This is not really my area of interest specifically, although I follow various computer related content. What actually shocked me, after watching several videos, is how orderly a mind this lady has. Absolutely smooth speaking about complicated topics. I envy that talent so much.
@vazoth64232 months ago
it takes a lot of years of practice in problem solving and critical thinking, like a lot
@bartekklusek99892 months ago
I know this from my own experience, and it is quite obvious, but the ability to speak so flawlessly is not something most people can achieve. At least it requires a proper growing-up process, as in mature age you cannot sufficiently reverse the way your brain was formed.
@christopher86415 months ago
I'm a backend dev and have never dug into malware analysis, but this video made the process look pretty fun and rewarding. I guess it is just a big dangerous puzzle
@nismos14270r21 days ago
very lucky
@cusematt235 months ago
holy effing sht. I literally just came across some heavily obfuscated js code that i am dying to reverse engineer and this vid came up. there is a god.
@adityadas58355 months ago
Or maybe Big Brother is tracking you. Who knows? 😕
@corp-por5 months ago
wtf, almost the same here. A client just called me because a js file was triggering a virus alert in windows defender. And here I am 🥸
@Katchi_5 months ago
Liar.
@cusematt235 months ago
@@Katchi_ Not even kidding. I am using a complex optimization app and instead of it doing work on the server it just sends a giant minified obfuscated js bundle. And I am curious although not as smart as Laurie and will prob never fully reverse engineer it. So far the only thing I am getting is that the code is using the glpk javascript library. I didn't even know this existed so that's a bonus at least. I am guessing there will soon be a day where most of the python AI/ML library functionalities are in javascript and running in your browser without (most people) you being aware. I am unsure if I should be excited or petrified.
@cusematt235 months ago
@@adityadas5835 certainly possible.
@digitalradiohacker5 months ago
I'm a complete code mong, so I'm trying to "hang around" with smart people to soak up as much as I can - hence, why I'm here. Just to prove I was paying attention: 28:30 It looks like the integer returned was "1". You went back to the code and typed "0". Thanks for the walkthrough of what you're doing - Picked up a couple of tricks here.
@angelortiz-vk8ez3 months ago
yep, saw that as well
@sambeard44283 months ago
It's a bait
@oliverdowning15433 months ago
I literally winced when I saw that.
@Urgleflogue3 months ago
Gawd, paused the video and angrily looked for this comment :)
@oliverdowning15433 months ago
@@Urgleflogue same
@solifugus5 months ago
I love JavaScript. I often wonder if we could create a compiled language with dynamic reflective data objects, similar to JavaScript (I know few people will agree with me on this). In any case, how do you not wonder if we could get results by breaking those steps up and feeding each to an LLM model? My first language was TRS-80 Color Basic, then M6809 Assembly (beautiful), then C, then C++, then Perl, then PHP, and then JavaScript (my favorite). I actually first started using JavaScript to write my neural simulator which was previously written in C++. I found that it performed similarly to execute and yet took a fraction of the time to code and debug. I also learned other languages and work in them today like JCL, SAS, Python, flavors of SQL, etc. Most recently, I am in love with RISC-V Assembly.
@iss92805 months ago
One of my new favorite channels! I love the old school Tech Tv/G4 vibe of your set.
@shady4tv5 months ago
The theme is from Serial Experiments Lain. great anime - only like 13 episodes. Would recommend watching if you have the time. I will warn you tho - it's a trip.
@Desmaad5 months ago
Not to mention the Classic Mac (Copland/OS 8-9.2) theming.
@Jimbooos5 months ago
I didn't need this but the explanation was so clear I kept watching
@btd6vids3 months ago
These videos are really well made. I've tried to make educational content a few times before but never really landed on a good style or way to do things. You've inspired me to give it another shot
@shockinho5 months ago
This is so good I can't believe it exists, let alone such good content being free on KZbin. Amazing work
@viihnaNeverShutsUp5 months ago
I absolutely love the way you break this down. Thank you!
@dblanque4 months ago
Super neat video, really high level of production (also, 28:37, oopsie daisies the 1!) :P Really awesome content, learnt a lot Laurie! Subbed :)
@ArjanvanVught5 months ago
@28:29 a little error here ;-) pasting 0 instead of the 1
@swenic5 months ago
^ 28:41
@sonyarianto4 months ago
yeah this is a bug in this video
@ThanatosUA a month ago
Comment bait 🎉
@VincentGroenewold5 months ago
The quality of these videos is just great, I'm not into JS at all, but it's well explained to follow along, nice! It all feels very much like security through obscurity, I predict this can be automated in the near future.
@NatteeSetobol5 months ago
Nice, I was looking for a nice detailed video that goes through such an annoying obfuscation in JavaScript. Thanks!
@menegatmarcelo5 months ago
Laurie, your voice and way to explain is gorgeous!! New favorite channel! I'm a simple FE developer who loves non FE content :) Thank you for existing!
@TheChugnut5 months ago
Wow, just found your channel and I love it. Your presentation style is amazing!
@enthusi5 months ago
Obfuscated code is fun.. JavaScript not so much my cup of tea 😊 Thanks for presenting these topics!
@dodgecoates87605 months ago
How can you like obfuscated code but not love javascript?
@thefrub5 months ago
Your production value is through the roof, you've got the whole room setup, the multiple cameras, the old Mac aesthetic. And you're great at this! This is amazing
@nathaniellovely3 months ago
This channel is really phenomenal. Everything from the technical aspect and way you break everything down in a clear and precise manner, the way you articulate yourself clearly, the synthwave color schemes and background setup is epic… I love all the things! Favorite channel lately :-) You are very knowledgeable and talented and it shows. Thank you for sharing your knowledge!
@plato4ek5 months ago
20:39 and other places: you don't need to write the "console.log", just expression itself is okay.
@drwhitewash5 months ago
Exactly, the console will output the result of that expression, instead of those "undefined"s.
@kxmode5 months ago
I think she's being extra careful to isolate the output to the console
@plato4ek5 months ago
@@kxmode this won't help isolate anything. Everything inside the "console.log()" is being evaluated anyway.
@DavidLindes5 months ago
@@kxmode the thing is, she's _in_ the "console" (in other languages, it might get called the REPL -- Read, Evaluate, Print (in a Loop)), so, as plato4ek says, it's not really isolating anything in this context. What she's doing isn't harming anything, of course, it's just also not buying much when done interactively. (But it would be very useful if recording it to a file and running it with node, say, so, perhaps it's a habit born from such intentions in prior work.)
@kxmode5 months ago
@@DavidLindes hmm... good to know. always thought console.log was a way to sandbox the code. A good note to self.
@robertivaneinarsson58685 months ago
Fantastic! I would love a video from you breaking down the XZ backdoor thing.
@Ron55O5 months ago
That's what I thought at first too😅
@sshiiden5 months ago
You did a really good job with the style of your videos
@BlackHermit5 months ago
A true gem for anyone passionate about unraveling the mysteries! This step-by-step approach to deobfuscating and reverse engineering an obfuscated JavaScript file is not just informative, but downright thrilling. I love how Laurie invites viewers to follow along with the truth provided. Simply invaluable! 💻🔍✨
@timolff92395 months ago
what's the point of using chatgpt to comment on a youtube video?
@BlackHermit5 months ago
@@timolff9239 ChatGPT's English is better than mine. I couldn't have possibly articulated my feelings towards this video better than it did!
@AEONIC_MUSIC5 months ago
But everyone can tell it's AI so we think it's fake. Also I think claude opus has more natural speaking
@BlackHermit5 months ago
@@AEONIC_MUSIC Well, it is fake in the sense that I was not the one who worded everything, but I did tell ChatGPT what I felt!
@fabriziolopez663 months ago
@@timolff9239 😂
@thediskostarz5 months ago
Awesome video Laurie, I learned a lot by watching your well explained videos. Thank you.
@synnveolsdatter-bh9qc a month ago
Love the video! It kind of inspired me to want to do something like this myself. One thing to note, you don't really need console.log() if it's a function because the return value will be automatically logged. Keep up the work!
@zzord4 months ago
Well done! Quick tip: You don't need to use console.log to evaluate expressions. You can just paste the expression and evaluate it directly. Also, at 22:56, you could evaluate the whole object in one step, instead of doing one function call at a time.
@nicogetz3 months ago
You've done a great job of presenting this in a clear way that makes an otherwise daunting endeavor make a lot more sense. Of course, your intuition about what the code is doing is a major factor, and that can only be developed with experience and persistence...
@DotDager5 months ago
A lot of interesting insights, great job as usual!
@fabriziolopez663 months ago
👍
@stonebubbleprivat2 months ago
The set in the background is awesome!
@ronen1245 months ago
28:37 here you wrote '0' instead of '1' by mistake. This was an interesting and fascinating reverse engineering of this malware, thank you very much for sharing your analysis.
@UliTroyo5 months ago
This was a lot of fun! What a cool breakdown.
@MreMeatify2 months ago
Thank you Laurie for another really nice video. It was really interesting watching the source unwind into something readable. Too bad these malware writers don't use their talents for something more positive.
@markhodgson724114 days ago
ActiveX! Blast from the past! Run random COM objects from the browser! What could _possibly_ go wrong? Loved watching you pick this apart :-)
@rafaelskt4ever5 months ago
Love your Serial Experiments: Lain theme
@armaniimus3 months ago
I found this very interesting, I noticed a small err on 28:39. I deobfuscated a piece of js a few years ago. I find it very interesting to see someone else do it in their way.
@nceban21364 months ago
Not a big fan of Lain, but still can appreciate the commitment to the intros
@davidburns81135 months ago
I'm ecstatic I just found this channel! TYSM for sharing skills and methods like this on the Internet for free! Also the little corgi made my day!!
@RyanEglitis3 months ago
Pretty cool to see the malware "come to life" with deobfuscation. I probably would have just run the object as a single line that was getting all the commands, since it ended up putting them into a simple object structure that would be easy to copy out from, but that's just a speed-up of the process. I'd be interested to see a _more_ obfuscated piece of code. Some of the fun stuff I've seen is single letter function/variable names, an extensive use of hex codes, as well as the oft broken eval().
@mr.bulldops76925 months ago
Clear, concise, and cool as hell. You picked a great code example!
@svampius24484 months ago
I love the content and aesthetics of your videos, definitely my favourite channel at the moment! Also, for some reason you make me think of squirrels, which is fantastic - a vaporwave squirrel.
@theelliotwoods3 months ago
Great video. I was hoping at the end you’d also say “and if you wanted to skip all that process you could just replace the ActiveX line with console.log to see exactly what it’s trying to execute without going through the whole process of untangling it.”
@xinaesthetic2 months ago
Very nice presentation and clear patient explanation etc as others have said. A few little comments: you don't really need to type `console.log` the whole time; just execute the expression in devtools and the value will be printed. Some of the more manual bits could be done in fewer steps, like building the map of commands - I'd probably just execute that block of code and grab the output rather than manually substituting each part. Lastly, it's vaguely hypothetically possible that using a find/replace to rename things could end up with the wrong result if the same set of characters happened to be used elsewhere (which in larger files is really not so unlikely as bundlers aiming for small output are pretty likely to reuse similar short variable names in different scopes). If you were to use an editor with a js language server you can use a more dedicated 'rename variable' function (F2 in vscode) to do that a bit more safely.
@shpleemcgert5 months ago
At 23:06... If your ultimate goal was to get the _0x502708 map object, couldn't you have executed that block in your dev tools and just printed it out? Especially since you know the method was just outputting string characters and was not inherently malicious. Please correct me if there is something I'm overlooking here. Just a gut reaction at a potential time save Also this video was beautiful and I love your editing style. This is incredibly educational and I have subscribed. Looking forward to seeing more of your thought process.
@thmo_5 months ago
yeah, would have been a time save to let it write the commands up to the last two map entries actually using the activexobject.
@epiphaner5 months ago
I'm guessing she did it this way to keep it safe and accessible for the viewers. A viewer might not be savvy enough to distinguish which parts of the code are safe to execute and which are not. That would also explain why she would go through de-obfuscating the first two methods before using them even though they, to me, obviously had no code that could do harm. A viewer following the workflow in this video will not get their system infected.
@thmo_5 months ago
True, also in general the way she did it was very verbose to follow along and replicate with other code, so this will be more helpful to viewers.
@Slycooper24565 months ago
Such great videos! (Love the Burnout clips at the end of each videos such a fun game!)
@serpent773 months ago
I haven't done this type of stuff in forever. Great video and a fun romp through reverse engineering malware. Great Job, you've earned a new subscriber!
@OfficialiGamer4 months ago
I don't deal with programming much (or js) as I'm a hardware guy, but I found this super interesting to watch, and I understood most of it! Keep up the good work pretty lady!
@MrDarthsirius3 months ago
Learned some obscure (to me) JS syntax today. Cool.
@JosephSaintClair4 months ago
Thank you for covering IOCCC. Something I always encourage aspiring programmers to try for themselves first the personal challenge and discipline. 🙏
@jcKobeh5 months ago
The horizontally flipped front face camera has had me wondering exactly what you were doing for a couple of videos. Did you decide to do it to have your face "looking into" the direction of the code? Now that I'm commenting, I'll just say: I love the graphic overlays and design you use. And the way you present these videos, just clear voice, no music, well prepared, and sitting still and straight throughout the whole thing, My respects. I know how all of these kind of things are invisible to most when done correctly, but cheers, it doesn't go un-appreciated.
@Hwyadylaw4 months ago
Webcams and front-facing phone cameras tend to mirror the image to emulate.. well, a mirror, since that's how most people are used to seeing themselves.
@jcKobeh4 months ago
@@Hwyadylaw but that footage looks like a real camera, not a webcam, which is why it seems to me like it must be an active decision and not just the default thing the camera does.
@digitalsparky3 months ago
Something to save a little time for you: console.log is not required in the console tools. just press enter on an expression, you'll see the result right after. this is why you see undefined print after your result on its own line, it prints the return value automatically. :)
@damien__j5 months ago
I see LaurieWired and I click
@No0Vad5 months ago
Sometimes you get lucky with Auto-play enabled, that's how I found this video which I enjoyed. Love the retro feeling!
@hanfo420 a month ago
9:06 that’s a mistake. if the app is writing to the array's content, you basically made it readonly. enhanced obfuscation also messes with data storage location and could use morphing source code
@zhanezar5 months ago
this was so good to watch, the quality of production is amazing
@RyanEglitis3 months ago
One interesting piece you skipped over was the use of the split function on the string. It was accessed as a property on the string, which let them store the name of the function "split" outside of code as a string. It didn't really do much obfuscating here, but it could do a lot with a more complex object. Oh, and !![] and ![] could further deobfuscate to true and false 😅
@vapaspen5 months ago
My team has been fighting this thing for months now. When we got our first Sig it we thought it was a FP cause of how many hits we got but no it's just hitting that many people. It's a nasty little bugger. Thanks for the really cool breakdown on this! :)
@Skatche5 months ago
23:30 Quicker way to do this: just copy and paste the definition of the variable _0x502708 into your console and then console.log the result.
@user-jx7cv2td4y5 months ago
Also, instead of concatenating strings in a loop, we can just replace activeX calls to console.log, run it and see what commands are executed
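The suggestion in this thread, swapping the ActiveX call for logging, can be made reusable with a recording stand-in. This is an added example, not code from the video: `makeRecorder`, `traceActiveX`, `formatTrace` and the sample script are constructed for illustration, and the sample only builds a harmless `echo` command line.

```javascript
// Constructed stand-in for the analysed script: it concatenates a command
// string in a loop and hands it to an ActiveX object.
const SAMPLE = `
  var parts = ['cmd.exe /c ', 'echo ', 'constructed-demo'];
  var cmd = '';
  for (var i = 0; i < parts.length; i++) { cmd += parts[i]; }
  var shell = new ActiveXObject('WScript.Shell');
  shell.Run(cmd, 0, false);
`;

// Builds a fake ActiveXObject constructor. Every construction and every
// method call is appended to `calls`; nothing is launched.
function makeRecorder() {
  const calls = [];
  function FakeActiveXObject(progId) {
    calls.push({ op: 'new', progId });
    // Returning an object from a constructor makes `new` yield that object.
    return new Proxy({}, {
      get(_target, prop) {
        if (typeof prop === 'symbol') return undefined;
        return (...args) => {
          calls.push({ op: 'call', progId, method: prop, args });
          return 0; // neutral return value for callers that read a result
        };
      },
    });
  }
  return { FakeActiveXObject, calls };
}

// Runs `source` with its ActiveXObject identifier bound to the recorder.
// The rest of the script still executes as ordinary JavaScript, so this
// belongs in the same isolated analysis environment as the sample itself.
function traceActiveX(source) {
  const { FakeActiveXObject, calls } = makeRecorder();
  new Function('ActiveXObject', source)(FakeActiveXObject);
  return calls;
}

// Renders the recorded calls as readable lines for the analyst's notes.
function formatTrace(calls) {
  return calls.map((c) => (c.op === 'new'
    ? `new ActiveXObject(${JSON.stringify(c.progId)})`
    : `${c.progId}.${c.method}(${c.args.map((a) => JSON.stringify(a)).join(', ')})`));
}

console.log(formatTrace(traceActiveX(SAMPLE)).join('\n'));
```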
@martin1b5 months ago
I love this. It's amazing how obfuscation can make it look so much more complex than it really is.
@mendodsoregonbackroads66325 months ago
Yea the way it all boiled down at the end to just a few lines of code was pretty cool.
@Plagueheart5 months ago
I like the channel, it has a 90's style vibe from PBS after school tv educational shows which gives me that nostalgic vibe
@Emerson15 months ago
Great video, and great production value
@BernhardWeber-l5b4 months ago
LOVE the effect of a tape fast-forward 😂
@pdelong425 months ago
It's been a few decades since I've done anything serious on Windows, so I was frankly surprised to learn that ActiveX is still a thing. We all thought it was a gaping security hole from day one, and I thought Microsoft was at least disabling it by default now. Glad to see that it's deprecated (according to Wikipedia).
@hitmongg4 months ago
I've never looked at malware before; it's super interesting. Thanks for sharing!
@Saru-Dono4 months ago
Notepad ++ and MS Edge is such a based combo for development
@jefflucas_life5 months ago
I like the way how this was video instructed , thumbs up!!
@kxmode5 months ago
I've seen obfuscated JS code that includes bit shifting, which is insanely difficult to reverse engineer. For example: // Original Code let result = 160; // Obfuscated Code let result = (5
@kurdm14824 months ago
Insanely easy to reverse, look into AST.
@kxmode4 months ago
@@kurdm1482 well, yeah, you can look at the abstract syntax tree, but it still requires reverse engineering it.
@Kakerate24 months ago
i love seeing this done in n++!
@gamedesign-yl2fx4 months ago
You can invoke the expressions directly in devtools, instead of surrounding it with console.log, if you do not surround it you will get the real string in dev friendly format, string parameters to console log are displayed as html in console losing whitespace information
@gamedesign-yl2fx4 months ago
You can also use VSCode with typescript language server, this will allow you to rename while respecting scope in cases which obfuscator might use the same var name for different values
@syth-15 months ago
Great video - these are all tricks I've used to deobfuscate API's I probs shouldn't be using .-. If you know the code is safe to run, and have a bit more complex code that jumps thru many different libraries, executing and walking thru the code line by line helps a ton, What you may be reverse engineering may be just one file, but seeing the external lib calls and filling in the values returned just like in the video rlly helps put the puzzle together, (of course gotta give props to browser Dev tools - when walking thru code can just hover over any variable to see the current value inside)
@ceruleanserpent3873 months ago
I love the Copland OS interface
@ITWorx3 months ago
What is the obfuscator app name of the given JS file ?
@Anthony-vb7sj3 months ago
impressive work !!! This channel is very Under-rated 😯👍🏻
@zetronman5 months ago
I'm stupid but why are you able to find + replace-all? Doesn't that risk renaming variables that are locally scoped that use the same name as other locally scoped variables in another function? edit: like obviously it'd still work, I just feel like it'd mess with me a lot and it seems like it'd be better if the find-replace was scoped but idk, I don't RE malware.
@vlk.charles5 months ago
Yeah, I too thought that was a little "reckless". Turned out this code didn't use the same name in different scopes but it could have, just to mess with reverse engineers.
@NelemNaru9 days ago
Yes! I was wondering the same thing. I've messed up my own code so many times changing variable names with replaceAll. VSCode lets you rename variables automatically without messing up scope (and without affecting non-variable strings, which replaceAll can also mess up). The video creator is very smart, but not working the smartest way in this video
@MaxProgramming-uv6br3 months ago
I wrote this in one hour lol. It's fact that Arabs really love poetry. I love these kind of videos but IDK why. Deciphering seems fun to me, it multiply(: Many thoughts are driving me to be a spy. Don't even try stopping me, I'm just a guy. *I tried to be creative as much as I could xd (:
@一本のうんち5 months ago
brill! I feel like deobfuscating js code is a great exercise for a beginner as all source code is right there, just looking a tiny bit messier than a regular js code
@lauriewired5 months ago
Absolutely! It's also very encouraging to see the code quickly becoming more readable
@hensou3 months ago
Thank you! That was fun! Sounds like a thing I would like to do, I definitely want to learn more about this :)
@ShannonWare5 months ago
JS tools tip for NPP won you a subscriber! Thanks a million, my favourite app just got better XD
@stacksmasherninja72665 months ago
not even sure whether that's an actual linux distro but it looks 10/10
@onlymyrailgununknown29604 months ago
Your kind is rare. I am working on a C decompiler, and will soon deal with optimized binaries and later with static obfuscation methods and I am thinking on how to automate deobfuscation. For JS it looks quite possible. You are basically doing some kind of constant propagation (with the help of runtime logs) and give sensible names. If someone would write a high-level JS optimizer, you could also get rid of unnecessary/pointless dead code, control flow, ... then it's done. Basically adapting the GCC/CLANG optimization tricks to JS would make no JS secure.
@tysonbenson5 months ago
Thanks, Laurie! Awesome video!
@pavloburyanov58425 months ago
For "repetitive" part: you can grep needed invocations and process them in the loop. PS: I believe notepad++ supports macros to make life easier.
@skrewed3 months ago
The double spaces on the command line and the 0 instead of 1 almost threw me off, lucky it was at the end
@jhonm63475 months ago
Damn, this is very informative. I can't quite keep up with everything yet because I'm new to coding but it is very interesting, great video.
@justinmiller33495 months ago
Incredibly educational, and great production value. You're killing it. Keep it up!
@firiasu5 months ago
Notepad++ and ActiveX... You're definitely from the past!🔮✨
@tommyovesen5 months ago
Notepad++ is not the past. ActiveX is, but it is not she using it. Come on! Be polite
@levonschaftin36765 months ago
@@tommyovesen ?
@Montegasppa4 months ago
This is the first (maybe second) of your videos I watch, and I got the reference. シリアルエクスペリメンツレイン
@kelliaa5 months ago
really sick video, gonna try to learn more about this, and your set is so sick
@ZioYuri785 months ago
This is so fascinating, thanks for sharing your competence!
@adjd925 months ago
Interesting video. Whenever I hear about Javascript malware, I'm glad and fortified in my use, of Noscript. Sure, Noscript isn't 100% secure, but it's far better than executing everything that may come with some random website.
@OneAndOnlyMe5 months ago
This was a great tutorial, Laurie!
@thechosenoneforyou4 months ago
Love your videos! It would be super cool if you made a discord server with a mobile security focus!
@mistersunday_5 months ago
Laurie, your channel is genius
@rayhere79254 months ago
I simp. ....Okay, back to the video 🙏
@ancestrall7944 months ago
Really interesting. I wonder if the ActiveXObject function can be used for XSS in pentesting / CTFs
@walksinrain4 months ago
This is some seriously cool stuff. Subscribed :) I loved seeing when the camera angle changed, it seems you really do have a bunch of old monitors buzzing away back there haha!
@Sasha-Good5 months ago
Amazing ReveЯsive design on channel 💯
@world-96445 months ago
Never thought I’d see a serial experiments lain reference in a coding video.
@Awesomo40005 months ago
9:19 The function is kind of doing what you're saying but not exactly. In the obfuscated version it's always returning the same instance of the string array. In the obfuscated version you're recreating the string array every time. So if you mutate the result of the obfuscated function, you'll get the mutated version on the next call. This is not the case in the obfuscated one. A way to reproduce what it actually does is move the declaration of the var_commandStringArray to the top of the file and just return the reference in the function. This would allow you to replace all calls to _0x1ecc() by var_commandStringArray and get rid of the function.
@vlk.charles5 months ago
I noticed that too and made a similar comment. Although I think you mixed up "obfuscated" and "deobfuscated".
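The difference this thread is about, as an added JavaScript example that is not the code from the video: a self-replacing accessor (an assumed shape for `_0x1ecc()`), a rewrite that builds a new array per call, and the hoisted-array rewrite suggested above, compared under a caller that mutates the returned array. The string values, the rotation step and all function names are constructed for illustration.

```javascript
// Constructed sample: the strings, the rotation step and the function names
// are illustrative assumptions, not taken from the analysed file.
const STRINGS = ['log', 'split', 'hello', 'world'];

// Assumed shape of the original accessor: the first call builds the table,
// then the function replaces itself with a closure returning that same table.
function makeOriginalAccessor() {
  let getStrings = function () {
    const table = STRINGS.slice();
    getStrings = function () { return table; };
    return getStrings();
  };
  return () => getStrings();
}

// Rewrite that builds the array inside the function body: new array per call.
function makeFreshCopyAccessor() {
  return () => STRINGS.slice();
}

// Rewrite suggested in the thread: declare the array once, return the reference.
function makeHoistedAccessor() {
  const var_commandStringArray = STRINGS.slice();
  return () => var_commandStringArray;
}

// A caller that mutates whatever the accessor returns (rotate left in place).
function rotate(accessor, times) {
  const table = accessor();
  for (let i = 0; i < times; i++) table.push(table.shift());
}

// Rotate, then look an index up through the accessor again.
function lookupAfterRotation(makeAccessor, times, index) {
  const accessor = makeAccessor();
  rotate(accessor, times);
  return accessor()[index];
}

// Same rotation and same index for all three accessors.
function compareAccessors() {
  return {
    original: lookupAfterRotation(makeOriginalAccessor, 1, 0),
    freshCopy: lookupAfterRotation(makeFreshCopyAccessor, 1, 0),
    hoisted: lookupAfterRotation(makeHoistedAccessor, 1, 0),
  };
}

console.log(compareAccessors());
```

Only the per-call copy loses the mutation, so every index resolved through it after that point would decode to a different string than the original script sees.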
@GerbenWijnja5 months ago
Nice work, Laurie. Of course there are many shortcuts possible all over the place, but that also increases the risk of errors. Refactoring piece by piece provides more confidence that you're on the right track. Is the original code available somewhere? I couldn't find it with just the hash.
@rne12235 months ago
Editing is amazing, but the content is off the charts. Amazing work 👏👏👏