Arguments.callee.toString() demystified

Published: 2007-08-06
Last Updated: 2007-08-06 07:35:24 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)

A couple of days ago I wrote a diary about dynamic JavaScript obfuscation (http://isc.sans.org/diary.html?storyid=3219). The deobfuscation function in that case used the well-known arguments.callee.toString() trick: the function derives its decryption key from its own source text, so any modification of the code changes the key and the payload no longer decrypts.

During the analysis I confirmed something I had seen before as well (http://isc.sans.org/diary.html?storyid=1519): Internet Explorer and Mozilla Firefox implement this method differently. Daniel, the reader who originally submitted the link to the exploit web page, did some initial investigation into how the method is implemented.

Yesterday another reader, Ant, sent us his analysis of how Internet Explorer and Mozilla handle this function. Ant did a great job and found out almost exactly what’s going on.

Basically, Internet Explorer always preserves the original text of the function, no matter what is inside it. Mozilla Firefox (the SpiderMonkey script engine), on the other hand, does not return the text as written: it regenerates the function text from the already-parsed form, so comments are gone and some simple optimizations made by the parser show up in what arguments.callee.toString() returns.

Here are Ant’s comments:

The following text is removed before calling the method:

// comment1
/* comment2 */

The following operators are applied before calling the method:

arithmetic (+, -, *, /, %)
bitwise NOT (~)
bitwise shift (<<, >>, >>>)

So, in other words, for a statement such as var test = 2+3; the check from the earlier diary (which keeps only the letters and digits of the function text and uppercases them) sees VARTEST23 in Internet Explorer but VARTEST5 in Firefox, because SpiderMonkey has already folded 2+3 to 5 before toString() is called.

This can obviously cause problems when analyzing such scripts, so analysts have to be careful about the environment they work in: the bad guys can use this difference to create JavaScript code that will work only in certain browsers (not that we didn't know that already...), and a self-checking decoder run in the wrong engine derives the wrong key and never yields the payload. Great job Ant!
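To make the difference concrete, here is an added example (not code from this diary, from Ant, or from the script analyzed in the earlier diary): a self-keyed decoder that derives its XOR key from its own text with the letters-and-digits check described above, next to a rough simulation of the 2007 SpiderMonkey rewriting that Ant describes. The simulation (comment stripping plus constant folding of flat numeric expressions) is an assumption modelled on Ant's list, not the engine's actual algorithm; the decoder refers to itself by name rather than through arguments.callee, because arguments.callee throws in strict-mode code; and the function names, payload and toy XOR cipher are constructed for the example. Current engines, Firefox included, return the stored source text from toString(), so the folded form has to be simulated.

```javascript
// Added example: an arguments.callee.toString()-style self-check, and how the
// key it derives differs between an engine that keeps the source text (IE) and
// the 2007 SpiderMonkey behaviour described in the diary. Inputs are constructed.

// The diary's check keeps only letters and digits and uppercases them:
// "var test = 2+3;" -> "VARTEST23" when the source text is preserved.
function normalizeText(src) {
  return src.replace(/[^A-Za-z0-9]/g, "").toUpperCase();
}

const BINARY_OPS = {
  "+": (a, b) => a + b, "-": (a, b) => a - b, "*": (a, b) => a * b,
  "/": (a, b) => a / b, "%": (a, b) => a % b,
  "<<": (a, b) => a << b, ">>": (a, b) => a >> b, ">>>": (a, b) => a >>> b,
};

// Rough model (an assumption for this example, not SpiderMonkey's algorithm) of
// what Ant observed: // and /* */ comments vanish, and numeric constant
// subexpressions using ~, then * / %, then + -, then << >> >>> are folded.
// String literals, parentheses and negative literals are not modelled.
const UNARY_NOT = /~\s*(\d+)(?![\w.])/;
const BINARY_BY_PRECEDENCE = [
  /(?<![\w.\-])(\d+)\s*([*\/%])\s*(\d+)(?![\w.])/,
  /(?<![\w.\-])(\d+)\s*([+\-])\s*(\d+)(?![\w.])/,
  /(?<![\w.\-])(\d+)\s*(<<|>>>|>>)\s*(\d+)(?![\w.])/,
];
function foldLikeSpiderMonkey2007(src) {
  let s = src.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/[^\n]*/g, "");
  for (;;) {
    let m = UNARY_NOT.exec(s);
    if (m) {
      s = s.slice(0, m.index) + String(~Number(m[1])) + s.slice(m.index + m[0].length);
      continue;
    }
    const re = BINARY_BY_PRECEDENCE.find((r) => r.test(s));
    if (!re) return s;
    m = re.exec(s);
    const folded = BINARY_OPS[m[2]](Number(m[1]), Number(m[3]));
    s = s.slice(0, m.index) + String(folded) + s.slice(m.index + m[0].length);
  }
}

// Toy XOR cipher over a hex string, standing in for whatever a real script uses.
function xorHexEncode(plain, key) {
  let hex = "";
  for (let i = 0; i < plain.length; i++) {
    const c = plain.charCodeAt(i) ^ key.charCodeAt(i % key.length);
    hex += c.toString(16).padStart(2, "0");
  }
  return hex;
}
function xorHexDecode(hex, key) {
  let out = "";
  for (let i = 0; i < hex.length / 2; i++) {
    const c = parseInt(hex.slice(i * 2, i * 2 + 2), 16) ^ key.charCodeAt(i % key.length);
    out += String.fromCharCode(c);
  }
  return out;
}

// Self-keyed decoder in the style the diary describes: the key comes from the
// function's own text, so editing it, or running it on an engine that rewrites
// the text, yields a different key and garbage output. arguments.callee (what
// the original used) throws in strict mode, so this refers to itself by name.
function d(p) {
  var t = 2+3; // folded to 5 by 2007 SpiderMonkey, kept verbatim by IE
  var own = d.toString(); // what arguments.callee.toString() would return here
  return xorHexDecode(p, normalizeText(own));
}

// Key derived by an engine that preserves source text (IE then, every current
// engine now) next to the key the simulated 2007 SpiderMonkey derives.
function compareKeys(fn) {
  const src = fn.toString();
  return {
    preserved: normalizeText(src),
    spidermonkey2007: normalizeText(foldLikeSpiderMonkey2007(src)),
  };
}

// The diary's own example, with Ant's comment1/comment2 added.
function sample() {
  // comment1
  var test = 2+3; /* comment2 */
  return test;
}

// Encode with the key this engine derives, then decode with both keys:
// only the matching key recovers the plaintext.
function demo() {
  const plain = "document.write('hello')"; // constructed sample payload
  const keys = compareKeys(d);
  const payload = xorHexEncode(plain, keys.preserved);
  return {
    keys,
    sampleKeys: compareKeys(sample),
    decodedOnPreservingEngine: d(payload),
    decodedWith2007Key: xorHexDecode(payload, keys.spidermonkey2007),
  };
}
```

Running demo() on a current engine decodes the payload correctly with the preserved-text key and produces garbage with the simulated 2007 key; that gap between the two keys is what an attacker relies on to make such a script run in one browser and fail in another, and it is why a deobfuscation attempt has to reproduce the toString() behaviour of the engine the script was written for.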

--

Bojan
