relative / synchrony

javascript-obfuscator cleaner & deobfuscator
https://deobfuscate.relative.im/
GNU General Public License v3.0

some mild feedback and random thoughts #35

Open analtevs opened 2 years ago

analtevs commented 2 years ago

i ran into a few issues using v2.3.0 that resulted in bad deobfuscation when using latest obfuscation (with self-defending enabled).

string-decoder:

using this decoder method as the example

function pi(t, e) {
  var r = dc();
  return pi = function(t, e) {
    t -= 467;
    var n = r[t];
    return n
  }, pi(t, e)
}

at first glance it seems the only issue stopping valid decoder-detection is the AssignmentExpression. it appears that v2.3.0 is expecting something like:

"expression": {
  "type": "AssignmentExpression",
  "operator": "=",
  "left": {
    "type": "Identifier",
    "name": "t"
    ...
  },
  "right": {
    "type": "BinaryExpression",
    ...
    "left": {
      "type": "Identifier",
      "name": "t"
      ...
    },
    "operator": "-",
    "right": {
      "type": "Literal",
      ...
    }
  }
}

but instead we have something along these lines

"expression": {
  "type": "AssignmentExpression",
  ...
  "operator": "-=",
  "left": {
    "type": "Identifier",
    "name": "t"
    ...
  },
  "right": {
    "type": "Literal",
    ...
  }
}

https://github.com/relative/synchrony/blob/master/src/transformers/stringdecoder.ts#L297

regarding string-array(s) detection

in cases where string-array detection failed it appeared to be in edge cases where calls to another string-decoder were present

function Bb() {
  var t = n;
  const e = ["OXksf", t(3334), t(2446), "hksLN", t(2759), ...];
  return Bb = function() {
    return e
  }, Bb()
}

where the t variable points at pi (shown above).

incorrect string-decoder references detected

what's going on here is variable-scope isn't being respected with regards to locating string-decoder references.

var e = pi;
...
(function(t) {
  (function(t, e) {
    var r = pi;
    ...
    function n(t, e) {
      var r = pi;
      if (!t) throw new Error(e || r(1382))
    }
    ...
    function c(t, e, i, a) {
      var o = r;
      for (var l = e; l < c; l++) {
        ...
      }
      return s
    }
  })
})

this is a snippet of what i found that was causing incorrect removal of local variable declarations. v2.3.0 will correctly tag the outer-scoped variable e as a reference to string-decoder pi. equally and rightfully so the scoped variables r are tagged as references. now that e and r sit in context.stringDecoderReferences the variable e in the for-loop body of function c is removed.

i did not solve this problem inside stringdecoder.ts. currently i don't have the knowledge to track variable scope. what i did instead was modify rename.ts to find all instances of the string-decoders (ie: var t = pi;), rename every reference to t, then remove the node declaration of t, etc. so, basically refactor / cheap-inline all references.

took a while to get a handle on dealing with obfuscator's self-defending stuff but looking back on this i think we could refactor/inline variables that reference the string-decoders. doing this would solve a few issues in v2.3.0.

after my hacked up code changes to v2.3.0 i got very, very good results.
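An added illustration of the string-decoder point above (not code from synchrony or from the posts in this thread): a pre-pass that expands `t -= 467` into `t = t - 467`, so a matcher written only for the long form accepts both shapes. It goes beyond the one operator shown by covering every arithmetic and bitwise compound assignment; `expandCompound` and `matchOffset` are hypothetical names, and the ESTree-shaped nodes are hand-built samples.

```javascript
// Added example: ESTree-shaped nodes are built by hand (constructed input), no parser needed.
const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const assign = (operator, left, right) => ({
  type: 'ExpressionStatement',
  expression: { type: 'AssignmentExpression', operator, left, right },
});

// Compound operators that expand to a BinaryExpression. Logical assignments
// (&&=, ||=, ??=) short-circuit, so they are deliberately left out.
const COMPOUND = new Set(['+=', '-=', '*=', '/=', '%=', '**=', '<<=', '>>=', '>>>=', '|=', '^=', '&=']);

// Hypothetical pre-pass: rewrite `x op= y` to `x = x op y`. Only a plain Identifier
// target is expanded, because duplicating `a[f()]` would evaluate f() twice.
function expandCompound(stmt) {
  const e = stmt.expression;
  if (stmt.type !== 'ExpressionStatement' || !e || e.type !== 'AssignmentExpression') return stmt;
  if (!COMPOUND.has(e.operator) || e.left.type !== 'Identifier') return stmt;
  const right = { type: 'BinaryExpression', operator: e.operator.slice(0, -1), left: id(e.left.name), right: e.right };
  return { ...stmt, expression: { ...e, operator: '=', right } }; // input node is not mutated
}

// Matcher for the long form only (the first AST shape in the issue): `param = param - <number>`.
function matchOffset(stmt, param) {
  const e = stmt.expression;
  if (stmt.type !== 'ExpressionStatement' || !e || e.type !== 'AssignmentExpression') return null;
  if (e.operator !== '=' || e.left.type !== 'Identifier' || e.left.name !== param) return null;
  const b = e.right;
  if (b.type !== 'BinaryExpression' || b.operator !== '-') return null;
  if (b.left.type !== 'Identifier' || b.left.name !== param) return null;
  if (b.right.type !== 'Literal' || typeof b.right.value !== 'number') return null;
  return b.right.value;
}

// Constructed samples: `t = t - 467`, `t -= 467` (as in pi above) and `t ||= 467`.
const longForm = assign('=', id('t'), { type: 'BinaryExpression', operator: '-', left: id('t'), right: lit(467) });
const shortForm = assign('-=', id('t'), lit(467));
const logical = assign('||=', id('t'), lit(467));

console.log(matchOffset(longForm, 't'));                  // long form matches directly
console.log(matchOffset(shortForm, 't'));                 // short form is missed without the pre-pass
console.log(matchOffset(expandCompound(shortForm), 't')); // short form matches after expansion
console.log(matchOffset(expandCompound(logical), 't'));   // logical assignment is left alone
```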

g0dzcsgo commented 2 years ago

Do you mind sharing the changes you made? I am getting a lot of AST errors due to using the deobfuscator on older versions. And relative said it was an issue with it not finding the string array function, etc.

analtevs commented 2 years ago

what you can do is manually locate the string-decoder(s) and modify the obfuscated code a bit to match what the deobfuscator is looking for. if you can post a link or dm me - i can help.

g0dzcsgo commented 2 years ago

> what you can do is manually locate the string-decoder(s) and modify the obfuscated code a bit to match what the deobfuscator is looking for. if you can post a link or dm me - i can help.

Yea, do you have like a discord? so we don't spam this issue? Add me cool#1337

g0dzcsgo commented 2 years ago

@analtevs Hello?