synchrony
some mild feedback and random thoughts
i ran into a few issues using v2.3.0 that resulted in bad deobfuscation when using latest obfuscation (with self-defending enabled).
string-decoder:
using this decoder method as the example
function pi(t, e) {
    var r = dc();
    return pi = function(t, e) {
        t -= 467;
        var n = r[t];
        return n
    }, pi(t, e)
}
at first glance it seems the only issue stopping valid decoder-detection is the AssignmentExpression. it appears that v2.3.0 is expecting something like:
"expression": {
    "type": "AssignmentExpression",
    "operator": "=",
    "left": {
        "type": "Identifier",
        "name": "t"
        ...
    },
    "right": {
        "type": "BinaryExpression",
        ...
        "left": {
            "type": "Identifier",
            "name": "t"
            ...
        },
        "operator": "-",
        "right": {
            "type": "Literal",
            ...
        }
    }
but instead we have something along these lines
"expression": {
    "type": "AssignmentExpression",
    ...
    "operator": "-=",
    "left": {
        "type": "Identifier",
        "name": "t"
        ...
    },
    "right": {
        "type": "Literal",
        ...
    }
}
https://github.com/relative/synchrony/blob/master/src/transformers/stringdecoder.ts#L297
regarding string-array(s) detection
in cases where string-array detection failed it appeared to be in edge cases where calls to another string-decoder were present
function Bb() {
    var t = n;
    const e = ["OXksf", t(3334), t(2446), "hksLN", t(2759), ...];
    return Bb = function() {
        return e
    }, Bb()
}
where t variable pointing at pi (shown above).
incorrect string-decoder references detected
what's going on here is variable-scope isn't being respected with regards to locating string-decoder references.
var e = pi;
...
(function(t) {
    (function(t, e) {
        var r = pi;
        ...
        function n(t, e) {
            var r = pi;
            if (!t) throw new Error(e || r(1382))
        }
        ...
        function c(t, e, i, a) {
            var o = r;
            for (var l = e; l < c; l++) {
                ...
            }
            return s
        }
    })
})
this is a snippet of what i found that was causing incorrect removal of local variable declarations.
v2.3.0 will correctly tag the outer-scoped variable e as a reference to string-decoder pi.
equally and rightfully so the scoped variables r are tagged as references.
now that e and r sit in context.stringDecoderReferences the variable e in the for-loop body of function c is removed.
i did not solve this problem inside stringdecoder.ts. currently i don't have the knowledge to track variable scope.
what i did instead was modified rename.ts to find all instances of the string-decoders (ie: var t = pi;) and rename every reference to t then removed the node declaration of t, etc. so, basically refactor / cheap-inlined all references.
took a while to get a handle on dealing with obfuscator's self-defending stuff but looking back on this i think we could refactor/inline variables that reference the string-decoders. doing this would solve a few issues in v.2.3.0;
after my hacked up code changes to v2.3.0 i got very, very good results.
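The two AssignmentExpression shapes shown in the post above (t = t - 467 and t -= 467) can be handled by one matcher. This is an added example, not part of the original post and not synchrony's code; the helper names (decoderOffset, literalNumber, isIdent) are hypothetical and the AST nodes are constructed by hand in ESTree shape.

```javascript
// Added example: hypothetical helpers, not part of synchrony.
// literalNumber: numeric value of a Literal, also accepting a negated literal.
function literalNumber(node) {
  if (!node) return null;
  if (node.type === 'Literal' && typeof node.value === 'number') return node.value;
  if (node.type === 'UnaryExpression' && node.operator === '-') {
    const inner = literalNumber(node.argument);
    return inner === null ? null : -inner;
  }
  return null;
}

function isIdent(node, name) {
  return !!node && node.type === 'Identifier' && node.name === name;
}

// Returns the offset subtracted from `param` by the expression,
// or null when the node is not an index shift on that parameter.
function decoderOffset(expr, param) {
  if (!expr || expr.type !== 'AssignmentExpression') return null;
  if (!isIdent(expr.left, param)) return null;
  // compound form: t -= 467  or  t += -467
  if (expr.operator === '-=' || expr.operator === '+=') {
    const n = literalNumber(expr.right);
    if (n === null) return null;
    return expr.operator === '-=' ? n : -n;
  }
  // long form: t = t - 467  or  t = t + -467
  const rhs = expr.right;
  if (expr.operator === '=' && rhs && rhs.type === 'BinaryExpression' &&
      isIdent(rhs.left, param)) {
    const n = literalNumber(rhs.right);
    if (n === null) return null;
    if (rhs.operator === '-') return n;
    if (rhs.operator === '+') return -n;
  }
  return null;
}

// Constructed sample nodes mirroring the two shapes in the post.
const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const compound = { type: 'AssignmentExpression', operator: '-=',
  left: id('t'), right: lit(467) };
const longForm = { type: 'AssignmentExpression', operator: '=', left: id('t'),
  right: { type: 'BinaryExpression', operator: '-', left: id('t'), right: lit(467) } };
```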
Do you mind sharing the changes you made? I am getting a lot of AST errors due to using the deobfuscator on older versions. And relative said it was an issue with it not finding the string array function. etc
what you can do is manually locate the string-decoder(s) and modify the obfuscated code a bit to match what the deobfuscator is looking for. if you can post a link or dm me - i can help.
Yea, do you have like a discord? so we don't spam this issue? Add me cool#1337
@analtevs Hello?