2. JS And Obfuscation
❖ JS is super flexible!
❖ 1k+N ways the do the same thing - +N is the JS way
❖ OK from a Dev POV - performances apart
❖ Not Always OK for readability.
❖ SUPER OK for Obfuscation!
3. Goals of Obfuscation
❖Block-Limit RE
– Intellectual Property preservation
– AV Bypass of Exploits
– WAF Bypass of Cross Site Scripting Payload
3
7. Why Do We Want to Deobfuscate?
❖Defense!
❖Mainly to revert the Scope of Obfuscation:
– AV detection of known Exploits
– Precise WAF identification of Cross Site Scripting Payload
– Intellectual property (yeah that too)
The Final Goal is to create a "Normalized" version of the
code that will allow easier comparison and analysis
8. Deobfuscation from P to P1
❖Semantics preservation:
– Semantics preservation is required.
❖Automation:
– P1 is obtained from P without the need for hand work (Ideally).
❖Robustness:
– All code valid to the interpreter should be parsable by the
deobfuscator.
❖Readability:
– P1 is easy to adapt and analyze.
❖Efficiency:
– Program P1 should not be much slower or larger than P.
9. Deobfuscation Techniques
❖ Easy way:
– Runtime. Sandboxed Environment to execute payload. (PhantomJS, Thug,
JSCli..)
– Pro : Easy
– Cons: behavior based. Can't classify by source code. Hard to analyze what's
going on. Possible Auto Pwnage.
❖ Harder Way:
– By hand (!!!)
– Pro: Human brain can be used.
– Cons: Human brain MUST be used. Slow, High Expertise… A Lot.
❖ Hard/Easy Way:
– Runtime + Static Analysis -> Hybrid approach via Partial Evaluation.
– Pro: Leads to interesting results.
– Cons: Hard to implement. Not trivial to cover all techniques.
10. Deobfuscation Via Partial Evaluation
❖ Partial evaluator task is to split a program in two parts
– Static part: precomputed by the partial evaluator. (reduced to
lowest terms)
– Dynamic part: executed at runtime. (dependent on runtime
environment)
Two possible approaches:
– Online: all evaluations are made on-the-fly.
– Offline: Multipass. Performs binding time analysis to classify
expressions as static or dynamic, according to whether their
values will be fully determined at specialisation time.
11. AST > SubTree Reduction > Deobfuscated code
1.Use JS for JS : Node + Esprima
2.ESPrima Parser > AST > http://esprima.org/demo/parse.html#
3.Traverse AST (Tree Walking) as the interpreter would
4.Reduce Sub trees by applying:
– Constant folding
– Encapsulation
– Virtual dispatch
– ...
5.Rewrite the Code w/ escodegen
6.Hopefully Enjoy the new code
12. Start from Scratch, oh wait ^_^’!
❖ @M1el already wrote some AST Based deobf for JSObfu:
– https://github.com/m1el/esdeobfuscate
https://github.com/m1el/esdeobfuscate/blob/master/esdeobfuscate.js#L109
Super Cool! Alas, is strictly related to JSObfu. We have:
– Constant folding w binary ops: +,-,*,/,^ and partial unary ops ~ - .. (On simple
types)
– String.fromCharCode execution
– function returning constants are “evaluated” and Reduced to their return value
– Partial “scope wise” implementation.
❖A very good starting point!
13. What we want
❖Improve Global Variables management
– "console","window","document","String","Object","Array","eval"...
❖Operations on Native Data (JSFuck … ) +[] ..
❖Global functions execution
– escape, unescape, String.*,Array.*..
❖Variable Substitution w/ constants or globals
– var win=window; …. t=win > var win=window; …. t=window
❖Scoping and Function Evaluation
– Function evaluation according to variable scoping.
Objects Management:
– var t={a:2}; var b=t.a;
Possibly Deobfuscate all known obfuscators
14. Function Evaluation
❖Check for literal returned value
– function xx(){
return String.fromCharCode( 0x61)+"X"
}
– if (return val is constant )
substitute the value to the whole sub tree.
– (JSObf DEMO)
❖Check for independent scope (Closed scope)
– If function is a closure > execute function in a JS environment.
– ( Fun.js DEMO)
15. Dealing W/ Complex Data
❖ Hardest task so far
❖ Similar to Variable Substitution but harder
❖ Deal w/ Arrays and Objects
❖ Deal with dynamic properties
----------------------------
❖ Ended up creating a scope wise state machine. :O
❖ Partially implemented
var h={w:2};
var t="a";
h[t]=3;
var b=h.w+h[t]
17. Conclusions
This research aims to prove that although AST based deobfuscation
is not an easy task, it could lead to quite interesting results.
❖ Offline approach (multi pass + time analysis) could solve particular
anti deobfuscation techniques.
❖ BTW Function Hoisting was not covered! In case someone
wondered.
❖ Does it work? Depends on the goals, of course ;)
❖ ActionScript would be mostly covered (as ECMAScript compatible)