Reversing WebAssembly Module 101
2019-10-22, 10:30–12:00, Fischbach

WebAssembly (WASM) is a new binary format currently supported by all major web-browsers (Firefox, Chrome, Safari and Edge). WebAssembly module are most commonly compiled from C/C++/Rust source code, loaded and executed inside JS scripts. It is known for being used for malicious purposes like cryptojacking but you will legitimately found usage of WebAssembly inside web-browsers addons, nodejs module or even blockchain smart contracts.

In this workshop, I will first introduce WebAssembly concepts and why it’s consider as a “game changer for the web”. Secondly, I will expose how to analyze a WebAssembly module using different techniques (static & dynamic) as well as some open-source tools that make you the life easier (Octopus, Wasabi, ...). Finally, we will hands-on with simple examples/crackmes and finally go throws the analysis of cryptominers.

Workshop outline

The following point will be discussed in this workshop.

  • Introduction
  • WebAssembly Basics
  • WebAssembly Runtime VM
  • Module dissection
  • Reversing wasm module
  • Dynamic analysis
  • Cryptominers
  • Conclusion

Patrick Ventuzelo is a french security researcher specializing in Vulnerability research, Reverse engineering, Security tool development, and Program analysis. Patrick is the author of Octopus, one of the first Open-source security analysis tool that support WebAssembly and multiple Blockchain Smart Contract to help researchers perform Analysis on closed-source bytecode.

Previously, Patrick was working for Quoscient GmbH, P1 Security, the French Department Of Defense and Airbus D&S Cybersecurity.

Patrick has been Speaker and Trainer at various international security conferences (FIRST, Northsec, BlackAlps,, Toorcon, REcon Montreal/Brussels, SSTIC)