Js deobfuscation with JStillery - bsides-roma 2018
0 likes1,695 views
The document discusses JavaScript deobfuscation techniques. It begins by introducing common JavaScript obfuscation methods like Eval Packer, Metasploit JSObfu, JSFuck, JJEncode, AAEncode, and others. It then discusses the goals of deobfuscation, including semantics preservation, automation, robustness, readability, and efficiency. Several deobfuscation techniques are presented, such as using a sandboxed runtime environment or static and dynamic analysis with partial evaluation. The document dives deeper into an AST-based approach using Esprima to parse code into an AST and then reduce subtrees. It references an existing deobfuscation tool for JSObfu code and discusses areas for improvement. In the
![❖ Possibly Deobfuscate all known obfuscators
❖ Improve Global Variables management
"console","window","document","String","Object","Array","eval"..
❖ Operations on Native Data (JSFuck … ) +[] ….
❖ Global functions execution
➢ escape, unescape, String.*,Array.*..
❖ Variable Substitution w/ constants or globals
➢ var win=window; …. t=win > var win=window; …. t=window
❖ Scoping and Function Evaluation
➢ Function evaluation according to variable scoping.
❖ Objects Management:
➢ var t={a:2}; var b=t.a;
What we want](https://image.slidesharecdn.com/jsdeobfuscationwithjstillery-bsidesroma-180131135902/85/Js-deobfuscation-with-JStillery-bsides-roma-2018-13-320.jpg)
![Implementation: Function Scoping
❖ To Deal W/ Variable substitution & Function scope Analysis.
❖ Scopes are Objects
❖ SubScopes are Object whose prototype is the super Scope:
➢ function_scope = Object.create(scope);
function findScope(key,scope){
if( !scope ) return false;
if(scope.hasOwnProperty(key)){
return {scope:scope,value:scope[key]};
}
return findScope(key,scope.__proto__);
}](https://image.slidesharecdn.com/jsdeobfuscationwithjstillery-bsidesroma-180131135902/85/Js-deobfuscation-with-JStillery-bsides-roma-2018-15-320.jpg)
![Implementation: Dealing W/ Complex Data (Objects etc)
❖ Hardest task so far
❖ Similar to Variable Substitution but harder
❖ Deal w/ Arrays and Objects
❖ Deal with dynamic properties
----------------------------
❖ Ended up creating a scope wise state machine. :O
❖ Partially implemented
var h={w:2};
var t="a";
h[t]=3;
var b=h.w+h[t]](https://image.slidesharecdn.com/jsdeobfuscationwithjstillery-bsidesroma-180131135902/85/Js-deobfuscation-with-JStillery-bsides-roma-2018-16-320.jpg)
![゚ω゚ノ= /`m´)ノ ~┻━┻ //*´∇`*/ ['_']; o=(゚ー゚) =_=3; c=(゚Θ゚) =(゚ー゚)-(゚ー゚); (゚Д゚) =(゚Θ゚)= (o^_^o)/
(o^_^o);
(゚Д゚)={゚Θ゚: '_' ,゚ω゚ノ : ((゚ω゚ノ==3) +'_') [゚Θ゚] ,゚ー゚ノ :(゚ω゚ノ+ '_')[o^_^o -(゚Θ゚)] ,゚Д゚ノ:
((゚ー゚==3) +'_')[゚ー゚] }; (゚Д゚) [゚Θ゚] =((゚ω゚ノ==3) +'_') [c^_^o];(゚Д゚) ['c'] = ((゚Д゚)+'_') [ (゚ー゚)+(゚ー゚)-(゚Θ゚)
];
(゚Д゚) ['o'] = ((゚Д゚)+'_') [゚Θ゚];
(゚o゚)=(゚Д゚) ['c']+(゚Д゚) ['o']+(゚ω゚ノ +'_')[゚Θ゚]+ ((゚ω゚ノ==3) +'_') [゚ー゚] + ((゚Д゚) +'_') [(゚ー゚)+(゚ー゚)]+
((゚ー゚==3) +'_') [゚Θ゚]+
((゚ー゚==3) +'_') [(゚ー゚) - (゚Θ゚)]+(゚Д゚) ['c']+((゚Д゚)+'_') [(゚ー゚)+(゚ー゚)]+ (゚Д゚) ['o']+((゚ー゚==3) +'_') [゚Θ゚];
(゚Д゚) ['_'] =(o^_^o) [゚o゚] [゚o゚];(゚ε゚)=((゚ー゚==3) +'_') [゚Θ゚]+ (゚Д゚) .゚Д゚ノ+((゚Д゚)+'_')
[(゚ー゚) + (゚ー゚)]+((゚ー゚==3) +'_') [o^_^o -゚Θ゚]+((゚ー゚==3) +'_') [゚Θ゚]+ (゚ω゚ノ +'_') [゚Θ゚]; (゚ー゚)+=(゚Θ゚);
(゚Д゚)[゚ε゚]=''; (゚Д゚).゚Θ゚ノ=(゚Д゚+ ゚ー゚)[o^_^o -(゚Θ゚)];(o゚ー゚o)=(゚ω゚ノ +'_')[c^_^o];(゚Д゚) [゚o゚]='"';
(゚Д゚) ['_'] ( (゚Д゚) ['_'] (゚ε゚+(゚Д゚)[゚o゚]+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+
(゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+
(゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+
(o^_^o)+
(゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) -
(゚Θ゚))+ (゚Д゚)
[゚o゚]) (゚Θ゚)) ('_');](https://image.slidesharecdn.com/jsdeobfuscationwithjstillery-bsidesroma-180131135902/85/Js-deobfuscation-with-JStillery-bsides-roma-2018-21-320.jpg)
Js deobfuscation with JStillery - bsides-roma 2018
- 1. JS DeObfuscation with JStillery Stefano Di Paola CTO + Chief Scientist @MindedSecurity 13 January 2018
- 2. ❖ Research (Spare Time) ➢ Bug Hunter & Sec Research (Pdf UXSS, Flash Security, HPP, DOMinator) ➢ Software Security Since ~'99 ➢ Dealing with JavaScript since 2006 ❖ Work ➢ CTO @ Minded Security ➢ Chief Scientist $ WhoAmI
- 3. ❖ JS is super flexible! ❖ 1k+N ways the do the same thing - +N is the JS way ❖ OK from a Dev POV - performances apart ❖ Not Always OK for readability. ❖ SUPER OK for Obfuscation! ❖ Scope of Obfuscation: Block-Limit RE ➢ Intellectual Property preservation ➢ AV Bypass of Exploits ➢ WAF Bypass of Cross Site Scripting Payload JS And Obfuscation
- 4. ❖ Publicly known JS obfuscation techniques: ➢ Eval Packer: http://dean.edwards.name/packer/ ➢ Metasploit JSObfu: https://github.com/rapid7/jsobfu ➢ JSFuck (From Slackers): http://www.jsfuck.com/ ➢ JJEncode : http://utf-8.jp/public/jjencode.html ➢ AAEncode: http://utf-8.jp/public/aaencode.html ➢ Node-Obf: https://github.com/wearefractal/node-obf ➢ https://github.com/javascript-obfuscator/javascript-obfuscator ➢ https://github.com/search?p=2&q=obfuscator+JavaScript&type=Repositories&utf8=% E2%9C%93 ❖ Vendor Based JS Obfuscators: ➢ https://javascriptobfuscator.com/ ➢ https://jscrambler.com JS And Obfuscation
- 7. ❖ Defense! ❖ Mainly to revert the Scope of Obfuscation: ➢ AV detection of known Exploits ➢ Precise WAF identification of Cross Site Scripting Payload ➢ Intellectual property (yeah that too) Why Do We Want to Deobfuscate?
- 8. Deobfuscation from P to P’ ❖ Semantics preservation: ➢ Semantics preservation is required. ❖ Automation: ➢ P’ is obtained from P without the need for hand work (Ideally). ❖ Robustness: ➢ All code valid to the interpreter should be parsable by the deobfuscator. ❖ Readability: ➢ P’ is easy to adapt and analyze. ❖ Efficiency: ➢ Program P’ should not be much slower or larger than P.
- 9. Deobfuscation Techniques ❖ Easy way: ➢ Runtime. Use Sandboxed Environment to execute the payload. (PhantomJS, Thug, JSCli..) ➢ Pro : Easy ➢ Cons: behavior based. Can't classify by source code. Hard to analyze what's going on. Possible Auto Pwnage. ❖ Harder Way: ➢ By hand ➢ Pro: Human brain can be used. ➢ Cons: Human brain MUST be used. Slow, High Expertise… A Lot. ❖ Hard/Easy Way: ➢ Runtime + Static Analysis -> Hybrid approach via Partial Evaluation. ➢ Pro: Leads to interesting results. ➢ Cons: Hard to implement. Not trivial to cover all techniques.
- 10. Deobfuscation Via Partial Evaluation ❖ Partial evaluator task is to split a program in two parts ➢ Static part: precomputed by the partial evaluator. (reduced to lowest terms) ➢ Dynamic part: executed at runtime. (dependent on runtime environment) ❖ Two possible approaches: ➢ Online: all evaluations are made on-the-fly. ➢ Offline: Multipass. Performs binding time analysis to classify expressions as static or dynamic, according to whether their values will be fully determined at specialisation time.
- 11. AST > SubTree Reduction > Deobfuscated code 1. Use JS for JS : Node + Esprima 2. ESPrima Parser > AST > http://esprima.org/demo/parse.html# 3. Traverse AST (Tree Walking) as the interpreter would 4. Reduce Sub trees by applying: ➢ Constant folding ➢ Encapsulation ➢ Virtual dispatch ➢ ... 5. Rewrite the Code w/ escodegen 6. Hopefully Enjoy the new code
- 12. Start from Scratch, oh wait ^_^’! ❖ Someone already wrote some AST Based deobf for JSObfu: ➢ https://github.com/m1el/esdeobfuscate (DEMO) ➢ https://github.com/m1el/esdeobfuscate/blob/master/esdeobfuscate.js#L109 ❖ Super Cool! Alas, is strictly related to JSObfu (DEMO) ❖ We have: ➢ Constant folding w binary ops: +,-,*,/,^ and partial unary ops ~ - .. (On simple types) ➢ String.fromCharCode execution ➢ function returning constants are “evaluated” and Reduced to their return value ➢ Partial “scope wise” implementation. ➢ https://github.com/m1el/esdeobfuscate/blob/master/esdeobfuscate.js ❖ A very good starting point!
- 13. ❖ Possibly Deobfuscate all known obfuscators ❖ Improve Global Variables management "console","window","document","String","Object","Array","eval".. ❖ Operations on Native Data (JSFuck … ) +[] …. ❖ Global functions execution ➢ escape, unescape, String.*,Array.*.. ❖ Variable Substitution w/ constants or globals ➢ var win=window; …. t=win > var win=window; …. t=window ❖ Scoping and Function Evaluation ➢ Function evaluation according to variable scoping. ❖ Objects Management: ➢ var t={a:2}; var b=t.a; What we want
- 14. Implementation: Function execution ❖ Check for literal returned value (JSObf uDEMO) ➢ function xx(){ return String.fromCharCode(“x61”)+”X” } ➢ if return val = constant -> substitute the value to the whole sub tree. ❖ Check for independent scope (Closed scope) ( Fun.js DEMO) ➢ if function is closure > execute function in a JS environment.
- 15. Implementation: Function Scoping ❖ To Deal W/ Variable substitution & Function scope Analysis. ❖ Scopes are Objects ❖ SubScopes are Object whose prototype is the super Scope: ➢ function_scope = Object.create(scope); function findScope(key,scope){ if( !scope ) return false; if(scope.hasOwnProperty(key)){ return {scope:scope,value:scope[key]}; } return findScope(key,scope.__proto__); }
- 16. Implementation: Dealing W/ Complex Data (Objects etc) ❖ Hardest task so far ❖ Similar to Variable Substitution but harder ❖ Deal w/ Arrays and Objects ❖ Deal with dynamic properties ---------------------------- ❖ Ended up creating a scope wise state machine. :O ❖ Partially implemented var h={w:2}; var t="a"; h[t]=3; var b=h.w+h[t]
- 18. Conclusions ❖ Release in a few days!! https://github.com/mindedsecurity/JStillery ❖ Research took about 15 days ❖ Not easy task, although I’m not a JS rookie :) ❖ Offline approach (multi pass + time analysis) could solve particular anti deobf techniques. ❖ Hybrid approach can lead to interesting results ❖ BTW Function Hoisting was not covered! In case someone wondered. ❖ Does it work? Depends on the goals, of course ;) ❖ ActionScript would be mostly covered (as ECMAScript compatible)
- 19. Related projects ❖ https://github.com/svent/jsdetox ❖ https://illuminatejs.com/#/ ❖ https://github.com/buffer/thug
- 20. Q&A JStillery: https://github.com/mindedsecurity/JStillery Email: stefano.dipaola@mindedsecurity.com Twitter: @WisecWisec Blog: http://blog.mindedsecurity.com Company: http://www.mindedsecurity.com
- 21. ゚ω゚ノ= /`m´)ノ ~┻━┻ //*´∇`*/ ['_']; o=(゚ー゚) =_=3; c=(゚Θ゚) =(゚ー゚)-(゚ー゚); (゚Д゚) =(゚Θ゚)= (o^_^o)/ (o^_^o); (゚Д゚)={゚Θ゚: '_' ,゚ω゚ノ : ((゚ω゚ノ==3) +'_') [゚Θ゚] ,゚ー゚ノ :(゚ω゚ノ+ '_')[o^_^o -(゚Θ゚)] ,゚Д゚ノ: ((゚ー゚==3) +'_')[゚ー゚] }; (゚Д゚) [゚Θ゚] =((゚ω゚ノ==3) +'_') [c^_^o];(゚Д゚) ['c'] = ((゚Д゚)+'_') [ (゚ー゚)+(゚ー゚)-(゚Θ゚) ]; (゚Д゚) ['o'] = ((゚Д゚)+'_') [゚Θ゚]; (゚o゚)=(゚Д゚) ['c']+(゚Д゚) ['o']+(゚ω゚ノ +'_')[゚Θ゚]+ ((゚ω゚ノ==3) +'_') [゚ー゚] + ((゚Д゚) +'_') [(゚ー゚)+(゚ー゚)]+ ((゚ー゚==3) +'_') [゚Θ゚]+ ((゚ー゚==3) +'_') [(゚ー゚) - (゚Θ゚)]+(゚Д゚) ['c']+((゚Д゚)+'_') [(゚ー゚)+(゚ー゚)]+ (゚Д゚) ['o']+((゚ー゚==3) +'_') [゚Θ゚]; (゚Д゚) ['_'] =(o^_^o) [゚o゚] [゚o゚];(゚ε゚)=((゚ー゚==3) +'_') [゚Θ゚]+ (゚Д゚) .゚Д゚ノ+((゚Д゚)+'_') [(゚ー゚) + (゚ー゚)]+((゚ー゚==3) +'_') [o^_^o -゚Θ゚]+((゚ー゚==3) +'_') [゚Θ゚]+ (゚ω゚ノ +'_') [゚Θ゚]; (゚ー゚)+=(゚Θ゚); (゚Д゚)[゚ε゚]=''; (゚Д゚).゚Θ゚ノ=(゚Д゚+ ゚ー゚)[o^_^o -(゚Θ゚)];(o゚ー゚o)=(゚ω゚ノ +'_')[c^_^o];(゚Д゚) [゚o゚]='"'; (゚Д゚) ['_'] ( (゚Д゚) ['_'] (゚ε゚+(゚Д゚)[゚o゚]+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚) [゚o゚]) (゚Θ゚)) ('_');