def doDemystify(data):
escape_again = False
#init jsFunctions and jsUnpacker
jsF = JsFunctions()
jsU = JsUnpacker()
jsU2 = JsUnpackerV2()
jsUW = JsUnwiser()
jsUI = JsUnIonCube()
jsUF = JsUnFunc()
jsUP = JsUnPP()
jsU95 = JsUnpacker95High()
JsPush = JsUnPush()
JsHive = hivelogic()
# replace NUL
#data = data.replace('\0','')
# unescape
r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, quoted.decode('unicode-escape'))
r = re.compile('(\'\+dec\("\w+"\)\+\')')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('dec\("(\w+)"\)')
for dec_data in r2.findall(g):
res = ''
for i in dec_data:
res = res + chr(ord(i) ^ 123)
data = data.replace(g, res)
r = re.compile(
'((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile(
'(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+'
)
for base64_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(base64_data.decode('base-64')))
r = re.compile('(<script.*?str=\'@.*?str.replace)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('.*?str=\'([^\']+)')
for escape_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(escape_data.replace('@', '%')))
r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
for base64_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(base64_data.decode('base-64')))
escape_again = True
r = re.compile(
'(eval\\(function\\((?!w)\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))',
flags=re.DOTALL)
for g in r.findall(data):
try:
data = data.replace(g, wdecode(g))
escape_again = True
except:
pass
if '"result2":"' in data:
r = re.compile(r""":("(?!http)\w+\.\w+\.m3u8")""")
gs = r.findall(data)
if gs:
for g in gs:
_in = json.loads(g).split('.')
aes = AES.new(
'5e41564050447a7e4631795f33373037374f313337396d316862396c34654763'
.decode('hex'), AES.MODE_CBC, _in[1].decode('hex'))
unpad = lambda s: s[0:-ord(s[-1])]
try:
_url = unpad(aes.decrypt(_in[0].decode('hex')))
except:
_url = None
if _url:
data = data.replace(g, json.dumps(_url))
else:
aes = AES.new(
'5e6d59405052757e4b65795f393738373831313335396d316775336c346e7472'
.decode('hex'), AES.MODE_CBC, _in[1].decode('hex'))
data = data.replace(
g,
json.dumps(unpad(aes.decrypt(_in[0].decode('hex')))))
r = re.compile(r""":("(?!http)[\w=\\/\+]+\.m3u8")""")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(
g,
json.dumps(
decryptDES_ECB(
json.loads(g)[:-5],
'5333637233742600'.decode('hex'))))
# n98c4d2c
if 'function n98c4d2c(' in data:
gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))
if 'var enkripsi' in data:
r = re.compile(r"""enkripsi="([^"]+)""")
gs = r.findall(data)
if gs:
for g in gs:
s = ''
for i in g:
s += chr(ord(i) ^ 2)
data = data.replace("""enkripsi=\"""" + g, urllib.unquote(s))
# o61a2a8f
if 'function o61a2a8f(' in data:
gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))
# RrRrRrRr
if 'function RrRrRrRr(' in data:
r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
re.IGNORECASE + re.DOTALL)
gs = r.findall(data)
if gs != None and gs != []:
for g in gs:
data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', '')))
# hp_d01
if 'function hp_d01(' in data:
r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.hp_d01(g))
# ew_dc
if 'function ew_dc(' in data:
r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.ew_dc(g))
# pbbfa0
if 'function pbbfa0(' in data:
r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.pbbfa0(g))
if 'eval(function(' in data:
data = re.sub(r"""function\(\w\w\w\w,\w\w\w\w,\w\w\w\w,\w\w\w\w""",
'function(p,a,c,k)', data.replace('#', '|'))
data = re.sub(r"""\(\w\w\w\w\+0\)%\w\w\w\w""", 'e%a', data)
data = re.sub(r"""RegExp\(\w\w\w\w\(\w\w\w\w\)""", 'RegExp(e(c)', data)
r = re.compile(r"""\.split\('([^']+)'\)""")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, '|')
if """.replace(""" in data:
r = re.compile(r""".replace\(["']([^"']+)["'],\s*["']([^"']*)["']\)""")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g[0], g[1])
# util.de
if 'Util.de' in data:
r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, g.decode('base64'))
# 24cast
if 'destreamer(' in data:
r = re.compile("destreamer\(\"(.+?)\"\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, destreamer(g))
# JS P,A,C,K,E,D
if jsU95.containsPacked(data):
data = jsU95.unpackAll(data)
escape_again = True
if jsU2.containsPacked(data):
data = jsU2.unpackAll(data)
escape_again = True
if jsU.containsPacked(data):
data = jsU.unpackAll(data)
escape_again = True
# JS W,I,S,E
if jsUW.containsWise(data):
data = jsUW.unwiseAll(data)
escape_again = True
# JS IonCube
if jsUI.containsIon(data):
data = jsUI.unIonALL(data)
escape_again = True
# Js unFunc
if jsUF.cointainUnFunc(data):
data = jsUF.unFuncALL(data)
escape_again = True
if jsUP.containUnPP(data):
data = jsUP.UnPPAll(data)
escape_again = True
if JsPush.containUnPush(data):
data = JsPush.UnPush(data)
if JsHive.contains_hivelogic(data):
data = JsHive.unpack_hivelogic(data)
# unescape again
if escape_again:
data = doDemystify(data)
return data
def doDemystify(data):
escape_again = False
#init jsFunctions and jsUnpacker
jsF = JsFunctions()
jsU = JsUnpacker()
jsU2 = JsUnpackerV2()
jsUW = JsUnwiser()
jsUI = JsUnIonCube()
jsUF = JsUnFunc()
jsUP = JsUnPP()
jsU95 = JsUnpacker95High()
JsPush = JsUnPush()
JsHive = hivelogic()
# replace NUL
#data = data.replace('\0','')
# unescape
r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile("""('%[\w%]{100,130}')""")
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(
quoted, "unescape({0})".format(urllib.unquote_plus(quoted)))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, quoted.decode('unicode-escape'))
r = re.compile('(\'\+dec\("\w+"\)\+\')')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('dec\("(\w+)"\)')
for dec_data in r2.findall(g):
res = ''
for i in dec_data:
res = res + chr(ord(i) ^ 123)
data = data.replace(g, res)
r = re.compile(
'((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile(
'(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+'
)
for base64_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(base64_data.decode('base-64')))
r = re.compile('(<script.*?str=\'@.*?str.replace)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('.*?str=\'([^\']+)')
for escape_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(escape_data.replace('@', '%')))
r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
for base64_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(base64_data.decode('base-64')))
escape_again = True
r = re.compile(
'(eval\(function\((?!w)\w+,\w+,\w+,\w+\),\w+,\w+.*?\{\}\)\);)',
flags=re.DOTALL)
for g in r.findall(data):
try:
data = data.replace(g, wdecode(g))
escape_again = True
except:
pass
# n98c4d2c
if 'function n98c4d2c(' in data:
gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))
if 'var enkripsi' in data:
r = re.compile(r"""enkripsi="([^"]+)""")
gs = r.findall(data)
if gs:
for g in gs:
s = ''
for i in g:
s += chr(ord(i) ^ 2)
data = data.replace("""enkripsi=\"""" + g, urllib.unquote(s))
# o61a2a8f
if 'function o61a2a8f(' in data:
gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))
# RrRrRrRr
if 'function RrRrRrRr(' in data:
r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
re.IGNORECASE + re.DOTALL)
gs = r.findall(data)
if gs != None and gs != []:
for g in gs:
data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', '')))
# hp_d01
if 'function hp_d01(' in data:
r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.hp_d01(g))
# ew_dc
if 'function ew_dc(' in data:
r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.ew_dc(g))
# pbbfa0
if 'function pbbfa0(' in data:
r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.pbbfa0(g))
if 'eval(function(' in data:
data = re.sub(r"""function\(\w\w\w\w,\w\w\w\w,\w\w\w\w,\w\w\w\w""",
'function(p,a,c,k)', data.replace('#', '|'))
data = re.sub(r"""\(\w\w\w\w\)%\w\w\w\w""", 'e%a', data)
data = re.sub(r"""RegExp\(\w\w\w\w\(\w\w\w\w\)""", 'RegExp(e(c)', data)
r = re.compile(r"""\.split\('([^']+)'\)""")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, '|')
if """.replace(""" in data:
r = re.compile(
r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g[0], g[1])
# util.de
if 'Util.de' in data:
r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, g.decode('base64'))
# 24cast
if 'destreamer(' in data:
r = re.compile("destreamer\(\"(.+?)\"\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, destreamer(g))
# JS P,A,C,K,E,D
if jsU95.containsPacked(data):
data = jsU95.unpackAll(data)
escape_again = True
if jsU2.containsPacked(data):
data = jsU2.unpackAll(data)
escape_again = True
if jsU.containsPacked(data):
data = jsU.unpackAll(data)
escape_again = True
# JS W,I,S,E
if jsUW.containsWise(data):
data = jsUW.unwiseAll(data)
escape_again = True
# JS IonCube
if jsUI.containsIon(data):
data = jsUI.unIonALL(data)
escape_again = True
# Js unFunc
if jsUF.cointainUnFunc(data):
data = jsUF.unFuncALL(data)
escape_again = True
if jsUP.containUnPP(data):
data = jsUP.UnPPAll(data)
escape_again = True
if JsPush.containUnPush(data):
data = JsPush.UnPush(data)
if JsHive.contains_hivelogic(data):
data = JsHive.unpack_hivelogic(data)
try:
data = zdecode(data)
except:
pass
# unescape again
if escape_again:
data = doDemystify(data)
return data
def doDemystify(data):
escape_again=False
#init jsFunctions and jsUnpacker
jsF = JsFunctions()
jsU = JsUnpacker()
jsU2 = JsUnpackerV2()
jsUW = JsUnwiser()
jsUI = JsUnIonCube()
jsUF = JsUnFunc()
jsUP = JsUnPP()
jsU95 = JsUnpacker95High()
JsPush = JsUnPush()
# replace NUL
#data = data.replace('\0','')
# unescape
r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, quoted.decode('unicode-escape'))
r = re.compile('(\'\+dec\("\w+"\)\+\')')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('dec\("(\w+)"\)')
for dec_data in r2.findall(g):
res = ''
for i in dec_data:
res = res + chr(ord(i) ^ 123)
data = data.replace(g, res)
r = re.compile('(eval\(decodeURIComponent\(atob\([\'"][^\'"]+[\'"]\)\)\);)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('eval\(decodeURIComponent\(atob\([\'"]([^\'"]+)[\'"]\)\)\);')
for base64_data in r2.findall(g):
data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
r = re.compile('(<script.*?str=\'@.*?str.replace)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('.*?str=\'([^\']+)')
for escape_data in r2.findall(g):
data = data.replace(g, urllib.unquote(escape_data.replace('@','%')))
r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
for base64_data in r2.findall(g):
data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
escape_again=True
r = re.compile('(eval\\(function\\(\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))', flags=re.DOTALL)
for g in r.findall(data):
try:
data = data.replace(g, wdecode(g))
escape_again=True
except:
pass
# n98c4d2c
if 'function n98c4d2c(' in data:
gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))
# o61a2a8f
if 'function o61a2a8f(' in data:
gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))
# RrRrRrRr
if 'function RrRrRrRr(' in data:
r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL)
gs = r.findall(data)
if gs != None and gs != []:
for g in gs:
data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\','')))
# hp_d01
if 'function hp_d01(' in data:
r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.hp_d01(g))
# ew_dc
if 'function ew_dc(' in data:
r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.ew_dc(g))
# pbbfa0
if 'function pbbfa0(' in data:
r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.pbbfa0(g))
# util.de
if 'Util.de' in data:
r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g,g.decode('base64'))
# 24cast
if 'destreamer(' in data:
r = re.compile("destreamer\(\"(.+?)\"\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, destreamer(g))
# JS P,A,C,K,E,D
if jsU95.containsPacked(data):
data = jsU95.unpackAll(data)
escape_again=True
if jsU2.containsPacked(data):
data = jsU2.unpackAll(data)
escape_again=True
if jsU.containsPacked(data):
data = jsU.unpackAll(data)
escape_again=True
# JS W,I,S,E
if jsUW.containsWise(data):
data = jsUW.unwiseAll(data)
escape_again=True
# JS IonCube
if jsUI.containsIon(data):
data = jsUI.unIonALL(data)
escape_again=True
# Js unFunc
if jsUF.cointainUnFunc(data):
data = jsUF.unFuncALL(data)
escape_again=True
if jsUP.containUnPP(data):
data = jsUP.UnPPAll(data)
escape_again=True
if JsPush.containUnPush(data):
data = JsPush.UnPush(data)
# unescape again
if escape_again:
data = doDemystify(data)
return data
def doDemystify(data):
escape_again=False
#init jsFunctions and jsUnpacker
jsF = JsFunctions()
jsU = JsUnpacker()
jsU2 = JsUnpackerV2()
jsUW = JsUnwiser()
jsUI = JsUnIonCube()
jsUF = JsUnFunc()
jsUP = JsUnPP()
jsU95 = JsUnpacker95High()
JsPush = JsUnPush()
JsHive = hivelogic()
# replace NUL
#data = data.replace('\0','')
# unescape
r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile("""('%[\w%]{100,130}')""")
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, "unescape({0})".format(urllib.unquote_plus(quoted)))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, quoted.decode('unicode-escape'))
r = re.compile('(\'\+dec\("\w+"\)\+\')')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('dec\("(\w+)"\)')
for dec_data in r2.findall(g):
res = ''
for i in dec_data:
res = res + chr(ord(i) ^ 123)
data = data.replace(g, res)
r = re.compile('((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+')
for base64_data in r2.findall(g):
data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
r = re.compile('(<script.*?str=\'@.*?str.replace)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('.*?str=\'([^\']+)')
for escape_data in r2.findall(g):
data = data.replace(g, urllib.unquote(escape_data.replace('@','%')))
r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
for base64_data in r2.findall(g):
data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
escape_again=True
r = re.compile('(eval\(function\((?!w)\w+,\w+,\w+,\w+\),\w+,\w+.*?\{\}\)\);)', flags=re.DOTALL)
for g in r.findall(data):
try:
data = data.replace(g, wdecode(g))
escape_again=True
except:
pass
if '"result2":"'in data:
r = re.compile(r""":("(?!http)\w+\.\w+\.m3u8")""")
gs = r.findall(data)
if gs:
for g in gs:
_in = json.loads(g).split('.')
aes = AES.new('5e4542404f4c757e4431675f373837385649313133356f3152693935366e4361'.decode('hex'), AES.MODE_CBC, _in[1].decode('hex'))
unpad = lambda s : s[0:-ord(s[-1])]
try:
_url = unpad(aes.decrypt(_in[0].decode('hex')))
except:
_url = None
if _url:
data = data.replace(g,json.dumps( _url ))
else:
aes = AES.new('5e5858405046757e4631775f33414141514e3133393973315775336c34695a5a'.decode('hex'), AES.MODE_CBC, _in[1].decode('hex'))
_url = unpad(aes.decrypt(_in[0].decode('hex')))
data = data.replace(g,json.dumps( _url ))
r = re.compile(r""":("(?!http)[\w=\\/\+]+\.m3u8")""")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g,json.dumps(decryptDES_ECB(json.loads(g)[:-5], '5333637233742600'.decode('hex'))))
# n98c4d2c
if 'function n98c4d2c(' in data:
gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))
if 'var enkripsi' in data:
r = re.compile(r"""enkripsi="([^"]+)""")
gs = r.findall(data)
if gs:
for g in gs:
s=''
for i in g:
s+= chr(ord(i)^2)
data = data.replace("""enkripsi=\""""+g, urllib.unquote(s))
# o61a2a8f
if 'function o61a2a8f(' in data:
gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))
# RrRrRrRr
if 'function RrRrRrRr(' in data:
r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL)
gs = r.findall(data)
if gs != None and gs != []:
for g in gs:
data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\','')))
# hp_d01
if 'function hp_d01(' in data:
r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.hp_d01(g))
# ew_dc
if 'function ew_dc(' in data:
r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.ew_dc(g))
# pbbfa0
if 'function pbbfa0(' in data:
r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.pbbfa0(g))
if 'eval(function(' in data:
data = re.sub(r"""function\(\w\w\w\w,\w\w\w\w,\w\w\w\w,\w\w\w\w""",'function(p,a,c,k)',data.replace('#','|'))
data = re.sub(r"""\(\w\w\w\w\)%\w\w\w\w""",'e%a',data)
data = re.sub(r"""RegExp\(\w\w\w\w\(\w\w\w\w\)""",'RegExp(e(c)',data)
r = re.compile(r"""\.split\('([^']+)'\)""")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g,'|')
if """.replace(""" in data:
r = re.compile(r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g[0],g[1])
# util.de
if 'Util.de' in data:
r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g,g.decode('base64'))
# 24cast
if 'destreamer(' in data:
r = re.compile("destreamer\(\"(.+?)\"\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, destreamer(g))
# JS P,A,C,K,E,D
if jsU95.containsPacked(data):
data = jsU95.unpackAll(data)
escape_again=True
if jsU2.containsPacked(data):
data = jsU2.unpackAll(data)
escape_again=True
if jsU.containsPacked(data):
data = jsU.unpackAll(data)
escape_again=True
# JS W,I,S,E
if jsUW.containsWise(data):
data = jsUW.unwiseAll(data)
escape_again=True
# JS IonCube
if jsUI.containsIon(data):
data = jsUI.unIonALL(data)
escape_again=True
# Js unFunc
if jsUF.cointainUnFunc(data):
data = jsUF.unFuncALL(data)
escape_again=True
if jsUP.containUnPP(data):
data = jsUP.UnPPAll(data)
escape_again=True
if JsPush.containUnPush(data):
data = JsPush.UnPush(data)
if JsHive.contains_hivelogic(data):
data = JsHive.unpack_hivelogic(data)
try: data = zdecode(data)
except: pass
# unescape again
if escape_again:
data = doDemystify(data)
return data
def doDemystify(data):
from base64 import b64decode
escape_again = False
#lib.common.log("JairoDemyst:" + data)
#init jsFunctions and jsUnpacker
jsF = JsFunctions()
jsU = JsUnpacker()
jsU2 = JsUnpackerV2()
jsUW = JsUnwiser()
jsUI = JsUnIonCube()
jsUF = JsUnFunc()
jsUP = JsUnPP()
jsU95 = JsUnpacker95High()
JsPush = JsUnPush()
JsHive = hivelogic()
# replace NUL
#data = data.replace('\0','')
# unescape
r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile("""('%[\w%]{100,130}')""")
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(
quoted, "unescape({0})".format(urllib.unquote_plus(quoted)))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, quoted.decode('unicode-escape'))
r = re.compile('(\'\+dec\("\w+"\)\+\')')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('dec\("(\w+)"\)')
for dec_data in r2.findall(g):
res = ''
for i in dec_data:
res = res + chr(ord(i) ^ 123)
data = data.replace(g, res)
#sebn
#(?:file\s*:|source\s*:|src\s*:|\w+=)\s*(window\.atob\(['"][^'"]+['"]\))
#"""(?:file:|source:|\w+=)\s*(window\.atob\(['"][^'"]+['"]\))"""
r = re.compile(
'(?:file\s*:|source\s*:|src\s*:|\w+\s*=)\s*(window\.atob\([\'"][^\'"]+[\'"]\))'
)
#lib.common.log("JairoXDecrypt: " + data)
if r.findall(data):
for g in r.findall(data):
#r"""window\.atob\(['"]([^'"]+)['"]\)"""
r2 = re.compile('window\.atob\([\'"]([^\'"]+)[\'"]\)')
for base64_data in r2.findall(g):
data = data.replace(
g,
'"' + urllib.unquote(base64_data.decode('base-64') + '"'))
#r = re.compile('((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)')
#while r.findall(data):
#for g in r.findall(data):
#r2 = re.compile('(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+')
#for base64_data in r2.findall(g):
#data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
#jairox: ustreamix -- Obfuscator HTML : https://github.com/BlueEyesHF/Obfuscator-HTML
r = re.compile(
r"var\s*(\w+)\s*=\s*\[([A-Za-z0-9+=\/\",\s]+)\];\s*\1\.forEach.*-\s*(\d+)"
)
if r.findall(data):
try:
matches = re.compile(
r"var\s*(\w+)\s*=\s*\[([A-Za-z0-9+=\/\",\s]+)\];\s*\1\.forEach.*-\s*(\d+)"
).findall(data)
chunks = matches[0][1].split(',')
op = int(matches[0][2])
dec_data = r""
for chunk in chunks:
try:
tmp = chunk.replace('"', '')
tmp = str(b64decode(tmp))
dig = int(re.sub('[\D\s\n]', '', tmp))
dig = dig - op
dec_data += chr(dig)
except:
pass
data = re.sub(
r"(?s)<script>\s*var\s*\w+\s*=.*?var\s*(\w+)\s*=\s*\[.*<\/script>[\"']?",
dec_data, data)
except:
pass
r = re.compile('(<script.*?str=\'@.*?str.replace)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('.*?str=\'([^\']+)')
for escape_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(escape_data.replace('@', '%')))
r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
for base64_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(base64_data.decode('base-64')))
escape_again = True
if not 'sawlive' in data:
r = re.compile('\?i=([^&]+)&r=([^&\'"]+)')
for g in r.findall(data):
print g
try:
_a, _b = g[0].split('%2F')
_res = (_a +
'=').decode('base-64') + '?' + _b.decode('base-64')
data = data.replace(g[0], _res)
data = data.replace(g[1],
urllib.unquote(g[1]).decode('base-64'))
except:
pass
if 'var enkripsi' in data:
r = re.compile(r"""enkripsi="([^"]+)""")
gs = r.findall(data)
if gs:
for g in gs:
s = ''
for i in g:
s += chr(ord(i) ^ 2)
data = data.replace("""enkripsi=\"""" + g, urllib.unquote(s))
if """.replace(""" in data:
r = re.compile(
r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""")
gs = r.findall(data)
if gs:
for g in gs:
if '\\' in g[0]:
data = data.replace(g[0].lower(), g[1])
data = data.replace(g[0], g[1])
r = re.compile(
r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""")
gs = r.findall(data)
if gs:
for g in gs:
if '\\' in g[0]:
data = data.replace(g[0].lower(), g[1])
data = data.replace(g[0], g[1])
# 24cast
if 'destreamer(' in data:
r = re.compile("destreamer\(\"(.+?)\"\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, destreamer(g))
# JS P,A,C,K,E,D
if jsU95.containsPacked(data):
data = jsU95.unpackAll(data)
escape_again = True
if jsU2.containsPacked(data):
data = jsU2.unpackAll(data)
escape_again = True
if jsU.containsPacked(data):
data = jsU.unpackAll(data)
escape_again = True
# JS W,I,S,E
if jsUW.containsWise(data):
data = jsUW.unwiseAll(data)
escape_again = True
# JS IonCube
if jsUI.containsIon(data):
data = jsUI.unIonALL(data)
escape_again = True
# Js unFunc
if jsUF.cointainUnFunc(data):
data = jsUF.unFuncALL(data)
escape_again = True
if jsUP.containUnPP(data):
data = jsUP.UnPPAll(data)
escape_again = True
if JsPush.containUnPush(data):
data = JsPush.UnPush(data)
if JsHive.contains_hivelogic(data):
data = JsHive.unpack_hivelogic(data)
if re.search(r'hiro":".*?[\(\)\[\]\!\+]+', data) != None:
data = unFuckFirst(data)
#lib.common.log("JairoDemyst: " + data)
if re.search(r"zoomtv", data, re.IGNORECASE) != None:
#lib.common.log("JairoZoom:" + data)
data = zadd(data)
data = zadd2(data)
try:
data = zdecode(data)
escape_again = True
except:
pass
# unescape again
if escape_again:
data = doDemystify(data)
return data
def doDemystify(data):
#init jsFunctions and jsUnpacker
jsF = JsFunctions()
jsU = JsUnpacker()
jsUV2 =JsUnpackerV2()
jsUW = JsUnwiser()
jsUI = JsUnIonCube()
jsUF = JsUnFunc()
jsUP = JsUnPP()
jsU95 = JsUnpacker95High()
# replace NUL
data = data.replace('\0','')
# unescape
r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, quoted.decode('unicode-escape'))
# n98c4d2c
if 'function n98c4d2c(' in data:
gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))
# o61a2a8f
if 'function o61a2a8f(' in data:
gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))
# RrRrRrRr
if 'function RrRrRrRr(' in data:
r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL)
gs = r.findall(data)
if gs != None and gs != []:
for g in gs:
data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\','')))
# hp_d01
if 'function hp_d01(' in data:
r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.hp_d01(g))
# ew_dc
if 'function ew_dc(' in data:
r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.ew_dc(g))
# pbbfa0
if 'function pbbfa0(' in data:
r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.pbbfa0(g))
# util.de
if 'Util.de' in data:
r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g,g.decode('base64'))
# 24cast
if 'destreamer(' in data:
r = re.compile("destreamer\(\"(.+?)\"\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, destreamer(g))
# Tiny url
#r = re.compile('[\'"](http://(?:www.)?tinyurl.com/[^\'"]+)[\'"]',re.IGNORECASE + re.DOTALL)
#m = r.findall(data)
#if m:
#for tiny in m:
#data = data.replace(tiny, get_redirected_url(tiny))
# JS P,A,C,K,E,D
if jsU.containsPacked(data):
data = jsU.unpackAll(data)
escape_again=False
#if still exists then apply v2
if jsUV2.containsPacked(data):
data = jsUV2.unpackAll(data)
escape_again=True
if jsU95.containsPacked(data):
data = jsU95.unpackAll(data)
escape_again=True
# JS W,I,S,E
if jsUW.containsWise(data):
data = jsUW.unwiseAll(data)
escape_again=True
# JS IonCube
if jsUI.containsIon(data):
data = jsUI.unIonALL(data)
escape_again=True
# Js unFunc
if jsUF.cointainUnFunc(data):
data = jsUF.unFuncALL(data)
escape_again=True
if jsUP.containUnPP(data):
data = jsUP.UnPPAll(data)
escape_again=True
# unescape again
if escape_again:
r = re.compile('unescape\(\s*["\']([^\'"]+)["\']')
gs = r.findall(data)
if gs:
for g in gs:
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
return data
def doDemystify(data):
escape_again = False
#init jsFunctions and jsUnpacker
jsF = JsFunctions()
jsU = JsUnpacker()
jsU2 = JsUnpackerV2()
jsUW = JsUnwiser()
jsUI = JsUnIonCube()
jsUF = JsUnFunc()
jsUP = JsUnPP()
jsU95 = JsUnpacker95High()
JsPush = JsUnPush()
# replace NUL
#data = data.replace('\0','')
# unescape
r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, quoted.decode('unicode-escape'))
r = re.compile('(\'\+dec\("\w+"\)\+\')')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('dec\("(\w+)"\)')
for dec_data in r2.findall(g):
res = ''
for i in dec_data:
res = res + chr(ord(i) ^ 123)
data = data.replace(g, res)
r = re.compile(
'(eval\(decodeURIComponent\(atob\([\'"][^\'"]+[\'"]\)\)\);)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile(
'eval\(decodeURIComponent\(atob\([\'"]([^\'"]+)[\'"]\)\)\);')
for base64_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(base64_data.decode('base-64')))
r = re.compile('(<script.*?str=\'@.*?str.replace)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('.*?str=\'([^\']+)')
for escape_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(escape_data.replace('@', '%')))
r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
for base64_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(base64_data.decode('base-64')))
escape_again = True
r = re.compile(
'(eval\\(function\\(\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))',
flags=re.DOTALL)
for g in r.findall(data):
try:
data = data.replace(g, wdecode(g))
escape_again = True
except:
pass
# n98c4d2c
if 'function n98c4d2c(' in data:
gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))
# o61a2a8f
if 'function o61a2a8f(' in data:
gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))
# RrRrRrRr
if 'function RrRrRrRr(' in data:
r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
re.IGNORECASE + re.DOTALL)
gs = r.findall(data)
if gs != None and gs != []:
for g in gs:
data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', '')))
# hp_d01
if 'function hp_d01(' in data:
r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.hp_d01(g))
# ew_dc
if 'function ew_dc(' in data:
r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.ew_dc(g))
# pbbfa0
if 'function pbbfa0(' in data:
r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.pbbfa0(g))
# util.de
if 'Util.de' in data:
r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, g.decode('base64'))
# 24cast
if 'destreamer(' in data:
r = re.compile("destreamer\(\"(.+?)\"\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, destreamer(g))
# JS P,A,C,K,E,D
if jsU95.containsPacked(data):
data = jsU95.unpackAll(data)
escape_again = True
if jsU2.containsPacked(data):
data = jsU2.unpackAll(data)
escape_again = True
if jsU.containsPacked(data):
data = jsU.unpackAll(data)
escape_again = True
# JS W,I,S,E
if jsUW.containsWise(data):
data = jsUW.unwiseAll(data)
escape_again = True
# JS IonCube
if jsUI.containsIon(data):
data = jsUI.unIonALL(data)
escape_again = True
# Js unFunc
if jsUF.cointainUnFunc(data):
data = jsUF.unFuncALL(data)
escape_again = True
if jsUP.containUnPP(data):
data = jsUP.UnPPAll(data)
escape_again = True
if JsPush.containUnPush(data):
data = JsPush.UnPush(data)
# unescape again
if escape_again:
data = doDemystify(data)
return data
def doDemystify(data):
escape_again = False
#init jsFunctions and jsUnpacker
jsF = JsFunctions()
jsU = JsUnpacker()
jsU2 = JsUnpackerV2()
jsUW = JsUnwiser()
jsUF = JsUnFunc()
jsUP = JsUnPP()
JsPush = JsUnPush()
# unescape
r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile("""('%[\w%]{100,130}')""")
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(
quoted, "unescape({0})".format(urllib.unquote_plus(quoted)))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, quoted.decode('unicode-escape'))
r = re.compile('(\'\+dec\("\w+"\)\+\')')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('dec\("(\w+)"\)')
for dec_data in r2.findall(g):
res = ''
for i in dec_data:
res = res + chr(ord(i) ^ 123)
data = data.replace(g, res)
#sebn
r = re.compile(
r"""(?:file:|source:|\w+=)\s*(window\.atob\(['"][^'"]+['"]\))""")
if r.findall(data):
for g in r.findall(data):
r2 = re.compile(r"""window\.atob\(['"]([^'"]+)['"]\)""")
for base64_data in r2.findall(g):
data = data.replace(
g,
'"' + urllib.unquote(base64_data.decode('base-64') + '"'))
#r = re.compile('((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)')
#while r.findall(data):
#for g in r.findall(data):
#r2 = re.compile('(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+')
#for base64_data in r2.findall(g):
#data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
r = re.compile('(<script.*?str=\'@.*?str.replace)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('.*?str=\'([^\']+)')
for escape_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(escape_data.replace('@', '%')))
r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
for base64_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(base64_data.decode('base-64')))
escape_again = True
r = re.compile('\?i=([^&]+)&r=([^&\'"]+)')
for g in r.findall(data):
print g
try:
_a, _b = g[0].split('%2F')
_res = (_a + '=').decode('base-64') + '?' + _b.decode('base-64')
data = data.replace(g[0], _res)
data = data.replace(g[1], urllib.unquote(g[1]).decode('base-64'))
except:
pass
if 'var enkripsi' in data:
r = re.compile(r"""enkripsi="([^"]+)""")
gs = r.findall(data)
if gs:
for g in gs:
s = ''
for i in g:
s += chr(ord(i) ^ 2)
data = data.replace("""enkripsi=\"""" + g, urllib.unquote(s))
if """.replace(""" in data:
r = re.compile(r""".replace\(/([^/]+)/g,\s*["']([^"']*)["']\)""")
gs = r.findall(data)
if gs:
for g in gs:
if '\\' in g[0]:
data = data.replace(g[0].lower(), g[1])
data = data.replace(g[0], g[1])
r = re.compile(
r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""")
gs = r.findall(data)
if gs:
for g in gs:
if '\\' in g[0]:
data = data.replace(g[0].lower(), g[1])
data = data.replace(g[0], g[1])
# JS P,A,C,K,E,D
if jsU2.containsPacked(data):
data = jsU2.unpackAll(data)
escape_again = True
if jsU.containsPacked(data):
data = jsU.unpackAll(data)
escape_again = True
# JS W,I,S,E
if jsUW.containsWise(data):
data = jsUW.unwiseAll(data)
escape_again = True
# Js unFunc
if jsUF.cointainUnFunc(data):
data = jsUF.unFuncALL(data)
escape_again = True
if jsUP.containUnPP(data):
data = jsUP.UnPPAll(data)
escape_again = True
if JsPush.containUnPush(data):
data = JsPush.UnPush(data)
try:
data = zdecode(data)
escape_again = True
except:
pass
# unescape again
if escape_again:
data = doDemystify(data)
return data
def doDemystify(data):
from base64 import b64decode
escape_again=False
#lib.common.log("JairoDemyst:" + data)
#init jsFunctions and jsUnpacker
jsF = JsFunctions()
jsU = JsUnpacker()
jsU2 = JsUnpackerV2()
jsUW = JsUnwiser()
jsUI = JsUnIonCube()
jsUF = JsUnFunc()
jsUP = JsUnPP()
jsU95 = JsUnpacker95High()
JsPush = JsUnPush()
JsHive = hivelogic()
# replace NUL
#data = data.replace('\0','')
# unescape
r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile("""('%[\w%]{100,130}')""")
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, "unescape({0})".format(urllib.unquote_plus(quoted)))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, quoted.decode('unicode-escape'))
r = re.compile('(\'\+dec\("\w+"\)\+\')')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('dec\("(\w+)"\)')
for dec_data in r2.findall(g):
res = ''
for i in dec_data:
res = res + chr(ord(i) ^ 123)
data = data.replace(g, res)
#sebn
#(?:file\s*:|source\s*:|src\s*:|\w+=)\s*(window\.atob\(['"][^'"]+['"]\))
#"""(?:file:|source:|\w+=)\s*(window\.atob\(['"][^'"]+['"]\))"""
r = re.compile('(?:file\s*:|source\s*:|src\s*:|\w+\s*=)\s*(window\.atob\([\'"][^\'"]+[\'"]\))')
#lib.common.log("JairoXDecrypt: " + data)
if r.findall(data):
for g in r.findall(data):
#r"""window\.atob\(['"]([^'"]+)['"]\)"""
r2 = re.compile('window\.atob\([\'"]([^\'"]+)[\'"]\)')
for base64_data in r2.findall(g):
data = data.replace(g, '"'+urllib.unquote(base64_data.decode('base-64')+'"'))
#r = re.compile('((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)')
#while r.findall(data):
#for g in r.findall(data):
#r2 = re.compile('(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+')
#for base64_data in r2.findall(g):
#data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
#jairox: ustreamix -- Obfuscator HTML : https://github.com/BlueEyesHF/Obfuscator-HTML
r = re.compile(r"var\s*(\w+)\s*=\s*\[([A-Za-z0-9+=\/\",\s]+)\];\s*\1\.forEach.*-\s*(\d+)")
if r.findall(data):
try:
matches = re.compile(r"var\s*(\w+)\s*=\s*\[([A-Za-z0-9+=\/\",\s]+)\];\s*\1\.forEach.*-\s*(\d+)").findall(data)
chunks = matches[0][1].split(',')
op = int(matches[0][2])
dec_data = r""
for chunk in chunks:
try:
tmp = chunk.replace('"','')
tmp = str(b64decode(tmp))
dig = int(re.sub('[\D\s\n]','',tmp))
dig = dig - op
dec_data += chr(dig)
except:
pass
data = re.sub(r"(?s)<script>\s*var\s*\w+\s*=.*?var\s*(\w+)\s*=\s*\[.*<\/script>[\"']?", dec_data, data)
except:
pass
r = re.compile('(<script.*?str=\'@.*?str.replace)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('.*?str=\'([^\']+)')
for escape_data in r2.findall(g):
data = data.replace(g, urllib.unquote(escape_data.replace('@','%')))
r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
for base64_data in r2.findall(g):
data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
escape_again=True
if not 'sawlive' in data:
r = re.compile('\?i=([^&]+)&r=([^&\'"]+)')
for g in r.findall(data):
print g
try:
_a, _b = g[0].split('%2F')
_res = (_a+'=').decode('base-64')+'?'+_b.decode('base-64')
data = data.replace(g[0], _res)
data = data.replace(g[1], urllib.unquote(g[1]).decode('base-64'))
except:
pass
if 'var enkripsi' in data:
r = re.compile(r"""enkripsi="([^"]+)""")
gs = r.findall(data)
if gs:
for g in gs:
s=''
for i in g:
s+= chr(ord(i)^2)
data = data.replace("""enkripsi=\""""+g, urllib.unquote(s))
if """.replace(""" in data:
r = re.compile(r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""")
gs = r.findall(data)
if gs:
for g in gs:
if '\\' in g[0]:
data = data.replace(g[0].lower(),g[1])
data = data.replace(g[0],g[1])
r = re.compile(r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""")
gs = r.findall(data)
if gs:
for g in gs:
if '\\' in g[0]:
data = data.replace(g[0].lower(),g[1])
data = data.replace(g[0],g[1])
# 24cast
if 'destreamer(' in data:
r = re.compile("destreamer\(\"(.+?)\"\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, destreamer(g))
# JS P,A,C,K,E,D
if jsU95.containsPacked(data):
data = jsU95.unpackAll(data)
escape_again=True
if jsU2.containsPacked(data):
data = jsU2.unpackAll(data)
escape_again=True
if jsU.containsPacked(data):
data = jsU.unpackAll(data)
escape_again=True
# JS W,I,S,E
if jsUW.containsWise(data):
data = jsUW.unwiseAll(data)
escape_again=True
# JS IonCube
if jsUI.containsIon(data):
data = jsUI.unIonALL(data)
escape_again=True
# Js unFunc
if jsUF.cointainUnFunc(data):
data = jsUF.unFuncALL(data)
escape_again=True
if jsUP.containUnPP(data):
data = jsUP.UnPPAll(data)
escape_again=True
if JsPush.containUnPush(data):
data = JsPush.UnPush(data)
if JsHive.contains_hivelogic(data):
data = JsHive.unpack_hivelogic(data)
if re.search(r'hiro":".*?[\(\)\[\]\!\+]+', data) != None:
data = unFuckFirst(data)
#lib.common.log("JairoDemyst: " + data)
if re.search(r"zoomtv", data, re.IGNORECASE) != None:
#lib.common.log("JairoZoom:" + data)
data = zadd(data)
data = zadd2(data)
try:
data = zdecode(data)
escape_again=True
except: pass
# unescape again
if escape_again:
data = doDemystify(data)
return data
def doDemystify(data):
escape_again=False
#init jsFunctions and jsUnpacker
jsF = JsFunctions()
jsU = JsUnpacker()
jsU2 = JsUnpackerV2()
jsUW = JsUnwiser()
jsUI = JsUnIonCube()
jsUF = JsUnFunc()
jsUP = JsUnPP()
jsU95 = JsUnpacker95High()
JsPush = JsUnPush()
JsHive = hivelogic()
# replace NUL
#data = data.replace('\0','')
# unescape
r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile("""('%[\w%]{100,130}')""")
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, "unescape({0})".format(urllib.unquote_plus(quoted)))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, quoted.decode('unicode-escape'))
r = re.compile('(\'\+dec\("\w+"\)\+\')')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('dec\("(\w+)"\)')
for dec_data in r2.findall(g):
res = ''
for i in dec_data:
res = res + chr(ord(i) ^ 123)
data = data.replace(g, res)
r = re.compile('((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+')
for base64_data in r2.findall(g):
data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
r = re.compile('(<script.*?str=\'@.*?str.replace)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('.*?str=\'([^\']+)')
for escape_data in r2.findall(g):
data = data.replace(g, urllib.unquote(escape_data.replace('@','%')))
r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
for base64_data in r2.findall(g):
data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
escape_again=True
r = re.compile('(eval\(function\((?!w)\w+,\w+,\w+,\w+\),\w+,\w+.*?\{\}\)\);)', flags=re.DOTALL)
for g in r.findall(data):
try:
data = data.replace(g, wdecode(g))
escape_again=True
except:
pass
# n98c4d2c
if 'function n98c4d2c(' in data:
gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))
if 'var enkripsi' in data:
r = re.compile(r"""enkripsi="([^"]+)""")
gs = r.findall(data)
if gs:
for g in gs:
s=''
for i in g:
s+= chr(ord(i)^2)
data = data.replace("""enkripsi=\""""+g, urllib.unquote(s))
# o61a2a8f
if 'function o61a2a8f(' in data:
gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))
# RrRrRrRr
if 'function RrRrRrRr(' in data:
r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL)
gs = r.findall(data)
if gs != None and gs != []:
for g in gs:
data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\','')))
# hp_d01
if 'function hp_d01(' in data:
r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.hp_d01(g))
# ew_dc
if 'function ew_dc(' in data:
r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.ew_dc(g))
# pbbfa0
if 'function pbbfa0(' in data:
r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.pbbfa0(g))
if 'eval(function(' in data:
data = re.sub(r"""function\(\w\w\w\w,\w\w\w\w,\w\w\w\w,\w\w\w\w""",'function(p,a,c,k)',data.replace('#','|'))
data = re.sub(r"""\(\w\w\w\w\)%\w\w\w\w""",'e%a',data)
data = re.sub(r"""RegExp\(\w\w\w\w\(\w\w\w\w\)""",'RegExp(e(c)',data)
r = re.compile(r"""\.split\('([^']+)'\)""")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g,'|')
if """.replace(""" in data:
r = re.compile(r""".replace\(["']([^"']+)["'],\s*["']([^"']*)["']\)""")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g[0],g[1])
# util.de
if 'Util.de' in data:
r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g,g.decode('base64'))
# 24cast
if 'destreamer(' in data:
r = re.compile("destreamer\(\"(.+?)\"\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, destreamer(g))
# JS P,A,C,K,E,D
if jsU95.containsPacked(data):
data = jsU95.unpackAll(data)
escape_again=True
if jsU2.containsPacked(data):
data = jsU2.unpackAll(data)
escape_again=True
if jsU.containsPacked(data):
data = jsU.unpackAll(data)
escape_again=True
# JS W,I,S,E
if jsUW.containsWise(data):
data = jsUW.unwiseAll(data)
escape_again=True
# JS IonCube
if jsUI.containsIon(data):
data = jsUI.unIonALL(data)
escape_again=True
# Js unFunc
if jsUF.cointainUnFunc(data):
data = jsUF.unFuncALL(data)
escape_again=True
if jsUP.containUnPP(data):
data = jsUP.UnPPAll(data)
escape_again=True
if JsPush.containUnPush(data):
data = JsPush.UnPush(data)
if JsHive.contains_hivelogic(data):
data = JsHive.unpack_hivelogic(data)
try: data = zdecode(data)
except: pass
# unescape again
if escape_again:
data = doDemystify(data)
return data
def doDemystify(data):
common.log('MR DECODE0: ' )
escape_again=False
#init jsFunctions and jsUnpacker
jsF = JsFunctions()
jsU = JsUnpacker()
jsU2 = JsUnpackerV2()
jsUW = JsUnwiser()
jsUI = JsUnIonCube()
jsUF = JsUnFunc()
jsUP = JsUnPP()
jsU95 = JsUnpacker95High()
JsPush = JsUnPush()
#MRKNOW START
#common.log('MR DECODE1: ' + data)
r = re.compile("eval\(unescape\(\'.*'\)\);\s.*eval\(unescape\(\'.*\'\).*\'.*\'.*?unescape\(\'.*\'\)\);")
while r.findall(data):
for g in r.findall(data):
common.log('MR DECODE2: ' + g)
marian = re.compile(
'eval\(unescape\(\'([^\']+)\'\)\);\s.*eval\(unescape\(\'([^\']+)\'\).*\'([^\']+)\'.*?unescape\(\'([^\']+)\'\)\);').findall(
g)
mysplit = re.compile('s\.split\("([^"]+)"').findall(urllib.unquote(marian[0][0]))[0]
myadd = re.compile('unescape\(tmp\[1\] \+ "([^"]+)"\)').findall(urllib.unquote(marian[0][0]))[0]
myadd2 = re.compile('charCodeAt\(i\)\)\+(.*?)\)\;').findall(urllib.unquote(marian[0][0]))[0]
mystring = urllib.unquote(marian[0][2])
ile = mystring.split(str(mysplit));
k = ile[1] + str(myadd)
print("Ile", ile[1], k)
alina = []
# for y in k:
# print("y",y)
for i in range(0, len(mystring)):
aa = ord(mystring[i])
bb = int(k[i % len(k)])
alina.append((bb ^ aa) + int(myadd2))
res = ''.join(map(chr, alina))
# common.log('Malina: %s ' % malina)
data = data.replace(g, res)
common.log('MR DECODE10: ' + data)
#MRKNOW END
# replace NUL
#data = data.replace('\0','')
# unescape
r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, quoted.decode('unicode-escape'))
r = re.compile('(\'\+dec\("\w+"\)\+\')')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('dec\("(\w+)"\)')
for dec_data in r2.findall(g):
res = ''
for i in dec_data:
res = res + chr(ord(i) ^ 123)
data = data.replace(g, res)
r = re.compile('(eval\(decodeURIComponent\(atob\([\'"][^\'"]+[\'"]\)\)\);)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('eval\(decodeURIComponent\(atob\([\'"]([^\'"]+)[\'"]\)\)\);')
for base64_data in r2.findall(g):
data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
r = re.compile('(<script.*?str=\'@.*?str.replace)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('.*?str=\'([^\']+)')
for escape_data in r2.findall(g):
data = data.replace(g, urllib.unquote(escape_data.replace('@','%')))
r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
for base64_data in r2.findall(g):
data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
escape_again=True
r = re.compile('(eval\\(function\\(\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))', flags=re.DOTALL)
for g in r.findall(data):
try:
data = data.replace(g, wdecode(g))
escape_again=True
except:
pass
# n98c4d2c
if 'function n98c4d2c(' in data:
gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))
# o61a2a8f
if 'function o61a2a8f(' in data:
gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))
# RrRrRrRr
if 'function RrRrRrRr(' in data:
r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL)
gs = r.findall(data)
if gs != None and gs != []:
for g in gs:
data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\','')))
# hp_d01
if 'function hp_d01(' in data:
r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.hp_d01(g))
# ew_dc
if 'function ew_dc(' in data:
r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.ew_dc(g))
# pbbfa0
if 'function pbbfa0(' in data:
r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.pbbfa0(g))
# util.de
if 'Util.de' in data:
r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g,g.decode('base64'))
# 24cast
if 'destreamer(' in data:
r = re.compile("destreamer\(\"(.+?)\"\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, destreamer(g))
# JS P,A,C,K,E,D
if jsU95.containsPacked(data):
data = jsU95.unpackAll(data)
escape_again=True
if jsU2.containsPacked(data):
data = jsU2.unpackAll(data)
escape_again=True
if jsU.containsPacked(data):
data = jsU.unpackAll(data)
escape_again=True
# JS W,I,S,E
if jsUW.containsWise(data):
data = jsUW.unwiseAll(data)
escape_again=True
# JS IonCube
if jsUI.containsIon(data):
data = jsUI.unIonALL(data)
escape_again=True
# Js unFunc
if jsUF.cointainUnFunc(data):
data = jsUF.unFuncALL(data)
escape_again=True
if jsUP.containUnPP(data):
data = jsUP.UnPPAll(data)
escape_again=True
if JsPush.containUnPush(data):
data = JsPush.UnPush(data)
# unescape again
if escape_again:
data = doDemystify(data)
return data
def doDemystify(data):
#init jsFunctions and jsUnpacker
jsF = JsFunctions()
jsU = JsUnpacker()
jsUV2 = JsUnpackerV2()
jsUW = JsUnwiser()
jsUI = JsUnIonCube()
jsUF = JsUnFunc()
jsUP = JsUnPP()
jsU95 = JsUnpacker95High()
# replace NUL
data = data.replace('\0', '')
# unescape
r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, quoted.decode('unicode-escape'))
# n98c4d2c
if 'function n98c4d2c(' in data:
gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))
# o61a2a8f
if 'function o61a2a8f(' in data:
gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))
# RrRrRrRr
if 'function RrRrRrRr(' in data:
r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
re.IGNORECASE + re.DOTALL)
gs = r.findall(data)
if gs != None and gs != []:
for g in gs:
data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', '')))
# hp_d01
if 'function hp_d01(' in data:
r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.hp_d01(g))
# ew_dc
if 'function ew_dc(' in data:
r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.ew_dc(g))
# pbbfa0
if 'function pbbfa0(' in data:
r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.pbbfa0(g))
# util.de
if 'Util.de' in data:
r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, g.decode('base64'))
# 24cast
if 'destreamer(' in data:
r = re.compile("destreamer\(\"(.+?)\"\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, destreamer(g))
# Tiny url
#r = re.compile('[\'"](http://(?:www.)?tinyurl.com/[^\'"]+)[\'"]',re.IGNORECASE + re.DOTALL)
#m = r.findall(data)
#if m:
#for tiny in m:
#data = data.replace(tiny, get_redirected_url(tiny))
# JS P,A,C,K,E,D
if jsU.containsPacked(data):
data = jsU.unpackAll(data)
escape_again = False
#if still exists then apply v2
if jsUV2.containsPacked(data):
data = jsUV2.unpackAll(data)
escape_again = True
if jsU95.containsPacked(data):
data = jsU95.unpackAll(data)
escape_again = True
# JS W,I,S,E
if jsUW.containsWise(data):
data = jsUW.unwiseAll(data)
escape_again = True
# JS IonCube
if jsUI.containsIon(data):
data = jsUI.unIonALL(data)
escape_again = True
# Js unFunc
if jsUF.cointainUnFunc(data):
data = jsUF.unFuncALL(data)
escape_again = True
if jsUP.containUnPP(data):
data = jsUP.UnPPAll(data)
escape_again = True
# unescape again
if escape_again:
r = re.compile('unescape\(\s*["\']([^\'"]+)["\']')
gs = r.findall(data)
if gs:
for g in gs:
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
return data
def doDemystify(data):
common.log('MR DECODE0: ')
escape_again = False
#init jsFunctions and jsUnpacker
jsF = JsFunctions()
jsU = JsUnpacker()
jsU2 = JsUnpackerV2()
jsUW = JsUnwiser()
jsUI = JsUnIonCube()
jsUF = JsUnFunc()
jsUP = JsUnPP()
jsU95 = JsUnpacker95High()
JsPush = JsUnPush()
#MRKNOW START
#common.log('MR DECODE1: ' + data)
r = re.compile(
"eval\(unescape\(\'.*'\)\);\s.*eval\(unescape\(\'.*\'\).*\'.*\'.*?unescape\(\'.*\'\)\);"
)
while r.findall(data):
for g in r.findall(data):
common.log('MR DECODE2: ' + g)
marian = re.compile(
'eval\(unescape\(\'([^\']+)\'\)\);\s.*eval\(unescape\(\'([^\']+)\'\).*\'([^\']+)\'.*?unescape\(\'([^\']+)\'\)\);'
).findall(g)
mysplit = re.compile('s\.split\("([^"]+)"').findall(
urllib.unquote(marian[0][0]))[0]
myadd = re.compile('unescape\(tmp\[1\] \+ "([^"]+)"\)').findall(
urllib.unquote(marian[0][0]))[0]
myadd2 = re.compile('charCodeAt\(i\)\)\+(.*?)\)\;').findall(
urllib.unquote(marian[0][0]))[0]
mystring = urllib.unquote(marian[0][2])
ile = mystring.split(str(mysplit))
k = ile[1] + str(myadd)
print("Ile", ile[1], k)
alina = []
# for y in k:
# print("y",y)
for i in range(0, len(mystring)):
aa = ord(mystring[i])
bb = int(k[i % len(k)])
alina.append((bb ^ aa) + int(myadd2))
res = ''.join(map(chr, alina))
# common.log('Malina: %s ' % malina)
data = data.replace(g, res)
common.log('MR DECODE10: ' + data)
#MRKNOW END
# replace NUL
#data = data.replace('\0','')
# unescape
r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted = g
data = data.replace(quoted, quoted.decode('unicode-escape'))
r = re.compile('(\'\+dec\("\w+"\)\+\')')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('dec\("(\w+)"\)')
for dec_data in r2.findall(g):
res = ''
for i in dec_data:
res = res + chr(ord(i) ^ 123)
data = data.replace(g, res)
r = re.compile(
'(eval\(decodeURIComponent\(atob\([\'"][^\'"]+[\'"]\)\)\);)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile(
'eval\(decodeURIComponent\(atob\([\'"]([^\'"]+)[\'"]\)\)\);')
for base64_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(base64_data.decode('base-64')))
r = re.compile('(<script.*?str=\'@.*?str.replace)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('.*?str=\'([^\']+)')
for escape_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(escape_data.replace('@', '%')))
r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
for base64_data in r2.findall(g):
data = data.replace(
g, urllib.unquote(base64_data.decode('base-64')))
escape_again = True
r = re.compile(
'(eval\\(function\\(\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))',
flags=re.DOTALL)
for g in r.findall(data):
try:
data = data.replace(g, wdecode(g))
escape_again = True
except:
pass
# n98c4d2c
if 'function n98c4d2c(' in data:
gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))
# o61a2a8f
if 'function o61a2a8f(' in data:
gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
if gs != None and gs != []:
data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))
# RrRrRrRr
if 'function RrRrRrRr(' in data:
r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
re.IGNORECASE + re.DOTALL)
gs = r.findall(data)
if gs != None and gs != []:
for g in gs:
data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', '')))
# hp_d01
if 'function hp_d01(' in data:
r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.hp_d01(g))
# ew_dc
if 'function ew_dc(' in data:
r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.ew_dc(g))
# pbbfa0
if 'function pbbfa0(' in data:
r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, jsF.pbbfa0(g))
# util.de
if 'Util.de' in data:
r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, g.decode('base64'))
# 24cast
if 'destreamer(' in data:
r = re.compile("destreamer\(\"(.+?)\"\)")
gs = r.findall(data)
if gs:
for g in gs:
data = data.replace(g, destreamer(g))
# JS P,A,C,K,E,D
if jsU95.containsPacked(data):
data = jsU95.unpackAll(data)
escape_again = True
if jsU2.containsPacked(data):
data = jsU2.unpackAll(data)
escape_again = True
if jsU.containsPacked(data):
data = jsU.unpackAll(data)
escape_again = True
# JS W,I,S,E
if jsUW.containsWise(data):
data = jsUW.unwiseAll(data)
escape_again = True
# JS IonCube
if jsUI.containsIon(data):
data = jsUI.unIonALL(data)
escape_again = True
# Js unFunc
if jsUF.cointainUnFunc(data):
data = jsUF.unFuncALL(data)
escape_again = True
if jsUP.containUnPP(data):
data = jsUP.UnPPAll(data)
escape_again = True
if JsPush.containUnPush(data):
data = JsPush.UnPush(data)
# unescape again
if escape_again:
data = doDemystify(data)
return data
def doDemystify(data):
escape_again=False
#init jsFunctions and jsUnpacker
jsF = JsFunctions()
jsU = JsUnpacker()
jsU2 = JsUnpackerV2()
jsUW = JsUnwiser()
jsUF = JsUnFunc()
jsUP = JsUnPP()
JsPush = JsUnPush()
# unescape
r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, urllib.unquote_plus(quoted))
r = re.compile("""('%[\w%]{100,130}')""")
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, "unescape({0})".format(urllib.unquote_plus(quoted)))
r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
while r.findall(data):
for g in r.findall(data):
quoted=g
data = data.replace(quoted, quoted.decode('unicode-escape'))
r = re.compile('(\'\+dec\("\w+"\)\+\')')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('dec\("(\w+)"\)')
for dec_data in r2.findall(g):
res = ''
for i in dec_data:
res = res + chr(ord(i) ^ 123)
data = data.replace(g, res)
#sebn
r = re.compile(r"""(?:file:|source:|\w+=)\s*(window\.atob\(['"][^'"]+['"]\))""")
if r.findall(data):
for g in r.findall(data):
r2 = re.compile(r"""window\.atob\(['"]([^'"]+)['"]\)""")
for base64_data in r2.findall(g):
data = data.replace(g, '"'+urllib.unquote(base64_data.decode('base-64')+'"'))
#r = re.compile('((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)')
#while r.findall(data):
#for g in r.findall(data):
#r2 = re.compile('(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+')
#for base64_data in r2.findall(g):
#data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
r = re.compile('(<script.*?str=\'@.*?str.replace)')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('.*?str=\'([^\']+)')
for escape_data in r2.findall(g):
data = data.replace(g, urllib.unquote(escape_data.replace('@','%')))
r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
while r.findall(data):
for g in r.findall(data):
r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
for base64_data in r2.findall(g):
data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
escape_again=True
r = re.compile('\?i=([^&]+)&r=([^&\'"]+)')
for g in r.findall(data):
print g
try:
_a, _b = g[0].split('%2F')
_res = (_a+'=').decode('base-64')+'?'+_b.decode('base-64')
data = data.replace(g[0], _res)
data = data.replace(g[1], urllib.unquote(g[1]).decode('base-64'))
except:
pass
if 'var enkripsi' in data:
r = re.compile(r"""enkripsi="([^"]+)""")
gs = r.findall(data)
if gs:
for g in gs:
s=''
for i in g:
s+= chr(ord(i)^2)
data = data.replace("""enkripsi=\""""+g, urllib.unquote(s))
if """.replace(""" in data:
r = re.compile(r""".replace\(/([^/]+)/g,\s*["']([^"']*)["']\)""")
gs = r.findall(data)
if gs:
for g in gs:
if '\\' in g[0]:
data = data.replace(g[0].lower(),g[1])
data = data.replace(g[0],g[1])
r = re.compile(r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""")
gs = r.findall(data)
if gs:
for g in gs:
if '\\' in g[0]:
data = data.replace(g[0].lower(),g[1])
data = data.replace(g[0],g[1])
# JS P,A,C,K,E,D
if jsU2.containsPacked(data):
data = jsU2.unpackAll(data)
escape_again=True
if jsU.containsPacked(data):
data = jsU.unpackAll(data)
escape_again=True
# JS W,I,S,E
if jsUW.containsWise(data):
data = jsUW.unwiseAll(data)
escape_again=True
# Js unFunc
if jsUF.cointainUnFunc(data):
data = jsUF.unFuncALL(data)
escape_again=True
if jsUP.containUnPP(data):
data = jsUP.UnPPAll(data)
escape_again=True
if JsPush.containUnPush(data):
data = JsPush.UnPush(data)
try:
data = zdecode(data)
escape_again=True
except: pass
# unescape again
if escape_again:
data = doDemystify(data)
return data