Sep 19, 2011

JavaScript Obfuscations Contest: We Have a Winner

by Ricky Lawshae

We had a fantastic response to the JavaScript obfuscation contest we announced a couple of weeks ago. In fact, with more than 50 correct entrants, I think I may have underestimated our audience a bit. Trust me when I say that I won’t make that mistake again—the next time we do this, it will be significantly more difficult.

We’ve determined the winner of the iPad, but before we reveal who it is, I wanted to take a moment to acknowledge a few of the people who correctly determined that the answer to the challenge was CVE-2010-3765.

Last time we put the obfuscated code in a .txt file for copy-and-pasting. To make it easy to compare that code against the solution to the challenge, follow this link for the unobfuscated .txt file.

Successful entrants in the contest—all of whom will receive a BreakingPoint t-shirt—include:

Manuel Acanthephyra         Peter Kosinar
Alexander Antukh            Krzysztof Kotowicz
Ahmad Azizan                Neal Lambert
David B.                    Jon Leathery
Sean Catchpole              Clément Lecigne
Matt Cote                   Hermes Li
Chris Cross                 lintaba
Holger Dähre                Richard Lyttle
Darryl at Kahu Security     Jonas Magazinius
Sébastien Duquette          Marcin Miszczak
Dennis Dwyer                Brian Mordosky
Peter Ferrie                psifertex
Georgi Geshev               Michael Schierl
Eugeniy Ghostyukhin         Chris Schmidt
Lars Olav Gigstad           Fermin J. Serna
Seth Hardy                  Sudeep Singh
Mario Heiderich             Michele Spagnuolo
Norman Hippert              Tomas Stefunko
Csoban K.                   Bartek Szopka
Prasanna K.                 Sven Taute
Alexandros Kapravelos       Joey Tyson
Kris Kaspersky              WanderingGlitch
Yoshiki Kawata              Michael Xin
Anton Kirsanov              Yoyola

Great work, everybody! Many of the hackers who responded gave us not just the correct CVE, but also interesting details about how they approached it. I am definitely taking their techniques into account for next time. Here are a few of my favorites from the lessons I’ve learned:

  • No matter how obscured things are, if they are always obscured the same way, it is a simple matter to search-and-replace the obfuscated code with the de-obfuscated. I already have several ideas to increase entropy in my obfuscator, with different string obfuscations, more ways to get references to the window object, and so on.
  • document.write() statements are an easy way to tell what’s going on. Aside from picking a less noisy CVE for next time, I’ll work on finding some clever ways around this problem.
  • Changing parts of the code (for example, swapping eval with console.log) allows for easier analysis. I have a couple of ideas for new encoding methods, such as basing the encoding on an md5sum of the code itself or something like that in order to prevent code-tampering.

All these insights give me more to work on for next time. But now, the moment you’ve all been waiting for . . . the winner is . . . Kris Kaspersky. We will be sending Kris the iPad shortly.

Thank you once again to everyone who participated. I hope you’re looking forward to the next challenge as much as I am!
