JASSDO tool - deobfuscator

d07.RiV
Some Honorary Title
Posts: 24
Joined: May 21st, 2008, 7:52 pm

JASSDO tool - deobfuscator

Post by d07.RiV »

I got confused over where to post it since I couldn't find a tool section, so I'm posting it here. Mod, feel free to move it.

This tool de-obfuscates JASS code in case your deprotector didn't do it or didn't do it well enough. I tested it with both .j files and .wts files recovered with xdep.
Features (all features can be turned off in .ini file):
Indents lines, inserts blank lines between functions.
Renames globals, locals and functions (xdep only renames globals).
Restores integers obfuscated as hexadecimals or characters (e.g. 'd' is restored as 100), bypasses simple arithmetic operations with constants (e.g. 123+877 is restored as 1000) and restores unit/item/etc IDs after that (so if protector converted 'U000' to 135436526+1293784898 the original ID will get recovered).
Extracts strings from WTS.
Prints function definitions and their line numbers to another file.
Inlines short functions (mostly generated by GUI)
Does not bug up when it finds a linebreak inside string constant (xdep stops indenting lines in this case).

.zip file contains .exe console application and .ini config file.
All input/output files are defined in .ini

http://www.mediafire.com/?1yypxxwmcd3
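
The integer-restoration feature described in the post above, as an added Python example (not JASSDO's own code, which is C++): it folds integer-only arithmetic and turns the result back into a four-character ID, as in the 'U000' case. The ID heuristic (four ASCII alphanumeric bytes), the function names and the sample script are assumptions made for this illustration.

```python
import re
from functools import reduce

# JASS integer literal forms: 0x/$ hex, 'U000' / 'd' codes, octal, decimal.
LIT = r"(?:0[xX][0-9a-fA-F]+|\$[0-9a-fA-F]+|'[^'\\\s]{4}'|'[^'\\\s]'|0[0-7]*|[1-9]\d*)"
TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"|//.*'                 # string constants and comments
    rf"|(?P<pre>[-*/]\s*)?(?<![\w.'])(?P<expr>{LIT}(?:\s*[-+*]\s*{LIT})*)"
    r"(?![\w.'])(?P<post>\s*[*/](?!/))?")

def value(lit):
    if lit[0] == "'":                         # character code, big-endian bytes
        return reduce(lambda n, ch: n * 256 + ord(ch), lit[1:-1], 0)
    if lit[0] == "$":
        return int(lit[1:], 16)
    if lit[:2].lower() == "0x":
        return int(lit, 16)
    return int(lit, 8) if lit[0] == "0" else int(lit)

def fold(expr):
    total, sign, product = 0, 1, None         # sum of signed products
    for tok in re.findall(rf"{LIT}|[-+*]", expr) + ["+"]:
        if tok in ("+", "-"):
            total += sign * product
            sign, product = (1 if tok == "+" else -1), None
        elif tok != "*":
            product = value(tok) if product is None else product * value(tok)
    return (total + 2**31) % 2**32 - 2**31    # wrap like a 32-bit JASS integer

def render(n):
    # Assumed heuristic: four ASCII alphanumeric bytes means an object ID.
    raw = n.to_bytes(4, "big") if 0 <= n < 2**32 else b""
    return f"'{raw.decode('ascii')}'" if raw.isalnum() else str(n)

def restore(src):
    def repl(m):
        if m.group("expr") is None:
            return m.group(0)                 # string or comment: untouched
        pre, post = m.group("pre") or "", m.group("post") or ""
        if pre or post:                       # a neighbouring - * / makes folding unsafe
            body = re.sub(LIT, lambda l: render(value(l.group(0))), m.group("expr"))
        else:
            body = render(fold(m.group("expr")))
        return pre + body + post
    return TOKEN.sub(repl, src)

SAMPLE = ("set udg_id=135436526+1293784898\n"   # constructed input
          "set n='d'+0x10*2-$A\n"
          'call Msg("cost 123+877",i-1+2)  // 1+1\n')
```

The third sample line is left unchanged on purpose: the text inside the string constant and the comment is not code, and `i-1+2` cannot be folded to `i-3` without changing its value.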
CrackUps
Member
Posts: 96
Joined: October 6th, 2007, 12:21 am

Re: JASSDO tool - deobfuscator

Post by CrackUps »

Virus total results

Antivirus Version Last Update Result
AhnLab-V3 2008.5.22.1 2008.05.22 -
AntiVir 7.8.0.19 2008.05.22 -
Authentium 5.1.0.4 2008.05.22 -
Avast 4.8.1195.0 2008.05.22 -
AVG 7.5.0.516 2008.05.22 -
BitDefender 7.2 2008.05.22 -
CAT-QuickHeal 9.50 2008.05.22 -
ClamAV 0.92.1 2008.05.22 -
DrWeb 4.44.0.09170 2008.05.22 -
eSafe 7.0.15.0 2008.05.22 -
eTrust-Vet 31.4.5812 2008.05.22 -
Ewido 4.0 2008.05.22 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.22 -
Fortinet 3.14.0.0 2008.05.22 -
GData 2.0.7306.1023 2008.05.22 -
Ikarus T3.1.1.26.0 2008.05.22 -
Kaspersky 7.0.0.125 2008.05.22 -
McAfee 5301 2008.05.22 -
Microsoft 1.3520 2008.05.22 -
NOD32v2 3123 2008.05.22 -
Norman 5.80.02 2008.05.22 -
Panda 9.0.0.4 2008.05.22 -
Prevx1 V2 2008.05.22 -
Rising 20.45.32.00 2008.05.22 -
Sophos 4.29.0 2008.05.22 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.22 -
TheHacker 6.2.92.317 2008.05.22 -
VBA32 3.12.6.6 2008.05.22 -
VirusBuster 4.3.26:9 2008.05.22 -
Webwasher-Gateway 6.6.2 2008.05.22 -

Looks good :)
Vegas
Shopping Maul USA Creator
Posts: 1733
Joined: January 18th, 2007, 11:07 am
Title: No Comment
Location: Calgary Canada

Re: JASSDO tool - deobfuscator

Post by Vegas »

44k, I don't trust it. Could be a password stealer. Who knows!! When I get a chance, I will try it on my other lappy with a banned key.
Bushido

Re: JASSDO tool - deobfuscator

Post by Bushido »

I don't trust this either ...
JJ2197
Legendary Genius
Posts: 1311
Joined: August 8th, 2007, 8:10 am
Title: Legendary Genius²
Location: St. George Utah

Re: JASSDO tool - deobfuscator

Post by JJ2197 »

It's 76kb... though he is from Vampirism Fire... so idk...
Tobias
Senior Member
Posts: 108
Joined: March 18th, 2008, 3:42 pm
Title: Map Maker
Location: Canadadadada

Re: JASSDO tool - deobfuscator

Post by Tobias »

I trust him, he made the RSA that Shamanno is gonna hate ;).
d07.RiV
Some Honorary Title
Posts: 24
Joined: May 21st, 2008, 7:52 pm

Re: JASSDO tool - deobfuscator

Post by d07.RiV »

Wow, I didn't know you've got such an attitude.
Here are the sources; if you still don't trust the .exe, then compile the sources yourself.

http://www.mediafire.com/?mtwxtbmxajg
Senethior459
Forum Staff
Posts: 2619
Joined: June 2nd, 2007, 6:53 pm
Title: I Just Lost the Game

Re: JASSDO tool - deobfuscator

Post by Senethior459 »

I'll trust him. Looks safe, I'll test it out!
Spoiler:
Scan taken on 23 May 2008 12:04:41 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

Well, it's an interesting program. It took the war3map.j and the war3map.wts and made two new files, war3mapDECL.j and war3mapDO.j. The DO is the normal war3map.j file. The DECL is actually just a list of the function titles, in order. It's a bunch of this.
Spoiler:
function Func0001 takes real loc_real01 returns nothing // line 204
function Func0002 takes nothing returns boolean // line 224
function Func0003 takes itemtype loc_itemtype01,integer loc_integer01 returns nothing // line 231
function Func0004 takes nothing returns nothing // line 242
function Func0005 takes nothing returns nothing // line 282
function Func0006 takes nothing returns boolean // line 287
function Func0007 takes unit loc_unit01,integer loc_integer01 returns item // line 291
function Func0008 takes nothing returns nothing // line 301
function Func0009 takes string loc_string01 returns boolean // line 331
function Func0010 takes player loc_player01 returns nothing // line 364
function Func0011 takes integer loc_integer01 returns integer // line 374

I'm not even sure if it was obfuscated beforehand, but afterward, it had changed from this
Spoiler:
globals
force O=null
force I=null
boolean array O0
string array I0
player OO=null
integer IO=0
integer OI=0
integer array II
integer O00=0
integer OO0=0
integer OI0=0
force O10=null
integer array I00
integer array IO0
string array II0
weathereffect array I10
boolean array O0O
unit array OOO
integer OIO=0

to THIS
Spoiler:
globals
force force001=null
force force002=null
boolean array booleans001
string array strings001
player player001=null
integer integer001=0
integer integer002=0
integer array integers001
integer integer003=0
integer integer004=0
integer integer005=0
force force003=null
integer array integers002
integer array integers003
string array strings002
weathereffect array weathereffects001
boolean array booleans002
unit array units001
integer integer006=0

It also tried to change rawcodes to four character rawcodes, from the integers that they were, but I unfortunately didn't have a .j file with that, so it did nothing. If anyone has a file with that type of protection, go ahead and try this, but I can't fully test it at the moment. One thing that was annoying, though, was that it renamed everything. I could have changed that, but it was the default. If I searched for function main, it will not come up. You need to figure out which line it was in the original, and scroll to it in the new one. Basically, it is TRUE AS ADVERTISED. If anyone else would like to test the other functions that I did not, please do, but this program seems like it will work if it IS obfuscated. For the amount of stuff that this has, I also doubt it has room for a virus, and as everyone's scans have come up clean... We can trust him. This seems like a very useful tool for deobfuscation, I'm going to keep it in case I do need it!

(edit) Yeah, you're right. I don't know what's up with that, nobody bothered to actually download and run a virus check, they just assumed that since it was that small, it must be a virus. Though, it doesn't help that you just joined yesterday, and that was your first post. Besides, my antivirus makes this horrible noise if I try to download spyware, and stops the download until I tell it to go, lol. Kaspersky seems pretty good so far!
d07.RiV
Some Honorary Title
Posts: 24
Joined: May 21st, 2008, 7:52 pm

Re: JASSDO tool - deobfuscator

Post by d07.RiV »

It's small because there are no resources (except an icon which takes up 1 kb) and it's done in C++ with no .net or anything, plus it's console. I don't know how people manage to make 1 MB .exe files unless they put in a bunch of images and stuff.

Anyway, I suppose I should not rename the "main" function because then it will not work. But other than that, most of the time obfuscated files rename all variables/functions to those O1I0 things so making these options set by default is okay.
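
The type-based renaming visible in Senethior459's before/after listing, together with the point above about leaving `main` alone, as an added Python example (a reimplementation inferred from the posted output, not the tool's source). It covers globals and functions only, not locals; keeping `config` as well as `main`, the helper names and the sample script are assumptions.

```python
import re
from collections import Counter

GLOBAL = re.compile(r"^\s*(?:constant\s+)?(\w+)(\s+array)?\s+(\w+)")
FUNC = re.compile(r"^\s*(?:constant\s+)?function\s+(\w+)\s+takes\b")
KEEP = {"main", "config"}       # entry points the game looks up by name (assumed list)
# Strings, quoted IDs and comments are matched first so they are never rewritten.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"' r"|'[^'\\\n]*'|//.*|\b[A-Za-z_]\w*")

def build_mapping(src):
    counts, mapping, in_globals = Counter(), {}, False
    for line in src.splitlines():
        if line.strip() in ("globals", "endglobals"):
            in_globals = line.strip() == "globals"
        elif in_globals and (m := GLOBAL.match(line)):
            stem = m.group(1) + ("s" if m.group(2) else "")   # arrays get a plural stem
            counts[stem] += 1
            mapping[m.group(3)] = f"{stem}{counts[stem]:03d}"
        elif (m := FUNC.match(line)) and m.group(1) not in KEEP:
            counts["Func"] += 1
            mapping[m.group(1)] = f"Func{counts['Func']:04d}"
    return mapping

def rename(src):
    mapping = build_mapping(src)
    return TOKEN.sub(lambda m: mapping.get(m.group(0), m.group(0)), src)

def declarations(src):
    """List each function header with its 1-based line number."""
    return [f"{line.strip()} // line {no}"
            for no, line in enumerate(src.splitlines(), 1) if FUNC.match(line)]

# Constructed obfuscated script; DoSomething is a hypothetical function.
SAMPLE = '''globals
force O=null
boolean array O0
string array I0
integer array II
integer I000=0
endglobals
function I0O takes unit OI returns nothing
call DoSomething(O0[II[0]],'I000',I0[1]+"O0")
endfunction
function main takes nothing returns nothing
call I0O(null)
endfunction
'''
```

The global `I000` is renamed while the quoted ID `'I000'` is not, which is the collision an `O`/`I`/`0` naming scheme invites. Function names passed as strings (for example to `ExecuteFunc`) are not rewritten, so renamed functions called that way need a manual check.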
GhettoChild
Old Wrinkly Member
Posts: 272
Joined: January 27th, 2007, 4:46 pm
Title: OxyContin
Location: Denver, Colorado

Re: JASSDO tool - deobfuscator

Post by GhettoChild »

Cool tool, I wish I had this earlier lol. Would have saved me some time.