“This is the first day of my participation in the Gwen Challenge in November. Check out the details: The last Gwen Challenge in 2021”

Preface

Wasm is an underlying assembly language with text format support that is intended to be portable, secure and efficient.

Wasm modules can be imported into a web app (or Node.js) and expose Wasm functions for JavaScript to call.

The main difference between Wasm and other virtual machines is that it is not optimized for any particular programming language; instead it abstracts the underlying hardware, with bytecode that maps directly onto the instruction and memory models of modern CPUs.

To put it simply: it is a relatively low-level assembly language, it is hard to read, and it is relatively safe.

The section above is just a quick look at the basic concepts of WASM.

Today’s website

aHR0cHM6Ly9tYXRjaC55dWFucmVueHVlLmNvbS9tYXRjaC8xNQ==

Packet capture analysis and encryption positioning

Visiting the site, we see that it asks us to get a total across all the pages up to the current page.

So first, open the packet capture and look at how the page data is requested.

A brief analysis shows that there is no encrypted parameter when accessing the home page, but an encrypted parameter m is required when turning pages.

So the parameter to analyze is this m.

We look at the JS call stack.

The JS encryption logic can be found at the third entry in the stack.

You can see the submitted argument list, where m is the result of a window.m call.

Follow arrow 2 to find the logic for window.m.

This leads us to the window.q function.

To break into window.q, set a breakpoint on it and then click to turn the page.

Let’s follow the logic of window.q here.

From the JS logic we just looked at, we can guess that this section comes from WASM.

The file should be loaded from /static/match/match15/main.wasm.

We found this WASM file.

Reproduction

We have the WASM file here, but how are we going to analyze it?

There are two ways to turn the WASM file back into something we can read or run.

Method 1

The first is to use wasm2js.

# project address
https://github.com/thlorenz/wasm2js

Installation

npm install wasm2js

You can then use this package to convert the WASM file back to JS and then work through the logic.

Method 2

The second option is to use the existing Python third-party package pywasm.

Installation

pip install pywasm

Usage demo

import pywasm
# pywasm.on_debug()  # uncomment to trace execution

runtime = pywasm.load('./examples/fib.wasm')  # load the module
r = runtime.exec('fib', [10])                 # call the exported fib with argument 10
print(r)  # 55

I looked at the official demo and it seemed very simple.

Let’s give it a try.

The awkward part here is: which method are we going to call after we have loaded the WASM?

We still need to find the WASM entry point, so we’re back to parsing the WASM.

Fortunately, there are plenty of ready-made tools online, provided by this website:

wat2wasm demo

wasm2wat demo

Conversion between the two formats

https://webassembly.github.io/wabt/demo/

What we need to choose here is wasm2wat, which converts the WASM binary into its readable text form.

The parsed version looks like this.

So you can actually see the logic here: the module exports encode, and we can call this method externally, passing in t1 and t2.
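The same entry-point lookup can be done offline with a few lines of Python. The following is an added example, not code from the original post or from wabt: a minimal parser for the WebAssembly binary format that walks the type, import, function and export sections and prints every export with its signature, which is exactly the information we took from the wasm2wat output (an export named encode taking two arguments). The module bytes are constructed by hand for this example and are not the site’s main.wasm; the function, section and constant names are my own.

```python
# Added example: list the exports of a WebAssembly binary and resolve the
# type signature of exported functions. Covers the core-spec sections only
# (type, import, function, export); other sections are skipped by size.
import struct

VALTYPES = {0x7F: "i32", 0x7E: "i64", 0x7D: "f32", 0x7C: "f64"}
EXPORT_KINDS = {0: "func", 1: "table", 2: "memory", 3: "global"}

# Constructed sample module: one function (i32, i32) -> i32 exported as "encode".
_SAMPLE_HEX = (
    "00 61 73 6d  01 00 00 00"                # magic "\0asm", version 1
    "01 07  01 60 02 7f 7f 01 7f"             # type section: functype (i32, i32) -> i32
    "03 02  01 00"                            # function section: func 0 has type 0
    "07 0a  01 06 65 6e 63 6f 64 65 00 00"    # export section: "encode" -> func 0
    "0a 09  01 07 00 20 00 20 01 6a 0b"       # code section: local.get 0, local.get 1, i32.add, end
)
SAMPLE_WASM = bytes.fromhex(_SAMPLE_HEX.replace(" ", ""))


def read_uleb128(data, pos):
    """Decode an unsigned LEB128 integer at data[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7


def skip_limits(data, pos):
    """Skip a limits record (flag, min[, max]) used by table and memory types."""
    flag = data[pos]
    _, pos = read_uleb128(data, pos + 1)
    if flag & 1:
        _, pos = read_uleb128(data, pos)
    return pos


def iter_sections(data):
    """Yield (section_id, payload) for each section after the 8-byte header."""
    if data[:4] != b"\x00asm":
        raise ValueError("not a wasm module (bad magic)")
    version = struct.unpack("<I", data[4:8])[0]
    if version != 1:
        raise ValueError(f"unsupported wasm version {version}")
    pos = 8
    while pos < len(data):
        sec_id = data[pos]
        size, pos = read_uleb128(data, pos + 1)
        yield sec_id, data[pos:pos + size]
        pos += size


def parse_types(payload):
    """Type section: a vector of functypes, each 0x60 params results."""
    types = []
    count, pos = read_uleb128(payload, 0)
    for _ in range(count):
        if payload[pos] != 0x60:
            raise ValueError("expected functype tag 0x60")
        nparams, pos = read_uleb128(payload, pos + 1)
        params = [VALTYPES[b] for b in payload[pos:pos + nparams]]
        nresults, pos = read_uleb128(payload, pos + nparams)
        results = [VALTYPES[b] for b in payload[pos:pos + nresults]]
        pos += nresults
        types.append((params, results))
    return types


def count_imported_funcs(payload):
    """Imported functions occupy the first slots of the function index space."""
    count, pos = read_uleb128(payload, 0)
    nfuncs = 0
    for _ in range(count):
        for _ in range(2):  # module name, then field name
            n, pos = read_uleb128(payload, pos)
            pos += n
        kind = payload[pos]
        pos += 1
        if kind == 0:    # func: typeidx
            _, pos = read_uleb128(payload, pos)
            nfuncs += 1
        elif kind == 1:  # table: elemtype byte + limits
            pos = skip_limits(payload, pos + 1)
        elif kind == 2:  # memory: limits
            pos = skip_limits(payload, pos)
        elif kind == 3:  # global: valtype + mutability
            pos += 2
    return nfuncs


def list_exports(data):
    """Return [(name, kind, index, signature_or_None)] for every export."""
    types, func_types, exports, nimports = [], [], [], 0
    for sec_id, payload in iter_sections(data):
        if sec_id == 1:
            types = parse_types(payload)
        elif sec_id == 2:
            nimports = count_imported_funcs(payload)
        elif sec_id == 3:
            count, pos = read_uleb128(payload, 0)
            for _ in range(count):
                idx, pos = read_uleb128(payload, pos)
                func_types.append(idx)
        elif sec_id == 7:
            count, pos = read_uleb128(payload, 0)
            for _ in range(count):
                nlen, pos = read_uleb128(payload, pos)
                name = payload[pos:pos + nlen].decode("utf-8")
                kind = payload[pos + nlen]
                idx, pos = read_uleb128(payload, pos + nlen + 1)
                exports.append((name, EXPORT_KINDS.get(kind, "?"), idx))
    out = []
    for name, kind, idx in exports:
        sig = None
        local = idx - nimports  # defined functions follow the imported ones
        if kind == "func" and 0 <= local < len(func_types):
            params, results = types[func_types[local]]
            sig = f"({', '.join(params)}) -> {', '.join(results) or 'nothing'}"
        out.append((name, kind, idx, sig))
    return out


if __name__ == "__main__":
    for name, kind, idx, sig in list_exports(SAMPLE_WASM):
        print(f"export {name!r}: {kind}[{idx}] {sig or ''}")
```

Running the script prints `export 'encode': func[0] (i32, i32) -> i32`, the same entry point and arity the text conversion revealed; pass the bytes of any .wasm file read with `open(path, 'rb').read()` to `list_exports` to get the list of names that `runtime.exec` can be given. The import-section bookkeeping matters on real modules: exported function indices count imported functions first, so without it the signature shown for an export would belong to the wrong function.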

If you find the converted text hard to follow, you can use the following package instead:

https://github.com/WebAssembly/wabt
https://github.com/WebAssembly/wabt/blob/main/docs/decompiler.md

But the wasm2js output, once compiled, does not work as well.

We already know from the online converter that the WASM file exports encode, so let’s try plugging it in.

import math
import random
import time
import pywasm


t = int(time.time())                                        # current Unix timestamp in seconds
t1 = int(t / 2)                                             # first argument: half the timestamp
t2 = int(t / 2 - math.floor(random.random() * 50 + 1))      # second argument: t1 minus a random offset of 1..50
wasm_vm = pywasm.load("demo1.wasm")                         # load the downloaded WASM module
m = wasm_vm.exec("encode", [t1, t2])                        # call the exported encode(t1, t2)
print(m)
print(str(m) + '|' + str(t1) + '|' + str(t2))               # m, t1 and t2 joined with '|' as the page parameter

And then we can work out what m is.

I’m going to write two more articles about WASM. WASM is a lot of fun, because there are plenty of ready-made wheels you can use and just lie back.