I have a Windows program that uses awesomium to display a WebApp. This WebApp communicates in some way with the client program through some native calls. I found references to window.externalHost and window.native in the JS source, but it's build with YUI and has tens of thousand lines of code and single character variables and I can't quite figure out what exactly they are doing (static analysis).

I have injected Javascript into the WebApp to check those two objects:

try { document.write(JSON.stringify(window.externalHost, null, 4)) } catch (err) { document.write(err) }

But window.externalHost is undefined and window.native is {} .

So my questions are:

How are native calls usually set up?

What interfaces do exist and how are they used? (Both directions)

Can I "detour"/"intercept" native calls to see what they are sending?

Are there any remote JS debug projects which I could inject to dynamically debug the complex WebApp?

update 1: I am confident that it uses window.native . Because of this Object {} . It seems likely that the communication is not implemented as window.externalHost.postMessage() based on what I have read on the awesomium wiki.

I now try to capture what methods are called on it. My idea was to overwrite window.onerror to capture all errors and set window.native = undefined; to capture exceptions like Cannot call aNativeCall() on undefined . Unfortunately it seems that windows.native can't be overwritten - it doesn't stay undefined.

Any other ideas?

update 2:

I came up with this javascript code to check some interesting Objects like window.external , etc...

obj = ['external', 'externalHost', 'native', 'Y', ['Y','native'],['Y','Native'], ['Y','external'], ['Y','externalHost']]; for(i=0; i< obj.length; ++i) { try { if(obj[i] instanceof Array) { var tmp = window[obj[i][0]]; for(j=1; j<obj[i].length; ++j) { tmp = tmp[obj[i][j]] } document.write(obj[i]+" | <b>"+Object.getOwnPropertyNames(tmp)+"</b><br>"); } else { document.write(obj[i]+" | <b>"+Object.getOwnPropertyNames(window[obj[i]])+"</b><br>"); } } catch(err) { document.write(obj[i]+" | <i>Error: "+err+"</i><br>"); } }

It became slowly more clear that it has to be window.native . This object has the following properties: 'on','isNative','scale','Emitter','call','register','_ready'

When I try to call window.native.call() the native program crashes. And the debug information shows that it crashed in a ProcessRequest function. So I found the right interface.

I now need to find out how exactly this interface is used. Unfortunately I can't overwrite window.native.call = function() { ... } to log the calls.

Anybody another idea?