通过PHP进行JS解包-功能（p，a，c，k，e，r）

Question

I searched over the internet but found no solution so far.

I have to scrape the content of a page (that has a video stream) compressed with the Dean Edwards packer tool , in real time.

Therefore, I need to decode the compressed JS via PHP only. (The full scenario: curl the content of the page, find the JS content and decode it in real time so I can get the dynamic video stream).

So, is there any way to decode this compressed js example via PHP only?

An example of the compressed code:

eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('(0(){4 1="5 6 7 8";0 2(3){9(3)}2(1)})();',10,10,'function|b|something|a|var|some|sample|packed|code|alert'.split('|'),0,{}))

Thank you

Answer 1

First of all, you have to split the packed javascript into the relevant parts.

The first part from "eval" to "}('" is not relevant to you:

eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('

The second part is your minimized function (payload):

(0(){4 1="5 6 7 8";0 2(3){9(3)}2(1)})();

The third part is the radix, that you'll use as your base when you decode the payload:

10

The fourth part is the word count:

10

The fifth relevant part are your keywords (separated by |):

function|b|something|a|var|some|sample|packed|code|alert

The last part is also irrelevant:

'.split('|'),0,{})) 

So basically you now have all the parts you need for the decoding:

$payload = '(0(){4 1="5 6 7 8";0 2(3){9(3)}2(1)})()';
$radix = 10;
$wordCount = 10;
$words = array("function","b","something","a","var","some","sample","packed","code","alert);

Now you have to replace the all word characters within your payload with the corresponding word within your words array. It's easy in your example, because your source javascript just contains 10 words.

The first word charahter is 0, replace it with $words[0] = function

The second word character is 4, replace it with $words[4] = var

And so on...

When you're done your result should be:

(function(){var b="some sample packed code";function something(a){alert(a)}something(b)})();

Of course it's a little bit more complex, when it comes to words > 10.

But for that, you can check out my unpacker class PHP JavaScript unpacker .

Especially the Unbaser class within the source.

Answer 2

I think you have several things mixed up.

• You don't need to decode this, as it is not encoded. (well, it is, as it obviously has a character encoding, but lets not go there)
• It might be compressed, but that is not the issue here. Compressing does things for you like remove whitespace, make all variables very short, etc.
• The code seems to be obfuscated on purpose, to avoid this type of issue.

So your real question is probably: how can I on-obfuscate this.

What you see is an eval of something. That eval 'runs' the javascript code, so the first step is to find out what the actual javascript code inside the eval returns, as that is what your browser/javascript parser will be running. If you are lucky, this is the code you are looking for, but it might need some massaging.

So strip the eval , and then see what the function actually does when run in javascript . This means you should run it on your server with either a special serverside method, or you can hack something yourself.

Now you can see what you have left that wil be evalled. Maybe now you start all over again, but having a javascript parsing method, this should not be an issue.

Example would be (random google hit): http://j4p5.sourceforge.net/

The http://www.php.net/manual/en/book.v8js.php mentioned in the comments is probably a much better choice.

Answer 3

您可以使用JavaScriptUnpacker ，它是用PHP编写的