from Hacker News

Evading JavaScript anti-debugging techniques

by hazebooth on 8/1/23, 7:35 PM with 51 comments

by 8chanAnon on 8/1/23, 8:29 PM
Interesting though it involves recompiling the web browser. I have encountered this issue on many websites and my response is to stream the website through a proxy server which can then save the content (both outgoing and incoming) to the local disk for analysis. Using the browser's debugging tool is a lost cause when you're dealing with obfuscated code. The approach that I use is to isolate the target JS, modify it by including calls to a websocket, save the code to disk and instruct the proxy server to load the code from disk instead of from the website. This way the website appears to work normally except with my modification. In some cases, it may be necessary to isolate an additional file or two due to dependencies.
The reason for the websocket is that the browser console is also rendered inoperable due to the debugger statements and console clear commands emanating from the website JS. A websocket is then the only way to transfer actionable information (such as a password or a secret link). It's not an easy or quick process but, by inserting websocket calls in interesting places, it is possible to figure out what the JS is doing. It also helps a lot to prettify the JS in order to study it. There are websites that can do that for you. Unfortunately, the prettification of the JS may break it so you're still stuck with doing the modifications in the original JS.
I built my own proxy server for this task but I imagine that the same may be possible with a tool like HTTP Toolkit but that means getting the Pro version.
by jkingsman on 8/1/23, 9:50 PM
I'm surprised to not see Chrome's handy "Never pause here" menu that appears when you right click any line of JS, including debug breakpoints. This is typically what I do when there's a debug in an intervaled function (simple anti-debug commonly found on some video sites).
Example: https://i.imgur.com/BsphnEu.png
by gmerc on 8/1/23, 10:44 PM
Unfortunately that won’t be an option with Web Integrity….
by TYT on 8/2/23, 1:19 AM
For people who don't want to compile the anti-debugging firefox themselves, I have set up a github repo to do it automatically: https://github.com/Sec-ant/anti-anti-debugging-debugger-fire...
by rasz on 8/2/23, 9:14 AM
>By renaming it to something like "banana," the debugger would no longer trigger on occurrences of the debugger keyword. To achieve this, we built customized version of Firefox.
heavy handed approach. I have some moderate success intercepting setInterval/setTimeout and manually sifting to find that one call that starts the ball rolling. Things get old fast when the code you are looking at looks like
```
    0[_0x199d1e(0x815*-0x2+0x1735+0x13f*-0x5)](_0x199d1e(0x3b3*0xa+0x1c1+-0x260d),_0x199d1e(0x2149*0x1+0x9f7+0x1*-0x29f5)))[_0x
```
by 29ebJCyy on 8/2/23, 5:46 AM
Just record a Replay (https://replay.io). Done!
by crazygringo on 8/1/23, 9:56 PM
> Once upon a time, whenever you tried to open your devtools on Supreme's website, you found yourself trapped in a pesky debugger loop.
Could somebody here explain what that means, since the article doesn't? What's a debugger loop? What is the actual JavaScript code that somehow prevents debugging, and how does it accomplish that?
by badrabbit on 8/2/23, 4:05 AM
The SANS course for this still teaches to use IE for debugging JS because it is the only browser that lets you break at arbitrary points in the code instead of newline boundaries.
by 38 on 8/2/23, 12:13 AM
note if all you care about is capturing the web requests, you can use something like MITM Proxy:
https://github.com/mitmproxy/mitmproxy
by lini on 8/1/23, 9:35 PM
You can also use a MITM proxy tool to intercept the JS files and modify their response body to remove or replace the `debugger;` statements with something else. Might require inspecting the JS files first to see what needs to be replaced exactly, but should not take more than a few minutes.
by ezekiel68 on 8/2/23, 4:46 AM
Ah yes, the eternal arms race.