Jump to content
Tuts 4 You

Web RE vs binaries RE


Recommended Posts

learnReverse

So i recently got into reverse engineering world and found out all cool stuff and tools that people use in order to analyse software that is being ran on certain OS. On other hand, I barely see people reverse engineering web based applications, so i wanted to understand is this true and if there are some similar platforms such as crackme but for web based reverse engineering?
 

Thanks a bunch

Link to post
NOP

Web based is a pretty broad term. There are sites that crack flash games, unity games, javascript exploits and lots of others. Or are you talking about 'Hacking' into some sort of cloud? You would have to be more specific?

Link to post
learnReverse

Well i'm mostly reffering to antibots for example. An example is anti bots such as Cloudflare, Akamai, Perimeterx etc. that detect bots on sites. Their Javascripts are heavily obfuscated and virtualized sometimes even. Some sites even create their own custom anti bot scripts that are heavily obfuscated so i was wondering if there is any interest in this community towards this  angle or its more oriented towards binaries?

Link to post
Taitor
10 minutes ago, learnReverse said:

Well i'm mostly reffering to antibots for example. An example is anti bots such as Cloudflare, Akamai, Perimeterx etc. that detect bots on sites. Their Javascripts are heavily obfuscated and virtualized sometimes even. Some sites even create their own custom anti bot scripts that are heavily obfuscated so i was wondering if there is any interest in this community towards this  angle or its more oriented towards binaries?

Malware analysis is done here. But breaking legitimate bots and software is not allowed here, since it could be deemed illegal in some cases. Bypassing protection measures (legit) ones always raises eyebrows and can cause problems if clear tuts are made available with clear intention to bypass them.

Edited by Taitor (see edit history)
  • Like 1
Link to post
Progman

Im surprised machine learning is not enough to avoid getting into white box reversing of virtualized or obfuscated javascript.  I've still yet to see an convincing project though to simulate human like input e.g. mouse and keyboard or even touch screens and their timing subtleties.  And many detection systems bait with captchas while really analyzing input.  The mouse is a really amazing source of data in fact.  It is so good that it is used for entropy generation to seed random number generators.  Subtleties in acceleration or jaggedness in arc like movements are certainly there.  Not to mention differences between mouse brands and DPI and software settings.  My guess is the detection is extremely approximate due to the wide variety of environments.  But certainly most bots would do easily detectable perfect movements or perfect timing.

Without writing the bot input detection framework first though, it would be hard or basically impossible to measure how realistic an ML tool would be considering it has to work in real time.  It's certainly possible with the raw computing power and multiple core situation these days.  Would make an interesting scientific research paper even.

Link to post
learnReverse
Posted (edited)
3 hours ago, Progman said:

Im surprised machine learning is not enough to avoid getting into white box reversing of virtualized or obfuscated javascript.  I've still yet to see an convincing project though to simulate human like input e.g. mouse and keyboard or even touch screens and their timing subtleties.  And many detection systems bait with captchas while really analyzing input.  The mouse is a really amazing source of data in fact.  It is so good that it is used for entropy generation to seed random number generators.  Subtleties in acceleration or jaggedness in arc like movements are certainly there.  Not to mention differences between mouse brands and DPI and software settings.  My guess is the detection is extremely approximate due to the wide variety of environments.  But certainly most bots would do easily detectable perfect movements or perfect timing.

Without writing the bot input detection framework first though, it would be hard or basically impossible to measure how realistic an ML tool would be considering it has to work in real time.  It's certainly possible with the raw computing power and multiple core situation these days.  Would make an interesting scientific research paper even.

You should then take a look at Akamai's anti bot. They use machine learning principles and one of their biggest defense is mouse movement analysis. 

Edited by learnReverse (see edit history)
  • Like 1
Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...