    }
ben-sb commented 1 month ago

It's likely due to repeatedly replacing nested proxy function calls in example A, resulting in larger and larger code each time. Whereas in example B Pe isn't detected as a proxy function, due to now having statements other than just a simple return, so this issue doesn't occur. For something like example A the best option is to disable the proxy function removal setting.