JavaScript Obfuscation

JavaScript De-Obfuscation

Concepts
  • Source Code
  • Code Obfuscation
  • Deobfuscation
  • Code Analysis
  • HTTP Requests
  • Decoding

Just finished the Code Obfuscation module on HTB, here's what I've Z2F0aGVyZWQK.

Source Code

The source code is the original, human-readable copy of a piece of software. For my blog it's the TypeScript hosted on my GitHub. Now for most of us our source code isn't that "valuable". But if someone were to take your GitHub portfolio project exactly as it is and just change the name? You'd be less than pleased. Now imagine a multi-million dollar corporation whose IP lives in that code. That's the importance of source code.

Code Obfuscation

So now we have a problem: a million-dollar website, and I can just open my browser's dev tools and read it? That doesn't sound good. Not good at all. Obfuscation isn't the championing of security through obscurity, but it is worth being clear about what it can and cannot do: anything shipped to the browser is, by definition, in the user's hands, and an obfuscated script still has to be executable, so it can always be reversed. Its purpose is to slow a potential attacker down and raise the cost of copying or analysing the code, not to protect secrets (an API key or credential embedded in client-side JavaScript is exposed no matter how the code is mangled).

Minification

Very self-explanatory. We make the code smaller: whitespace, newlines and comments are stripped, and local identifiers are shortened. Imagine a function:

function showName(name){
	console.log("Hi. My Name is. My Name is. Who? Tshikitshiki.", name)
}
showName("SlimShady")

The minified version of this might look something like:

function showName(i){console.log("Hi. My Name is. My Name is. Who? Tshikitshiki.",i)}showName("SlimShady");

Now you can still read this, though it's slightly less convenient. But why stop here?

Packing

My understanding of this is still a bit vague, but packers take every word and symbol in the script, replace each one with a short index into a Map (a dictionary, for snake fans), and ship that word list alongside a small decoder. At run time the decoder rebuilds the original text from the indexes and hands it to eval, so the code is much harder to read while the functionality stays the same.

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('6 4(3){5.7("8. 0 1 2. 0 1 2. 9? a.",3)}4("b");',12,12,'My|Name|is|i|showName|console|function|log|Hi|Who|Tshikitshiki|SlimShady'.split('|'),0,{}))

Chances are you can still see the strings we use: the word list at the end of the packed blob is right there in clear text. Our function is also quite simple, and we already know what it does, so while this has become more difficult to read you can still work out what it's about. Note that obfuscation also makes the script slower, because the browser has to rebuild and eval the source before it can run it; that cost is paid by the site, not by us. We don't care about O(n) here, we are hacking.
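The quickest way to undo a packer like the one above is to not run it at all. The block below is an added example, not code from the post or from the HTB module: it reimplements the substitution step that the packer's decoder performs and returns the rebuilt source as a string, so nothing from the page is ever eval'd while you analyse it. The argument-extraction regex assumes the packer's standard call layout, `}('payload',radix,count,'words'.split('|'),0,{})`, with `\'` and `\\` as the only escapes inside the two single-quoted strings; both of those are assumptions about the input, and the packed call itself is reproduced here as constructed input.

```javascript
// Added example: static unpacker for Dean Edwards style p,a,c,k,e,d output.
// Nothing here calls eval(); the packed script is treated purely as data.

// Constructed input: the packed call from the section above, as a string.
// String.raw keeps the packer's own backslashes exactly as they appear.
const PACKED_SOURCE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('6 4(3){5.7("8. 0 1 2. 0 1 2. 9? a.",3)}4("b");',12,12,'My|Name|is|i|showName|console|function|log|Hi|Who|Tshikitshiki|SlimShady'.split('|'),0,{}))`;

/**
 * Rebuild the original source from the packer's four real arguments:
 * p = payload with words replaced by indexes, a = radix of those indexes,
 * c = number of words, k = the word list.
 */
function unpack(p, a, c, k) {
  // Token i is written in base `a`. An empty word-list entry means the
  // packer left that token as-is, which is what its `k[c] || c.toString(a)`
  // does, so map the key to itself in that case.
  const dict = new Map();
  for (let i = 0; i < c; i++) {
    const key = i.toString(a);
    dict.set(key, k[i] || key);
  }
  // Whole-word replacement, exactly like the packer's \b...\b regex, so the
  // token "1" never matches inside "12". Unknown words are left untouched.
  return p.replace(/\b\w+\b/g, (word) => (dict.has(word) ? dict.get(word) : word));
}

/**
 * Pull (p, a, c, k) out of an eval(function(p,a,c,k,e,d){...}(...)) string.
 * Assumption: the call keeps the standard argument layout and only uses
 * \' and \\ escapes inside the payload and word-list strings.
 */
function unpackEvalString(src) {
  const m = src.match(
    /\}\('((?:\\.|[^'\\])*)',\s*(\d+),\s*(\d+),\s*'((?:\\.|[^'\\])*)'\.split\('\|'\)/
  );
  if (!m) throw new Error('not a recognised p,a,c,k,e,d call');
  const unescape = (s) => s.replace(/\\(.)/g, '$1');
  const [, p, a, c, k] = m;
  return unpack(unescape(p), Number(a), Number(c), unescape(k).split('|'));
}

console.log(unpackEvalString(PACKED_SOURCE));
```

Running this prints the same single-line function that the beautifier sites give you, which is the point: the "decoder" the packer ships is a dozen lines of string replacement, and the whole secret is the word list sitting in clear text at the end of the blob. If a script has been packed more than once, feed the output back through unpackEvalString until the regex no longer matches.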

Now, I used the sites at the bottom for all of this, and usually you can reverse the changes using them too.

The Lab

So in the final lab the machine had a static HTML page. Upon opening the dev tools and checking the source you'd find the first flag, and there was also an obfuscated function. This was both minified and packed.

I used beautifier tools to clean it up, and from there I got my first flag.

Code analysis

Looking at the code I saw that it's sending a POST to a server to get info. From the module I learnt how to test this. First, I sent an empty POST to see what the response looks like:

curl <url> -X POST -d "parms=''"

Fun stuff, I got a response, and it was encoded in Base64. More on how to tell what encoding it is in another post. I decoded that, sent it as a parameter to that POST request and got the second flag. And that's it.
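The two steps in that procedure, working out what encoding the response body uses and then sending the decoded value back as a POST parameter, are the part worth automating. The block below is an added example, not code from the post or from the HTB module. It assumes the server returns the secret as a single line encoded as plain hex, standard Base64 or ROT13 (the three cases the module is likely to throw at you), and the parameter name "param" is hypothetical; the sample responses are constructed.

```javascript
// Added example: identify the encoding of a response body and build the
// percent-encoded body for the follow-up `curl -X POST -d` request.

// Constructed sample responses, the kind of thing curl prints to the terminal
// (note the trailing newline on the first one, which must be trimmed).
const SAMPLE_RESPONSES = [
  'Z2F0aGVyZWQK\n',       // Base64 of "gathered\n"
  '5465737420466c6167',   // hex of "Test Flag"
  'Uryyb, jbeyq',         // ROT13 of "Hello, world"
];

// Tabs, newlines and printable ASCII only; anything else means the decoder
// we just tried was the wrong guess.
function isPrintable(s) {
  return /^[\x09\x0a\x0d\x20-\x7e]*$/.test(s);
}

function rot13(s) {
  return s.replace(/[a-z]/gi, (ch) => {
    const base = ch <= 'Z' ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

/**
 * Return { encoding, decoded } for the first decoder whose output is
 * printable text. Hex is tried before Base64 on purpose: every hex string
 * is also syntactically valid Base64, so the printable check on the hex
 * result is what disambiguates inputs like "deadbeef".
 */
function identifyAndDecode(raw) {
  const body = raw.trim();
  if (body.length % 2 === 0 && /^[0-9a-fA-F]+$/.test(body)) {
    const text = Buffer.from(body, 'hex').toString('utf8');
    if (isPrintable(text)) return { encoding: 'hex', decoded: text };
  }
  if (body.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(body)) {
    const text = Buffer.from(body, 'base64').toString('utf8');
    if (isPrintable(text)) return { encoding: 'base64', decoded: text };
  }
  // ROT13 is a last-resort guess: it can only be applied to letter-only text
  // and there is no way to verify it other than reading the result.
  if (/^[A-Za-z\s,.!?'-]+$/.test(body)) {
    return { encoding: 'rot13', decoded: rot13(body) };
  }
  return { encoding: 'unknown', decoded: body };
}

/** Body for `curl -X POST -d`, percent-encoded so &, = and spaces survive. */
function buildPostBody(name, value) {
  return new URLSearchParams({ [name]: value }).toString();
}

for (const r of SAMPLE_RESPONSES) {
  const { encoding, decoded } = identifyAndDecode(r);
  // "param" is a placeholder parameter name, not the one the lab used.
  console.log(`${encoding}: ${JSON.stringify(decoded)} -> -d '${buildPostBody('param', decoded)}'`);
}
```

The percent-encoding step matters more than it looks: the author's curl line wraps the value in literal quotes, and a decoded secret containing `&`, `=` or `+` would be split or mangled by the server's form parser if it were pasted into `-d` as-is. URLSearchParams produces exactly the `application/x-www-form-urlencoded` body that curl's `-d` flag sends.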

Now this wasn't a walkthrough, but a review.

From this I've seen what the purpose of this practice is, along with its strengths and limits, and I've seen the problem-solving and critical thinking I use in software dev work here too. So, yay. Fun. Well, nerd fun, but fun nonetheless.


Reference