Deciphering Obfuscated JavaScript Malware

  • Published: 23 Dec 2024

Comments • 381

  • @christopher8641
    @christopher8641 8 months ago +101

    I'm a backend dev and have never dug into malware analysis, but this video made the process look pretty fun and rewarding. I guess it is just a big dangerous puzzle.

  • @bartekklusek5242
    @bartekklusek5242 8 months ago +94

    This is not really my area of interest specifically, although I follow various computer-related content.
    What actually shocked me, after watching several videos, is how orderly a mind this lady has. Absolutely smooth speaking about complicated topics.
    I envy that talent so much.

    • @vazoth6423
      @vazoth6423 6 months ago +2

      It takes a lot of years of practice in problem solving and critical thinking, like a lot.

    • @bartekklusek9989
      @bartekklusek9989 5 months ago +1

      I know this from my own experience, and it is quite obvious, but the ability to speak so flawlessly is not something most people can achieve. At least it requires a proper growing-up process, as at a mature age you cannot reverse enough the way your brain was formed.

  • @cusematt23
    @cusematt23 8 months ago +231

    Holy effing sht. I literally just came across some heavily obfuscated JS code that I am dying to reverse engineer and this vid came up. There is a god.

    • @adityadas5835
      @adityadas5835 8 months ago +24

      Or maybe Big Brother is tracking you. Who knows? 😕

    • @corp-por
      @corp-por 8 months ago +3

      wtf, almost the same here. A client just called me because a JS file was triggering a virus alert in Windows Defender. And here I am 🥸

    • @Katchi_
      @Katchi_ 8 months ago

      Liar.

    • @cusematt23
      @cusematt23 8 months ago +2

      @Katchi_ Not even kidding. I am using a complex optimization app and instead of it doing work on the server it just sends a giant minified obfuscated JS bundle. And I am curious, although not as smart as Laurie, and will prob never fully reverse engineer it.
      So far the only thing I am getting is that the code is using the glpk JavaScript library. I didn't even know this existed so that's a bonus at least. I am guessing there will soon be a day where most of the Python AI/ML library functionalities are in JavaScript and running in your browser without you (most people) being aware. I am unsure if I should be excited or petrified.

    • @cusematt23
      @cusematt23 8 months ago

      @adityadas5835 certainly possible.

  • @digitalradiohacker
    @digitalradiohacker 8 months ago +47

    I'm a complete code mong, so I'm trying to "hang around" with smart people to soak up as much as I can - hence, why I'm here.
    Just to prove I was paying attention:
    28:30
    It looks like the integer returned was "1".
    You went back to the code and typed "0".
    Thanks for the walkthrough of what you're doing - Picked up a couple of tricks here.

  • @ArjanvanVught
    @ArjanvanVught 8 months ago +88

    @28:29 a little error here ;-) pasting 0 instead of the 1

    • @swenic
      @swenic 8 months ago +6

      ^ 28:41

    • @sonyarianto
      @sonyarianto 7 months ago +3

      Yeah, this is a bug in this video.

    • @ThanatosUA
      @ThanatosUA 4 months ago

      Comment bait 🎉

  • @Jimbooos
    @Jimbooos 8 months ago +15

    I didn't need this but the explanation was so clear I kept watching.

  • @btd6vids
    @btd6vids 6 months ago +3

    These videos are really well made. I've tried to make educational content a few times before but never really landed on a good style or way to do things. You've inspired me to give it another shot

  • @NatteeSetobol
    @NatteeSetobol 8 months ago +4

    Nice, I was looking for a nice detailed video that goes through such an annoying obfuscation in JavaScript. Thanks!

  • @iss9280
    @iss9280 8 months ago +52

    One of my new favorite channels! I love the old school Tech Tv/G4 vibe of your set.

    • @shady4tv
      @shady4tv 8 months ago +3

      The theme is from Serial Experiments Lain.
      great anime - only like 13 episodes. Would recommend watching if you have the time. I will warn you tho - it's a trip.

    • @Desmaad
      @Desmaad 8 months ago +1

      Not to mention the Classic Mac (Copland/OS 8-9.2) theming.

  • @VincentGroenewold
    @VincentGroenewold 8 months ago +3

    The quality of these videos is just great, I'm not into JS at all, but it's well explained to follow along, nice! It all feels very much like security through obscurity, I predict this can be automated in the near future.

  • @dblanque
    @dblanque 8 months ago +7

    Super neat video, really high level of production (also, 28:37, oopsie daisies the 1!) :P
    Really awesome content, learnt a lot Laurie! Subbed :)

  • @plato4ek
    @plato4ek 8 months ago +44

    20:39 and other places: you don't need to write the "console.log", just expression itself is okay.

    • @drwhitewash
      @drwhitewash 8 months ago +4

      Exactly, the console will output the result of that expression, instead of those "undefined"s.

    • @kxmode
      @kxmode 8 months ago +3

      I think she's being extra careful to isolate the output to the console

    • @plato4ek
      @plato4ek 8 months ago +6

      @kxmode this won't help isolate anything. Everything inside the "console.log()" is being evaluated anyway.

    • @DavidLindes
      @DavidLindes 8 months ago +5

      @kxmode the thing is, she's _in_ the "console" (in other languages, it might get called the REPL -- Read, Evaluate, Print (in a Loop)), so, as plato4ek says, it's not really isolating anything in this context. What she's doing isn't harming anything, of course, it's just also not buying much when done interactively. (But it would be very useful if recording it to a file and running it with node, say, so perhaps it's a habit born from such intentions in prior work.)

    • @kxmode
      @kxmode 8 months ago

      @DavidLindes hmm... good to know. Always thought console.log was a way to sandbox the code. A good note to self.

  • @nathaniellovely
    @nathaniellovely 6 months ago

    This channel is really phenomenal. Everything from the technical aspect and way you break everything down in a clear and precise manner, the way you articulate yourself clearly, the synthwave color schemes and background setup is epic… I love all the things! Favorite channel lately :-)
    You are very knowledgeable and talented and it shows. Thank you for sharing your knowledge!

  • @sshiiden
    @sshiiden 8 months ago +8

    You did a really good job with the style of your videos

  • @nicogetz
    @nicogetz 6 months ago

    You've done a great job of presenting this in a clear way that makes an otherwise daunting endeavor make a lot more sense. Of course, your intuition about what the code is doing is a major factor, and that can only be developed with experience and persistence...

  • @hanfo420
    @hanfo420 4 months ago +1

    9:06 that's a mistake.
    If the app is writing to the array's content, you basically made it read-only. Enhanced obfuscation also messes with data storage location and could use morphing source code.

  • @shockinho
    @shockinho 8 months ago +7

    This is so good I can't believe it exists, let alone such good content being free on RUclips.
    Amazing work

  • @zzord
    @zzord 8 months ago

    Well done!
    Quick tip: You don't need to use console.log to evaluate expressions. You can just paste the expression and evaluate it directly.
    Also, at 22:56, you could evaluate the whole object in one step, instead of doing one function call at a time.

  • @thediskostarz
    @thediskostarz 8 months ago +4

    Awesome video Laurie, I learned a lot by watching your well explained videos. Thank you.

  • @viihnaNeverShutsUp
    @viihnaNeverShutsUp 8 months ago +13

    I absolutely love the way you break this down. Thank you!

  • @serpent77
    @serpent77 6 months ago

    I haven't done this type of stuff in forever. Great video and a fun romp through reverse engineering malware. Great Job, you've earned a new subscriber!

  • @UliTroyo
    @UliTroyo 8 months ago +2

    This was a lot of fun! What a cool breakdown.

  • @TheChugnut
    @TheChugnut 8 months ago +4

    Wow, just found your channel and I love it. Your presentation style is amazing!

  • @DotDager
    @DotDager 8 months ago +3

    A lot of interesting insights, great job as usual!

  • @mr.bulldops7692
    @mr.bulldops7692 8 months ago +1

    Clear, concise, and cool as hell. You picked a great code example!

  • @mjs28s
    @mjs28s 7 months ago +1

    pretty interesting, but what is the purpose of obfuscating your code? The people that would understand it are the same people that can also undo your mess so who are they hiding it from? The people that already cannot read code or are level 001 with their coding skills?

    • @toxidron2880
      @toxidron2880 6 months ago

      You are correct, in theory you cannot prevent reverse engineering. The goal is to make reverse engineering harder such that advanced programming skills and a significant amount of time are required. You want to make them waste time that could have been spent on something more profitable.
      Edit: In the context of malware, code obfuscation is used to delay malware analysis and to hide the payload ("sus" code) from anti-malware software.

  • @shpleemcgert
    @shpleemcgert 8 months ago +6

    At 23:06... If your ultimate goal was to get the _0x502708 map object, couldn't you have executed that block in your dev tools and just printed it out? Especially since you know the method was just outputting string characters and was not inherently malicious.
    Please correct me if there is something I'm overlooking here. Just a gut reaction at a potential time save
    Also this video was beautiful and I love your editing style. This is incredibly educational and I have subscribed. Looking forward to seeing more of your thought process.

    • @thmo_
      @thmo_ 8 months ago +1

      Yeah, would have been a time save to let it write the commands up to the last two map entries actually using the ActiveXObject.

    • @epiphaner
      @epiphaner 8 months ago +5

      I'm guessing she did it this way to keep it safe and accessible for the viewers.
      A viewer might not be savvy enough to distinguish which parts of the code are safe to execute and which are not.
      That would also explain why she would go through de-obfuscating the first two methods before using them even though they, to me, obviously had no code that could do harm.
      A viewer following the workflow in this video will not get their system infected.

    • @thmo_
      @thmo_ 8 months ago +1

      True, also in general the way she did it was very verbose to follow along and replicate with other code, so this will be more helpful to viewers.

  • @synnveolsdatter-bh9qc
    @synnveolsdatter-bh9qc 4 months ago

    Love the video! It kind of inspired me to want to do something like this myself. One thing to note, you don't really need console.log() if it's a function because the return value will be automatically logged. Keep up the work!

  • @enthusi
    @enthusi 8 months ago +26

    Obfuscated code is fun.. JavaScript not so much my cup of tea 😊 Thanks for presenting these topics!

    • @dodgecoates8760
      @dodgecoates8760 8 months ago +3

      How can you like obfuscated code but not love javascript?

  • @vapaspen
    @vapaspen 8 months ago

    My team has been fighting this thing for months now. When we got our first sig on it we thought it was a FP because of how many hits we got, but no, it's just hitting that many people. It's a nasty little bugger. Thanks for the really cool breakdown on this! :)

  • @kxmode
    @kxmode 8 months ago +4

    I've seen obfuscated JS code that includes bit shifting, which is insanely difficult to reverse engineer.
    For example:
    // Original Code
    let result = 160;
    // Obfuscated Code
    let result = (5

    • @kurdm1482
      @kurdm1482 7 months ago

      Insanely easy to reverse, look into AST.

    • @kxmode
      @kxmode 7 months ago

      @kurdm1482 well, yeah, you can look at the abstract syntax tree, but it still requires reverse engineering it.

  • @waffen9894
    @waffen9894 8 months ago +1

    28:41.
    Were you supposed to put 1 there instead of 0?

  • @svampius2448
    @svampius2448 7 months ago

    I love the content and aesthetics of your videos, definitely my favourite channel at the moment! Also, for some reason you make me think of squirrels, which is fantastic - a vaporwave squirrel.

  • @digitalsparky
    @digitalsparky 6 months ago

    Something to save a little time for you: console.log is not required in the console tools. Just press Enter on an expression and you'll see the result right after. This is why you see undefined printed after your result on its own line; it prints the return value automatically. :)

  • @ronen124
    @ronen124 8 months ago +1

    28:37 here you wrote '0' instead of '1' by mistake.
    This was an interesting and fascinating reverse engineering of this malware, thank you very much for sharing your analysis.

  • @rafaelskt4ever
    @rafaelskt4ever 8 months ago +4

    Love your Serial Experiments: Lain theme

  • @xinaesthetic
    @xinaesthetic 6 months ago

    Very nice presentation and clear patient explanation etc as others have said. A few little comments: you don't really need to type `console.log` the whole time; just execute the expression in devtools and the value will be printed. Some of the more manual bits could be done in fewer steps, like building the map of commands - I'd probably just execute that block of code and grab the output rather than manually substituting each part.
    Lastly, it's vaguely hypothetically possible that using a find/replace to rename things could end up with the wrong result if the same set of characters happened to be used elsewhere (which in larger files is really not so unlikely as bundlers aiming for small output are pretty likely to reuse similar short variable names in different scopes). If you were to use an editor with a js language server you can use a more dedicated 'rename variable' function (F2 in vscode) to do that a bit more safely.

  • @MreMeatify
    @MreMeatify 5 months ago

    Thank you Laurie for another really nice video. It was really interesting watching the source unwind into something readable. Too bad these malware writers don't use their talents for something more positive.

  • @stonebubbleprivat
    @stonebubbleprivat 5 months ago

    The set in the background is awesome!

  • @theelliotwoods
    @theelliotwoods 6 months ago

    Great video. I was hoping at the end you’d also say “and if you wanted to skip all that process you could just replace the ActiveX line with console.log to see exactly what it’s trying to execute without going through the whole process of untangling it.”

  • @armaniimus
    @armaniimus 6 months ago

    I found this very interesting.
    I noticed a small error at 28:39.
    I deobfuscated a piece of JS a few years ago.
    I find it very interesting to see someone else do it their way.

  • @Skatche
    @Skatche 8 months ago +2

    23:30 Quicker way to do this: just copy and paste the definition of the variable _0x502708 into your console and then console.log the result.

    • @Павал-л8ч
      @Павал-л8ч 8 months ago +2

      Also, instead of concatenating strings in a loop, we can just replace the ActiveX calls with console.log, run it and see what commands are executed.

  • @Awesomo4000
    @Awesomo4000 8 months ago +1

    9:19 The function is kind of doing what you're saying but not exactly. In the obfuscated version it's always returning the same instance of the string array. In the obfuscated version you're recreating the string array every time.
    So if you mutate the result of the obfuscated function, you'll get the mutated version on the next call. This is not the case in the obfuscated one.
    A way to reproduce what it actually does is move the declaration of the var_commandStringArray to the top of the file and just return the reference in the function. This would allow you to replace all calls to _0x1ecc() by var_commandStringArray and get rid of the function.

    • @vlk.charles
      @vlk.charles 8 months ago

      I noticed that too and made a similar comment. Although I think you mixed up "obfuscated" and "deobfuscated".

  • @markhodgson7241
    @markhodgson7241 3 months ago

    ActiveX! Blast from the past! Run random COM objects from the browser! What could _possibly_ go wrong? Loved watching you pick this apart :-)

  • @Emerson1
    @Emerson1 8 months ago +2

    Great video, and great production value

  • @JenBytecode
    @JenBytecode 8 months ago +1

    Now I would like to know what the malware that would be downloaded from that server is actually doing when executed.

  • @pdelong42
    @pdelong42 8 months ago

    It's been a few decades since I've done anything serious on Windows, so I was frankly surprised to learn that ActiveX is still a thing. We all thought it was a gaping security hole from day one, and I thought Microsoft was at least disabling it by default now. Glad to see that it's deprecated (according to Wikipedia).

  • @Plagueheart
    @Plagueheart 8 months ago

    I like the channel, it has a 90's style vibe from PBS after school tv educational shows which gives me that nostalgic vibe

  • @RyanEglitis
    @RyanEglitis 6 months ago

    Pretty cool to see the malware "come to life" with deobfuscation. I probably would have just run the object as a single line that was getting all the commands, since it ended up putting them into a simple object structure that would be easy to copy out from, but that's just a speed-up of the process.
    I'd be interested to see a _more_ obfuscated piece of code. Some of the fun stuff I've seen is single-letter function/variable names, an extensive use of hex codes, as well as the oft broken eval().

  • @ITWorx
    @ITWorx 6 months ago

    What is the name of the obfuscator app used on the given JS file?

  • @No0Vad
    @No0Vad 8 months ago

    Sometimes you get lucky with Auto-play enabled, that's how I found this video which I enjoyed. Love the retro feeling!

  • @gamedesign-yl2fx
    @gamedesign-yl2fx 7 months ago

    You can invoke the expressions directly in devtools instead of surrounding them with console.log. If you do not surround them you will get the real string in a dev-friendly format; string parameters to console.log are displayed as HTML in the console, losing whitespace information.

    • @gamedesign-yl2fx
      @gamedesign-yl2fx 7 months ago

      You can also use VSCode with typescript language server, this will allow you to rename while respecting scope in cases which obfuscator might use the same var name for different values

  • @zetronman
    @zetronman 8 months ago +5

    I'm stupid but why are you able to find + replace-all? Doesn't that risk renaming variables that are locally scoped that use the same name as other locally scoped variables in another function?
    Edit: like obviously it'd still work, I just feel like it'd mess with me a lot and it seems like it'd be better if the find-replace was scoped, but idk, I don't RE malware.

    • @vlk.charles
      @vlk.charles 8 months ago +2

      Yeah, I too thought that was a little "reckless". Turned out this code didn't use the same name in different scopes but it could have, just to mess with reverse engineers.

    • @NelemNaru
      @NelemNaru 3 months ago

      Yes! I was wondering the same thing. I've messed up my own code so many times changing variable names with replaceAll. VSCode lets you rename variables automatically without messing up scope (and without affecting non-variable strings, which replaceAll can also mess up). The video creator is very smart, but not working the smartest way in this video
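To make the scope problem raised in this thread (and in @xinaesthetic's comment above) concrete, here is an added JavaScript example that is not from the video: it compares a blind replace-all, a whole-word replace, and a rename limited to one function body on a constructed two-function snippet, then loads each result to check whether behaviour changed. The snippet, the new name `cmdParts` and all helper names are invented for this example.

```javascript
// Added example, not code from the video. Constructed snippet: the one-letter
// name `s` is a parameter in two unrelated functions and also sits inside a
// string literal, which is exactly where a blind find/replace goes wrong.
const SAMPLE =
  "function decode(s) { return s.split(','); }\n" +
  "function run(s) { return 's: ' + s; }\n";

// Blind substring replace, like an editor's replace-all: every 's' in the
// file is rewritten, including the 's' at the start of `split`.
function naiveRename(src, from, to) {
  return src.split(from).join(to);
}

// Whole-word replace: no longer damages `split`, but still rewrites both
// functions and the string literal 's: ', because text has no notion of scope.
// `from` is used as a regex, so it must not contain metacharacters.
function wordRename(src, from, to) {
  return src.replace(new RegExp("\\b" + from + "\\b", "g"), to);
}

// Scope-limited rename: locate `function <name>(...) { ... }` by matching
// braces and apply the whole-word rename inside that span only. A minimal
// stand-in for an editor's rename-symbol; it does not parse strings or
// comments, so a stray brace inside a literal would confuse it.
function renameInFunction(src, fnName, from, to) {
  const start = src.indexOf("function " + fnName + "(");
  if (start < 0) throw new Error("function not found: " + fnName);
  const open = src.indexOf("{", start);
  let depth = 0;
  let end = -1;
  for (let i = open; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}") {
      depth--;
      if (depth === 0) { end = i + 1; break; }
    }
  }
  if (end < 0) throw new Error("unbalanced braces in " + fnName);
  return src.slice(0, start) + wordRename(src.slice(start, end), from, to) + src.slice(end);
}

// Load one function out of a renamed source text; null if it no longer parses.
function loadFunction(src, name) {
  try {
    return new Function(src + "\nreturn " + name + ";")();
  } catch (e) {
    return null;
  }
}

// Does `decode` still behave as before the rename?
function decodeWorks(src) {
  const decode = loadFunction(src, "decode");
  if (!decode) return false;
  try { return decode("x,y").join("|") === "x|y"; } catch (e) { return false; }
}

// What does `run` return now? A changed literal shows up here.
function runOutput(src) {
  const run = loadFunction(src, "run");
  return run ? run("ok") : null;
}
```

With this sample, the blind replace breaks `decode` (its `split` call is renamed away), the whole-word replace keeps `decode` working but silently changes what `run` returns, and only the function-scoped rename leaves `run` untouched. That is the difference between a text editor's replace-all and a language-server rename.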

  • @robertivaneinarsson5868
    @robertivaneinarsson5868 8 months ago +14

    Fantastic! I would love a video from you breaking down the XZ backdoor thing.

    • @Ron55O
      @Ron55O 8 months ago

      That's what I thought at first too😅

  • @gmoraesalvarez
    @gmoraesalvarez 6 months ago

    Learned some obscure (to me) JS syntax today. Cool.

  • @andrewenrique5503
    @andrewenrique5503 1 month ago

    Can someone please explain how the try/catch block that mounts the malicious command accesses the organized array manipulated by the immediately invoked function expression? Because it seems that the array is only manipulated in a local scope and it's never returned.

  • @hitmongg
    @hitmongg 8 months ago

    I've never looked at malware before; it's super interesting. Thanks for sharing!

  • @jefflucas_life
    @jefflucas_life 8 months ago

    I like the way this video was instructed, thumbs up!!

  • @TheUnknownFactor
    @TheUnknownFactor 6 months ago

    I think there was a small error in the try/catch function. The break would not throw; the break would exit the loop (and thus not trigger the catch), so the if condition does have a meaningful function (it exits the otherwise infinite loop). Similarly, even though the try and catch execute the same code, doing array.push(array.shift()) appends the first item of the array to the end of the array, meaning that the number of times you run that code determines the order in which the array ends up.
    What's strange is, if this operation is indeed purely mutating a copy of that array, and not returning or throwing anything outside of the function, then this function is doing nothing except... taking time? Maybe there's a side effect in the var _0x5a123c assignment, couldn't tell.
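As an added illustration of the two behaviours discussed in this comment and in @Awesomo4000's comment above (an accessor that hands out one shared array instance, and an array.push(array.shift()) loop that rotates that array until a check passes), here is a small JavaScript example. It is not code from the video or from the sample analysed there; the string contents, the checksum function and the rotation count are constructed for the example, and the function names are invented.

```javascript
// Added example, not the video's code. Constructed string array in the style
// obfuscators emit; the words are placeholders, not the real sample's strings.
function makeStringArray() {
  return ["cmd.exe", "WScript.Shell", "echo", "hello", "Run"];
}

// Obfuscator-style accessor: the array is created once and every call returns
// that same instance, so a rotation done through one call is visible to every
// later call. Hypothetical name.
function makeSharedAccessor() {
  let cached = null;
  return function accessor() {
    if (cached === null) cached = makeStringArray();
    return cached;
  };
}

// A rewrite that rebuilds the array on every call looks equivalent but is not:
// any mutation is lost as soon as the next call happens.
function freshAccessor() {
  return makeStringArray();
}

// The array.push(array.shift()) idiom: move the first element to the end.
function rotateOnce(arr) {
  arr.push(arr.shift());
  return arr;
}

// Constructed stand-in for the obfuscator's check: a weighted sum of string
// lengths. Real obfuscators use a different function; only the shape matters.
function checksum(arr) {
  return arr.reduce((acc, s, i) => acc + s.length * (i + 1), 0);
}

// The rotation loop: keep rotating in place until the checksum matches.
// Returns how many rotations were needed; throws if no rotation matches,
// which is the "otherwise infinite loop" the comment mentions.
function rotateUntil(arr, expected) {
  for (let attempts = 0; attempts < arr.length; attempts++) {
    if (checksum(arr) === expected) return attempts;
    rotateOnce(arr);
  }
  throw new Error("no rotation of the array matches the expected checksum");
}

// Shared vs fresh accessor after two rotations each: only the shared one
// shows the rotated order on the next call.
function compareAccessors() {
  const shared = makeSharedAccessor();
  rotateOnce(shared());
  rotateOnce(shared());
  rotateOnce(freshAccessor());
  rotateOnce(freshAccessor());
  return { sharedAfter: shared().slice(), freshAfter: freshAccessor().slice() };
}
```

The practical consequence for deobfuscation: when the accessor is replaced by a literal array, it has to be the array as it stands after the rotation loop has run, not the one written in the source, and an accessor that rebuilds the array on every call would undo the rotation.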

  • @glaf1488
    @glaf1488 8 months ago

    I did this for my job 1 or 2 years ago. JavaScript is used everywhere and obfuscated in a very horrendous way. For me it was fun and I even did some helper to avoid wasting too much time. As you cannot do this automatically, you have to do a lot of stuff manually; finding the obfuscation functions is the most annoying part.

  • @thefrub
    @thefrub 8 months ago +2

    Your production value is through the roof, you've got the whole room setup, the multiple cameras, the old Mac aesthetic. And you're great at this! This is amazing

  • @syth-1
    @syth-1 8 months ago

    Great video - these are all tricks I've used to deobfuscate APIs I probs shouldn't be using .-.
    If you know the code is safe to run, and have a bit more complex code that jumps thru many different libraries, executing and walking thru the code line by line helps a ton.
    What you may be reverse engineering may be just one file, but seeing the external lib calls and filling in the values returned just like in the video really helps put the puzzle together (of course gotta give props to browser dev tools - when walking thru code you can just hover over any variable to see the current value inside).

  • @ab-tu5wc
    @ab-tu5wc 8 months ago

    5:07 I saw this kind of code where a function is wrapped in parentheses while it's being defined in a TamperMonkey user script but I didn't know what it was called, so thanks for clearing that up. It's a weird way to call a function ngl. Is there an advantage to executing a function like this in terms of memory that I'm not seeing, or is it just the malware person being petty and obfuscating the call to the function?

    • @rickgray
      @rickgray 8 months ago +1

      It's called an IIFE. Not common these days because ES6 fixed a lot of weirdness that necessitated them.

    • @caerphoto
      @caerphoto 8 months ago +1

      It's often used for initialisation code, where a bunch of stuff needs doing, but you don't want to create global variables - it keeps that portion of code contained.
      This:
      (function (root, sel) {
      let selected = root.querySelector(sel);
      selected.classList.add('loaded');
      }(window.document, 'body'));
      Is basically the same as this:
      function markAsLoaded(root, sel) {
      let selected = root.querySelector(sel);
      selected.classList.add('loaded');
      }
      markAsLoaded(window.document, 'body');
      except the first one doesn't create a global 'markAsLoaded' function. Obviously the function bodies in this example are pretty trivial, so you wouldn't actually use it in this case, but for more complex code it's useful.

  • @angelortiz-vk8ez
    @angelortiz-vk8ez 7 months ago

    Thanks!

  • @onlymyrailgununknown2960
    @onlymyrailgununknown2960 7 months ago

    Your kind is rare. I am working on a C decompiler, and will soon deal with optimized binaries and later with static obfuscation methods, and I am thinking about how to automate deobfuscation. For JS it looks quite possible. You are basically doing some kind of constant propagation (with the help of runtime logs) and giving sensible names. If someone would write a high-level JS optimizer, you could also get rid of unnecessary/pointless dead code, control flow, ... then it's done. Basically adapting the GCC/CLANG optimization tricks to JS would make no JS secure.

  • @RealDevastatia
    @RealDevastatia 7 months ago

    3:45 The big array at line 80 looks like it'll be reassembled into a command to run a WShell script. I knew this wouldn't run in a browser because they no longer support ActiveX controls.

  • @OneAndOnlyMe
    @OneAndOnlyMe 8 months ago

    This was a great tutorial, Laurie!

  • @nceban2136
    @nceban2136 7 months ago

    Not a big fan of Lain, but still can appreciate the commitment to the intros.

  • @canetabisturi
    @canetabisturi 8 months ago

    Laurie are you planning on making a video on the xz backdoor? Would love to hear your thoughts!!

  • @BernhardWeber-l5b
    @BernhardWeber-l5b 7 months ago

    LOVE the effect of a tape fast-forward 😂

  • @jcKobeh
    @jcKobeh 8 months ago +4

    The horizontally flipped front face camera has had me wondering exactly what you were doing for a couple of videos.
    Did you decide to do it to have your face "looking into" the direction of the code?
    Now that I'm commenting, I'll just say: I love the graphic overlays and design you use. And the way you present these videos, just clear voice, no music, well prepared, and sitting still and straight throughout the whole thing,
    My respects. I know how all of these kinds of things are invisible to most when done correctly, but cheers, it doesn't go unappreciated.

    • @Hwyadylaw
      @Hwyadylaw 7 months ago

      Webcams and front-facing phone cameras tend to mirror the image to emulate.. well, a mirror, since that's how most people are used to seeing themselves.

    • @jcKobeh
      @jcKobeh 7 months ago

      @Hwyadylaw but that footage looks like a real camera, not a webcam, which is why it seems to me like it must be an active decision and not just the default thing the camera does.

  • @mistersunday_
    @mistersunday_ 8 months ago

    Laurie, your channel is genius

  • @zetopr8058
    @zetopr8058 6 months ago

    But what about c code with "entry" instead of main and unknown obfuscation, no injection or hooking for protection :[

    • @hanfo420
      @hanfo420 4 months ago

      But what about global warming

  • @hensou
    @hensou 6 months ago

    Thank you! That was fun! Sounds like a thing I would like to do, I definitely want to learn more about this :)

  • @ancestrall794
    @ancestrall794 8 months ago

    Really interesting. I wonder if the ActiveXObject function can be used for XSS in pentesting / CTFs

  • @i_scopes_i3914
    @i_scopes_i3914 6 months ago

    @28:46 supposed to replace w int 1 after console log simp'd to 1 but you replaced w 0

  • @Farming-Technology
    @Farming-Technology 6 months ago

    So an antivirus looking for a file containing one extra long line of code could be a legit technique?

  • @grawuka6900
    @grawuka6900 8 months ago

    Hello, I would recommend that people watching this video use a JavaScript AST manipulation tool for this kind of de-obfuscation.
    Just with "copy propagation" and "constant folding" you will have much done in one go.
    The switch technique, however, is maybe not handled, as it would require loop unrolling.

    • @plato4ek
      @plato4ek 8 months ago

      which tool would you recommend?

    • @grawuka6900
      @grawuka6900 8 months ago

      Babel is nice, there are a lot of transformations (plugins) available and you can write custom plugins as you encounter new obfuscation patterns.

    • @plato4ek
      @plato4ek 8 months ago

      @grawuka6900 OK, thanks. But I thought you meant an interactive tool.

  • @jhonm6347
    @jhonm6347 8 months ago

    Damn, this is very informative. I can't quite keep up with everything yet because I'm new to coding but it is very interesting, great video.

  • @BillyC
    @BillyC 8 months ago +1

    This was sick to watch!

  • @damien__j
    @damien__j 8 months ago +5

    I see LaurieWired and I click

  • @mrx2586
    @mrx2586 3 months ago

    are "immediately invoked functions" the same as anonymous functions or inline functions?

  • @g2D1
    @g2D1 8 months ago

    Which OS are you using, Laurie? It looks very retro. I have been looking for a KDE look-alike for Solaris 2.6 but have not been able to find one. But this one has a similar feel and looks like a retro Mac OS.

  • @Montegasppa
    @Montegasppa 7 months ago

    This is the first (maybe second) of your videos I watch, and I got the reference. シリアルエクスペリメンツレイン

  • @GerbenWijnja
    @GerbenWijnja 8 months ago

    Nice work, Laurie. Of course there are many shortcuts possible all over the place, but that also increases the risk of errors. Refactoring piece by piece provides more confidence that you're on the right track. Is the original code available somewhere? I couldn't find it with just the hash.

  • @kelliaa
    @kelliaa 8 months ago

    really sick video, gonna try to learn more about this, and your set is so sick

  • @youdj_app
    @youdj_app 8 months ago

    I am using the same tool; the guy uses javascript-obfuscator. You are lucky the code is short, otherwise you need to make something more complex to retrieve all the strings.

  • @BernhardWeber-l5b
    @BernhardWeber-l5b 7 months ago

    I'm on my Android tablet, so can't directly verify, but I'm pretty sure that CTRL+H brings you directly to the "replace" dialog. You don't have to ctrl+f and then click. It's just ctrl+h.

  • @ArdentObserver
    @ArdentObserver 8 months ago

    Just some thoughts, you could have simplified the generation of the command strings by simply commenting out the part that executes the ActiveX and simply console.log the command string at that point. The function would then be simplified to two activeX commands. Nice breakdown of how you could move step by step, just once you've identified the potentially dangerous part of the code, why not comment it out and just let it run to get the values you are looking for?
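The shortcut suggested here and in a few comments above (swap the ActiveX sink for console.log and let the script print what it would have run) can also be done without editing the script, by injecting a recording stand-in for ActiveXObject. The JavaScript below is an added example, not code from the video; the script it inspects is a constructed placeholder in the same shape as the one discussed (pieces joined into a command, then handed to WScript.Shell.Run), and the recorder neutralises ActiveX calls only, so it is only a sensible trick for code whose other sinks have already been reviewed, run in the isolated analysis environment the video assumes.

```javascript
// Added example, not the video's code. Constructed script: a command is built
// from array pieces and handed to WScript.Shell.Run via ActiveXObject, then a
// second COM object is used. Both calls are placeholders.
const SAMPLE_SCRIPT =
  "var parts = ['cmd', '/c', 'echo', 'placeholder'];" +
  "var cmd = parts.join(' ');" +
  "var sh = new ActiveXObject('WScript.Shell');" +
  "sh.Run(cmd, 0, true);" +
  "var fso = new ActiveXObject('Scripting.FileSystemObject');" +
  "fso.DeleteFile('placeholder.txt');";

// Recording stand-in for ActiveXObject: every ProgID requested and every
// method called on the resulting object is logged; nothing is executed.
function makeRecorder() {
  const events = [];
  function ActiveXObject(progId) {
    events.push({ type: "create", progId });
    // A Proxy answers any method name with a recording function, so the
    // script keeps running even for methods the analyst did not anticipate.
    return new Proxy({}, {
      get(_target, method) {
        return (...args) => {
          events.push({ type: "call", progId, method: String(method), args });
          return 0; // WScript.Shell.Run returns an exit code; 0 is a plausible stand-in
        };
      },
    });
  }
  return { ActiveXObject, events };
}

// Evaluate the script with the recorder as the only ActiveXObject in scope
// (it shadows any global of that name) and return the recorded events.
function observeActiveX(src) {
  const { ActiveXObject, events } = makeRecorder();
  new Function("ActiveXObject", src)(ActiveXObject);
  return events;
}

// Human-readable summary of what the script tried to do through COM.
function observedCommands(src) {
  return observeActiveX(src)
    .filter((e) => e.type === "call")
    .map((e) => `${e.progId}.${e.method}(${e.args.join(", ")})`);
}
```

Compared with hand-substituting each string array lookup, this yields the final command strings in one pass and leaves the original script untouched for later diffing; the cost is that the script's other code runs for real, which is why the commenters' "only once you know which part is dangerous" caveat still applies.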

  • @kaos092
    @kaos092 8 months ago

    Does anyone know where to find the file she's using? I assume it's in some malware registry or something. Googling the hash gets me nothing.

  • @JosephSaintClair
    @JosephSaintClair 8 months ago

    Thank you for covering IOCCC. Something I always encourage aspiring programmers to try for themselves, first for the personal challenge and discipline. 🙏

  • @ZipplyZane
    @ZipplyZane 8 months ago +1

    I believe you don't need to type in console.log, as the console will show return values for any expression. And it seems like typing console.log is taking up a decent amount of time for you.

  • @TheSnero3
    @TheSnero3 8 months ago

    where do you get all of those wonderful backgrounds?

  • @astropgn
    @astropgn 8 months ago

    Would it be an alternative to obfuscating your malware to use WebAssembly? I am assuming, since it is compiled, it would require a lot more effort to reverse engineer it. Yet it would work relatively fine on modern browsers.

  • @Slycooper2456
    @Slycooper2456 8 months ago +5

    Such great videos! (Love the Burnout clips at the end of each video, such a fun game!)

  • @ShannonWare
    @ShannonWare 8 months ago

    JS tools tip for NPP won you a subscriber! Thanks a million, my favourite app just got better XD

  • @pavloburyanov5842
    @pavloburyanov5842 8 months ago

    For "repetitive" part: you can grep needed invocations and process them in the loop.
    PS: I believe notepad++ supports macros to make life easier.

  • @tysonbenson
    @tysonbenson 8 months ago +1

    Thanks, Laurie! Awesome video!

  • @Anthony-vb7sj
    @Anthony-vb7sj 7 months ago

    impressive work !!!
    This channel is very Under-rated 😯👍🏻

  • @post_rot
    @post_rot 8 months ago

    Why replace all when you can obfuscate the same variable name in different functions to store/do completely different things?