javascriptobfuscator_unpacker.js
//
// simple unpacker/deobfuscator for scripts messed up with javascriptobfuscator.com
// written by Einar Lielmanis <einar@jsbeautifier.org>
//
// usage:
//
// if (JavascriptObfuscator.detect(some_string)) {
// var unpacked = JavascriptObfuscator.unpack(some_string);
// }
//
//
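/**
 * Static unpacker for the string-table layout recognised by detect():
 * a leading `var _0x...=[ "...", ... ];` array whose entries are referenced
 * later as `_0x...[N]`.
 *
 * The input is only ever treated as text: it is matched with regular
 * expressions and rewritten, never evaluated. The returned source is still
 * the original (untrusted) program, just more readable, so callers should
 * handle it as data and not execute it.
 *
 * Every method refers to `JavascriptObfuscator` by name rather than `this`,
 * because run_tests() hands the bare functions to the test harness.
 */
var JavascriptObfuscator = {
  /**
   * Reports whether the text starts with a `var _0x<hex> = [` declaration.
   *
   * @param {string} str - source text to inspect
   * @returns {boolean} true when the string-table prefix is present
   */
  detect: function(str) {
    return /^var _0x[a-f0-9]+ ?\= ?\[/.test(str);
  },

  /**
   * Inlines the string table into the code that references it.
   *
   * Known limits of the regex-based approach: the table must sit on one line
   * (`.` does not match a newline) and the lazy match stops at the first `];`,
   * so a table entry that itself contains `];` truncates the table.
   *
   * @param {string} str - obfuscated source text
   * @returns {string} the text with the table declaration removed and each
   *   `_0x...[N]` reference replaced by its single-quoted literal; the input
   *   unchanged when no table is recognised
   */
  unpack: function(str) {
    if (!JavascriptObfuscator.detect(str)) {
      return str;
    }
    var declaration = /var (_0x[a-f\d]+) ?\= ?\[(.*?)\];/.exec(str);
    if (!declaration) {
      return str;
    }

    var table_name = declaration[1];
    var literals = JavascriptObfuscator._smart_split(declaration[2]);
    for (var i = 0; i < literals.length; i++) {
      literals[i] = JavascriptObfuscator._fix_quotes(
        JavascriptObfuscator._unescape(literals[i]));
    }

    // Cut out exactly the matched declaration. The match is not anchored, so
    // it can start after position 0; dropping the first N characters instead
    // would eat unrelated code.
    var body = str.substring(0, declaration.index) +
      str.substring(declaration.index + declaration[0].length);

    // One pass with a function replacer, for two reasons:
    //  - a replacement *string* interprets `$&`, `$'`, `$$` and friends, so a
    //    table entry such as "$" corrupted the output;
    //  - text that was just substituted is never rescanned, so an entry that
    //    happens to look like `_0x...[N]` is left alone.
    var reference = new RegExp(table_name + '\\[(\\d+)\\]', 'g');
    return body.replace(reference, function(whole, digits) {
      var index = parseInt(digits, 10);
      // Only canonical decimal indexes that exist in the table are rewritten.
      if (String(index) !== digits || index >= literals.length) {
        return whole;
      }
      return literals[index];
    });
  },

  /**
   * Converts a double-quoted literal into a single-quoted one.
   *
   * @param {string} str - literal text, quotes included
   * @returns {string} the single-quoted form, or the input unchanged when it
   *   is not wrapped in double quotes
   */
  _fix_quotes: function(str) {
    var quoted = /^"(.*)"$/.exec(str);
    if (!quoted) {
      return str;
    }
    // Walk escape pairs as units so that an already escaped quote (\') is not
    // escaped a second time, which would terminate the literal early.
    var inner = quoted[1].replace(/\\[\s\S]|'/g, function(token) {
      return token === "'" ? "\\'" : token;
    });
    return "'" + inner + "'";
  },

  /**
   * Splits the inside of an array literal into its double-quoted entries.
   * Text outside double quotes (commas, spaces, anything else) is skipped.
   *
   * @param {string} str - text between the table's `[` and `]`
   * @returns {string[]} entries, each still wrapped in double quotes
   */
  _smart_split: function(str) {
    var entries = [];
    var pos = 0;
    while (pos < str.length) {
      if (str.charAt(pos) === '"') {
        var word = '';
        pos += 1;
        while (pos < str.length && str.charAt(pos) !== '"') {
          if (str.charAt(pos) === '\\') {
            // keep the backslash and take the next character unconditionally,
            // so an escaped quote does not end the entry
            word += '\\';
            pos++;
          }
          word += str.charAt(pos);
          pos++;
        }
        entries.push('"' + word + '"');
      }
      pos += 1;
    }
    return entries;
  },

  /**
   * Decodes `\xNN` escapes for tab and for the codes 0x20..0x7f; every other
   * escape sequence is left as written.
   *
   * @param {string} str - literal text containing escapes
   * @returns {string} the text with the printable escapes decoded
   */
  _unescape: function(str) {
    // Single pass over escape pairs: `\\x41` (an escaped backslash followed by
    // plain text) is skipped as a unit, and decoded output is not rescanned.
    return str.replace(/\\(?:x([0-9a-fA-F]{2})|[\s\S])/g, function(token, hex) {
      if (hex === undefined) {
        return token;
      }
      var code = parseInt(hex, 16);
      if (code === 0x09) {
        return '\t';
      }
      if (code === 0x5c) {
        // A bare backslash would escape whatever follows it in the rebuilt
        // literal (possibly the closing quote), so keep it escaped.
        return '\\\\';
      }
      if (code >= 32 && code < 128) {
        return String.fromCharCode(code);
      }
      return token;
    });
  },

  /**
   * Runs the built-in checks against a SanityTest-style harness.
   *
   * @param {Object} [sanity_test] - harness to use; a new SanityTest is
   *   created when omitted
   * @returns {Object} the harness, holding the results
   */
  run_tests: function(sanity_test) {
    var t = sanity_test || new SanityTest();

    t.test_function(JavascriptObfuscator._smart_split, "JavascriptObfuscator._smart_split");
    t.expect('', []);
    t.expect('"a", "b"', ['"a"', '"b"']);
    t.expect('"aaa","bbbb"', ['"aaa"', '"bbbb"']);
    t.expect('"a", "b\\\""', ['"a"', '"b\\\""']);

    t.test_function(JavascriptObfuscator._unescape, 'JavascriptObfuscator._unescape');
    t.expect('\\x40', '@');
    t.expect('\\x10', '\\x10');
    t.expect('\\x1', '\\x1');
    t.expect("\\x61\\x62\\x22\\x63\\x64", 'ab"cd');
    t.expect('\\x5c', '\\\\');

    t.test_function(JavascriptObfuscator._fix_quotes, 'JavascriptObfuscator._fix_quotes');
    t.expect('"it\'s"', "'it\\'s'");
    t.expect('"a\\\'b"', "'a\\'b'");

    t.test_function(JavascriptObfuscator.detect, 'JavascriptObfuscator.detect');
    t.expect('', false);
    t.expect('abcd', false);
    t.expect('var _0xaaaa', false);
    t.expect('var _0xaaaa = ["a", "b"]', true);
    t.expect('var _0xaaaa=["a", "b"]', true);
    t.expect('var _0x1234=["a","b"]', true);

    t.test_function(JavascriptObfuscator.unpack, 'JavascriptObfuscator.unpack');
    t.expect('var _0xa1b2=["\\x24"];f(_0xa1b2[0]);', "f('$');");

    return t;
  }
};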