These days, obfuscation of Javascript code has become commonplace. Companies have been using obfuscation for years to hide and "protect" the business logic of their application or script. Of course, threat actors have been reversing these kinds of obfuscation for years too. This is a never ending game, in which the difficulty increases with each turn. Companies have also been advertising how strong and "unbreakable" their obfuscation mechanisms are in order to attract customers. In this article, we are going to give a try at reversing a Javascript VM obfuscation made by Kasada, which claims the following statement:

Let's see if we can "beat cybercriminals".

Virtual Machine obfuscation is a specific type of obfuscation in which the code is "compiled" into bytecode and meant to be executed by a specially crafted Virtual Machine. This VM generally contains a specific set of custom instructions necessary to run the bytecode. Sadly, this is no perfect world and this type of obfuscation comes with some problems. First, it is tedious and time consuming to make. It also comes with some performance issues, especially with a high-level language like Javascript. Reverse engineering that kind of obfuscation is difficult; it depends on the size of the instruction set and on the complexity of the instructions. But it is far from impossible. It is even quite common to see CTF challenges involving VM obfuscation, especially in low-level languages.

Let's not waste your time, let's dig right into the technical part of this article.

The following screenshot is the code that is executed by the end user's browser. We can identify 3 different parts: first, 2 libraries, easily identifiable because of their licenses. At the bottom the bytecode, and the top part must be the virtual machine logic. Note: We redacted some parts of the code for legibility purposes.

Once we have the code, I personally like to do some quick dynamic analysis at the beginning of the reverse engineering process. We know for sure that the script will make some call home. As we don't want to trigger any false positive alert or cause any trouble, it is important to run the script in a sandboxed environment. In our case, we ran the script in Chromium on a Linux virtual machine without a network card. In this way we will avoid any kind of call home. We also used a proxy to keep a history of the requests made by the code.

Luckily, for reverse engineering Javascript code there is no need for expensive tools. We exclusively used the development tools of Chromium/Chrome and our favorite text editor.

Working on the code

Beautifying the code

As you may have noticed, the code is minified. So the first step towards our goal is to pass the VM logic code into any "Javascript beautifier" tool. When using that kind of tool, I'm always afraid that it will "break" something. Especially in this case, we were expecting some checks on the source code and even some antidebugging. We paid attention to the behavior of the script after the "beautifying process". Thanks to the quick dynamic analysis we have done earlier, we know that the code tries to call a specific endpoint. Same behavior after the "beautifying process": both of the scripts were acting exactly the same and both tried to call the same endpoint.
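To make the VM obfuscation mechanism described above concrete, here is an added example, not code from the article and not Kasada's VM: a miniature stack-based VM in Javascript with a made-up opcode table (`OP`), a tiny assembler, the interpreter loop (`runVm`) of the kind that ships inside an obfuscated script, and the disassembler (`disassemble`) an analyst typically writes first so the bytecode can be read by name. The opcodes, the XOR key and the sample string `/api` are all constructed for illustration.

```javascript
// Added example (not from the original article): a miniature stack VM of the
// kind VM obfuscators emit. Opcode numbers, instruction set, XOR key and the
// sample program are constructed for illustration only.

const OP = { PUSH: 0x10, ADD: 0x11, XOR: 0x12, CONCAT: 0x13, CHR: 0x14, HALT: 0xff };

// Tiny assembler: turns a readable listing into the byte array the VM executes.
function assemble(listing) {
  const bytes = [];
  for (const line of listing) {
    const [mnemonic, ...args] = line.trim().split(/\s+/);
    if (!(mnemonic in OP)) throw new Error(`unknown mnemonic ${mnemonic}`);
    bytes.push(OP[mnemonic]);
    if (mnemonic === 'PUSH') {
      const v = Number(args[0]);
      if (!Number.isInteger(v) || v < 0 || v > 0xffff) throw new Error('PUSH operand out of range');
      bytes.push(v >> 8, v & 0xff); // 16-bit big-endian operand
    }
  }
  return Uint8Array.from(bytes);
}

// The interpreter shipped with the obfuscated script: fetch, decode, dispatch.
function runVm(bytecode) {
  const stack = [];
  let pc = 0;
  const pop = () => {
    if (stack.length === 0) throw new Error(`stack underflow at pc=${pc}`);
    return stack.pop();
  };
  while (pc < bytecode.length) {
    const op = bytecode[pc++];
    switch (op) {
      case OP.PUSH: stack.push((bytecode[pc] << 8) | bytecode[pc + 1]); pc += 2; break;
      case OP.ADD: { const b = pop(), a = pop(); stack.push(a + b); break; }
      case OP.XOR: { const b = pop(), a = pop(); stack.push(a ^ b); break; }
      case OP.CHR: stack.push(String.fromCharCode(pop())); break;
      case OP.CONCAT: { const b = pop(), a = pop(); stack.push(String(a) + String(b)); break; }
      case OP.HALT: return pop(); // top of stack is the program's result
      default: throw new Error(`bad opcode 0x${op.toString(16)} at ${pc - 1}`);
    }
  }
  throw new Error('program ran off the end of the bytecode');
}

// What the analyst writes first: name every opcode so the bytecode can be read.
function disassemble(bytecode) {
  const names = Object.fromEntries(Object.entries(OP).map(([k, v]) => [v, k]));
  const out = [];
  let pc = 0;
  while (pc < bytecode.length) {
    const addr = pc;
    const op = bytecode[pc++];
    if (op === OP.PUSH) {
      const v = (bytecode[pc] << 8) | bytecode[pc + 1];
      pc += 2;
      out.push(`${addr}: PUSH ${v}`);
    } else {
      out.push(`${addr}: ${names[op] || `DB 0x${op.toString(16)}`}`);
    }
  }
  return out;
}

// Constructed sample: build a string one character at a time, each code point
// XORed against a key, so no readable string survives in the bytecode.
const KEY = 0x5a;
function obfuscateString(s) {
  const listing = [];
  for (let i = 0; i < s.length; i++) {
    listing.push(`PUSH ${s.charCodeAt(i) ^ KEY}`, `PUSH ${KEY}`, 'XOR', 'CHR');
    if (i > 0) listing.push('CONCAT');
  }
  listing.push('HALT');
  return listing;
}

const SAMPLE_PROGRAM = assemble(obfuscateString('/api'));
```

`runVm(SAMPLE_PROGRAM)` rebuilds the hidden string `/api`, while `disassemble(SAMPLE_PROGRAM)` exposes the repeating `PUSH / PUSH / XOR / CHR` idiom; spotting such a decoder pattern in a real VM's listing is what turns an opaque byte blob into recoverable strings and, eventually, recoverable logic.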
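As an added example of the dynamic-analysis step described above (not part of the original article), this is the kind of hook one can load in the devtools console before running an untrusted script in the sandbox: it wraps `fetch` and `XMLHttpRequest.prototype.open` so every endpoint the script tries to reach is logged, while `fetch` fails the way it does on a machine with no network card. `installNetworkRecorder`, its `endpoints()` summary and the `scope` parameter are my own names; in a browser you would pass `window`.

```javascript
// Added example (not from the original article): record every "call home"
// attempt a script makes while it runs in a sandbox. Function and parameter
// names are constructed for illustration; in a browser, pass `window` as scope.

function installNetworkRecorder(scope) {
  const log = [];
  const originalFetch = scope.fetch;
  const XHR = scope.XMLHttpRequest;
  const originalOpen = XHR && XHR.prototype ? XHR.prototype.open : undefined;

  // Wrap fetch: note the target, then fail exactly as a browser does when the
  // network is unreachable (a TypeError), so the script follows its offline path.
  scope.fetch = function recordedFetch(input, init) {
    const url = typeof input === 'string' ? input : String(input && input.url);
    const method = (init && init.method) || 'GET';
    log.push({ api: 'fetch', method: method.toUpperCase(), url });
    return Promise.reject(new TypeError('network disabled by analysis harness'));
  };

  // Wrap XMLHttpRequest.open: note the target and let the real open() run; the
  // later send() fails on its own because the sandbox has no network.
  if (originalOpen) {
    XHR.prototype.open = function recordedOpen(method, url, ...rest) {
      log.push({ api: 'xhr', method: String(method).toUpperCase(), url: String(url) });
      return originalOpen.call(this, method, url, ...rest);
    };
  }

  return {
    log,
    // Distinct endpoints (origin + path, query string dropped) for a quick summary.
    endpoints() {
      const seen = new Set();
      for (const entry of log) {
        try {
          const u = new URL(entry.url);
          seen.add(`${u.origin}${u.pathname}`);
        } catch (e) {
          seen.add(entry.url); // relative or malformed URL: keep it verbatim
        }
      }
      return [...seen].sort();
    },
    // Restore the original functions once the run is over.
    uninstall() {
      scope.fetch = originalFetch;
      if (originalOpen) XHR.prototype.open = originalOpen;
    },
  };
}

// Usage in a browser devtools console, before loading the untrusted script:
//   const rec = installNetworkRecorder(window);
//   ... run the script ...
//   console.table(rec.log); rec.endpoints(); rec.uninstall();
```

The recorder complements, rather than replaces, the proxy mentioned above: the proxy sees what actually leaves the machine, while the in-page hook also captures attempts that never reach the wire and keeps the call site's method and URL exactly as the script built them.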