WingNews logo WingNews
top | item 32133044

(no title)

melissalobos | 3 years ago

To answer your question, yes. Someone absolutely can decode that and figure out the odds. If they couldn't then there would be less obfuscation used. A browser ABSOLUTELY has to be able to run the javascript. Anyone dedicated enough can de-compile that javascript to a program. Is it easy? No, but people do it all the time.

I have had to deal with client that thought they could keep some bit of code secret on a browser before. I have had to explain many many times that anything the browser can do a human can do. So if a browser can run the code, at some point a human can too.

discuss

order

throwntoday|3 years ago

I think what the parent meant was, can someone looking at it decode what is going on. Not asking whether it is possible in general.

michaelsbradley|3 years ago

That's why they wrote "Anyone dedicated enough can de-compile that javascript..."

Meaning, effectively, it can be de-obfuscated into code with control flow that's readily understood by a human, even if it would take some patience and practice (and the right tools) to perform the de-obfuscation.

Re: the FreeSlots.com program, https://deobfuscate.io shows that most of the obfuscation is related to decoding characters per some algorithm of their devising and eventually eval'ing the string as a JS program. There are likely several tricky rounds of that technique (and others) used at layers within the obfuscated code.

If the FreeSlots devs are clever, then they likely have a scheme to randomly generate the code they want (producing their desired result in terms of odds), where the random part is w.r.t. how the obfuscation layers are composed. Done well, that could make it rather difficult to mechanically de-obfuscate their code changing over time, i.e. without a human intervening to help identify the distinct layers because... parsers are hard.

gernb|3 years ago

nothing special about code in a browser. there are regular reports from bug finders where they detail how they disassembled iOS or some native app etc and worked out how some exploit worked

lovingCranberry|3 years ago

The Hexrays decompilation plugin for ARM architecture works very fine and produces more readable code than this js :D