/script-kiddie/002_script_kiddie/script-kiddie/node_modules/js-beautify/js/lib/unpackers/javascriptobfuscator_unpacker.js |
@@ -0,0 +1,103 @@ |
// |
// simple unpacker/deobfuscator for scripts messed up with javascriptobfuscator.com |
// written by Einar Lielmanis <einar@jsbeautifier.org> |
// |
// usage: |
// |
// if (JavascriptObfuscator.detect(some_string)) { |
// var unpacked = JavascriptObfuscator.unpack(some_string); |
// } |
// |
// |
|
var JavascriptObfuscator = { |
detect: function(str) { |
return /^var _0x[a-f0-9]+ ?\= ?\[/.test(str); |
}, |
|
unpack: function(str) { |
if (JavascriptObfuscator.detect(str)) { |
var matches = /var (_0x[a-f\d]+) ?\= ?\[(.*?)\];/.exec(str); |
if (matches) { |
var var_name = matches[1]; |
var strings = JavascriptObfuscator._smart_split(matches[2]); |
str = str.substring(matches[0].length); |
for (var k in strings) { |
str = str.replace(new RegExp(var_name + '\\[' + k + '\\]', 'g'), |
JavascriptObfuscator._fix_quotes(JavascriptObfuscator._unescape(strings[k]))); |
} |
} |
} |
return str; |
}, |
|
_fix_quotes: function(str) { |
var matches = /^"(.*)"$/.exec(str); |
if (matches) { |
str = matches[1]; |
str = "'" + str.replace(/'/g, "\\'") + "'"; |
} |
return str; |
}, |
|
_smart_split: function(str) { |
var strings = []; |
var pos = 0; |
while (pos < str.length) { |
if (str.charAt(pos) === '"') { |
// new word |
var word = ''; |
pos += 1; |
while (pos < str.length) { |
if (str.charAt(pos) === '"') { |
break; |
} |
if (str.charAt(pos) === '\\') { |
word += '\\'; |
pos++; |
} |
word += str.charAt(pos); |
pos++; |
} |
strings.push('"' + word + '"'); |
} |
pos += 1; |
} |
return strings; |
}, |
|
|
_unescape: function(str) { |
// inefficient if used repeatedly or on small strings, but wonderful on single large chunk of text |
for (var i = 32; i < 128; i++) { |
str = str.replace(new RegExp('\\\\x' + i.toString(16), 'ig'), String.fromCharCode(i)); |
} |
str = str.replace(/\\x09/g, "\t"); |
return str; |
}, |
|
run_tests: function(sanity_test) { |
var t = sanity_test || new SanityTest(); |
|
t.test_function(JavascriptObfuscator._smart_split, "JavascriptObfuscator._smart_split"); |
t.expect('', []); |
t.expect('"a", "b"', ['"a"', '"b"']); |
t.expect('"aaa","bbbb"', ['"aaa"', '"bbbb"']); |
t.expect('"a", "b\\\""', ['"a"', '"b\\\""']); |
t.test_function(JavascriptObfuscator._unescape, 'JavascriptObfuscator._unescape'); |
t.expect('\\x40', '@'); |
t.expect('\\x10', '\\x10'); |
t.expect('\\x1', '\\x1'); |
t.expect("\\x61\\x62\\x22\\x63\\x64", 'ab"cd'); |
t.test_function(JavascriptObfuscator.detect, 'JavascriptObfuscator.detect'); |
t.expect('', false); |
t.expect('abcd', false); |
t.expect('var _0xaaaa', false); |
t.expect('var _0xaaaa = ["a", "b"]', true); |
t.expect('var _0xaaaa=["a", "b"]', true); |
t.expect('var _0x1234=["a","b"]', true); |
return t; |
} |
|
|
}; |
/script-kiddie/002_script_kiddie/script-kiddie/node_modules/js-beautify/js/lib/unpackers/myobfuscate_unpacker.js |
@@ -0,0 +1,90 @@ |
// |
// simple unpacker/deobfuscator for scripts messed up with myobfuscate.com |
// You really don't want to obfuscate your scripts there: they're tracking |
// your unpackings, your script gets turned into something like this, |
// as of 2011-04-25: |
/* |
|
var _escape = 'your_script_escaped'; |
var _111 = document.createElement('script'); |
_111.src = 'http://api.www.myobfuscate.com/?getsrc=ok' + |
'&ref=' + encodeURIComponent(document.referrer) + |
'&url=' + encodeURIComponent(document.URL); |
var 000 = document.getElementsByTagName('head')[0]; |
000.appendChild(_111); |
document.write(unescape(_escape)); |
|
*/ |
// |
// written by Einar Lielmanis <einar@jsbeautifier.org> |
// |
// usage: |
// |
// if (MyObfuscate.detect(some_string)) { |
// var unpacked = MyObfuscate.unpack(some_string); |
// } |
// |
// |
|
var MyObfuscate = { |
detect: function(str) { |
if (/^var _?[0O1lI]{3}\=('|\[).*\)\)\);/.test(str)) { |
return true; |
} |
if (/^function _?[0O1lI]{3}\(_/.test(str) && /eval\(/.test(str)) { |
return true; |
} |
return false; |
}, |
|
unpack: function(str) { |
if (MyObfuscate.detect(str)) { |
var __eval = eval; |
try { |
eval = function(unpacked) { // jshint ignore:line |
if (MyObfuscate.starts_with(unpacked, 'var _escape')) { |
// fetch the urlencoded stuff from the script, |
var matches = /'([^']*)'/.exec(unpacked); |
var unescaped = unescape(matches[1]); |
if (MyObfuscate.starts_with(unescaped, '<script>')) { |
unescaped = unescaped.substr(8, unescaped.length - 8); |
} |
if (MyObfuscate.ends_with(unescaped, '</script>')) { |
unescaped = unescaped.substr(0, unescaped.length - 9); |
} |
unpacked = unescaped; |
} |
// throw to terminate the script |
unpacked = "// Unpacker warning: be careful when using myobfuscate.com for your projects:\n" + |
"// scripts obfuscated by the free online version may call back home.\n" + |
"\n//\n" + unpacked; |
throw unpacked; |
}; // jshint ignore:line |
__eval(str); // should throw |
} catch (e) { |
// well, it failed. we'll just return the original, instead of crashing on user. |
if (typeof e === "string") { |
str = e; |
} |
} |
eval = __eval; // jshint ignore:line |
} |
return str; |
}, |
|
starts_with: function(str, what) { |
return str.substr(0, what.length) === what; |
}, |
|
ends_with: function(str, what) { |
return str.substr(str.length - what.length, what.length) === what; |
}, |
|
run_tests: function(sanity_test) { |
var t = sanity_test || new SanityTest(); |
|
return t; |
} |
|
|
}; |
/script-kiddie/002_script_kiddie/script-kiddie/node_modules/js-beautify/js/lib/unpackers/p_a_c_k_e_r_unpacker.js |
@@ -0,0 +1,83 @@ |
// |
// Unpacker for Dean Edward's p.a.c.k.e.r, a part of javascript beautifier |
// written by Einar Lielmanis <einar@jsbeautifier.org> |
// |
// Coincidentally, it can defeat a couple of other eval-based compressors. |
// |
// usage: |
// |
// if (P_A_C_K_E_R.detect(some_string)) { |
// var unpacked = P_A_C_K_E_R.unpack(some_string); |
// } |
// |
// |
|
var P_A_C_K_E_R = { |
detect: function(str) { |
return (P_A_C_K_E_R.get_chunks(str).length > 0); |
}, |
|
get_chunks: function(str) { |
var chunks = str.match(/eval\(\(?function\(.*?(,0,\{\}\)\)|split\('\|'\)\)\))($|\n)/g); |
return chunks ? chunks : []; |
}, |
|
unpack: function(str) { |
var chunks = P_A_C_K_E_R.get_chunks(str), |
chunk; |
for (var i = 0; i < chunks.length; i++) { |
chunk = chunks[i].replace(/\n$/, ''); |
str = str.split(chunk).join(P_A_C_K_E_R.unpack_chunk(chunk)); |
} |
return str; |
}, |
|
unpack_chunk: function(str) { |
var unpacked_source = ''; |
var __eval = eval; |
if (P_A_C_K_E_R.detect(str)) { |
try { |
eval = function(s) { // jshint ignore:line |
unpacked_source += s; |
return unpacked_source; |
}; // jshint ignore:line |
__eval(str); |
if (typeof unpacked_source === 'string' && unpacked_source) { |
str = unpacked_source; |
} |
} catch (e) { |
// well, it failed. we'll just return the original, instead of crashing on user. |
} |
} |
eval = __eval; // jshint ignore:line |
return str; |
}, |
|
run_tests: function(sanity_test) { |
var t = sanity_test || new SanityTest(); |
|
var pk1 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('0 2=1',3,3,'var||a'.split('|'),0,{}))"; |
var unpk1 = 'var a=1'; |
var pk2 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('0 2=1',3,3,'foo||b'.split('|'),0,{}))"; |
var unpk2 = 'foo b=1'; |
var pk_broken = "eval(function(p,a,c,k,e,r){BORKBORK;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('0 2=1',3,3,'var||a'.split('|'),0,{}))"; |
var pk3 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('0 2=1{}))',3,3,'var||a'.split('|'),0,{}))"; |
var unpk3 = 'var a=1{}))'; |
|
t.test_function(P_A_C_K_E_R.detect, "P_A_C_K_E_R.detect"); |
t.expect('', false); |
t.expect('var a = b', false); |
t.test_function(P_A_C_K_E_R.unpack, "P_A_C_K_E_R.unpack"); |
t.expect(pk_broken, pk_broken); |
t.expect(pk1, unpk1); |
t.expect(pk2, unpk2); |
t.expect(pk3, unpk3); |
|
var filler = '\nfiller\n'; |
t.expect(filler + pk1 + "\n" + pk_broken + filler + pk2 + filler, filler + unpk1 + "\n" + pk_broken + filler + unpk2 + filler); |
|
return t; |
} |
|
|
}; |
/script-kiddie/002_script_kiddie/script-kiddie/node_modules/js-beautify/js/lib/unpackers/urlencode_unpacker.js |
@@ -0,0 +1,73 @@ |
/*global unescape */ |
/*jshint curly: false, scripturl: true */ |
// |
// trivial bookmarklet/escaped script detector for the javascript beautifier |
// written by Einar Lielmanis <einar@jsbeautifier.org> |
// |
// usage: |
// |
// if (Urlencoded.detect(some_string)) { |
// var unpacked = Urlencoded.unpack(some_string); |
// } |
// |
// |
|
var isNode = (typeof module !== 'undefined' && module.exports); |
if (isNode) { |
var SanityTest = require(__dirname + '/../../test/sanitytest'); |
} |
|
var Urlencoded = { |
detect: function(str) { |
// the fact that script doesn't contain any space, but has %20 instead |
// should be sufficient check for now. |
if (str.indexOf(' ') === -1) { |
if (str.indexOf('%2') !== -1) return true; |
if (str.replace(/[^%]+/g, '').length > 3) return true; |
} |
return false; |
}, |
|
unpack: function(str) { |
if (Urlencoded.detect(str)) { |
if (str.indexOf('%2B') !== -1 || str.indexOf('%2b') !== -1) { |
// "+" escaped as "%2B" |
return unescape(str.replace(/\+/g, '%20')); |
} else { |
return unescape(str); |
} |
} |
return str; |
}, |
|
|
|
run_tests: function(sanity_test) { |
var t = sanity_test || new SanityTest(); |
t.test_function(Urlencoded.detect, "Urlencoded.detect"); |
t.expect('', false); |
t.expect('var a = b', false); |
t.expect('var%20a+=+b', true); |
t.expect('var%20a=b', true); |
t.expect('var%20%21%22', true); |
t.expect('javascript:(function(){var%20whatever={init:function(){alert(%22a%22+%22b%22)}};whatever.init()})();', true); |
t.test_function(Urlencoded.unpack, 'Urlencoded.unpack'); |
|
t.expect('javascript:(function(){var%20whatever={init:function(){alert(%22a%22+%22b%22)}};whatever.init()})();', |
'javascript:(function(){var whatever={init:function(){alert("a"+"b")}};whatever.init()})();' |
); |
t.expect('', ''); |
t.expect('abcd', 'abcd'); |
t.expect('var a = b', 'var a = b'); |
t.expect('var%20a=b', 'var a=b'); |
t.expect('var%20a=b+1', 'var a=b+1'); |
t.expect('var%20a=b%2b1', 'var a=b+1'); |
return t; |
} |
|
|
}; |
|
if (isNode) { |
module.exports = Urlencoded; |
} |