NorthSec 2019 "Reversing WebAssembly Module 101" Workshop

WebAssembly (WASM) is a new binary format currently supported by all major browsers (Firefox, Chrome, WebKit /Safari and Microsoft Edge) and executed inside JS scripts. It is already used for malicious purposes like Cryptojacking and can be found inside some web-browsers addons.

In this workshop, I will first introduce WebAssembly concepts and why it’s consider as a “game changer for the web”. Secondly, I will expose different techniques (Static/Dynamic analysis) and tools (Octopus, Wasabi, ...) to perform a WebAssembly module analysis. Finally, we will hands-on with basic examples (crackmes) and go throws some real-life cryptominer and web-browsers plugins using WebAssembly module. Along the talk, I will only used open source tools.

• Firefox
• Google Chrome

# Security Analysis tool for WebAssembly module and Blockchain Smart Contracts
git clone https://github.com/quoscient/octopus

Follow the installation guide here

# Universal WebAssembly runtime
# https://github.com/wasmerio/wasmer
curl https://get.wasmer.io -sSfL | sh

sudo apt install python3 python3-pip

# WebAssembly interpreter written in pure Python
# https://github.com/mohanson/pywasm
pip3 install pywasm

# Python library to run WebAssembly binaries.
# https://github.com/wasmerio/python-ext-wasm
pip3 install wasmer

# A dynamic analysis framework for WebAssembly programs.
# install over docker: https://github.com/danleh/wasabi#alternative-setup-via-docker
git clone https://github.com/danleh/wasabi

# WABT: The WebAssembly Binary Toolkit
git clone --recursive https://github.com/WebAssembly/wabt
cd wabt

Follow the installation guide here

OR you can used the wasm2wat online demo

ctf/wall1

cd ctf/FlareOn5

cd cryptonight

cd firefox_addons/ublock