def doDemystify(data): escape_again=False #init jsFunctions and jsUnpacker jsF = JsFunctions() jsU = JsUnpacker() jsU2 = JsUnpackerV2() jsUW = JsUnwiser() jsUI = JsUnIonCube() jsUF = JsUnFunc() jsUP = JsUnPP() jsU95 = JsUnpacker95High() JsPush = JsUnPush() JsHive = hivelogic() # replace NUL #data = data.replace('\0','') # unescape r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile("""('%[\w%]{100,130}')""") while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, "unescape({0})".format(urllib.unquote_plus(quoted))) r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, quoted.decode('unicode-escape')) r = re.compile('(\'\+dec\("\w+"\)\+\')') while r.findall(data): for g in r.findall(data): r2 = re.compile('dec\("(\w+)"\)') for dec_data in r2.findall(g): res = '' for i in dec_data: res = res + chr(ord(i) ^ 123) data = data.replace(g, res) r = re.compile('((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)') while r.findall(data): for g in r.findall(data): r2 = re.compile('(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+') for base64_data in r2.findall(g): data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) r = re.compile('(<script.*?str=\'@.*?str.replace)') while r.findall(data): for g in r.findall(data): r2 = re.compile('.*?str=\'([^\']+)') for escape_data in r2.findall(g): data = data.replace(g, urllib.unquote(escape_data.replace('@','%'))) r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))') while r.findall(data): for g in r.findall(data): r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)') for base64_data in r2.findall(g): data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) escape_again=True r = re.compile('(eval\(function\((?!w)\w+,\w+,\w+,\w+\),\w+,\w+.*?\{\}\)\);)', flags=re.DOTALL) for g in r.findall(data): try: data = data.replace(g, wdecode(g)) escape_again=True except: pass if '"result2":"'in data: r = re.compile(r""":("(?!http)\w+\.\w+\.m3u8")""") gs = r.findall(data) if gs: for g in gs: _in = json.loads(g).split('.') aes = AES.new('5e4542404f4c757e4431675f373837385649313133356f3152693935366e4361'.decode('hex'), AES.MODE_CBC, _in[1].decode('hex')) unpad = lambda s : s[0:-ord(s[-1])] try: _url = unpad(aes.decrypt(_in[0].decode('hex'))) except: _url = None if _url: data = data.replace(g,json.dumps( _url )) else: aes = AES.new('5e5858405046757e4631775f33414141514e3133393973315775336c34695a5a'.decode('hex'), AES.MODE_CBC, _in[1].decode('hex')) _url = unpad(aes.decrypt(_in[0].decode('hex'))) data = data.replace(g,json.dumps( _url )) r = re.compile(r""":("(?!http)[\w=\\/\+]+\.m3u8")""") gs = r.findall(data) if gs: for g in gs: data = data.replace(g,json.dumps(decryptDES_ECB(json.loads(g)[:-5], '5333637233742600'.decode('hex')))) # n98c4d2c if 'function n98c4d2c(' in data: gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.n98c4d2c(gs[0])) if 'var enkripsi' in data: r = re.compile(r"""enkripsi="([^"]+)""") gs = r.findall(data) if gs: for g in gs: s='' for i in g: s+= chr(ord(i)^2) data = data.replace("""enkripsi=\""""+g, urllib.unquote(s)) # o61a2a8f if 'function o61a2a8f(' in data: gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.o61a2a8f(gs[0])) # RrRrRrRr if 'function RrRrRrRr(' in data: r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL) gs = r.findall(data) if gs != None and gs != []: for g in gs: data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\',''))) # hp_d01 if 'function hp_d01(' in data: r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.hp_d01(g)) # ew_dc if 'function ew_dc(' in data: r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.ew_dc(g)) # pbbfa0 if 'function pbbfa0(' in data: r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.pbbfa0(g)) if 'eval(function(' in data: data = re.sub(r"""function\(\w\w\w\w,\w\w\w\w,\w\w\w\w,\w\w\w\w""",'function(p,a,c,k)',data.replace('#','|')) data = re.sub(r"""\(\w\w\w\w\)%\w\w\w\w""",'e%a',data) data = re.sub(r"""RegExp\(\w\w\w\w\(\w\w\w\w\)""",'RegExp(e(c)',data) r = re.compile(r"""\.split\('([^']+)'\)""") gs = r.findall(data) if gs: for g in gs: data = data.replace(g,'|') if """.replace(""" in data: r = re.compile(r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""") gs = r.findall(data) if gs: for g in gs: data = data.replace(g[0],g[1]) # util.de if 'Util.de' in data: r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g,g.decode('base64')) # 24cast if 'destreamer(' in data: r = re.compile("destreamer\(\"(.+?)\"\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, destreamer(g)) # JS P,A,C,K,E,D if jsU95.containsPacked(data): data = jsU95.unpackAll(data) escape_again=True if jsU2.containsPacked(data): data = jsU2.unpackAll(data) escape_again=True if jsU.containsPacked(data): data = jsU.unpackAll(data) escape_again=True # JS W,I,S,E if jsUW.containsWise(data): data = jsUW.unwiseAll(data) escape_again=True # JS IonCube if jsUI.containsIon(data): data = jsUI.unIonALL(data) escape_again=True # Js unFunc if jsUF.cointainUnFunc(data): data = jsUF.unFuncALL(data) escape_again=True if jsUP.containUnPP(data): data = jsUP.UnPPAll(data) escape_again=True if JsPush.containUnPush(data): data = JsPush.UnPush(data) if JsHive.contains_hivelogic(data): data = JsHive.unpack_hivelogic(data) try: data = zdecode(data) except: pass # unescape again if escape_again: data = doDemystify(data) return data
def doDemystify(data): escape_again=False #init jsFunctions and jsUnpacker jsF = JsFunctions() jsU = JsUnpacker() jsU2 = JsUnpackerV2() jsUW = JsUnwiser() jsUI = JsUnIonCube() jsUF = JsUnFunc() jsUP = JsUnPP() jsU95 = JsUnpacker95High() JsPush = JsUnPush() # replace NUL #data = data.replace('\0','') # unescape r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, quoted.decode('unicode-escape')) r = re.compile('(\'\+dec\("\w+"\)\+\')') while r.findall(data): for g in r.findall(data): r2 = re.compile('dec\("(\w+)"\)') for dec_data in r2.findall(g): res = '' for i in dec_data: res = res + chr(ord(i) ^ 123) data = data.replace(g, res) r = re.compile('(eval\(decodeURIComponent\(atob\([\'"][^\'"]+[\'"]\)\)\);)') while r.findall(data): for g in r.findall(data): r2 = re.compile('eval\(decodeURIComponent\(atob\([\'"]([^\'"]+)[\'"]\)\)\);') for base64_data in r2.findall(g): data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) r = re.compile('(<script.*?str=\'@.*?str.replace)') while r.findall(data): for g in r.findall(data): r2 = re.compile('.*?str=\'([^\']+)') for escape_data in r2.findall(g): data = data.replace(g, urllib.unquote(escape_data.replace('@','%'))) r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))') while r.findall(data): for g in r.findall(data): r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)') for base64_data in r2.findall(g): data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) escape_again=True r = re.compile('(eval\\(function\\(\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))', flags=re.DOTALL) for g in r.findall(data): try: data = data.replace(g, wdecode(g)) escape_again=True except: pass # n98c4d2c if 'function n98c4d2c(' in data: gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.n98c4d2c(gs[0])) # o61a2a8f if 'function o61a2a8f(' in data: gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.o61a2a8f(gs[0])) # RrRrRrRr if 'function RrRrRrRr(' in data: r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL) gs = r.findall(data) if gs != None and gs != []: for g in gs: data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\',''))) # hp_d01 if 'function hp_d01(' in data: r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.hp_d01(g)) # ew_dc if 'function ew_dc(' in data: r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.ew_dc(g)) # pbbfa0 if 'function pbbfa0(' in data: r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.pbbfa0(g)) # util.de if 'Util.de' in data: r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g,g.decode('base64')) # 24cast if 'destreamer(' in data: r = re.compile("destreamer\(\"(.+?)\"\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, destreamer(g)) # JS P,A,C,K,E,D if jsU95.containsPacked(data): data = jsU95.unpackAll(data) escape_again=True if jsU2.containsPacked(data): data = jsU2.unpackAll(data) escape_again=True if jsU.containsPacked(data): data = jsU.unpackAll(data) escape_again=True # JS W,I,S,E if jsUW.containsWise(data): data = jsUW.unwiseAll(data) escape_again=True # JS IonCube if jsUI.containsIon(data): data = jsUI.unIonALL(data) escape_again=True # Js unFunc if jsUF.cointainUnFunc(data): data = jsUF.unFuncALL(data) escape_again=True if jsUP.containUnPP(data): data = jsUP.UnPPAll(data) escape_again=True if JsPush.containUnPush(data): data = JsPush.UnPush(data) # unescape again if escape_again: data = doDemystify(data) return data
def doDemystify(data): from base64 import b64decode escape_again=False #lib.common.log("JairoDemyst:" + data) #init jsFunctions and jsUnpacker jsF = JsFunctions() jsU = JsUnpacker() jsU2 = JsUnpackerV2() jsUW = JsUnwiser() jsUI = JsUnIonCube() jsUF = JsUnFunc() jsUP = JsUnPP() jsU95 = JsUnpacker95High() JsPush = JsUnPush() JsHive = hivelogic() # replace NUL #data = data.replace('\0','') # unescape r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile("""('%[\w%]{100,130}')""") while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, "unescape({0})".format(urllib.unquote_plus(quoted))) r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, quoted.decode('unicode-escape')) r = re.compile('(\'\+dec\("\w+"\)\+\')') while r.findall(data): for g in r.findall(data): r2 = re.compile('dec\("(\w+)"\)') for dec_data in r2.findall(g): res = '' for i in dec_data: res = res + chr(ord(i) ^ 123) data = data.replace(g, res) #sebn #(?:file\s*:|source\s*:|src\s*:|\w+=)\s*(window\.atob\(['"][^'"]+['"]\)) #"""(?:file:|source:|\w+=)\s*(window\.atob\(['"][^'"]+['"]\))""" r = re.compile('(?:file\s*:|source\s*:|src\s*:|\w+\s*=)\s*(window\.atob\([\'"][^\'"]+[\'"]\))') #lib.common.log("JairoXDecrypt: " + data) if r.findall(data): for g in r.findall(data): #r"""window\.atob\(['"]([^'"]+)['"]\)""" r2 = re.compile('window\.atob\([\'"]([^\'"]+)[\'"]\)') for base64_data in r2.findall(g): data = data.replace(g, '"'+urllib.unquote(base64_data.decode('base-64')+'"')) #r = re.compile('((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)') #while r.findall(data): #for g in r.findall(data): #r2 = re.compile('(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+') #for base64_data in r2.findall(g): #data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) #jairox: ustreamix -- Obfuscator HTML : https://github.com/BlueEyesHF/Obfuscator-HTML r = re.compile(r"var\s*(\w+)\s*=\s*\[([A-Za-z0-9+=\/\",\s]+)\];\s*\1\.forEach.*-\s*(\d+)") if r.findall(data): try: matches = re.compile(r"var\s*(\w+)\s*=\s*\[([A-Za-z0-9+=\/\",\s]+)\];\s*\1\.forEach.*-\s*(\d+)").findall(data) chunks = matches[0][1].split(',') op = int(matches[0][2]) dec_data = r"" for chunk in chunks: try: tmp = chunk.replace('"','') tmp = str(b64decode(tmp)) dig = int(re.sub('[\D\s\n]','',tmp)) dig = dig - op dec_data += chr(dig) except: pass data = re.sub(r"(?s)<script>\s*var\s*\w+\s*=.*?var\s*(\w+)\s*=\s*\[.*<\/script>[\"']?", dec_data, data) except: pass r = re.compile('(<script.*?str=\'@.*?str.replace)') while r.findall(data): for g in r.findall(data): r2 = re.compile('.*?str=\'([^\']+)') for escape_data in r2.findall(g): data = data.replace(g, urllib.unquote(escape_data.replace('@','%'))) r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))') while r.findall(data): for g in r.findall(data): r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)') for base64_data in r2.findall(g): data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) escape_again=True if not 'sawlive' in data: r = re.compile('\?i=([^&]+)&r=([^&\'"]+)') for g in r.findall(data): print g try: _a, _b = g[0].split('%2F') _res = (_a+'=').decode('base-64')+'?'+_b.decode('base-64') data = data.replace(g[0], _res) data = data.replace(g[1], urllib.unquote(g[1]).decode('base-64')) except: pass if 'var enkripsi' in data: r = re.compile(r"""enkripsi="([^"]+)""") gs = r.findall(data) if gs: for g in gs: s='' for i in g: s+= chr(ord(i)^2) data = data.replace("""enkripsi=\""""+g, urllib.unquote(s)) if """.replace(""" in data: r = re.compile(r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""") gs = r.findall(data) if gs: for g in gs: if '\\' in g[0]: data = data.replace(g[0].lower(),g[1]) data = data.replace(g[0],g[1]) r = re.compile(r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""") gs = r.findall(data) if gs: for g in gs: if '\\' in g[0]: data = data.replace(g[0].lower(),g[1]) data = data.replace(g[0],g[1]) # 24cast if 'destreamer(' in data: r = re.compile("destreamer\(\"(.+?)\"\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, destreamer(g)) # JS P,A,C,K,E,D if jsU95.containsPacked(data): data = jsU95.unpackAll(data) escape_again=True if jsU2.containsPacked(data): data = jsU2.unpackAll(data) escape_again=True if jsU.containsPacked(data): data = jsU.unpackAll(data) escape_again=True # JS W,I,S,E if jsUW.containsWise(data): data = jsUW.unwiseAll(data) escape_again=True # JS IonCube if jsUI.containsIon(data): data = jsUI.unIonALL(data) escape_again=True # Js unFunc if jsUF.cointainUnFunc(data): data = jsUF.unFuncALL(data) escape_again=True if jsUP.containUnPP(data): data = jsUP.UnPPAll(data) escape_again=True if JsPush.containUnPush(data): data = JsPush.UnPush(data) if JsHive.contains_hivelogic(data): data = JsHive.unpack_hivelogic(data) if re.search(r'hiro":".*?[\(\)\[\]\!\+]+', data) != None: data = unFuckFirst(data) #lib.common.log("JairoDemyst: " + data) if re.search(r"zoomtv", data, re.IGNORECASE) != None: #lib.common.log("JairoZoom:" + data) data = zadd(data) data = zadd2(data) try: data = zdecode(data) escape_again=True except: pass # unescape again if escape_again: data = doDemystify(data) return data
def doDemystify(data): #init jsFunctions and jsUnpacker jsF = JsFunctions() jsU = JsUnpacker() jsUV2 =JsUnpackerV2() jsUW = JsUnwiser() jsUI = JsUnIonCube() jsUF = JsUnFunc() jsUP = JsUnPP() jsU95 = JsUnpacker95High() # replace NUL data = data.replace('\0','') # unescape r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, quoted.decode('unicode-escape')) # n98c4d2c if 'function n98c4d2c(' in data: gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.n98c4d2c(gs[0])) # o61a2a8f if 'function o61a2a8f(' in data: gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.o61a2a8f(gs[0])) # RrRrRrRr if 'function RrRrRrRr(' in data: r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL) gs = r.findall(data) if gs != None and gs != []: for g in gs: data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\',''))) # hp_d01 if 'function hp_d01(' in data: r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.hp_d01(g)) # ew_dc if 'function ew_dc(' in data: r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.ew_dc(g)) # pbbfa0 if 'function pbbfa0(' in data: r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.pbbfa0(g)) # util.de if 'Util.de' in data: r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g,g.decode('base64')) # 24cast if 'destreamer(' in data: r = re.compile("destreamer\(\"(.+?)\"\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, destreamer(g)) # Tiny url #r = re.compile('[\'"](http://(?:www.)?tinyurl.com/[^\'"]+)[\'"]',re.IGNORECASE + re.DOTALL) #m = r.findall(data) #if m: #for tiny in m: #data = data.replace(tiny, get_redirected_url(tiny)) # JS P,A,C,K,E,D if jsU.containsPacked(data): data = jsU.unpackAll(data) escape_again=False #if still exists then apply v2 if jsUV2.containsPacked(data): data = jsUV2.unpackAll(data) escape_again=True if jsU95.containsPacked(data): data = jsU95.unpackAll(data) escape_again=True # JS W,I,S,E if jsUW.containsWise(data): data = jsUW.unwiseAll(data) escape_again=True # JS IonCube if jsUI.containsIon(data): data = jsUI.unIonALL(data) escape_again=True # Js unFunc if jsUF.cointainUnFunc(data): data = jsUF.unFuncALL(data) escape_again=True if jsUP.containUnPP(data): data = jsUP.UnPPAll(data) escape_again=True # unescape again if escape_again: r = re.compile('unescape\(\s*["\']([^\'"]+)["\']') gs = r.findall(data) if gs: for g in gs: quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) return data
def doDemystify(data): common.log('MR DECODE0: ' ) escape_again=False #init jsFunctions and jsUnpacker jsF = JsFunctions() jsU = JsUnpacker() jsU2 = JsUnpackerV2() jsUW = JsUnwiser() jsUI = JsUnIonCube() jsUF = JsUnFunc() jsUP = JsUnPP() jsU95 = JsUnpacker95High() JsPush = JsUnPush() #MRKNOW START #common.log('MR DECODE1: ' + data) r = re.compile("eval\(unescape\(\'.*'\)\);\s.*eval\(unescape\(\'.*\'\).*\'.*\'.*?unescape\(\'.*\'\)\);") while r.findall(data): for g in r.findall(data): common.log('MR DECODE2: ' + g) marian = re.compile( 'eval\(unescape\(\'([^\']+)\'\)\);\s.*eval\(unescape\(\'([^\']+)\'\).*\'([^\']+)\'.*?unescape\(\'([^\']+)\'\)\);').findall( g) mysplit = re.compile('s\.split\("([^"]+)"').findall(urllib.unquote(marian[0][0]))[0] myadd = re.compile('unescape\(tmp\[1\] \+ "([^"]+)"\)').findall(urllib.unquote(marian[0][0]))[0] myadd2 = re.compile('charCodeAt\(i\)\)\+(.*?)\)\;').findall(urllib.unquote(marian[0][0]))[0] mystring = urllib.unquote(marian[0][2]) ile = mystring.split(str(mysplit)); k = ile[1] + str(myadd) print("Ile", ile[1], k) alina = [] # for y in k: # print("y",y) for i in range(0, len(mystring)): aa = ord(mystring[i]) bb = int(k[i % len(k)]) alina.append((bb ^ aa) + int(myadd2)) res = ''.join(map(chr, alina)) # common.log('Malina: %s ' % malina) data = data.replace(g, res) common.log('MR DECODE10: ' + data) #MRKNOW END # replace NUL #data = data.replace('\0','') # unescape r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, quoted.decode('unicode-escape')) r = re.compile('(\'\+dec\("\w+"\)\+\')') while r.findall(data): for g in r.findall(data): r2 = re.compile('dec\("(\w+)"\)') for dec_data in r2.findall(g): res = '' for i in dec_data: res = res + chr(ord(i) ^ 123) data = data.replace(g, res) r = re.compile('(eval\(decodeURIComponent\(atob\([\'"][^\'"]+[\'"]\)\)\);)') while r.findall(data): for g in r.findall(data): r2 = re.compile('eval\(decodeURIComponent\(atob\([\'"]([^\'"]+)[\'"]\)\)\);') for base64_data in r2.findall(g): data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) r = re.compile('(<script.*?str=\'@.*?str.replace)') while r.findall(data): for g in r.findall(data): r2 = re.compile('.*?str=\'([^\']+)') for escape_data in r2.findall(g): data = data.replace(g, urllib.unquote(escape_data.replace('@','%'))) r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))') while r.findall(data): for g in r.findall(data): r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)') for base64_data in r2.findall(g): data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) escape_again=True r = re.compile('(eval\\(function\\(\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))', flags=re.DOTALL) for g in r.findall(data): try: data = data.replace(g, wdecode(g)) escape_again=True except: pass # n98c4d2c if 'function n98c4d2c(' in data: gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.n98c4d2c(gs[0])) # o61a2a8f if 'function o61a2a8f(' in data: gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.o61a2a8f(gs[0])) # RrRrRrRr if 'function RrRrRrRr(' in data: r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL) gs = r.findall(data) if gs != None and gs != []: for g in gs: data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\',''))) # hp_d01 if 'function hp_d01(' in data: r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.hp_d01(g)) # ew_dc if 'function ew_dc(' in data: r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.ew_dc(g)) # pbbfa0 if 'function pbbfa0(' in data: r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.pbbfa0(g)) # util.de if 'Util.de' in data: r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g,g.decode('base64')) # 24cast if 'destreamer(' in data: r = re.compile("destreamer\(\"(.+?)\"\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, destreamer(g)) # JS P,A,C,K,E,D if jsU95.containsPacked(data): data = jsU95.unpackAll(data) escape_again=True if jsU2.containsPacked(data): data = jsU2.unpackAll(data) escape_again=True if jsU.containsPacked(data): data = jsU.unpackAll(data) escape_again=True # JS W,I,S,E if jsUW.containsWise(data): data = jsUW.unwiseAll(data) escape_again=True # JS IonCube if jsUI.containsIon(data): data = jsUI.unIonALL(data) escape_again=True # Js unFunc if jsUF.cointainUnFunc(data): data = jsUF.unFuncALL(data) escape_again=True if jsUP.containUnPP(data): data = jsUP.UnPPAll(data) escape_again=True if JsPush.containUnPush(data): data = JsPush.UnPush(data) # unescape again if escape_again: data = doDemystify(data) return data
def doDemystify(data): escape_again=False #init jsFunctions and jsUnpacker jsF = JsFunctions() jsU = JsUnpacker() jsU2 = JsUnpackerV2() jsUW = JsUnwiser() jsUI = JsUnIonCube() jsUF = JsUnFunc() jsUP = JsUnPP() jsU95 = JsUnpacker95High() JsPush = JsUnPush() JsHive = hivelogic() # replace NUL #data = data.replace('\0','') # unescape r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile("""('%[\w%]{100,130}')""") while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, "unescape({0})".format(urllib.unquote_plus(quoted))) r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, quoted.decode('unicode-escape')) r = re.compile('(\'\+dec\("\w+"\)\+\')') while r.findall(data): for g in r.findall(data): r2 = re.compile('dec\("(\w+)"\)') for dec_data in r2.findall(g): res = '' for i in dec_data: res = res + chr(ord(i) ^ 123) data = data.replace(g, res) r = re.compile('((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)') while r.findall(data): for g in r.findall(data): r2 = re.compile('(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+') for base64_data in r2.findall(g): data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) r = re.compile('(<script.*?str=\'@.*?str.replace)') while r.findall(data): for g in r.findall(data): r2 = re.compile('.*?str=\'([^\']+)') for escape_data in r2.findall(g): data = data.replace(g, urllib.unquote(escape_data.replace('@','%'))) r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))') while r.findall(data): for g in r.findall(data): r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)') for base64_data in r2.findall(g): data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) escape_again=True r = re.compile('(eval\(function\((?!w)\w+,\w+,\w+,\w+\),\w+,\w+.*?\{\}\)\);)', flags=re.DOTALL) for g in r.findall(data): try: data = data.replace(g, wdecode(g)) escape_again=True except: pass # n98c4d2c if 'function n98c4d2c(' in data: gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.n98c4d2c(gs[0])) if 'var enkripsi' in data: r = re.compile(r"""enkripsi="([^"]+)""") gs = r.findall(data) if gs: for g in gs: s='' for i in g: s+= chr(ord(i)^2) data = data.replace("""enkripsi=\""""+g, urllib.unquote(s)) # o61a2a8f if 'function o61a2a8f(' in data: gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.o61a2a8f(gs[0])) # RrRrRrRr if 'function RrRrRrRr(' in data: r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL) gs = r.findall(data) if gs != None and gs != []: for g in gs: data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\',''))) # hp_d01 if 'function hp_d01(' in data: r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.hp_d01(g)) # ew_dc if 'function ew_dc(' in data: r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.ew_dc(g)) # pbbfa0 if 'function pbbfa0(' in data: r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.pbbfa0(g)) if 'eval(function(' in data: data = re.sub(r"""function\(\w\w\w\w,\w\w\w\w,\w\w\w\w,\w\w\w\w""",'function(p,a,c,k)',data.replace('#','|')) data = re.sub(r"""\(\w\w\w\w\)%\w\w\w\w""",'e%a',data) data = re.sub(r"""RegExp\(\w\w\w\w\(\w\w\w\w\)""",'RegExp(e(c)',data) r = re.compile(r"""\.split\('([^']+)'\)""") gs = r.findall(data) if gs: for g in gs: data = data.replace(g,'|') if """.replace(""" in data: r = re.compile(r""".replace\(["']([^"']+)["'],\s*["']([^"']*)["']\)""") gs = r.findall(data) if gs: for g in gs: data = data.replace(g[0],g[1]) # util.de if 'Util.de' in data: r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g,g.decode('base64')) # 24cast if 'destreamer(' in data: r = re.compile("destreamer\(\"(.+?)\"\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, destreamer(g)) # JS P,A,C,K,E,D if jsU95.containsPacked(data): data = jsU95.unpackAll(data) escape_again=True if jsU2.containsPacked(data): data = jsU2.unpackAll(data) escape_again=True if jsU.containsPacked(data): data = jsU.unpackAll(data) escape_again=True # JS W,I,S,E if jsUW.containsWise(data): data = jsUW.unwiseAll(data) escape_again=True # JS IonCube if jsUI.containsIon(data): data = jsUI.unIonALL(data) escape_again=True # Js unFunc if jsUF.cointainUnFunc(data): data = jsUF.unFuncALL(data) escape_again=True if jsUP.containUnPP(data): data = jsUP.UnPPAll(data) escape_again=True if JsPush.containUnPush(data): data = JsPush.UnPush(data) if JsHive.contains_hivelogic(data): data = JsHive.unpack_hivelogic(data) try: data = zdecode(data) except: pass # unescape again if escape_again: data = doDemystify(data) return data
def doDemystify(data): escape_again=False #init jsFunctions and jsUnpacker jsF = JsFunctions() jsU = JsUnpacker() jsU2 = JsUnpackerV2() jsUW = JsUnwiser() jsUF = JsUnFunc() jsUP = JsUnPP() JsPush = JsUnPush() # unescape r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile("""('%[\w%]{100,130}')""") while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, "unescape({0})".format(urllib.unquote_plus(quoted))) r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, quoted.decode('unicode-escape')) r = re.compile('(\'\+dec\("\w+"\)\+\')') while r.findall(data): for g in r.findall(data): r2 = re.compile('dec\("(\w+)"\)') for dec_data in r2.findall(g): res = '' for i in dec_data: res = res + chr(ord(i) ^ 123) data = data.replace(g, res) #sebn r = re.compile(r"""(?:file:|source:|\w+=)\s*(window\.atob\(['"][^'"]+['"]\))""") if r.findall(data): for g in r.findall(data): r2 = re.compile(r"""window\.atob\(['"]([^'"]+)['"]\)""") for base64_data in r2.findall(g): data = data.replace(g, '"'+urllib.unquote(base64_data.decode('base-64')+'"')) #r = re.compile('((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)') #while r.findall(data): #for g in r.findall(data): #r2 = re.compile('(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+') #for base64_data in r2.findall(g): #data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) r = re.compile('(<script.*?str=\'@.*?str.replace)') while r.findall(data): for g in r.findall(data): r2 = re.compile('.*?str=\'([^\']+)') for escape_data in r2.findall(g): data = data.replace(g, urllib.unquote(escape_data.replace('@','%'))) r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))') while r.findall(data): for g in r.findall(data): r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)') for base64_data in r2.findall(g): data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) escape_again=True r = re.compile('\?i=([^&]+)&r=([^&\'"]+)') for g in r.findall(data): print g try: _a, _b = g[0].split('%2F') _res = (_a+'=').decode('base-64')+'?'+_b.decode('base-64') data = data.replace(g[0], _res) data = data.replace(g[1], urllib.unquote(g[1]).decode('base-64')) except: pass if 'var enkripsi' in data: r = re.compile(r"""enkripsi="([^"]+)""") gs = r.findall(data) if gs: for g in gs: s='' for i in g: s+= chr(ord(i)^2) data = data.replace("""enkripsi=\""""+g, urllib.unquote(s)) if """.replace(""" in data: r = re.compile(r""".replace\(/([^/]+)/g,\s*["']([^"']*)["']\)""") gs = r.findall(data) if gs: for g in gs: if '\\' in g[0]: data = data.replace(g[0].lower(),g[1]) data = data.replace(g[0],g[1]) r = re.compile(r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""") gs = r.findall(data) if gs: for g in gs: if '\\' in g[0]: data = data.replace(g[0].lower(),g[1]) data = data.replace(g[0],g[1]) # JS P,A,C,K,E,D if jsU2.containsPacked(data): data = jsU2.unpackAll(data) escape_again=True if jsU.containsPacked(data): data = jsU.unpackAll(data) escape_again=True # JS W,I,S,E if jsUW.containsWise(data): data = jsUW.unwiseAll(data) escape_again=True # Js unFunc if jsUF.cointainUnFunc(data): data = jsUF.unFuncALL(data) escape_again=True if jsUP.containUnPP(data): data = jsUP.UnPPAll(data) escape_again=True if JsPush.containUnPush(data): data = JsPush.UnPush(data) try: data = zdecode(data) escape_again=True except: pass # unescape again if escape_again: data = doDemystify(data) return data
def doDemystify(data): from base64 import b64decode escape_again = False #lib.common.log("JairoDemyst:" + data) #init jsFunctions and jsUnpacker jsF = JsFunctions() jsU = JsUnpacker() jsU2 = JsUnpackerV2() jsUW = JsUnwiser() jsUI = JsUnIonCube() jsUF = JsUnFunc() jsUP = JsUnPP() jsU95 = JsUnpacker95High() JsPush = JsUnPush() JsHive = hivelogic() # replace NUL #data = data.replace('\0','') # unescape r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted = g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted = g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile("""('%[\w%]{100,130}')""") while r.findall(data): for g in r.findall(data): quoted = g data = data.replace( quoted, "unescape({0})".format(urllib.unquote_plus(quoted))) r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted = g data = data.replace(quoted, quoted.decode('unicode-escape')) r = re.compile('(\'\+dec\("\w+"\)\+\')') while r.findall(data): for g in r.findall(data): r2 = re.compile('dec\("(\w+)"\)') for dec_data in r2.findall(g): res = '' for i in dec_data: res = res + chr(ord(i) ^ 123) data = data.replace(g, res) #sebn #(?:file\s*:|source\s*:|src\s*:|\w+=)\s*(window\.atob\(['"][^'"]+['"]\)) #"""(?:file:|source:|\w+=)\s*(window\.atob\(['"][^'"]+['"]\))""" r = re.compile( '(?:file\s*:|source\s*:|src\s*:|\w+\s*=)\s*(window\.atob\([\'"][^\'"]+[\'"]\))' ) #lib.common.log("JairoXDecrypt: " + data) if r.findall(data): for g in r.findall(data): #r"""window\.atob\(['"]([^'"]+)['"]\)""" r2 = re.compile('window\.atob\([\'"]([^\'"]+)[\'"]\)') for base64_data in r2.findall(g): data = data.replace( g, '"' + urllib.unquote(base64_data.decode('base-64') + '"')) #r = re.compile('((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)') #while r.findall(data): #for g in r.findall(data): #r2 = re.compile('(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+') #for base64_data in r2.findall(g): #data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) #jairox: ustreamix -- Obfuscator HTML : https://github.com/BlueEyesHF/Obfuscator-HTML r = re.compile( r"var\s*(\w+)\s*=\s*\[([A-Za-z0-9+=\/\",\s]+)\];\s*\1\.forEach.*-\s*(\d+)" ) if r.findall(data): try: matches = re.compile( r"var\s*(\w+)\s*=\s*\[([A-Za-z0-9+=\/\",\s]+)\];\s*\1\.forEach.*-\s*(\d+)" ).findall(data) chunks = matches[0][1].split(',') op = int(matches[0][2]) dec_data = r"" for chunk in chunks: try: tmp = chunk.replace('"', '') tmp = str(b64decode(tmp)) dig = int(re.sub('[\D\s\n]', '', tmp)) dig = dig - op dec_data += chr(dig) except: pass data = re.sub( r"(?s)<script>\s*var\s*\w+\s*=.*?var\s*(\w+)\s*=\s*\[.*<\/script>[\"']?", dec_data, data) except: pass r = re.compile('(<script.*?str=\'@.*?str.replace)') while r.findall(data): for g in r.findall(data): r2 = re.compile('.*?str=\'([^\']+)') for escape_data in r2.findall(g): data = data.replace( g, urllib.unquote(escape_data.replace('@', '%'))) r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))') while r.findall(data): for g in r.findall(data): r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)') for base64_data in r2.findall(g): data = data.replace( g, urllib.unquote(base64_data.decode('base-64'))) escape_again = True if not 'sawlive' in data: r = re.compile('\?i=([^&]+)&r=([^&\'"]+)') for g in r.findall(data): print g try: _a, _b = g[0].split('%2F') _res = (_a + '=').decode('base-64') + '?' + _b.decode('base-64') data = data.replace(g[0], _res) data = data.replace(g[1], urllib.unquote(g[1]).decode('base-64')) except: pass if 'var enkripsi' in data: r = re.compile(r"""enkripsi="([^"]+)""") gs = r.findall(data) if gs: for g in gs: s = '' for i in g: s += chr(ord(i) ^ 2) data = data.replace("""enkripsi=\"""" + g, urllib.unquote(s)) if """.replace(""" in data: r = re.compile( r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""") gs = r.findall(data) if gs: for g in gs: if '\\' in g[0]: data = data.replace(g[0].lower(), g[1]) data = data.replace(g[0], g[1]) r = re.compile( r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""") gs = r.findall(data) if gs: for g in gs: if '\\' in g[0]: data = data.replace(g[0].lower(), g[1]) data = data.replace(g[0], g[1]) # 24cast if 'destreamer(' in data: r = re.compile("destreamer\(\"(.+?)\"\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, destreamer(g)) # JS P,A,C,K,E,D if jsU95.containsPacked(data): data = jsU95.unpackAll(data) escape_again = True if jsU2.containsPacked(data): data = jsU2.unpackAll(data) escape_again = True if jsU.containsPacked(data): data = jsU.unpackAll(data) escape_again = True # JS W,I,S,E if jsUW.containsWise(data): data = jsUW.unwiseAll(data) escape_again = True # JS IonCube if jsUI.containsIon(data): data = jsUI.unIonALL(data) escape_again = True # Js unFunc if jsUF.cointainUnFunc(data): data = jsUF.unFuncALL(data) escape_again = True if jsUP.containUnPP(data): data = jsUP.UnPPAll(data) escape_again = True if JsPush.containUnPush(data): data = JsPush.UnPush(data) if JsHive.contains_hivelogic(data): data = JsHive.unpack_hivelogic(data) if re.search(r'hiro":".*?[\(\)\[\]\!\+]+', data) != None: data = unFuckFirst(data) #lib.common.log("JairoDemyst: " + data) if re.search(r"zoomtv", data, re.IGNORECASE) != None: #lib.common.log("JairoZoom:" + data) data = zadd(data) data = zadd2(data) try: data = zdecode(data) escape_again = True except: pass # unescape again if escape_again: data = doDemystify(data) return data
def doDemystify(data): #common.log('MR DECODE0: ' ) escape_again=False #init jsFunctions and jsUnpacker jsF = JsFunctions() jsU = JsUnpacker() jsU2 = JsUnpackerV2() jsUW = JsUnwiser() jsUI = JsUnIonCube() jsUF = JsUnFunc() jsUP = JsUnPP() jsU95 = JsUnpacker95High() JsPush = JsUnPush() #MRKNOW START #common.log('MR DECODE1: ' + data) r = re.compile("eval\(unescape\(\'.*'\)\);\s.*eval\(unescape\(\'.*\'\).*\'.*\'.*?unescape\(\'.*\'\)\);") while r.findall(data): for g in r.findall(data): common.log('MR DECODE2: ' + g) marian = re.compile( 'eval\(unescape\(\'([^\']+)\'\)\);\s.*eval\(unescape\(\'([^\']+)\'\).*\'([^\']+)\'.*?unescape\(\'([^\']+)\'\)\);').findall( g) mysplit = re.compile('s\.split\("([^"]+)"').findall(urllib.unquote(marian[0][0]))[0] myadd = re.compile('unescape\(tmp\[1\] \+ "([^"]+)"\)').findall(urllib.unquote(marian[0][0]))[0] myadd2 = re.compile('charCodeAt\(i\)\)\+(.*?)\)\;').findall(urllib.unquote(marian[0][0]))[0] mystring = urllib.unquote(marian[0][2]) ile = mystring.split(str(mysplit)); k = ile[1] + str(myadd) print("Ile", ile[1], k) alina = [] # for y in k: # print("y",y) for i in range(0, len(mystring)): aa = ord(mystring[i]) bb = int(k[i % len(k)]) alina.append((bb ^ aa) + int(myadd2)) res = ''.join(map(chr, alina)) # common.log('Malina: %s ' % malina) data = data.replace(g, res) common.log('MR DECODE10: ' + data) #MRKNOW END # replace NUL #data = data.replace('\0','') # unescape r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted=g data = data.replace(quoted, quoted.decode('unicode-escape')) r = re.compile('(\'\+dec\("\w+"\)\+\')') while r.findall(data): for g in r.findall(data): r2 = re.compile('dec\("(\w+)"\)') for dec_data in r2.findall(g): res = '' for i in dec_data: res = res + chr(ord(i) ^ 123) data = data.replace(g, res) r = re.compile('(eval\(decodeURIComponent\(atob\([\'"][^\'"]+[\'"]\)\)\);)') while r.findall(data): for g in r.findall(data): r2 = re.compile('eval\(decodeURIComponent\(atob\([\'"]([^\'"]+)[\'"]\)\)\);') for base64_data in r2.findall(g): data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) r = re.compile('(<script.*?str=\'@.*?str.replace)') while r.findall(data): for g in r.findall(data): r2 = re.compile('.*?str=\'([^\']+)') for escape_data in r2.findall(g): data = data.replace(g, urllib.unquote(escape_data.replace('@','%'))) r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))') while r.findall(data): for g in r.findall(data): r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)') for base64_data in r2.findall(g): data = data.replace(g, urllib.unquote(base64_data.decode('base-64'))) escape_again=True r = re.compile('(eval\\(function\\(\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))', flags=re.DOTALL) for g in r.findall(data): try: data = data.replace(g, wdecode(g)) escape_again=True except: pass # n98c4d2c if 'function n98c4d2c(' in data: gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.n98c4d2c(gs[0])) # o61a2a8f if 'function o61a2a8f(' in data: gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.o61a2a8f(gs[0])) # RrRrRrRr if 'function RrRrRrRr(' in data: r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL) gs = r.findall(data) if gs != None and gs != []: for g in gs: data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\',''))) # hp_d01 if 'function hp_d01(' in data: r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.hp_d01(g)) # ew_dc if 'function ew_dc(' in data: r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.ew_dc(g)) # pbbfa0 if 'function pbbfa0(' in data: r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.pbbfa0(g)) # util.de if 'Util.de' in data: r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g,g.decode('base64')) # 24cast if 'destreamer(' in data: r = re.compile("destreamer\(\"(.+?)\"\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, destreamer(g)) # JS P,A,C,K,E,D if jsU95.containsPacked(data): data = jsU95.unpackAll(data) escape_again=True if jsU2.containsPacked(data): data = jsU2.unpackAll(data) escape_again=True if jsU.containsPacked(data): data = jsU.unpackAll(data) escape_again=True # JS W,I,S,E if jsUW.containsWise(data): data = jsUW.unwiseAll(data) escape_again=True # JS IonCube if jsUI.containsIon(data): data = jsUI.unIonALL(data) escape_again=True # Js unFunc if jsUF.cointainUnFunc(data): data = jsUF.unFuncALL(data) escape_again=True if jsUP.containUnPP(data): data = jsUP.UnPPAll(data) escape_again=True if JsPush.containUnPush(data): data = JsPush.UnPush(data) # unescape again if escape_again: data = doDemystify(data) return data
def doDemystify(data): escape_again = False #init jsFunctions and jsUnpacker jsF = JsFunctions() jsU = JsUnpacker() jsU2 = JsUnpackerV2() jsUW = JsUnwiser() jsUI = JsUnIonCube() jsUF = JsUnFunc() jsUP = JsUnPP() jsU95 = JsUnpacker95High() JsPush = JsUnPush() JsHive = hivelogic() # replace NUL #data = data.replace('\0','') # unescape r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted = g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted = g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted = g data = data.replace(quoted, quoted.decode('unicode-escape')) r = re.compile('(\'\+dec\("\w+"\)\+\')') while r.findall(data): for g in r.findall(data): r2 = re.compile('dec\("(\w+)"\)') for dec_data in r2.findall(g): res = '' for i in dec_data: res = res + chr(ord(i) ^ 123) data = data.replace(g, res) r = re.compile( '((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)') while r.findall(data): for g in r.findall(data): r2 = re.compile( '(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+' ) for base64_data in r2.findall(g): data = data.replace( g, urllib.unquote(base64_data.decode('base-64'))) r = re.compile('(<script.*?str=\'@.*?str.replace)') while r.findall(data): for g in r.findall(data): r2 = re.compile('.*?str=\'([^\']+)') for escape_data in r2.findall(g): data = data.replace( g, urllib.unquote(escape_data.replace('@', '%'))) r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))') while r.findall(data): for g in r.findall(data): r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)') for base64_data in r2.findall(g): data = data.replace( g, urllib.unquote(base64_data.decode('base-64'))) escape_again = True r = re.compile( '(eval\\(function\\((?!w)\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))', flags=re.DOTALL) for g in r.findall(data): try: data = data.replace(g, wdecode(g)) escape_again = True except: pass if '"result2":"' in data: r = re.compile(r""":("(?!http)[^\.]+\.m3u8")""") gs = r.findall(data) if gs: for g in gs: data = data.replace( g, json.dumps( decryptDES_ECB( json.loads(g)[:-5], '5333637233742600'.decode('hex')))) # n98c4d2c if 'function n98c4d2c(' in data: gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.n98c4d2c(gs[0])) if 'var enkripsi' in data: r = re.compile(r"""enkripsi="([^"]+)""") gs = r.findall(data) if gs: for g in gs: s = '' for i in g: s += chr(ord(i) ^ 2) data = data.replace("""enkripsi=\"""" + g, urllib.unquote(s)) # o61a2a8f if 'function o61a2a8f(' in data: gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.o61a2a8f(gs[0])) # RrRrRrRr if 'function RrRrRrRr(' in data: r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL) gs = r.findall(data) if gs != None and gs != []: for g in gs: data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', ''))) # hp_d01 if 'function hp_d01(' in data: r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.hp_d01(g)) # ew_dc if 'function ew_dc(' in data: r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.ew_dc(g)) # pbbfa0 if 'function pbbfa0(' in data: r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.pbbfa0(g)) if 'eval(function(' in data: data = re.sub(r"""function\(\w\w\w\w,\w\w\w\w,\w\w\w\w,\w\w\w\w""", 'function(p,a,c,k)', data.replace('#', '|')) data = re.sub(r"""\(\w\w\w\w\+0\)%\w\w\w\w""", 'e%a', data) data = re.sub(r"""RegExp\(\w\w\w\w\(\w\w\w\w\)""", 'RegExp(e(c)', data) if """.replace(""" in data: r = re.compile(r""".replace\(["']([^"']+)["'],\s*["']([^"']*)["']\)""") gs = r.findall(data) if gs: for g in gs: data = data.replace(g[0], g[1]) # util.de if 'Util.de' in data: r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, g.decode('base64')) # 24cast if 'destreamer(' in data: r = re.compile("destreamer\(\"(.+?)\"\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, destreamer(g)) # JS P,A,C,K,E,D if jsU95.containsPacked(data): data = jsU95.unpackAll(data) escape_again = True if jsU2.containsPacked(data): data = jsU2.unpackAll(data) escape_again = True if jsU.containsPacked(data): data = jsU.unpackAll(data) escape_again = True # JS W,I,S,E if jsUW.containsWise(data): data = jsUW.unwiseAll(data) escape_again = True # JS IonCube if jsUI.containsIon(data): data = jsUI.unIonALL(data) escape_again = True # Js unFunc if jsUF.cointainUnFunc(data): data = jsUF.unFuncALL(data) escape_again = True if jsUP.containUnPP(data): data = jsUP.UnPPAll(data) escape_again = True if JsPush.containUnPush(data): data = JsPush.UnPush(data) if JsHive.contains_hivelogic(data): data = JsHive.unpack_hivelogic(data) # unescape again if escape_again: data = doDemystify(data) return data
def doDemystify(data): escape_again = False #init jsFunctions and jsUnpacker jsF = JsFunctions() jsU = JsUnpacker() jsUV2 = JsUnpackerV2() jsUW = JsUnwiser() jsUI = JsUnIonCube() jsUF = JsUnFunc() jsUP = JsUnPP() jsU95 = JsUnpacker95High() JsPush = JsUnPush() # replace NUL data = data.replace('\0', '') # unescape r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted = g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted = g data = data.replace(quoted, urllib.unquote_plus(quoted)) r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']') while r.findall(data): for g in r.findall(data): quoted = g data = data.replace(quoted, quoted.decode('unicode-escape')) r = re.compile( '(eval\(decodeURIComponent\(atob\([\'"][^\'"]+[\'"]\)\)\);)') while r.findall(data): for g in r.findall(data): r2 = re.compile( 'eval\(decodeURIComponent\(atob\([\'"]([^\'"]+)[\'"]\)\)\);') for base64_data in r2.findall(g): data = data.replace( g, urllib.unquote(base64_data.decode('base-64'))) r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))') while r.findall(data): for g in r.findall(data): r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)') for base64_data in r2.findall(g): data = data.replace( g, urllib.unquote(base64_data.decode('base-64'))) escape_again = True r = re.compile( '(eval\\(function\\(\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))', flags=re.DOTALL) for g in r.findall(data): try: data = data.replace(g, wdecode(g)) escape_again = True except: pass # n98c4d2c if 'function n98c4d2c(' in data: gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.n98c4d2c(gs[0])) # o61a2a8f if 'function o61a2a8f(' in data: gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*") if gs != None and gs != []: data = data.replace(gs[0], jsF.o61a2a8f(gs[0])) # RrRrRrRr if 'function RrRrRrRr(' in data: r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL) gs = r.findall(data) if gs != None and gs != []: for g in gs: data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', ''))) # hp_d01 if 'function hp_d01(' in data: r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.hp_d01(g)) # ew_dc if 'function ew_dc(' in data: r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.ew_dc(g)) # pbbfa0 if 'function pbbfa0(' in data: r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, jsF.pbbfa0(g)) # util.de if 'Util.de' in data: r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, g.decode('base64')) # 24cast if 'destreamer(' in data: r = re.compile("destreamer\(\"(.+?)\"\)") gs = r.findall(data) if gs: for g in gs: data = data.replace(g, destreamer(g)) # JS P,A,C,K,E,D if jsU.containsPacked(data): data = jsU.unpackAll(data) escape_again = True #if still exists then apply v2 if jsUV2.containsPacked(data): data = jsUV2.unpackAll(data) escape_again = True if jsU95.containsPacked(data): data = jsU95.unpackAll(data) escape_again = True # JS W,I,S,E if jsUW.containsWise(data): data = jsUW.unwiseAll(data) escape_again = True # JS IonCube if jsUI.containsIon(data): data = jsUI.unIonALL(data) escape_again = True # Js unFunc if jsUF.cointainUnFunc(data): data = jsUF.unFuncALL(data) escape_again = True if jsUP.containUnPP(data): data = jsUP.UnPPAll(data) escape_again = True if JsPush.containUnPush(data): data = JsPush.UnPush(data) # unescape again if escape_again: data = doDemystify(data) return data