JSFuck is a bad security barrier.

TL;DR JSFuck can be reversed with fair ease by pattern matching (or simply string matching). Check out the code section for the actual code.

You can jump to the solution section if you don't want the background details.

Why in my sane mind would I do this?

I was recently analysing some of JS obfuscation strategy used by the websites. The popular ones were minification, uglification, loading JS from encoded strings, etc. Mostly they were deployed to hide the APIs from being exploited outside of the sites. But upon careful inspection, almost all of the JS obfuscation gave away their APIs and the extracted knowledge could be used to write wrappers for those in any language of choice (although, using JS had the advantage to use their codes directly). Then I hit upon another strategy which made this task seemingly impossible. JSFuck.

All the APIs required some form of keys to be sent with each request which was verified on the server side. These keys were generated by some form of hashing or seeded random number generation. But this site loaded its API keys using JSFuck and they were unique for the each request.

The problem

So, in a nutshell, I had to get past some changing JSFuck code which injected some global variables and get the values of those variables.

JSFuck

Then I started to analyse how JSFuck gets evaluated and tried to reverse it. JSFuck works in an interesting way. It only uses six of the JS characters, ()+[]!, to generate all the codes.

The overall strategy is to use the Function method of JS to create a function from a string and then evaluate it. Which reduces the generation strategy to get hold of the Function method with the limited characters and generate the string with those characters.

The details of code generation can be checked from JSFuck's GitHub source and it would be redundant to go into the details. On a high-level summary, it can be said as recursive replacement of individual parts.


The solution

Now the question before me is how do I break it. I guess to fully reverse engineer the code would be very involved. But my target was to reverse a specific version with only specific part varying every time. So, I embarked upon the strategy of pattern matching.

The results of the initial inspection are:
  1. All codes began with a specific pattern which fetched Function.
  2. All of them ended with () which called the generated function.
  3. The code between them had segments enclosed within () of [], sometimes continuous, separated by +. They turned out to generate characters of the string being concatenated with +.
Then to further analyse the internals, I wrote some code to separate the blocks of above-mentioned types. Then tokenize them based on prefix matching of string from a mapping of the string to corresponding objects. Initially, the mapping contained only the pattern for Function and a few manually reversed characters.

To find the rest of the characters, I made the tokenizer print the unknown blocks separated by + in a JS compatible array which I then converted to the corresponding characters using JS's eval. This strategy didn't work for all the characters, especially the ones using CHAR_CODE to get the characters but it did convert a lot of other characters. After this, my tokenizer stopped spitting lots of unknown blocks and returned a lot of sane characters. (Actually, the code I was initially working with got fully deobfuscated until I hit another one with uppercase characters).

Other strategies

Before trying to solve this myself, I looked online for existing solutions. All the materials I found recommended to remove the last () and eval the code in JS. But my target was to reverse it from any language. Also removing () and using eval doesn't help if the code tried to inject some malicious code which can be easily placed any were in the middle.

Code

Who cares all the shit details? I want the damn code!

Here you go:

My code disclaimer:

  1. This code doesn't parse all the possible characters. I have added only those characters which I encountered while I was working. The missing characters can easily be added by adding the corresponding string to the jsfuck-map.lisp file.
  2. The code is in Common Lisp. I am not an experienced lisp programmer so some of the code may not be according to accepted standards. I left the commented out code intact to show the actual development process.

Result

JSFuck can be deobfuscated and the actual code can be obtained with fair ease. So, you should not be using JSFuck as a security layer.

As for that matter, I am still wondering how should one protect their API in the websites from being used outside of intended flow. Most of the strategies I have seen went down with some work.

Comments

  1. DakineJuly 10, 2017 at 9:24 PM

    I have some JSfuck code that is missing/has extra characters. How can I use your code to decode what ever is decodable and later find typos myself?

    ReplyDelete
  2. AnonymousApril 19, 2022 at 8:32 PM

    perhaps you can access https://www.dejs.vip/encry_decry/jsfuck.html

    ReplyDelete

Post a Comment

Popular posts from this blog

Gmail SMS Notification For New Mails(new, easy and simplified meathod)

Image
Here is a new and easier way to setup your Google Account to receive free and automatic SMS notification to your mobile for new mails in your Gmail Inbox. (Steps to setup only for Priority Inbox(Important Mails) is also provided .) Hey there may be many reasons why you need SMS notification for your new mails in your mailbox. As usual, Google does not fail us in this venture also. Although Google does not provide us with direct service for SMS notification of our mails, but there is a way out of this using the calendar remainder via SMS. My approach is not new. In fact if you Google for it you will get hundreds of such ways. But I found out that they all were almost the same and a little tricky to setup (although not for techies, but for common men). So, I spun up  a new and easy to setup method for it. It does not require any Gmail filter setup or any manual setup for remainders. All you need is to setup your mobile number and the script triggers. What it does is that it check
Read more

Hospital Management System (my second full fledged program)

Blabbering... You can skip it Hi buddies ... Sorry for no being able to post any blog for a long time. There were so many topics on which I wanted to post and so many newly gained knowledge that I wanted to share, but I was not able to gain the permission of long standing and ever persistent time. My new college, new friends, so many things to learn, so many things to know about and without forgetting, for my vested intrest in literature and cinematic, watching movie, tv shows and reading novels, kept me engaged throughout the half year! The one thing I realized that computer science is a vast domain and the is always so much to learn!!! Well as the title goes here I am to talk about my second full fledged program. Ya, second, my first was a simple paint program, developed by me as an assignment for Xth ICSE Board exam. It is a sad thing that I am no longer in the possession of the source code or the final program, but proof of it is sill buried in the assignment records of my
Read more

Beginner's Guide to install Kali Linux in UEFI system (Lenovo Z510)

Image
Here I am going to describe the steps to install Kali linux with dual boot in UEFI system. Your windows 8.1 installation will not be harmed. Now the computers are starting to have UEFI instead of BIOS. So, if you want to multiboot with your Kali linux then you will face a formidabe problem since the linux distros have not yet fully supported it. --You are free to skip this if you like-- I am not first one to write on this topic and many experts have already written on this. Then why am I writing this? I am writing this because during my research I was not able to get all the stuffs under one hood.I had to work out different steps from different places and then finally I was able to install it. So I planed to arrange all in a sequential manner so to help other newbies. Recently I bought a new lenovo Z510 with Windows 8.1. It has some wonderful features!After spending a week I decided to dual boot it with Kali Linux (I am not a linux pro, just a amature). My first s
Read more