9

I have a .exe file that I am trying to get the source code of, After some digging I figured out that it's in node.js and was compiled using vercel/pkg

I tried using pkg-unpacker however the output is all messed up and have a lot of null characters, even the node-modules modules have null characters in them, Only the *.js files have null characters, *.json are fine and are in their default format
I also saw used a hex editor but that code isn't human-readable at all

Some people suggested using ghidra_nodejs which will be my next step, however I don't know how to use it or if it will work with all the weird characters in the *.js files
I think that the project is obfuscated using https://obfuscator.io/ or https://www.npmjs.com/package/javascript-obfuscator

Any Ideas/Help is appreciated, Thanks!

Improve this question

1 Answer 1

Reset to default
2

The vercel/pkg tool takes javascript (node.js) code, compiles it into v8 bytecode and wraps it in an executable code that matches the platform.

As the Github page of the pkg-unpacker tool states:

This application DOES NOT decompile any code. By default pkg compiles code to V8 bytecode. Extracted files will remain in this format except for assets.

Included .json files are assets, so they are decoded into their original readable form. The code remains as v8 bytecode.

The mentioned Ghidra plugin can disassemble and/or decompile it into readable format for analysis.

There is a detailed article about reverse engineering this type of code here:

https://swarm.ptsecurity.com/how-we-bypassed-bytenode-and-decompiled-node-js-bytecode-in-ghidra/

Improve this answer
1
  • 1
    Note that the ghidra plugin linked above is not up-to-date with recent V8/NodeJS versions, the repo is archived, and it seems non-trivial to expand support to newer versions given that it involves changes to the V8 snapshotting bytecode (separate from the JS V8 bytecode itself). You might find this writeup I made recently for a challenge useful to hackily reverse it to get readable V8 assembly, but heads up it is on the longer side/not strictly focused on vercel/pkg reversing: github.com/JesseEmond/blitz-2024-registration Commented May 30, 2024 at 16:39

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.