The Cache: Technology Expert's Forum
 
Author Topic: js encryptor  (Read 3006 times)
nop_90
« on: June 14, 2007, 03:10:33 PM »

Fixed the bug found by perks.
Also needs the genshi template lib
(could very easily be modified not to use http://genshi.edgewall.org/)

Code:
#encode_js.py
from genshi.template import TextTemplate
import random

# the clear JS is wrapped in script tags before it is encoded
js_payload_tmpl = """
<script type="text/javascript">
%s
</script>
"""

# the decoder stub emitted with the page; ${encoded_payload} and ${key}
# are filled in by genshi when the template is rendered
js_decoder_tmpl = TextTemplate(
"""
var file="${encoded_payload}";
var a = new Array();
for (var i = 0; i<file.length/2; i++){
    var chr=file.substring(i*2,i*2+2);
    a.push(String.fromCharCode( parseInt("0x"+chr) ^ ${key} ));
    }
document.write(a.join(""));
""")

def read_all(filename) :
    # read the whole file and make sure it gets closed
    f = open(filename, "r")
    try:
        return f.read()
    finally:
        f.close()

def encode_txt(txt, key):
    # xor every char with key and write it out as 2 hex digits
    enc_array = []
    for ch in txt :
        enc_array.append("%02X" % (ord(ch) ^ key))
    return "".join(enc_array)

def encode(js_file):
    clear_payload = js_payload_tmpl % (js_file)
    # random key per run; never 0, which would leave the payload in clear
    enc_key = random.randint(1,0xFF)
    encoded_payload = encode_txt(clear_payload,enc_key)
    stream = js_decoder_tmpl.generate(encoded_payload = encoded_payload,key = enc_key)
    return stream.render("text")
Also note, in both the JS and the Python, how I used .join() to join the string arrays together.
With large string arrays this gives a very large performance increase.

Used like
encode("some js to encode")
What comes out of encode is stuck between script tags.

This type of encoder has the advantage that it does not use eval/escape/unescape.
Also, for each char in the JS to encode it uses 2 bytes instead of 3 like most others.

As with all encryptors the weakness is the decoder; it could be made polymorphic.
Also String.fromCharCode( parseInt("0x"+chr) could be replaced with a lookup.

The scary part is G seems to be executing the encryptor and following a JS redirect off to a server.
I am almost under the impression they have something like a virtual browser, like the ones used to create preview shots of webpages.
« Last Edit: June 14, 2007, 04:16:03 PM by nop_90 »
perkiset
« Reply #1 on: June 14, 2007, 03:47:33 PM »

Nop, is that all straight JS? I don't recognize the def syntax, nor import random... perhaps I'm just being dumb here... but it looks like I'd really like to understand that...
nop_90
« Reply #2 on: June 14, 2007, 04:12:33 PM »

Woops, sorry.
Also, good thing you asked me to explain; I found a minor bug. Thanks.
The bug was that the key was always 99; I thought it was random.
(I had it hardcoded for testing purposes, and forgot to change it for production.)
The purpose of the key is to make it so you have no footprint.
I forgot to tell people minor details: it is Python code that encrypts JS code.

Basically it takes your JS code, which you supply,
and sticks it between a
CLEARCODE = <script>CLEAR JS CODE</script>
tag.

Then CLEARCODE is XOR encrypted with a random int between 1 and 255.

Code:
js_decoder_tmpl = TextTemplate(
"""
var file="${encoded_payload}";
var a = new Array();
for (var i = 0; i<file.length/2; i++){
    var chr=file.substring(i*2,i*2+2);
    a.push(String.fromCharCode( parseInt("0x"+chr) ^ ${key} ));
    }
document.write(a.join(""));
""")
That part is the actual decoder; ${encoded_payload} and ${key} are substituted with your actual encoded payload and the key to decode it.
thedarkness
« Reply #3 on: June 15, 2007, 01:27:06 AM »

Nop, can you post a before and after example of the javascript? I think it would help people to see what's going on.

Cheers,
td
nop_90
« Reply #4 on: June 15, 2007, 02:45:45 AM »

You have a file, my_js.js, that contains:
Code:
function tricky_redirect() {
    document.location = "aaaaaaaaaaaa";
}
tricky_redirect();

You use my Python code like this:
Code:
print "<script type=\"text/javascript\">\n"+encode(read_all("my_js.js"))+"\n</script>"

It will output:

<script type="text/javascript">
var file="BF89C6D6C7DCC5C195C1CCC5D08897C1D0CDC19ADFD4C3D4C6D6C7DCC5C1978BBFD3C0DBD6C1DCDADB95C1C7DCD6DECCEAC7D0D1DCC7D0D6C19D9C95CEBF95959595D1DAD6C0D8D0DBC19BD9DAD6D4C1DCDADB95889597D4D4D4D4D4D4D4D4D4D4D4D4978EBFC8BFC1C7DCD6DECCEAC7D0D1DCC7D0D6C19D9C8EBFBF899AC6D6C7DCC5C18BBF";
var a = new Array();
for (var i = 0; i<file.length/2; i++){
    var chr=file.substring(i*2,i*2+2);
    a.push(String.fromCharCode( parseInt("0x"+chr) ^ 181 ));
    }
document.write(a.join(""));

</script>

181 in the above case is the decode key.
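The analyst-side counterpart to the encoder explained in Reply #2 and the output shown in Reply #4, as an added example that is not nop_90's code: a Python 3 script that recognises the decoder stub in a saved page, reverses the hex/XOR step, recovers the key by brute force when the stub has been altered or only the `file` blob survives, and lists any location assignments in the recovered script. The sample page is the stub from Reply #4 above (hex wrapped the way the forum displayed it); the function names, the stub regex and the printable-text scoring are my own choices.

```python
import re

# The decoder stub nop_90's encode() emitted for my_js.js in Reply #4 above, copied
# from the thread (the hex is wrapped across lines the way the forum displayed it).
SAMPLE_PAGE = '''<script type="text/javascript">
var file="BF89C6D6C7DCC5C195C1CCC5D08897C1D0CDC19ADFD4C3D4C6D6C7DCC5C1978
BBFD3C0DBD6C1DCDADB95C1C7DCD6DECCEAC7D0D1DCC7D0D6C19D9C95CEBF95
959595D1DAD6C0D8D0DBC19BD9DAD6D4C1DCDADB95889597D4D4D4D4D4D4D4D
4D4D4D4D4978EBFC8BFC1C7DCD6DECCEAC7D0D1DCC7D0D6C19D9C8EBFBF899A
C6D6C7DCC5C18BBF";
var a = new Array();
for (var i = 0; i<file.length/2; i++){
    var chr=file.substring(i*2,i*2+2);
    a.push(String.fromCharCode( parseInt("0x"+chr) ^ 181 ));
    }
document.write(a.join(""));
</script>'''

# Matches the stub's shape: the hex blob assigned to `file` (whitespace allowed, since
# saved pages often wrap it) and the integer XORed in after parseInt("0x"+...).
STUB_RE = re.compile(
    r'var\s+file\s*=\s*"([0-9A-Fa-f\s]+)"[\s\S]*?'
    r'parseInt\(\s*"0x"\s*\+\s*\w+\s*\)\s*\^\s*(\d+)')


def _clean_hex(hex_payload):
    """Drop any whitespace a wrapped display inserted into the hex string."""
    return re.sub(r"\s+", "", hex_payload)


def xor_hex_decode(hex_payload, key):
    """Undo encode_txt(): each char is two hex digits of (ord(ch) ^ key)."""
    return "".join(chr(b ^ key) for b in bytes.fromhex(_clean_hex(hex_payload)))


def xor_hex_encode(text, key):
    """The encoder step from Reply #2 in plain Python, for round-trip checks."""
    return "".join("%02X" % (ord(ch) ^ key) for ch in text)


def recover_key(hex_payload):
    """Try every key 1..255 when the stub is missing or altered. Prefer the key whose
    output contains the <script> wrapper encode() always adds, then the most printable."""
    data = bytes.fromhex(_clean_hex(hex_payload))

    def score(key):
        decoded = bytes(b ^ key for b in data)
        printable = sum(1 for b in decoded if 32 <= b < 127 or b in (9, 10, 13))
        return (b"<script" in decoded, printable)

    return max(range(1, 256), key=score)


def find_and_decode(html):
    """Return [(key, decoded_js), ...] for every stub found in a page."""
    return [(int(m.group(2)), xor_hex_decode(m.group(1), int(m.group(2))))
            for m in STUB_RE.finditer(html)]


def flag_redirects(js):
    """List the string literals assigned to a location property in recovered JS."""
    return re.findall(
        r'(?:document|window|top|self)\.location(?:\.href)?\s*=\s*["\']([^"\']*)["\']', js)


if __name__ == "__main__":
    for key, clear in find_and_decode(SAMPLE_PAGE):
        print("key %d, %d chars decoded" % (key, len(clear)))
        print(clear)
        print("redirect targets:", flag_redirects(clear))
```

Run as a script it recovers the original `<script>` block with `tricky_redirect()` from the Reply #4 page and reports `aaaaaaaaaaaa` as the redirect target. The scoring in `recover_key` leans on the fact that `encode()` always wraps the payload in a `<script type="text/javascript">` tag, so the wrapper doubles as a known-plaintext check on the single-byte key.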
KaptainKrayola
« Reply #5 on: June 15, 2007, 08:35:24 AM »

that's pretty awesome - thanks nop
nutballs
« Reply #6 on: June 18, 2007, 04:53:02 PM »

I wonder if Google can decode that. Lately it seems like they are running a virtual browser, so I would guess they can. But regardless, very cool for keeping out the prying eyes of the "first level".
nop_90
« Reply #7 on: June 18, 2007, 06:07:33 PM »

Dropping in from a cybercafe.
That is the scary part: they can.

That thread on sydk8 where it talks about G IPs pinging all the time: they were decoding that.
They are still pinging.
nutballs
« Reply #8 on: June 18, 2007, 06:13:46 PM »

Oh, I didn't make the connection that that thread was related to this. It's not surprising. JasonD showed me last year that Google was definitely parsing and following JS. The question was how much so. I guess that answers it, lol.