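def doDemystify(data):
    """Decode known JavaScript obfuscation wrappers found in *data*.

    Runs a fixed sequence of passes over the text. Each pass looks for one
    obfuscation pattern, decodes the captured payload and substitutes the
    decoded text back into *data*. Passes run in order, so a later pass sees
    the output of the earlier ones.

    This is Python 2 code: it relies on ``urllib.unquote_plus`` and on
    ``str.decode('base64')``.

    Security notes:
        * *data* is scraped page content and must be treated as untrusted.
        * Substitution uses ``str.replace``, which rewrites every occurrence
          of the captured text in *data*, not only the one inside the
          matched call.
        * The tinyurl pass hands URLs taken from *data* to
          ``get_redirected_url``. The host part of that pattern is matched
          literally (dots escaped) so that only tinyurl.com links are
          passed on.

    Args:
        data: text to scan.

    Returns:
        The text with every recognised wrapper decoded in place.
    """
    # unescape("...") string literals: percent-decode the quoted argument.
    for quoted in re.findall(r'unescape\(\s*["\']([^\'"]+)["\']', data):
        data = data.replace(quoted, urllib.unquote_plus(quoted))

    # n98c4d2c (decoder and parseTextToGroups are defined elsewhere)
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, r".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs is not None and gs != []:
            data = data.replace(gs[0], n98c4d2c(gs[0]))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, r".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs is not None and gs != []:
            data = data.replace(gs[0], o61a2a8f(gs[0]))

    # RrRrRrRr: group 0 is the whole call, group 1 the quoted payload.
    if 'function RrRrRrRr(' in data:
        pattern = re.compile(r"(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
                             re.IGNORECASE | re.DOTALL)
        for call, payload in pattern.findall(data):
            # Backslashes are stripped from the payload before decoding.
            data = data.replace(call, RrRrRrRr(payload.replace('\\', '')))

    # hp_d01
    if 'function hp_d01(' in data:
        for g in re.findall(r"hp_d01\(unescape\(\"(.+?)\"\)\);//-->", data):
            data = data.replace(g, hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        for g in re.findall(r"ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>", data):
            data = data.replace(g, ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        for g in re.findall(r"pbbfa0\(''\).*?'(.+?)'.\+.unescape", data):
            data = data.replace(g, pbbfa0(g))

    # Util.de: the payload is base64. The dot is escaped so that only the
    # literal "Util.de(" call is matched.
    if 'Util.de' in data:
        for g in re.findall(r"Util\.de\(unescape\(['\"](.+?)['\"]\)\)", data):
            # NOTE(review): decode('base64') raises on malformed input (for
            # example bad padding) and the exception propagates to the
            # caller; confirm callers handle it.
            data = data.replace(g, g.decode('base64'))

    # 24cast
    if 'destreamer(' in data:
        for g in re.findall(r"destreamer\(\"(.+?)\"\)", data):
            data = data.replace(g, destreamer(g))

    # Tiny url. The dots in the host are escaped: with bare "." the pattern
    # also accepted hosts that merely resemble tinyurl.com, and every match
    # is forwarded to get_redirected_url.
    # NOTE(review): get_redirected_url is defined elsewhere; presumably it
    # performs a network request to follow the redirect. Confirm it uses a
    # timeout and that the resolved target is validated before use.
    tiny_re = re.compile(r'[\'"](http://(?:www\.)?tinyurl\.com/[^\'"]+)[\'"]',
                         re.IGNORECASE | re.DOTALL)
    for tiny in tiny_re.findall(data):
        data = data.replace(tiny, get_redirected_url(tiny))

    return data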
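def doDemystify(data):
    """Decode known JavaScript obfuscation wrappers found in *data*.

    Strips NUL characters, then runs a fixed sequence of passes over the
    text. Each pass looks for one obfuscation pattern, decodes the captured
    payload and substitutes the decoded text back into *data*. The last pass
    unpacks P,A,C,K,E,D JavaScript through ``JsUnpacker``. Passes run in
    order, so a later pass sees the output of the earlier ones.

    This is Python 2 code: it relies on ``urllib.unquote_plus`` and on
    ``str.decode('base64')``.

    Security notes:
        * *data* is scraped page content and must be treated as untrusted.
        * Substitution uses ``str.replace``, which rewrites every occurrence
          of the captured text in *data*, not only the one inside the
          matched call.
        * The tinyurl pass hands URLs taken from *data* to
          ``get_redirected_url``. The host part of that pattern is matched
          literally (dots escaped) so that only tinyurl.com links are
          passed on.

    Args:
        data: text to scan.

    Returns:
        The text with every recognised wrapper decoded in place.
    """
    # init jsFunctions and jsUnpacker (both classes are defined elsewhere)
    jsF = JsFunctions()
    jsU = JsUnpacker()

    # replace NUL
    data = data.replace('\0', '')

    # unescape("...") string literals: percent-decode the quoted argument.
    for quoted in re.findall(r'unescape\(\s*["\']([^\'"]+)["\']', data):
        data = data.replace(quoted, urllib.unquote_plus(quoted))

    # n98c4d2c (parseTextToGroups is defined elsewhere)
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, r".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs is not None and gs != []:
            data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, r".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs is not None and gs != []:
            data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))

    # RrRrRrRr: group 0 is the whole call, group 1 the quoted payload.
    if 'function RrRrRrRr(' in data:
        pattern = re.compile(r"(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
                             re.IGNORECASE | re.DOTALL)
        for call, payload in pattern.findall(data):
            # Backslashes are stripped from the payload before decoding.
            data = data.replace(call, jsF.RrRrRrRr(payload.replace('\\', '')))

    # hp_d01
    if 'function hp_d01(' in data:
        for g in re.findall(r"hp_d01\(unescape\(\"(.+?)\"\)\);//-->", data):
            data = data.replace(g, jsF.hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        for g in re.findall(r"ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>", data):
            data = data.replace(g, jsF.ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        for g in re.findall(r"pbbfa0\(''\).*?'(.+?)'.\+.unescape", data):
            data = data.replace(g, jsF.pbbfa0(g))

    # Util.de: the payload is base64. The dot is escaped so that only the
    # literal "Util.de(" call is matched.
    if 'Util.de' in data:
        for g in re.findall(r"Util\.de\(unescape\(['\"](.+?)['\"]\)\)", data):
            # NOTE(review): decode('base64') raises on malformed input (for
            # example bad padding) and the exception propagates to the
            # caller; confirm callers handle it.
            data = data.replace(g, g.decode('base64'))

    # 24cast (destreamer is a module-level function, not a jsF method)
    if 'destreamer(' in data:
        for g in re.findall(r"destreamer\(\"(.+?)\"\)", data):
            data = data.replace(g, destreamer(g))

    # Tiny url. The dots in the host are escaped: with bare "." the pattern
    # also accepted hosts that merely resemble tinyurl.com, and every match
    # is forwarded to get_redirected_url.
    # NOTE(review): get_redirected_url is defined elsewhere; presumably it
    # performs a network request to follow the redirect. Confirm it uses a
    # timeout and that the resolved target is validated before use.
    tiny_re = re.compile(r'[\'"](http://(?:www\.)?tinyurl\.com/[^\'"]+)[\'"]',
                         re.IGNORECASE | re.DOTALL)
    for tiny in tiny_re.findall(data):
        data = data.replace(tiny, get_redirected_url(tiny))

    # JS P,A,C,K,E,D
    if jsU.containsPacked(data):
        data = jsU.unpackAll(data)

    return data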
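def doDemystify(data):
    """Decode known JavaScript obfuscation wrappers found in *data*.

    Strips NUL characters, then runs a fixed sequence of passes over the
    text. Each pass looks for one obfuscation pattern, decodes the captured
    payload and substitutes the decoded text back into *data*. The final
    passes run the packer-specific unpackers (P,A,C,K,E,D, its v2 variant,
    W,I,S,E and IonCube). If any of the last three fired, the ``unescape``
    pass is repeated on their output. Passes run in order, so a later pass
    sees the output of the earlier ones.

    This is Python 2 code: it relies on ``urllib.unquote_plus`` and on
    ``str.decode('base64')``.

    Security notes:
        * *data* is scraped page content and must be treated as untrusted.
        * Substitution uses ``str.replace``, which rewrites every occurrence
          of the captured text in *data*, not only the one inside the
          matched call.
        * The tinyurl pass hands URLs taken from *data* to
          ``get_redirected_url``. The host part of that pattern is matched
          literally (dots escaped) so that only tinyurl.com links are
          passed on.

    Args:
        data: text to scan.

    Returns:
        The text with every recognised wrapper decoded in place.
    """
    unescape_re = re.compile(r'unescape\(\s*["\']([^\'"]+)["\']')

    def _unescape_literals(text):
        # Percent-decode the quoted argument of every unescape("...") call.
        for quoted in unescape_re.findall(text):
            text = text.replace(quoted, urllib.unquote_plus(quoted))
        return text

    # init jsFunctions and the unpackers (all classes are defined elsewhere)
    jsF = JsFunctions()
    jsU = JsUnpacker()
    jsUV2 = JsUnpackerV2()
    jsUW = JsUnwiser()
    jsUI = JsUnIonCube()

    # replace NUL
    data = data.replace('\0', '')

    # unescape
    data = _unescape_literals(data)

    # n98c4d2c (parseTextToGroups is defined elsewhere)
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, r".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs is not None and gs != []:
            data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, r".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs is not None and gs != []:
            data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))

    # RrRrRrRr: group 0 is the whole call, group 1 the quoted payload.
    if 'function RrRrRrRr(' in data:
        pattern = re.compile(r"(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
                             re.IGNORECASE | re.DOTALL)
        for call, payload in pattern.findall(data):
            # Backslashes are stripped from the payload before decoding.
            data = data.replace(call, jsF.RrRrRrRr(payload.replace('\\', '')))

    # hp_d01
    if 'function hp_d01(' in data:
        for g in re.findall(r"hp_d01\(unescape\(\"(.+?)\"\)\);//-->", data):
            data = data.replace(g, jsF.hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        for g in re.findall(r"ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>", data):
            data = data.replace(g, jsF.ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        for g in re.findall(r"pbbfa0\(''\).*?'(.+?)'.\+.unescape", data):
            data = data.replace(g, jsF.pbbfa0(g))

    # Util.de: the payload is base64. The dot is escaped so that only the
    # literal "Util.de(" call is matched.
    if 'Util.de' in data:
        for g in re.findall(r"Util\.de\(unescape\(['\"](.+?)['\"]\)\)", data):
            # NOTE(review): decode('base64') raises on malformed input (for
            # example bad padding) and the exception propagates to the
            # caller; confirm callers handle it.
            data = data.replace(g, g.decode('base64'))

    # 24cast (destreamer is a module-level function, not a jsF method)
    if 'destreamer(' in data:
        for g in re.findall(r"destreamer\(\"(.+?)\"\)", data):
            data = data.replace(g, destreamer(g))

    # Tiny url. The dots in the host are escaped: with bare "." the pattern
    # also accepted hosts that merely resemble tinyurl.com, and every match
    # is forwarded to get_redirected_url.
    # NOTE(review): get_redirected_url is defined elsewhere; presumably it
    # performs a network request to follow the redirect. Confirm it uses a
    # timeout and that the resolved target is validated before use.
    tiny_re = re.compile(r'[\'"](http://(?:www\.)?tinyurl\.com/[^\'"]+)[\'"]',
                         re.IGNORECASE | re.DOTALL)
    for tiny in tiny_re.findall(data):
        data = data.replace(tiny, get_redirected_url(tiny))

    # JS P,A,C,K,E,D
    if jsU.containsPacked(data):
        data = jsU.unpackAll(data)

    # The first unpacker does not request a second unescape pass; only the
    # three unpackers below do.
    escape_again = False

    # if still exists then apply v2
    if jsUV2.containsPacked(data):
        data = jsUV2.unpackAll(data)
        escape_again = True

    # JS W,I,S,E
    if jsUW.containsWise(data):
        data = jsUW.unwiseAll(data)
        escape_again = True

    # JS IonCube
    if jsUI.containsIon(data):
        data = jsUI.unIonALL(data)
        escape_again = True

    # unescape again: unpacked output may itself contain unescape("...")
    if escape_again:
        data = _unescape_literals(data)

    return data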