“This is the first day of my participation in the Gwen Challenge in November. Check out the details: The last Gwen Challenge in 2021”
preface
Wasm is an underlying assembly language with text format support that is intended to be portable, secure and efficient.
Wasm modules can be imported into a network app (or Node.js) and expose Wasm functions for JavaScript use.
The main difference between Wasm and other virtual machines is that it is not optimized for any particular programming language, but rather abstracts the underlying hardware, with bytecode directly corresponding to the instruction and memory models of modern cpus.
To put it simply, it is relatively low-level assembly language, it is difficult to understand, it is relatively safe
The concepts section above is just a look at the basic concepts of WASM
Today’s web site
aHR0cHM6Ly9tYXRjaC55dWFucmVueHVlLmNvbS9tYXRjaC8xNQ==
Packet capture analysis and encryption positioning
Visit the site to see the total number of pages we are asked to get to the current page
So the first open capture package to see the page information access
A brief analysis shows that there is no encryption parameter for accessing the home page, but an encryption parameter M is required when turning pages
So the parameter to analyze is this m
We find the JS stack
The js encryption location can be found in the third location
You can see that the argument list is submitted, where m is the result of the window.m call
Use arrow 2 to find the logic for window.m
This leads us to the window.q function
To break window.q, click on a breakpoint and then click to flip the page
Let’s follow the logic of window.q here
From the js logic of the previous one, we can probably guess that the above section should come from WASM
Documents should be from/static/match/match15 / main wasm load
We found this WASM file
repetition
We have the WASM file here but how are we going to analyze it?
There are two ways to convert WASM into C, C ++, and so on
Methods a
The first is to use WASM2JS
# project address
https://github.com/thlorenz/wasm2js
Copy the codeThe installation
npm install wasm2js
Copy the codeYou can then use this package to read the WASM file back to JS, and then use the logic
Method 2
The second option is to use the existing Python third-party package PyWASM
The installation
pip install pywasm
Copy the codeUse the demo
import pywasm
# pywasm.on_debug()
runtime = pywasm.load('./examples/fib.wasm')
r = runtime.exec('fib'[10])
print(r) # 55
Copy the codeI looked at the official demo and it seemed very simple
Let’s give it a try
The uncomfortable part here is, which method are we going to call after we read wASM?
We still need to find the wASM portal, so we’re back to parsing wASM
Fortunately, there are many wheels on the Internet, provided by this website
wat2wasm demo
wasm2wat demo
Interchange of two formats
https://webassembly.github.io/wabt/demo/
Copy the codeWhat we need to choose here is WASm2WAT, which converts WASM to C
The parsed version looks like this
So you can actually see the logic here, where we export encode, and we can call this method externally, pass in T1, t2
If you feel the conversion to C is not very easy to understand, you can use the following package again
https://github.com/WebAssembly/wabt
https://github.com/WebAssembly/wabt/blob/main/docs/decompiler.md
Copy the codeBut wasM2JS doesn’t work as well as wasm2JS once compiled
We already know from the online compiler that the wASM file is exported using encode, so try plugging in
import math
import random
import time
import pywasm
t = int(time.time())
t1 = int(t / 2)
t2 = int(t / 2 - math.floor(random.random() * 50 + 1))
wasm_vm = pywasm.load("demo1.wasm")
m = wasm_vm.exec("encode", [t1, t2])
print(m)
print(str(m) + '|' + str(t1) + '|' + str(t2))
Copy the code
And then we can figure out what m is
I’m going to write two more articles about WASM, but WASM is a lot of fun, because there are a lot of wheels that you can use and you can just lie down