corrade-nucleus-nucleons – Blame information for rev 4
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 2 | office | 1 | # |
| 2 | # deobfuscator for scripts messed up with myobfuscate.com |
||
| 3 | # by Einar Lielmanis <einar@jsbeautifier.org> |
||
| 4 | # |
||
| 5 | # written by Stefano Sanfilippo <a.little.coder@gmail.com> |
||
| 6 | # |
||
| 7 | # usage: |
||
| 8 | # |
||
| 9 | # if detect(some_string): |
||
| 10 | # unpacked = unpack(some_string) |
||
| 11 | # |
||
| 12 | |||
| 13 | # CAVEAT by Einar Lielmanis |
||
| 14 | |||
| 15 | # |
||
| 16 | # You really don't want to obfuscate your scripts there: they're tracking |
||
| 17 | # your unpackings, your script gets turned into something like this, |
||
| 18 | # as of 2011-08-26: |
||
| 19 | # |
||
| 20 | # var _escape = 'your_script_escaped'; |
||
| 21 | # var _111 = document.createElement('script'); |
||
| 22 | # _111.src = 'http://api.www.myobfuscate.com/?getsrc=ok' + |
||
| 23 | # '&ref=' + encodeURIComponent(document.referrer) + |
||
| 24 | # '&url=' + encodeURIComponent(document.URL); |
||
| 25 | # var 000 = document.getElementsByTagName('head')[0]; |
||
| 26 | # 000.appendChild(_111); |
||
| 27 | # document.write(unescape(_escape)); |
||
| 28 | # |
||
| 29 | |||
| 30 | """Deobfuscator for scripts messed up with MyObfuscate.com""" |
||
| 31 | |||
| 32 | import re |
||
| 33 | import base64 |
||
| 34 | |||
| 35 | # Python 2 retrocompatibility |
||
| 36 | # pylint: disable=F0401 |
||
| 37 | # pylint: disable=E0611 |
||
| 38 | try: |
||
| 39 | from urllib import unquote |
||
| 40 | except ImportError: |
||
| 41 | from urllib.parse import unquote |
||
| 42 | |||
| 43 | from jsbeautifier.unpackers import UnpackingError |
||
| 44 | |||
| 45 | PRIORITY = 1 |
||
| 46 | |||
| 47 | CAVEAT = """// |
||
| 48 | // Unpacker warning: be careful when using myobfuscate.com for your projects: |
||
| 49 | // scripts obfuscated by the free online version call back home. |
||
| 50 | // |
||
| 51 | |||
| 52 | """ |
||
| 53 | |||
| 54 | SIGNATURE = (r'["\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F' |
||
| 55 | r'\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65' |
||
| 56 | r'\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75' |
||
| 57 | r'\x76\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2B' |
||
| 58 | r'\x2F\x3D","","\x63\x68\x61\x72\x41\x74","\x69\x6E\x64\x65\x78' |
||
| 59 | r'\x4F\x66","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","' |
||
| 60 | r'\x6C\x65\x6E\x67\x74\x68"]') |
||
| 61 | |||
| 62 | def detect(source): |
||
| 63 | """Detects MyObfuscate.com packer.""" |
||
| 64 | return SIGNATURE in source |
||
| 65 | |||
| 66 | def unpack(source): |
||
| 67 | """Unpacks js code packed with MyObfuscate.com""" |
||
| 68 | if not detect(source): |
||
| 69 | return source |
||
| 70 | payload = unquote(_filter(source)) |
||
| 71 | match = re.search(r"^var _escape\='<script>(.*)<\/script>'", |
||
| 72 | payload, re.DOTALL) |
||
| 73 | polished = match.group(1) if match else source |
||
| 74 | return CAVEAT + polished |
||
| 75 | |||
| 76 | def _filter(source): |
||
| 77 | """Extracts and decode payload (original file) from `source`""" |
||
| 78 | try: |
||
| 79 | varname = re.search(r'eval\(\w+\(\w+\((\w+)\)\)\);', source).group(1) |
||
| 80 | reverse = re.search(r"var +%s *\= *'(.*)';" % varname, source).group(1) |
||
| 81 | except AttributeError: |
||
| 82 | raise UnpackingError('Malformed MyObfuscate data.') |
||
| 83 | try: |
||
| 84 | return base64.b64decode(reverse[::-1].encode('utf8')).decode('utf8') |
||
| 85 | except TypeError: |
||
| 86 | raise UnpackingError('MyObfuscate payload is not base64-encoded.') |