I have a Windows program that uses awesomium to display a WebApp. This WebApp communicates in some way with the client program through some native calls. I found references to window.externalHost and window.native in the JS source, but it's built with YUI and has tens of thousands of lines of code and single-character variables, and I can't quite figure out what exactly they are doing (static analysis).

I have injected JavaScript into the WebApp to check those two objects:

try {
    document.write(JSON.stringify(window.externalHost, null, 4))
} catch (err) {
    document.write(err)
}

But window.externalHost is undefined and window.native is {}.

So my questions are:

  • How are native calls usually set up?
  • What interfaces exist and how are they used? (Both directions)
  • Can I "detour"/"intercept" native calls to see what they are sending?
  • Are there any remote JS debug projects which I could inject to dynamically debug the complex WebApp?

update 1: I am confident that it uses window.native, because of this Object {}. It seems likely that the communication is not implemented as window.externalHost.postMessage() based on what I have read on the awesomium wiki.

I am now trying to capture what methods are called on it. My idea was to overwrite window.onerror to capture all errors and set window.native = undefined; to capture exceptions like Cannot call aNativeCall() on undefined. Unfortunately it seems that window.native can't be overwritten - it doesn't stay undefined.

Any other ideas?


update 2:

I came up with this JavaScript code to check some interesting Objects like window.external, etc...

// Candidate bridge objects: a string is a property of window,
// an array is a path to walk starting from window (e.g. window.Y.native).
var obj = ['external', 'externalHost', 'native', 'Y', ['Y','native'],['Y','Native'], ['Y','external'], ['Y','externalHost']];
var i, j;
for(i=0; i< obj.length; ++i) {
    try {

        if(obj[i] instanceof Array) {
            // Walk the path one property at a time
            var tmp = window[obj[i][0]];
            for(j=1; j<obj[i].length; ++j) {
                tmp = tmp[obj[i][j]];
            }
            document.write(obj[i]+" | <b>"+Object.getOwnPropertyNames(tmp)+"</b><br>");
        } else {
            document.write(obj[i]+" | <b>"+Object.getOwnPropertyNames(window[obj[i]])+"</b><br>");
        }

    } catch(err) {
        // Thrown when the object (or a step of the path) is undefined
        document.write(obj[i]+" | <i>Error: "+err+"</i><br>");
    }
}

It slowly became clearer that it has to be window.native. This object has the following properties: 'on','isNative','scale','Emitter','call','register','_ready'

When I try to call window.native.call() the native program crashes. And the debug information shows that it crashed in a ProcessRequest function. So I found the right interface.

I now need to find out how exactly this interface is used. Unfortunately I can't overwrite window.native.call = function() { ... } to log the calls.

Does anybody have another idea?

samuirai
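
Added example, not part of the original post and not Awesomium's own code: a diagnostic that reads property descriptors to show why an assignment such as window.native.call = function() { ... } may not stick, and wraps a method with a logger only where the descriptor allows it. The mock bridge, its locked-down attributes and the helper names (makeMockBridge, hookability, logCalls) are assumptions made for illustration; how the real window.native is defined is not known from the post.

```javascript
// Constructed stand-in for a host-injected bridge. The attributes below are an
// ASSUMPTION chosen to reproduce the "assignment doesn't stick" symptom.
function makeMockBridge() {
  var bridge = {};
  Object.defineProperty(bridge, 'call', {
    value: function (name) { return 'native:' + name; },
    writable: false, configurable: false, enumerable: true
  });
  Object.defineProperty(bridge, 'on', {
    value: function () {}, writable: false, configurable: true, enumerable: true
  });
  bridge.register = function () {};   // ordinary, writable property
  return bridge;
}

// Classify each own property by how (if at all) it can be replaced in place.
function hookability(obj) {
  var report = {};
  Object.getOwnPropertyNames(obj).forEach(function (key) {
    var d = Object.getOwnPropertyDescriptor(obj, key);
    if (d.writable || d.set) report[key] = 'assign';
    else if (d.configurable) report[key] = 'defineProperty';
    else report[key] = 'locked';      // neither writable nor configurable
  });
  return report;
}

// Wrap one method with a logger using the mechanism hookability() reports.
// Returns false when the property is locked and cannot be replaced in place.
function logCalls(obj, key, log) {
  var how = hookability(obj)[key];
  var original = obj[key];
  var wrapper = function () {
    var args = Array.prototype.slice.call(arguments);
    log.push({ method: key, args: args });
    return original.apply(this, args);
  };
  if (how === 'assign') obj[key] = wrapper;
  else if (how === 'defineProperty') Object.defineProperty(obj, key, { value: wrapper });
  else return false;
  return true;
}
```

In non-strict code an assignment to a non-writable property is silently ignored rather than throwing, which matches the behaviour described in the post; the code sticks to ES5 syntax so it can also run in an older embedded engine.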