/Kasada-Reverse-new

Reverse engineered kasada.io "captcha" / antibot


Kasada-Reverse


Why

Since @H4cK3dR4Du leaked the Kasada encryption and stuff, I thought I would share some of my research too.

Let's Begin

So first we need to ask ourselves, why the fuck am I spending my time on this (who tf cares about twitch?)

Now, let's look into how Kasada functions

  • They use a VM for their encryption

    • VMs are far more advanced and difficult to reverse than plain obfuscated JavaScript
    • They are usually encoded and encrypted within a large string known as "bytecode"
    • This bytecode string is decoded at initialization so the JavaScript can use it when needed
  • Encryption

    • Kasada's encryption uses the TEA algorithm
      • Uses a 64-bit block cipher, meaning the code processes data in 64-bit blocks
      • Uses a 128-bit key, meaning the key is split into four 32-bit parts
      • Uses a Feistel network, meaning the code uses a round-based structure with two 32-bit halves and involves shifts, additions, and XORs, like the Feistel network in TEA
      • Uses multiple rounds: the code performs multiple 32-bit rounds, just like in the TEA algorithm
    • Key/IV
      • The key and IV in Kasada's encryption are dynamically generated
        • This means they are not static for specific versions or sites, but generated differently every time they are used
        • This is done to make the encryption harder to reverse and hard to recreate without sandboxing
        • For the encryption, you need the encryption code; you can find this in scripts/encryption.py and the original in scripts/encryption.js
  • Dynamic VM

    • Earlier, I said Kasada uses a VM, meaning there is bytecode that must be decoded to access the inner code of the VM
    • Every time Kasada is used, the bytecode changes, as they have multiple versions and multiple VMs, so we need a way to follow this and decode it no matter what
    • scripts/VM.py can be used to dynamically dump the contents of the VM; the only thing required is the URL of the ips.js file
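The TEA structure listed under "Encryption" above (64-bit block, four 32-bit key words, shifts/additions/XORs over two halves), as an added reference sketch of the textbook cipher; it is not code from this repository or from Kasada. The key and block values are constructed samples, and only the single-block primitive is shown because the page does not say how the IV is applied across blocks.

```javascript
// Textbook TEA on one 64-bit block. Added example; all sample values are constructed.
const DELTA = 0x9e3779b9; // TEA's round constant, a handy fingerprint when reading dumped code

// Round function: mixes one 32-bit half using two key words (shift, add, XOR).
function mix(other, sum, ka, kb) {
  return ((other << 4) + ka) ^ (other + sum) ^ ((other >>> 5) + kb);
}

// Encrypt block [v0, v1] with key [k0, k1, k2, k3]; 32 cycles is the standard parameter.
function teaEncryptBlock([v0, v1], k, cycles = 32) {
  let sum = 0;
  for (let i = 0; i < cycles; i++) {
    sum = (sum + DELTA) >>> 0;                  // >>> 0 keeps values unsigned 32-bit
    v0 = (v0 + mix(v1, sum, k[0], k[1])) >>> 0;
    v1 = (v1 + mix(v0, sum, k[2], k[3])) >>> 0;
  }
  return [v0, v1];
}

// Decrypt by running the same steps in reverse order with subtraction.
function teaDecryptBlock([v0, v1], k, cycles = 32) {
  let sum = Math.imul(DELTA, cycles) >>> 0;     // DELTA * cycles mod 2^32
  for (let i = 0; i < cycles; i++) {
    v1 = (v1 - mix(v0, sum, k[2], k[3])) >>> 0;
    v0 = (v0 - mix(v1, sum, k[0], k[1])) >>> 0;
    sum = (sum - DELTA) >>> 0;
  }
  return [v0, v1];
}

// Known TEA weakness: flipping the top bit of both words in a key pair cancels
// out in the XOR, so every key has equivalents (effective key size is 126 bits).
function equivalentKey(k) {
  return [(k[0] ^ 0x80000000) >>> 0, (k[1] ^ 0x80000000) >>> 0, k[2], k[3]];
}

const hex = (words) => words.map((w) => w.toString(16).padStart(8, "0")).join(" ");

// Constructed sample key and block, not values recovered from any real script.
const SAMPLE_KEY = [0x01234567, 0x89abcdef, 0xfedcba98, 0x76543210];
const SAMPLE_BLOCK = [0xdeadbeef, 0x0badf00d];

const sampleCt = teaEncryptBlock(SAMPLE_BLOCK, SAMPLE_KEY);
console.log("ciphertext      :", hex(sampleCt));
console.log("round trip      :", hex(teaDecryptBlock(sampleCt, SAMPLE_KEY)));
console.log("equivalent key  :", hex(teaEncryptBlock(SAMPLE_BLOCK, equivalentKey(SAMPLE_KEY))));
```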

Screenshots (POW)

Dynamic VM Dumper Screenshot 2024-10-26 165846

Encryption Screenshot 2024-10-26 192831

Decrypted Payload w/ Key/IV Screenshot 2024-10-26 152748

Credit

Cypher (me) @CSolverV2 - Telegram CSolver.ai - Discord

https://t.me/csolver

https://discord.gg/csolve