Geekly Articles each Day
📜 ⬆️ ⬇️

Decrypt Javascript on the example of file hosting mediafire.com

Nowadays, javascript encryption on sites is gaining popularity with the help of nested eval commands. I recently encountered this encryption on mediafire.com file hosting. Encryption was unusual, I was interested and I decided to understand how well this method works.

The site mediafire.com allows you to download files without captcha and at the same time, recently, it has become quite successful in defending against all kinds of automatic robots. It does this using the built-in javascript code generator. Moreover, the code is created new each time, which makes it difficult to emulate automatic means.

In this article, I will discuss how it is very easy to bypass such protection without deep analysis of the encrypted code and create an automatic script to download files from mediafire.com.

First, let me show you how the code looks like:
Copy Source | Copy HTML var h5u= '' ; var ybb=unescape( 'rev%24l%7Djg9%23%23%3Frev%24swhsp4l9qjawgeta%2C%23%213Bl%213F%216%3Da4c0%2A%2A6%213Bl%<<< >>>Z%3D--%3Fareh%2Cl%7Djg-%3F' ); for (i=0;i<1324;i++)h5u=h5u+(String.fromCharCode(ybb.charCodeAt(i)^4)); eval(h5u);
  1. Copy Source | Copy HTML var h5u= '' ; var ybb=unescape( 'rev%24l%7Djg9%23%23%3Frev%24swhsp4l9qjawgeta%2C%23%213Bl%213F%216%3Da4c0%2A%2A6%213Bl%<<< >>>Z%3D--%3Fareh%2Cl%7Djg-%3F' ); for (i=0;i<1324;i++)h5u=h5u+(String.fromCharCode(ybb.charCodeAt(i)^4)); eval(h5u);
  2. Copy Source | Copy HTML var h5u= '' ; var ybb=unescape( 'rev%24l%7Djg9%23%23%3Frev%24swhsp4l9qjawgeta%2C%23%213Bl%213F%216%3Da4c0%2A%2A6%213Bl%<<< >>>Z%3D--%3Fareh%2Cl%7Djg-%3F' ); for (i=0;i<1324;i++)h5u=h5u+(String.fromCharCode(ybb.charCodeAt(i)^4)); eval(h5u);
  3. Copy Source | Copy HTML var h5u= '' ; var ybb=unescape( 'rev%24l%7Djg9%23%23%3Frev%24swhsp4l9qjawgeta%2C%23%213Bl%213F%216%3Da4c0%2A%2A6%213Bl%<<< >>>Z%3D--%3Fareh%2Cl%7Djg-%3F' ); for (i=0;i<1324;i++)h5u=h5u+(String.fromCharCode(ybb.charCodeAt(i)^4)); eval(h5u);
  4. Copy Source | Copy HTML var h5u= '' ; var ybb=unescape( 'rev%24l%7Djg9%23%23%3Frev%24swhsp4l9qjawgeta%2C%23%213Bl%213F%216%3Da4c0%2A%2A6%213Bl%<<< >>>Z%3D--%3Fareh%2Cl%7Djg-%3F' ); for (i=0;i<1324;i++)h5u=h5u+(String.fromCharCode(ybb.charCodeAt(i)^4)); eval(h5u);

As you can see from the example, the code is encrypted. Also, with each access to the page, the code changes: the encryption codes (XOR) change, the eval nesting changes, the names of variables and functions change.
')
The code calls one of the N functions (generated in html), which in turn turns on one of the N blocks on the screen (also generated in html) and displays it on the screen. Then, an additional script (also encrypted) is loaded, which writes the links to the pseudo-correct path to the file download to all blocks and writes the correct path to only one of these blocks.

So, we need to solve the problem of automatically downloading files from such
system.

Draw up a plan of action.

1. Download the main page, decrypt and determine which of the N functions is called and which of the N blocks it includes (find out the key)
2. Download the file with links by key, decrypt and determine which of the N links is real (determine by key)
3. Download file

Honestly, I dismissed the idea of ​​parsing the code and the encryption method right away, since the code is constantly changing, there is no sense in it. Therefore, I offer you a different way, namely the emulation of some functions of the browser.

We will solve this problem with the attraction of improvised means: spidermonkey .

Install spidermonkey on the system (in my FreeBSD example):

cd /usr/ports/lang/spidermonkey
make install clean

The biggest problem I encountered is that it is not known in advance where exactly the executable code will save the links and what function it will call. In order not to parse the code itself, I created some similarity to the getElementById () function, the function is used to load values ​​into a specific HTML element. I did it like this:
Copy Source | Copy HTML
  1. var element = new Object ();
  2. element.innerHTML = "" ;
  3. var parent = new Object ();
  4. parent.document = new Object ();
  5. parent.document.getElementById = function theGetElementByID ( x ) {
  6. print ( "HTML:" + element.innerHTML );
  7. print ( "\ n" );
  8. print ( "ELEMENT:" + x + ":" );
  9. return element;
  10. };
  12. // INSERT CODE HERE
  14. print ( "HTML:" + element.innerHTML );

The code itself, unchanged, is inserted inside this wrapper and executed. If the code calls the getElementById () function, my code will display everything that is saved in innerHTML.

Thus, without changing the code, it becomes possible to determine what and where the script is stored.

And in conclusion, I suggest that you familiarize yourself with the working example of downloading files from mediafire.com:
Copy Source | Copy HTML
  1. / * <br/> * Copyright (C) AIG <br/> * aignospam at gmail.com * * modification , </ i * * met: < br /> * 1. You must have your copyright code . <br/> * 2. Redistributions in binary form should be noted . <br/> * <br/> THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS `` AS IS '' AND <br/> * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE <br/> * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE <br/> * ARE DISCLAIMED. FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL <br /> * DAMAGES (INCLUDING, BUT NOT LIMITED, PROCUREMENT OF SUBSTITUTE GOODS <br/> * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE ) ARISING IN ANY WAY <br/> * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF <br/> * SUCH DAMAGE. <br/> * /
  3. function jsDecode ( $ code )
  4. {
  5. $ fh = fopen ( './code.js' , 'w' );
  6. fwrite ( $ fh , 'var element = new Object (); element.innerHTML = "";' );
  7. fwrite ( $ fh , 'var parent = new Object (); parent.document = new Object ();' );
  8. fwrite ( $ fh , 'parent.document.getElementById = function theGetElementByID (x) {print ("HTML:" + element.innerHTML); print ("\ n"); print ("ELEMENT:" + x + ":" ); return element;}; ' );
  9. fwrite ( $ fh , $ code );
  10. fwrite ( $ fh , 'print ("HTML:" + element.innerHTML);' );
  11. fclose ( $ fh );
  12. return `js ./code.js 2 > & 1`;
  13. }
  15. function downloadMediafire ( $ url )
  16. {
  17. $ cookie_file = './cookie.mediafire.txt' ;
  18. @unlink ( $ cookie_file );
  20. $ user_agent = "Mozilla / 4.0 (compatible; MSIE 5.01; Windows NT 5.0)" ;
  22. $ ch = curl_init ( $ url );
  23. curl_setopt ( $ ch , CURLOPT_RETURNTRANSFER, 1 );
  24. curl_setopt ( $ ch , CURLOPT_USERAGENT, $ user_agent );
  25. curl_setopt ( $ ch , CURLOPT_FOLLOWLOCATION, 1 );
  26. curl_setopt ( $ ch , CURLOPT_COOKIEJAR, $ cookie_file );
  27. curl_setopt ( $ ch , CURLOPT_COOKIEFILE, $ cookie_file );
  28. $ result_parent = curl_exec ( $ ch );
  30. $ referer = $ url ;
  32. // search all functions
  33. if (! preg_match_all ( "/ function \ s + ([a-z0-9] +) \ (qk \, pk \, r \) /" , $ result_parent , $ match_function_names )) {
  34. print "unable to find generated functions \ n" ;
  35. print $ result_parent ;
  36. return false ;
  37. }
  39. $ code_header = '' ;
  40. foreach ( $ match_function_names [ 1 ] as $ function_name ) {
  41. $ code_header . = 'function' ;
  42. $ code_header . = $ function_name ;
  43. $ code_header . = '(qk, pk, r)' ;
  44. $ code_header . = '{print ("KEY:" + qk + ":" + pk + ":" + r + ":" + "' . $ function_name . '" + ":");};' ;
  45. }
  47. if (! preg_match ( '/Eo\(\\;;(.*?eval.*?)if/' , $ result_parent , $ match_code )) {
  48. print "unable to find key code \ n" ;
  49. print $ result_parent ;
  50. return false ;
  51. }
  53. // decode eval functions ...
  54. $ code = jsDecode ( $ code_header . $ match_code [ 1 ]);
  56. if (! preg_match ( '/KEY:(.*?):(.*?):(.*?):(.*?):/' , $ code , $ match_key )) {
  57. print $ code ;
  58. return false ;
  59. }
  61. $ qk = $ match_key [ 1 ];
  62. $ pk = $ match_key [ 2 ];
  63. $ r = $ match_key [ 3 ];
  65. $ valid_function_name = $ match_key [ 4 ];
  67. // search for visible element ...
  68. if (! preg_match ( '/ function' . $ valid_function_name . '\ (. *? document.getElementById \ (\' (. {32}) \ '\) /' , $ result_parent , $ match_id )) {
  69. print $ result_parent ;
  70. return false ;
  71. }
  73. $ element_id = $ match_id [ 1 ];
  75. $ url = 'http://www.mediafire.com/dynamic/download.php?qk=' . $ qk . '& pk =' . $ pk . '& r =' . $ r ;
  77. print "URL = $ url \ n" ;
  79. curl_setopt ( $ ch , CURLOPT_URL, $ url );
  80. curl_setopt ( $ ch , CURLOPT_REFERER, $ referer );
  81. $ result_fetch = curl_exec ( $ ch );
  82. curl_close ( $ ch );
  84. if (! preg_match ( '/(var\s+et\s*=\s*15.*?)function/' , $ result_fetch , $ match_header )) {
  85. print "unable to find link header \ n" ;
  86. print $ result_fetch ;
  87. return false ;
  88. }
  90. $ code_header = $ match_header [ 1 ];
  92. if (! preg_match ( '/case\s+15: ( ..??)break;/' , $ result_fetch , $ match_code )) {
  93. print "unable to find link code \ n" ;
  94. print $ result_fetch ;
  95. return false ;
  96. }
  98. // decode eval functions ...
  99. $ code = jsDecode ( $ code_header . $ match_code [ 1 ]);
  101. if (! preg_match ( '/' . $ element_id . '. *? href = "http: \ / \ / ([^"] +) "/' , $ code , $ match_url )) {
  102. print "unable to find element url \ n" ;
  103. print $ code ;
  104. return false ;
  105. }
  107. $ file_url = $ match_url [ 1 ];
  109. print "URL = $ file_url \ n" ;
  111. $ file = basename ( $ file_url );
  112. $ url = "http: // $ file_url" ;
  114. if (file_exists ( $ file )) {
  115. return true ;
  116. }
  118. $ fp = fopen ( $ file , 'w' );
  120. $ ch = curl_init ( $ url );
  121. curl_setopt ( $ ch , CURLOPT_RETURNTRANSFER, 1 );
  122. curl_setopt ( $ ch , CURLOPT_USERAGENT, $ user_agent );
  123. curl_setopt ( $ ch , CURLOPT_FOLLOWLOCATION, 1 );
  124. curl_setopt ( $ ch , CURLOPT_COOKIEJAR, $ cookie_file );
  125. curl_setopt ( $ ch , CURLOPT_COOKIEFILE, $ cookie_file );
  126. curl_setopt ( $ ch , CURLOPT_REFERER, $ referer );
  127. curl_setopt ( $ ch , CURLOPT_FILE, $ fp );
  128. $ result = curl_exec ( $ ch );
  129. $ info = curl_getinfo ( $ ch );
  130. curl_close ( $ ch );
  132. fclose ( $ fp );
  134. if ( $ info [ 'http_code' ]! = 200 ) {
  135. print_r ( $ info );
  136. return false ;
  137. }
  139. return true ;
  140. }

Source: https://habr.com/ru/post/87705/

More articles:


All Articles