WASM introduction

Root-me challenge: Do you know WebAssembly? Find the password that validates this crackme.


  1. A WebAssembly file is loaded: http://challenge01.root-me.org/cracking/ch41/index.wasm.

  2. Decompile index.wasm with tools from the WebAssembly Binary Toolkit.

  3. Analysis

  • Look at the $check_password code. The password is MD5 hashed.

  • At the end of the file, some constant values are defined.

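  4. Look up the MD5 hash with a hash lookup service, for example the hashes website. MD5 is a one-way hash, so this is a lookup against known plaintexts rather than a decryption.

  5. Enter the recovered password in the site to get the flag.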


Counter moves

WASM ships logic to the browser where anyone can read it. Treating the client as untrusted is the only durable stance. The defender’s view is in the blue notes on the application layer as a target.
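
One way to act on this, as an added example that is not part of the original write-up or the challenge: keep the password check on the server with a salted, slow hash, and return only a verdict to the browser. The function names, the PBKDF2 work factor and the sample passphrase are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune per deployment


def weak_client_digest(password: str) -> str:
    """The pattern the challenge uses: an unsalted MD5 digest compared in client code."""
    return hashlib.md5(password.encode()).hexdigest()


def enroll(password: str) -> dict:
    """Server side: derive a salted, slow hash; only this record is stored."""
    salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": derived, "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Server side: recompute with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(derived, record["hash"])


def client_view(record: dict, attempt: str) -> dict:
    """What the browser (JS or WASM) receives: a verdict, never the salt or hash."""
    return {"ok": verify(record, attempt)}


if __name__ == "__main__":
    sample = "constructed-sample-passphrase"  # constructed value, not the challenge's
    # Unsalted MD5 is deterministic, so a precomputed table can answer it.
    print(weak_client_digest(sample) == weak_client_digest(sample))
    first, second = enroll(sample), enroll(sample)
    # Per-record salts make the two stored hashes differ for the same password.
    print(first["hash"] != second["hash"])
    print(client_view(first, sample), client_view(first, "wrong guess"))
```

Nothing that decides the outcome is present in the shipped module, so reading the WASM reveals no comparison constant.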