Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to apply changes to AST #105

Closed
ajmeese7 opened this issue Jan 11, 2024 · 4 comments
Closed

Unable to apply changes to AST #105

ajmeese7 opened this issue Jan 11, 2024 · 4 comments
Assignees
Labels
question Further information is requested

Comments

@ajmeese7
Copy link

ajmeese7 commented Jan 11, 2024

Hello, when running this tool on my obfuscated JavaScript sample, I encounter the following issue:

$ npx restringer ./crypto_deobfuscated_manual.js                          
[+] Obfuscation type is augmented_proxied_array_function_replacements
[+] ==> Cycle 1 completed in 0.065 seconds with no changes (322838 nodes)
	[+] resolveFunctionToArray committed 1 new changes!
[+] ==> Cycle 2 completed in 21.652 seconds with 1 changes (322827 nodes)
	[+] removeRedundantBlockStatements committed 11 new changes!
	[+] resolveProxyVariables committed 38 new changes!
	[+] resolveProxyReferences committed 1021 new changes!
	[+] replaceIdentifierWithFixedAssignedValue committed 5 new changes!
	[+] simplifyCalls committed 32 new changes!
	[+] unwrapIIFEs committed 1 new changes!
[+] Applying changes to the root node...
[+] ==> Cycle 3 completed in 56.787 seconds with 1108 changes (328524 nodes)
	[+] resolveProxyReferences committed 34 new changes!
[+] ==> Cycle 4 completed in 11.028 seconds with 1142 changes (329008 nodes)
[+] ==> Cycle 5 completed in 1.089 seconds with 1142 changes (329008 nodes)
	[+] resolveMinimalAlphabet committed 4436 new changes!
	[+] resolveDefiniteBinaryExpressions committed 2002 new changes!
	[+] resolveMemberExpressionsLocalReferences committed 3 new changes!
	[+] resolveDefiniteMemberExpressions committed 1 new changes!
	[+] resolveLocalCalls committed 2094 new changes!
[+] ==> Cycle 6 completed in 629.334 seconds with 8536 changes (284790 nodes)
	[+] resolveProxyVariables committed 7 new changes!
	[+] resolveDeterministicIfStatements committed 1 new changes!
	[+] replaceIdentifierWithFixedAssignedValue committed 10 new changes!
[-] Unable to apply changes to AST: TypeError: Cannot read properties of undefined (reading '0')
[+] ==> Cycle 7 completed in 17.126 seconds with 18 changes (284788 nodes)
	[+] removeRedundantBlockStatements committed 1 new changes!
[-] Unable to apply changes to AST: TypeError: Cannot read properties of undefined (reading '0')
	[+] resolveProxyVariables committed 4 new changes!
[-] Unable to apply changes to AST: TypeError: Cannot read properties of undefined (reading '0')
[+] ==> Cycle 8 completed in 2.1 seconds with 23 changes (284788 nodes)
	[+] resolveMinimalAlphabet committed 264 new changes!
	[+] resolveDefiniteBinaryExpressions committed 68 new changes!

<--- Last few GCs --->


<--- JS stacktrace --->


#
# Fatal javascript OOM in MemoryChunk allocation failed during deserialization.
#

Trace/breakpoint trap (core dumped)

Is there any way this can be resolved, or a workaround I can implement on my end to allow the script to complete successfully? Even just failing gracefully and emitting the partially deobfuscated file before the errors would be great.

Thank you!


Possibly related: #64

@jorants
Copy link

jorants commented Jan 12, 2024

Not a fix, but you could try using the -m 5 argument to limit the cycles to the first five.

@BenBaryoPX
Copy link
Collaborator

Thanks for reaching out @ajmeese7
I'll need the obfuscated JS file that this happens on so I can reproduce the issue before I can debug it.

@BenBaryoPX BenBaryoPX added the question Further information is requested label Jan 12, 2024
@ajmeese7
Copy link
Author

@BenBaryoPX BenBaryoPX self-assigned this Dec 20, 2024
@BenBaryoPX
Copy link
Collaborator

@ajmeese7 with v2.0.6 there's no longer a fatal error. The deobfuscation was complete in ~11 minutes with the -m 1 option, though the result wasn't great. I'll use the sample to improve the deobfuscation process, but I believe you can deobfuscate it by using a custome deobfuscator. See the boilerplate code for starting from scratch

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests

3 participants