eric at rachner.us
Sun Jan 25 05:12:34 EST 2009
The short answer is that no obfuscator can be so powerful as to really
At the end of the day, a (de)obfuscator must present code to the browser au
natural, or it won't run. Personally, I won't spend time writing utilities
to attack individual obfuscators because I know that every obfuscator must
eventually stop pretending to be clever and pass a blob of plaintext
going on, I can just hook/inspect whatever is given the browser.
In my opinion, the only real reason to care about the behavior of a given
obfuscator is academic: sometime's it's interesting to guess at whatever the
malware author might be thinking.
From: Sophia Sun [mailto:sophiasfq at gmail.com]
Sent: Saturday, January 24, 2009 8:09 PM
To: James Landis
Cc: websecurity at webappsec.org
Thanks for pointing out the ambiguity, James.
kinds of obfuscation techniques are being used in an obfuscator, such as the
randomization of variable names and function names and code shuffling.
I agree with you that client-side code manipulation provides no real
security value. But think about obfuscation from a web administer's
delay the detection of a payload. Take XSS worms for example, it seems to me
that most of them are obfuscated. It would be nice to know what obfuscation
techniques are commonly used in obfuscators and how powerful an obfuscator
On Sat, Jan 24, 2009 at 6:10 PM, James Landis <elspood at gmail.com> wrote:
More parameters please. Commercial or open-source? Do you want the
As I'm sure you know this, given the fact that you explicitly use the
word "obfuscator", but manipulation of client-side code provides no
real security value beyond prevention of casual theft and reuse of
On Sat, Jan 24, 2009 at 4:53 PM, Sophia Sun <sophiasfq at gmail.com> wrote:
> name a few widely used ones? So far, I've tried Jsob and some free
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the websecurity