Sign in Subscribe
obfuscation

Overview of JavaScript Virtualization Obfuscation

Notes on virtualization obfuscation of JavaScript.

Pixelmelt

1 min read
Overview of JavaScript Virtualization Obfuscation
Photo by Brett Jordan / Unsplash

The Nature of Code "Protection"

Given that no protection is impossible to break by nature of how computers work. (they must be able to see instructions to execute them)

All you can really do is abstract the way the program runs.

Abstraction by Virtualization

One way to abstract any given program is to virtualize the code, essentially (re)compiling the input code and creating a fantasy CPU architecture implemented in your language of choice to run the compiler output.

If you know how Java has its Java Virtual Machine so that any Java code written can be run on every CPU architecture that the JVM supports then you will likely get what we are doing here.

As it turns out its a lot harder to read a binary file then JavaScript's interpreted text based syntax.

So we take that text and turn it into a binary that will run on our fantasy CPU.

Web protections are usually easier to crack than binary protection since binaries have a more established security scene, while browser based code protection is relatively newer. Hardware protections like TPUs present much greater challenges than our sandboxed JavaScript that can be easily analyzed and debugged.

Here is a really basic overview of how this is implemented in JavaScript, here you can see a program being run on a virtual instruction set:

let program = [1, 1, 1, 2, 2]
let datapointer = 0
let memory = []

while(datapointer != program.length){
  switch(program[datapointer++]){
    case 1: // Instruction 1: push the next number in the program to memory
      memory.push(program[datapointer++])
      break;
    case 2: // Instruction 2: add the top two numbers in memory
      memory.push(memory.pop() + memory.pop())
      break;
  }
}

This program is semantically identical to

1 + 2;

They both add 1 and 2 together.

If you want to see a slightly more advanced implementation, check out my JavaScript crackme's.

Just like executable programs, you can break the first two of those by monitoring the programs memory.

That's all I got for now!