rubysecurity.org

Anecdotes from a Linux Systems Administrator. /root

24 May 2017

Working with Ruby obfuscated code: Finding all classes available in a module

by Alpha01

This is a follow-up to my HashiCorp Rocks! blog post. Up until now, I'd never directly worked with any obfuscated code. HashiCorp obfuscates their commercial VMware Fusion and Workstation Vagrant plugins.

Like Vagrant, the plugins themselves are written in Ruby.

alpha03:lib tony$ file vagrant-vmware-fusion.rb
vagrant-vmware-fusion.rb: ASCII text, with very long lines, with CRLF, LF line terminators

However, if you try to read the source, all you'll see is a bunch of encoded text. My Vagrant plugin has some functionality that only works after a certain action gets executed by the proprietary plugins, so I needed to know the exact name of that particular action (its class name), exactly as it's defined inside the VMware Fusion and Workstation plugins. This was a serious problem because I can't read their source code!

Luckily, this wasn't as difficult as it seems. Finding the classes (or methods, though in my case I didn't need to) available in a Ruby module is a fairly simple process. As luck would have it, somebody had already asked and answered this question on StackOverflow.

In my case, the first step was finding out the name of the module itself. I found that the easiest way to get the name of an obfuscated module is to intentionally make it spit out an exception. Doing that, I found that the modules whose namespaces I'd be searching were HashiCorp::VagrantVMwarefusion and HashiCorp::VagrantVMwareworkstation.

Once I knew the module's name, I was able to use Ruby to view what additional modules exist within that module's namespace. I was able to accomplish that using the following:

# Keep only the constants whose value is a Module (a Class is also a Module).
modules = HashiCorp::VagrantVMwareworkstation.constants.select { |c|
  HashiCorp::VagrantVMwareworkstation.const_get(c).is_a? Module
}
puts modules

The above sample code spit out a bunch of modules inside HashiCorp::VagrantVMwareworkstation, but since I know the Vagrant plugin API and its coding standards and practices, I was able to verify that the module I was searching for is HashiCorp::VagrantVMwareworkstation::Action. Once again, looking at the plugin API and other examples, I knew that this is where the class I was looking for is stored. So I used the following to get the corresponding class name within HashiCorp::VagrantVMwareworkstation::Action:

# Keep only the constants whose value is a Class.
classes = HashiCorp::VagrantVMwareworkstation::Action.constants.select { |c|
  HashiCorp::VagrantVMwareworkstation::Action.const_get(c).is_a? Class
}
puts classes

I repeated the above tests for HashiCorp::VagrantVMwarefusion and was also able to find the corresponding class name as it's defined inside the obfuscated Ruby code.

In the end I was able to get the classes HashiCorp::VagrantVMwareworkstation::Action::Suspend and HashiCorp::VagrantVMwarefusion::Action::Suspend, and everything worked as expected.
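The two lookups above can be generalized into one recursive walk that also lists each class's own instance methods. This is an added example, not code from the original post or from HashiCorp; DemoVendor is a constructed stand-in namespace, and map_namespace and classes_under are hypothetical helper names.

```ruby
# Added example. DemoVendor is a constructed stand-in for a namespace whose
# source cannot be read; map_namespace and classes_under are hypothetical names.
module DemoVendor
  module DemoPlugin
    VERSION = "0.0.0"        # plain constant: not a Module, so skipped
    StringAlias = ::String   # alias to an outside class: skipped by the prefix check
    module Action
      class Suspend
        def call(env); end
      end
      class Resume
        def call(env); end
      end
    end
    class Config; end
  end
end

# Walks every module and class nested under root.
# Returns [kind, fully qualified name, own instance methods] rows sorted by name.
def map_namespace(root)
  rows = root.constants(false).flat_map do |name|  # false: ignore inherited constants
    next [] if root.autoload?(name)                # do not trigger loading more code
    value = begin
      root.const_get(name, false)
    rescue NameError, LoadError
      nil
    end
    next [] unless value.is_a?(Module)             # Class is a subclass of Module
    # Stay inside the namespace; this also guarantees the recursion terminates.
    next [] unless value.name.to_s.start_with?("#{root.name}::")
    kind = value.is_a?(Class) ? :class : :module
    [[kind, value.name, value.instance_methods(false).sort]] + map_namespace(value)
  end
  rows.sort_by { |_, qualified, _| qualified }
end

# Only the class names, which is what the post needed for its action hook.
def classes_under(root)
  map_namespace(root).select { |kind, _, _| kind == :class }.map { |_, n, _| n }
end

if __FILE__ == $PROGRAM_NAME
  map_namespace(DemoVendor).each do |kind, name, methods|
    puts format("%-6s %s %s", kind, name, methods.inspect)
  end
end
```

Against a real plugin, the root passed in would be the module name recovered from the exception, once the plugin has been loaded in the same Ruby process.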

Tags: [ ruby vagrant ]