
Fix Broken function_to_array_replacements Deobfuscation #64

Open
Revadike opened this issue Jan 7, 2023 · 6 comments

Comments


Revadike commented Jan 7, 2023

[screenshot attached to the original issue; not reproduced here]

Revadike changed the title from "Deadlock" to "Errors" on Jan 7, 2023
Author

Revadike commented Jan 8, 2023

Sorry I was so vague.
You can try yourself: https://talon-website-prod.ecosec.on.epicgames.com/talon_sdk.js
There are a bunch of these errors while deobfuscating, and it ends up getting stuck in an endless loop (if you have no iteration cap).
I would appreciate it if you guys could look into this.
It's a big file, and it will definitely improve your already excellent tool if you can fix these issues.

@ctrl-escp
Contributor

Thanks for bringing this to my attention :)
I've started looking at it, and I realized that even though this obfuscation type is supposedly covered, this variation was missing.
I've already updated the obfuscation detector to replace the augmented array properly, so the next step is to figure out what else is breaking.

I'll update with any progress

Author

Revadike commented Jan 8, 2023

Thank you!

BenBaryoPX changed the title from "Errors" to "Fix Broken function_to_array_replacements Deobfuscation" on Sep 13, 2023

jorants commented Jan 10, 2024

I have a problem with this module as well, although I am not sure it is related.
escodegen is not up to date with the newest ECMAScript nodes, so it fails on a PrivateIdentifier AST node.

Adding

```js
class WithPriv {
  #privateId = 1;
}
```

to the array_function_replacements_local_proxies.js test case from obfuscation-detection gives an error

```text
[+] Obfuscation type is array_function_replacements
	[+] rearrangeSequences committed 3 new changes!
[-] Unable to apply changes to AST: TypeError: this[type] is not a function
	[+] separateChainedDeclarators committed 4 new changes!
[+] Applying changes to the root node...
[-] Unable to apply changes to AST: TypeError: this[type] is not a function
	[+] resolveProxyVariables committed 1192 new changes!
[-] Unable to apply changes to AST: TypeError: this[type] is not a function
	[+] resolveProxyReferences committed 1 new changes!
[-] Unable to apply changes to AST: TypeError: this[type] is not a function
	[+] replaceBooleanExpressionsWithIf committed 4 new changes!
[-] Unable to apply changes to AST: TypeError: this[type] is not a function
	[+] replaceSequencesWithExpressions committed 5 new changes!
[-] Unable to apply changes to AST: TypeError: this[type] is not a function
```

However, overriding the version of escodegen to use in package.json like so:

```json
  "overrides": {
    "escodegen": "npm:@javascript-obfuscator/escodegen"
  },
```

fixes the problem. I am trying to see if this fixes the talon_sdk.js file as well, but the file is so big that it has been running for a long time already.
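The `this[type] is not a function` error in the log above is what a table-driven code generator produces when it meets an AST node type it has no handler for: it looks up a method by `node.type` and calls whatever comes back. The following is an added example, not code from REstringer, obfuscation-detection or escodegen. It walks a constructed ESTree representation of the `class WithPriv { #privateId = 1; }` snippet, reports the node types a hypothetical ES2015-era generator does not know (`PropertyDefinition`, `PrivateIdentifier`), and shows a guard that refuses to hand such an AST to the generator so the pipeline fails with a named cause instead of a bare TypeError. `SUPPORTED_TYPES`, `MiniGenerator` and `generateOrExplain` are all assumptions for the example; a real check would derive the allow-list from the generator actually installed.

```javascript
// Added example, not code from REstringer or escodegen: a pre-flight walk over
// an ESTree AST that lists node types the code generator cannot emit, so the
// pipeline reports them by name instead of failing inside the generator with
// "TypeError: this[type] is not a function".

// Constructed sample: the ESTree shape a current parser produces for
//   class WithPriv { #privateId = 1; }
// (a class field is a PropertyDefinition keyed by a PrivateIdentifier).
const SAMPLE_AST = {
  type: 'Program',
  sourceType: 'script',
  body: [{
    type: 'ClassDeclaration',
    id: { type: 'Identifier', name: 'WithPriv' },
    superClass: null,
    body: {
      type: 'ClassBody',
      body: [{
        type: 'PropertyDefinition',
        static: false,
        computed: false,
        key: { type: 'PrivateIdentifier', name: 'privateId' },
        value: { type: 'Literal', value: 1, raw: '1' },
      }],
    },
  }],
};

// Hypothetical allow-list standing in for what an older, ES2015-era generator
// knows. A real check would take this from the generator actually in use.
const SUPPORTED_TYPES = new Set([
  'Program', 'ClassDeclaration', 'ClassBody', 'MethodDefinition',
  'Identifier', 'Literal', 'FunctionExpression', 'BlockStatement',
  'ExpressionStatement', 'CallExpression', 'MemberExpression',
  'VariableDeclaration', 'VariableDeclarator', 'ReturnStatement',
]);

// Generic ESTree traversal: any property holding an object with a string
// `type`, or an array of such objects, is a child node.
function* walk(node, path = 'root') {
  yield { node, path };
  for (const key of Object.keys(node)) {
    const value = node[key];
    if (Array.isArray(value)) {
      for (let i = 0; i < value.length; i++) {
        const child = value[i];
        if (child && typeof child.type === 'string') {
          yield* walk(child, `${path}.${key}[${i}]`);
        }
      }
    } else if (value && typeof value === 'object' && typeof value.type === 'string') {
      yield* walk(value, `${path}.${key}`);
    }
  }
}

// Returns every node whose type the generator does not know, with its path.
function findUnsupportedNodes(ast, supported = SUPPORTED_TYPES) {
  const found = [];
  for (const { node, path } of walk(ast)) {
    if (!supported.has(node.type)) found.push({ type: node.type, path });
  }
  return found;
}

// Minimal generator dispatching on node.type the way the logged error
// suggests: a type with no handler method raises the same TypeError.
class MiniGenerator {
  Literal(node) { return String(node.raw); }
  Identifier(node) { return node.name; }
  generate(node) {
    const type = node.type;
    return this[type](node); // undefined handler -> "this[type] is not a function"
  }
}

// Pipeline-side guard: run the pre-flight check before code generation and
// return a named reason instead of letting the generator throw.
function generateOrExplain(ast, generator, supported = SUPPORTED_TYPES) {
  const unsupported = findUnsupportedNodes(ast, supported);
  if (unsupported.length > 0) {
    const list = unsupported.map((u) => `${u.type} at ${u.path}`).join('; ');
    return { ok: false, reason: `generator lacks handlers for: ${list}` };
  }
  return { ok: true, code: generator.generate(ast) };
}
```

Running `generateOrExplain(SAMPLE_AST, new MiniGenerator())` returns `ok: false` with both offending node types and their paths, which is the information a maintainer needs to decide between swapping the generator (the `overrides` approach above) and skipping the unsupported subtree.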


jorants commented Jan 10, 2024

I could not reproduce the TypeError shown in the original issue; I did, however, run into a loop in the end:

```text
[+] ==> Cycle 71 completed in 5.893 seconds with 43751 changes (228682 nodes)
	[!] Running rearrangeSequences...
		[!] Running rearrangeSequences completed in 0.048 seconds
	[!] Running separateChainedDeclarators...
		[!] Running separateChainedDeclarators completed in 0.031 seconds
	[!] Running rearrangeSwitches...
		[!] Running rearrangeSwitches completed in 0.030 seconds
	[!] Running normalizeEmptyStatements...
		[!] Running normalizeEmptyStatements completed in 0.030 seconds
	[!] Running removeRedundantBlockStatements...
		[!] Running removeRedundantBlockStatements completed in 0.029 seconds
	[!] Running resolveRedundantLogicalExpressions...
		[!] Running resolveRedundantLogicalExpressions completed in 0.025 seconds
	[!] Running unwrapSimpleOperations...
		[!] Running unwrapSimpleOperations completed in 0.050 seconds
	[!] Running resolveProxyCalls...
		[!] Running resolveProxyCalls completed in 0.030 seconds
	[!] Running resolveProxyVariables...
		[!] Running resolveProxyVariables completed in 0.041 seconds
	[!] Running resolveProxyReferences...
		[!] Running resolveProxyReferences completed in 0.433 seconds
	[!] Running resolveMemberExpressionReferencesToArrayIndex...
		[!] Running resolveMemberExpressionReferencesToArrayIndex completed in 0.027 seconds
	[!] Running resolveMemberExpressionsWithDirectAssignment...
		[!] Running resolveMemberExpressionsWithDirectAssignment completed in 0.051 seconds
	[!] Running parseTemplateLiteralsIntoStringLiterals...
		[!] Running parseTemplateLiteralsIntoStringLiterals completed in 0.033 seconds
	[!] Running resolveDeterministicIfStatements...
		[!] Running resolveDeterministicIfStatements completed in 0.026 seconds
	[!] Running replaceCallExpressionsWithUnwrappedIdentifier...
		[!] Running replaceCallExpressionsWithUnwrappedIdentifier completed in 0.046 seconds
	[!] Running replaceEvalCallsWithLiteralContent...
		[!] Running replaceEvalCallsWithLiteralContent completed in 0.031 seconds
	[!] Running replaceIdentifierWithFixedAssignedValue...
		[!] Running replaceIdentifierWithFixedAssignedValue completed in 0.039 seconds
	[!] Running replaceIdentifierWithFixedValueNotAssignedAtDeclaration...
		[!] Running replaceIdentifierWithFixedValueNotAssignedAtDeclaration completed in 0.050 seconds
	[!] Running replaceNewFuncCallsWithLiteralContent...
		[!] Running replaceNewFuncCallsWithLiteralContent completed in 0.021 seconds
	[!] Running replaceBooleanExpressionsWithIf...
		[!] Running replaceBooleanExpressionsWithIf completed in 0.028 seconds
	[!] Running replaceSequencesWithExpressions...
	[+] replaceSequencesWithExpressions committed 16 new changes!
		[!] Running replaceSequencesWithExpressions completed in 5.056 seconds
	[!] Running resolveFunctionConstructorCalls...
		[!] Running resolveFunctionConstructorCalls completed in 0.046 seconds
	[!] Running replaceFunctionShellsWithWrappedValue...
		[!] Running replaceFunctionShellsWithWrappedValue completed in 0.043 seconds
	[!] Running replaceFunctionShellsWithWrappedValueIIFE...
		[!] Running replaceFunctionShellsWithWrappedValueIIFE completed in 0.040 seconds
	[!] Running simplifyCalls...
		[!] Running simplifyCalls completed in 0.052 seconds
	[!] Running unwrapFunctionShells...
		[!] Running unwrapFunctionShells completed in 0.046 seconds
	[!] Running unwrapIIFEs...
		[!] Running unwrapIIFEs completed in 0.050 seconds
	[!] Running simplifyIfStatements...
		[!] Running simplifyIfStatements completed in 0.039 seconds
```

replaceSequencesWithExpressions keeps finding 16 updates. I ran this both on the current master branch, and on a patched version as described in my previous post.
I am afraid I am not versed well enough in this project to fix the issue.
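The loop described in the post above, where a pass keeps committing the same number of changes cycle after cycle while the program as a whole stops improving, is the failure mode a fixed-point driver should detect on its own rather than leave to an iteration cap. The following is an added example and not REstringer's code: a driver that fingerprints the state after every cycle and stops on one of three outcomes: convergence (no pass reports changes), oscillation (the fingerprint matches an earlier cycle although passes still report changes, with the still-noisy passes named), or the cap. The "AST" is a constructed toy, a list of statement strings, and the three passes (`splitSequences`, `joinAdjacentCalls`, `foldConstants`) are hypothetical stand-ins chosen so that two of them undo each other.

```javascript
// Added example, not REstringer's own code: a fixed-point driver for
// deobfuscation passes that stops on convergence, on oscillation (state
// repeats while passes still claim changes), or on a hard cycle cap.

// FNV-1a 32-bit fingerprint of the serialized state; cheap enough to keep
// one per cycle and compare against every earlier cycle.
function fingerprint(state) {
  const s = JSON.stringify(state);
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Each pass is a named function taking the state and returning
// { state, changes }, mirroring the "committed N new changes" log lines.
function runToFixpoint(initial, passes, { maxCycles = 50 } = {}) {
  const seen = new Map(); // fingerprint -> cycle in which it was first seen
  let state = initial;
  seen.set(fingerprint(state), 0);
  for (let cycle = 1; cycle <= maxCycles; cycle++) {
    const changesByPass = {};
    let total = 0;
    for (const pass of passes) {
      const result = pass(state);
      state = result.state;
      changesByPass[pass.name] = result.changes;
      total += result.changes;
    }
    if (total === 0) return { status: 'converged', cycles: cycle, state };
    const fp = fingerprint(state);
    if (seen.has(fp)) {
      // The program came back to a shape already seen: either a pass reports
      // phantom changes (period 1) or passes are undoing each other.
      return {
        status: 'oscillating',
        cycles: cycle,
        period: cycle - seen.get(fp),
        noisyPasses: Object.keys(changesByPass).filter((p) => changesByPass[p] > 0),
        state,
      };
    }
    seen.set(fp, cycle);
  }
  return { status: 'capped', cycles: maxCycles, state };
}

// Constructed toy passes over a list of statement strings.

// "a(), b()" -> "a()", "b()"  (in the spirit of rearrangeSequences)
function splitSequences(stmts) {
  const out = [];
  let changes = 0;
  for (const s of stmts) {
    if (s.includes(', ')) { out.push(...s.split(', ')); changes++; } else out.push(s);
  }
  return { state: out, changes };
}

// "a()", "b()" -> "a(), b()"  (a pass that undoes the previous one)
function joinAdjacentCalls(stmts) {
  const out = [];
  let changes = 0;
  const isCall = (s) => /^\w+\(\)$/.test(s);
  for (let i = 0; i < stmts.length; i++) {
    if (i + 1 < stmts.length && isCall(stmts[i]) && isCall(stmts[i + 1])) {
      out.push(`${stmts[i]}, ${stmts[i + 1]}`);
      i++;
      changes++;
    } else {
      out.push(stmts[i]);
    }
  }
  return { state: out, changes };
}

// "x = 1 + 2" -> "x = 3"  (a pass that genuinely converges)
function foldConstants(stmts) {
  let changes = 0;
  const out = stmts.map((s) => {
    const m = s.match(/^(\w+ = )(\d+) \+ (\d+)$/);
    if (!m) return s;
    changes++;
    return `${m[1]}${Number(m[2]) + Number(m[3])}`;
  });
  return { state: out, changes };
}
```

With all three passes the driver reports `oscillating` after two cycles with period 1 and names `splitSequences` and `joinAdjacentCalls` as the passes still committing changes; drop `joinAdjacentCalls` and the same input converges in two cycles. Logging the fingerprint per cycle alongside the change counts is what turns "cycle 71, still 16 changes" into a diagnosable report of which pass to look at.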

@BenBaryoPX
Collaborator

I owe @Revadike an apology, as I didn't make much progress on this issue :(

@jorants, I've moved your comment to a new issue, as I feel it requires its own attention and discussion. Thanks for bringing it to my attention 🙏
