Minded Security, profile picture
Uploaded byMinded Security
PDF, PPTX32,625 views

Advanced JS Deobfuscation

This document discusses JavaScript deobfuscation techniques using abstract syntax trees (ASTs). It begins by explaining goals of JavaScript obfuscation like blocking reverse engineering and bypassing antivirus detection. Common obfuscation techniques like eval packing and JSFuck are described. The document then discusses approaches to deobfuscation including runtime execution and manual analysis. It focuses on the benefits of partial evaluation using AST traversal and subtree reduction to perform operations like constant folding and function inlining. Examples are provided of challenges in evaluating complex data structures and functions. The conclusion is that AST-based deobfuscation is difficult but can counter some obfuscation techniques through multi-pass analysis and function hoisting.

Software
In this document
Powered by AI

Introducing advanced JavaScript concepts focused on the challenges and techniques of obfuscation.

JavaScript's flexibility enables various coding methods, enhancing obfuscation at the cost of readability.

Goals include protecting intellectual property and bypassing security measures like AV and WAF.

Listing several obfuscation tools and techniques used in public and commercial applications.

Demonstrating outputs from JSObfu, AAEncode, and JJEncode to illustrate obfuscation effectiveness.

Emphasizing the importance of deobfuscation for defense, detection, and analysis of obfuscated code.

Describes essential attributes of a successful deobfuscation process: semantics, automation, readability, etc.

Exploring methods of deobfuscation ranging from runtime analysis to manual efforts and hybrid approaches.

Using partial evaluation to split programs into static and dynamic parts for better analysis.

Describing the process of using an Abstract Syntax Tree (AST) for code reduction and clarity.

Presenting an initiative to create an AST-based deobfuscator tailored for JSObfu.

Discussing improvements in handling global variable management and object management for deobfuscation.

Methods for evaluating functions and substituting constant values in deobfuscation optimization.

Addressing difficulties in manipulating complex data structures like arrays and objects during deobfuscation.

Live demonstration of a tool related to the concepts discussed in the presentation.

Concluding thoughts on the effectiveness of AST-based deobfuscation techniques and future implications.

Providing contact details and inviting questions regarding the presented content.

Embed presentation

Download as PDF, PPTX
Advanced JS DeObfuscation via AST Stefano Di Paola CTO + Chief Scientist @MindedSecurity
JS And Obfuscation ❖ JS is super flexible! ❖ 1k+N ways the do the same thing - +N is the JS way ❖ OK from a Dev POV - performances apart ❖ Not Always OK for readability. ❖ SUPER OK for Obfuscation!
Goals of Obfuscation ❖Block-Limit RE – Intellectual Property preservation – AV Bypass of Exploits – WAF Bypass of Cross Site Scripting Payload 3
JS Obfuscators ❖Several Public Obfuscation techniques: – Eval Packer: http://dean.edwards.name/packer/ – Metasploit JSObfu: https://github.com/rapid7/jsobfu – JSFuck (From Slackers): http://www.jsfuck.com/ – JJEncode : http://utf-8.jp/public/jjencode.html – AAEncode: http://utf-8.jp/public/aaencode.html – Node-Obf: https://github.com/wearefractal/node-obf – https://github.com/search?p=2&q=obfuscator+JavaScript&type=Repositories&utf8=% E2%9C%93 – On the wild ...  Some commercial Obfuscator & Malware Obfuscator
JSObfu JSF#*k Output Example
AAEncode JJEncode Output Example
Why Do We Want to Deobfuscate? ❖Defense! ❖Mainly to revert the Scope of Obfuscation: – AV detection of known Exploits – Precise WAF identification of Cross Site Scripting Payload – Intellectual property (yeah that too)  The Final Goal is to create a "Normalized" version of the code that will allow easier comparison and analysis
Deobfuscation from P to P1 ❖Semantics preservation: – Semantics preservation is required. ❖Automation: – P1 is obtained from P without the need for hand work (Ideally). ❖Robustness: – All code valid to the interpreter should be parsable by the deobfuscator. ❖Readability: – P1 is easy to adapt and analyze. ❖Efficiency: – Program P1 should not be much slower or larger than P.
Deobfuscation Techniques ❖ Easy way: – Runtime. Sandboxed Environment to execute payload. (PhantomJS, Thug, JSCli..) – Pro : Easy – Cons: behavior based. Can't classify by source code. Hard to analyze what's going on. Possible Auto Pwnage. ❖ Harder Way: – By hand (!!!) – Pro: Human brain can be used. – Cons: Human brain MUST be used. Slow, High Expertise… A Lot. ❖ Hard/Easy Way: – Runtime + Static Analysis -> Hybrid approach via Partial Evaluation. – Pro: Leads to interesting results. – Cons: Hard to implement. Not trivial to cover all techniques.
Deobfuscation Via Partial Evaluation ❖ Partial evaluator task is to split a program in two parts – Static part: precomputed by the partial evaluator. (reduced to lowest terms) – Dynamic part: executed at runtime. (dependent on runtime environment)  Two possible approaches: – Online: all evaluations are made on-the-fly. – Offline: Multipass. Performs binding time analysis to classify expressions as static or dynamic, according to whether their values will be fully determined at specialisation time.
AST > SubTree Reduction > Deobfuscated code 1.Use JS for JS : Node + Esprima 2.ESPrima Parser > AST > http://esprima.org/demo/parse.html# 3.Traverse AST (Tree Walking) as the interpreter would 4.Reduce Sub trees by applying: – Constant folding – Encapsulation – Virtual dispatch – ... 5.Rewrite the Code w/ escodegen 6.Hopefully Enjoy the new code
Start from Scratch, oh wait ^_^’! ❖ @M1el already wrote some AST Based deobf for JSObfu: – https://github.com/m1el/esdeobfuscate https://github.com/m1el/esdeobfuscate/blob/master/esdeobfuscate.js#L109  Super Cool! Alas, is strictly related to JSObfu. We have: – Constant folding w binary ops: +,-,*,/,^ and partial unary ops ~ - .. (On simple types) – String.fromCharCode execution – function returning constants are “evaluated” and Reduced to their return value – Partial “scope wise” implementation. ❖A very good starting point!
What we want ❖Improve Global Variables management – "console","window","document","String","Object","Array","eval"... ❖Operations on Native Data (JSFuck … ) +[] .. ❖Global functions execution – escape, unescape, String.*,Array.*.. ❖Variable Substitution w/ constants or globals – var win=window; …. t=win > var win=window; …. t=window ❖Scoping and Function Evaluation – Function evaluation according to variable scoping.  Objects Management: – var t={a:2}; var b=t.a; Possibly Deobfuscate all known obfuscators
Function Evaluation ❖Check for literal returned value – function xx(){ return String.fromCharCode( 0x61)+"X" } – if (return val is constant ) substitute the value to the whole sub tree. – (JSObf DEMO) ❖Check for independent scope (Closed scope) – If function is a closure > execute function in a JS environment. – ( Fun.js DEMO)
Dealing W/ Complex Data ❖ Hardest task so far ❖ Similar to Variable Substitution but harder ❖ Deal w/ Arrays and Objects ❖ Deal with dynamic properties ---------------------------- ❖ Ended up creating a scope wise state machine. :O ❖ Partially implemented var h={w:2}; var t="a"; h[t]=3; var b=h.w+h[t]
JStillery DEMO
Conclusions  This research aims to prove that although AST based deobfuscation is not an easy task, it could lead to quite interesting results. ❖ Offline approach (multi pass + time analysis) could solve particular anti deobfuscation techniques. ❖ BTW Function Hoisting was not covered! In case someone wondered. ❖ Does it work? Depends on the goals, of course ;) ❖ ActionScript would be mostly covered (as ECMAScript compatible)
Contacts + Q&A Mail: stefano.dipaola@mindedsecurity.com Twitter: @wisecwisec Global Corporate Site: http://www.mindedsecurity.com Blog: http://blog.mindedsecurity.com Twitter: http://www.twitter.com/mindedsecurity YouTube: http://www.youtube.com/user/mindedsecurity Thanks!

More Related Content

PDF
Asynchronous API in Java8, how to use CompletableFuture
byJosé Paumard
 
PDF
자바에서 null을 안전하게 다루는 방법
bySungchul Park
 
PDF
Clean architecture
byLieven Doclo
 
PDF
無瑕的程式碼 Clean Code 心得分享
byWin Yu
 
PPT
Visual Studio
byuniversity of education,Lahore
 
PPTX
Micro-frontend
byMiguel Angel Teheran Garcia
 
PPTX
An introduction to Xamarin
byCynoteck Technology Solutions Private Limited
 
PPTX
Angular vs. React
byOPITZ CONSULTING Deutschland
 
Asynchronous API in Java8, how to use CompletableFuture
byJosé Paumard
 
자바에서 null을 안전하게 다루는 방법
bySungchul Park
 
Clean architecture
byLieven Doclo
 
無瑕的程式碼 Clean Code 心得分享
byWin Yu
 
Visual Studio
byuniversity of education,Lahore
 
Micro-frontend
byMiguel Angel Teheran Garcia
 
An introduction to Xamarin
byCynoteck Technology Solutions Private Limited
 
Angular vs. React
byOPITZ CONSULTING Deutschland
 

What's hot

PDF
Embulk, an open-source plugin-based parallel bulk data loader
bySadayuki Furuhashi
 
PPT
Groovy presentation
byManav Prasad
 
PPTX
このPHP QAツールがすごい!2019
bysasezaki
 
PDF
"Micro-frontends: Scalable and Modular Frontend in Parimatch Tech", Kyrylo Ai...
byFwdays
 
PDF
Node.js Native ESM への道 〜最終章: Babel / TypeScript Modules との闘い〜
byTeppei Sato
 
PPT
An introduction to maven gradle and sbt
byFabio Fumarola
 
PDF
Unit testing in xcode 8 with swift
byallanh0526
 
PDF
継承やめろマジやめろ。 なぜイケないのか 解説する
byTaishiYamada1
 
PDF
シーケンス図とアクティビティ図と状態遷移図
byakipii Oga
 
PPTX
Kotlin presentation
byMobileAcademy
 
PPTX
No Onions, No Tiers - An Introduction to Vertical Slice Architecture by Bill ...
byAlex Cachia
 
PPTX
オフラインWebアプリケーションのつくりかた
byShumpei Shiraishi
 
PPTX
Introduction to java
bySaba Ameer
 
PPT
Maven Introduction
bySandeep Chawla
 
DOC
Typescript Basics
byManikandan [M M K]
 
PPTX
Introduction to node.js
byDinesh U
 
PDF
Introduction to jest
bypksjce
 
PDF
How to Perform Database Testing Using Selenium? Edureka
byEdureka!
 
PDF
Finally, easy integration testing with Testcontainers
byRudy De Busscher
 
PPTX
Introduction to Angularjs
byManish Shekhawat
 
Embulk, an open-source plugin-based parallel bulk data loader
bySadayuki Furuhashi
 
Groovy presentation
byManav Prasad
 
このPHP QAツールがすごい!2019
bysasezaki
 
"Micro-frontends: Scalable and Modular Frontend in Parimatch Tech", Kyrylo Ai...
byFwdays
 
Node.js Native ESM への道 〜最終章: Babel / TypeScript Modules との闘い〜
byTeppei Sato
 
An introduction to maven gradle and sbt
byFabio Fumarola
 
Unit testing in xcode 8 with swift
byallanh0526
 
継承やめろマジやめろ。 なぜイケないのか 解説する
byTaishiYamada1
 
シーケンス図とアクティビティ図と状態遷移図
byakipii Oga
 
Kotlin presentation
byMobileAcademy
 
No Onions, No Tiers - An Introduction to Vertical Slice Architecture by Bill ...
byAlex Cachia
 
オフラインWebアプリケーションのつくりかた
byShumpei Shiraishi
 
Introduction to java
bySaba Ameer
 
Maven Introduction
bySandeep Chawla
 
Typescript Basics
byManikandan [M M K]
 
Introduction to node.js
byDinesh U
 
Introduction to jest
bypksjce
 
How to Perform Database Testing Using Selenium? Edureka
byEdureka!
 
Finally, easy integration testing with Testcontainers
byRudy De Busscher
 
Introduction to Angularjs
byManish Shekhawat
 

Similar to Advanced JS Deobfuscation

PDF
Js deobfuscation with JStillery - bsides-roma 2018
byMinded Security
 
PPT
Code obfuscation
bybijondesai
 
PDF
JavaScript From Hell - CONFidence 2.0 2009
byMario Heiderich
 
PDF
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
byAuditMark
 
PDF
Automated JavaScript Deobfuscation - PacSec 2007
byStephan Chenette
 
PPTX
Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation
byHeadlessZeke
 
PDF
Javascript Deofuscation A manual Approach
byGregory Hanis
 
PDF
DoSE-HALverison.pdfaaaaaaaaaaaaaaaaaaaaaaaa
byTrnHung5
 
PPTX
Don't Be Afraid of Abstract Syntax Trees
byJamund Ferguson
 
PPTX
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
byOWASP
 
PDF
Binary obfuscation using signals
byUltraUploader
 
PDF
Owaspeutour2013lisbon pedrofortunaprotectingjavascriptsourcecodeusingobfuscat...
byThiện Dương
 
PDF
Automated static deobfuscation in the context of Reverse Engineering
byzynamics GmbH
 
Js deobfuscation with JStillery - bsides-roma 2018
byMinded Security
 
Code obfuscation
bybijondesai
 
JavaScript From Hell - CONFidence 2.0 2009
byMario Heiderich
 
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
byAuditMark
 
Automated JavaScript Deobfuscation - PacSec 2007
byStephan Chenette
 
Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation
byHeadlessZeke
 
Javascript Deofuscation A manual Approach
byGregory Hanis
 
DoSE-HALverison.pdfaaaaaaaaaaaaaaaaaaaaaaaa
byTrnHung5
 
Don't Be Afraid of Abstract Syntax Trees
byJamund Ferguson
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
byOWASP
 
Binary obfuscation using signals
byUltraUploader
 
Owaspeutour2013lisbon pedrofortunaprotectingjavascriptsourcecodeusingobfuscat...
byThiện Dương
 
Automated static deobfuscation in the context of Reverse Engineering
byzynamics GmbH
 

More from Minded Security

PDF
Matteo Meucci - Security Summit 12th March 2019
byMinded Security
 
PDF
BlueClosure Pitch - Cybertech Europe 2017
byMinded Security
 
PDF
iOS Masque Attack
byMinded Security
 
PDF
Live hacking Demo
byMinded Security
 
PDF
Concrete5 Sendmail RCE Advisory
byMinded Security
 
PDF
Sandboxing JS and HTML. A lession Learned
byMinded Security
 
PDF
Ieee S&P 2020 - Software Security: from Research to Industry.
byMinded Security
 
PDF
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...
byMinded Security
 
PDF
Microservices Security: dos and don'ts
byMinded Security
 
PDF
PHP Object Injection
byMinded Security
 
PDF
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
byMinded Security
 
PDF
Concrete5 Multiple Reflected XSS Advisory
byMinded Security
 
PDF
Matteo meucci Software Security - Napoli 10112016
byMinded Security
 
PDF
Matteo Meucci Isaca Venice - 2017
byMinded Security
 
Matteo Meucci - Security Summit 12th March 2019
byMinded Security
 
BlueClosure Pitch - Cybertech Europe 2017
byMinded Security
 
iOS Masque Attack
byMinded Security
 
Live hacking Demo
byMinded Security
 
Concrete5 Sendmail RCE Advisory
byMinded Security
 
Sandboxing JS and HTML. A lession Learned
byMinded Security
 
Ieee S&P 2020 - Software Security: from Research to Industry.
byMinded Security
 
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...
byMinded Security
 
Microservices Security: dos and don'ts
byMinded Security
 
PHP Object Injection
byMinded Security
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
byMinded Security
 
Concrete5 Multiple Reflected XSS Advisory
byMinded Security
 
Matteo meucci Software Security - Napoli 10112016
byMinded Security
 
Matteo Meucci Isaca Venice - 2017
byMinded Security
 

Recently uploaded

PPTX
Road_Quality_Indicator using deeplearning algorithms and computer vision
byDHARUNPRASHOBMM
 
PDF
Microservices-Final !!!!!!!!!!!!!!!!.pdf
bydoquangminh962004
 
PDF
Coding Assessment Tools .pdf
byCodexpro
 
PDF
Solved First Semester B.C.A. C Programming Question Paper – Jan/Feb 2025
byKuvempu University
 
PPTX
Privacy Preserving Detection of Sensitive Data Exposure (1).pptx
byNikitaMandhan4
 
PPTX
Python-Functions-A-Comprehensive-Overview.pptx
byMuhammad Fahad Bashir
 
PDF
From Experiment to Enterprise: Scaling AI Coding Assistants Across Engineerin...
byMaxim Salnikov
 
PDF
Revolutionising-SQL-Data-Modelling-with-SqlDBM.pdf
bySQL DBM
 
PDF
TNG_Architecting Green Software - An Introduction_Nils-Oliver Linden&Alexande...
byQAware GmbH
 
PPTX
Computer_Virus_Presentation_With_Slide7.pptx
byHEVISLIVE
 
PDF
DSD-INT 2025 Introduction to Hydrology Suite - Slootjes
byDeltares
 
PDF
Cloud-Based Underwriting Software for Insurance
byInsurance Tech Services
 
PPTX
List on Python Programming Language.pptx
byRICHARDALONSAGAY1
 
PDF
DSD-INT 2025 Stochastic flood event generation using wflow and a diffusion do...
byDeltares
 
PDF
DSD-INT 2025 Hydrological Modelling in Society Assumptions, Impacts, and Appl...
byDeltares
 
PDF
How NetSuite Cloud ERP Helps Businesses Overcome Legacy System Downtime.
byTechWize
 
PPTX
Custom chat gpt integration services.pptx
byChetu
 
PDF
Virtual Study Circles Innovative Ways to Collaborate Online.pdf
byExplain Learning
 
PDF
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
PPTX
1_MIL_Introduction_Influence-of-Media-and-Information-on-Communication (1).pptx
byDeltaDomsMamas1
 
Road_Quality_Indicator using deeplearning algorithms and computer vision
byDHARUNPRASHOBMM
 
Microservices-Final !!!!!!!!!!!!!!!!.pdf
bydoquangminh962004
 
Coding Assessment Tools .pdf
byCodexpro
 
Solved First Semester B.C.A. C Programming Question Paper – Jan/Feb 2025
byKuvempu University
 
Privacy Preserving Detection of Sensitive Data Exposure (1).pptx
byNikitaMandhan4
 
Python-Functions-A-Comprehensive-Overview.pptx
byMuhammad Fahad Bashir
 
From Experiment to Enterprise: Scaling AI Coding Assistants Across Engineerin...
byMaxim Salnikov
 
Revolutionising-SQL-Data-Modelling-with-SqlDBM.pdf
bySQL DBM
 
TNG_Architecting Green Software - An Introduction_Nils-Oliver Linden&Alexande...
byQAware GmbH
 
Computer_Virus_Presentation_With_Slide7.pptx
byHEVISLIVE
 
DSD-INT 2025 Introduction to Hydrology Suite - Slootjes
byDeltares
 
Cloud-Based Underwriting Software for Insurance
byInsurance Tech Services
 
List on Python Programming Language.pptx
byRICHARDALONSAGAY1
 
DSD-INT 2025 Stochastic flood event generation using wflow and a diffusion do...
byDeltares
 
DSD-INT 2025 Hydrological Modelling in Society Assumptions, Impacts, and Appl...
byDeltares
 
How NetSuite Cloud ERP Helps Businesses Overcome Legacy System Downtime.
byTechWize
 
Custom chat gpt integration services.pptx
byChetu
 
Virtual Study Circles Innovative Ways to Collaborate Online.pdf
byExplain Learning
 
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
1_MIL_Introduction_Influence-of-Media-and-Information-on-Communication (1).pptx
byDeltaDomsMamas1
 

Advanced JS Deobfuscation

  • 1.
    Advanced JS DeObfuscation viaAST Stefano Di Paola CTO + Chief Scientist @MindedSecurity
  • 2.
    JS And Obfuscation ❖JS is super flexible! ❖ 1k+N ways the do the same thing - +N is the JS way ❖ OK from a Dev POV - performances apart ❖ Not Always OK for readability. ❖ SUPER OK for Obfuscation!
  • 3.
    Goals of Obfuscation ❖Block-LimitRE – Intellectual Property preservation – AV Bypass of Exploits – WAF Bypass of Cross Site Scripting Payload 3
  • 4.
    JS Obfuscators ❖Several PublicObfuscation techniques: – Eval Packer: http://dean.edwards.name/packer/ – Metasploit JSObfu: https://github.com/rapid7/jsobfu – JSFuck (From Slackers): http://www.jsfuck.com/ – JJEncode : http://utf-8.jp/public/jjencode.html – AAEncode: http://utf-8.jp/public/aaencode.html – Node-Obf: https://github.com/wearefractal/node-obf – https://github.com/search?p=2&q=obfuscator+JavaScript&type=Repositories&utf8=% E2%9C%93 – On the wild ...  Some commercial Obfuscator & Malware Obfuscator
  • 5.
  • 6.
  • 7.
    Why Do WeWant to Deobfuscate? ❖Defense! ❖Mainly to revert the Scope of Obfuscation: – AV detection of known Exploits – Precise WAF identification of Cross Site Scripting Payload – Intellectual property (yeah that too)  The Final Goal is to create a "Normalized" version of the code that will allow easier comparison and analysis
  • 8.
    Deobfuscation from Pto P1 ❖Semantics preservation: – Semantics preservation is required. ❖Automation: – P1 is obtained from P without the need for hand work (Ideally). ❖Robustness: – All code valid to the interpreter should be parsable by the deobfuscator. ❖Readability: – P1 is easy to adapt and analyze. ❖Efficiency: – Program P1 should not be much slower or larger than P.
  • 9.
    Deobfuscation Techniques ❖ Easyway: – Runtime. Sandboxed Environment to execute payload. (PhantomJS, Thug, JSCli..) – Pro : Easy – Cons: behavior based. Can't classify by source code. Hard to analyze what's going on. Possible Auto Pwnage. ❖ Harder Way: – By hand (!!!) – Pro: Human brain can be used. – Cons: Human brain MUST be used. Slow, High Expertise… A Lot. ❖ Hard/Easy Way: – Runtime + Static Analysis -> Hybrid approach via Partial Evaluation. – Pro: Leads to interesting results. – Cons: Hard to implement. Not trivial to cover all techniques.
  • 10.
    Deobfuscation Via PartialEvaluation ❖ Partial evaluator task is to split a program in two parts – Static part: precomputed by the partial evaluator. (reduced to lowest terms) – Dynamic part: executed at runtime. (dependent on runtime environment)  Two possible approaches: – Online: all evaluations are made on-the-fly. – Offline: Multipass. Performs binding time analysis to classify expressions as static or dynamic, according to whether their values will be fully determined at specialisation time.
  • 11.
    AST > SubTreeReduction > Deobfuscated code 1.Use JS for JS : Node + Esprima 2.ESPrima Parser > AST > http://esprima.org/demo/parse.html# 3.Traverse AST (Tree Walking) as the interpreter would 4.Reduce Sub trees by applying: – Constant folding – Encapsulation – Virtual dispatch – ... 5.Rewrite the Code w/ escodegen 6.Hopefully Enjoy the new code
  • 12.
    Start from Scratch,oh wait ^_^’! ❖ @M1el already wrote some AST Based deobf for JSObfu: – https://github.com/m1el/esdeobfuscate https://github.com/m1el/esdeobfuscate/blob/master/esdeobfuscate.js#L109  Super Cool! Alas, is strictly related to JSObfu. We have: – Constant folding w binary ops: +,-,*,/,^ and partial unary ops ~ - .. (On simple types) – String.fromCharCode execution – function returning constants are “evaluated” and Reduced to their return value – Partial “scope wise” implementation. ❖A very good starting point!
  • 13.
    What we want ❖ImproveGlobal Variables management – "console","window","document","String","Object","Array","eval"... ❖Operations on Native Data (JSFuck … ) +[] .. ❖Global functions execution – escape, unescape, String.*,Array.*.. ❖Variable Substitution w/ constants or globals – var win=window; …. t=win > var win=window; …. t=window ❖Scoping and Function Evaluation – Function evaluation according to variable scoping.  Objects Management: – var t={a:2}; var b=t.a; Possibly Deobfuscate all known obfuscators
  • 14.
    Function Evaluation ❖Check forliteral returned value – function xx(){ return String.fromCharCode( 0x61)+"X" } – if (return val is constant ) substitute the value to the whole sub tree. – (JSObf DEMO) ❖Check for independent scope (Closed scope) – If function is a closure > execute function in a JS environment. – ( Fun.js DEMO)
  • 15.
    Dealing W/ ComplexData ❖ Hardest task so far ❖ Similar to Variable Substitution but harder ❖ Deal w/ Arrays and Objects ❖ Deal with dynamic properties ---------------------------- ❖ Ended up creating a scope wise state machine. :O ❖ Partially implemented var h={w:2}; var t="a"; h[t]=3; var b=h.w+h[t]
  • 16.
  • 17.
    Conclusions  This researchaims to prove that although AST based deobfuscation is not an easy task, it could lead to quite interesting results. ❖ Offline approach (multi pass + time analysis) could solve particular anti deobfuscation techniques. ❖ BTW Function Hoisting was not covered! In case someone wondered. ❖ Does it work? Depends on the goals, of course ;) ❖ ActionScript would be mostly covered (as ECMAScript compatible)
  • 18.
    Contacts + Q&A Mail:stefano.dipaola@mindedsecurity.com Twitter: @wisecwisec Global Corporate Site: http://www.mindedsecurity.com Blog: http://blog.mindedsecurity.com Twitter: http://www.twitter.com/mindedsecurity YouTube: http://www.youtube.com/user/mindedsecurity Thanks!