DEV Community: TrustSig The latest articles on DEV Community by TrustSig (@trustsig). https://dev.to/trustsig https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3938710%2F44b12e0d-7f55-4fd3-9f01-e6a763725787.png DEV Community: TrustSig https://dev.to/trustsig en Building a Wasm-in-Wasm Virtualizer (with JIT decrypted paged memory) TrustSig Mon, 18 May 2026 17:54:34 +0000 https://dev.to/trustsig/building-a-wasm-in-wasm-virtualizer-with-jit-decrypted-paged-memory-pk1 https://dev.to/trustsig/building-a-wasm-in-wasm-virtualizer-with-jit-decrypted-paged-memory-pk1 <h3> Intro </h3> <p>WebAssembly was built for portability and raw speed. It was definitely not built for keeping secrets. To really protect your code, you have to compile it down to a custom, undocumented bytecode and ship it with a tiny internal interpreter to run it securely.</p> <p>When you compile C, C++, or Rust to native machine code, the compiler strips away a lot of the code's structure. The final assembly is tied deeply to the physical hardware, making it tough to read. But compiling to WebAssembly generates a binary that keeps a highly structured, strictly typed Abstract Syntax Tree (AST).</p> <p>Anyone with a normal browser debugger can grab a <code>.wasm</code> file, run it through a standard decompiler like WABT, and understand the code. If your app sends sensitive crypto logic, DRM, game anti-cheat, or validation checks to the client, shipping plain WebAssembly is insecure. </p> <h3> What We Will Be Doing </h3> <p>We're going to build a WebAssembly-in-WebAssembly virtualization engine from scratch. Instead of just dumping a giant wall of code on you, we'll build this system step by step. We'll map out the concepts, sketch the execution flow, trace how memory works, and write the code piece by piece.</p> <h3> The End Result </h3> <p>By the end of this massive guide, you'll have a fully working code virtualization pipeline. Your compiler will take a normal binary, pull out a target function, translate it into a custom instruction set, encrypt it heavily, and inject a tiny virtual machine back into the file to run the function safely — without the browser ever knowing.</p> <h3> Prerequisites </h3> <p>You'll need a few tools and some basic knowledge to follow along with the build phases.</p> <ul> <li>A recent installation of the Rust toolchain is required to compile the interpreter.</li> <li>The <code>wasm32-unknown-unknown</code> compilation target must be installed via rustup.</li> <li>The <code>walrus</code> crate should be added to your project dependencies for syntax tree manipulation.</li> <li>You should have a solid grasp on basic systems programming, bitwise math, and raw memory manipulation.</li> </ul> <h2> Chapter 1 — Designing the Virtual Instruction Set Architecture </h2> <p>Before we write any compiler code, we need to define the custom language our virtual machine will read, which is called an <strong>Instruction Set Architecture</strong> (ISA).</p> <h3> Conceptualizing the Execution Model </h3> <p>Our custom virtual machine will run as a <strong>stack machine</strong> under the hood.</p> <p>Standard Wasm is also a stack machine. This means an instruction like <code>add</code> doesn't explicitly say which variables to add. It just assumes the two numbers it needs are sitting right on top of the virtual stack. It pops them off, adds them, and pushes the result back on top.</p> <p>For example, to compute <code>5 + 10</code>, the machine executes: <code>PUSH 5</code>, <code>PUSH 10</code>, <code>ADD</code>.</p> <p>Using this exact same setup guarantees that translating from standard WebAssembly into our custom bytecode stays logically consistent and mathematically safe. However, we will completely randomize the numerical opcodes. If a hacker tries to view our binary payload, they won't see standard Wasm bytes. They'll just see an arbitrary sequence of bytes that only our internal, hidden interpreter understands.</p> <h3> Defining the Virtual Opcodes </h3> <p>We define our allowed machine instructions using a strict Rust enum. This will be the absolute foundation of our virtual processor.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// src/isa.rs</span> <span class="nd">#[derive(Debug,</span> <span class="nd">Clone,</span> <span class="nd">Copy,</span> <span class="nd">PartialEq,</span> <span class="nd">Eq,</span> <span class="nd">Hash)]</span> <span class="nd">#[repr(u8)]</span> <span class="k">pub</span> <span class="k">enum</span> <span class="n">Opcode</span> <span class="p">{</span> <span class="n">Push</span> <span class="o">=</span> <span class="mi">0x01</span><span class="p">,</span> <span class="n">Pop</span> <span class="o">=</span> <span class="mi">0x02</span><span class="p">,</span> <span class="n">Dup</span> <span class="o">=</span> <span class="mi">0x03</span><span class="p">,</span> <span class="n">Swap</span> <span class="o">=</span> <span class="mi">0x04</span><span class="p">,</span> <span class="c1">// Arithmetic</span> <span class="nb">Add</span> <span class="o">=</span> <span class="mi">0x10</span><span class="p">,</span> <span class="nb">Sub</span> <span class="o">=</span> <span class="mi">0x11</span><span class="p">,</span> <span class="nb">Mul</span> <span class="o">=</span> <span class="mi">0x12</span><span class="p">,</span> <span class="n">DivS</span> <span class="o">=</span> <span class="mi">0x13</span><span class="p">,</span> <span class="c1">// Bitwise Logic</span> <span class="nb">BitAnd</span> <span class="o">=</span> <span class="mi">0x20</span><span class="p">,</span> <span class="nb">BitOr</span> <span class="o">=</span> <span class="mi">0x21</span><span class="p">,</span> <span class="nb">BitXor</span> <span class="o">=</span> <span class="mi">0x22</span><span class="p">,</span> <span class="c1">// Memory and Registers</span> <span class="n">LoadReg</span> <span class="o">=</span> <span class="mi">0x30</span><span class="p">,</span> <span class="n">StoreReg</span> <span class="o">=</span> <span class="mi">0x31</span><span class="p">,</span> <span class="c1">// Control Flow</span> <span class="n">Jmp</span> <span class="o">=</span> <span class="mi">0x50</span><span class="p">,</span> <span class="n">Jz</span> <span class="o">=</span> <span class="mi">0x51</span><span class="p">,</span> <span class="n">Exit</span> <span class="o">=</span> <span class="mi">0xFF</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>Notice the specific instructions for managing registers (<code>LoadReg</code> and <code>StoreReg</code>). While pure math works beautifully on the stack, complex functions usually need local variables to keep track of state (like loop counters). We need a safe way to hold data outside the volatile stack, so we'll use a static array of virtual registers for that.</p> <p>Control flow instructions (<code>Jmp</code> and <code>Jz</code> — Jump if Zero) are also essential for handling if-statements and while-loops inside the protected code.</p> <h3> The Dispatch Mapping Layer </h3> <p>We need a rock-solid way to turn a raw <code>u8</code> byte back into our typed <code>Opcode</code> enum at runtime.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">impl</span> <span class="n">Opcode</span> <span class="p">{</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">from_u8</span><span class="p">(</span><span class="n">v</span><span class="p">:</span> <span class="nb">u8</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Option</span><span class="o">&lt;</span><span class="k">Self</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">match</span> <span class="n">v</span> <span class="p">{</span> <span class="mi">0x01</span> <span class="k">=&gt;</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Opcode</span><span class="p">::</span><span class="n">Push</span><span class="p">),</span> <span class="mi">0x10</span> <span class="k">=&gt;</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Opcode</span><span class="p">::</span><span class="nb">Add</span><span class="p">),</span> <span class="mi">0x20</span> <span class="k">=&gt;</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Opcode</span><span class="p">::</span><span class="nb">BitAnd</span><span class="p">),</span> <span class="mi">0x30</span> <span class="k">=&gt;</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Opcode</span><span class="p">::</span><span class="n">LoadReg</span><span class="p">),</span> <span class="mi">0x50</span> <span class="k">=&gt;</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Opcode</span><span class="p">::</span><span class="n">Jmp</span><span class="p">),</span> <span class="mi">0xFF</span> <span class="k">=&gt;</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Opcode</span><span class="p">::</span><span class="n">Exit</span><span class="p">),</span> <span class="c1">// repetitive match arms omitted for brevity</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="nb">None</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>It might be tempting to just use <code>std::mem::transmute</code> to cast a <code>u8</code> into an Enum and save some typing, but that's super dangerous in a VM. If a hacker slightly messes with the bytecode, <code>transmute</code> would cause undefined behavior and crash the module instantly. Writing out this explicit <code>match</code> layer guarantees our execution loop only handles opcodes it actually understands.</p> <h3> Chapter 1 Recap </h3> <p>We've mapped out our custom instruction set. By completely decoupling our logic from the standard WebAssembly spec, we've created a setup where normal decompilers are totally useless. In a real-world obfuscation engine, you'd randomly generate the byte assignments inside this <code>from_u8</code> function on every single build, which instantly ruins signature-based analysis. Next up, let's build the physical memory model to run this instruction set.</p> <h2> Chapter 2 — Architecting the VM State and Memory Model </h2> <p>Our interpreter needs to be completely self-contained, skipping dynamic memory allocators entirely.</p> <h3> Bypassing the Host Allocator </h3> <p>Our custom VM has to allocate all its memory statically at compile time, right inside the Wasm binary's <code>.data</code> segment. This means <strong>zero required runtime heap allocations</strong> for the Virtual Machine.</p> <p>Dropping a virtual machine into an already-compiled Wasm module creates a tough memory constraint. The host module already has its own memory allocator (like <code>wee_alloc</code> or <code>malloc</code>) managing the heap.</p> <p>If we try to bring our own dynamic allocator, we risk overlapping and trashing the host's active memory. Plus, packing a full memory allocator into our VM would make the final binary massive and obvious.</p> <h3> Provisioning Static Execution Arrays </h3> <p>By setting up the stack and registers as raw, contiguous static arrays, we guarantee that booting up the interpreter takes exactly zero clock cycles at runtime.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// interpreter/src/lib.rs</span> <span class="nd">#[inline(always)]</span> <span class="k">fn</span> <span class="nf">abort</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="o">!</span> <span class="p">{</span> <span class="nn">core</span><span class="p">::</span><span class="nn">arch</span><span class="p">::</span><span class="nn">wasm32</span><span class="p">::</span><span class="nf">unreachable</span><span class="p">();</span> <span class="p">}</span> <span class="k">static</span> <span class="k">mut</span> <span class="n">STACK</span><span class="p">:</span> <span class="p">[</span><span class="nb">i64</span><span class="p">;</span> <span class="mi">2048</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0</span><span class="p">;</span> <span class="mi">2048</span><span class="p">];</span> <span class="k">static</span> <span class="k">mut</span> <span class="n">REGS</span><span class="p">:</span> <span class="p">[</span><span class="nb">i64</span><span class="p">;</span> <span class="mi">512</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0</span><span class="p">;</span> <span class="mi">512</span><span class="p">];</span> <span class="k">static</span> <span class="k">mut</span> <span class="n">SP</span><span class="p">:</span> <span class="nb">usize</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </code></pre> </div> <p>The physical memory layout inside the final Wasm module will look roughly like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[ Host .data segment ][ VM STACK (2048 × i64) ][ VM REGS (512 × i64) ] </code></pre> </div> <p>I used 64-bit integers (<code>i64</code>) everywhere so we can comfortably fit standard 32-bit ints, 64-bit ints, and floating-point numbers based on their raw bits.</p> <p>Using <code>static mut</code> variables in Rust normally requires strict <code>unsafe</code> blocks, because changing global variables across multiple threads causes massive data races. But Wasm currently runs in a strictly single-threaded way by default, and our internal loop is purely synchronous, making this perfectly safe here.</p> <h3> Interfacing with Host Memory APIs </h3> <p>We expose some foreign function interfaces (FFIs) so the host module can pass the right execution arguments and the session key directly into our static arrays.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">static</span> <span class="k">mut</span> <span class="n">GLOBAL_SESSION_KEY</span><span class="p">:</span> <span class="nb">u8</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nd">#[no_mangle]</span> <span class="k">pub</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"C"</span> <span class="k">fn</span> <span class="nf">vm_set_session_key</span><span class="p">(</span><span class="n">key</span><span class="p">:</span> <span class="nb">u32</span><span class="p">)</span> <span class="p">{</span> <span class="n">GLOBAL_SESSION_KEY</span> <span class="o">=</span> <span class="n">key</span> <span class="k">as</span> <span class="nb">u8</span><span class="p">;</span> <span class="p">}</span> <span class="nd">#[no_mangle]</span> <span class="k">pub</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"C"</span> <span class="k">fn</span> <span class="nf">vm_set_reg</span><span class="p">(</span><span class="n">idx</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="n">val</span><span class="p">:</span> <span class="nb">i64</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">idx</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">512</span> <span class="p">{</span> <span class="o">*</span><span class="nn">core</span><span class="p">::</span><span class="nn">ptr</span><span class="p">::</span><span class="nd">addr_of_mut!</span><span class="p">(</span><span class="n">REGS</span><span class="p">)</span> <span class="py">.cast</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">i64</span><span class="o">&gt;</span><span class="p">()</span> <span class="nf">.add</span><span class="p">(</span><span class="n">idx</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">)</span> <span class="o">=</span> <span class="n">val</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Since our bytecode is going to be heavily encrypted, the VM needs to know the exact decryption key before it runs anything. We can't hardcode this key into the interpreter, since we'll change it on every single build to stop fingerprinting. We need a global state variable for the key, and an exported function (<code>vm_set_session_key</code>) so the host can securely pass it in.</p> <p>A protected function is pretty useless if it can't handle external arguments. When the host module intercepts a call, it needs to grab the parameters from the browser and push them safely into our VM's registers.</p> <p>We do this by exporting <code>vm_set_reg</code>. This lets the host populate our register array right before the main loop starts. We use <code>core::ptr::addr_of_mut!</code> because modern Rust prefers explicit raw pointers over creating references to mutable statics.</p> <p>By manually writing to the register array with raw pointers, we keep strict isolation boundaries. The VM stays totally shielded from the host, working only on the data we explicitly hand it.</p> <h3> Chapter 2 Recap </h3> <p>We've built a super solid, zero-allocation memory model. By relying on static Wasm memory, our engine will run extremely fast while keeping a tiny footprint. With the registers, stack, and APIs ready, it's time to build the actual processor loop.</p> <h2> Chapter 3 — The Fetch-Decode-Execute Loop and Lazy Decryption </h2> <h3> State Tracking and Sliding Windows </h3> <p>We'll build a strict execution state object that uses a sliding window and an XOR cipher to decrypt code lazily on the fly.</p> <blockquote> <p><strong>Maximum decrypted instruction window exposed in memory at any time: 256 bytes</strong><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// interpreter/src/lib.rs</span> <span class="k">const</span> <span class="n">PAGE_SIZE</span><span class="p">:</span> <span class="nb">usize</span> <span class="o">=</span> <span class="mi">256</span><span class="p">;</span> <span class="k">struct</span> <span class="n">VmState</span> <span class="p">{</span> <span class="n">ptr</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="n">len</span><span class="p">:</span> <span class="nb">usize</span><span class="p">,</span> <span class="n">pc</span><span class="p">:</span> <span class="nb">usize</span><span class="p">,</span> <span class="n">session_key</span><span class="p">:</span> <span class="nb">u8</span><span class="p">,</span> <span class="n">current_page_id</span><span class="p">:</span> <span class="nb">i32</span><span class="p">,</span> <span class="n">ves</span><span class="p">:</span> <span class="p">[</span><span class="nb">u8</span><span class="p">;</span> <span class="n">PAGE_SIZE</span><span class="p">],</span> <span class="p">}</span> </code></pre> </div> <p>Leaving our custom bytecode unencrypted in memory completely defeats the point of a VM. Hackers can easily use tools like Cheat Engine or automated memory dumpers to scrape the Wasm heap. If the bytecode is just sitting there in plain text, our whole obfuscation plan fails.</p> <p>To make this truly resilient, we have to ensure the plaintext instructions only exist in memory exactly when the processor needs them, and then vanish immediately.</p> <p>We slice the encrypted bytecode into 256-byte pages. When the program counter hits a new page, the VM pauses execution, decrypts those specific 256 bytes using the session key, and loads them into a secure buffer. When the program counter leaves that page, the old plaintext gets entirely wiped out and replaced by the next page.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Encrypted bytecode: [ PAGE 0 (256B) ][ PAGE 1 (256B) ][ PAGE 2 (256B) ] ... ↓ PC enters page 1 ↓ Decrypt page 1 → load into VES buffer ↓ Execute from VES until page boundary ↓ Wipe VES → decrypt page 2 → continue </code></pre> </div> <p>This struct tracks exactly where the encrypted code lives in the host's memory (<code>ptr</code>), how far along we are in our virtual loop (<code>pc</code>), and securely holds the decrypted bytes (<code>ves</code>, which stands for Virtual Execution Segment).</p> <h3> The JIT Decryption Routine </h3> <p>When we cross into a new page, the VM decrypts that specific chunk of bytes and copies it strictly into our volatile virtual execution segment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">impl</span> <span class="n">VmState</span> <span class="p">{</span> <span class="k">unsafe</span> <span class="k">fn</span> <span class="nf">decrypt_page</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">,</span> <span class="n">page_id</span><span class="p">:</span> <span class="nb">u32</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="n">start_addr</span> <span class="o">=</span> <span class="n">page_id</span> <span class="k">as</span> <span class="nb">usize</span> <span class="o">*</span> <span class="n">PAGE_SIZE</span><span class="p">;</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">0</span><span class="o">..</span><span class="n">PAGE_SIZE</span> <span class="p">{</span> <span class="k">if</span> <span class="n">start_addr</span> <span class="o">+</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="k">self</span><span class="py">.len</span> <span class="p">{</span> <span class="c1">// Calculate physical memory address inside the host Wasm</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ptr</span> <span class="o">+</span> <span class="p">(</span><span class="n">start_addr</span> <span class="o">+</span> <span class="n">i</span><span class="p">)</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">;</span> <span class="k">let</span> <span class="n">encrypted_byte</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">addr</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">u8</span><span class="p">);</span> <span class="c1">// Decryption occurs entirely inside local volatile state</span> <span class="k">self</span><span class="py">.ves</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="n">encrypted_byte</span> <span class="o">^</span> <span class="k">self</span><span class="py">.session_key</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// Pad unused memory to obscure the exact file length footprint</span> <span class="k">self</span><span class="py">.ves</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">self</span><span class="py">.current_page_id</span> <span class="o">=</span> <span class="n">page_id</span> <span class="k">as</span> <span class="nb">i32</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This Just-In-Time decryption trick ensures that if a hacker freezes the browser to scrape memory, they will only ever see a maximum of 256 bytes of plaintext at any given microsecond. This makes bulk-analyzing the payload practically impossible.</p> <h3> Execution and Opcode Dispatch </h3> <p>The absolute heart of our interpreter handles moving the program counter forward, grabbing bytes through our JIT boundary checker, and running the actual math on our stack.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code> <span class="k">unsafe</span> <span class="k">fn</span> <span class="nf">fetch_u8</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">u8</span> <span class="p">{</span> <span class="k">if</span> <span class="k">self</span><span class="py">.pc</span> <span class="o">&gt;=</span> <span class="k">self</span><span class="py">.len</span> <span class="p">{</span> <span class="k">return</span> <span class="mi">0xFF</span><span class="p">;</span> <span class="p">}</span> <span class="k">let</span> <span class="n">page_id</span> <span class="o">=</span> <span class="p">(</span><span class="k">self</span><span class="py">.pc</span> <span class="o">/</span> <span class="n">PAGE_SIZE</span><span class="p">)</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">;</span> <span class="k">let</span> <span class="n">offset</span> <span class="o">=</span> <span class="k">self</span><span class="py">.pc</span> <span class="o">%</span> <span class="n">PAGE_SIZE</span><span class="p">;</span> <span class="k">if</span> <span class="k">self</span><span class="py">.current_page_id</span> <span class="o">!=</span> <span class="n">page_id</span> <span class="k">as</span> <span class="nb">i32</span> <span class="p">{</span> <span class="k">self</span><span class="nf">.decrypt_page</span><span class="p">(</span><span class="n">page_id</span><span class="p">);</span> <span class="p">}</span> <span class="k">let</span> <span class="n">val</span> <span class="o">=</span> <span class="k">self</span><span class="py">.ves</span><span class="p">[</span><span class="n">offset</span><span class="p">];</span> <span class="k">self</span><span class="py">.pc</span> <span class="o">+=</span> <span class="mi">1</span><span class="p">;</span> <span class="n">val</span> <span class="p">}</span> <span class="k">unsafe</span> <span class="k">fn</span> <span class="nf">fetch_i64</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">i64</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">b</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">8</span><span class="p">];</span> <span class="k">for</span> <span class="n">item</span> <span class="k">in</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">b</span> <span class="p">{</span> <span class="o">*</span><span class="n">item</span> <span class="o">=</span> <span class="k">self</span><span class="nf">.fetch_u8</span><span class="p">();</span> <span class="p">}</span> <span class="nn">i64</span><span class="p">::</span><span class="nf">from_le_bytes</span><span class="p">(</span><span class="n">b</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="nd">#[no_mangle]</span> <span class="k">pub</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"C"</span> <span class="k">fn</span> <span class="nf">vm_exec</span><span class="p">(</span><span class="n">ptr</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="n">len</span><span class="p">:</span> <span class="nb">usize</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">i64</span> <span class="p">{</span> <span class="k">let</span> <span class="n">base_sp</span> <span class="o">=</span> <span class="n">SP</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">state</span> <span class="o">=</span> <span class="n">VmState</span> <span class="p">{</span> <span class="n">ptr</span><span class="p">,</span> <span class="n">len</span><span class="p">,</span> <span class="n">pc</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="n">session_key</span><span class="p">:</span> <span class="n">GLOBAL_SESSION_KEY</span><span class="p">,</span> <span class="n">current_page_id</span><span class="p">:</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="n">ves</span><span class="p">:</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="n">PAGE_SIZE</span><span class="p">],</span> <span class="p">};</span> <span class="k">loop</span> <span class="p">{</span> <span class="k">let</span> <span class="n">op</span> <span class="o">=</span> <span class="n">state</span><span class="nf">.fetch_u8</span><span class="p">();</span> <span class="k">match</span> <span class="n">op</span> <span class="p">{</span> <span class="mi">0x01</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// Push logic</span> <span class="k">let</span> <span class="n">val</span> <span class="o">=</span> <span class="n">state</span><span class="nf">.fetch_i64</span><span class="p">();</span> <span class="k">if</span> <span class="n">SP</span> <span class="o">&lt;</span> <span class="mi">2048</span> <span class="p">{</span> <span class="o">*</span><span class="nn">core</span><span class="p">::</span><span class="nn">ptr</span><span class="p">::</span><span class="nd">addr_of_mut!</span><span class="p">(</span><span class="n">STACK</span><span class="p">)</span><span class="py">.cast</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">i64</span><span class="o">&gt;</span><span class="p">()</span><span class="nf">.add</span><span class="p">(</span><span class="n">SP</span><span class="p">)</span> <span class="o">=</span> <span class="n">val</span><span class="p">;</span> <span class="n">SP</span> <span class="o">+=</span> <span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="mi">0x10</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// Addition logic</span> <span class="k">if</span> <span class="n">SP</span> <span class="o">&gt;=</span> <span class="mi">2</span> <span class="p">{</span> <span class="n">SP</span> <span class="o">-=</span> <span class="mi">1</span><span class="p">;</span> <span class="k">let</span> <span class="n">b</span> <span class="o">=</span> <span class="o">*</span><span class="nn">core</span><span class="p">::</span><span class="nn">ptr</span><span class="p">::</span><span class="nd">addr_of!</span><span class="p">(</span><span class="n">STACK</span><span class="p">)</span><span class="py">.cast</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">i64</span><span class="o">&gt;</span><span class="p">()</span><span class="nf">.add</span><span class="p">(</span><span class="n">SP</span><span class="p">);</span> <span class="n">SP</span> <span class="o">-=</span> <span class="mi">1</span><span class="p">;</span> <span class="k">let</span> <span class="n">a</span> <span class="o">=</span> <span class="o">*</span><span class="nn">core</span><span class="p">::</span><span class="nn">ptr</span><span class="p">::</span><span class="nd">addr_of!</span><span class="p">(</span><span class="n">STACK</span><span class="p">)</span><span class="py">.cast</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">i64</span><span class="o">&gt;</span><span class="p">()</span><span class="nf">.add</span><span class="p">(</span><span class="n">SP</span><span class="p">);</span> <span class="o">*</span><span class="nn">core</span><span class="p">::</span><span class="nn">ptr</span><span class="p">::</span><span class="nd">addr_of_mut!</span><span class="p">(</span><span class="n">STACK</span><span class="p">)</span><span class="py">.cast</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">i64</span><span class="o">&gt;</span><span class="p">()</span><span class="nf">.add</span><span class="p">(</span><span class="n">SP</span><span class="p">)</span> <span class="o">=</span> <span class="n">a</span><span class="nf">.wrapping_add</span><span class="p">(</span><span class="n">b</span><span class="p">);</span> <span class="n">SP</span> <span class="o">+=</span> <span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="mi">0x30</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// Load Register logic</span> <span class="k">let</span> <span class="n">idx</span> <span class="o">=</span> <span class="n">state</span><span class="nf">.fetch_i64</span><span class="p">()</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">;</span> <span class="k">if</span> <span class="n">idx</span> <span class="o">&lt;</span> <span class="mi">512</span> <span class="p">{</span> <span class="k">let</span> <span class="n">val</span> <span class="o">=</span> <span class="o">*</span><span class="nn">core</span><span class="p">::</span><span class="nn">ptr</span><span class="p">::</span><span class="nd">addr_of!</span><span class="p">(</span><span class="n">REGS</span><span class="p">)</span><span class="py">.cast</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">i64</span><span class="o">&gt;</span><span class="p">()</span><span class="nf">.add</span><span class="p">(</span><span class="n">idx</span><span class="p">);</span> <span class="o">*</span><span class="nn">core</span><span class="p">::</span><span class="nn">ptr</span><span class="p">::</span><span class="nd">addr_of_mut!</span><span class="p">(</span><span class="n">STACK</span><span class="p">)</span><span class="py">.cast</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">i64</span><span class="o">&gt;</span><span class="p">()</span><span class="nf">.add</span><span class="p">(</span><span class="n">SP</span><span class="p">)</span> <span class="o">=</span> <span class="n">val</span><span class="p">;</span> <span class="n">SP</span> <span class="o">+=</span> <span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="mi">0x50</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// Unconditional Jump logic</span> <span class="k">let</span> <span class="n">target_pc</span> <span class="o">=</span> <span class="n">state</span><span class="nf">.fetch_i64</span><span class="p">()</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">;</span> <span class="k">if</span> <span class="n">target_pc</span> <span class="o">&lt;</span> <span class="n">state</span><span class="py">.len</span> <span class="p">{</span> <span class="n">state</span><span class="py">.pc</span> <span class="o">=</span> <span class="n">target_pc</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">abort</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="mi">0xFF</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// Exit logic</span> <span class="k">let</span> <span class="n">ret</span> <span class="o">=</span> <span class="k">if</span> <span class="n">SP</span> <span class="o">&gt;</span> <span class="n">base_sp</span> <span class="p">{</span> <span class="n">SP</span> <span class="o">-=</span> <span class="mi">1</span><span class="p">;</span> <span class="o">*</span><span class="nn">core</span><span class="p">::</span><span class="nn">ptr</span><span class="p">::</span><span class="nd">addr_of!</span><span class="p">(</span><span class="n">STACK</span><span class="p">)</span><span class="py">.cast</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">i64</span><span class="o">&gt;</span><span class="p">()</span><span class="nf">.add</span><span class="p">(</span><span class="n">SP</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="mi">0</span> <span class="p">};</span> <span class="n">SP</span> <span class="o">=</span> <span class="n">base_sp</span><span class="p">;</span> <span class="k">return</span> <span class="n">ret</span><span class="p">;</span> <span class="p">}</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="nf">abort</span><span class="p">(),</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Some instructions need larger parameters (like <code>Push</code>, which needs to know the exact 64-bit number to put on the stack). So, we add a small helper method to fetch eight consecutive bytes and rebuild them into a valid integer. By calling our existing <code>fetch_u8</code> method under the hood, this multi-byte fetcher automatically gets all the page-boundary checks and lazy decryption logic for free.</p> <p>The logic inside this massive <code>match</code> statement quietly manages its own isolated context, handles jumps for complex <code>if</code> statements, and safely returns control to the host only when it hits the <code>Exit</code> opcode.</p> <h3> Chapter 3 Recap </h3> <p>Our Wasm virtual machine is fully working. It runs in pure isolation, uses zero allocators, processes math on a stack, and cryptographically hides itself from memory dumpers using a 256-byte rolling JIT window. But a VM is useless without code to run on it. Now we need to build the compiler layer to generate those encrypted payloads.</p> <h2> Chapter 4 — Compiling Intermediate Representation to Custom Bytecode </h2> <h3> Parsing the WebAssembly Module with Walrus </h3> <p>We'll use the <a href="https://github.com/rustwasm/walrus" rel="noopener noreferrer">Walrus crate</a> to parse the target binary and set up a dynamic buffer for compilation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// src/compiler.rs</span> <span class="k">use</span> <span class="nn">walrus</span><span class="p">::</span><span class="nn">ir</span><span class="p">::{</span><span class="n">Instr</span><span class="p">,</span> <span class="n">Value</span><span class="p">};</span> <span class="k">use</span> <span class="nn">walrus</span><span class="p">::</span><span class="n">LocalFunction</span><span class="p">;</span> <span class="k">use</span> <span class="nn">byteorder</span><span class="p">::{</span><span class="n">ByteOrder</span><span class="p">,</span> <span class="n">LittleEndian</span><span class="p">};</span> <span class="k">use</span> <span class="nn">rand</span><span class="p">::</span><span class="n">Rng</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">Compiler</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">bytecode</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u8</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>Our interpreter engine is finished, but right now it's useless because it has no bytecode to run. We need to build a compiler layer that reads standard Wasm logic from an existing file and deeply translates it into our custom, undocumented format.</p> <p>We are basically building a backend compiler. We aren't parsing human-readable Rust or C++ source code. We're taking a pre-compiled Wasm binary, extracting the internal instructions, and translating them down into our own specific bytes.</p> <p>Walrus converts the raw Wasm file into an Intermediate Representation (IR) that we can easily iterate over in Rust. We need a simple struct to hold our output bytes as we generate them. As we walk through the original app's logic step by step, we'll push our custom opcode bytes straight into this vector.</p> <h3> Translating Standard Instructions to Custom Bytecode </h3> <p>Our compiler recursively walks through the function's IR, aggressively crushing the typed Wasm logic down into our randomized, custom byte format.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">impl</span> <span class="n">Compiler</span> <span class="p">{</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">compile_paged</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">,</span> <span class="n">func</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">LocalFunction</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="p">(</span><span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u8</span><span class="o">&gt;</span><span class="p">,</span> <span class="nb">u8</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="n">entry_id</span> <span class="o">=</span> <span class="n">func</span><span class="nf">.entry_block</span><span class="p">();</span> <span class="k">let</span> <span class="n">block</span> <span class="o">=</span> <span class="n">func</span><span class="nf">.block</span><span class="p">(</span><span class="n">entry_id</span><span class="p">);</span> <span class="k">for</span> <span class="p">(</span><span class="n">instr</span><span class="p">,</span> <span class="n">_</span><span class="p">)</span> <span class="k">in</span> <span class="n">block</span><span class="py">.instrs</span><span class="nf">.iter</span><span class="p">()</span> <span class="p">{</span> <span class="k">self</span><span class="nf">.compile_instr</span><span class="p">(</span><span class="n">instr</span><span class="p">);</span> <span class="p">}</span> <span class="k">self</span><span class="py">.bytecode</span><span class="nf">.push</span><span class="p">(</span><span class="mi">0xFF</span><span class="p">);</span> <span class="c1">// Forcefully append the exit opcode manually</span> <span class="k">self</span><span class="nf">.encrypt_and_finalize</span><span class="p">()</span> <span class="c1">// Execute cryptographic pass</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code> <span class="k">fn</span> <span class="nf">compile_instr</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">,</span> <span class="n">instr</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Instr</span><span class="p">)</span> <span class="p">{</span> <span class="k">match</span> <span class="n">instr</span> <span class="p">{</span> <span class="c1">// Translating constant variables</span> <span class="nn">Instr</span><span class="p">::</span><span class="nf">Const</span><span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nn">Value</span><span class="p">::</span><span class="nf">I32</span><span class="p">(</span><span class="n">v</span><span class="p">)</span> <span class="o">=</span> <span class="n">c</span><span class="py">.value</span> <span class="p">{</span> <span class="k">self</span><span class="py">.bytecode</span><span class="nf">.push</span><span class="p">(</span><span class="mi">0x01</span><span class="p">);</span> <span class="c1">// Custom Push Opcode</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">8</span><span class="p">];</span> <span class="nn">LittleEndian</span><span class="p">::</span><span class="nf">write_i64</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buf</span><span class="p">,</span> <span class="n">v</span> <span class="k">as</span> <span class="nb">i64</span><span class="p">);</span> <span class="k">self</span><span class="py">.bytecode</span><span class="nf">.extend_from_slice</span><span class="p">(</span><span class="o">&amp;</span><span class="n">buf</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Translating arithmetic binary operations</span> <span class="nn">Instr</span><span class="p">::</span><span class="nf">Binop</span><span class="p">(</span><span class="n">op</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">match</span> <span class="n">op</span><span class="py">.op</span> <span class="p">{</span> <span class="nn">walrus</span><span class="p">::</span><span class="nn">ir</span><span class="p">::</span><span class="nn">BinaryOp</span><span class="p">::</span><span class="n">I32Add</span> <span class="k">=&gt;</span> <span class="k">self</span><span class="py">.bytecode</span><span class="nf">.push</span><span class="p">(</span><span class="mi">0x10</span><span class="p">),</span> <span class="c1">// Custom Add Opcode</span> <span class="nn">walrus</span><span class="p">::</span><span class="nn">ir</span><span class="p">::</span><span class="nn">BinaryOp</span><span class="p">::</span><span class="n">I32Sub</span> <span class="k">=&gt;</span> <span class="k">self</span><span class="py">.bytecode</span><span class="nf">.push</span><span class="p">(</span><span class="mi">0x11</span><span class="p">),</span> <span class="c1">// Custom Sub Opcode</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="nd">unimplemented!</span><span class="p">(</span><span class="s">"Operator not natively mapped"</span><span class="p">),</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Translating Variable reading</span> <span class="nn">Instr</span><span class="p">::</span><span class="nf">LocalGet</span><span class="p">(</span><span class="n">l</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">self</span><span class="py">.bytecode</span><span class="nf">.push</span><span class="p">(</span><span class="mi">0x30</span><span class="p">);</span> <span class="c1">// Custom LoadReg Opcode</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">8</span><span class="p">];</span> <span class="nn">LittleEndian</span><span class="p">::</span><span class="nf">write_i64</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buf</span><span class="p">,</span> <span class="n">l</span><span class="py">.local</span><span class="nf">.index</span><span class="p">()</span> <span class="k">as</span> <span class="nb">i64</span><span class="p">);</span> <span class="k">self</span><span class="py">.bytecode</span><span class="nf">.extend_from_slice</span><span class="p">(</span><span class="o">&amp;</span><span class="n">buf</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Translating Variable writing</span> <span class="nn">Instr</span><span class="p">::</span><span class="nf">LocalSet</span><span class="p">(</span><span class="n">l</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">self</span><span class="py">.bytecode</span><span class="nf">.push</span><span class="p">(</span><span class="mi">0x31</span><span class="p">);</span> <span class="c1">// Custom StoreReg Opcode</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">8</span><span class="p">];</span> <span class="nn">LittleEndian</span><span class="p">::</span><span class="nf">write_i64</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buf</span><span class="p">,</span> <span class="n">l</span><span class="py">.local</span><span class="nf">.index</span><span class="p">()</span> <span class="k">as</span> <span class="nb">i64</span><span class="p">);</span> <span class="k">self</span><span class="py">.bytecode</span><span class="nf">.extend_from_slice</span><span class="p">(</span><span class="o">&amp;</span><span class="n">buf</span><span class="p">);</span> <span class="p">}</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="nd">unimplemented!</span><span class="p">(</span><span class="s">"Instruction architecture not mapped"</span><span class="p">),</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We need a method that takes a Walrus function (<code>LocalFunction</code>), strictly walks through every single instruction in that function's block, and tells our translation layer to output the corresponding virtual bytecode. Once all instructions are translated, we forcefully append our <code>Exit</code> opcode so the VM knows exactly when to stop.</p> <p>By pulling the initial entry block, we get the true mathematical root of the function's execution path, making sure we capture every single logical step the developer originally wrote.</p> <p>The actual translation happens step by step. We deeply analyze the Walrus <code>Instr</code> object, match it against known patterns, and emit the custom opcodes we defined back in Chapter 1.</p> <p>If we hit a hardcoded number, we spit out a push opcode followed by those 8 bytes of data. If we hit a local variable access, we emit a register load opcode followed by the variable's virtual register index.</p> <p>This destructive translation process completely strips away all the original context. Wasm's incredibly rich typing system and readable operations get mercilessly flattened into a purely mathematical array of secret bytes.</p> <h3> Cryptographic Obfuscation Pass </h3> <p>Finally, we run the bytecode array through a bitwise XOR cipher using a uniquely generated session key to hide its logic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code> <span class="k">fn</span> <span class="nf">encrypt_and_finalize</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="p">(</span><span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u8</span><span class="o">&gt;</span><span class="p">,</span> <span class="nb">u8</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">rng</span> <span class="o">=</span> <span class="nn">rand</span><span class="p">::</span><span class="nf">thread_rng</span><span class="p">();</span> <span class="k">let</span> <span class="n">session_key</span> <span class="o">=</span> <span class="n">rng</span><span class="py">.gen</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">u8</span><span class="o">&gt;</span><span class="p">();</span> <span class="c1">// Generate isolated session key</span> <span class="c1">// Encrypt everything iteratively</span> <span class="k">for</span> <span class="n">byte</span> <span class="k">in</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="py">.bytecode</span> <span class="p">{</span> <span class="o">*</span><span class="n">byte</span> <span class="o">^=</span> <span class="n">session_key</span><span class="p">;</span> <span class="p">}</span> <span class="p">(</span><span class="k">self</span><span class="py">.bytecode</span><span class="nf">.clone</span><span class="p">(),</span> <span class="n">session_key</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Once the plaintext bytecode is generated, it absolutely has to be encrypted. Leaving it as plain text inside the final Wasm file means advanced reverse-engineers could eventually map out our math, even with the custom ISA.</p> <p>We generate a random crypto key using Rust's <code>rand</code> crate, loop over the entire bytecode vector, and apply our bitwise XOR cipher. We'll return both the encrypted payload and the key, so our injector can deploy them nicely into the host module.</p> <p>This one pass completely ruins the binary data for anyone snooping around. To a reverse engineer or malware scanner, the carefully structured logic is instantly replaced by pure high-entropy cryptographic noise.</p> <h3> Chapter 4 Recap </h3> <p>The compiler bridge is finished. We can theoretically take a standard Wasm instruction like <code>LocalGet</code>, map it to our IR, translate it into our virtual <code>LoadReg</code> opcode, append the arguments, and encrypt the result into pure garbage. The final hurdle is wiring this ciphertext back into the original <code>.wasm</code> file.</p> <h2> Chapter 5 — Abstract Syntax Tree Rewriting and VM Injection </h2> <h3> Erasing the Original AST </h3> <p>The injector component completely nukes the original execution instructions from the host binary's function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// src/injector.rs</span> <span class="k">use</span> <span class="nn">walrus</span><span class="p">::{</span><span class="n">Module</span><span class="p">,</span> <span class="n">FunctionId</span><span class="p">,</span> <span class="n">DataId</span><span class="p">,</span> <span class="n">MemoryId</span><span class="p">};</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">replace_body_with_thunk</span><span class="p">(</span> <span class="n">module</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Module</span><span class="p">,</span> <span class="n">func_id</span><span class="p">:</span> <span class="n">FunctionId</span><span class="p">,</span> <span class="n">vm_exec_import</span><span class="p">:</span> <span class="n">FunctionId</span><span class="p">,</span> <span class="n">vm_set_reg_import</span><span class="p">:</span> <span class="n">FunctionId</span><span class="p">,</span> <span class="n">vm_set_session_key_import</span><span class="p">:</span> <span class="n">FunctionId</span><span class="p">,</span> <span class="n">bytecode_ptr</span><span class="p">:</span> <span class="nb">i32</span><span class="p">,</span> <span class="n">bytecode_len</span><span class="p">:</span> <span class="nb">i32</span><span class="p">,</span> <span class="n">data_id</span><span class="p">:</span> <span class="n">DataId</span><span class="p">,</span> <span class="n">mem_id</span><span class="p">:</span> <span class="n">MemoryId</span><span class="p">,</span> <span class="n">session_key</span><span class="p">:</span> <span class="nb">u8</span><span class="p">,</span> <span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="n">func</span> <span class="o">=</span> <span class="n">module</span><span class="py">.funcs</span><span class="nf">.get_mut</span><span class="p">(</span><span class="n">func_id</span><span class="p">);</span> <span class="k">let</span> <span class="n">local_func</span> <span class="o">=</span> <span class="n">func</span><span class="py">.kind</span><span class="nf">.unwrap_local_mut</span><span class="p">();</span> <span class="k">let</span> <span class="n">args</span> <span class="o">=</span> <span class="n">local_func</span><span class="py">.args</span><span class="nf">.clone</span><span class="p">();</span> <span class="k">let</span> <span class="n">entry</span> <span class="o">=</span> <span class="n">local_func</span><span class="nf">.entry_block</span><span class="p">();</span> <span class="c1">// Destroy the original application logic entirely.</span> <span class="n">local_func</span><span class="nf">.block_mut</span><span class="p">(</span><span class="n">entry</span><span class="p">)</span><span class="py">.instrs</span><span class="nf">.clear</span><span class="p">();</span> </code></pre> </div> <p>If a JavaScript frontend expects to call an exported Wasm function named <code>calculate_secure_hash</code>, we can't just delete it from the file. That would instantly break the integration and crash the web app.</p> <p>Instead, we have to securely overwrite the guts of <code>calculate_secure_hash</code>. We strictly delete its original syntax tree, wipe out the proprietary algorithms, and replace it entirely with a tiny, automated adapter script called a <strong>Thunk</strong>.</p> <p>The flow of our injected Thunk works like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>JS calls calculate_secure_hash(arg0, arg1) ↓ [Thunk intercepts] ↓ memory.init → deploy encrypted bytecode ↓ vm_set_session_key → load decryption key ↓ vm_set_reg(0, arg0), vm_set_reg(1, arg1) ↓ vm_exec(bytecode_ptr, bytecode_len) ↓ Return result to JS </code></pre> </div> <p>At this point in the compile process, if the JS app called the function, it would safely do absolutely nothing and return empty. The actual secret logic has been totally eradicated from the standard execution path and can't be decompiled.</p> <h3> Allocating the Bytecode to Linear Memory </h3> <p>The injector immediately writes new bulk-memory operations into that empty block to deploy the encrypted payload securely.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code> <span class="k">let</span> <span class="k">mut</span> <span class="n">builder</span> <span class="o">=</span> <span class="n">local_func</span><span class="nf">.builder_mut</span><span class="p">()</span><span class="nf">.func_body</span><span class="p">();</span> <span class="c1">// Deploy the encrypted bytecode from the passive data segment</span> <span class="c1">// into active Wasm linear memory dynamically</span> <span class="n">builder</span> <span class="nf">.i32_const</span><span class="p">(</span><span class="n">bytecode_ptr</span><span class="p">)</span> <span class="nf">.i32_const</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="nf">.i32_const</span><span class="p">(</span><span class="n">bytecode_len</span><span class="p">)</span> <span class="nf">.memory_init</span><span class="p">(</span><span class="n">mem_id</span><span class="p">,</span> <span class="n">data_id</span><span class="p">);</span> <span class="c1">// Securely set the isolated decryption session key for the VM</span> <span class="n">builder</span> <span class="nf">.i32_const</span><span class="p">(</span><span class="n">session_key</span> <span class="k">as</span> <span class="nb">i32</span><span class="p">)</span> <span class="nf">.call</span><span class="p">(</span><span class="n">vm_set_session_key_import</span><span class="p">);</span> </code></pre> </div> <p>WebAssembly lets us embed raw bytes deep inside passive <code>.data</code> segments. But by default, these passive segments just sit there like a zip file. We have to explicitly tell the host's memory manager to dynamically unpack our encrypted bytecode out of the file and into active linear memory so the VM can actually read and run it.</p> <p>We initialize a new function builder in Walrus to start writing our replacement Thunk. We use the standard Wasm <code>memory.init</code> instruction to cleanly deploy the payload, and immediately trigger the VM's key initialization hook.</p> <p>The encrypted ciphertext gets strictly mapped right into active memory, exactly where our core interpreter expects to find it.</p> <h3> Constructing the Execution Thunk </h3> <p>The adapter loop translates the host arguments, fires up the virtual context, and safely returns the mathematical result.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code> <span class="k">for</span> <span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">arg_local</span><span class="p">)</span> <span class="k">in</span> <span class="n">args</span><span class="nf">.iter</span><span class="p">()</span><span class="nf">.enumerate</span><span class="p">()</span> <span class="p">{</span> <span class="n">builder</span><span class="nf">.i32_const</span><span class="p">(</span><span class="n">idx</span> <span class="k">as</span> <span class="nb">i32</span><span class="p">);</span> <span class="c1">// Argument index -&gt; Virtual Register ID</span> <span class="n">builder</span><span class="nf">.local_get</span><span class="p">(</span><span class="n">arg_local</span><span class="p">);</span> <span class="c1">// Actual Argument Value</span> <span class="c1">// Promote 32-bit parameters to 64-bit to match our VM architecture</span> <span class="n">builder</span><span class="nf">.unop</span><span class="p">(</span><span class="nn">walrus</span><span class="p">::</span><span class="nn">ir</span><span class="p">::</span><span class="nn">UnaryOp</span><span class="p">::</span><span class="n">I64ExtendI32S</span><span class="p">);</span> <span class="c1">// Pass the data safely through the isolation barrier</span> <span class="n">builder</span><span class="nf">.call</span><span class="p">(</span><span class="n">vm_set_reg_import</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code> <span class="c1">// Trigger the virtual execution loop</span> <span class="n">builder</span> <span class="nf">.i32_const</span><span class="p">(</span><span class="n">bytecode_ptr</span><span class="p">)</span> <span class="nf">.i32_const</span><span class="p">(</span><span class="n">bytecode_len</span><span class="p">)</span> <span class="nf">.call</span><span class="p">(</span><span class="n">vm_exec_import</span><span class="p">);</span> <span class="c1">// Format the VM output back into the expected Host application format</span> <span class="n">builder</span><span class="nf">.unop</span><span class="p">(</span><span class="nn">walrus</span><span class="p">::</span><span class="nn">ir</span><span class="p">::</span><span class="nn">UnaryOp</span><span class="p">::</span><span class="n">I32WrapI64</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The original function took parameters (like ints or pointers) right from the external JS context. We have to gracefully route these parameters deep into our virtual machine so the internal logic has the data it needs to run.</p> <p>We loop over the arguments the function originally expected. For each one, we push its sequential index (which maps to a Virtual Register ID) and its raw value onto the host stack, cast it up to a 64-bit integer using <code>I64ExtendI32S</code>, and invoke the interpreter's register API.</p> <p>Our VM instance is now fully hydrated with the incoming request data. The absolute last step is to call the main execution loop, passing it the exact memory address and length of the encrypted bytecode.</p> <p>Once the VM finishes crunching the math over the JIT sliding window, it reliably returns a 64-bit result, which we intelligently cast back down to match the original 32-bit function signature.</p> <h3> Chapter 5 Recap </h3> <p>The integration is completely seamless. The final binary will cleanly export the exact same functions it did originally. The external JavaScript app stays totally unaware that anything even changed. But when triggered, the engine reliably jumps straight into our custom thunk, populates the virtual context, and securely runs the secret logic via the hidden interpreter.</p> <h2> Final Conclusion </h2> <p>Throughout this huge guide, we've systematically built a hardcore WebAssembly-in-WebAssembly virtualization engine. We started by looking at how transparent standard Wasm binaries are, realizing that shipping secret logic in normal <code>.wasm</code> files is basically handing out plain text.</p> <p>To fix this, we designed our own custom <strong>Instruction Set Architecture</strong>, mapping operations onto a completely random numerical layout. We built a hyper-optimized Virtual Machine in Rust that totally avoids memory allocators to keep a tiny footprint, relying entirely on static arrays and raw memory pointers.</p> <p>We locked this machine down by building a JIT sliding decryption window. Even if a hacker dumped the live browser memory, they'd only ever find a broken 256-byte slice of the app, rendering their automated reverse-engineering tools totally blind.</p> <p>We built a backend compiler using Walrus to aggressively rip out the original Abstract Syntax Tree, crushing typed Wasm instructions down into encrypted garbage. Finally, we built a slick injection pipeline, replacing the original function with an automated <strong>Thunk</strong> that translates inputs and outputs between the standard environment and our secure bunker.</p> <h3> Where to Go From Here </h3> <p>While this VM gives us incredible security through obfuscation, software protection is a never-ending arms race. If you want to take this architecture into real-world projects, consider adding these techniques to your compiler.</p> <h4> Control Flow Flattening </h4> <p>Before converting to bytecode, tweak the Walrus IR to crush all <code>if</code> statements and <code>loops</code> into massive, mathematically complex <code>switch</code> statements, completely hiding the real execution paths.</p> <h4> Opaque Predicates </h4> <p>Inject fake math operations into the bytecode that look completely real but always evaluate to zero, forcing attackers to reverse-engineer thousands of useless, garbage instructions.</p> <h4> Dynamic Key Provisioning </h4> <p>Instead of leaving the session key inside the Wasm data segment, make the host server stream the decryption key dynamically over a WebSocket at runtime. This ensures the Wasm file can never be decompiled locally without a live, authenticated connection.</p> <p>By stacking these advanced tricks on top of the VM architecture we built today, you can guarantee your WebAssembly logic stays fiercely protected no matter where it runs.</p> webassembly compiling security nieche