I've added instructions within "INSTALL.spidermonkey" showing how to build a js-1.8.0rc1 custom version of spidermonkey with hooked eval() statements. Upon doing so, your decodings will be more reliable and effective!
Attackers can use techniques that change the scope of variables; therefore, JavaScript hooks are not sufficient to handle them. When you modify the spidermonkey engine in this manner, you do not change the scope, and such cases will continue to decode successfully. I do not distribute spidermonkey with jsunpack-n so you still have some choices in this area, and therefore I did not disable the eval() hooks in pre.js, which this spidermonkey modification replaces.
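Why a script-level eval() hook changes scope while an engine-level one does not, shown as an added example that is not code from jsunpack-n or pre.js. The names `hookedEval`, `runSample` and `hookPreservesScope`, and the sample string, are constructed for illustration.

```javascript
// Added example; hookedEval, runSample and the sample string are constructed.
const captured = [];     // strings the hook has logged
const realEval = eval;   // reference to the engine's own eval

// Script-level hook: record the argument, then evaluate it. Calling eval
// through a reference is an *indirect* eval, which runs in global scope
// instead of the scope of the code that called the hook.
function hookedEval(src) {
  captured.push(String(src));
  return realEval(src);
}

// Constructed sample: the evaluated string reads `key`, a variable that is
// local to the function calling eval.
function runSample(useHook) {
  const key = 7;
  const src = 'key * 6';
  try {
    // eval(src) written literally is a direct eval and sees `key`.
    const value = useHook ? hookedEval(src) : eval(src);
    return { ok: true, value };
  } catch (e) {
    // Under the hook, `key` is not visible and the decode stops here.
    return { ok: false, error: e.name };
  }
}

// Self-test for an analysis harness: does the hooked run give the same
// result as the unhooked engine?
function hookPreservesScope() {
  const plain = runSample(false);
  const hooked = runSample(true);
  return plain.ok === hooked.ok && plain.value === hooked.value;
}

console.log(runSample(false), runSample(true), hookPreservesScope());
```

The hook still logs the first string, but any later decoding stage that depends on the failed evaluation is never reached, which is the gap the engine-level hook closes.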
I've been working much more on parsing SWF files and I have a development version of a Flash Decompiler (for ActionScript code) in the works, stay tuned for that!
From the CHANGELOG:
Updates 2009-10-08 version 0.3.1a
1) bug fixes release
1a) I now distribute an optional gzip.py file (on by default)
This file was built to fix gzip decompression errors (from python2.5); you may not want to use this if you use python2.6
2) rule detection updates
3) updates to pre.file
4) added instructions for compiling and using custom spidermonkey version INSTALL.spidermonkey
5) (not new) you can type "make clean" to destroy all temporary and log files
Thursday, October 8, 2009