We decipher Javascript on the example of file hosting mediafire.com

Currently, a way to encrypt javascript on sites using nested eval commands is gaining popularity. Recently, I came across such encryption on mediafire.com file hosting. Encryption was unusual, it interested me and I decided to understand how well this method works.

Mediafire.com site allows you to download files without captcha and at the same time, recently, it has become quite successfully protected from all kinds of automatic robots. He does this using the built-in javascript code generator. Moreover, each time a new code is created, which makes it difficult to emulate it by automatic means.

In this article, I’ll talk about how you can very easily circumvent such protection without in-depth analysis of encrypted code and create an automatic file upload script from mediafire.com.

First, I’ll show you how this code looks:

Copy Source | Copy HTML

1. var h5u='';
2. var ybb=unescape('rev%24l%7Djg9%23%23%3Frev%24swhsp4l9qjawgeta%2C%23%213Bl%213F%216%3Da4c0%2A%2A6%213Bl%<<<тут был длинный код шифрованных символов>>>Z%3D--%3Fareh%2Cl%7Djg-%3F');
3. for(i=0;i<1324;i++)h5u=h5u+(String.fromCharCode(ybb.charCodeAt(i)^4));
4. eval(h5u);

As you can see from the example, the code is encrypted. Also, each time you access the page, the code changes: the encryption codes (XOR) change, the nesting of eval changes, the names of variables and functions change.

The code calls one of the N functions (generated in html), which in turn includes one of the N blocks on the screen (also generated in html) and displays it on the screen. Then, an additional script (also encrypted) is loaded, which writes links to the pseudo-correct path to the file download to all blocks and writes the correct path to one of these blocks.

So, we need to solve the problem of automatically downloading files from such a
system.

Draw up an action plan.

1. Download the main page, decrypt and determine which of the N functions is called and in which of the N blocks it includes (find out the key)
2. Download the file with links by key, decrypt and determine which of the N links is real (determine by key)
3. Download the file

Honestly, I dismissed the idea of ​​parsing the code and the encryption method right away, since the code is constantly changing, there is no sense in this. Therefore, I bring to your attention another way, namely emulating some browser functions.

We will solve this problem with the help of improvised means: spidermonkey .

Install spidermonkey on the system (in my FreeBSD example):

cd /usr/ports/lang/spidermonkey
make install clean

The biggest problem that I encountered is that it is not known in advance exactly where the executable code will store links and which function it will call. In order not to parse the code itself, I created some kind of getElementById () function, the function is used to load values ​​into a specific HTML element. I did it like this:

Copy Source | Copy HTML

1. var element = new Object();
2. element.innerHTML = "";
3. var parent = new Object();
4. parent.document = new Object();
5. parent.document.getElementById = functiontheGetElementByID(x) {
6.  print("HTML:" + element.innerHTML);
7.  print("\n");
8.  print("ELEMENT:" + x + ":");
9.  return element;
10. };
11.  
12. // INSERT CODE HERE
13.  
14. print("HTML:" + element.innerHTML);

The code itself, unchanged, is inserted inside this wrapper and executed. If the code calls the getElementById () function, my code will display everything that is stored in innerHTML.

Thus, without changing the code, it becomes possible to determine what and where the script saves.

And in conclusion, I suggest you familiarize yourself with a working example of downloading files from the mediafire.com resource:

Copy Source | Copy HTML

1. /*
    * Copyright (C) AIG
    * aignospam at gmail.com
    *
    * Redistribution and use in source and binary forms, with or without
    * modification, are permitted provided that the following conditions
    * are met:
    * 1. Redistributions of source code must retain the above copyright
    *    notice, this list of conditions and the following disclaimer.
    * 2. Redistributions in binary form must reproduce the above copyright
    *    notice, this list of conditions and the following disclaimer in the
    *    documentation and/or other materials provided with the distribution.
    *
    * THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
    * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
    * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    * SUCH DAMAGE.
    */
2.  
3. function jsDecode($code)
4. {
5.   $fh = fopen('./code.js', 'w');
6.   fwrite($fh, 'var element = new Object();element.innerHTML = "";');
7.   fwrite($fh, 'var parent = new Object();parent.document = new Object();');
8.   fwrite($fh, 'parent.document.getElementById = function theGetElementByID(x) {print("HTML:" + element.innerHTML);print("\n");print("ELEMENT:" + x + ":");return element;};');
9.   fwrite($fh, $code);
10.   fwrite($fh, 'print("HTML:" + element.innerHTML);');
11.   fclose($fh);
12.   return `js ./code.js 2>&1`;
13. }
14.  
15. function downloadMediafire($url)
16. {
17.   $cookie_file = './cookie.mediafire.txt';
18.   @unlink($cookie_file);
19.  
20.   $user_agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)";
21.  
22.   $ch = curl_init($url);
23.   curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
24.   curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
25.   curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
26.   curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
27.   curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
28.   $result_parent = curl_exec($ch);
29.  
30.   $referer = $url;
31.  
32.   // search all functions
33.   if (!preg_match_all("/function\s+([a-z0-9]+)\(qk\,pk\,r\)/", $result_parent, $match_function_names)) {
34.     print "unable to find generated functions\n";
35.     print $result_parent;
36.     return false;
37.   }
38.  
39.   $code_header = '';
40.   foreach ($match_function_names[1] as $function_name) {
41.     $code_header .= 'function ';
42.     $code_header .= $function_name;
43.     $code_header .= '(qk,pk,r)';
44.     $code_header .= '{print("KEY:" + qk + ":" + pk + ":" + r + ":" + "' . $function_name . '" + ":");};';
45.   }
46.  
47.   if (!preg_match('/Eo\(\);(.*?eval.*?)if/', $result_parent, $match_code)) {
48.     print "unable to find key code\n";
49.     print $result_parent;
50.     return false;
51.   }
52.  
53.   // decode eval functions...
54.   $code = jsDecode($code_header . $match_code[1]);
55.  
56.   if (!preg_match('/KEY:(.*?):(.*?):(.*?):(.*?):/', $code, $match_key)) {
57.     print $code;
58.     return false;
59.   }
60.  
61.   $qk = $match_key[1];
62.   $pk = $match_key[2];
63.   $r = $match_key[3];
64.  
65.   $valid_function_name = $match_key[4];
66.  
67.   // search for visible element...
68.   if (!preg_match('/function ' . $valid_function_name . '\(.*?document.getElementById\(\'(.{32})\'\)/', $result_parent, $match_id)) {
69.     print $result_parent;
70.     return false;
71.   }
72.  
73.   $element_id = $match_id[1];
74.  
75.   $url = 'http://www.mediafire.com/dynamic/download.php?qk=' . $qk . '&pk=' . $pk . '&r=' . $r;
76.  
77.   print "URL=$url\n";
78.  
79.   curl_setopt($ch, CURLOPT_URL, $url);
80.   curl_setopt($ch, CURLOPT_REFERER, $referer);
81.   $result_fetch = curl_exec($ch);
82.   curl_close($ch);
83.  
84.   if (!preg_match('/(var\s+et\s*=\s*15.*?)function/', $result_fetch, $match_header)) {
85.     print "unable to find link header\n";
86.     print $result_fetch;
87.     return false;
88.   }
89.  
90.   $code_header = $match_header[1];
91.  
92.   if (!preg_match('/case\s+15:(.*?)break;/', $result_fetch, $match_code)) {
93.     print "unable to find link code\n";
94.     print $result_fetch;
95.     return false;
96.   }
97.  
98.   // decode eval functions...
99.   $code = jsDecode($code_header . $match_code[1]);
100.  
101.   if (!preg_match('/' . $element_id . '.*?href="http:\/\/([^"]+)"/', $code, $match_url)) {
102.     print "unable to find element url\n";
103.     print $code;
104.     return false;
105.   }
106.  
107.   $file_url = $match_url[1];
108.  
109.   print "URL=$file_url\n";
110.  
111.   $file = basename($file_url);
112.   $url = "http://$file_url";
113.  
114.   if (file_exists($file)) {
115.     return true;
116.   }
117.  
118.   $fp = fopen($file, 'w');
119.  
120.   $ch = curl_init($url);
121.   curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
122.   curl_setopt($ch,CURLOPT_USERAGENT, $user_agent);
123.   curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);
124.   curl_setopt($ch,CURLOPT_COOKIEJAR, $cookie_file);
125.   curl_setopt($ch,CURLOPT_COOKIEFILE, $cookie_file);
126.   curl_setopt($ch,CURLOPT_REFERER, $referer);
127.   curl_setopt($ch, CURLOPT_FILE, $fp);
128.   $result = curl_exec($ch);
129.   $info = curl_getinfo($ch);
130.   curl_close($ch);
131.  
132.   fclose($fp);
133.  
134.   if ($info['http_code'] != 200) {
135.     print_r($info);
136.     return false;
137.   }
138.  
139.   return true;
140. }
141.