Workshop @ EthCC 2020: Reversing Ewasm contract 101



2020/03/03 @ EthCC 2020

In this talk, I briefly introduce WebAssembly concepts , Ewasm specificity and opcodes/instructions. Secondly, I show how to create Ewasm smart contract and expose different techniques/tools to perform WebAssembly module closed-source analysis. Finally, we go through some basic examples to apply reversing (reverse engineering) on those Ewasm contracts and understand the logic inside.


slides

Blogpost: Analysis of Google Keep WebAssembly module​

webassembly wasm security google keep patrick ventuzelo reversing analysis emscripten

2019/07/16 @ webassembly-security.com

Is WebAssembly already used in the wild?

The answer is of course YES and some WebAssembly modules are potentially running right now in your browser if you are using Google web services. Recently, Google was using WebAssembly for the beta version of Google Earth but also in production for services like Google Keep.

  1. Google Keep Wasm Module & JS File Extraction
  2. WebAssembly Module Reversing
  3. Extract Build Information
  4. What is Sketchology and Ink?
  5. Reversing Protobuf Encoded Blobs
  6. Extract WebGL Vertex Shader Structure
  7. Absolute path, Error messages, Mangling & Constant names
  8. Going Deeper & Conclusion

link, pdf

Talk @ FIRST 2019: Analyze & Detect WebAssembly Cryptominer


2019/06/17 @ FIRST conference 2019

More than one year after the “official” release, it’s heavily used in the wild to perform Cryptojacking (illegitimate in-browser mining) using online services, like Coinhive, that provides simple Javascript API and uses WebAssembly module to make mining even more efficient and profitable than using pure JavaScript.

First, I will introduce WebAssembly concepts and how it is currently used. Secondly, I will analyze some Cryptominer module using static and dynamic analysis (reversing, decompilation, DBI, …) applied on WebAssembly. Finally, I will expose some techniques to detect and mitigate them.

  1. Introduction
  2. WebAssembly Basics
  3. Module dissection
  4. Program analysis
  5. WebAssembly Cryptominers
  6. Analysis (Coinhive & Cryptoloot)
  7. Cryptominers detection
  8. Conclusion

link / slides

Workshop @ Northsec 2019: Reversing WebAssembly Module 101


2019/05/21 @ Northsec 2019

In this workshop, I will first introduce WebAssembly concepts and why it’s consider as a “game changer for the web”. Secondly, I will expose different techniques (Static/Dynamic analysis) and tools (OctopusWasabi, …) to perform a WebAssembly module analysis. Finally, we will hands-on with basic examples (crackmes) and go throws some real-life cryptominer and web-browsers plugins using WebAssembly module.

Along the talk, I will only used open source tools.

  1. Introduction
  2. WebAssembly Basics
  3. WebAssembly Runtime VM
  4. WebAssembly VM internals
  5. Module dissection
  6. Program analysis
  7. Wasabi
  8. Cryptominers
  9. Firefox addons analysis
  10. Conclusion

link / slides (not yet) / repository

Blogpost: Ethereum Threat Actors Part 3 — Phishings/Scams using Smart Contracts

Ethereum smart contract  malware  threat actor phishing patrick ventuzelo blogpost quoscient analysis scams

2019/04/03 @ QuoScient Medium

In part three of our mini-series (see part #1 & part #2) describing how cybercrime actors are using the Ethereum blockchain for fraudulent means, we analyze a phishing tactic that used a smart contract address. Interestingly, this smart contract is not unique and the exact same closed-source bytecode is used in more than 130 thousand smart contracts.

  1. Phishing on Forums/Telegram.
  2. Quick analysis of the Smart contract Bytecode
  3. Who is behind 0xAf1931c20ee0c11BEA17A41BfBbAd299B2763bc0?
  4. Similar Luno user wallets Used for Phishing
  5. Conclusion
  6. Indicator of Compromise

link / pdf

Talk @ EthCC 2019: Let’s dig inside Ethereum Smart Contracts compiled to WebAssembly

Ethereum ETHCC Paris reverse webassembly patrick ventuzelo analysis smart contract Parity Kovan mainnet testnet conference talk


2019/02/18 @ EthCC 2019

At Devcon4, Vitalik annonced that WebAssembly (wasm) will be part of Ethereum 2.0 (Serenity). It’s already possible to compile smart contracts to wasm modules and run them in the Kovan network.

Using WebAssembly smart contract doesn’t mean using secure smart contract.

In this talk, I will explain what’s inside a WebAssembly module and illustrate how to analyze wasm Ethereum smart contracts to find vulnerabilities and unoptimization.

  1. Introduction
  2. WebAssembly basics
  3. Program analysis
  4. Parity Helloworld
  5. WASM module Vulnerabilities
  6. Conclusion

link / slides / video

Talk @ ToorCon XX – 2018: Reversing Ethereum Smart Contracts

toorcon webassembly wasm patrick ventuzelo reversing analysis ethereum evm


2018/09/15 @ ToorCon XX – 2018

Ethereum is the reference of smart contract platform due to the possibility to create decentralized applications (Dapps) by writing smart contracts. The Solidity source code of those smart contracts are not always available and can contains flaws (reentrancy, integer overflow/underflow, bad randomness, backdoor, ….).

Some smart contract handle thousand of ETH and can’t be modified once pushed into the blockchain. More than 90% of them doesn’t provide the associated Solidity source code and that’s also why be able to reverse and analyze Ethereum smart contract (only with the EVM bytecode) make even more sense.


link / slides

Talk @ ToorCon XX – 2018: Dissection of WebAssembly module

 

toorcon webassembly wasm patrick ventuzelo reversing analysis ethereum evm


2018/09/15 @ ToorCon XX – 2018

WebAssembly (WASM) is a new binary format currently developed and supported by all major browsers including Firefox, Chrome, WebKit /Safari and Microsoft Edge through the W3C. This new format have been designed to be “Efficient and fast“, “Debuggable“ and “Safe” that why it is often called as the “game changer for the web“. More than one year after the “official” release, it is not only used “for the web” by web browsers but also in some (huge) other projects like Blockchain Smart Contract platforms (EOS and Ethereum).

I will first introduce WebAssembly concepts and who currently used it in the wild. Secondly, I will show different WebAssembly VM available and explain the security measures implemented into it. Finally, I will show you, throw real life WASM modules, how to do static analysis, using techniques such as reversing, control flow and calls flow analysis, to understand deeper its behaviors. Along the talk, I will used multiple open source tools but mainly the one that I have developed and that is already available on Github (Octopus).


link / slides / video