Reflective Programming -- "vinnu"



prashant_uniyal
08-19-2010, 09:56 AM
Reflection or reflective programming is a fine feature of metaprogramming. In metaprogramming, the data and code lie in the same blocks or sections or memory sections. And in the reflection technique or reflective programming, the code can act on itself. I mean code can manipulate or alter itself..."vinnu"

-----------------------------------------------------------------------------------
Tools required :-

IDE : notepad / notepad++ or any IDE.
Language : JavaScript
Target : all web browsers.
Rootkit : Once again, your own brain

Well, why am I going to discuss reflective programming in JavaScript?

Because nowadays each and every web-based attack is based on script languages, and to escape and avoid antivirus signature detection or malware/forensic analysis, the attacker has to implement exhaustive reflective techniques to obfuscate even the simplest code, to make it hard to scrutinize.
-----------------------------------------------------------------------------------
The prerequisite for this tutorial is that:

You know at least the simplest form of a webpage, that is:

<html>
<head></head>

<body>

</body>
</html>

And the file extension must be either .htm or .html or so on, which will be rendered by the web browser to process the HTML tags.
-----------------------------------------------------------------------------------

The very basic skeleton or pseudo-program example of a reflective script will be like this:

var a="dsfsdf .. .. obfuscated code ...dfssd .ds.fv";var b=unobfuscate(a);eval(b);

and likewise any other code which will allocate itself, then manipulate or alter itself and transfer execution to the manipulated code using several other methods.

Now open up your favourite web browser and in its address bar type the following:
javascript:var a="axlexrxtx(x1x)x;";var b=a.replace(/x/g,'');eval(b);

The above code is a very basic example of reflection.

The second instruction is the one which must be understood here.

It is just replacing every 'x' in the variable 'a' with nothing; 'g' means global (global means in the whole string), otherwise, if 'g' is not specified, only the first occurrence of 'x' will be omitted.

First of all, it must be kept in mind that the code will stay as a string or an array of strings in the script.

Then, we need to code a kind of encryptor or scrambler for it.

And in the final released code block, the encryptor will not be needed in many cases; rather the encrypted code string and the decryptor routine will be attached.

The rotation kind of scrambling can be achieved by many methods, but here I am going to discuss only a few or just one, and the rest are your own creativity.

We have to stringify (convert code into a string) the code first.

How to know whether the code is converted to a string or how to convert it to a string?

Well, simple. Bring the whole of the code lines under one single line.
Then envelop this line inside double or single quotation marks as:

" code block under single line"


otherwise


var a = "code block part 1"
a += "code block part 2"
---------
---------
and so on

But wait.

What if the code already contains a "?

Then, replace them with \".

Or envelop the code inside single quotation marks.

And if it contains both of them, then escape the one which is being used as the envelope by prefixing it with \
-----------------------------------------------------------------------------------
---> Rotation scrambling:-

A rotator can be developed using several techniques.

In one technique, we will break the string at a character, then rotate the string and assemble it again by making a joint at the replacing character. And this process will be repeated several times for several replaced and replacing characters.

Let us consider the following code we want to obfuscate:


function say(){aler("jaijeya ji")};say();


Now the first process is to remove unnecessary spaces, tabs and newlines.

Then convert the code into a string as:

var a = 'function say(){aler("jaijeya ji")};say();';

Well, but the code contains some special characters, so it would be better if we escape or encode those characters as:

var b = escape(a);

This gives me, after processing:

var b = 'function%20say%28%29%7Baler%28%22jaijeya%20ji%22%29%7D%3Bsay%28%29%3B'


Now, we should make a list of all those characters which are present, and another list of absent characters for the present characters' replacement.

For example, the following is a list of some of the characters which are present and which I want to replace:

var c=["a","j","D","e","i","2","8","0"];

and the following is the list of absent characters which will take the place of the characters from the earlier list:

var d=["q","x","t","r","u","w","1","H"];


OK, now we'll code our rotator scrambler.

Note: In a practical environment, you have to prepare routines for refining the present and absent character lists or strings.

So I constructed one rotator which will take a char from the present characters array, split the code string at all occurrences of this character, then reverse the order of the strings and join the split strings with the replacement character from the second list of absent characters. Following is the code of the rotator:


function rotator(code, pres, abs) {
  // For each "present" character: split the code at every occurrence of it,
  // reverse the order of the pieces, then join them again using the
  // matching "absent" character from abs as the new joint.
  for (var iter = 0; iter < pres.length; iter++) {
    var splt = code.split(pres[iter]);   // a string separator splits at all occurrences
    splt = splt.reverse();
    code = splt.join(abs[iter]);         // use the abs parameter, not the global d
  }
  return code;
}

Note: The split function in IE has some bugs. It will not properly split at the edges, and more. So try to develop your own version of the split() function, which will work efficiently in most web browsers.

So this is a practical example:
javascript:var a='function say(){aler("jaijeya ji")};';var b=escape(a);var c=["a","j","D","e","i","2","8","0","t"];var d=["q","x","k","r","u","w","1","H","F"];function rotator(code,pres,abs){for(var iter=0;iter<pres.length;iter++){var splt=code.split(pres[iter]);splt=splt.reverse();code=splt.join(abs[iter]);}return code;}var e=rotator(b,c,d);alert(e);

The decryptor of this type of scrambling is very simple, just a little shifting of things and the original content will be retrieved back.

So, practice a little and retrieve the contents yourself.
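As an added example (not code from the original post), here is the rotator together with its inverse and the list-refining routine the note above asks for: a replacement character only works as a joint if it is absent from the string at the step that introduces it, and the d list of the practical example reuses "r" and "u", which already occur in the escaped code, so that scramble cannot be undone.

```javascript
// Added example, not from the original post. SAMPLE is the post's own
// escape()d code string; PRES and ABS are the lists from the practical
// example above.
var SAMPLE = 'function%20say%28%29%7Baler%28%22jaijeya%20ji%22%29%7D%3Bsay%28%29%3B';
var PRES = ["a", "j", "D", "e", "i", "2", "8", "0", "t"];
var ABS  = ["q", "x", "k", "r", "u", "w", "1", "H", "F"];

// Scramble: split at every occurrence of pres[i], reverse the pieces,
// and join them again with abs[i] as the joint.
function rotator(code, pres, abs) {
  for (var i = 0; i < pres.length; i++) {
    code = code.split(pres[i]).reverse().join(abs[i]);
  }
  return code;
}

// Unscramble: undo the steps in reverse order, splitting at the joint
// character and joining with the character it replaced.
function unrotator(code, pres, abs) {
  for (var i = pres.length - 1; i >= 0; i--) {
    code = code.split(abs[i]).reverse().join(pres[i]);
  }
  return code;
}

// The refining check the post's note asks for: a replacement character
// must be absent from the string at the step that introduces it, or
// unrotator() cannot tell the joints from real content. Returns offenders.
function findUnsafeReplacements(code, pres, abs) {
  var bad = [];
  for (var i = 0; i < pres.length; i++) {
    if (code.indexOf(abs[i]) !== -1) bad.push(abs[i]);
    code = code.split(pres[i]).reverse().join(abs[i]);
  }
  return bad;
}

// Build a usable replacement list: distinct characters from pool that do
// not occur in the code, so each stays absent until its own step introduces it.
function pickAbsent(code, count, pool) {
  var out = [];
  for (var i = 0; i < pool.length && out.length < count; i++) {
    var ch = pool.charAt(i);
    if (code.indexOf(ch) === -1 && out.indexOf(ch) === -1) out.push(ch);
  }
  return out;
}
```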

prashant_uniyal
08-19-2010, 09:57 AM
Now let us move on to something next.

like a base64 encoder and decoder.

The standard base64 encoder algorithm is:

function encode(input) {
  // Standard base64 alphabet; index 64 ('=') is the padding character
  var key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
  var buffer = "";
  var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
  var i = 0;
  while (i < input.length) {
    // Take three 8-bit values (charCodeAt, so only code points <= 255 encode correctly)
    chr1 = input.charCodeAt(i++);
    chr2 = input.charCodeAt(i++);
    chr3 = input.charCodeAt(i++);
    // Repack the 24 bits as four 6-bit indexes into the alphabet
    enc1 = chr1 >> 2;
    enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
    enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
    enc4 = chr3 & 63;
    // Past the end of the input charCodeAt returns NaN: emit padding there
    if (isNaN(chr2)) {
      enc3 = enc4 = 64;
    } else if (isNaN(chr3)) {
      enc4 = 64;
    }
    buffer = buffer +
      key.charAt(enc1) + key.charAt(enc2) +
      key.charAt(enc3) + key.charAt(enc4);
  }
  return buffer;
}


Let us use it:

javascript:function encode(input){var key="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var buffer="";var chr1,chr2,chr3,enc1,enc2,enc3,enc4;var i=0;while(i<input.length){chr1=input.charCodeAt(i++);chr2=input.charCodeAt(i++);chr3=input.charCodeAt(i++);enc1=chr1>>2;enc2=((chr1&3)<<4)|(chr2>>4);enc3=((chr2&15)<<2)|(chr3>>6);enc4=chr3&63;if(isNaN(chr2)){enc3=enc4=64}else if(isNaN(chr3)){enc4=64;}buffer=buffer+key.charAt(enc1)+key.charAt(enc2)+key.charAt(enc3)+key.charAt(enc4)}return buffer};var x=escape('function say(){aler("jaijeya ji")};say();');alert(encode(x));

I got the following output:

ZnVuY3Rpb24lMjBzYXklMjglMjklN0JhbGVyJTI4JTIyamFpamV5YSUyMGppJTIyJTI5JTdEJTNCc2F5JTI4JTI5JTNC

So the decoder for this base64 encoder is:


function decode(input) {
  // Same alphabet as the encoder; index 64 ('=') marks padding
  var key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
  var buffer = "";
  var chr1, chr2, chr3;
  var enc1, enc2, enc3, enc4;
  var i = 0;
  // Drop anything outside the standard alphabet (whitespace, line breaks)
  input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
  while (i < input.length) {
    // Four 6-bit indexes ...
    enc1 = key.indexOf(input.charAt(i++));
    enc2 = key.indexOf(input.charAt(i++));
    enc3 = key.indexOf(input.charAt(i++));
    enc4 = key.indexOf(input.charAt(i++));
    // ... repacked into three 8-bit values
    chr1 = (enc1 << 2) | (enc2 >> 4);
    chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
    chr3 = ((enc3 & 3) << 6) | enc4;
    buffer = buffer + String.fromCharCode(chr1);
    // Padding positions carry no data
    if (enc3 != 64) {
      buffer = buffer + String.fromCharCode(chr2);
    }
    if (enc4 != 64) {
      buffer = buffer + String.fromCharCode(chr3);
    }
  }
  return buffer;
}


And decrypt it in the following way:

javascript:var x='ZnVuY3Rpb24lMjBzYXklMjglMjklN0JhbGVyJTI4JTIyamFpamV5YSUyMGppJTIyJTI5JTdEJTNCc2F5JTI4JTI5JTNC';function decode(input){var key="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var buffer="";var chr1,chr2,chr3;var enc1,enc2,enc3,enc4;var i=0;input=input.replace(/[^A-Za-z0-9\+\/\=]/g,"");while(i<input.length){enc1=key.indexOf(input.charAt(i++));enc2=key.indexOf(input.charAt(i++));enc3=key.indexOf(input.charAt(i++));enc4=key.indexOf(input.charAt(i++));chr1=(enc1<<2)|(enc2>>4);chr2=((enc2&15)<<4)|(enc3>>2);chr3=((enc3&3)<<6)|enc4;buffer=buffer+String.fromCharCode(chr1);if(enc3!=64){buffer=buffer+String.fromCharCode(chr2)}if(enc4!=64){buffer=buffer+String.fromCharCode(chr3)}}return buffer};var y=unescape(decode(x));alert(y);

Well, I'll suggest you shuffle the key (but use the same key in both encoder and decoder) well before use, and if possible also shuffle the algorithm according to your own needs and for destandardisation of the algorithm..."vinnu"

Hence you can move further in this programming, as I have given you some basic idea :)
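As an added example (not code from the original post), here is the same base64 bit-packing with the alphabet passed in as a parameter, so the shuffled key the post suggests can be tried, plus a check that a key is actually usable; the shuffled key below is constructed for the demonstration.

```javascript
// Added example, not from the original post: the post's base64 bit-packing
// with the alphabet ("key") as a parameter, so a shuffled key can be used as
// the post suggests, plus a check that a key is valid before it is trusted.
var STD_KEY = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
// Constructed shuffled key: the 64 data symbols reversed, '=' kept as pad.
var SHUFFLED_KEY = STD_KEY.slice(0, 64).split("").reverse().join("") + "=";
// The post's escape()d sample string, for comparing standard-key output.
var SAMPLE = "function%20say%28%29%7Baler%28%22jaijeya%20ji%22%29%7D%3Bsay%28%29%3B";

// A key is usable only if it has exactly 65 distinct characters
// (64 data symbols plus the padding symbol at index 64).
function isValidKey(key) {
  if (key.length !== 65) return false;
  for (var i = 0; i < key.length; i++) {
    if (key.indexOf(key.charAt(i)) !== i) return false;
  }
  return true;
}

// Pack three 8-bit values into four 6-bit indexes into key. Input is read
// with charCodeAt, so only code points <= 255 survive (hence the post's
// escape() step); NaN from charCodeAt past the end selects the pad symbol.
function encodeWithKey(input, key) {
  var out = "", i = 0;
  while (i < input.length) {
    var c1 = input.charCodeAt(i++), c2 = input.charCodeAt(i++), c3 = input.charCodeAt(i++);
    var e1 = c1 >> 2, e2 = ((c1 & 3) << 4) | (c2 >> 4);
    var e3 = ((c2 & 15) << 2) | (c3 >> 6), e4 = c3 & 63;
    if (isNaN(c2)) e3 = e4 = 64; else if (isNaN(c3)) e4 = 64;
    out += key.charAt(e1) + key.charAt(e2) + key.charAt(e3) + key.charAt(e4);
  }
  return out;
}

// Inverse of encodeWithKey. The post's decode() first strips everything
// outside [A-Za-z0-9+/=]; with a key built from other symbols that filter
// would drop real data, so no such filtering is done here.
function decodeWithKey(input, key) {
  var out = "", i = 0;
  while (i < input.length) {
    var e1 = key.indexOf(input.charAt(i++)), e2 = key.indexOf(input.charAt(i++));
    var e3 = key.indexOf(input.charAt(i++)), e4 = key.indexOf(input.charAt(i++));
    out += String.fromCharCode((e1 << 2) | (e2 >> 4));
    if (e3 !== 64) out += String.fromCharCode(((e2 & 15) << 4) | (e3 >> 2));
    if (e4 !== 64) out += String.fromCharCode(((e3 & 3) << 6) | e4);
  }
  return out;
}
```

With the standard key the output equals the post's, and decoding with the wrong key yields garbage rather than the original string, which is the whole point of keeping the key private.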

[s]
11-26-2010, 11:09 AM
Vinnu bro, you always rock. Read your Access Denied; now I cracked software, like 2 or 3. I will post the information on how I cracked them by using the respected book Access Denied .. :D Now this information is also very useful for me, thanks for your valuable guidance :D Thanks Prashant bro for posting vinnu bhai's work

prashant_uniyal
11-26-2010, 12:51 PM
My pleasure bro :) There's always something new to learn from vinnu bro ;)