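def doDemystify(data):
    """Peel the known obfuscation layers off a page and return the result.

    Applies a fixed sequence of regex rewrites to *data* (percent/unicode
    unescaping, XOR and base64 string decoders, AES/DES-encrypted ``.m3u8``
    values, site-specific JS helper functions) and then the packer-specific
    unpackers.  When a step that can expose another layer fired, the function
    calls itself on the result.

    *data* is presumably markup fetched from a remote site, so it is handled
    as untrusted input: each fixed-point loop stops as soon as a full pass
    changes nothing, and the recursion is skipped when the text is identical
    to what was passed in.  Without those guards an input such as
    ``unescape("%zz")`` (which ``unquote_plus`` returns unchanged) makes the
    loop spin forever.

    Python 2 only: relies on ``urllib.unquote_plus`` and ``str.decode('hex')``.

    NOTE(review): block nesting was rebuilt from a whitespace-collapsed
    listing; confirm that the DES ``.m3u8`` step and the ``.replace(`` step
    sit at the level upstream has them.

    Args:
        data: page source as a byte string.

    Returns:
        The rewritten string.

    Raises:
        Decoder errors (bad base64/hex input, cipher errors outside the
        guarded first AES attempt) propagate; only failures inside
        ``wdecode`` are ignored.
    """
    original = data
    escape_again = False

    # init jsFunctions and jsUnpacker
    jsF = JsFunctions()
    jsU = JsUnpacker()
    jsU2 = JsUnpackerV2()
    jsUW = JsUnwiser()
    jsUI = JsUnIonCube()
    jsUF = JsUnFunc()
    jsUP = JsUnPP()
    jsU95 = JsUnpacker95High()
    JsPush = JsUnPush()
    JsHive = hivelogic()

    # replace NUL
    #data = data.replace('\0','')

    # unescape: a1="%3C..." attributes
    r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, urllib.unquote_plus(g))
        if data == before:
            break  # no progress (malformed escape) - stop instead of spinning

    # unescape("...%xx...") arguments
    r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, urllib.unquote_plus(g))
        if data == before:
            break  # e.g. "%zz" is returned unchanged by unquote_plus

    # unescape("...\u00xx...") arguments
    r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, g.decode('unicode-escape'))
        if data == before:
            break

    # '+dec("...")+' fragments: every character is XORed with 123
    r = re.compile('(\'\+dec\("\w+"\)\+\')')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('dec\("(\w+)"\)')
            for dec_data in r2.findall(g):
                res = ''.join(chr(ord(i) ^ 123) for i in dec_data)
                data = data.replace(g, res)
        if data == before:
            break

    # eval(decodeURIComponent(atob('...'))) / window.atob('...'): base64 + unquote
    r = re.compile(
        '((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile(
                '(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+'
            )
            for base64_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(base64_data.decode('base-64')))
        if data == before:
            break

    # <script ... str='@..' ... str.replace: '@' stands in for '%'
    r = re.compile('(<script.*?str=\'@.*?str.replace)')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('.*?str=\'([^\']+)')
            for escape_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(escape_data.replace('@', '%')))
        if data == before:
            break

    # base('...') calls: base64 + unquote; the output may hold another layer
    r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
            for base64_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(base64_data.decode('base-64')))
                escape_again = True
        if data == before:
            break

    r = re.compile(
        '(eval\\(function\\((?!w)\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))',
        flags=re.DOTALL)
    for g in r.findall(data):
        try:
            data = data.replace(g, wdecode(g))
            escape_again = True
        except Exception:
            # Best effort: a block wdecode cannot handle is left as it is.
            # Exception (not a bare except) lets KeyboardInterrupt through.
            pass

    if '"result2":"' in data:
        # "<hex ciphertext>.<hex iv>.m3u8" values, AES-CBC encrypted.
        r = re.compile(r""":("(?!http)\w+\.\w+\.m3u8")""")
        gs = r.findall(data)
        if gs:
            # Drops as many trailing bytes as the last byte says.  The padding
            # is not validated, so a wrong key gives garbage, not an error.
            unpad = lambda s: s[0:-ord(s[-1])]
            for g in gs:
                _in = json.loads(g).split('.')
                # NOTE(review): hard-coded key material; presumably mirrors
                # the site's client-side script - confirm.
                aes = AES.new(
                    '5e41564050447a7e4631795f33373037374f313337396d316862396c34654763'
                    .decode('hex'), AES.MODE_CBC, _in[1].decode('hex'))
                try:
                    _url = unpad(aes.decrypt(_in[0].decode('hex')))
                except Exception:
                    _url = None
                if _url:
                    data = data.replace(g, json.dumps(_url))
                else:
                    # Second key: only reached when the first attempt raised
                    # or unpadded to an empty string.
                    aes = AES.new(
                        '5e6d59405052757e4b65795f393738373831313335396d316775336c346e7472'
                        .decode('hex'), AES.MODE_CBC, _in[1].decode('hex'))
                    data = data.replace(
                        g,
                        json.dumps(unpad(aes.decrypt(_in[0].decode('hex')))))

        # base64-looking "....m3u8" values go through DES-ECB, minus ".m3u8".
        r = re.compile(r""":("(?!http)[\w=\\/\+]+\.m3u8")""")
        for g in r.findall(data):
            data = data.replace(
                g,
                json.dumps(
                    decryptDES_ECB(
                        json.loads(g)[:-5], '5333637233742600'.decode('hex'))))

    # n98c4d2c
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))

    # enkripsi="...": XOR every character with 2, then unquote
    if 'var enkripsi' in data:
        r = re.compile(r"""enkripsi="([^"]+)""")
        for g in r.findall(data):
            s = ''.join(chr(ord(i) ^ 2) for i in g)
            data = data.replace("""enkripsi=\"""" + g, urllib.unquote(s))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))

    # RrRrRrRr
    if 'function RrRrRrRr(' in data:
        r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
                       re.IGNORECASE + re.DOTALL)
        for g in r.findall(data):
            data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', '')))

    # hp_d01
    if 'function hp_d01(' in data:
        r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
        for g in r.findall(data):
            data = data.replace(g, jsF.hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
        for g in r.findall(data):
            data = data.replace(g, jsF.ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
        for g in r.findall(data):
            data = data.replace(g, jsF.pbbfa0(g))

    # Rewrite a packer variant with four-letter argument names and a custom
    # separator into the p,a,c,k form the unpackers below look for.
    if 'eval(function(' in data:
        data = re.sub(r"""function\(\w\w\w\w,\w\w\w\w,\w\w\w\w,\w\w\w\w""",
                      'function(p,a,c,k)', data.replace('#', '|'))
        data = re.sub(r"""\(\w\w\w\w\+0\)%\w\w\w\w""", 'e%a', data)
        data = re.sub(r"""RegExp\(\w\w\w\w\(\w\w\w\w\)""", 'RegExp(e(c)', data)
        r = re.compile(r"""\.split\('([^']+)'\)""")
        for g in r.findall(data):
            data = data.replace(g, '|')

    # Apply literal .replace("a", "b") calls found in the page.  The
    # substitution hits every occurrence of "a" in the whole text.
    if """.replace(""" in data:
        r = re.compile(r""".replace\(["']([^"']+)["'],\s*["']([^"']*)["']\)""")
        for g in r.findall(data):
            data = data.replace(g[0], g[1])

    # util.de
    if 'Util.de' in data:
        r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
        for g in r.findall(data):
            data = data.replace(g, g.decode('base64'))

    # 24cast
    if 'destreamer(' in data:
        r = re.compile("destreamer\(\"(.+?)\"\)")
        for g in r.findall(data):
            data = data.replace(g, destreamer(g))

    # JS P,A,C,K,E,D
    if jsU95.containsPacked(data):
        data = jsU95.unpackAll(data)
        escape_again = True

    if jsU2.containsPacked(data):
        data = jsU2.unpackAll(data)
        escape_again = True

    if jsU.containsPacked(data):
        data = jsU.unpackAll(data)
        escape_again = True

    # JS W,I,S,E
    if jsUW.containsWise(data):
        data = jsUW.unwiseAll(data)
        escape_again = True

    # JS IonCube
    if jsUI.containsIon(data):
        data = jsUI.unIonALL(data)
        escape_again = True

    # Js unFunc
    if jsUF.cointainUnFunc(data):
        data = jsUF.unFuncALL(data)
        escape_again = True

    if jsUP.containUnPP(data):
        data = jsUP.UnPPAll(data)
        escape_again = True

    if JsPush.containUnPush(data):
        data = JsPush.UnPush(data)

    if JsHive.contains_hivelogic(data):
        data = JsHive.unpack_hivelogic(data)

    # unescape again - but only when something changed.  Re-running on
    # identical text would repeat the same steps until the recursion limit
    # is hit (assuming the unpackers are deterministic).
    if escape_again and data != original:
        data = doDemystify(data)
    return data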
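def doDemystify(data):
    """Peel the known obfuscation layers off a page and return the result.

    Applies a fixed sequence of regex rewrites to *data* (percent/unicode
    unescaping, XOR and base64 string decoders, site-specific JS helper
    functions), then the packer-specific unpackers and ``zdecode``.  When a
    step that can expose another layer fired, the function calls itself on
    the result.

    *data* is presumably markup fetched from a remote site, so it is handled
    as untrusted input: each fixed-point loop stops as soon as a full pass
    changes nothing, and the recursion is skipped when the text is identical
    to what was passed in.  Without those guards an input such as
    ``unescape("%zz")`` (which ``unquote_plus`` returns unchanged) makes the
    loop spin forever, and a long quoted ``'%zz...'`` run is wrapped in
    ``unescape(...)`` again on every pass, growing without bound.

    Python 2 only: relies on ``urllib.unquote_plus`` and ``str.decode``.

    NOTE(review): block nesting was rebuilt from a whitespace-collapsed
    listing; confirm that the ``.replace(`` step sits at the level upstream
    has it.

    Args:
        data: page source as a byte string.

    Returns:
        The rewritten string.

    Raises:
        Decoder errors (bad base64 input and the like) propagate; only
        failures inside ``wdecode`` and ``zdecode`` are ignored.
    """
    original = data
    escape_again = False

    # init jsFunctions and jsUnpacker
    jsF = JsFunctions()
    jsU = JsUnpacker()
    jsU2 = JsUnpackerV2()
    jsUW = JsUnwiser()
    jsUI = JsUnIonCube()
    jsUF = JsUnFunc()
    jsUP = JsUnPP()
    jsU95 = JsUnpacker95High()
    JsPush = JsUnPush()
    JsHive = hivelogic()

    # replace NUL
    #data = data.replace('\0','')

    # unescape: a1="%3C..." attributes
    r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, urllib.unquote_plus(g))
        if data == before:
            break  # no progress (malformed escape) - stop instead of spinning

    # unescape("...%xx...") arguments
    r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, urllib.unquote_plus(g))
        if data == before:
            break  # e.g. "%zz" is returned unchanged by unquote_plus

    # Bare quoted runs of 100-130 escape characters: decode and wrap them in
    # unescape(...) so the following steps treat them like the case above.
    r = re.compile("""('%[\w%]{100,130}')""")
    while r.findall(data):
        before = data
        for g in r.findall(data):
            decoded = urllib.unquote_plus(g)
            if decoded != g:
                data = data.replace(g, "unescape({0})".format(decoded))
            # An undecodable run is left alone: wrapping it would keep the
            # same match alive and add another wrapper on every pass.
        if data == before:
            break

    # unescape("...\u00xx...") arguments
    r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, g.decode('unicode-escape'))
        if data == before:
            break

    # '+dec("...")+' fragments: every character is XORed with 123
    r = re.compile('(\'\+dec\("\w+"\)\+\')')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('dec\("(\w+)"\)')
            for dec_data in r2.findall(g):
                res = ''.join(chr(ord(i) ^ 123) for i in dec_data)
                data = data.replace(g, res)
        if data == before:
            break

    # eval(decodeURIComponent(atob('...'))) / window.atob('...'): base64 + unquote
    r = re.compile(
        '((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile(
                '(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+'
            )
            for base64_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(base64_data.decode('base-64')))
        if data == before:
            break

    # <script ... str='@..' ... str.replace: '@' stands in for '%'
    r = re.compile('(<script.*?str=\'@.*?str.replace)')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('.*?str=\'([^\']+)')
            for escape_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(escape_data.replace('@', '%')))
        if data == before:
            break

    # base('...') calls: base64 + unquote; the output may hold another layer
    r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
            for base64_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(base64_data.decode('base-64')))
                escape_again = True
        if data == before:
            break

    r = re.compile(
        '(eval\(function\((?!w)\w+,\w+,\w+,\w+\),\w+,\w+.*?\{\}\)\);)',
        flags=re.DOTALL)
    for g in r.findall(data):
        try:
            data = data.replace(g, wdecode(g))
            escape_again = True
        except Exception:
            # Best effort: a block wdecode cannot handle is left as it is.
            # Exception (not a bare except) lets KeyboardInterrupt through.
            pass

    # n98c4d2c
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))

    # enkripsi="...": XOR every character with 2, then unquote
    if 'var enkripsi' in data:
        r = re.compile(r"""enkripsi="([^"]+)""")
        for g in r.findall(data):
            s = ''.join(chr(ord(i) ^ 2) for i in g)
            data = data.replace("""enkripsi=\"""" + g, urllib.unquote(s))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))

    # RrRrRrRr
    if 'function RrRrRrRr(' in data:
        r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
                       re.IGNORECASE + re.DOTALL)
        for g in r.findall(data):
            data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', '')))

    # hp_d01
    if 'function hp_d01(' in data:
        r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
        for g in r.findall(data):
            data = data.replace(g, jsF.hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
        for g in r.findall(data):
            data = data.replace(g, jsF.ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
        for g in r.findall(data):
            data = data.replace(g, jsF.pbbfa0(g))

    # Rewrite a packer variant with four-letter argument names and a custom
    # separator into the p,a,c,k form the unpackers below look for.
    if 'eval(function(' in data:
        data = re.sub(r"""function\(\w\w\w\w,\w\w\w\w,\w\w\w\w,\w\w\w\w""",
                      'function(p,a,c,k)', data.replace('#', '|'))
        data = re.sub(r"""\(\w\w\w\w\)%\w\w\w\w""", 'e%a', data)
        data = re.sub(r"""RegExp\(\w\w\w\w\(\w\w\w\w\)""", 'RegExp(e(c)', data)
        r = re.compile(r"""\.split\('([^']+)'\)""")
        for g in r.findall(data):
            data = data.replace(g, '|')

    # Apply literal .replace("abcd...", "b") calls found in the page (search
    # strings of four or more characters).  The substitution hits every
    # occurrence in the whole text.
    if """.replace(""" in data:
        r = re.compile(
            r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""")
        for g in r.findall(data):
            data = data.replace(g[0], g[1])

    # util.de
    if 'Util.de' in data:
        r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
        for g in r.findall(data):
            data = data.replace(g, g.decode('base64'))

    # 24cast
    if 'destreamer(' in data:
        r = re.compile("destreamer\(\"(.+?)\"\)")
        for g in r.findall(data):
            data = data.replace(g, destreamer(g))

    # JS P,A,C,K,E,D
    if jsU95.containsPacked(data):
        data = jsU95.unpackAll(data)
        escape_again = True

    if jsU2.containsPacked(data):
        data = jsU2.unpackAll(data)
        escape_again = True

    if jsU.containsPacked(data):
        data = jsU.unpackAll(data)
        escape_again = True

    # JS W,I,S,E
    if jsUW.containsWise(data):
        data = jsUW.unwiseAll(data)
        escape_again = True

    # JS IonCube
    if jsUI.containsIon(data):
        data = jsUI.unIonALL(data)
        escape_again = True

    # Js unFunc
    if jsUF.cointainUnFunc(data):
        data = jsUF.unFuncALL(data)
        escape_again = True

    if jsUP.containUnPP(data):
        data = jsUP.UnPPAll(data)
        escape_again = True

    if JsPush.containUnPush(data):
        data = JsPush.UnPush(data)

    if JsHive.contains_hivelogic(data):
        data = JsHive.unpack_hivelogic(data)

    try:
        data = zdecode(data)
    except Exception:
        # Best effort: text zdecode cannot handle is kept unchanged.
        pass

    # unescape again - but only when something changed.  Re-running on
    # identical text would repeat the same steps until the recursion limit
    # is hit (assuming the unpackers are deterministic).
    if escape_again and data != original:
        data = doDemystify(data)
    return data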
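def doDemystify(data):
    """Peel the known obfuscation layers off a page and return the result.

    Applies a fixed sequence of regex rewrites to *data* (percent/unicode
    unescaping, XOR and base64 string decoders, site-specific JS helper
    functions) and then the packer-specific unpackers.  When a step that can
    expose another layer fired, the function calls itself on the result.

    *data* is presumably markup fetched from a remote site, so it is handled
    as untrusted input: each fixed-point loop stops as soon as a full pass
    changes nothing, and the recursion is skipped when the text is identical
    to what was passed in.  Without those guards an input such as
    ``unescape("%zz")`` (which ``unquote_plus`` returns unchanged) makes the
    loop spin forever.

    Python 2 only: relies on ``urllib.unquote_plus`` and ``str.decode``.

    Args:
        data: page source as a byte string.

    Returns:
        The rewritten string.

    Raises:
        Decoder errors (bad base64 input and the like) propagate; only
        failures inside ``wdecode`` are ignored.
    """
    original = data
    escape_again = False

    # init jsFunctions and jsUnpacker
    jsF = JsFunctions()
    jsU = JsUnpacker()
    jsU2 = JsUnpackerV2()
    jsUW = JsUnwiser()
    jsUI = JsUnIonCube()
    jsUF = JsUnFunc()
    jsUP = JsUnPP()
    jsU95 = JsUnpacker95High()
    JsPush = JsUnPush()

    # replace NUL
    #data = data.replace('\0','')

    # unescape: a1="%3C..." attributes
    r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, urllib.unquote_plus(g))
        if data == before:
            break  # no progress (malformed escape) - stop instead of spinning

    # unescape("...%xx...") arguments
    r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, urllib.unquote_plus(g))
        if data == before:
            break  # e.g. "%zz" is returned unchanged by unquote_plus

    # unescape("...\u00xx...") arguments
    r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, g.decode('unicode-escape'))
        if data == before:
            break

    # '+dec("...")+' fragments: every character is XORed with 123
    r = re.compile('(\'\+dec\("\w+"\)\+\')')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('dec\("(\w+)"\)')
            for dec_data in r2.findall(g):
                res = ''.join(chr(ord(i) ^ 123) for i in dec_data)
                data = data.replace(g, res)
        if data == before:
            break

    # eval(decodeURIComponent(atob('...'))); -> base64 + unquote
    r = re.compile('(eval\(decodeURIComponent\(atob\([\'"][^\'"]+[\'"]\)\)\);)')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('eval\(decodeURIComponent\(atob\([\'"]([^\'"]+)[\'"]\)\)\);')
            for base64_data in r2.findall(g):
                data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
        if data == before:
            break

    # <script ... str='@..' ... str.replace: '@' stands in for '%'
    r = re.compile('(<script.*?str=\'@.*?str.replace)')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('.*?str=\'([^\']+)')
            for escape_data in r2.findall(g):
                data = data.replace(g, urllib.unquote(escape_data.replace('@','%')))
        if data == before:
            break

    # base('...') calls: base64 + unquote; the output may hold another layer
    r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
            for base64_data in r2.findall(g):
                data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
                escape_again = True
        if data == before:
            break

    r = re.compile('(eval\\(function\\(\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))', flags=re.DOTALL)
    for g in r.findall(data):
        try:
            data = data.replace(g, wdecode(g))
            escape_again = True
        except Exception:
            # Best effort: a block wdecode cannot handle is left as it is.
            # Exception (not a bare except) lets KeyboardInterrupt through.
            pass

    # n98c4d2c
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))

    # RrRrRrRr
    if 'function RrRrRrRr(' in data:
        r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL)
        for g in r.findall(data):
            data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\','')))

    # hp_d01
    if 'function hp_d01(' in data:
        r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
        for g in r.findall(data):
            data = data.replace(g, jsF.hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
        for g in r.findall(data):
            data = data.replace(g, jsF.ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
        for g in r.findall(data):
            data = data.replace(g, jsF.pbbfa0(g))

    # util.de
    if 'Util.de' in data:
        r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
        for g in r.findall(data):
            data = data.replace(g, g.decode('base64'))

    # 24cast
    if 'destreamer(' in data:
        r = re.compile("destreamer\(\"(.+?)\"\)")
        for g in r.findall(data):
            data = data.replace(g, destreamer(g))

    # JS P,A,C,K,E,D
    if jsU95.containsPacked(data):
        data = jsU95.unpackAll(data)
        escape_again = True

    if jsU2.containsPacked(data):
        data = jsU2.unpackAll(data)
        escape_again = True

    if jsU.containsPacked(data):
        data = jsU.unpackAll(data)
        escape_again = True

    # JS W,I,S,E
    if jsUW.containsWise(data):
        data = jsUW.unwiseAll(data)
        escape_again = True

    # JS IonCube
    if jsUI.containsIon(data):
        data = jsUI.unIonALL(data)
        escape_again = True

    # Js unFunc
    if jsUF.cointainUnFunc(data):
        data = jsUF.unFuncALL(data)
        escape_again = True

    if jsUP.containUnPP(data):
        data = jsUP.UnPPAll(data)
        escape_again = True

    if JsPush.containUnPush(data):
        data = JsPush.UnPush(data)

    # unescape again - but only when something changed.  Re-running on
    # identical text would repeat the same steps until the recursion limit
    # is hit (assuming the unpackers are deterministic).
    if escape_again and data != original:
        data = doDemystify(data)
    return data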
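def doDemystify(data):
    """Peel the known obfuscation layers off a page and return the result.

    Applies a fixed sequence of regex rewrites to *data* (percent/unicode
    unescaping, XOR and base64 string decoders, site-specific JS helper
    functions) and then the packer-specific unpackers.  When a step that can
    expose another layer fired, the function calls itself on the result.

    *data* is presumably markup fetched from a remote site, so it is handled
    as untrusted input: each fixed-point loop stops as soon as a full pass
    changes nothing, and the recursion is skipped when the text is identical
    to what was passed in.  Without those guards an input such as
    ``unescape("%zz")`` (which ``unquote_plus`` returns unchanged) makes the
    loop spin forever.

    Python 2 only: relies on ``urllib.unquote_plus`` and ``str.decode``.

    Args:
        data: page source as a byte string.

    Returns:
        The rewritten string.

    Raises:
        Decoder errors (bad base64 input and the like) propagate; only
        failures inside ``wdecode`` are ignored.
    """
    original = data
    escape_again = False

    # init jsFunctions and jsUnpacker
    jsF = JsFunctions()
    jsU = JsUnpacker()
    jsU2 = JsUnpackerV2()
    jsUW = JsUnwiser()
    jsUI = JsUnIonCube()
    jsUF = JsUnFunc()
    jsUP = JsUnPP()
    jsU95 = JsUnpacker95High()
    JsPush = JsUnPush()

    # replace NUL
    #data = data.replace('\0','')

    # unescape: a1="%3C..." attributes
    r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, urllib.unquote_plus(g))
        if data == before:
            break  # no progress (malformed escape) - stop instead of spinning

    # unescape("...%xx...") arguments
    r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, urllib.unquote_plus(g))
        if data == before:
            break  # e.g. "%zz" is returned unchanged by unquote_plus

    # unescape("...\u00xx...") arguments
    r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, g.decode('unicode-escape'))
        if data == before:
            break

    # '+dec("...")+' fragments: every character is XORed with 123
    r = re.compile('(\'\+dec\("\w+"\)\+\')')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('dec\("(\w+)"\)')
            for dec_data in r2.findall(g):
                res = ''.join(chr(ord(i) ^ 123) for i in dec_data)
                data = data.replace(g, res)
        if data == before:
            break

    # eval(decodeURIComponent(atob('...'))); -> base64 + unquote
    r = re.compile(
        '(eval\(decodeURIComponent\(atob\([\'"][^\'"]+[\'"]\)\)\);)')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile(
                'eval\(decodeURIComponent\(atob\([\'"]([^\'"]+)[\'"]\)\)\);')
            for base64_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(base64_data.decode('base-64')))
        if data == before:
            break

    # <script ... str='@..' ... str.replace: '@' stands in for '%'
    r = re.compile('(<script.*?str=\'@.*?str.replace)')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('.*?str=\'([^\']+)')
            for escape_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(escape_data.replace('@', '%')))
        if data == before:
            break

    # base('...') calls: base64 + unquote; the output may hold another layer
    r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
            for base64_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(base64_data.decode('base-64')))
                escape_again = True
        if data == before:
            break

    r = re.compile(
        '(eval\\(function\\(\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))',
        flags=re.DOTALL)
    for g in r.findall(data):
        try:
            data = data.replace(g, wdecode(g))
            escape_again = True
        except Exception:
            # Best effort: a block wdecode cannot handle is left as it is.
            # Exception (not a bare except) lets KeyboardInterrupt through.
            pass

    # n98c4d2c
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))

    # RrRrRrRr
    if 'function RrRrRrRr(' in data:
        r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
                       re.IGNORECASE + re.DOTALL)
        for g in r.findall(data):
            data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', '')))

    # hp_d01
    if 'function hp_d01(' in data:
        r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
        for g in r.findall(data):
            data = data.replace(g, jsF.hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
        for g in r.findall(data):
            data = data.replace(g, jsF.ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
        for g in r.findall(data):
            data = data.replace(g, jsF.pbbfa0(g))

    # util.de
    if 'Util.de' in data:
        r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
        for g in r.findall(data):
            data = data.replace(g, g.decode('base64'))

    # 24cast
    if 'destreamer(' in data:
        r = re.compile("destreamer\(\"(.+?)\"\)")
        for g in r.findall(data):
            data = data.replace(g, destreamer(g))

    # JS P,A,C,K,E,D
    if jsU95.containsPacked(data):
        data = jsU95.unpackAll(data)
        escape_again = True

    if jsU2.containsPacked(data):
        data = jsU2.unpackAll(data)
        escape_again = True

    if jsU.containsPacked(data):
        data = jsU.unpackAll(data)
        escape_again = True

    # JS W,I,S,E
    if jsUW.containsWise(data):
        data = jsUW.unwiseAll(data)
        escape_again = True

    # JS IonCube
    if jsUI.containsIon(data):
        data = jsUI.unIonALL(data)
        escape_again = True

    # Js unFunc
    if jsUF.cointainUnFunc(data):
        data = jsUF.unFuncALL(data)
        escape_again = True

    if jsUP.containUnPP(data):
        data = jsUP.UnPPAll(data)
        escape_again = True

    if JsPush.containUnPush(data):
        data = JsPush.UnPush(data)

    # unescape again - but only when something changed.  Re-running on
    # identical text would repeat the same steps until the recursion limit
    # is hit (assuming the unpackers are deterministic).
    if escape_again and data != original:
        data = doDemystify(data)
    return data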
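def doDemystify(data):
    """Peel the known obfuscation layers off a page and return the result.

    Applies a fixed sequence of regex rewrites to *data* (percent/unicode
    unescaping, XOR and base64 string decoders, AES/DES-encrypted ``.m3u8``
    values, site-specific JS helper functions), then the packer-specific
    unpackers and ``zdecode``.  When a step that can expose another layer
    fired, the function calls itself on the result.

    *data* is presumably markup fetched from a remote site, so it is handled
    as untrusted input: each fixed-point loop stops as soon as a full pass
    changes nothing, and the recursion is skipped when the text is identical
    to what was passed in.  Without those guards an input such as
    ``unescape("%zz")`` (which ``unquote_plus`` returns unchanged) makes the
    loop spin forever, and a long quoted ``'%zz...'`` run is wrapped in
    ``unescape(...)`` again on every pass, growing without bound.

    Python 2 only: relies on ``urllib.unquote_plus`` and ``str.decode('hex')``.

    NOTE(review): block nesting was rebuilt from a whitespace-collapsed
    listing; confirm that the DES ``.m3u8`` step and the ``.replace(`` step
    sit at the level upstream has them.

    Args:
        data: page source as a byte string.

    Returns:
        The rewritten string.

    Raises:
        Decoder errors (bad base64/hex input, cipher errors outside the
        guarded first AES attempt) propagate; only failures inside
        ``wdecode`` and ``zdecode`` are ignored.
    """
    original = data
    escape_again = False

    # init jsFunctions and jsUnpacker
    jsF = JsFunctions()
    jsU = JsUnpacker()
    jsU2 = JsUnpackerV2()
    jsUW = JsUnwiser()
    jsUI = JsUnIonCube()
    jsUF = JsUnFunc()
    jsUP = JsUnPP()
    jsU95 = JsUnpacker95High()
    JsPush = JsUnPush()
    JsHive = hivelogic()

    # replace NUL
    #data = data.replace('\0','')

    # unescape: a1="%3C..." attributes
    r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, urllib.unquote_plus(g))
        if data == before:
            break  # no progress (malformed escape) - stop instead of spinning

    # unescape("...%xx...") arguments
    r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, urllib.unquote_plus(g))
        if data == before:
            break  # e.g. "%zz" is returned unchanged by unquote_plus

    # Bare quoted runs of 100-130 escape characters: decode and wrap them in
    # unescape(...) so the following steps treat them like the case above.
    r = re.compile("""('%[\w%]{100,130}')""")
    while r.findall(data):
        before = data
        for g in r.findall(data):
            decoded = urllib.unquote_plus(g)
            if decoded != g:
                data = data.replace(g, "unescape({0})".format(decoded))
            # An undecodable run is left alone: wrapping it would keep the
            # same match alive and add another wrapper on every pass.
        if data == before:
            break

    # unescape("...\u00xx...") arguments
    r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, g.decode('unicode-escape'))
        if data == before:
            break

    # '+dec("...")+' fragments: every character is XORed with 123
    r = re.compile('(\'\+dec\("\w+"\)\+\')')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('dec\("(\w+)"\)')
            for dec_data in r2.findall(g):
                res = ''.join(chr(ord(i) ^ 123) for i in dec_data)
                data = data.replace(g, res)
        if data == before:
            break

    # eval(decodeURIComponent(atob('...'))) / window.atob('...'): base64 + unquote
    r = re.compile('((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+')
            for base64_data in r2.findall(g):
                data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
        if data == before:
            break

    # <script ... str='@..' ... str.replace: '@' stands in for '%'
    r = re.compile('(<script.*?str=\'@.*?str.replace)')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('.*?str=\'([^\']+)')
            for escape_data in r2.findall(g):
                data = data.replace(g, urllib.unquote(escape_data.replace('@','%')))
        if data == before:
            break

    # base('...') calls: base64 + unquote; the output may hold another layer
    r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
            for base64_data in r2.findall(g):
                data = data.replace(g, urllib.unquote(base64_data.decode('base-64')))
                escape_again = True
        if data == before:
            break

    r = re.compile('(eval\(function\((?!w)\w+,\w+,\w+,\w+\),\w+,\w+.*?\{\}\)\);)', flags=re.DOTALL)
    for g in r.findall(data):
        try:
            data = data.replace(g, wdecode(g))
            escape_again = True
        except Exception:
            # Best effort: a block wdecode cannot handle is left as it is.
            # Exception (not a bare except) lets KeyboardInterrupt through.
            pass

    if '"result2":"'in data:
        # "<hex ciphertext>.<hex iv>.m3u8" values, AES-CBC encrypted.
        r = re.compile(r""":("(?!http)\w+\.\w+\.m3u8")""")
        gs = r.findall(data)
        if gs:
            # Drops as many trailing bytes as the last byte says.  The padding
            # is not validated, so a wrong key gives garbage, not an error.
            unpad = lambda s : s[0:-ord(s[-1])]
            for g in gs:
                _in = json.loads(g).split('.')
                # NOTE(review): hard-coded key material; presumably mirrors
                # the site's client-side script - confirm.
                aes = AES.new('5e4542404f4c757e4431675f373837385649313133356f3152693935366e4361'.decode('hex'), AES.MODE_CBC, _in[1].decode('hex'))
                try:
                    _url = unpad(aes.decrypt(_in[0].decode('hex')))
                except Exception:
                    _url = None
                if _url:
                    data = data.replace(g,json.dumps( _url ))
                else:
                    # Second key: only reached when the first attempt raised
                    # or unpadded to an empty string.
                    aes = AES.new('5e5858405046757e4631775f33414141514e3133393973315775336c34695a5a'.decode('hex'), AES.MODE_CBC, _in[1].decode('hex'))
                    _url = unpad(aes.decrypt(_in[0].decode('hex')))
                    data = data.replace(g,json.dumps( _url ))

        # base64-looking "....m3u8" values go through DES-ECB, minus ".m3u8".
        r = re.compile(r""":("(?!http)[\w=\\/\+]+\.m3u8")""")
        for g in r.findall(data):
            data = data.replace(g,json.dumps(decryptDES_ECB(json.loads(g)[:-5], '5333637233742600'.decode('hex'))))

    # n98c4d2c
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))

    # enkripsi="...": XOR every character with 2, then unquote
    if 'var enkripsi' in data:
        r = re.compile(r"""enkripsi="([^"]+)""")
        for g in r.findall(data):
            s = ''.join(chr(ord(i) ^ 2) for i in g)
            data = data.replace("""enkripsi=\""""+g, urllib.unquote(s))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))

    # RrRrRrRr
    if 'function RrRrRrRr(' in data:
        r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL)
        for g in r.findall(data):
            data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\','')))

    # hp_d01
    if 'function hp_d01(' in data:
        r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
        for g in r.findall(data):
            data = data.replace(g, jsF.hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
        for g in r.findall(data):
            data = data.replace(g, jsF.ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
        for g in r.findall(data):
            data = data.replace(g, jsF.pbbfa0(g))

    # Rewrite a packer variant with four-letter argument names and a custom
    # separator into the p,a,c,k form the unpackers below look for.
    if 'eval(function(' in data:
        data = re.sub(r"""function\(\w\w\w\w,\w\w\w\w,\w\w\w\w,\w\w\w\w""",'function(p,a,c,k)',data.replace('#','|'))
        data = re.sub(r"""\(\w\w\w\w\)%\w\w\w\w""",'e%a',data)
        data = re.sub(r"""RegExp\(\w\w\w\w\(\w\w\w\w\)""",'RegExp(e(c)',data)
        r = re.compile(r"""\.split\('([^']+)'\)""")
        for g in r.findall(data):
            data = data.replace(g,'|')

    # Apply literal .replace("abcd...", "b") calls found in the page (search
    # strings of four or more characters).  The substitution hits every
    # occurrence in the whole text.
    if """.replace(""" in data:
        r = re.compile(r""".replace\(["'](...[^"']+)["'],\s*["']([^"']*)["']\)""")
        for g in r.findall(data):
            data = data.replace(g[0],g[1])

    # util.de
    if 'Util.de' in data:
        r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
        for g in r.findall(data):
            data = data.replace(g,g.decode('base64'))

    # 24cast
    if 'destreamer(' in data:
        r = re.compile("destreamer\(\"(.+?)\"\)")
        for g in r.findall(data):
            data = data.replace(g, destreamer(g))

    # JS P,A,C,K,E,D
    if jsU95.containsPacked(data):
        data = jsU95.unpackAll(data)
        escape_again = True

    if jsU2.containsPacked(data):
        data = jsU2.unpackAll(data)
        escape_again = True

    if jsU.containsPacked(data):
        data = jsU.unpackAll(data)
        escape_again = True

    # JS W,I,S,E
    if jsUW.containsWise(data):
        data = jsUW.unwiseAll(data)
        escape_again = True

    # JS IonCube
    if jsUI.containsIon(data):
        data = jsUI.unIonALL(data)
        escape_again = True

    # Js unFunc
    if jsUF.cointainUnFunc(data):
        data = jsUF.unFuncALL(data)
        escape_again = True

    if jsUP.containUnPP(data):
        data = jsUP.UnPPAll(data)
        escape_again = True

    if JsPush.containUnPush(data):
        data = JsPush.UnPush(data)

    if JsHive.contains_hivelogic(data):
        data = JsHive.unpack_hivelogic(data)

    try:
        data = zdecode(data)
    except Exception:
        # Best effort: text zdecode cannot handle is kept unchanged.
        pass

    # unescape again - but only when something changed.  Re-running on
    # identical text would repeat the same steps until the recursion limit
    # is hit (assuming the unpackers are deterministic).
    if escape_again and data != original:
        data = doDemystify(data)
    return data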
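def doDemystify(data):
    """Undo the known obfuscation layers in a page and return the result.

    Strips NUL bytes, percent-decodes ``unescape("...")`` arguments, runs the
    site-specific JS helper decoders, swaps tinyurl links for the value
    returned by ``get_redirected_url`` and finally unpacks P,A,C,K,E,D code.

    *data* is presumably markup fetched from a remote site.  Each quoted
    tinyurl link found in it is handed to ``get_redirected_url``, so the host
    pattern is matched with literal dots: with unescaped dots, look-alike
    hosts such as ``wwwxtinyurl.com`` would be passed along as well.

    Python 2 only: relies on ``urllib.unquote_plus`` and ``str.decode``.

    Args:
        data: page source as a byte string.

    Returns:
        The rewritten string.
    """
    # init jsFunctions and jsUnpacker
    jsF = JsFunctions()
    jsU = JsUnpacker()

    # replace NUL
    data = data.replace('\0','')

    # unescape
    r = re.compile('unescape\(\s*["\']([^\'"]+)["\']')
    for g in r.findall(data):
        data = data.replace(g, urllib.unquote_plus(g))

    # n98c4d2c
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))

    # RrRrRrRr
    if 'function RrRrRrRr(' in data:
        r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL)
        for g in r.findall(data):
            data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\','')))

    # hp_d01
    if 'function hp_d01(' in data:
        r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
        for g in r.findall(data):
            data = data.replace(g, jsF.hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
        for g in r.findall(data):
            data = data.replace(g, jsF.ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
        for g in r.findall(data):
            data = data.replace(g, jsF.pbbfa0(g))

    # util.de
    if 'Util.de' in data:
        r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
        for g in r.findall(data):
            data = data.replace(g,g.decode('base64'))

    # 24cast
    if 'destreamer(' in data:
        r = re.compile("destreamer\(\"(.+?)\"\)")
        for g in r.findall(data):
            data = data.replace(g, destreamer(g))

    # Tiny url - dots escaped so only tinyurl.com / www.tinyurl.com match
    r = re.compile('[\'"](http://(?:www\.)?tinyurl\.com/[^\'"]+)[\'"]',re.IGNORECASE + re.DOTALL)
    for tiny in r.findall(data):
        data = data.replace(tiny, get_redirected_url(tiny))

    # JS P,A,C,K,E,D
    if jsU.containsPacked(data):
        data = jsU.unpackAll(data)

    return data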
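def doDemystify(data):
    """Undo the known obfuscation layers in a page and return the result.

    Strips NUL bytes, decodes percent- and unicode-escaped ``unescape(...)``
    arguments, runs the site-specific JS helper decoders and the
    packer-specific unpackers.  When one of the later unpackers fired, the
    ``unescape("...")`` arguments are percent-decoded once more.

    *data* is presumably markup fetched from a remote site, so it is handled
    as untrusted input: each fixed-point loop stops as soon as a full pass
    changes nothing.  Without that guard an input such as
    ``unescape("%zz")`` (which ``unquote_plus`` returns unchanged) makes the
    loop spin forever.

    Python 2 only: relies on ``urllib.unquote_plus`` and ``str.decode``.

    Args:
        data: page source as a byte string.

    Returns:
        The rewritten string.
    """
    # init jsFunctions and jsUnpacker
    jsF = JsFunctions()
    jsU = JsUnpacker()
    jsUV2 =JsUnpackerV2()
    jsUW = JsUnwiser()
    jsUI = JsUnIonCube()
    jsUF = JsUnFunc()
    jsUP = JsUnPP()
    jsU95 = JsUnpacker95High()

    # replace NUL
    data = data.replace('\0','')

    # unescape: a1="%3C..." attributes
    r = re.compile('a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, urllib.unquote_plus(g))
        if data == before:
            break  # no progress (malformed escape) - stop instead of spinning

    # unescape("...%xx...") arguments
    r = re.compile('unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, urllib.unquote_plus(g))
        if data == before:
            break  # e.g. "%zz" is returned unchanged by unquote_plus

    # unescape("...\u00xx...") arguments
    r = re.compile('unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']')
    while r.findall(data):
        before = data
        for g in r.findall(data):
            data = data.replace(g, g.decode('unicode-escape'))
        if data == before:
            break

    # n98c4d2c
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))

    # RrRrRrRr
    if 'function RrRrRrRr(' in data:
        r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>", re.IGNORECASE + re.DOTALL)
        for g in r.findall(data):
            data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\','')))

    # hp_d01
    if 'function hp_d01(' in data:
        r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
        for g in r.findall(data):
            data = data.replace(g, jsF.hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
        for g in r.findall(data):
            data = data.replace(g, jsF.ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
        for g in r.findall(data):
            data = data.replace(g, jsF.pbbfa0(g))

    # util.de
    if 'Util.de' in data:
        r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
        for g in r.findall(data):
            data = data.replace(g,g.decode('base64'))

    # 24cast
    if 'destreamer(' in data:
        r = re.compile("destreamer\(\"(.+?)\"\)")
        for g in r.findall(data):
            data = data.replace(g, destreamer(g))

    # Tiny url
    #r = re.compile('[\'"](http://(?:www.)?tinyurl.com/[^\'"]+)[\'"]',re.IGNORECASE + re.DOTALL)
    #m = r.findall(data)
    #if m:
        #for tiny in m:
            #data = data.replace(tiny, get_redirected_url(tiny))

    # JS P,A,C,K,E,D
    if jsU.containsPacked(data):
        data = jsU.unpackAll(data)

    # Set unconditionally so the check at the end never reads an unbound name.
    escape_again = False

    #if still exists then apply v2
    if jsUV2.containsPacked(data):
        data = jsUV2.unpackAll(data)
        escape_again = True

    if jsU95.containsPacked(data):
        data = jsU95.unpackAll(data)
        escape_again = True

    # JS W,I,S,E
    if jsUW.containsWise(data):
        data = jsUW.unwiseAll(data)
        escape_again = True

    # JS IonCube
    if jsUI.containsIon(data):
        data = jsUI.unIonALL(data)
        escape_again = True

    # Js unFunc
    if jsUF.cointainUnFunc(data):
        data = jsUF.unFuncALL(data)
        escape_again = True

    if jsUP.containUnPP(data):
        data = jsUP.UnPPAll(data)
        escape_again = True

    # unescape again
    if escape_again:
        r = re.compile('unescape\(\s*["\']([^\'"]+)["\']')
        for g in r.findall(data):
            data = data.replace(g, urllib.unquote_plus(g))

    return data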
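def doDemystify(data):
    """Rewrite the JavaScript obfuscation wrappers recognised here inside ``data``.

    Each stage replaces one wrapper family with its decoded text: escaped
    ``unescape(...)`` arguments, XOR/base64 helpers (``dec``, ``atob``,
    ``base``, ``enkripsi``), the site-specific decoders in ``JsFunctions``
    and the packer families handled by the ``JsUn*`` helpers.  When a stage
    reports that it unpacked something, the function calls itself on the
    result so nested layers are peeled as well.

    NOTE(review): ``data`` is presumably markup fetched from a remote page, so
    every pattern below runs on input the caller does not control - confirm.
    NOTE(review): nesting was reconstructed from a listing that lost its
    indentation - confirm against the original file.
    """

    def _rewrite_until_stable(text, pattern, rewrite):
        """Replace every capture of ``pattern`` with ``rewrite(capture)``.

        ``rewrite`` returns ``None`` (or the capture itself) when it cannot
        decode anything.  The loop stops once a pass makes no replacement.
        The previous ``while r.findall(data)`` form never returned when a
        capture matched but did not decode (e.g. ``%zz``), so a single
        crafted string could hang the caller.
        """
        rx = re.compile(pattern)
        while True:
            progressed = False
            for found in rx.findall(text):
                replacement = rewrite(found)
                if replacement is None or replacement == found:
                    continue
                text = text.replace(found, replacement)
                progressed = True
            if not progressed:
                return text

    def _wrap_bare_escape(quoted):
        """Turn a bare quoted %-string into ``unescape(<decoded>)``.

        Returns ``None`` when nothing decodes; wrapping an unchanged string
        would leave it matching forever and grow the text on every pass.
        """
        decoded = urllib.unquote_plus(quoted)
        if decoded == quoted:
            return None
        return "unescape({0})".format(decoded)

    escape_again = False

    # init jsFunctions and jsUnpacker
    jsF = JsFunctions()
    jsU = JsUnpacker()
    jsU2 = JsUnpackerV2()
    jsUW = JsUnwiser()
    jsUI = JsUnIonCube()
    jsUF = JsUnFunc()
    jsUP = JsUnPP()
    jsU95 = JsUnpacker95High()
    JsPush = JsUnPush()
    JsHive = hivelogic()

    # replace NUL
    #data = data.replace('\0','')

    # unescape
    data = _rewrite_until_stable(
        data, 'a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']', urllib.unquote_plus)
    data = _rewrite_until_stable(
        data, 'unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']',
        urllib.unquote_plus)
    data = _rewrite_until_stable(
        data, """('%[\w%]{100,130}')""", _wrap_bare_escape)
    data = _rewrite_until_stable(
        data, 'unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']',
        lambda quoted: quoted.decode('unicode-escape'))

    # '+dec("...")+' : every character XORed with 123
    r = re.compile('(\'\+dec\("\w+"\)\+\')')
    while r.findall(data):
        for g in r.findall(data):
            r2 = re.compile('dec\("(\w+)"\)')
            for dec_data in r2.findall(g):
                res = ''.join(chr(ord(ch) ^ 123) for ch in dec_data)
                data = data.replace(g, res)

    # atob('...') : base64, then percent-decoding
    r = re.compile('((?:eval\(decodeURIComponent\(|window\.)atob\([\'"][^\'"]+[\'"]\)+)')
    while r.findall(data):
        for g in r.findall(data):
            r2 = re.compile('(?:eval\(decodeURIComponent\(|window\.)atob\([\'"]([^\'"]+)[\'"]\)+')
            for base64_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(base64_data.decode('base-64')))

    # str='@..' : percent-encoding with '@' standing in for '%'
    r = re.compile('(<script.*?str=\'@.*?str.replace)')
    while r.findall(data):
        for g in r.findall(data):
            r2 = re.compile('.*?str=\'([^\']+)')
            for escape_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(escape_data.replace('@', '%')))

    # base('...') : base64, then percent-decoding
    r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
    while r.findall(data):
        for g in r.findall(data):
            r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
            for base64_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(base64_data.decode('base-64')))
                escape_again = True

    r = re.compile('(eval\(function\((?!w)\w+,\w+,\w+,\w+\),\w+,\w+.*?\{\}\)\);)',
                   flags=re.DOTALL)
    for g in r.findall(data):
        try:
            data = data.replace(g, wdecode(g))
            escape_again = True
        except Exception:
            # best effort: a wrapper wdecode cannot handle is left as it is
            pass

    # n98c4d2c
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))

    # enkripsi="..." : every character XORed with 2, then percent-decoding
    if 'var enkripsi' in data:
        r = re.compile(r"""enkripsi="([^"]+)""")
        for g in r.findall(data):
            s = ''.join(chr(ord(ch) ^ 2) for ch in g)
            data = data.replace('enkripsi="' + g, urllib.unquote(s))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))

    # RrRrRrRr
    if 'function RrRrRrRr(' in data:
        r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
                       re.IGNORECASE + re.DOTALL)
        for g in r.findall(data):
            # g[0] is the whole call, g[1] its quoted argument
            data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', '')))

    # hp_d01
    if 'function hp_d01(' in data:
        r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
        for g in r.findall(data):
            data = data.replace(g, jsF.hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
        for g in r.findall(data):
            data = data.replace(g, jsF.ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
        for g in r.findall(data):
            data = data.replace(g, jsF.pbbfa0(g))

    # Rename four-letter packer parameters back to the p,a,c,k names and
    # restore '|' as the separator so the unpackers below recognise the blob.
    if 'eval(function(' in data:
        data = re.sub(r"""function\(\w\w\w\w,\w\w\w\w,\w\w\w\w,\w\w\w\w""",
                      'function(p,a,c,k)', data.replace('#', '|'))
        data = re.sub(r"""\(\w\w\w\w\)%\w\w\w\w""", 'e%a', data)
        data = re.sub(r"""RegExp\(\w\w\w\w\(\w\w\w\w\)""", 'RegExp(e(c)', data)
        r = re.compile(r"""\.split\('([^']+)'\)""")
        for g in r.findall(data):
            data = data.replace(g, '|')

    # Apply literal .replace('a', 'b') calls found in the script to the text.
    if """.replace(""" in data:
        r = re.compile(r""".replace\(["']([^"']+)["'],\s*["']([^"']*)["']\)""")
        for g in r.findall(data):
            data = data.replace(g[0], g[1])

    # util.de
    if 'Util.de' in data:
        r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
        for g in r.findall(data):
            # decode errors on malformed base64 propagate to the caller
            data = data.replace(g, g.decode('base64'))

    # 24cast
    if 'destreamer(' in data:
        r = re.compile("destreamer\(\"(.+?)\"\)")
        for g in r.findall(data):
            data = data.replace(g, destreamer(g))

    # JS P,A,C,K,E,D
    if jsU95.containsPacked(data):
        data = jsU95.unpackAll(data)
        escape_again = True

    if jsU2.containsPacked(data):
        data = jsU2.unpackAll(data)
        escape_again = True

    if jsU.containsPacked(data):
        data = jsU.unpackAll(data)
        escape_again = True

    # JS W,I,S,E
    if jsUW.containsWise(data):
        data = jsUW.unwiseAll(data)
        escape_again = True

    # JS IonCube
    if jsUI.containsIon(data):
        data = jsUI.unIonALL(data)
        escape_again = True

    # Js unFunc
    if jsUF.cointainUnFunc(data):
        data = jsUF.unFuncALL(data)
        escape_again = True

    if jsUP.containUnPP(data):
        data = jsUP.UnPPAll(data)
        escape_again = True

    if JsPush.containUnPush(data):
        data = JsPush.UnPush(data)

    if JsHive.contains_hivelogic(data):
        data = JsHive.unpack_hivelogic(data)

    try:
        data = zdecode(data)
    except Exception:
        # best effort: text zdecode cannot handle is kept unchanged
        pass

    # unescape again: one recursive call per peeled layer, so the nesting
    # depth of the input is limited only by the interpreter's recursion limit
    if escape_again:
        data = doDemystify(data)
    return data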
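def doDemystify(data):
    """Rewrite the JavaScript obfuscation wrappers recognised here inside ``data``.

    Percent-decodes ``unescape(...)`` arguments, runs the site-specific
    decoders in ``JsFunctions``, resolves quoted tinyurl links through
    ``get_redirected_url`` and applies the packer helpers, then returns the
    rewritten text.

    NOTE(review): ``data`` is presumably markup fetched from a remote page, so
    every pattern below runs on input the caller does not control - confirm.
    NOTE(review): nesting was reconstructed from a listing that lost its
    indentation - confirm against the original file.
    """
    # init jsFunctions and jsUnpacker
    jsF = JsFunctions()
    jsU = JsUnpacker()
    jsUV2 = JsUnpackerV2()
    jsUW = JsUnwiser()
    jsUI = JsUnIonCube()

    # replace NUL
    data = data.replace('\0', '')

    # unescape
    r = re.compile('unescape\(\s*["\']([^\'"]+)["\']')
    for quoted in r.findall(data):
        data = data.replace(quoted, urllib.unquote_plus(quoted))

    # n98c4d2c
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))

    # RrRrRrRr
    if 'function RrRrRrRr(' in data:
        r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
                       re.IGNORECASE + re.DOTALL)
        for g in r.findall(data):
            # g[0] is the whole call, g[1] its quoted argument
            data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', '')))

    # hp_d01
    if 'function hp_d01(' in data:
        r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
        for g in r.findall(data):
            data = data.replace(g, jsF.hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
        for g in r.findall(data):
            data = data.replace(g, jsF.ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
        for g in r.findall(data):
            data = data.replace(g, jsF.pbbfa0(g))

    # util.de
    if 'Util.de' in data:
        r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
        for g in r.findall(data):
            # decode errors on malformed base64 propagate to the caller
            data = data.replace(g, g.decode('base64'))

    # 24cast
    if 'destreamer(' in data:
        r = re.compile("destreamer\(\"(.+?)\"\)")
        for g in r.findall(data):
            data = data.replace(g, destreamer(g))

    # Tiny url
    # The dots are escaped so only the literal tinyurl.com host is accepted.
    # With bare '.' any character matched there, which let page content pick
    # other hosts to be handed to get_redirected_url (presumably an outbound
    # request - confirm).
    r = re.compile(r'''['"](http://(?:www\.)?tinyurl\.com/[^'"]+)['"]''',
                   re.IGNORECASE + re.DOTALL)
    for tiny in r.findall(data):
        data = data.replace(tiny, get_redirected_url(tiny))

    # JS P,A,C,K,E,D
    if jsU.containsPacked(data):
        data = jsU.unpackAll(data)

    # Bound at function level so the final check can always read the flag.
    escape_again = False
    # if still exists then apply v2
    if jsUV2.containsPacked(data):
        data = jsUV2.unpackAll(data)
        escape_again = True

    # JS W,I,S,E
    if jsUW.containsWise(data):
        data = jsUW.unwiseAll(data)
        escape_again = True

    # JS IonCube
    if jsUI.containsIon(data):
        data = jsUI.unIonALL(data)
        escape_again = True

    # unescape again: unpacking may have exposed new unescape(...) calls
    if escape_again:
        r = re.compile('unescape\(\s*["\']([^\'"]+)["\']')
        for quoted in r.findall(data):
            data = data.replace(quoted, urllib.unquote_plus(quoted))
    return data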
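def doDemystify(data):
    """Rewrite the JavaScript obfuscation wrappers recognised here inside ``data``.

    Stages, in order: the "MRKNOW" double-``eval(unescape(...))`` scheme,
    escaped ``unescape(...)`` arguments, XOR/base64 helpers (``dec``,
    ``atob``, ``base``), the site-specific decoders in ``JsFunctions`` and
    the packer families handled by the ``JsUn*`` helpers.  When a stage
    reports that it unpacked something, the function calls itself on the
    result so nested layers are peeled as well.

    NOTE(review): ``data`` is presumably markup fetched from a remote page, so
    every pattern below runs on input the caller does not control - confirm.
    NOTE(review): nesting was reconstructed from a listing that lost its
    indentation - confirm against the original file.
    """

    def _rewrite_until_stable(text, pattern, rewrite):
        """Replace every capture of ``pattern`` with ``rewrite(capture)``.

        Stops as soon as a pass changes nothing.  The previous
        ``while r.findall(data)`` form never returned when a capture matched
        but did not decode (e.g. ``%zz``), so a single crafted string could
        hang the caller.
        """
        rx = re.compile(pattern)
        while True:
            progressed = False
            for found in rx.findall(text):
                replacement = rewrite(found)
                if replacement == found:
                    continue
                text = text.replace(found, replacement)
                progressed = True
            if not progressed:
                return text

    common.log('MR DECODE0: ')
    escape_again = False

    # init jsFunctions and jsUnpacker
    jsF = JsFunctions()
    jsU = JsUnpacker()
    jsU2 = JsUnpackerV2()
    jsUW = JsUnwiser()
    jsUI = JsUnIonCube()
    jsUF = JsUnFunc()
    jsUP = JsUnPP()
    jsU95 = JsUnpacker95High()
    JsPush = JsUnPush()

    #MRKNOW START
    #common.log('MR DECODE1: ' + data)
    r = re.compile("eval\(unescape\(\'.*'\)\);\s.*eval\(unescape\(\'.*\'\).*\'.*\'.*?unescape\(\'.*\'\)\);")
    while r.findall(data):
        before_pass = data
        for g in r.findall(data):
            common.log('MR DECODE2: ' + g)
            marian = re.compile(
                'eval\(unescape\(\'([^\']+)\'\)\);\s.*eval\(unescape\(\'([^\']+)\'\).*\'([^\']+)\'.*?unescape\(\'([^\']+)\'\)\);'
            ).findall(g)
            # The first unescape() argument holds the decoder source; the
            # split token, key suffix and additive constant are read from it.
            decoder_src = urllib.unquote(marian[0][0])
            mysplit = re.compile('s\.split\("([^"]+)"').findall(decoder_src)[0]
            myadd = re.compile('unescape\(tmp\[1\] \+ "([^"]+)"\)').findall(decoder_src)[0]
            myadd2 = re.compile('charCodeAt\(i\)\)\+(.*?)\)\;').findall(decoder_src)[0]
            mystring = urllib.unquote(marian[0][2])
            ile = mystring.split(str(mysplit))
            k = ile[1] + str(myadd)
            print("Ile", ile[1], k)
            alina = []
            # for y in k:
            #     print("y",y)
            for i in range(0, len(mystring)):
                aa = ord(mystring[i])
                bb = int(k[i % len(k)])  # key characters are read as decimal digits
                alina.append((bb ^ aa) + int(myadd2))
            res = ''.join(map(chr, alina))
            # common.log('Malina: %s ' % malina)
            data = data.replace(g, res)
            common.log('MR DECODE10: ' + data)
        if data == before_pass:
            # nothing was rewritten; stop instead of matching the same text forever
            break
    #MRKNOW END

    # replace NUL
    #data = data.replace('\0','')

    # unescape
    data = _rewrite_until_stable(
        data, 'a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']', urllib.unquote_plus)
    data = _rewrite_until_stable(
        data, 'unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']',
        urllib.unquote_plus)
    data = _rewrite_until_stable(
        data, 'unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']',
        lambda quoted: quoted.decode('unicode-escape'))

    # '+dec("...")+' : every character XORed with 123
    r = re.compile('(\'\+dec\("\w+"\)\+\')')
    while r.findall(data):
        for g in r.findall(data):
            r2 = re.compile('dec\("(\w+)"\)')
            for dec_data in r2.findall(g):
                res = ''.join(chr(ord(ch) ^ 123) for ch in dec_data)
                data = data.replace(g, res)

    # eval(decodeURIComponent(atob('...'))) : base64, then percent-decoding
    r = re.compile('(eval\(decodeURIComponent\(atob\([\'"][^\'"]+[\'"]\)\)\);)')
    while r.findall(data):
        for g in r.findall(data):
            r2 = re.compile('eval\(decodeURIComponent\(atob\([\'"]([^\'"]+)[\'"]\)\)\);')
            for base64_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(base64_data.decode('base-64')))

    # str='@..' : percent-encoding with '@' standing in for '%'
    r = re.compile('(<script.*?str=\'@.*?str.replace)')
    while r.findall(data):
        for g in r.findall(data):
            r2 = re.compile('.*?str=\'([^\']+)')
            for escape_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(escape_data.replace('@', '%')))

    # base('...') : base64, then percent-decoding
    r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
    while r.findall(data):
        for g in r.findall(data):
            r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
            for base64_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(base64_data.decode('base-64')))
                escape_again = True

    r = re.compile('(eval\\(function\\(\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))',
                   flags=re.DOTALL)
    for g in r.findall(data):
        try:
            data = data.replace(g, wdecode(g))
            escape_again = True
        except Exception:
            # best effort: a wrapper wdecode cannot handle is left as it is
            pass

    # n98c4d2c
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))

    # RrRrRrRr
    if 'function RrRrRrRr(' in data:
        r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
                       re.IGNORECASE + re.DOTALL)
        for g in r.findall(data):
            # g[0] is the whole call, g[1] its quoted argument
            data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', '')))

    # hp_d01
    if 'function hp_d01(' in data:
        r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
        for g in r.findall(data):
            data = data.replace(g, jsF.hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
        for g in r.findall(data):
            data = data.replace(g, jsF.ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
        for g in r.findall(data):
            data = data.replace(g, jsF.pbbfa0(g))

    # util.de
    if 'Util.de' in data:
        r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
        for g in r.findall(data):
            # decode errors on malformed base64 propagate to the caller
            data = data.replace(g, g.decode('base64'))

    # 24cast
    if 'destreamer(' in data:
        r = re.compile("destreamer\(\"(.+?)\"\)")
        for g in r.findall(data):
            data = data.replace(g, destreamer(g))

    # JS P,A,C,K,E,D
    if jsU95.containsPacked(data):
        data = jsU95.unpackAll(data)
        escape_again = True

    if jsU2.containsPacked(data):
        data = jsU2.unpackAll(data)
        escape_again = True

    if jsU.containsPacked(data):
        data = jsU.unpackAll(data)
        escape_again = True

    # JS W,I,S,E
    if jsUW.containsWise(data):
        data = jsUW.unwiseAll(data)
        escape_again = True

    # JS IonCube
    if jsUI.containsIon(data):
        data = jsUI.unIonALL(data)
        escape_again = True

    # Js unFunc
    if jsUF.cointainUnFunc(data):
        data = jsUF.unFuncALL(data)
        escape_again = True

    if jsUP.containUnPP(data):
        data = jsUP.UnPPAll(data)
        escape_again = True

    if JsPush.containUnPush(data):
        data = JsPush.UnPush(data)

    # unescape again: one recursive call per peeled layer, so the nesting
    # depth of the input is limited only by the interpreter's recursion limit
    if escape_again:
        data = doDemystify(data)
    return data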
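def doDemystify(data):
    """Rewrite the JavaScript obfuscation wrappers recognised here inside ``data``.

    Stages, in order: the "MRKNOW" double-``eval(unescape(...))`` scheme,
    escaped ``unescape(...)`` arguments, XOR/base64 helpers (``dec``,
    ``atob``, ``base``), the site-specific decoders in ``JsFunctions`` and
    the packer families handled by the ``JsUn*`` helpers.  When a stage
    reports that it unpacked something, the function calls itself on the
    result so nested layers are peeled as well.

    NOTE(review): ``data`` is presumably markup fetched from a remote page, so
    every pattern below runs on input the caller does not control - confirm.
    NOTE(review): nesting was reconstructed from a listing that lost its
    indentation - confirm against the original file.
    """

    def _rewrite_until_stable(text, pattern, rewrite):
        """Replace every capture of ``pattern`` with ``rewrite(capture)``.

        Stops as soon as a pass changes nothing.  The previous
        ``while r.findall(data)`` form never returned when a capture matched
        but did not decode (e.g. ``%zz``), so a single crafted string could
        hang the caller.
        """
        rx = re.compile(pattern)
        while True:
            progressed = False
            for found in rx.findall(text):
                replacement = rewrite(found)
                if replacement == found:
                    continue
                text = text.replace(found, replacement)
                progressed = True
            if not progressed:
                return text

    common.log('MR DECODE0: ')
    escape_again = False

    # init jsFunctions and jsUnpacker
    jsF = JsFunctions()
    jsU = JsUnpacker()
    jsU2 = JsUnpackerV2()
    jsUW = JsUnwiser()
    jsUI = JsUnIonCube()
    jsUF = JsUnFunc()
    jsUP = JsUnPP()
    jsU95 = JsUnpacker95High()
    JsPush = JsUnPush()

    #MRKNOW START
    #common.log('MR DECODE1: ' + data)
    r = re.compile(
        "eval\(unescape\(\'.*'\)\);\s.*eval\(unescape\(\'.*\'\).*\'.*\'.*?unescape\(\'.*\'\)\);"
    )
    while r.findall(data):
        before_pass = data
        for g in r.findall(data):
            common.log('MR DECODE2: ' + g)
            marian = re.compile(
                'eval\(unescape\(\'([^\']+)\'\)\);\s.*eval\(unescape\(\'([^\']+)\'\).*\'([^\']+)\'.*?unescape\(\'([^\']+)\'\)\);'
            ).findall(g)
            # The first unescape() argument holds the decoder source; the
            # split token, key suffix and additive constant are read from it.
            decoder_src = urllib.unquote(marian[0][0])
            mysplit = re.compile('s\.split\("([^"]+)"').findall(decoder_src)[0]
            myadd = re.compile('unescape\(tmp\[1\] \+ "([^"]+)"\)').findall(decoder_src)[0]
            myadd2 = re.compile('charCodeAt\(i\)\)\+(.*?)\)\;').findall(decoder_src)[0]
            mystring = urllib.unquote(marian[0][2])
            ile = mystring.split(str(mysplit))
            k = ile[1] + str(myadd)
            print("Ile", ile[1], k)
            alina = []
            # for y in k:
            #     print("y",y)
            for i in range(0, len(mystring)):
                aa = ord(mystring[i])
                bb = int(k[i % len(k)])  # key characters are read as decimal digits
                alina.append((bb ^ aa) + int(myadd2))
            res = ''.join(map(chr, alina))
            # common.log('Malina: %s ' % malina)
            data = data.replace(g, res)
            common.log('MR DECODE10: ' + data)
        if data == before_pass:
            # nothing was rewritten; stop instead of matching the same text forever
            break
    #MRKNOW END

    # replace NUL
    #data = data.replace('\0','')

    # unescape
    data = _rewrite_until_stable(
        data, 'a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']', urllib.unquote_plus)
    data = _rewrite_until_stable(
        data, 'unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']',
        urllib.unquote_plus)
    data = _rewrite_until_stable(
        data, 'unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']',
        lambda quoted: quoted.decode('unicode-escape'))

    # '+dec("...")+' : every character XORed with 123
    r = re.compile('(\'\+dec\("\w+"\)\+\')')
    while r.findall(data):
        for g in r.findall(data):
            r2 = re.compile('dec\("(\w+)"\)')
            for dec_data in r2.findall(g):
                res = ''.join(chr(ord(ch) ^ 123) for ch in dec_data)
                data = data.replace(g, res)

    # eval(decodeURIComponent(atob('...'))) : base64, then percent-decoding
    r = re.compile(
        '(eval\(decodeURIComponent\(atob\([\'"][^\'"]+[\'"]\)\)\);)')
    while r.findall(data):
        for g in r.findall(data):
            r2 = re.compile(
                'eval\(decodeURIComponent\(atob\([\'"]([^\'"]+)[\'"]\)\)\);')
            for base64_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(base64_data.decode('base-64')))

    # str='@..' : percent-encoding with '@' standing in for '%'
    r = re.compile('(<script.*?str=\'@.*?str.replace)')
    while r.findall(data):
        for g in r.findall(data):
            r2 = re.compile('.*?str=\'([^\']+)')
            for escape_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(escape_data.replace('@', '%')))

    # base('...') : base64, then percent-decoding
    r = re.compile('(base\([\'"]*[^\'"\)]+[\'"]*\))')
    while r.findall(data):
        for g in r.findall(data):
            r2 = re.compile('base\([\'"]*([^\'"\)]+)[\'"]*\)')
            for base64_data in r2.findall(g):
                data = data.replace(
                    g, urllib.unquote(base64_data.decode('base-64')))
                escape_again = True

    r = re.compile(
        '(eval\\(function\\(\w+,\w+,\w+,\w+.*?join\\(\'\'\\);*}\\(.*?\\))',
        flags=re.DOTALL)
    for g in r.findall(data):
        try:
            data = data.replace(g, wdecode(g))
            escape_again = True
        except Exception:
            # best effort: a wrapper wdecode cannot handle is left as it is
            pass

    # n98c4d2c
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))

    # RrRrRrRr
    if 'function RrRrRrRr(' in data:
        r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
                       re.IGNORECASE + re.DOTALL)
        for g in r.findall(data):
            # g[0] is the whole call, g[1] its quoted argument
            data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', '')))

    # hp_d01
    if 'function hp_d01(' in data:
        r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
        for g in r.findall(data):
            data = data.replace(g, jsF.hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
        for g in r.findall(data):
            data = data.replace(g, jsF.ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
        for g in r.findall(data):
            data = data.replace(g, jsF.pbbfa0(g))

    # util.de
    if 'Util.de' in data:
        r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
        for g in r.findall(data):
            # decode errors on malformed base64 propagate to the caller
            data = data.replace(g, g.decode('base64'))

    # 24cast
    if 'destreamer(' in data:
        r = re.compile("destreamer\(\"(.+?)\"\)")
        for g in r.findall(data):
            data = data.replace(g, destreamer(g))

    # JS P,A,C,K,E,D
    if jsU95.containsPacked(data):
        data = jsU95.unpackAll(data)
        escape_again = True

    if jsU2.containsPacked(data):
        data = jsU2.unpackAll(data)
        escape_again = True

    if jsU.containsPacked(data):
        data = jsU.unpackAll(data)
        escape_again = True

    # JS W,I,S,E
    if jsUW.containsWise(data):
        data = jsUW.unwiseAll(data)
        escape_again = True

    # JS IonCube
    if jsUI.containsIon(data):
        data = jsUI.unIonALL(data)
        escape_again = True

    # Js unFunc
    if jsUF.cointainUnFunc(data):
        data = jsUF.unFuncALL(data)
        escape_again = True

    if jsUP.containUnPP(data):
        data = jsUP.UnPPAll(data)
        escape_again = True

    if JsPush.containUnPush(data):
        data = JsPush.UnPush(data)

    # unescape again: one recursive call per peeled layer, so the nesting
    # depth of the input is limited only by the interpreter's recursion limit
    if escape_again:
        data = doDemystify(data)
    return data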
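def doDemystify(data):
    """Rewrite the JavaScript obfuscation wrappers recognised here inside ``data``.

    Handles percent- and unicode-escaped ``unescape(...)`` arguments, the
    site-specific decoder functions implemented by ``JsFunctions``,
    ``Util.de``/``destreamer`` calls and the packer families handled by the
    ``JsUn*`` helpers.  When a packer stage reports that it unpacked
    something, the function calls itself on the result so nested layers are
    peeled as well.

    NOTE(review): ``data`` is presumably markup fetched from a remote page, so
    every pattern below runs on input the caller does not control - confirm.
    NOTE(review): nesting was reconstructed from a listing that lost its
    indentation - confirm against the original file.
    """

    def _rewrite_until_stable(text, pattern, rewrite):
        """Replace every capture of ``pattern`` with ``rewrite(capture)``.

        Stops as soon as a pass changes nothing.  The previous
        ``while r.findall(data)`` form never returned when a capture matched
        but did not decode (e.g. ``%zz``), so a single crafted string could
        hang the caller.
        """
        rx = re.compile(pattern)
        while True:
            progressed = False
            for found in rx.findall(text):
                replacement = rewrite(found)
                if replacement == found:
                    continue
                text = text.replace(found, replacement)
                progressed = True
            if not progressed:
                return text

    # init jsFunctions and jsUnpacker
    jsF = JsFunctions()
    jsU = JsUnpacker()
    jsUV2 = JsUnpackerV2()
    jsUW = JsUnwiser()
    jsUW2 = JsUnwiser2()
    jsUI = JsUnIonCube()
    jsUF = JsUnFunc()
    jsUP = JsUnPP()
    jsU95 = JsUnpacker95High()
    JsPush = JsUnPush()

    # replace NUL
    data = data.replace('\0', '')

    # unescape
    data = _rewrite_until_stable(
        data, 'a1=["\'](%3C(?=[^\'"]*%\w\w)[^\'"]+)["\']', urllib.unquote_plus)
    data = _rewrite_until_stable(
        data, 'unescape\(\s*["\']((?=[^\'"]*%\w\w)[^\'"]+)["\']',
        urllib.unquote_plus)
    data = _rewrite_until_stable(
        data, 'unescape\(\s*["\']((?=[^\'"]*\\u00)[^\'"]+)["\']',
        lambda quoted: quoted.decode('unicode-escape'))

    # n98c4d2c
    if 'function n98c4d2c(' in data:
        gs = parseTextToGroups(data, ".*n98c4d2c\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.n98c4d2c(gs[0]))

    # o61a2a8f
    if 'function o61a2a8f(' in data:
        gs = parseTextToGroups(data, ".*o61a2a8f\(''\).*?'(%[^']+)'.*")
        if gs != None and gs != []:
            data = data.replace(gs[0], jsF.o61a2a8f(gs[0]))

    # RrRrRrRr
    if 'function RrRrRrRr(' in data:
        r = re.compile("(RrRrRrRr\(\"(.*?)\"\);)</SCRIPT>",
                       re.IGNORECASE + re.DOTALL)
        for g in r.findall(data):
            # g[0] is the whole call, g[1] its quoted argument
            data = data.replace(g[0], jsF.RrRrRrRr(g[1].replace('\\', '')))

    # hp_d01
    if 'function hp_d01(' in data:
        r = re.compile("hp_d01\(unescape\(\"(.+?)\"\)\);//-->")
        for g in r.findall(data):
            data = data.replace(g, jsF.hp_d01(g))

    # ew_dc
    if 'function ew_dc(' in data:
        r = re.compile("ew_dc\(unescape\(\"(.+?)\"\)\);</SCRIPT>")
        for g in r.findall(data):
            data = data.replace(g, jsF.ew_dc(g))

    # pbbfa0
    if 'function pbbfa0(' in data:
        r = re.compile("pbbfa0\(''\).*?'(.+?)'.\+.unescape")
        for g in r.findall(data):
            data = data.replace(g, jsF.pbbfa0(g))

    # util.de
    if 'Util.de' in data:
        r = re.compile("Util.de\(unescape\(['\"](.+?)['\"]\)\)")
        for g in r.findall(data):
            # decode errors on malformed base64 propagate to the caller
            data = data.replace(g, g.decode('base64'))

    # 24cast
    if 'destreamer(' in data:
        r = re.compile("destreamer\(\"(.+?)\"\)")
        for g in r.findall(data):
            data = data.replace(g, destreamer(g))

    # JS P,A,C,K,E,D
    if jsU.containsPacked(data):
        data = jsU.unpackAll(data)

    # Bound at function level so the final check can always read the flag.
    escape_again = False
    # if still exists then apply v2
    if jsUV2.containsPacked(data):
        data = jsUV2.unpackAll(data)
        escape_again = True

    if jsU95.containsPacked(data):
        data = jsU95.unpackAll(data)
        escape_again = True

    # JS W,I,S,E
    if jsUW.containsWise(data):
        data = jsUW.unwiseAll(data)
        escape_again = True

    if jsUW2.containsWise(data):
        data = jsUW2.unwiseAll(data)
        escape_again = True

    # JS IonCube
    if jsUI.containsIon(data):
        data = jsUI.unIonALL(data)
        escape_again = True

    # Js unFunc
    if jsUF.cointainUnFunc(data):
        data = jsUF.unFuncALL(data)
        escape_again = True

    if jsUP.containUnPP(data):
        data = jsUP.UnPPAll(data)
        escape_again = True

    if JsPush.containUnPush(data):
        data = JsPush.UnPush(data)

    # unescape again: one recursive call per peeled layer, so the nesting
    # depth of the input is limited only by the interpreter's recursion limit
    if escape_again:
        data = doDemystify(data)
    return data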