Open analtevs opened 2 years ago
Do you mind sharing the changes you made? I am getting alot of AST errors due to using the deobfuscator on older versions. And relative said it was an issue with it not finding the string array function. etc
what you can do is manually locate the string-decoder(s) and modify the obfuscated code a bit to match what the deobfuscator is looking for. if you can post a link or dm me - i can help.
what you can do is manually locate the string-decoder(s) and modify the obfuscated code a bit to match what the deobfuscator is looking for. if you can post a link or dm me - i can help.
Yea, do you have like a discord? so we don't spam this issue? Add me cool#1337
@analtevs Hello?
i ran into a few issues using v2.3.0 that resulted in bad deobfuscation when using latest obfuscation (with self-defending enabled).
string-decoder:
using this decoder method as the example
at first glance it seems the only issue stopping valid decoder-detection is the AssignmentExpression. it appears that v2.3.0 is expecting something like:
but instead we have something along these lines
https://github.com/relative/synchrony/blob/master/src/transformers/stringdecoder.ts#L297
regarding string-array(s) detection
in cases where string-array detection failed it appeared to be in edge cases where calls to another string-decoder were present
where
t
variable pointing atpi
(shown above).incorrect string-decoder references detected
whats going on here is variable-scope isn't being respected with regards to locating string-decoder references.
this is a snippet of what i found that was causing incorrect removal of local variable declarations. v2.3.0 will correctly tag the outer-scoped variable
e
as a reference to string-decoderpi
. equally and rightfully so the scoped variablesr
are tagged as references. now thate
andr
sit incontext.stringDecoderReferences
the variablee
in the for-loop body of functionc
is removed.i did not solve this problem inside
stringdecoder.ts
. currently i don't have the knowledge to track variable scope. what i did instead was modifiedrename.ts
to find all instances of the string-decoders (ie:var t = pi;
) and rename every reference tot
then removed the node declaration oft
, etc. so, basically refactor / cheap-inlined all references.took a while to get a handle on dealing with obfuscator's self-defending stuff but looking back on this i think we could refactor/inline variables that reference the string-decoders. doing this would solve a few issues in v.2.3.0;
after my hacked up code changes to v2.3.0 i got very,very, good results.