I have a .exe file that I am trying to get the source code of, After some digging I figured out that it's in node.js and was compiled using vercel/pkg
I tried using pkg-unpacker however the output is all messed up and have a lot of null characters, even the node-modules modules have null characters in them, Only the *.js files have null characters, *.json are fine and are in their default format
I also saw used a hex editor but that code isn't human-readable at all
Some people suggested using ghidra_nodejs which will be my next step, however I don't know how to use it or if it will work with all the weird characters in the *.js files
I think that the project is obfuscated using https://obfuscator.io/ or https://www.npmjs.com/package/javascript-obfuscator
Any Ideas/Help is appreciated, Thanks!
Asked
Active
Viewed 3,205 times
9
Anon
- 91
- 1
- 2
1 Answers
1
The vercel/pkg tool takes javascript (node.js) code, compiles it into v8 bytecode and wraps it in an executable code that matches the platform.
As the Github page of the pkg-unpacker tool states:
This application DOES NOT decompile any code. By default pkg compiles code to V8 bytecode. Extracted files will remain in this format except for assets.
Included .json files are assets, so they are decoded into their original readable form. The code remains as v8 bytecode.
The mentioned Ghidra plugin can disassemble and/or decompile it into readable format for analysis.
There is a detailed article about reverse engineering this type of code here:
https://swarm.ptsecurity.com/how-we-bypassed-bytenode-and-decompiled-node-js-bytecode-in-ghidra/
Yotamz
- 1,207
- 6
- 19