Nai Maen

Reputation: 11

Reverse engineering a node app that used zeit/pkg to "compile" it

I have an app (that I believe has malware in it, but I wish to confirm before I go ahead and use it) that has been compiled/packaged using Zeit's PKG.

It seems to use v8's snapshot feature to obfuscate the code... any way to reverse this? I know it compiled node in the exe, but I'm new to programming and reverse engineering.

Where do I start with reverse engineering this thing? Thanks!

Upvotes: 1

Views: 2066

Answers (1)

Abkarino

Reputation: 1446

First you need to understand how it works. You will find that it forks the node.js repo and changes the bootstrapping code responsible for starting the engine.

The second part is the serialized data. It uses the V8 engine (the JavaScript engine running node.js and Chromium-based browsers) to create bytecode of the whole program and appends that to the end of the binary.

So, to reverse that binary:

  1. You would need to first extract that trailing section. It will contain a pseudo file system saved as JSON. You only need the file containing the bytecode. The file can be opened in a hex editor and you can search for strings unless they are obfuscated.
  2. You would need to convert the binary bytecode created by the v8 engine to a readable bytecode. There are no public tools available at the time of writing this, or they are very outdated. Now you have something similar to assembly that you can read and make sense of.
  3. You may go one step further to convert the bytecode to JavaScript code, but this is a very hard task since the engine stripped some logic in optimization.

As a side note, the v8 engine allows you to dump the bytecode directly in text format by passing the flag `--print-bytecode` and optionally `--print-bytecode-filter=func_name`. However, the v8 engine will not dump constant pools since that functionality is stripped from the release channel. This will allow you to see the function code but not the values used by the function.

Upvotes: 0
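Step 1 of the answer (carve the trailing section and look at its strings) can be scripted for triage. The script below is an added example, not code from the answer or from the pkg project. It assumes an ELF64 binary whose appended payload sits as an overlay past the end of the ELF image (the furthest byte covered by the section-header table or any non-NOBITS section); a Windows PE build would need a different end-of-image computation. The indicator list, the `/snapshot/` virtual-filesystem prefix check and the embedded sample binary are constructed for the demonstration; the sample is a minimal hand-built ELF header with a JSON-ish tail, not a real node executable.

```python
import re
import struct

ELF_MAGIC = b"\x7fELF"
ELF64_HEADER = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian, 64 bytes
ELF64_SHDR = "<IIQQQQIIQQ"           # Elf64_Shdr, 64 bytes
SHT_NOBITS = 8                       # section occupies no file space

# Constructed triage indicators (assumption, not from pkg or the original post):
# strings a reviewer would want to see in an appended node payload.
INDICATORS = (b"child_process", b"http://", b"https://",
              b"eval(", b"Buffer.from(", b"/snapshot/")


def elf64_end_offset(data: bytes) -> int:
    """Offset where the ELF image proper ends; bytes after it are an overlay."""
    if data[:4] != ELF_MAGIC or data[4] != 2:        # EI_CLASS 2 == 64-bit
        raise ValueError("not an ELF64 file")
    (_ident, _type, _mach, _ver, _entry, _phoff, shoff, _flags, _ehsize,
     _phentsize, _phnum, shentsize, shnum, _shstrndx) = struct.unpack_from(ELF64_HEADER, data, 0)
    end = shoff + shnum * shentsize                  # end of section-header table
    for i in range(shnum):
        (_name, sh_type, _sflags, _addr, sh_off, sh_size,
         _link, _info, _align, _entsize) = struct.unpack_from(ELF64_SHDR, data, shoff + i * shentsize)
        if sh_type != SHT_NOBITS:                    # .bss-style sections have no bytes in file
            end = max(end, sh_off + sh_size)
    return end


def carve_overlay(data: bytes) -> bytes:
    """Everything appended after the ELF image (pkg's payload lives here)."""
    return data[elf64_end_offset(data):]


def printable_strings(blob: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII, like the `strings` tool."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def flag_indicators(strings) -> dict:
    """Map each indicator to the extracted strings that contain it."""
    hits = {}
    for s in strings:
        for ind in INDICATORS:
            if ind.decode() in s:
                hits.setdefault(ind.decode(), []).append(s)
    return hits


def triage(data: bytes) -> dict:
    """Carve the overlay and report its size plus indicator hits."""
    offset = elf64_end_offset(data)
    overlay = data[offset:]
    return {"overlay_offset": offset,
            "overlay_size": len(overlay),
            "hits": flag_indicators(printable_strings(overlay))}


def build_sample_binary() -> bytes:
    """Constructed stand-in for a pkg-style executable (not a real node binary):
    ELF64 header, two section headers, one 16-byte section, then an appended payload."""
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    hdr = struct.pack(ELF64_HEADER, ident, 2, 0x3E, 1, 0, 0, 64, 0, 64, 0, 0, 64, 2, 0)
    sec0 = struct.pack(ELF64_SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)          # null section
    sec1 = struct.pack(ELF64_SHDR, 1, 1, 0, 0, 192, 16, 0, 0, 1, 0)       # PROGBITS @192
    image = hdr + sec0 + sec1 + b"\x90" * 16                              # ends at 208
    payload = (b'{"/snapshot/app/index.js":{"size":123}}\x00\x00'
               b'const cp = require("child_process");\x00'
               b'fetch("http://example.invalid/update");')               # constructed
    return image + payload


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_binary()
    report = triage(data)
    print(f"overlay at {report['overlay_offset']}, {report['overlay_size']} bytes")
    for indicator, lines in report["hits"].items():
        print(f"[{indicator}]")
        for line in lines:
            print("   ", line)
```

Run it with a path to the suspect binary to get the overlay offset and the flagged strings; without arguments it analyses the embedded sample. Real pkg payloads are far larger and may hold bytecode rather than source, so an empty hit list is not a clean bill of health, only the end of what strings can tell you before moving on to step 2.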
