Skip to content

Commit 7db7d2a

Browse files
LostMyCodeLostMyCode
committed
Fixed regex bug (allowed space between 2 args)
1 parent fef5f8b commit 7db7d2a

File tree

1 file changed

+119
-0
lines changed

1 file changed

+119
-0
lines changed

functions/xDecoder.js

Lines changed: 119 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,119 @@
1+
/* eslint-disable no-cond-assign */
2+
/* eslint-disable no-unused-vars */
3+
module.exports = function () {
4+
const Decoder = {};
5+
6+
Decoder.decode = function decode(type, targetName, code) {
7+
switch (type) {
8+
case 0:
9+
return Decoder.decodeType0(targetName, code);
10+
case 1:
11+
return Decoder.decodeType1(targetName, code);
12+
case 2:
13+
return Decoder.decodeType2(targetName, code);
14+
}
15+
}
16+
17+
Decoder.decodeType0 = function (targetName, code) { // array like _0xf13b[274] not func
18+
eval(`var ${targetName} = null`);
19+
try {
20+
eval(code.replace(new RegExp(`var ${targetName}=`), `${targetName}=`));
21+
} catch (e) {
22+
console.log("Eval err but continue");
23+
}
24+
25+
const stringArray = eval(targetName);
26+
const regArg = `${targetName}\\[([0-9]+)\\]`;
27+
const defaultRegex = new RegExp(regArg);
28+
29+
let regex = new RegExp(regArg);
30+
let m;
31+
32+
while (m = code.match(regex)) {
33+
const val = stringArray[m[1]].replace(/'/g, "\\x27");
34+
regex = new RegExp(`${targetName}\\[${m[1]}\\]`, 'g');
35+
code = code.replace(regex, `'${val}'`);
36+
regex = defaultRegex;
37+
}
38+
39+
return code;
40+
}
41+
42+
Decoder.decodeType1 = function (targetName, code) { // 1 args like _0xabc('0x00')
43+
eval(`var ${targetName} = null`);
44+
try {
45+
eval(code);
46+
} catch (e) {
47+
console.log("Eval err but continue");
48+
}
49+
50+
const decode = eval(targetName);
51+
const regArg = `${targetName}\\(.([a-zA-Z0-9]+).\\)`;
52+
const defaultRegex = new RegExp(regArg);
53+
54+
let regex = new RegExp(regArg);
55+
let m;
56+
57+
while (m = code.match(regex)) {
58+
// let val = eval(`${targetName}('${m[1]}')`).replace(/'/g, "\\x27");
59+
const val = decode(m[1]).replace(/'/g, "\\x27");
60+
regex = new RegExp(`${targetName}\\(.${m[1]}.\\)`, 'g');
61+
code = code.replace(regex, `'${val}'`);
62+
regex = defaultRegex;
63+
}
64+
65+
return code;
66+
}
67+
68+
Decoder.decodeType2 = function (targetName, code) { // 2 args like _0xabc('asd', 'asd') RC4
69+
let targetNameRegex = new RegExp(`var ${targetName}=`);
70+
eval(`var ${targetName} = null`);
71+
try {
72+
//eval(code.replace(targetNameRegex, `window.${targetName} = `));
73+
eval(code);
74+
} catch (e) {
75+
console.log("Eval err but continue");
76+
}
77+
78+
const decode = eval(targetName);
79+
const quoType = code.match(new RegExp(`${targetName}\\((.)[a-zA-Z0-9]+.,.[^']+.\\)`))[1];
80+
// there are 2 types like _0x4763("0x120b","EEc$") or _0x4763('0x120b','EEc$')
81+
// so quotation type check is needed
82+
const regArg = `${targetName}\\(.([a-zA-Z0-9]+).,\\s*.([^${quoType}]+).\\)`;
83+
const defaultRegex = new RegExp(regArg);
84+
const amount = code.match(new RegExp(regArg, "g")).length;
85+
console.log(amount);
86+
87+
let regex = new RegExp(regArg);
88+
let m;
89+
90+
while ((m = code.match(regex))) {
91+
m[2] = m[2].replace(/"/, "");
92+
// console.log(m[1], m[2])
93+
/* let val = eval(`${targetName}('${m[1]}','${m[2]}')`).replace(
94+
/'/g,
95+
"\\x27"
96+
); */
97+
const val = decode(m[1], m[2]).replace(
98+
/'/g,
99+
"\\x27"
100+
);
101+
102+
m[2] = m[2]
103+
.replace(/\(/g, "\\(")
104+
.replace(/\)/g, "\\)")
105+
.replace(/\$/g, "\\$")
106+
.replace(/\[/g, "\\[")
107+
.replace(/\]/g, "\\]")
108+
.replace(/\^/g, "\\^")
109+
.replace(/\*/g, "\\*");
110+
regex = new RegExp(`${targetName}\\(.${m[1]}.,.${m[2]}.\\)`, "g");
111+
code = code.replace(regex, `'${val}'`);
112+
regex = defaultRegex;
113+
}
114+
115+
return code;
116+
}
117+
118+
return Decoder;
119+
}

0 commit comments

Comments
 (0)