What is this bash snippet doing? PHP/perl equivalent?

Question

I'm trying to understand what this code snippet is doing. It's the bash syntax that I can't quite figure out.

# Static function
get_ofuscated_link() {
local VAR=$1
local I N C R

I=0
N=${#VAR}
while (( I < N )); do
    C=$((16#${VAR:$I:2} + 0x18))
    R="$R"$(printf \\$(($C/64*100+$C%64/8*10+$C%8)))
    (( I += 2 ))
done
echo "$R"
}

It is called by this command

JS_VAR=$(echo "$PAGE" |  parse 'function[[:space:]]*_' '"\([^"]\+\)";' 1) || return
FILE_URL=$(get_ofuscated_link "$JS_VAR" | parse_attr href) || return

Just wondering what the Colon's do within the C=$ line and what the R= line means.

Also does function[[:space:]]*_ have a specific meaning in bash or is that just a straight string it is looking through.

The source file comes from plowshare

Answer 1

In bash, you can select a substring of a parameter:

x=hello
y=${x:2:2}   # y = ll

the while loop is iterating over 2-digit chunks of VAR . Inside the arithmetic expansion construct $(( ... )) , "16#string" is the notation to treat string as a base-16 number.

The R line performs some arithmetic on C and appends the result to the previous value of R .

Answer 2

The colons are part of the ${parameter:offset:length} notation, bash's version of a substring function. ${VAR:$I:2} would translate into perl as substr($VAR, $I, 2) . The whole C= assignment is equivalent to

$C = hex(substr($VAR, $I, 2) + 0x18);

So $VAR is a string of hex digits, and the loop takes them two at a time, adds the magic number 0x18, and stores that into $C.

The R= line is simple enough. First of all, its top-level structure is:

R="$R"stuff

which simply appends some stuff to the string $R . Now let's look at the stuff. Its core is:

$(($C/64*100+$C%64/8*10+$C%8)))

which would be exactly the same in perl, without the $((...)) around it. The dollar-sign-double-parentheses is the shell's "arithmetic expansion" operator. If you study the formula you'll see that it converts $C to a three-digit octal number (the digits are $C/64 , $C%64/8 , and $C%8 ) and then converts that to a decimal number with the same three digits. So this is just a weird way of taking the number in $C and printing it as octal.

Now that we have that worked out, the stuff being appended to $R is:

$(printf \\000)

where the octal digits replace the 000. This is equivalent to perl's chr(oct("000")) .

So $R is being built as a string with one character for each pair of hex digits in the input $VAR , which represents a string of character codes which are obfuscated by having 0x18 subtracted from them, and this function adds the 0x18 back on.

The [[:space:]] operator is part of a regular expression. It's a POSIX equivalent to perl's \\s operator that matches various kinds of whitespace. We'd have to see your parse command or function to know for sure, but it looks like the regular expression has something to do with finding function definitions in a javascript source file.

Answer 3

It is converting the URL into an obfuscated notation, as its name suggests (though there's a typo in the name, further obfuscating everything).

for (i = 0; i < length(url); i += 2)
{
     c = hex value of two characters of URL + 0x18
     r += character c interpreted as octal
}

So, given 1234 , the output is *L . The * comes from 0x12 + 0x18 = 0x2A = 42 ₁₀ = 052 = ' * '. The 'L' comes from 0x34 + 0x18 = 0x4C = 76 ₁₀ = 0114 = ' L '.