#18 – Analyzing the structure of the old Javascript Deobfuscator plugin

This is a continuation of my previous article about PhantomJS. As I said there, my end goal is to build a JavaScript deobfuscator tool on top of PhantomJS (for scalability purposes).

After checking the PhantomJS binary and its help output, there does not seem to be a debugging option that prints the arguments of the functions being called, nor any setting I could change to trace the JavaScript currently being executed. So I think I have these options:

  • Modify the core of PhantomJS to print the function currently being executed. Doable, but it would probably be a pain to maintain.
  • Inject a JavaScript payload into the current page to trace the execution flow. That is what I am aiming for right now: it has the advantage of remaining usable even when PhantomJS is updated.

Thinking about what I could inject as a payload, I decided that my first step should be to analyze the old Javascript Deobfuscator plugin for Firefox, since it was the plugin I had the most success with in the past. Browser plugins (.XPI for Firefox) are generally packaged HTML/JavaScript source files, so I might at least be able to understand how they did it. The creator did provide a link to their source here, but we could also have extracted the files from the XPI, since it is just a ZIP archive.


Structure of the source code

In the “chrome/” folder, we can find the main part of the plugin.

  • “content/” is where the main JavaScript files are stored
  • “locale/” is where the language translation files are stored
  • “skin/” is where the CSS and image/icons are stored

In the “lib/” folder (not too sure, but I guess it is where the start/main() of the plugin lives), there is a main.js, which calls panel.js.

I’ll probably have to concentrate on “lib/” and “chrome/content/”.


lib/panel.js

First, it imports the DevTools API, which seems to be an obsolete way to customize the UI by registering tools. Each tool lives in its own tab called a panel. Then the script defines a tool using some content from “chrome/content/” and an icon from “chrome/skin/”.

The script adds some callback listeners to verify that the page is correctly loaded, as well as some debugging-related listeners (onNewScript, onScriptExecuted, onNavigate); these could be useful later on.

onNewScript calls addScript with the message data, onScriptExecuted calls updateScriptExectime with the script id and its execution time, and onNavigate ensures the messageManager is cleared between navigations.


List of files in “content/”

  • beautify.js – Looks like a beautifier script/library (similar to what jsbeautifier does)
  • common.js – A wrapper around a require function; not too sure what it does, for now it notifies an “observer” using Services.obs.notifyObservers
  • content.js – Seems to be where the main functions triggered when a button is pushed are stored
  • panel.js – An extension of lib/panel.js; the callback functions (addScript, updateScriptExecTime, …) are stored here, and there seem to be other functions as well
  • panel.xul – A general configuration file for plugins. More information about xul.
  • worker.js – Contains other callback functions; another onNewScript listener is present in content.js, calling for example “onScript”, which is defined in worker.js


Conclusion

More analysis should be done on the plugin, but from what I gathered, there are some callback functions that could be interesting to re-implement inside PhantomJS; I’ll just have to make sure they are available in WebKit (which PhantomJS uses) and not exclusive to Mozilla. It also means that my project seems feasible; I’ll just need to work out how to implement my system, since I will have to be able to call some functions at runtime if I want to trace correctly (for example, entering a username and password combination and then clicking a button).
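As an added illustration of the injection approach chosen above (tracing execution flow by injecting a script into the page) and of the kind of callback the conclusion talks about re-implementing, here is a minimal call tracer. It is not the plugin's code and not code from PhantomJS; the names createTracer, traceObject, makeSample and demo, the record format, and the sample "obfuscated" object are all assumptions made for this example. It is written in ES5 so that it would also run inside PhantomJS's older WebKit, and it replaces each function-valued property of a target object (in a page that target would typically be window) with a wrapper that records the call, its arguments, its result and its nesting depth before passing control to the original function.

```javascript
// Added example (not the plugin's or PhantomJS's code): a minimal call tracer of
// the kind one could inject into a page to record which functions run, with what
// arguments and results. ES5 on purpose so it would also run under PhantomJS.
'use strict';

function createTracer() {
  var records = [];   // one entry per call: {name, args, depth, result|error}
  var depth = 0;      // current call nesting, used to indent the trace

  // Wrap a single function so every call is logged before the original runs.
  function wrap(name, fn) {
    return function () {
      var args = Array.prototype.slice.call(arguments);
      var entry = { name: name, args: args.map(String), depth: depth };
      records.push(entry);
      depth++;
      try {
        var result = fn.apply(this, arguments);
        if (result !== undefined) { entry.result = String(result); }
        return result;
      } catch (e) {
        entry.error = String(e);
        throw e;
      } finally {
        depth--;
      }
    };
  }

  // Replace every own enumerable function-valued property of obj (e.g. window
  // in a page) with a traced wrapper, so calls made through obj are recorded.
  function traceObject(obj, label) {
    Object.keys(obj).forEach(function (key) {
      if (typeof obj[key] === 'function') {
        obj[key] = wrap(label + '.' + key, obj[key]);
      }
    });
    return obj;
  }

  // Render the records as an indented call tree, one call per line.
  function format() {
    return records.map(function (r) {
      var line = new Array(r.depth + 1).join('  ') + r.name + '(' + r.args.join(', ') + ')';
      if (r.result !== undefined) { line += ' -> ' + r.result; }
      if (r.error !== undefined) { line += ' !! ' + r.error; }
      return line;
    }).join('\n');
  }

  return { records: records, wrap: wrap, traceObject: traceObject, format: format };
}

// Constructed stand-in for an obfuscated script: decode a char-code array, then
// hand the string to a sink (in a real page the sink would be eval/document.write).
function makeSample() {
  return {
    decode: function (codes) {
      return codes.map(function (c) { return String.fromCharCode(c); }).join('');
    },
    sink: function (s) { return s.length; },
    run: function () {
      return this.sink(this.decode([104, 101, 108, 108, 111])); // "hello"
    }
  };
}

// Trace a fresh sample object and return both the result and the recorded calls.
function demo() {
  var tracer = createTracer();
  var sample = tracer.traceObject(makeSample(), 'sample');
  var out = sample.run();
  return { out: out, records: tracer.records, trace: tracer.format() };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo().trace);
}
```

Run stand-alone, demo() prints a three-line tree: sample.run() at depth 0, then sample.decode(...) returning hello and sample.sink(hello) returning 5 indented under it. Under PhantomJS the natural place to inject createTracer and traceObject(window, 'window') would be a page.onInitialized handler or a page.evaluate call (a choice I am assuming here, not something the article states), so that the wrappers are installed before the page's own scripts run; the records array then has to be shipped back to the PhantomJS side, since the trace lives inside the page context.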
