Marc Chung
Attended Arizona State University
Lives in Phoenix
Marc Chung

Code for America Brigade

Marc Chung

Reverse engineering malicious JavaScript.

A few days ago, I got an email with a PDF attachment. When viewing the PDF with Preview, there were only two blank pages. Curiously, I opened up the PDF with a plain text editor and guess what I found embedded in the PDF: (Don't worry, it won't break your computer)

A quick search reveals that Adobe Acrobat is the only PDF reader that executes JavaScript, so I wasn't worried about being compromised. Still curious, I thought I'd figure out what was happening by deciphering (or un-obfuscating) the code.

First, it's kinda cute how much crazy shit you can do with JavaScript. The first thing I did was unescape the HTML entity codes so that ...

&lt; became <
&#000119; became w
w(s&#46;join('')); became w(s.join(''));

... and so on, until I got the following:

Then I opened Chrome, launched the JavaScript console and proceeded to step through the code. (Whenever I reverse engineer these types of attacks it's almost always a bunch of work to obfuscate 'eval()'.)

Here are a few noteworthy entries:

(1) The payload only executes when ...


... are equal to each other (in this case, when the variables === 'nct').

I'm not sure on which platforms this is or isn't true, but it does make you consider how popular and widespread JavaScript runtime engines have become.

(2) The next few lines split a long string into an array and decipher the array with the following Caesar cipher:

cc="+K_4{3 ;q-QpandD:/xM08u'W.iF}tr\"l^I%7]Ybkf=S[g?mL96svCo<2E,*(yB5)jAVRUchwe1";

(3) After the array has been deciphered, it concatenates the array (into the payload) and runs it through eval.

Here's the rest of the documented code:

I'm pretty sure I did something wrong because the payload has typos, for example: 'return' is 'rcturn' and 'function' is 'funVtion'.

You can see the deciphered payload here:

It looks like the string is further obfuscated, but before I continue, can anyone help me figure out why the payload has typos? You can view all four entries here:
I was unfortunate enough to get one of these and have to break it down. It was basically a heap spray (not sure which vuln) that ran some shellcode. It was the usual http downloader, which pulled down the following sample:
Here is a sandbox report as well -
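An added example, not code from the original post and not the malicious sample it describes: it walks the three stages the post names (undoing the HTML entity encoding, a Caesar shift over the quoted `cc` alphabet, and catching what the unpacker hands to `eval`) against a constructed stand-in, so the final stage is captured as text instead of run. The shift amount and the shape of the decoding loop are assumptions, since the post shows the alphabet but not the loop that indexes into it.

```javascript
// Added example (not from the original post or the sample it analyses). Three
// stages of offline unpacking, run against a constructed stand-in for the script.

// Stage 1: undo the HTML entity encoding the post had to strip by hand
// (&lt; -> <, &#000119; -> w, &#46; -> .).
function decodeEntities(s) {
  const named = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    const key = body.toLowerCase();
    return key in named ? named[key] : match; // unknown entity: leave it visible
  });
}

// Stage 2: a Caesar shift over a custom alphabet. CC is the `cc` string quoted in
// the post (entity decoded). SHIFT is an assumption; the post does not show it.
const CC = "+K_4{3 ;q-QpandD:/xM08u'W.iF}tr\"l^I%7]Ybkf=S[g?mL96svCo<2E,*(yB5)jAVRUchwe1";
const SHIFT = 7;

function caesarOverAlphabet(text, alphabet, shift) {
  const n = alphabet.length;
  let out = "";
  for (const ch of text) {
    const i = alphabet.indexOf(ch);
    out += i < 0 ? ch : alphabet[(((i + shift) % n) + n) % n]; // non-alphabet chars pass through
  }
  return out;
}

// Stage 3: run the unpacker with `eval` shadowed by a recorder. Inside the Function
// body `eval` is an ordinary parameter, so the unpacker's direct eval(...) call
// delivers the decoded text here instead of executing it. The unpacker stage itself
// still runs, so this belongs in a throwaway VM, like the post's console session.
function captureEval(unpackerSource) {
  const captured = [];
  new Function("eval", unpackerSource)((code) => { captured.push(String(code)); });
  return captured;
}

function unpackOffline(entityEncodedSource) {
  return captureEval(decodeEntities(entityEncodedSource));
}

// Constructed sample, shaped the way the post describes: one long string split into
// an array, each entry shifted back through cc, joined, and passed to eval.
const PAYLOAD = "var w = 'second stage'; w;"; // benign stand-in for the real payload

function buildSampleUnpacker(encoded) {
  return [
    "var cc = " + JSON.stringify(CC) + ";",
    "var parts = " + JSON.stringify(encoded) + ".split('|');",
    "var s = [];",
    "for (var i = 0; i < parts.length; i++) {",
    "  var t = '';",
    "  for (var j = 0; j < parts[i].length; j++) {",
    "    var k = cc.indexOf(parts[i].charAt(j));",
    "    t += k < 0 ? parts[i].charAt(j) : cc.charAt((k - " + SHIFT + " + cc.length) % cc.length);",
    "  }",
    "  s.push(t);",
    "}",
    "eval(s.join(''));",
  ].join("\n");
}

function makeSample() {
  const chunks = [];
  for (let i = 0; i < PAYLOAD.length; i += 8) {
    chunks.push(caesarOverAlphabet(PAYLOAD.slice(i, i + 8), CC, SHIFT));
  }
  const source = buildSampleUnpacker(chunks.join("|"));
  // Entity-encode a few characters the way the mailed script was (constructed).
  return source
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/\./g, "&#46;")
    .replace(/w/g, "&#000119;");
}

console.log(unpackOffline(makeSample())); // [ "var w = 'second stage'; w;" ]
```

The recorder in `captureEval` is the part that matters for analysis: whatever the unpacker finally feeds to `eval` is returned as a string, which is exactly the text the post wanted to inspect for its stray 'rcturn' and 'funVtion'. Shadowing `eval` this way only catches direct calls; an unpacker that reaches for `window.eval`, `Function` or `setTimeout` with a string needs those hooked too.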

Marc Chung

Explains how you pass around function literals. Results in cleaner code.
Ikai Lan originally shared:
Captain Obvious on Javascript: it's a functional programming language! Worth a read even if you're an experienced Javascript programmer just to refresh your knowledge.

Marc Chung

A quick post about Analytics and Google SSL.

A few days ago, I noticed that Google Analytics wasn't reporting keywords for Google (organic search results). Incoming keywords were replaced with '(not provided)'.

This has to do with Google's recent SSL changes--increased privacy for end-users, increased difficulty for inbound marketers. SEOmoz has one of the better write ups describing the situation:

Though, from the comments you'd think there were shenanigans going on.

"all of my top search keyword positions are now "Not Provided"."
"lost keyword information on a little over 2% of our visits and climbing."
"whatever happened to "do not evil"" <-- really?

The good news is that there's a quick fix: enable SSL on your own site. Yes, that's right. You'll need to buy an SSL certificate and install it on your site. You can also set up an .htaccess or nginx config that 301 redirects http to https.

Here's why:

The referrer, HTTP_REFERER, is dropped when users move from an SSL website to a non-SSL website, which is the case when a user searches on and is taken to. However, the HTTP_REFERER remains intact when users move from an SSL website to another SSL website.

If you want to see this in action, I've set up a quick demo.

1. Visit the demo page:
2. See that link? Click it. It's a specially crafted query that will return only the demo page.
3. Clicking on the first search engine result will take you to the demo page with the HTTP_REFERER intact. The keyword also shows up in Google Analytics.

Looking forward to SSL everywhere in 2012.

(Updated with a quick demo)
Good question. Copy and paste it?
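An added example, not the post's demo and not Google Analytics' own code: the referrer rule the post describes, what an analytics script on the landing page would see as the organic keyword, and the Location a 301-to-https handler would emit. `https://www.google.com/search?q=...` stands for the search page and `example.com` for your own site; both are constructed inputs.

```javascript
// Added example (not from the original post). Models the HTTP_REFERER behaviour
// the post describes and what the landing page's analytics would report.

function referrerSent(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Default browser behaviour the post relies on: a page loaded over https: does
  // not reveal its URL to a destination loaded over plain http:.
  if (from.protocol === "https:" && to.protocol !== "https:") return null;
  return from.href;
}

// What the landing page's analytics would report as the organic keyword.
function keywordFromReferrer(referrer) {
  if (!referrer) return "(not provided)";
  const q = new URL(referrer).searchParams.get("q"); // '+' decodes to a space
  return q ? q : "(not provided)";
}

function reportedKeyword(searchUrl, landingUrl) {
  return keywordFromReferrer(referrerSent(searchUrl, landingUrl));
}

// The fix the post suggests, expressed as the Location a 301 handler would send
// for a plain-http request (null when the request is already https).
function httpsRedirectLocation(requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol !== "http:") return null;
  u.protocol = "https:";
  return u.href;
}

// Constructed demo: same query, http vs https landing page.
const SEARCH = "https://www.google.com/search?q=ssl+referrer+demo";
console.log(reportedKeyword(SEARCH, "http://example.com/demo"));  // (not provided)
console.log(reportedKeyword(SEARCH, "https://example.com/demo")); // ssl referrer demo
console.log(httpsRedirectLocation("http://example.com/demo"));    // https://example.com/demo
```

One caveat for anyone re-running the demo today: current browsers apply a default `Referrer-Policy` of `strict-origin-when-cross-origin`, which trims a cross-site referrer to its origin even over https-to-https, so the query string (and with it the keyword) no longer arrives; the https-to-http drop the post describes still holds.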

Marc Chung

Love this organization

"[Khan] takes a dim view of the constructionist idea that students won’t really understand math unless they discover each principle on their own. “Isaac Newton would not have invented calculus had he not had textbooks on algebra.” Bill Gates is even more scathing: “It’s bullshit,” he says. “If you can’t do multiplication, then tell me, what is your contribution to society going to be?”"
Salman Khan's educational website of 2,400 video lessons could be the solution to middle-of-the-class mediocrity.
I spent a bunch of time on their YouTube channel tonight; great stuff and well done. Presentations made for web not just recorded in a classroom.

I could see teachers feeling threatened. When I took Calculus in high school, it seemed everybody got a second text book or two to better understand what our text and teacher couldn't get across. Khan Academy's presentation would likely be better than the teacher's!

I have to admit, two of the dimmest people on my street are teachers.

Marc Chung

I want to know what people are calling their labels. What are your top three circles?
Bwahaha classic, Glenn. I have a 'hot' list on facebook, but maybe I should consider being more specific.

Marc Chung

Feynman would have been 94 today. Among his many areas of interest, the one on software comes to mind.

Here's what he wrote about the onboard software system for the Challenger spacecraft.

Pay particular attention to the attitude towards high quality (only six errors have ever been found), the attitude towards testing (for safety reasons), and the approach to saving money (cutting scope, and not process).

It was written in 1986.


The software is checked very carefully in a bottom-up fashion. First, each new line of code is checked, then sections of code or modules with special functions are verified. The scope is increased step by step until the new changes are incorporated into a complete system and checked. This complete output is considered the final product, newly released. But completely independently there is an independent verification group, that takes an adversary attitude to the software development group, and tests and verifies the software as if it were a customer of the delivered product. There is additional verification in using the new programs in simulators, etc. A discovery of an error during verification testing is considered very serious, and its origin studied very carefully to avoid such mistakes in the future. Such unexpected errors have been found only about six times in all the programming and program changing (for new or altered payloads) that has been done. The principle that is followed is that all the verification is not an aspect of program safety, it is merely a test of that safety, in a non-catastrophic verification. Flight safety is to be judged solely on how well the programs do in the verification tests. A failure here generates considerable concern.

To summarize then, the computer software checking system and attitude is of the highest quality. There appears to be no process of gradually fooling oneself while degrading standards so characteristic of the Solid Rocket Booster or Space Shuttle Main Engine safety systems. To be sure, there have been recent suggestions by management to curtail such elaborate and expensive tests as being unnecessary at this late date in Shuttle history. This must be resisted for it does not appreciate the mutual subtle influences, and sources of error generated by even small changes of one part of a program on another. There are perpetual requests for changes as new payloads and new demands and modifications are suggested by the users. Changes are expensive because they require extensive testing. The proper way to save money is to curtail the number of requested changes, not the quality of testing for each.
Full Appendix F
Add a comment...

Marc Chung

Shared publicly  - 
Street Fighter meets ping pong.
Given how it starts off, this ended up being about 20x cooler than I expected. Some awesome effects, would really like to see a behind-the-scenes of how you put a video like this together.

Marc Chung

Air Status originally shared:
If you were out on New Years Eve in Phoenix, AZ, you were probably exposed to the poorest air quality for December 31st in the last 7 years.

The highest fine particles (PM-2.5) peaked at around midnight, which we presume is right around the same time that the fireworks went off.

So why the sudden spike? What happened this year?

I'll share some insight into what I think happened. Last year, HB 2246--the Arizona Fireworks law--passed legalizing state-approved or "safe and sane" fireworks. Now because of the timeliness of the bill's passing (on Dec 1st, 2010) not a lot of people heard about it in time to buy fireworks for 2010.

Of course, this changed in 2011, which evidently caused some pretty miserable side effects.
Poor air quality in Arizona and California. Last night saw the poorest air quality (Very Unhealthy) for December 31 in Phoenix in 7 years. The forecast discussion at says: Forecast Discussi...
and karma strikes back.... 8 mile bike ride just now, and got my recommended monthly allowance of car exhaust.

Marc Chung

At a coffee shop overhearing a couple of people mentioning how Google Plus is complicated. One of them appears to be actually stressing out. Damn surprising.
Marc - missed u at the GTUG mtg last nite. BTW... my app is +1000 installs now - not bad for a narrow niche. Cheers

Marc Chung

They've crossed the status and the private one-on-one streams
Yonatan Zunger originally shared:
More useful-but-maybe-not-obvious features of Google+

* If you want to send a private message to someone, just create a normal post and share it only with them. Bam! Instant one-on-one conversation! If you want to make a post publicly visible but aim it specifically at someone, share it with them and also with Public (or also with your circles, etc).

* Speaking of sharing only with someone: If you type +<name> or @<name>, it shares the post directly with them, just like if you added their name in the sharing targets. You can also do this in a comment, to pull someone else into the conversation.

* Want to see who can see a post? Next to the dateline at the top of a post, you’ll see something like “Public” or “Limited.” “Limited” is a link -- click on it to see who has access.

* At the top right of each post, there’s a little circle-and-triangle menu. For your own posts, this menu lets you edit or delete the post, or disable commenting or resharing. For other people’s posts, it lets you link to the post, mute it, block the person completely, or report abuse.
This will undoubtedly lead to many amusing "oops i thought this was a private conversation" moments. I still say a one-on-one should be done via email, but I'm old fashioned.

Marc Chung

Craziest G+ feature I've run into. Sorting friends by relevance.
Woohoo, top 3!