search

relative / synchrony

javascript-obfuscator cleaner & deobfuscator
https://deobfuscate.relative.im/
GNU General Public License v3.0
849 stars 109 forks source link

Caught an error while attempting to run AST visitor! #22

Open ecraven1993 opened 2 years ago

ecraven1993 commented 2 years ago

Hello,

I was attempting to deobfuscate a file. I tried the online version you have provided, though it could not decrypt the strings and I thought perhaps it was due to the website saying it was running 2.2.0 rather than the latest 2.3.0. However, I ended up getting getting essentially the same results from the online version as I did when using the latest release on my server.

I am amateur at best when it comes to javascript so I apologize in advance.

The file that I attempted to deobfuscate is at: https://gist.github.com/ecraven1993/b09207b2accc5cfc24fdfe6a79125161 The file that resulted after attempting to deobfuscate is at: https://gist.github.com/ecraven1993/ac6247638c14fb72130b1ee5cca9f83d

Below is the full log after I ran synchrony. Please let me know if you need any more information. This is one of a handful of files I have had this issue with.

Also if there is any way I can support the development of synchrony please let me know.

root@test:~# synchrony deobfuscate ./config5.js
Running Simplify transformer
Running MemberExpressionCleaner transformer
Running LiteralMap transformer
Running DeadCode transformer
Running Demangle transformer
Running StringDecoder transformer
Caught an error while attempting to run AST visitor!

node = Node {
  type: 'FunctionDeclaration',
  start: 7531,
  end: 7559,
  range: [ 7531, 7559 ],
  id: Node {
    type: 'Identifier',
    start: 7546,
    end: 7555,
    range: [ 7546, 7555 ],
    name: '_0x1d33c6'
  },
  expression: false,
  generator: false,
  async: true,
  params: [],
  body: Node {
    type: 'BlockStatement',
    start: 7557,
    end: 7559,
    range: [ 7557, 7559 ],
    body: []
  }
}
err = TypeError: Cannot read properties of undefined (reading 'type')
    at G (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:28:918)
    at FunctionDeclaration (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:28:16297)
    at s (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:25:147)
    at Object.skipThrough (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/node_modules/acorn-walk/dist/walk.js:186:                                                                                                          39)
    at s (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:25:133)
    at Object.base.Program.base.BlockStatement.base.StaticBlock (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/nod                                                                                                          e_modules/acorn-walk/dist/walk.js:198:7)
    at s (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:25:133)
    at Object.skipThrough (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/node_modules/acorn-walk/dist/walk.js:186:                                                                                                          39)
    at s (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:25:133)
    at Object.base.Function (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/node_modules/acorn-walk/dist/walk.js:29                                                                                                          6:5)
Caught an error while attempting to run AST visitor!

node = Node {
  type: 'FunctionDeclaration',
  start: 7863,
  end: 7891,
  range: [ 7863, 7891 ],
  id: Node {
    type: 'Identifier',
    start: 7878,
    end: 7887,
    range: [ 7878, 7887 ],
    name: '_0x339c58'
  },
  expression: false,
  generator: false,
  async: true,
  params: [],
  body: Node {
    type: 'BlockStatement',
    start: 7889,
    end: 7891,
    range: [ 7889, 7891 ],
    body: []
  }
}
err = TypeError: Cannot read properties of undefined (reading 'type')
    at G (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:28:918)
    at FunctionDeclaration (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:28:16297)
    at s (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:25:147)
    at Object.skipThrough (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/node_modules/acorn-walk/dist/walk.js:186:                                                                                                          39)
    at s (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:25:133)
    at Object.base.Program.base.BlockStatement.base.StaticBlock (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/nod                                                                                                          e_modules/acorn-walk/dist/walk.js:198:7)
    at s (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:25:133)
    at Object.skipThrough (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/node_modules/acorn-walk/dist/walk.js:186:                                                                                                          39)
    at s (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:25:133)
    at Object.base.Function (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/node_modules/acorn-walk/dist/walk.js:29                                                                                                          6:5)
Caught an error while attempting to run AST visitor!

node = Node {
  type: 'FunctionDeclaration',
  start: 7957,
  end: 7979,
  range: [ 7957, 7979 ],
  id: Node {
    type: 'Identifier',
    start: 7966,
    end: 7975,
    range: [ 7966, 7975 ],
    name: '_0x53d189'
  },
  expression: false,
  generator: false,
  async: false,
  params: [],
  body: Node {
    type: 'BlockStatement',
    start: 7977,
    end: 7979,
    range: [ 7977, 7979 ],
    body: []
  }
}
err = TypeError: Cannot read properties of undefined (reading 'type')
    at G (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:28:918)
    at FunctionDeclaration (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:28:16297)
    at s (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:25:147)
    at Object.skipThrough (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/node_modules/acorn-walk/dist/walk.js:186:                                                                                                          39)
    at s (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:25:133)
    at Object.base.Program.base.BlockStatement.base.StaticBlock (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/nod                                                                                                          e_modules/acorn-walk/dist/walk.js:198:7)
    at s (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:25:133)
    at Object.skipThrough (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/node_modules/acorn-walk/dist/walk.js:186:                                                                                                          39)
    at s (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:25:133)
    at Object.base.Function (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/node_modules/acorn-walk/dist/walk.js:29                                                                                                          6:5)
Caught an error while attempting to run AST visitor!

node = Node {
  type: 'CallExpression',
  start: 3922,
  end: 3941,
  range: [ 3922, 3941 ],
  callee: Node {
    type: 'Identifier',
    start: 3922,
    end: 3929,
    range: [ 3922, 3929 ],
    name: 'Boolean'
  },
  arguments: [
    Node {
      type: 'UnaryExpression',
      start: 3930,
      end: 3940,
      range: [Array],
      operator: '~',
      prefix: true,
      argument: [Node]
    }
  ],
  optional: false
}
err = TypeError: UnaryExpression argument is not Literal
    at J (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:28:9515)
    at X (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:28:9862)
    at /root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:28:13772
    at Array.map (<anonymous>)
    at literals_to_arg_array (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:28:13760)
    at CallExpression (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:28:22961)
    at s (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:25:147)
    at Object.skipThrough (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/node_modules/acorn-walk/dist/walk.js:186:                                                                                                          39)
    at s (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/dist/index.js:25:133)
    at Object.base.UnaryExpression.base.UpdateExpression (/root/.nvm/versions/node/v17.8.0/lib/node_modules/deobfuscator/node_modul                                                                                                          es/acorn-walk/dist/walk.js:373:5)
Running Simplify transformer
Running MemberExpressionCleaner transformer
Running Desequence transformer
Running ControlFlow transformer
Running Desequence transformer
Running MemberExpressionCleaner transformer
Running Simplify transformer
Running DeadCode transformer
Running Simplify transformer
Running DeadCode transformer
relative commented 2 years ago

hi, the script you provided was produced by an old version of javascript-obfuscator (prior to javascript-obfuscator@2.9.5)

it "deobfuscates" properly on latest commit from synchrony git, but it does not find the string rotating function and the string decoding functions (and therefore the array)

the extra self-defending code in the string array shifting function will have broke the the function to find the string rotating functions (see SelfDefendingTemplate.ts history) and likely the same case in the string dec funcs

will fix it when I have time

ecraven1993 commented 2 years ago

Thank you for the prompt response! Given I am mostly interested in the strings, I will gladly wait till you have the time for a fix.