The document discusses JavaScript deobfuscation techniques. It begins by introducing common JavaScript obfuscation methods like Eval Packer, Metasploit JSObfu, JSFuck, JJEncode, AAEncode, and others. It then discusses the goals of deobfuscation, including semantics preservation, automation, robustness, readability, and efficiency. Several deobfuscation techniques are presented, such as using a sandboxed runtime environment or static and dynamic analysis with partial evaluation. The document dives deeper into an AST-based approach using Esprima to parse code into an AST and then reduce subtrees. It references an existing deobfuscation tool for JSObfu code and discusses areas for improvement. In the

1. JS DeObfuscation with JStillery
Stefano Di Paola CTO + Chief Scientist
@MindedSecurity
13 January 2018

2. ❖ Research (Spare Time)
➢ Bug Hunter & Sec Research (Pdf UXSS, Flash Security, HPP, DOMinator)
➢ Software Security Since ~'99
➢ Dealing with JavaScript since 2006
❖ Work
➢ CTO @ Minded Security
➢ Chief Scientist
$ WhoAmI

3. ❖ JS is super flexible!
❖ 1k+N ways the do the same thing - +N is the JS way
❖ OK from a Dev POV - performances apart
❖ Not Always OK for readability.
❖ SUPER OK for Obfuscation!
❖ Scope of Obfuscation: Block-Limit RE
➢ Intellectual Property preservation
➢ AV Bypass of Exploits
➢ WAF Bypass of Cross Site Scripting Payload
JS And Obfuscation

4. ❖ Publicly known JS obfuscation techniques:
➢ Eval Packer: http://dean.edwards.name/packer/
➢ Metasploit JSObfu: https://github.com/rapid7/jsobfu
➢ JSFuck (From Slackers): http://www.jsfuck.com/
➢ JJEncode : http://utf-8.jp/public/jjencode.html
➢ AAEncode: http://utf-8.jp/public/aaencode.html
➢ Node-Obf: https://github.com/wearefractal/node-obf
➢ https://github.com/javascript-obfuscator/javascript-obfuscator
➢ https://github.com/search?p=2&q=obfuscator+JavaScript&type=Repositories&utf8=%
E2%9C%93
❖ Vendor Based JS Obfuscators:
➢ https://javascriptobfuscator.com/
➢ https://jscrambler.com
JS And Obfuscation

5. JSObfu
JSFuck

6. AAEncode
JJEncode

7. ❖ Defense!
❖ Mainly to revert the Scope of Obfuscation:
➢ AV detection of known Exploits
➢ Precise WAF identification of Cross Site Scripting Payload
➢ Intellectual property (yeah that too)
Why Do We Want to Deobfuscate?

8. Deobfuscation from P to P’
❖ Semantics preservation:
➢ Semantics preservation is required.
❖ Automation:
➢ P’ is obtained from P without the need for hand work (Ideally).
❖ Robustness:
➢ All code valid to the interpreter should be parsable by the deobfuscator.
❖ Readability:
➢ P’ is easy to adapt and analyze.
❖ Efficiency:
➢ Program P’ should not be much slower or larger than P.

9. Deobfuscation Techniques
❖ Easy way:
➢ Runtime. Use Sandboxed Environment to execute the payload. (PhantomJS, Thug,
JSCli..)
➢ Pro : Easy
➢ Cons: behavior based. Can't classify by source code. Hard to analyze what's going on.
Possible Auto Pwnage.
❖ Harder Way:
➢ By hand
➢ Pro: Human brain can be used.
➢ Cons: Human brain MUST be used. Slow, High Expertise… A Lot.
❖ Hard/Easy Way:
➢ Runtime + Static Analysis -> Hybrid approach via Partial Evaluation.
➢ Pro: Leads to interesting results.
➢ Cons: Hard to implement. Not trivial to cover all techniques.

10. Deobfuscation Via Partial Evaluation
❖ Partial evaluator task is to split a program in two parts
➢ Static part: precomputed by the partial evaluator. (reduced to lowest terms)
➢ Dynamic part: executed at runtime. (dependent on runtime environment)
❖ Two possible approaches:
➢ Online: all evaluations are made on-the-fly.
➢ Offline: Multipass. Performs binding time analysis to classify expressions as
static or dynamic, according to whether their values will be fully determined
at specialisation time.

11. AST > SubTree Reduction > Deobfuscated code
1. Use JS for JS : Node + Esprima
2. ESPrima Parser > AST > http://esprima.org/demo/parse.html#
3. Traverse AST (Tree Walking) as the interpreter would
4. Reduce Sub trees by applying:
➢ Constant folding
➢ Encapsulation
➢ Virtual dispatch
➢ ...
5. Rewrite the Code w/ escodegen
6. Hopefully Enjoy the new code

12. Start from Scratch, oh wait ^_^’!
❖ Someone already wrote some AST Based deobf for JSObfu:
➢ https://github.com/m1el/esdeobfuscate (DEMO)
➢ https://github.com/m1el/esdeobfuscate/blob/master/esdeobfuscate.js#L109
❖ Super Cool! Alas, is strictly related to JSObfu (DEMO)
❖ We have:
➢ Constant folding w binary ops: +,-,*,/,^ and partial unary ops ~ - .. (On simple types)
➢ String.fromCharCode execution
➢ function returning constants are “evaluated” and Reduced to their return value
➢ Partial “scope wise” implementation.
➢ https://github.com/m1el/esdeobfuscate/blob/master/esdeobfuscate.js
❖ A very good starting point!

13. ❖ Possibly Deobfuscate all known obfuscators
❖ Improve Global Variables management
"console","window","document","String","Object","Array","eval"..
❖ Operations on Native Data (JSFuck … ) +[] ….
❖ Global functions execution
➢ escape, unescape, String.*,Array.*..
❖ Variable Substitution w/ constants or globals
➢ var win=window; …. t=win > var win=window; …. t=window
❖ Scoping and Function Evaluation
➢ Function evaluation according to variable scoping.
❖ Objects Management:
➢ var t={a:2}; var b=t.a;
What we want

14. Implementation: Function execution
❖ Check for literal returned value (JSObf uDEMO)
➢ function xx(){
return String.fromCharCode(“x61”)+”X”
}
➢ if return val = constant -> substitute the value to
the whole sub tree.
❖ Check for independent scope (Closed scope) ( Fun.js DEMO)
➢ if function is closure > execute function in a JS environment.

15. Implementation: Function Scoping
❖ To Deal W/ Variable substitution & Function scope Analysis.
❖ Scopes are Objects
❖ SubScopes are Object whose prototype is the super Scope:
➢ function_scope = Object.create(scope);
function findScope(key,scope){
if( !scope ) return false;
if(scope.hasOwnProperty(key)){
return {scope:scope,value:scope[key]};
}
return findScope(key,scope.__proto__);
}

16. Implementation: Dealing W/ Complex Data (Objects etc)
❖ Hardest task so far
❖ Similar to Variable Substitution but harder
❖ Deal w/ Arrays and Objects
❖ Deal with dynamic properties
----------------------------
❖ Ended up creating a scope wise state machine. :O
❖ Partially implemented
var h={w:2};
var t="a";
h[t]=3;
var b=h.w+h[t]

17. JStillery
DEMO
https://www.youtube.com/watch?v=QITb12MGvX4

18. Conclusions
❖ Release in a few days!! https://github.com/mindedsecurity/JStillery
❖ Research took about 15 days
❖ Not easy task, although I’m not a JS rookie :)
❖ Offline approach (multi pass + time analysis) could solve particular anti
deobf techniques.
❖ Hybrid approach can lead to interesting results
❖ BTW Function Hoisting was not covered! In case someone wondered.
❖ Does it work? Depends on the goals, of course ;)
❖ ActionScript would be mostly covered (as ECMAScript compatible)

19. Related projects
❖ https://github.com/svent/jsdetox
❖ https://illuminatejs.com/#/
❖ https://github.com/buffer/thug

20. Q&A
JStillery: https://github.com/mindedsecurity/JStillery
Email: stefano.dipaola@mindedsecurity.com
Twitter: @WisecWisec
Blog: http://blog.mindedsecurity.com
Company: http://www.mindedsecurity.com

21. ﾟωﾟﾉ= /｀ｍ´）ﾉ ~┻━┻ //*´∇｀*/ ['_']; o=(ﾟｰﾟ) =_=3; c=(ﾟΘﾟ) =(ﾟｰﾟ)-(ﾟｰﾟ); (ﾟДﾟ) =(ﾟΘﾟ)= (o^_^o)/
(o^_^o);
(ﾟДﾟ)={ﾟΘﾟ: '_' ,ﾟωﾟﾉ : ((ﾟωﾟﾉ==3) +'_') [ﾟΘﾟ] ,ﾟｰﾟﾉ :(ﾟωﾟﾉ+ '_')[o^_^o -(ﾟΘﾟ)] ,ﾟДﾟﾉ:
((ﾟｰﾟ==3) +'_')[ﾟｰﾟ] }; (ﾟДﾟ) [ﾟΘﾟ] =((ﾟωﾟﾉ==3) +'_') [c^_^o];(ﾟДﾟ) ['c'] = ((ﾟДﾟ)+'_') [ (ﾟｰﾟ)+(ﾟｰﾟ)-(ﾟΘﾟ)
];
(ﾟДﾟ) ['o'] = ((ﾟДﾟ)+'_') [ﾟΘﾟ];
(ﾟoﾟ)=(ﾟДﾟ) ['c']+(ﾟДﾟ) ['o']+(ﾟωﾟﾉ +'_')[ﾟΘﾟ]+ ((ﾟωﾟﾉ==3) +'_') [ﾟｰﾟ] + ((ﾟДﾟ) +'_') [(ﾟｰﾟ)+(ﾟｰﾟ)]+
((ﾟｰﾟ==3) +'_') [ﾟΘﾟ]+
((ﾟｰﾟ==3) +'_') [(ﾟｰﾟ) - (ﾟΘﾟ)]+(ﾟДﾟ) ['c']+((ﾟДﾟ)+'_') [(ﾟｰﾟ)+(ﾟｰﾟ)]+ (ﾟДﾟ) ['o']+((ﾟｰﾟ==3) +'_') [ﾟΘﾟ];
(ﾟДﾟ) ['_'] =(o^_^o) [ﾟoﾟ] [ﾟoﾟ];(ﾟεﾟ)=((ﾟｰﾟ==3) +'_') [ﾟΘﾟ]+ (ﾟДﾟ) .ﾟДﾟﾉ+((ﾟДﾟ)+'_')
[(ﾟｰﾟ) + (ﾟｰﾟ)]+((ﾟｰﾟ==3) +'_') [o^_^o -ﾟΘﾟ]+((ﾟｰﾟ==3) +'_') [ﾟΘﾟ]+ (ﾟωﾟﾉ +'_') [ﾟΘﾟ]; (ﾟｰﾟ)+=(ﾟΘﾟ);
(ﾟДﾟ)[ﾟεﾟ]=''; (ﾟДﾟ).ﾟΘﾟﾉ=(ﾟДﾟ+ ﾟｰﾟ)[o^_^o -(ﾟΘﾟ)];(oﾟｰﾟo)=(ﾟωﾟﾉ +'_')[c^_^o];(ﾟДﾟ) [ﾟoﾟ]='"';
(ﾟДﾟ) ['_'] ( (ﾟДﾟ) ['_'] (ﾟεﾟ+(ﾟДﾟ)[ﾟoﾟ]+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟｰﾟ)+ ((o^_^o) - (ﾟΘﾟ))+
(ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) - (ﾟΘﾟ))+ (ﾟｰﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ (c^_^o)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+
(ﾟｰﾟ)+ (ﾟΘﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ ((o^_^o) +(o^_^o))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+
(o^_^o)+
(ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟｰﾟ)+ (ﾟΘﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟｰﾟ)+ ((o^_^o) -
(ﾟΘﾟ))+ (ﾟДﾟ)
[ﾟoﾟ]) (ﾟΘﾟ)) ('_');