Thread: js encryptor
nop_90

fixed bug found by perks
also needs genshi template lib
(very easily could be modified to not use http://genshi.edgewall.org/)


[tt]
#encode_js.py
from genshi.template import TextTemplate
import random

# clear payload: the JS you supply, wrapped in a script tag
js_payload_tmpl = """
<script type="text/javascript">
%s
</script>
"""

# decoder stub; ${encoded_payload} and ${key} are filled in by genshi
js_decoder_tmpl = TextTemplate(
"""
var file="${encoded_payload}";
var a = new Array();
for (var i = 0; i<file.length/2; i++){
    var chr=file.substring(i*2,i*2+2);
    a.push(String.fromCharCode( parseInt("0x"+chr) ^ ${key} ));
    }
document.write(a.join(""));
""")

def read_all(filename) :
    f=open(filename,"r")
    c = f.read()
    f.close()
    return c

def encode_txt(txt,key):
    # each char is XORed with key and written as 2 hex digits
    enc_array = []
    for ch in txt :
        enc_array.append("%02X" % (ord(ch) ^ key))
    return "".join(enc_array)

def encode(js_file):
    clear_payload = js_payload_tmpl % (js_file)
    enc_key = random.randint(1,0xFF)   # random key, 1..255
    encoded_payload = encode_txt(clear_payload,enc_key)
    stream = js_decoder_tmpl.generate(encoded_payload = encoded_payload,key = enc_key)
    return stream.render("text")
[/tt]

also note in both JS and in python how i used .join() to join the string arrays together.
with large string arrays this gives a very large performance increase.

used like
[tt]
encode("some js to encode")
[/tt]
what comes out of encode is stuck between script tags.

this type of encoder has the advantage that it does not use eval/escape/unescape.
also for each char in the js to encode it uses 2 bytes instead of 3 like most others.

as with all encryptors the weakness is the decoder; it could be made polymorphic.
also String.fromCharCode( parseInt("0x"+chr) could be replaced with a lookup.

scary part is G seems to be executing the encryptor and following a JS redirect off 2 servers.
i am almost under the impression they have like a virtual browser, like the ones used to create preview shots of webpages

perkiset

Nop is that all straight JS? I don't recognize the def syntax, nor import random... perhaps I'm just being dumb here... but looks like I'd really like to understand that...

nop_90

woops sorry
also good thing u ask me to explain, i found a minor bug, thanx
bug was key was always 99, i thought it was random
(i had it hardcoded for testing purposes, and forgot to change for production)
purpose of key is to make it so u have no footprint
i forget to tell people minor details, it is python code that encrypts JS code.

basically it takes your JS code which u supply and sticks it between a
[tt]
CLEARCODE = <script>CLEAR JS CODE</script>
[/tt]
tag

then CLEARCODE is xor encrypted with a random int between 1,255

[tt]
js_decoder_tmpl = TextTemplate(
"""
var file="${encoded_payload}";
var a = new Array();
for (var i = 0; i<file.length/2; i++){
    var chr=file.substring(i*2,i*2+2);
    a.push(String.fromCharCode( parseInt("0x"+chr) ^ ${key} ));
    }
document.write(a.join(""));
""")
[/tt]

that part is the actual decoder; ${encoded_payload} and ${key} are substituted with ur actual encoded payload and the key to decode.

thedarkness

Nop, can you post a before and after example of the javascript? I think it would help people to see what's going on.

Cheers,
td

nop_90

you have file
my_js.js
it contains

[tt]
function tricky_redirect() {
    document.location = "aaaaaaaaaaaa";
}
tricky_redirect();
[/tt]

you use my python code like this

[tt]
print('<script type="text/javascript"> ' + encode(read_all("my_js.js")) + ' </script>')
[/tt]


it will output
[tt]
<script type="text/javascript">
var file="BF89C6D6C7DCC5C195C1CCC5D08897C1D0CDC19ADFD4C3D4C6D6C7DCC5C1978BBFD3C0DBD6C1DCDADB95C1C7DCD6DECCEAC7D0D1DCC7D0D6C19D9C95CEBF95959595D1DAD6C0D8D0DBC19BD9DAD6D4C1DCDADB95889597D4D4D4D4D4D4D4D4D4D4D4D4978EBFC8BFC1C7DCD6DECCEAC7D0D1DCC7D0D6C19D9C8EBFBF899AC6D6C7DCC5C18BBF";
var a = new Array();
for (var i = 0; i<file.length/2; i++){
    var chr=file.substring(i*2,i*2+2);
    a.push(String.fromCharCode( parseInt("0x"+chr) ^ 181 ));
    }
document.write(a.join(""));

</script>
[/tt]
181 in the above case is the decode key
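An added example (not nop_90's code, and genshi-free): a stand-alone Python 3 re-implementation of the same single-byte-XOR/hex transform and decoder stub, plus the analyst's side of it. Since the key space is only 1..255 and the encoder always wraps the payload in a script tag, the clear JS can be recovered from the stub directly, or by brute force without even reading the key out of it. The sample JS, the regexes and all function names are constructed for this example.

```python
"""Added example: re-implementation of the thread's XOR/hex JS encoder and a
deobfuscator for its output. Python 3, no genshi. Sample input is constructed."""
import re
import string

# Bytes a clear JS/HTML payload is expected to consist of (printable ASCII + whitespace).
PRINTABLE = set(bytes(string.printable, "ascii"))

# Constructed sample, matching the my_js.js from the thread.
SAMPLE_JS = (
    'function tricky_redirect() {\n'
    '    document.location = "aaaaaaaaaaaa";\n'
    '}\n'
    'tricky_redirect();\n'
)


def xor_hex_encode(text: str, key: int) -> str:
    """Same transform as encode_txt() in the thread: each byte XORed with key, written as 2 hex digits."""
    if not 1 <= key <= 0xFF:
        raise ValueError("key must be 1..255, as in the thread")
    return "".join("%02X" % (b ^ key) for b in text.encode("latin-1"))


def xor_hex_decode(hexblob: str, key: int) -> str:
    """Mirror of the JS decoder loop: hex digit pairs, XOR with key, back to characters."""
    return bytes(b ^ key for b in bytes.fromhex(hexblob)).decode("latin-1")


def build_decoder(hexblob: str, key: int) -> str:
    """The decoder stub the thread's template produces (plain %-formatting here instead of genshi)."""
    return (
        'var file="%s";\n'
        "var a = new Array();\n"
        "for (var i = 0; i<file.length/2; i++){\n"
        "    var chr=file.substring(i*2,i*2+2);\n"
        '    a.push(String.fromCharCode( parseInt("0x"+chr) ^ %d ));\n'
        "    }\n"
        'document.write(a.join(""));\n'
    ) % (hexblob, key)


def encode_js(js_source: str, key: int) -> str:
    """Full pipeline from the thread: wrap in <script>, XOR/hex it, emit the decoder with blob and key."""
    clear_payload = '<script type="text/javascript">\n%s\n</script>\n' % js_source
    return build_decoder(xor_hex_encode(clear_payload, key), key)


# --- analyst side ---------------------------------------------------------------
BLOB_RE = re.compile(r'var\s+file\s*=\s*"([0-9A-Fa-f]+)"')
KEY_RE = re.compile(r'parseInt\("0x"\s*\+\s*\w+\)\s*\^\s*(\d+)')


def extract_blob_and_key(decoder_js: str):
    """Pull (hexblob, key) out of a decoder stub of the shape above; None if it does not match."""
    m_blob = BLOB_RE.search(decoder_js)
    m_key = KEY_RE.search(decoder_js)
    if not (m_blob and m_key):
        return None
    return m_blob.group(1), int(m_key.group(1))


def recover_keys(hexblob: str, marker: str = "<script") -> list:
    """Brute-force all 255 keys without trusting the stub: keep keys whose output is entirely
    printable and contains the marker the thread's encoder always wraps the payload in."""
    hits = []
    for key in range(1, 256):
        out = bytes(b ^ key for b in bytes.fromhex(hexblob))
        if all(b in PRINTABLE for b in out) and marker.encode() in out:
            hits.append(key)
    return hits


def deobfuscate(decoder_js: str) -> str:
    """Given the decoder stub, return the clear payload its document.write() would emit."""
    found = extract_blob_and_key(decoder_js)
    if found is None:
        raise ValueError("input is not the thread's decoder shape")
    hexblob, key = found
    return xor_hex_decode(hexblob, key)


if __name__ == "__main__":
    stub = encode_js(SAMPLE_JS, 181)        # 181 is the key shown in the thread's output
    print(stub)
    print(deobfuscate(stub))
    print(recover_keys(extract_blob_and_key(stub)[0]))
```

recover_keys() is the point for anyone looking at this from the other side: the "no footprint" property only holds against a string match on the blob itself; one pass over 255 keys with a printable-text check returns the original script, which is why a crawler that executes JS, or a scanner that does this trivial brute force, is not slowed down by it.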

KaptainKrayola

that's pretty awesome - thanks nop

nutballs

i wonder if google can decode that. Lately it is seeming like they are running a virtual browser, so i would guess they can. but regardless, very cool for keeping out prying eyes of the "first level".

nop_90

dropping in from cybercafe
that is the scary part, they can.

that thread it talk about on sydk8 where G IP pinging all the time, they decoding that.
they still pinging.

nutballs

oh i didn't make the connection that that thread was related to this. It's not surprising. JasonD showed me last year that google was definitely parsing and following JS. the question was how much so. I guess that answers it, lol.

