Python: decryption function for js code encrypted in packer mode, pythonpacker
Origin:
When parsing a website, the video information is dynamically generated for a piece of js code, which is encrypted by packer.
The encrypted code segment is as follows:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('G D="";G F=[y,8,r,z,l,9,4,j,8,l,9,m,6,t,o,o,c,8,x,5,5,8,0,1,i,q,u,8,t,k,l,4,q,w,r,5,8,p,0,0,1,d,0,1,1,1,d,h,d,1,d,h,2,f,0,f,e,5,0,2,b,h,2,f,5,0,2,b,1,b,3,5,0,2,7,2,i,e,5,a,a,d,3,4,a,3,e,h,2,f,9,k,2,a,7,7,3,g,a,i,3,0,3,0,g,0,3,e,1,1,4,g,n,k,p,b,3,4,0,b,3,2,b,p,a,9,9,n,g,9,7,C,7,2,1,q,v,c,7,6,j,o,A,c,4,m,6,u,w,n,4,r,5,v,c,7,6,j,s,k,g,4,s,m,6,7,2,1,c,6,j,l,4,8,m,6,7,2,1,6,B,y,8,r,z,l,9,4,j,8,l,9,m,6,t,o,o,c,8,x,5,5,8,0,1,i,q,u,8,t,k,l,4,q,w,r,5,8,p,0,0,1,d,0,1,1,1,d,h,d,1,d,h,2,f,0,f,e,5,0,2,b,h,2,f,5,0,2,b,1,b,3,5,0,2,7,2,i,e,5,a,a,d,3,4,a,3,e,h,2,f,9,k,2,a,7,7,3,g,a,i,3,0,3,0,g,0,3,e,1,1,4,g,n,k,p,b,3,4,0,b,3,2,b,p,a,9,9,n,g,9,7,C,f,i,1,q,v,c,7,6,j,o,A,c,4,m,6,u,w,n,4,r,5,v,c,7,6,j,s,k,g,4,s,m,6,f,i,1,c,6,j,l,4,8,m,6,f,i,1,6,B,y,8,r,z,l,9,4,j,8,l,9,m,6,t,o,o,c,8,x,5,5,8,0,1,i,q,u,8,t,k,l,4,q,w,r,5,8,p,0,0,1,d,0,1,1,1,d,h,d,1,d,h,2,f,0,f,e,5,0,2,b,h,2,f,5,0,2,b,1,b,3,5,0,2,7,2,i,e,5,a,a,d,3,4,a,3,e,h,2,f,9,k,2,a,7,7,3,g,a,i,3,0,3,0,g,0,3,e,1,1,4,g,n,k,p,b,3,4,0,b,3,2,b,p,a,9,9,n,g,9,7,C,e,7,1,q,v,c,7,6,j,o,A,c,4,m,6,u,w,n,4,r,5,v,c,7,6,j,s,k,g,4,s,m,6,e,7,1,c,6,j,l,4,8,m,6,e,7,1,6,B];F.J(L K(E){D+=M.N(O(E)-P)});$("#I").H(D);',52,52,'82695481|82695480|82695488|82695489|82695533|82695479|82695466|82695484|82695547|82695531|82695534|82695485|82695544|82695477|82695482|82695483|82695530|82695487|82695486|82695464|82695529|82695546|82695493|82695532|82695548|82695476|82695478|82695543|82695540|82695536|82695550|82695541|82695537|82695490|82695492|82695549|82695553|82695494|82695527|OzPwOHpTT|value|kdhtqgiya|var|append|videojs|forEach|ROrJdyTuoo|function|String|fromCharCode|parseInt|82695432'.split('|'),0,{}))
Therefore, the Websearch method is used for decryption, and PyExecjs is finally used for decryption. It is posted to the youtube-dl forum on github for guidance. In the youtube_dl framework, there are already decryption functions. Therefore, the record is as follows, for memo.
1. decryption functions
def decode_packed_codes(code): def encode_base_n(num, n, table=None): FULL_TABLE = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' if not table: table = FULL_TABLE[:n] if n > len(table): raise ValueError('base %d exceeds table length %d' % (n, len(table))) if num == 0: return table[0] ret = '' while num: ret = table[num % n] + ret num = num // n return ret pattern = r"}\('(.+)',(\d+),(\d+),'([^']+)'\.split\('\|'\)" mobj = re.search(pattern, code) obfucasted_code, base, count, symbols = mobj.groups() base = int(base) count = int(count) symbols = symbols.split('|') symbol_table = {} while count: count -= 1 base_n_count = encode_base_n(count, base) symbol_table[base_n_count] = symbols[count] or base_n_count return re.sub( r'\b(\w+)\b', lambda mobj: symbol_table[mobj.group(0)], obfucasted_code)
2. Routine Verification
s = ''' eval(...'''js = decode_packed_codes(s)print js
In fact, this function can match the eval code segment from the code of the entire page. Therefore, pass the obtained page source code as a parameter.
The decrypted js Code segment is:
var OzPwOHpTT="";var kdhtqgiya=[82695492,82695547,82695543,82695549,82695546,82695531,82695533,82695464,82695547,82695546,82695531,82695493,82695466,82695536,82695548,82695548,82695544,82695547,82695490,82695479,82695479,82695547,82695481,82695480,82695486,82695478,82695550,82695547,82695536,82695529,82695546,82695533,82695478,82695537,82695543,82695479,82695547,82695476,82695481,82695481,82695480,82695477,82695481,82695480,82695480,82695480,82695477,82695487,82695477,82695480,82695477,82695487,82695488,82695483,82695481,82695483,82695482,82695479,82695481,82695488,82695485,82695487,82695488,82695483,82695479,82695481,82695488,82695485,82695480,82695485,82695489,82695479,82695481,82695488,82695484,82695488,82695486,82695482,82695479,82695534,82695534,82695477,82695489,82695533,82695534,82695489,82695482,82695487,82695488,82695483,82695531,82695529,82695488,82695534,82695484,82695484,82695489,82695530,82695534,82695486,82695489,82695481,82695489,82695481,82695530,82695481,82695489,82695482,82695480,82695480,82695533,82695530,82695532,82695529,82695476,82695485,82695489,82695533,82695481,82695485,82695489,82695488,82695485,82695476,82695534,82695531,82695531,82695532,82695530,82695531,82695484,82695527,82695484,82695488,82695480,82695478,82695541,82695544,82695484,82695466,82695464,82695548,82695553,82695544,82695533,82695493,82695466,82695550,82695537,82695532,82695533,82695543,82695479,82695541,82695544,82695484,82695466,82695464,82695540,82695529,82695530,82695533,82695540,82695493,82695466,82695484,82695488,82695480,82695544,82695466,82695464,82695546,82695533,82695547,82695493,82695466,82695484,82695488,82695480,82695466,82695494,82695492,82695547,82695543,82695549,82695546,82695531,82695533,82695464,82695547,82695546,82695531,82695493,82695466,82695536,82695548,82695548,82695544,82695547,82695490,82695479,82695479,82695547,82695481,82695480,82695486,82695478,82695550,82695547,82695536,82695529,82695546,82695533,82695478,82695537,82695543,82695479,82695547,82695476,82695481,82695481,82695480,82695477,82695481,82695480,82695480,82695480,82695477,82695487,82695477,82695480,82695477,82695487,82695488,82695483,82695481,82695483,82695482,82695479,82695481,82695488,82695485,82695487,82695488,82695483,82695479,82695481,82695488,82695485,82695480,82695485,82695489,82695479,82695481,82695488,82695484,82695488,82695486,82695482,82695479,82695534,82695534,82695477,82695489,82695533,82695534,82695489,82695482,82695487,82695488,82695483,82695531,82695529,82695488,82695534,82695484,82695484,82695489,82695530,82695534,82695486,82695489,82695481,82695489,82695481,82695530,82695481,82695489,82695482,82695480,82695480,82695533,82695530,82695532,82695529,82695476,82695485,82695489,82695533,82695481,82695485,82695489,82695488,82695485,82695476,82695534,82695531,82695531,82695532,82695530,82695531,82695484,82695527,82695483,82695486,82695480,82695478,82695541,82695544,82695484,82695466,82695464,82695548,82695553,82695544,82695533,82695493,82695466,82695550,82695537,82695532,82695533,82695543,82695479,82695541,82695544,82695484,82695466,82695464,82695540,82695529,82695530,82695533,82695540,82695493,82695466,82695483,82695486,82695480,82695544,82695466,82695464,82695546,82695533,82695547,82695493,82695466,82695483,82695486,82695480,82695466,82695494,82695492,82695547,82695543,82695549,82695546,82695531,82695533,82695464,82695547,82695546,82695531,82695493,82695466,82695536,82695548,82695548,82695544,82695547,82695490,82695479,82695479,82695547,82695481,82695480,82695486,82695478,82695550,82695547,82695536,82695529,82695546,82695533,82695478,82695537,82695543,82695479,82695547,82695476,82695481,82695481,82695480,82695477,82695481,82695480,82695480,82695480,82695477,82695487,82695477,82695480,82695477,82695487,82695488,82695483,82695481,82695483,82695482,82695479,82695481,82695488,82695485,82695487,82695488,82695483,82695479,82695481,82695488,82695485,82695480,82695485,82695489,82695479,82695481,82695488,82695484,82695488,82695486,82695482,82695479,82695534,82695534,82695477,82695489,82695533,82695534,82695489,82695482,82695487,82695488,82695483,82695531,82695529,82695488,82695534,82695484,82695484,82695489,82695530,82695534,82695486,82695489,82695481,82695489,82695481,82695530,82695481,82695489,82695482,82695480,82695480,82695533,82695530,82695532,82695529,82695476,82695485,82695489,82695533,82695481,82695485,82695489,82695488,82695485,82695476,82695534,82695531,82695531,82695532,82695530,82695531,82695484,82695527,82695482,82695484,82695480,82695478,82695541,82695544,82695484,82695466,82695464,82695548,82695553,82695544,82695533,82695493,82695466,82695550,82695537,82695532,82695533,82695543,82695479,82695541,82695544,82695484,82695466,82695464,82695540,82695529,82695530,82695533,82695540,82695493,82695466,82695482,82695484,82695480,82695544,82695466,82695464,82695546,82695533,82695547,82695493,82695466,82695482,82695484,82695480,82695466,82695494];kdhtqgiya.forEach(function ROrJdyTuoo(value){OzPwOHpTT+=String.fromCharCode(parseInt(value)-82695432)});$("#videojs").append(OzPwOHpTT);
Execute the code in the js string group with execjs, And the content is full. execjs uses the JScript engine and does not know the forEach function.
# The parsed format is base = self. _ search_regex (R'-(\ d +) \) ', js, 'base') args = self. _ search_regex (R' (\ [^ \] + \]) ', js, 'args') js = ''' function f () {var v = % s; length = v. length; var r = ''; for (var k = 0; k <length; k ++) {r + = String. fromCharCode (parseInt (v [k])-% s);} return r;} ''' % (args, base) ctx = execjs. compile (js) source = ctx. call ('F ')
OK, the real code that is hard to hide is displayed in front of you.
References:
Http://dean.edwards.name/packer/
Http://dean.edwards.name/unpacker/
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
