Automating Javascript Deobfuscation

Presented at LayerOne 2017, May 28, 2017, 4 p.m. (60 minutes).

Most Javascript deobfuscation seems to be reliant on mocking functions like eval() and making objects like `WScript` available, running the (potentially malicious!) javascript, either in a browser tab or nodejs, and printing out what was passed to mocked functions. This talk covers what a more “right” approach might be, which is to say that most current Javascript can be meaningfully deobfuscated with a few optimizations often used by compilers to reduce code size. I’ll also walk through a example implementation of those same techniques to deobfuscate some malicious Javascript from the wild plains of The Internet.

Presenters:

• Iximeow
  Computer guy. Software engineer. Reverse engineer. Ivory tower academic. Nerd on the internet. Iximeow has been called all of these things, and more. 4/5 people agree – Iximeow really likes weird computer things.

Links:

• https://infocon.org/cons/LayerOne/LayerOne 2017/Automating Javascript Deobfuscation (iximeow).mp4
• https://www.youtube.com/watch?v=yIVLs6ruLjk

Similar Presentations:

• Summercon 2017 / Breaking the JavaScript ASLR
• AppSec USA 2014 / Warning Ahead: Security Storms are Brewing in Your JavaScript
• AppSec USA 2012 / KEYNOTE: Securing JavaScript by Douglas Crockford