3

I searched over the internet but found no solution so far.

I have to scrape the content of a page (that has a video stream) compressed with the Dean Edwards packer tool, in real time.

Therefore, I need to decode the compressed JS via PHP only. (The full scenario: curl the content of the page, find the JS content and decode it in real time so I can get the dynamic video stream).

So, is there any way to decode this compressed js example via PHP only?

An example of the compressed code:

eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('(0(){4 1="5 6 7 8";0 2(3){9(3)}2(1)})();',10,10,'function|b|something|a|var|some|sample|packed|code|alert'.split('|'),0,{}))

Thank you

Improve this question
3
  • Perhaps the V8js extension is what you need? Also Can I execute JS files via PHP. Commented Apr 10, 2014 at 8:08
  • dont think so. it is a Chrome: "V8 is Google's open source JavaScript engine. V8 is written in C++ and is used in Google Chrome, the open source browser from Google." Commented Apr 10, 2014 at 8:11
  • 1
    Yes? It's the javascript engine that Chrome and Safari uses? So what? You still need to parse javascript. Use it with this and you should be good to go. Commented Apr 10, 2014 at 8:14

3 Answers 3

Reset to default
6

First of all, you have to split the packed javascript into the relevant parts.

The first part from "eval" to "}('" is not relevant to you:

eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('

The second part is your minimized function (payload):

(0(){4 1="5 6 7 8";0 2(3){9(3)}2(1)})();

The third part is the radix, that you'll use as your base when you decode the payload:

10

The fourth part is the word count:

10

The fifth relevant part are your keywords (separated by |): 

function|b|something|a|var|some|sample|packed|code|alert

The last part is also irrelevant:

'.split('|'),0,{}))

So basically you now have all the parts you need for the decoding:

$payload = '(0(){4 1="5 6 7 8";0 2(3){9(3)}2(1)})()';
$radix = 10;
$wordCount = 10;
$words = array("function","b","something","a","var","some","sample","packed","code","alert);

Now you have to replace the all word characters within your payload with the corresponding word within your words array. It's easy in your example, because your source javascript just contains 10 words.

The first word charahter is 0, replace it with $words[0] = function

The second word character is 4, replace it with $words[4] = var

And so on...

When you're done your result should be:

(function(){var b="some sample packed code";function something(a){alert(a)}something(b)})();

Of course it's a little bit more complex, when it comes to words > 10.

But for that, you can check out my unpacker class PHP JavaScript unpacker.

Especially the Unbaser class within the source.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I'm using this script but i have error, you help to fix it? github.com/rkaradas/php-javascript-unpacker/issues/1
Just fixed the issue ;)
0

I think you have several things mixed up.

  • You don't need to decode this, as it is not encoded. (well, it is, as it obviously has a character encoding, but lets not go there)
  • It might be compressed, but that is not the issue here. Compressing does things for you like remove whitespace, make all variables very short, etc.
  • The code seems to be obfuscated on purpose, to avoid this type of issue.

So your real question is probably: how can I on-obfuscate this.

What you see is an eval of something. That eval 'runs' the javascript code, so the first step is to find out what the actual javascript code inside the eval returns, as that is what your browser/javascript parser will be running. If you are lucky, this is the code you are looking for, but it might need some massaging.

So strip the eval, and then see what the function actually does when run in javascript. This means you should run it on your server with either a special serverside method, or you can hack something yourself.

Now you can see what you have left that wil be evalled. Maybe now you start all over again, but having a javascript parsing method, this should not be an issue.

Example would be (random google hit): http://j4p5.sourceforge.net/

The http://www.php.net/manual/en/book.v8js.php mentioned in the comments is probably a much better choice.

Improve this answer

2 Comments

Thank you for your comment. Yes, indeed. if I run in the browser as javascript the code and replace eval with document.write everything is decoded. I have to find out a way to get it via CURL (eventually do an echo of the javacript as document.write and thus decoded and do a curl to that page. Thank you
a better option would be to use one of the parsers mentioned. CURL will not work, it will return the javascriptcode: if you look it up in your browser then you get the code which is parsed by that browser. So you still need a parser. That is your browser in this case, but that is cumbersome for coding. So check out the links above. If you consider this answer (not a comment ;) ) helpfull, you can mark it as a solution by the way
0

You can use JavaScriptUnpacker, it's written on PHP

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.