
Comma Expression: different results #45

Open
Semnodime opened this issue May 22, 2023 · 1 comment
Comments

@Semnodime

I wanted to help out and started digging into the cause of #36.
Although I was unable to locate the core issue (I believe the deobfuscation would actually finish, although allowing a deobfuscation parameter to limit the time spent on reversing any particular function would be nice), I stumbled upon something:

Deobfuscating example A leads to vastly different results in comparison to deobfuscating example B

This feels somewhat awkward and I wonder whether there's a bug or how this happens.

@ben-sb It'd be nice if you could throw in a guess

Example A

    function Se(p1, p2) {
        _e(_e(_e(_e(De(De(De(De(Me(Me(Me(Me(Ae(
                                                            i = Ae(
                                                                i = Ae(
                                                                    i = Ae(
                                                                        i, r = Ae(
                                                                            r, a = Ae(
                                                                                a, n = Ae(
                                                                                    n, i, r, a, p2[0], 7, -680876936), i, r, p2[1], he, -389564586), n, i, p2[2], ge, 606105819), a, n, p2[3], we, -1044525330), r = Ae(
                                                                                        r, a = Ae(
                                                                                            a, n = Ae(
                                                                                                n, i, r, a, p2[4], 7, -176418897), i, r, p2[5], he, 1200080426), n, i, p2[6], ge, -1473231341), a, n, p2[7], we, -45705983), r = Ae(
                                                                                                    r, a = Ae(
                                                                                                        a, n = Ae(
                                                                                                            n, i, r, a, p2[8], 7, 1770035416),
                                                                        i, r, p2[9], he, -1958414417), n, i, p2[ue], ge, -42063), a, n, p2[le], we, -1990404162), r = Ae(r, a = Ae(a, n = Ae(n, i, r, a, p2[he], 7, 1804603682), i, r, p2[de], he, -40341101), n, i, p2[me], ge, -1502002290), a, n, p2[fe], we, 1236535329), r = Me(r, a = Me(a, n = Me(n, i, r, a, p2[1], 5, -165796510), i, r, p2[6], 9, -1069501632), n, i, p2[le], me, 643717713), a, n, p2[0], ve, -373897302), r = Me(r, a = Me(a, n = Me(n, i, r, a, p2[5], 5, -701558691), i, r, p2[ue], 9, 38016083), n, i, p2[fe], me, -660478335), a, n, p2[4], ve, -405537848), r = Me(r, a = Me(a, n = Me(n, i, r, a, p2[9], 5, 568446438), i, r, p2[me], 9, -1019803690), n, i, p2[3], me, -187363961), a, n, p2[8], ve, 1163531501), r = Me(r, a = Me(a, n = Me(n, i, r, a, p2[de], 5, -1444681467), i, r, p2[2], 9, -51403784), n, i, p2[7], me, 1735328473), a, n, p2[he], ve, -1926607734), r = De(r, a = De(a, n = De(n, i, r, a, p2[5], 4, -378558), i, r, p2[8], le, -2022574463), n, i, p2[le], pe, 1839030562), a, n, p2[me], be, -35309556), r = De(r, a = De(a, n = De(n, i, r, a, p2[1], 4, -1530992060), i, r, p2[4], le, 1272893353), n, i, p2[7], pe, -155497632), a, n, p2[ue], be, -1094730640), r = De(r, a = De(a, n = De(n, i, r, a, p2[de], 4, 681279174), i, r, p2[0], le, -358537222), n, i, p2[3], pe, -722521979), a, n, p2[6], be, 76029189), r = De(r, a = De(a, n = De(n, i, r, a, p2[9], 4, -640364487), i, r, p2[he], le, -421815835), n, i, p2[fe], pe, 530742520), a, n, p2[2], be, -995338651), r = _e(r, a = _e(a, n = _e(n, i, r, a, p2[0], 6, -198630844), i, r, p2[7], ue, 1126891415), n, i, p2[me], fe, -1416354905), a, n, p2[5], ye, -57434055), r = _e(r, a = _e(a, n = _e(n, i, r, a, p2[he], 6, 1700485571), i, r, p2[3], ue, -1894986606), n, i, p2[ue], fe, -1051523), a, n, p2[1], ye, -2054922799), r = _e(r, a = _e(a, n = _e(n, i, r, a, p2[8], 6, 1873313359), i, r, p2[fe], ue, -30611744), n, i, p2[6], fe, -1560198380), a, n, p2[de], ye, 1309151649), r = _e(r, a = _e(a, n = _e(n, i, r, a, p2[4], 6, -145523070), i, r, p2[le], ue, -1120210379), n, i, p2[2], fe, 718787259), a, n, p2[9], ye, -343485551)
        p1[0] = Ce(n, p1[0])
    }

    function Pe(p1, p2, p3, p4, p5, p6) {
        return p2 = Ce(p1, p6), Ce(p2 << p5 | p2 >>> Ve - p5, p3)
    }

    function Ae(p1, p2, p3, p4, p5, p6, p7) {
        return Pe(p2 & p3 | ~p2 & p4, p1, p2, p5, p6, p7)
    }


    function _e(p1, p2, p3, p4, p5, p6, p7) {
        return Pe(p3 ^ (p2 | ~p4), p1, p2, p5, p6, p7)
    }

Example B

Note: Differs only in this part, where the return statement with the comma expression in Pe is refactored into two statements:

    function Pe(p1, p2, p3, p4, p5, p6) {
        p2 = Ce(p1, p6)
        return Ce(p2 << p5 | p2 >>> Ve - p5, p3)
    }
@ben-sb
Owner

ben-sb commented Oct 6, 2024

It's likely due to repeatedly replacing nested proxy function calls in example A, resulting in larger and larger code each time, whereas in example B Pe isn't detected as a proxy function, due to now having statements other than just a simple return, so this issue doesn't occur.
For something like example A the best option is to disable the proxy function removal setting.
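A way to see why example A blows up and example B does not, as an added illustration that is not the deobfuscator's own code: a small model of proxy-function inlining that counts how many copies of a caller's argument survive once Ae and Pe (shapes taken from the examples above) are inlined. The helper names `replication`, `splitArgs` and `copiesAtDepth` are hypothetical.

```javascript
// Count whole-word occurrences of `param` in an expression string.
function occurrences(expr, param) {
  return (expr.match(new RegExp("\\b" + param + "\\b", "g")) || []).length;
}

// Split a call's argument text on top-level commas only.
function splitArgs(src) {
  const out = []; let depth = 0, cur = "";
  for (const ch of src) {
    if (ch === "(") depth++;
    else if (ch === ")") depth--;
    if (ch === "," && depth === 0) { out.push(cur.trim()); cur = ""; continue; }
    cur += ch;
  }
  out.push(cur.trim());
  return out;
}

// Proxy table modelled on example A: Pe's comma expression is still a single
// return, so both Pe and Ae count as proxies. In example B Pe has two
// statements and is therefore absent from the table (constructed data).
const EXAMPLE_A = {
  Pe: { params: ["p1", "p2", "p3", "p4", "p5", "p6"],
        body: "p2 = Ce(p1, p6), Ce(p2 << p5 | p2 >>> Ve - p5, p3)" },
  Ae: { params: ["p1", "p2", "p3", "p4", "p5", "p6", "p7"],
        body: "Pe(p2 & p3 | ~p2 & p4, p1, p2, p5, p6, p7)" },
};
const EXAMPLE_B = { Ae: EXAMPLE_A.Ae };

// How many times `param` of proxy `name` appears once every proxy call in
// its body has been inlined: each callee parameter is copied once per use.
function replication(proxies, name, param) {
  const { body } = proxies[name];
  const m = body.match(/^(\w+)\((.*)\)$/);
  if (!m || !proxies[m[1]]) return occurrences(body, param); // leaf body
  const callee = proxies[m[1]];
  return splitArgs(m[2]).reduce((sum, arg, i) =>
    sum + occurrences(arg, param) * replication(proxies, m[1], callee.params[i]), 0);
}

// Se nests its round calls so each call's first argument is the previous
// call; with `factor` copies per level the innermost call is copied factor^depth times.
function copiesAtDepth(factor, depth) {
  return BigInt(factor) ** BigInt(depth);
}

console.log("example A factor:", replication(EXAMPLE_A, "Ae", "p1")); // 3
console.log("example B factor:", replication(EXAMPLE_B, "Ae", "p1")); // 1
console.log("copies after 64 rounds (A):", copiesAtDepth(3, 64).toString());
```

With Pe inlined, Ae's first argument is written out three times (the `p2 = Ce(p1, p6)` assignment plus the two uses of `p2`), so the 64 nested round calls in Se grow by a factor of three per level; with Pe left alone the factor is one and the code stays linear.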
