Deobfuscating VM Based JavaScript
I've encountered some JavaScript files (like ReCaptcha) that essentially implement a virtual machine in JavaScript and pass a big blob of text to it. This makes deobfuscation very difficult. Do you have any experience or advice with these kinds of scripts?
Absolutely. It's a pain for obvious reasons, but furthermore it becomes very difficult to identify whether variations represent minor changes or completely new chunks of logic.
Deobfuscating the VM is still valuable but it has a wall. Eventually you have to bite the bullet and reverse engineer the VM implementation and how it interprets the input. AFAIK there is no general-purpose VM-based transpiler/compiler – each I've come across is proprietary – so the cost (in time) is substantial when compared to the re-usability of the effort.
@chris124567 I've already reversed Botguard. I emailed them at their secret email inside their VM (hint: it is not botguard-contact@google.com).
I'm trying to see if @jsoverson could help me out with this other VM I've been working on for a while now.
https://gist.github.com/pinyugi/64f10666a7a0c30977bb2901183601ec
@jsoverson Could you please help me reverse this VM file?