
Problem in push/shift decoding #126

Open
nero08 opened this issue Nov 23, 2024 · 6 comments
Labels
bug Something isn't working deobfuscate


nero08 commented Nov 23, 2024

Describe the bug

There is a problem when webcrack tries to decode the push/shift elements in the example I am sending.

It correctly decodes the elements associated with the function a0_0x528b, but the others are not used to decode the rest of the file.

I only sent the part that encodes the elements, because the full file is big.

Expected Behaviour

The whole file should be deobfuscated.

Code

full js file:

https://easyupload.io/34xky7

part of the obfuscated elements (push/shift functions):

  /**
   * Lookup function over the array returned by a0_0x569f() (defined in the full file, not shown here).
   * On its first call it fetches that array once, overwrites its own binding with an inner
   * function that closes over the array, and immediately calls that inner function.
   *
   * @param _0x3a1d3b index; 499 is subtracted from it before the array is indexed
   * @param _0x19d501 forwarded to the inner function, which does not use it
   * @returns the array element at (_0x3a1d3b - 499)
   */
  function a0_0x8190(_0x3a1d3b, _0x19d501) {
    var _0x40cbcd = a0_0x569f();
    // Self-replacement and the first lookup are fused into one return expression, and the
    // offset is applied with `-=` inside the index expression.
    // NOTE(review): a0_0x528b does the same work in separate statements; the report says only
    // a0_0x528b's entries were decoded, so this difference in shape may matter. Confirm.
    return (a0_0x8190 = function (_0x27b0be, _0x384693) {
      return _0x40cbcd[_0x27b0be -= 499];
    })(_0x3a1d3b, _0x19d501);
  }
  /**
   * Lookup function over the array returned by a0_0x2798() (defined in the full file, not shown here).
   * On its first call it fetches that array once, replaces its own binding with an inner
   * function that closes over the array, then calls itself again through the new binding.
   *
   * @param _0x41ec02 index; 337 is subtracted from it before the array is indexed
   * @param _0x528c27 forwarded to the inner function, which does not use it
   * @returns the array element at (_0x41ec02 - 337)
   */
  function a0_0x528b(_0x41ec02, _0x528c27) {
    var _0x2798e1 = a0_0x2798();
    // After this assignment every later call goes straight to the inner function,
    // so a0_0x2798() is invoked only once by this function.
    a0_0x528b = function (_0x528b1e, _0x200c9f) {
      // Remove the fixed offset to get the real array position.
      _0x528b1e = _0x528b1e - 337;
      var _0x5af9a0 = _0x2798e1[_0x528b1e];
      return _0x5af9a0;
    };
    return a0_0x528b(_0x41ec02, _0x528c27);
  }
  /**
   * Lookup function over the array returned by a0_0x2cca() (defined in the full file, not shown here).
   * On its first call it fetches that array once, overwrites its own binding with an inner
   * function that closes over the array, and immediately calls that inner function.
   *
   * @param _0x52cd28 index; 239 is subtracted from it before the array is indexed
   * @param _0x1076ae forwarded to the inner function, which does not use it
   * @returns the array element at (_0x52cd28 - 239)
   */
  function a0_0x5da2(_0x52cd28, _0x1076ae) {
    var _0x49e95c = a0_0x2cca();
    // Same fused form as a0_0x8190: assignment, call and `-=` offset in a single expression.
    return (a0_0x5da2 = function (_0x59f6b5, _0x498325) {
      return _0x49e95c[_0x59f6b5 -= 239];
    })(_0x52cd28, _0x1076ae);
  }
  // Alias for the a0_0x528b lookup function.
  var a0_0x5ede5b = a0_0x528b;
  // Rotation loop for the array returned by a0_0x2798 (passed in as _0x4d62c1): the first
  // element is moved to the end until the arithmetic check equals _0x58f3bd (297657).
  (function (_0x4d62c1, _0x58f3bd) {
    var _0x2b253d = a0_0x528b;
    // Presumably a0_0x2798 hands back the same array instance on every call, so rotating it
    // here also changes what a0_0x528b returns. a0_0x2798 is not shown; verify in the full file.
    var _0x53ceaf = _0x4d62c1();
    while (true) {
      try {
        // Check value: parseInt() of eleven looked-up entries combined with fixed divisors and signs.
        var _0xfff7c5 = parseInt(_0x2b253d(93088)) / 1 + -parseInt(_0x2b253d(113278)) / 2 * (parseInt(_0x2b253d(94808)) / 3) + -parseInt(_0x2b253d(123437)) / 4 * (parseInt(_0x2b253d(32382)) / 5) + -parseInt(_0x2b253d(64088)) / 6 + parseInt(_0x2b253d(51606)) / 7 + parseInt(_0x2b253d(47428)) / 8 * (parseInt(_0x2b253d(34299)) / 9) + -parseInt(_0x2b253d(108249)) / 10 * (-parseInt(_0x2b253d(127672)) / 11);
        if (_0xfff7c5 === _0x58f3bd) {
          break;
        } else {
          // Mismatch: rotate the array by one position and try again.
          _0x53ceaf.push(_0x53ceaf.shift());
        }
      } catch (_0x464780) {
        // An exception during the check is handled like a mismatch: rotate and retry.
        _0x53ceaf.push(_0x53ceaf.shift());
      }
    }
  })(a0_0x2798, 297657);
  // Alias for the a0_0x5da2 lookup function.
  var a0_0x263a20 = a0_0x5da2;
  // Rotation loop for the array returned by a0_0x2cca: the check value is computed through
  // a0_0x5da2 and the loop stops once it equals 693310 (compared with loose ==).
  (function () {
    var _0x5daa5e = a0_0x528b;
    var _0x4418a1 = a0_0x5da2;
    var _0x3867a0 = a0_0x2cca();
    while (true) {
      try {
        // Check value: parseInt() of eleven entries looked up through a0_0x5da2.
        if (-parseInt(_0x4418a1(96242)) * (-parseInt(_0x4418a1(44115)) / 2) + -parseInt(_0x4418a1(57808)) / 3 * (parseInt(_0x4418a1(4978)) / 4) + -parseInt(_0x4418a1(54189)) / 5 + parseInt(_0x4418a1(86330)) / 6 * (-parseInt(_0x4418a1(43705)) / 7) + parseInt(_0x4418a1(84986)) / 8 + -parseInt(_0x4418a1(22711)) / 9 + -parseInt(_0x4418a1(107165)) / 10 * (-parseInt(_0x4418a1(19300)) / 11) == 693310) {
          break;
        }
        // The method name is fetched through a0_0x528b, so this loop depends on the
        // a0_0x528b table as well. Presumably index 74333 resolves to "shift"; confirm
        // against the full file.
        _0x3867a0.push(_0x3867a0[_0x5daa5e(74333)]());
      } catch (_0x19f5e5) {
        // Rotation on error as well. Presumably index 103807 resolves to "push"; confirm.
        _0x3867a0[_0x5daa5e(103807)](_0x3867a0.shift());
      }
    }
  })();
  // Alias for the a0_0x8190 lookup function.
  var a0_0x3c7ee8 = a0_0x8190;
  // Rotation loop for the array returned by a0_0x569f: the check value is computed through
  // a0_0x8190 and the loop stops once it equals 178899 (compared with loose ==).
  (function () {
    var _0x370ed1 = a0_0x5da2;
    var _0x6c4b1e = a0_0x8190;
    var _0x48e352 = a0_0x569f();
    while (true) {
      try {
        // Check value: parseInt() of twelve entries looked up through a0_0x8190.
        if (+parseInt(_0x6c4b1e(68652)) * (parseInt(_0x6c4b1e(21730)) / 2) + parseInt(_0x6c4b1e(74730)) / 3 * (parseInt(_0x6c4b1e(19768)) / 4) + -parseInt(_0x6c4b1e(114501)) / 5 + parseInt(_0x6c4b1e(112379)) / 6 * (-parseInt(_0x6c4b1e(131033)) / 7) + parseInt(_0x6c4b1e(78507)) / 8 * (parseInt(_0x6c4b1e(87877)) / 9) + -parseInt(_0x6c4b1e(84410)) / 10 * (parseInt(_0x6c4b1e(86016)) / 11) + parseInt(_0x6c4b1e(39831)) / 12 == 178899) {
          break;
        }
        // Both method names are fetched through a0_0x5da2, so this loop depends on the
        // a0_0x5da2 table as well. Presumably 112192 resolves to "push" and 129489 to
        // "shift"; confirm against the full file.
        _0x48e352[_0x370ed1(112192)](_0x48e352[_0x370ed1(129489)]());
      } catch (_0xe8c56e) {
        // Rotation on error as well; here shift is written literally.
        _0x48e352[_0x370ed1(112192)](_0x48e352.shift());
      }
    }
  })();


a0_0x2cca, a0_0x2798 and a0_0x569f are dictionary functions; you can check them in the full file, because each dictionary is big.

Logs

webcrack:transforms prepare: started +0ms
  webcrack:transforms prepare: finished with 769 changes +1s
  webcrack:transforms deobfuscate: started +0ms
  webcrack:deobfuscate String Array: 132889 strings +0ms
  webcrack:deobfuscate String Array Rotate: yes +2ms
  webcrack:deobfuscate String Array Encodings: 1 +5ms
  webcrack:transforms inline-object-props: started +11s
  webcrack:transforms inline-object-props: finished with 1 changes +1s
  webcrack:transforms inline-decoder-wrappers: started +0ms
  webcrack:transforms inline-decoder-wrappers: finished with 143714 changes +11s
  webcrack:transforms inline-decoded-strings: started +27ms
  webcrack:transforms inline-decoded-strings: finished with 141225 changes +2s
  webcrack:transforms merge-strings, dead-code, control-flow-object, control-flow-switch: started +1ms
  webcrack:transforms merge-strings, dead-code, control-flow-object, control-flow-switch: finished with 0 changes +1s
  webcrack:transforms deobfuscate: finished with 284943 changes +0ms
  webcrack:transforms transpile, unminify: started +0ms
  webcrack:transforms transpile, unminify: finished with 523198 changes +3s
  webcrack:transforms self-defending, debug-protection, jsx, jsx-new: started +0ms
  webcrack:transforms self-defending, debug-protection, jsx, jsx-new: finished with 0 changes +2s
  webcrack:transforms merge-object-assignments, evaluate-globals: started +0ms
  webcrack:transforms merge-object-assignments, evaluate-globals: finished with 0 changes +9s
@nero08 nero08 added the bug Something isn't working label Nov 23, 2024
Owner

j4k0xb commented Nov 23, 2024

simply deobfuscate it multiple times

Author

nero08 commented Nov 23, 2024

I have this when I try:

`webcrack:transforms prepare: started +0ms
webcrack:transforms prepare: finished with 769 changes +988ms
webcrack:transforms deobfuscate: started +0ms
webcrack:deobfuscate String Array: 134577 strings +0ms
webcrack:deobfuscate String Array Rotate: yes +1ms
webcrack:deobfuscate String Array Encodings: 1 +6ms
webcrack:transforms inline-object-props: started +9s
webcrack:transforms inline-object-props: finished with 0 changes +1s
webcrack:transforms inline-decoder-wrappers: started +0ms
/webcrack/node_modules/.pnpm/@babel[email protected]/node_modules/@babel/types/lib/definitions/utils.js:95
function validate(node, key, val) {
^

RangeError: Maximum call stack size exceeded
at validate (/webcrack/node_modules/.pnpm/@babel[email protected]/node_modules/@babel/types/lib/definitions/utils.js:95:20)
at Object.assign.oneOfNodeTypes [as validate] (/webcrack/node_modules/.pnpm/@babel[email protected]/node_modules/@babel/types/lib/definitions/core.js:61:11)
at validateField (/webcrack/node_modules/.pnpm/@babel[email protected]/node_modules/@babel/types/lib/validators/validate.js:33:9)
at validate (/webcrack/node_modules/.pnpm/@babel[email protected]/node_modules/@babel/types/lib/validators/validate.js:16:3)
at NodePath._replaceWith (/webcrack/node_modules/.pnpm/@babel[email protected]/node_modules/@babel/traverse/lib/path/replacement.js:141:5)
at NodePath.replaceWith (/webcrack/node_modules/.pnpm/@babel[email protected]/node_modules/@babel/traverse/lib/path/replacement.js:127:16)
at inlineVariableAliases (file:///webcrack/packages/webcrack/dist/index.js:361:11)
at inlineVariableAliases (file:///webcrack/packages/webcrack/dist/index.js:348:24)
at inlineVariableAliases (file:///webcrack/packages/webcrack/dist/index.js:348:24)
at inlineVariableAliases (file:///webcrack/packages/webcrack/dist/index.js:348:24)

Node.js v20.16.0
`

Author

nero08 commented Nov 23, 2024

it's a babel issue?

Owner

j4k0xb commented Nov 23, 2024

nope it happens when inlining variables, gets stuck in an infinite loop for code like this:

_0x3f65e5 = _0x1042a4
// ...
_0x1042a4 = _0x3f65e5

why this occurs in the first place is still not clear

Author

nero08 commented Nov 24, 2024

So do you think I have to modify something in the obfuscated code to make it work?

Author

nero08 commented Nov 24, 2024

nope it happens when inlining variables, gets stuck in an infinite loop for code like this:

_0x3f65e5 = _0x1042a4
// ...
_0x1042a4 = _0x3f65e5

why this occurs in the first place is still not clear

Can you help me figure out what I have to do to fix that?
