AS1/2 deobfuscation of empty stack pops - returning Undefined instead

CHANGELOG.md

@@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file.
 - Copy AS1/2 Graph source (GraphViz) to clipboard - rightclick menu on graph
 - AS1 slash syntax support (decompilation, direct editation)
 - Setting of limit of executed instructions during AS1/2 deobfuscation
+- AS1/2 deobfuscation of empty stack pops
 
 ### Changed
 - AS1/2 Better unresolved constant handling - §§constant(xx) func instead of §§constantxx

libsrc/ffdec_lib/src/com/jpexs/decompiler/flash/action/LocalDataArea.java

@@ -12,10 +12,12 @@
  * Lesser General Public License for more details.
  * 
  * You should have received a copy of the GNU Lesser General Public
- * License along with this library. */
+ * License along with this library.
+ */
 package com.jpexs.decompiler.flash.action;
 
 import com.jpexs.decompiler.flash.ecma.EcmaScript;
+import com.jpexs.decompiler.flash.ecma.Undefined;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
@@ -51,6 +53,10 @@
 
     public String executionException;
 
+    public boolean checkStackSize = true;
+
+    public int undefinedCount = 0;
+
     public LocalDataArea(Stage stage) {
         this.stage = stage;
         this.target = this.stage;
@@ -64,6 +70,20 @@ public LocalDataArea(Stage stage, boolean preserveVariableOrder) {
         }
     }
 
+    public boolean stackIsEmpty() {
+        if (!checkStackSize) {
+            return false;
+        }
+        return stack.isEmpty();
+    }
+
+    public boolean stackHasMinSize(int count) {
+        if (!checkStackSize) {
+            return true;
+        }
+        return stack.size() >= count;
+    }
+
     public void clear() {
         constantPool = null;
         stack.clear();
@@ -76,17 +96,36 @@ public void clear() {
         returnValue = null;
         executionException = null;
         target = stage;
+        undefinedCount = 0;
+    }
+
+    public synchronized Object push(Object val) {
+        return stack.push(val);
     }
 
-    public Object pop() {
+    public synchronized Object peek() {
+        if (!checkStackSize && stack.isEmpty()) {
+            undefinedCount++;
+            stack.push(Undefined.INSTANCE);
+            return Undefined.INSTANCE;
+        }
+        return stack.peek();
+    }
+
+    public synchronized Object pop() {
+        boolean isEmpty = stack.isEmpty();
+        if (!checkStackSize && stack.isEmpty()) {
+            undefinedCount++;
+            return Undefined.INSTANCE;
+        }
         return stack.pop();
     }
 
-    public Double popAsNumber() {
-        return EcmaScript.toNumberAs2(stack.pop());
+    public synchronized Double popAsNumber() {
+        return EcmaScript.toNumberAs2(pop());
     }
 
-    public String popAsString() {
-        return EcmaScript.toString(stack.pop());
+    public synchronized String popAsString() {
+        return EcmaScript.toString(pop());
     }
 }

libsrc/ffdec_lib/src/com/jpexs/decompiler/flash/action/deobfuscation/ActionDeobfuscator.java

@@ -210,11 +210,23 @@ private boolean removeObfuscationIfs(FastActionList actions, Map<String, Object>
             ActionItem actionItem = iterator.next();
             result.clear();
             localData.clear();
-            /*ActionItem container = actions.getContainer(actionItem);
-             actions.setExcludedFlags(false);
-             if (container != null) {
-             markContainerActions(container, actions);
-             }*/
+
+            /*
+            When running code from first action,
+            there can be pops from stack when the stack is empty
+            which results in Undefined popped.
+            Some obfuscated code checks for these undefineds like:
+            
+            Not
+            If loc1
+                ConstantPool
+                Jump loc2
+            loc1:
+                <code>
+            loc2:
+            
+             */
+            localData.checkStackSize = !first; //this enables popping undefineds
 
             executeActions(actionItem, localData, cPool, result, fakeFunctions, useVariables, first);
 

libsrc/ffdec_lib/src/com/jpexs/decompiler/flash/action/swf4/ActionAdd.java

@@ -45,11 +45,11 @@ public String toString() {
 
     @Override
     public boolean execute(LocalDataArea lda) {
-        if (lda.stack.size() < 2) {
+        if (!lda.stackHasMinSize(2)) {
             return false;
         }
 
-        lda.stack.push(AddActionItem.getResult(lda.pop(), lda.pop(), false));
+        lda.push(AddActionItem.getResult(lda.pop(), lda.pop(), false));
         return true;
     }
 

libsrc/ffdec_lib/src/com/jpexs/decompiler/flash/action/swf4/ActionAnd.java

@@ -12,7 +12,8 @@
  * Lesser General Public License for more details.
  * 
  * You should have received a copy of the GNU Lesser General Public
- * License along with this library. */
+ * License along with this library.
+ */
 package com.jpexs.decompiler.flash.action.swf4;
 
 import com.jpexs.decompiler.flash.BaseLocalData;
@@ -44,11 +45,11 @@ public String toString() {
 
     @Override
     public boolean execute(LocalDataArea lda) {
-        if (lda.stack.size() < 2) {
+        if (!lda.stackHasMinSize(2)) {
             return false;
         }
 
-        lda.stack.push(AndActionItem.getResult(lda.pop(), lda.pop()));
+        lda.push(AndActionItem.getResult(lda.pop(), lda.pop()));
         return true;
     }
 

libsrc/ffdec_lib/src/com/jpexs/decompiler/flash/action/swf4/ActionAsciiToChar.java

@@ -12,7 +12,8 @@
  * Lesser General Public License for more details.
  * 
  * You should have received a copy of the GNU Lesser General Public
- * License along with this library. */
+ * License along with this library.
+ */
 package com.jpexs.decompiler.flash.action.swf4;
 
 import com.jpexs.decompiler.flash.BaseLocalData;
@@ -44,11 +45,11 @@ public String toString() {
 
     @Override
     public boolean execute(LocalDataArea lda) {
-        if (lda.stack.isEmpty()) {
+        if (lda.stackIsEmpty()) {
             return false;
         }
 
-        lda.stack.push(AsciiToCharActionItem.getResult(lda.pop()));
+        lda.push(AsciiToCharActionItem.getResult(lda.pop()));
         return true;
     }
 

libsrc/ffdec_lib/src/com/jpexs/decompiler/flash/action/swf4/ActionCall.java

@@ -12,7 +12,8 @@
  * Lesser General Public License for more details.
  * 
  * You should have received a copy of the GNU Lesser General Public
- * License along with this library. */
+ * License along with this library.
+ */
 package com.jpexs.decompiler.flash.action.swf4;
 
 import com.jpexs.decompiler.flash.BaseLocalData;
@@ -49,11 +50,11 @@ public String toString() {
 
     @Override
     public boolean execute(LocalDataArea lda) {
-        if (lda.stack.isEmpty()) {
+        if (lda.stackIsEmpty()) {
             return false;
         }
 
-        lda.stage.callFrame(EcmaScript.toInt32(lda.stack.pop()));
+        lda.stage.callFrame(EcmaScript.toInt32(lda.pop()));
         return true;
     }
 

libsrc/ffdec_lib/src/com/jpexs/decompiler/flash/action/swf4/ActionCharToAscii.java

@@ -12,7 +12,8 @@
  * Lesser General Public License for more details.
  * 
  * You should have received a copy of the GNU Lesser General Public
- * License along with this library. */
+ * License along with this library.
+ */
 package com.jpexs.decompiler.flash.action.swf4;
 
 import com.jpexs.decompiler.flash.BaseLocalData;
@@ -44,11 +45,11 @@ public String toString() {
 
     @Override
     public boolean execute(LocalDataArea lda) {
-        if (lda.stack.isEmpty()) {
+        if (lda.stackIsEmpty()) {
             return false;
         }
 
-        lda.stack.push(CharToAsciiActionItem.getResult(lda.pop()));
+        lda.push(CharToAsciiActionItem.getResult(lda.pop()));
         return true;
     }
 

libsrc/ffdec_lib/src/com/jpexs/decompiler/flash/action/swf4/ActionCloneSprite.java

@@ -48,13 +48,13 @@ public String toString() {
 
     @Override
     public boolean execute(LocalDataArea lda) {
-        if (lda.stack.size() < 3) {
+        if (!lda.stackHasMinSize(3)) {
             return false;
         }
 
-        int depth = EcmaScript.toInt32(lda.stack.pop());
-        String source = EcmaScript.toString(lda.stack.pop());
-        String target = EcmaScript.toString(lda.stack.pop());
+        int depth = EcmaScript.toInt32(lda.pop());
+        String source = EcmaScript.toString(lda.pop());
+        String target = EcmaScript.toString(lda.pop());
         Object clonedMember = lda.stage.getMember(source);
         if (clonedMember != Undefined.INSTANCE) {
             lda.stage.setMember(target, ((ActionScriptObject) clonedMember).clone());

libsrc/ffdec_lib/src/com/jpexs/decompiler/flash/action/swf4/ActionDivide.java

@@ -12,7 +12,8 @@
  * Lesser General Public License for more details.
  * 
  * You should have received a copy of the GNU Lesser General Public
- * License along with this library. */
+ * License along with this library.
+ */
 package com.jpexs.decompiler.flash.action.swf4;
 
 import com.jpexs.decompiler.flash.BaseLocalData;
@@ -44,11 +45,11 @@ public String toString() {
 
     @Override
     public boolean execute(LocalDataArea lda) {
-        if (lda.stack.size() < 2) {
+        if (!lda.stackHasMinSize(2)) {
             return false;
         }
 
-        lda.stack.push(DivideActionItem.getResult(lda.popAsNumber(), lda.popAsNumber()));
+        lda.push(DivideActionItem.getResult(lda.popAsNumber(), lda.popAsNumber()));
         return true;
     }
 

libsrc/ffdec_lib/src/com/jpexs/decompiler/flash/action/swf4/ActionEquals.java

@@ -12,7 +12,8 @@
  * Lesser General Public License for more details.
  * 
  * You should have received a copy of the GNU Lesser General Public
- * License along with this library. */
+ * License along with this library.
+ */
 package com.jpexs.decompiler.flash.action.swf4;
 
 import com.jpexs.decompiler.flash.BaseLocalData;
@@ -44,11 +45,11 @@ public String toString() {
 
     @Override
     public boolean execute(LocalDataArea lda) {
-        if (lda.stack.size() < 2) {
+        if (!lda.stackHasMinSize(2)) {
             return false;
         }
 
-        lda.stack.push(EqActionItem.getResult(lda.pop(), lda.pop(), false));
+        lda.push(EqActionItem.getResult(lda.pop(), lda.pop(), false));
         return true;
     }
 

libsrc/ffdec_lib/src/com/jpexs/decompiler/flash/action/swf4/ActionGetProperty.java

@@ -12,7 +12,8 @@
  * Lesser General Public License for more details.
  * 
  * You should have received a copy of the GNU Lesser General Public
- * License along with this library. */
+ * License along with this library.
+ */
 package com.jpexs.decompiler.flash.action.swf4;
 
 import com.jpexs.decompiler.flash.BaseLocalData;
@@ -48,18 +49,18 @@ public String toString() {
 
     @Override
     public boolean execute(LocalDataArea lda) {
-        if (lda.stack.size() < 2) {
+        if (!lda.stackHasMinSize(2)) {
             return false;
         }
 
-        int index = EcmaScript.toInt32(lda.stack.pop());
-        String target = EcmaScript.toString(lda.stack.pop());
+        int index = EcmaScript.toInt32(lda.pop());
+        String target = EcmaScript.toString(lda.pop());
         Object movieClip = lda.stage.getMember(target);
         if (movieClip instanceof ActionScriptObject) {
-            lda.stack.push(((ActionScriptObject) movieClip).getProperty(index));
+            lda.push(((ActionScriptObject) movieClip).getProperty(index));
             return true;
         }
-        lda.stack.push(Undefined.INSTANCE);
+        lda.push(Undefined.INSTANCE);
         return true;
     }
 

libsrc/ffdec_lib/src/com/jpexs/decompiler/flash/action/swf4/ActionGetTime.java

@@ -44,7 +44,7 @@ public String toString() {
 
     @Override
     public boolean execute(LocalDataArea lda) {
-        lda.stack.push(lda.stage.getTime());
+        lda.push(lda.stage.getTime());
         return true;
     }
 

libsrc/ffdec_lib/src/com/jpexs/decompiler/flash/action/swf4/ActionGetURL2.java

@@ -12,7 +12,8 @@
  * Lesser General Public License for more details.
  * 
  * You should have received a copy of the GNU Lesser General Public
- * License along with this library. */
+ * License along with this library.
+ */
 package com.jpexs.decompiler.flash.action.swf4;
 
 import com.jpexs.decompiler.flash.BaseLocalData;
@@ -112,12 +113,12 @@ public ActionGetURL2(FlasmLexer lexer) throws IOException, ActionParseException
 
     @Override
     public boolean execute(LocalDataArea lda) {
-        if (lda.stack.size() < 2) {
+        if (!lda.stackHasMinSize(2)) {
             return false;
         }
 
-        String target = EcmaScript.toString(lda.stack.pop());
-        String urlString = EcmaScript.toString(lda.stack.pop());
+        String target = EcmaScript.toString(lda.pop());
+        String urlString = EcmaScript.toString(lda.pop());
 
         //TODO: Execute - Connection
         return true;

libsrc/ffdec_lib/src/com/jpexs/decompiler/flash/action/swf4/ActionGetVariable.java

@@ -12,7 +12,8 @@
  * Lesser General Public License for more details.
  * 
  * You should have received a copy of the GNU Lesser General Public
- * License along with this library. */
+ * License along with this library.
+ */
 package com.jpexs.decompiler.flash.action.swf4;
 
 import com.jpexs.decompiler.flash.BaseLocalData;
@@ -50,7 +51,7 @@ public String toString() {
 
     @Override
     public boolean execute(LocalDataArea lda) {
-        if (lda.stack.isEmpty()) {
+        if (lda.stackIsEmpty()) {
             return false;
         }
 
@@ -59,7 +60,7 @@ public boolean execute(LocalDataArea lda) {
             value = Undefined.INSTANCE;
         }
 
-        lda.stack.push(value);
+        lda.push(value);
         return true;
     }