HTML Comment Parsing Error

[cccs-kevin]

Hey @relative!

We at @CybercentreCanada are loving all of the work that you've put into this tool!

A file that we came across recently in the wild has been causing Synchrony to crash, unless we manually tweak the file content (https://github.com/CybercentreCanada/assemblyline-service-jsjaws/pull/370). Obviously this is not ideal, and we would love to have the fix included in Synchrony itself :)

I cannot share the entire file, but here is a screenshot of the initial HTML file:

and a screenshot of the extracted JavaScript that is sent to Synchrony:

There is an opening HTML comment prior to the obfuscated code, and this is ignored when emulated in Node, but crashes the Synchrony tool when the Acorn library attempts to parse it. Here is the crash log:

'/home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/.bin/synchrony' deobfuscate --output '/tmp/working_directory/<hash_of_file>.cleaned' '/tmp/working_directory/tmpelxvdz1m'

/home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/deobfuscator/node_modules/acorn/dist/acorn.js:3460
    var err = new SyntaxError(message);
              ^
SyntaxError: Unexpected token (1:0)
    at pp$4.raise (/home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/deobfuscator/node_modules/acorn/dist/acorn.js:3460:15)
    at pp$9.unexpected (/home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/deobfuscator/node_modules/acorn/dist/acorn.js:756:10)
    at pp$5.parseExprAtom (/home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/deobfuscator/node_modules/acorn/dist/acorn.js:2835:12)
    at pp$5.parseExprSubscripts (/home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/deobfuscator/node_modules/acorn/dist/acorn.js:2627:21)
    at pp$5.parseMaybeUnary (/home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/deobfuscator/node_modules/acorn/dist/acorn.js:2593:19)
    at pp$5.parseExprOps (/home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/deobfuscator/node_modules/acorn/dist/acorn.js:2520:21)
    at pp$5.parseMaybeConditional (/home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/deobfuscator/node_modules/acorn/dist/acorn.js:2503:21)
    at pp$5.parseMaybeAssign (/home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/deobfuscator/node_modules/acorn/dist/acorn.js:2470:21)
    at pp$5.parseExpression (/home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/deobfuscator/node_modules/acorn/dist/acorn.js:2433:21)
    at pp$8.parseStatement (/home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/deobfuscator/node_modules/acorn/dist/acorn.js:946:47) {
  pos: 0,
  loc: Position { line: 1, column: 0 },
  raisedAt: 1
}
Node.js v19.7.0

When this opening comment is removed, Synchrony works great and deobfuscates the file.

Is there anyway that HTML comments () could be removed prior to parsing? We found that closing HTML comments (-->) also cause Acorn to crash, so it would amazing if they could be ignored / removed once sent to Synchrony.

Let me know what you think!

Kevin

[relative]

Should be fixed in v2.4.2. You will have to set sourceType to both in the options that are being passed to the deobfuscate functions

[cccs-kevin]

Thanks a ton for the quick fix! It is much appreciated.