by strictnein 2392 days ago
A binary format is no more obfuscated than minified JS? What now?

Going to need some clarification on how that's the case.


I guess he's saying that an unminifier tool is effectively no different than a decompiler, and both are basically unreadable without it.

That said, I don't know of any webassembly decompilers, although I guess they must exist by this point. But also historically decompilers have been imperfect as some of the structure of the code is lost in the compilation process and has to be inferred, sometimes incorrectly, by the decompiler. Compare to a minifier where all you lose is the variable names, comments, and possibly helpful whitespace. All of the structure of the code is still there and there are no heuristics necessary to recreate something that resembles the original source.

There are certainly wasm decompilers -- wasm2c, wasm2js, etc. You also have access to the browser's JS debugger for breakpoints, line by line execution control, dumping wasm's linear memory.

I haven't written any productive WebAssembly but I play Capture The Flag competitions, and it's become frequent for a wasm reverse engineering challenge to be thrown in. The tools are good enough to make that tractable, even for non-experts in wasm like me.

It helps a little that it's a stack-based rather than register-based VM. Usually more of the intent of code is preserved that way. It's like reversing a JVM class, rather than like reversing a native binary.

What are these Capture The Flag competitions? Do you mind posting a link?
Sure. My favorite explanation's a short video:

https://youtu.be/8ev9ZX9J45A

That is correct, a minified JS will preserve most of the semantics of the original program. And since the original source can come from any language, how would one know which decompiler to use?
You could already compile programs from other languages to javascript.

https://github.com/jashkenas/coffeescript/wiki/List-of-langu...

Wasm was effectively an extension of asm.js. It makes the experience of compile-to-web better, but it isn't much more opaque than other projects.

WASM is a binary and a text format. You can turn any WASM binary to the text format and have a readable version of the blob. Firefox can automatically show you the text version of a WASM blob. So no, there is no difference with a minified JS. Just because they are in a text format doesn't make them any easier to reverse engineer.
Unless I'm completely missing something the "text version" you're talking about is just WASM and there's quite a difference between that and minified JS.

ex:

    end $label121
    get_local $var7
    get_local $var9
    call $func3444
    get_local $var7
    call $func1500

How is that any more readable than deobfuscated js?

    func1500(func3444(var7, var9), var7)

or more likely:

    gw(kl(s,i),s)
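
The folding from stack code to a nested call that the comment above does by hand, as an added example that is not part of the thread. The `ARITY` table and the function name `foldStackCode` are assumptions made for illustration; in a real module the parameter and result counts come from the type section.

```javascript
// Added example: folds linear wasm text (stack code) into nested call expressions.
// ARITY is an assumption; in a real module the counts come from the type section.
const ARITY = {
  $func3444: { params: 2, results: 1 },
  $func1500: { params: 2, results: 1 },
};

// The instruction run quoted in the thread.
const SNIPPET = [
  "end $label121",
  "get_local $var7",
  "get_local $var9",
  "call $func3444",
  "get_local $var7",
  "call $func1500",
];

function foldStackCode(lines, arity) {
  const stack = [];      // value expressions not yet consumed
  const statements = []; // finished statements, in program order
  for (const raw of lines) {
    const [op, arg = ""] = raw.trim().split(/\s+/);
    const name = arg.replace(/^\$/, "");
    switch (op) {
      case "get_local":
      case "local.get": // current spelling of the same instruction
        stack.push(name);
        break;
      case "call": {
        const sig = arity[arg];
        if (!sig) throw new Error(`no signature for ${arg}`);
        if (stack.length < sig.params) throw new Error(`stack underflow at call ${arg}`);
        // Arguments are the top `params` stack entries, in push order.
        const args = stack.splice(stack.length - sig.params);
        const expr = `${name}(${args.join(", ")})`;
        if (sig.results) stack.push(expr);
        else statements.push(expr);
        break;
      }
      case "end": // closes a structured block; no value is produced
        statements.push(`// end ${name}`);
        break;
      default:
        throw new Error(`unsupported instruction: ${op}`);
    }
  }
  return { statements, stack };
}
```

Calling `foldStackCode(SNIPPET, ARITY)` leaves a single expression on the stack, the same nested call the comment writes out.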
Yes this is what I am talking about. Once you know the instruction, I fail to see how it is more difficult to understand than javascript.
That's like saying x86_64 assembly is as easy to understand as C. High level languages exist to make code easier to understand.
wasm is higher-level than x86 (or any other native) assembly.
That certainly is a take.
There is a difference in degree, though. Unminified JS is usually easier to read than wasm text, in general.

One practical factor: I often debug wasm files by compiling them to JS first.

At least wasm has structured control flow, which helps a lot. I wish wasm had even more readability features, personally.

It's a binary format originally based on minified JS, with a standard textual form, and which can be viewed and debugged with exactly the same tools (and ease) as minified JS.
Can you point me to an example of this?
Thanks for the downvote whoever. Honestly, I want an example of how it "can be viewed and debugged with exactly the same tools (and ease) as minified JS".

I see nothing that states that is the case.

WASM is essentially a more efficient version of Asm.js, which is just Javascript. WASM is a binary format. Asm.js is Javascript. They're equally obfuscated.