Constantly out of memory

[NekoNyanners]

Im trying to deobfuscate a 1.1mb malware sample but Im constantly out of memory. Despite literally allocating 40GB of memory:
Here are some (usually alternating) crash reports:

[!] REstringer v2.0.7
[!] Deobfuscating out.js...
[+] Obfuscation type is Generic
        [+] removeRedundantBlockStatements applying 1 new changes!
        [+] resolveProxyVariables applying 21 new changes!
        [+] resolveProxyReferences applying 118 new changes!
        [+] replaceIdentifierWithFixedValueNotAssignedAtDeclaration applying 2 new changes!
        [+] simplifyCalls applying 34 new changes!

<--- Last few GCs --->


<--- JS stacktrace --->

Committing semi space failed.
is_heap_oom = 1


<--- Heap statistics --->
total_heap_size = 1843200
total_heap_size_executable = 0
total_physical_size = 1335296
total_available_size = 137777080
used_heap_size = 579392
heap_size_limit = 137363456
malloced_memory = 90256
peak_malloced_memory = 41000
does_zap_garbage = 0
[1]    20868 IOT instruction (core dumped)  NODE_OPTIONS="--max_old_space_size=40960" restringer index.js -o index-dec.js

---

[!] REstringer v2.0.7
[!] Deobfuscating out.js...
[+] Obfuscation type is Generic
        [+] removeRedundantBlockStatements applying 1 new changes!
        [+] resolveProxyVariables applying 21 new changes!
        [+] resolveProxyReferences applying 118 new changes!
        [+] replaceIdentifierWithFixedValueNotAssignedAtDeclaration applying 2 new changes!
        [+] simplifyCalls applying 34 new changes!


#
# Fatal JavaScript out of memory: MemoryChunk allocation failed during deserialization.
#
----- Native stack trace -----

 1: 0x101c1a1  [node]
 2: 0x27bb862 v8::base::FatalOOM(v8::base::OOMType, char const*) [node]
 3: 0x125fb42  [node]
 4: 0x125fdc7 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, v8::OOMDetails const&) [node]
 5: 0x148d805  [node]
 6: 0x14ea83f  [node]
 7: 0x14ea8e9 v8::internal::MemoryAllocator::AllocateUninitializedChunkAt(v8::internal::BaseSpace*, unsigned long, v8::internal::Executability, unsigned long, v8::internal::PageSize) [node]
 8: 0x14eac5c v8::internal::MemoryAllocator::AllocatePage(v8::internal::MemoryAllocator::AllocationMode, v8::internal::Space*, v8::internal::Executability) [node]
 9: 0x14fac83 v8::internal::SemiSpace::Commit() [node]
10: 0x14fb96f v8::internal::SemiSpaceNewSpace::SemiSpaceNewSpace(v8::internal::Heap*, unsigned long, unsigned long) [node]
11: 0x14a2bcf v8::internal::Heap::SetUpSpaces(v8::internal::LinearAllocationArea&, v8::internal::LinearAllocationArea&) [node]
12: 0x13eea94 v8::internal::Isolate::Init(v8::internal::SnapshotData*, v8::internal::SnapshotData*, v8::internal::SnapshotData*, bool) [node]
13: 0x190b804 v8::internal::Snapshot::Initialize(v8::internal::Isolate*) [node]
14: 0x12844ef v8::Isolate::Initialize(v8::Isolate*, v8::Isolate::CreateParams const&) [node]
15: 0x7f6d504dd356 ivm::IsolateEnvironment::IsolateCtor(unsigned long, std::shared_ptr<v8::BackingStore>, unsigned long) [/home/username/.config/nvm/versions/node/v22.13.0/lib/node_modules/restringer/node_modules/isolated-vm/out/isolated_vm.node]
16: 0x7f6d50512cac ivm::IsolateHandle::New(v8::MaybeLocal<v8::Object>) [/home/username/.config/nvm/versions/node/v22.13.0/lib/node_modules/restringer/node_modules/isolated-vm/out/isolated_vm.node]
17: 0x7f6d5051da6b void ivm::detail::RunBarrier<ivm::detail::CallbackMaker<v8::Local<v8::Value> (*)(v8::Local<v8::Value>, v8::MaybeLocal<v8::Object>), &(v8::Local<v8::Value> ivm::detail::ConstructorFunctionImpl<std::unique_ptr<ivm::ClassHandle, std::default_delete<ivm::ClassHandle> > (v8::MaybeLocal<v8::Object>)>::Invoke<&ivm::IsolateHandle::New>(v8::Local<v8::Value>, v8::MaybeLocal<v8::Object>)), -1, v8::FunctionCallbackInfo<v8::Value> const&>::Callback(v8::FunctionCallbackInfo<v8::Value> const&)::{lambda()#1}>(ivm::detail::CallbackMaker<v8::Local<v8::Value> (*)(v8::Local<v8::Value>, v8::MaybeLocal<v8::Object>), &(v8::Local<v8::Value> ivm::detail::ConstructorFunctionImpl<std::unique_ptr<ivm::ClassHandle, std::default_delete<ivm::ClassHandle> > (v8::MaybeLocal<v8::Object>)>::Invoke<&ivm::IsolateHandle::New>(v8::Local<v8::Value>, v8::MaybeLocal<v8::Object>)), -1, v8::FunctionCallbackInfo<v8::Value> const&>::Callback(v8::FunctionCallbackInfo<v8::Value> const&)::{lambda()#1}) [/home/username/.config/nvm/versions/node/v22.13.0/lib/node_modules/restringer/node_modules/isolated-vm/out/isolated_vm.node]
18: 0x7f6d5051dfc9 ivm::ConstructorFunction<std::unique_ptr<ivm::ClassHandle, std::default_delete<ivm::ClassHandle> > (*)(v8::MaybeLocal<v8::Object>), &ivm::IsolateHandle::New>::Entry(v8::FunctionCallbackInfo<v8::Value> const&) [/home/username/.config/nvm/versions/node/v22.13.0/lib/node_modules/restringer/node_modules/isolated-vm/out/isolated_vm.node]
19: 0x12b4dca  [node]
20: 0x12b511a v8::internal::Builtin_HandleApiConstruct(int, unsigned long*, v8::internal::Isolate*) [node]
21: 0x7f6d49e6c3b6 
^C[1]    20389 trace trap (core dumped)  NODE_OPTIONS="--max_old_space_size=20480" restringer out.js -o index-dec.js

---

With verbose:

$ restringer index.js -o index-dec.js -v

[!] REstringer v2.0.7
[!] Deobfuscating index.js...
[+] Obfuscation type is Generic
        [!] Running rearrangeSequences...
        [+] rearrangeSequences applying 905 new changes!
                [!] Running rearrangeSequences completed in 1.899 seconds
        [!] Running separateChainedDeclarators...
        [+] separateChainedDeclarators applying 528 new changes!
                [!] Running separateChainedDeclarators completed in 2.617 seconds
        [!] Running rearrangeSwitches...
                [!] Running rearrangeSwitches completed in 0.000 seconds
        [!] Running normalizeEmptyStatements...
                [!] Running normalizeEmptyStatements completed in 0.000 seconds
        [!] Running removeRedundantBlockStatements...
        [+] removeRedundantBlockStatements applying 1 new changes!
                [!] Running removeRedundantBlockStatements completed in 1.944 seconds
        [!] Running resolveRedundantLogicalExpressions...
                [!] Running resolveRedundantLogicalExpressions completed in 0.001 seconds
        [!] Running unwrapSimpleOperations...
                [!] Running unwrapSimpleOperations completed in 0.019 seconds
        [!] Running resolveProxyCalls...
                [!] Running resolveProxyCalls completed in 0.001 seconds
        [!] Running resolveProxyVariables...
        [+] resolveProxyVariables applying 21 new changes!
                [!] Running resolveProxyVariables completed in 2.490 seconds
        [!] Running resolveProxyReferences...
        [+] resolveProxyReferences applying 117 new changes!
                [!] Running resolveProxyReferences completed in 1.995 seconds
        [!] Running resolveMemberExpressionReferencesToArrayIndex...
                [!] Running resolveMemberExpressionReferencesToArrayIndex completed in 0.002 seconds
        [!] Running resolveMemberExpressionsWithDirectAssignment...
                [!] Running resolveMemberExpressionsWithDirectAssignment completed in 0.013 seconds
        [!] Running parseTemplateLiteralsIntoStringLiterals...
                [!] Running parseTemplateLiteralsIntoStringLiterals completed in 0.001 seconds
        [!] Running resolveDeterministicIfStatements...
                [!] Running resolveDeterministicIfStatements completed in 0.000 seconds
        [!] Running replaceCallExpressionsWithUnwrappedIdentifier...
                [!] Running replaceCallExpressionsWithUnwrappedIdentifier completed in 0.063 seconds
        [!] Running replaceEvalCallsWithLiteralContent...
                [!] Running replaceEvalCallsWithLiteralContent completed in 0.015 seconds
        [!] Running replaceIdentifierWithFixedAssignedValue...
                [!] Running replaceIdentifierWithFixedAssignedValue completed in 0.020 seconds
        [!] Running replaceIdentifierWithFixedValueNotAssignedAtDeclaration...
        [+] replaceIdentifierWithFixedValueNotAssignedAtDeclaration applying 2 new changes!
                [!] Running replaceIdentifierWithFixedValueNotAssignedAtDeclaration completed in 1.781 seconds
        [!] Running replaceNewFuncCallsWithLiteralContent...
SyntaxError: 'return' outside of function
    at Espree.raise (file:///home/username/.config/nvm/versions/node/v22.13.0/lib/node_modules/restringer/node_modules/espree/lib/espree.js:263:25)
    at pp$8.parseReturnStatement (file:///home/username/.config/nvm/versions/node/v22.13.0/lib/node_modules/restringer/node_modules/acorn/dist/acorn.mjs:1084:12)
    at pp$8.parseStatement (file:///home/username/.config/nvm/versions/node/v22.13.0/lib/node_modules/restringer/node_modules/acorn/dist/acorn.mjs:914:37)
    at pp$8.parseTopLevel (file:///home/username/.config/nvm/versions/node/v22.13.0/lib/node_modules/restringer/node_modules/acorn/dist/acorn.mjs:823:21)
    at Espree.parseTopLevel (file:///home/username/.config/nvm/versions/node/v22.13.0/lib/node_modules/restringer/node_modules/espree/lib/espree.js:251:26)
    at Espree.parse (file:///home/username/.config/nvm/versions/node/v22.13.0/lib/node_modules/restringer/node_modules/acorn/dist/acorn.mjs:595:15)
    at Espree.parse (file:///home/username/.config/nvm/versions/node/v22.13.0/lib/node_modules/restringer/node_modules/espree/lib/espree.js:173:35)
    at parse (file:///home/username/.config/nvm/versions/node/v22.13.0/lib/node_modules/restringer/node_modules/espree/espree.js:134:38)
    at parseCode (file:///home/username/.config/nvm/versions/node/v22.13.0/lib/node_modules/restringer/node_modules/flast/src/flast.js:16:19)
    at generateRootNode (file:///home/username/.config/nvm/versions/node/v22.13.0/lib/node_modules/restringer/node_modules/flast/src/flast.js:97:14) {
  index: 0,
  lineNumber: 1,
  column: 1
}
[-] Unable to replace new function's body with call expression: TypeError: Cannot read properties of undefined (reading 'body')
                [!] Running replaceNewFuncCallsWithLiteralContent completed in 0.002 seconds
        [!] Running replaceBooleanExpressionsWithIf...
        [+] replaceBooleanExpressionsWithIf applying 343 new changes!
                [!] Running replaceBooleanExpressionsWithIf completed in 2.470 seconds
        [!] Running replaceSequencesWithExpressions...
        [+] replaceSequencesWithExpressions applying 860 new changes!
                [!] Running replaceSequencesWithExpressions completed in 1.952 seconds
        [!] Running resolveFunctionConstructorCalls...
                [!] Running resolveFunctionConstructorCalls completed in 0.015 seconds
        [!] Running replaceFunctionShellsWithWrappedValue...
                [!] Running replaceFunctionShellsWithWrappedValue completed in 0.001 seconds
        [!] Running replaceFunctionShellsWithWrappedValueIIFE...
                [!] Running replaceFunctionShellsWithWrappedValueIIFE completed in 0.001 seconds
        [!] Running simplifyCalls...
        [+] simplifyCalls applying 34 new changes!
                [!] Running simplifyCalls completed in 2.089 seconds
        [!] Running unwrapFunctionShells...
                [!] Running unwrapFunctionShells completed in 0.003 seconds
        [!] Running unwrapIIFEs...
                [!] Running unwrapIIFEs completed in 0.010 seconds
        [!] Running simplifyIfStatements...
                [!] Running simplifyIfStatements completed in 0.001 seconds
        [!] Running resolveMinimalAlphabet...
terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
[1]    5240 IOT instruction (core dumped)  restringer index.js -o index-dec.js -v

---

Is there a way to maybe disable heavy modules?
I have attached the malware sample index.js below. (again, MALWARE - be careful 😸)

index.txt

[NullDev]

I encountered a similar sample. I am not sure if it's both of them are custom obfuscators or if both are based on the same one, but it looked very similar. Same out of memory problems though

[KenMacD]

Did you try with a larger heap size? I hit this until I ran it with node --max-old-space-size=8192 /usr/local/bin/restringer ... (to use 8GB)