jsunpacker in urlresolver broken/ needs updating?

jas0npc

Banned
May 5, 2012
2,449
0
0
UK
OK, so you know I have been trying to unpack some packed JavaScript. I tried jsunpacker in urlresolver and it couldn't do it, so I went on a search on Google, found this site http://yaisb.blogspot.co.uk/2006/10/defeating-dean-edwards-javascript.html and thought, oh great, why not use the app by the dev who developed p,a,c,k,e,d. I had to use the reEnable: to get the decode button working, and you know what, it decoded it, so this

Code:
eval(function(p,a,c,k,e,d){while(c--)if(k[c])p=p.replace(new RegExp('\\b'+c.toString(a)+'\\b','g'),k[c]);return p}('4(\'30\').2z({2y:\'5://a.8.7/i/z/y/w.2x\',2w:{b:\'2v\',19:\'<p><u><2 d="20" c="#17">2u 19.</2></u><16/><u><2 d="18" c="#15">2t 2s 2r 2q.</2></u></p>\',2p:\'<p><u><2 d="20" c="#17">2o 2n b.</2></u><16/><u><2 d="18" c="#15">2m 2l 2k 2j.</2></u></p>\',},2i:\'2h\',2g:[{14:"11",b:"5://a.8.7/2f/13.12"},{14:"2e",b:"5://a.8.7/2d/13.12"},],2c:"11",2b:[{10:\'2a\',29:\'5://v.8.7/t-m/m.28\'},{10:\'27\'}],26:{\'25-3\':{\'24\':{\'23\':22,\'21\':\'5://a.8.7/i/z/y/\',\'1z\':\'w\',\'1y\':\'1x\'}}},s:\'5://v.8.7/t-m/s/1w.1v\',1u:"1t",1s:"1r",1q:\'1p\',1o:"1n",1m:"1l",1k:\'5\',1j:\'o\',});l e;l k=0;l 6=0;4().1i(9(x){f(6>0)k+=x.r-6;6=x.r;f(q!=0&&k>=q){6=-1;4().1h();4().1g(o);$(\'#1f\').j();$(\'h.g\').j()}});4().1e(9(x){6=-1});4().1d(9(x){n(x)});4().1c(9(){$(\'h.g\').j()});9 n(x){$(\'h.g\').1b();f(e)1a;e=1;}',36,109,'||font||jwplayer|http|p0102895|me|vidto|function|edge3|file|color|size|vvplay|if|video_ad|div||show|tt102895|var|player|doPlay|false||21600|position|skin|test||static|1y7okrqkv4ji||00020|01|type|360p|mp4|video|label|FFFFFF|br|FF0000||deleted|return|hide|onComplete|onPlay|onSeek|play_limit_box|setFullscreen|stop|onTime|dock|provider|391|height|650|width|over|controlbar|5110|duration|uniform|stretching|zip|stormtrooper|213|frequency|prefix||path|true|enabled|preview|timeslidertooltipplugin|plugins|html5|swf|src|flash|modes|hd_default|3bjhohfxpiqwws4phvqtsnolxocychumk274dsnkblz6sfgq6uz6zt77gxia|240p|3bjhohfxpiqwws4phvqtsnolxocychumk274dsnkba36sfgq6uzy3tv2oidq|hd|original|ratio|broken|is|link|Your|such|No|nofile|more|any|availabe|Not|File|OK|previw|jpg|image|setup|flvplayer'.split('|')))
became this

Code:
jwplayer('flvplayer').setup({image:'http://edge3.vidto.me/i/01/00020/1y7okrqkv4ji.jpg',previw:{file:'OK',deleted:'<p><u><font size="20" color="#FF0000">File deleted.</font></u><br/><u><font size="18" color="#FFFFFF">Not availabe any more.</font></u></p>',nofile:'<p><u><font size="20" color="#FF0000">No such file.</font></u><br/><u><font size="18" color="#FFFFFF">Your link is broken.</font></u></p>',},ratio:'original',hd:[{label:"360p",file:"http://edge3.vidto.me/3bjhohfxpiqwws4phvqtsnolxocychumk274dsnkba36sfgq6uzwvun2oidq/video.mp4"},{label:"240p",file:"http://edge3.vidto.me/3bjhohfxpiqwws4phvqtsnolxocychumk274dsnkblz6sfgq6uzqxuh7gxia/video.mp4"},],hd_default:"360p",modes:[{type:'flash',src:'http://static.vidto.me/test-player/player.swf'},{type:'html5'}],plugins:{'timeslidertooltipplugin-3':{'preview':{'enabled':true,'path':'http://edge3.vidto.me/i/01/00020/','prefix':'1y7okrqkv4ji','frequency':'213'}}},skin:'http://static.vidto.me/test-player/skin/stormtrooper.zip',stretching:"uniform",duration:"5110",controlbar:'over',width:"650",height:"391",provider:'http',dock:'false',});var vvplay;var tt102895=0;var p0102895=0;jwplayer().onTime(function(x){if(p0102895>0)tt102895+=x.position-p0102895;p0102895=x.position;if(21600!=0&&tt102895>=21600){p0102895=-1;jwplayer().stop();jwplayer().setFullscreen(false);$('#play_limit_box').show();$('div.video_ad').show()}});jwplayer().onSeek(function(x){p0102895=-1});jwplayer().onPlay(function(x){doPlay(x)});jwplayer().onComplete(function(){$('div.video_ad').show()});function doPlay(x){$('div.video_ad').hide();if(vvplay)return;vvplay=1;}
So does this mean jsunpacker needs updating?

Here is the full cleaned-up code:
http://pastebin.com/wjn9LfTM

This is the line that causes jsunpack to fail:
aSplit = sJavascript.split(";',")

Because there is no ;', in the newer js p,a,c,k,e,d files?
 

voinage

Banned
May 9, 2012
574
0
0
Or you could add a try/except then use the new code.
That way we get both ? ; )

Some sites still use the variant
 

Bstrdsmkr

New member
Mar 16, 2012
763
0
0
Ok, test this out with both the "new" style and the old one
Adapted from https://github.com/einars/js-beautify
Code:
# usage:
#
# if detect(some_string):
#     unpacked = unpack(some_string)
#

"""Unpacker for Dean Edward's p.a.c.k.e.r"""

import re
import string

PRIORITY = 1

def detect(source):
    """Detects whether `source` is P.A.C.K.E.R. coded."""
    return source.replace(' ', '').startswith('eval(function(p,a,c,k,e,r')

def unpack(source):
    """Unpacks P.A.C.K.E.R. packed js code."""
    payload, symtab, radix, count = _filterargs(source)

    if count != len(symtab):
        raise UnpackingError('Malformed p.a.c.k.e.r. symtab.')

    try:
        unbase = Unbaser(radix)
    except TypeError:
        raise UnpackingError('Unknown p.a.c.k.e.r. encoding.')

    def lookup(match):
        """Look up symbols in the synthetic symtab."""
        word  = match.group(0)
        return symtab[unbase(word)] or word

    source = re.sub(r'\b\w+\b', lookup, payload)
    return _replacestrings(source)

def _filterargs(source):
    """Juice from a source file the four args needed by decoder."""
    argsregex = (r"}\('(.*)', *(\d+), *(\d+), *'(.*)'\."
                 r"split\('\|'\), *(\d+), *(.*)\)\)")
    args = re.search(argsregex, source, re.DOTALL).groups()

    try:
        return args[0], args[3].split('|'), int(args[1]), int(args[2])
    except ValueError:
        raise UnpackingError('Corrupted p.a.c.k.e.r. data.')

def _replacestrings(source):
    """Strip string lookup table (list) and replace values in source."""
    match = re.search(r'var *(_\w+)\=\["(.*?)"\];', source, re.DOTALL)

    if match:
        varname, strings = match.groups()
        startpoint = len(match.group(0))
        lookup = strings.split('","')
        variable = '%s[%%d]' % varname
        for index, value in enumerate(lookup):
            source = source.replace(variable % index, '"%s"' % value)
        return source[startpoint:]
    return source


class Unbaser(object):
    """Functor for a given base. Will efficiently convert
    strings to natural numbers."""
    ALPHABET  = {
        62 : '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ',
        95 : (' !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ'
              '[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~')
    }

    def __init__(self, base):
        self.base = base

        # If base can be handled by int() builtin, let it do it for us
        if 2 <= base <= 36:
            self.unbase = lambda string: int(string, base)
        else:
            # Build conversion dictionary cache
            try:
                self.dictionary = dict((cipher, index) for
                    index, cipher in enumerate(self.ALPHABET[base]))
            except KeyError:
                raise TypeError('Unsupported base encoding.')

            self.unbase = self._dictunbaser

    def __call__(self, string):
        return self.unbase(string)

    def _dictunbaser(self, string):
        """Decodes a  value to an integer."""
        ret = 0
        for index, cipher in enumerate(string[::-1]):
            ret += (self.base ** index) * self.dictionary[cipher]
        return ret

class UnpackingError(Exception):
    """Badly packed source or general error. Argument is a
    meaningful description."""
    pass
If it works, I'll put lipstick on it and send a PR
 

jas0npc

Thank you, but that looks for p,a,c,k,e,r and not p,a,c,k,e,d
 

Bstrdsmkr

Sorry, didn't adapt the detect. Skip the detect and just feed the string to unpack()
It looks like it should still work
 

jas0npc

Thanks man, will do that now

Well, after checking it out, it seems that the parts of the eval it grabs are also in different places

Code:
argsregex = (r"}\('(.*)', *(\d+), *(\d+), *'(.*)'\."
                 r"split\('\|'\), *(\d+), *(.*)\)\)")
I am working my way through this, as in the long run it can only benefit the community, as sooner or later we will need to decode both, if not more, versions of the p,a,c,k,e,d
 

Bstrdsmkr

OK, their regex was jacked up. They were trying to capture 2 extra groups that weren't even being returned. Hacking that part off the end and making it non-greedy seems to have done the trick. I tested this one against your string, but not against the existing ones:
Code:
# usage:
#
# if detect(some_string):
#     unpacked = unpack(some_string)
#

"""Unpacker for Dean Edward's p.a.c.k.e.r"""

import re
import string

PRIORITY = 1

def detect(source):
    """Detects whether `source` is P.A.C.K.E.R. coded."""
    source = source.replace(' ','')
    # Match both the ...,e,r and ...,e,d variants of the packer signature
    return bool(re.search(r'eval\(function\(p,a,c,k,e,(?:r|d)', source))

def unpack(source):
    """Unpacks P.A.C.K.E.R. packed js code."""
    payload, symtab, radix, count = _filterargs(source)

    if count != len(symtab):
        raise UnpackingError('Malformed p.a.c.k.e.r. symtab.')

    try:
        unbase = Unbaser(radix)
    except TypeError:
        raise UnpackingError('Unknown p.a.c.k.e.r. encoding.')

    def lookup(match):
        """Look up symbols in the synthetic symtab."""
        word  = match.group(0)
        return symtab[unbase(word)] or word

    source = re.sub(r'\b\w+\b', lookup, payload)
    return _replacestrings(source)

def _filterargs(source):
    """Juice from a source file the four args needed by decoder."""
    argsregex = (r"}\('(.*)', *(\d+), *(\d+), *'(.*?)'\.split\('\|'\)")
    args = re.search(argsregex, source, re.DOTALL).groups()

    try:
        return args[0], args[3].split('|'), int(args[1]), int(args[2])
    except ValueError:
        raise UnpackingError('Corrupted p.a.c.k.e.r. data.')

def _replacestrings(source):
    """Strip string lookup table (list) and replace values in source."""
    match = re.search(r'var *(_\w+)\=\["(.*?)"\];', source, re.DOTALL)

    if match:
        varname, strings = match.groups()
        startpoint = len(match.group(0))
        lookup = strings.split('","')
        variable = '%s[%%d]' % varname
        for index, value in enumerate(lookup):
            source = source.replace(variable % index, '"%s"' % value)
        return source[startpoint:]
    return source


class Unbaser(object):
    """Functor for a given base. Will efficiently convert
    strings to natural numbers."""
    ALPHABET  = {
        62 : '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ',
        95 : (' !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ'
              '[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~')
    }

    def __init__(self, base):
        self.base = base

        # If base can be handled by int() builtin, let it do it for us
        if 2 <= base <= 36:
            self.unbase = lambda string: int(string, base)
        else:
            # Build conversion dictionary cache
            try:
                self.dictionary = dict((cipher, index) for
                    index, cipher in enumerate(self.ALPHABET[base]))
            except KeyError:
                raise TypeError('Unsupported base encoding.')

            self.unbase = self._dictunbaser

    def __call__(self, string):
        return self.unbase(string)

    def _dictunbaser(self, string):
        """Decodes a  value to an integer."""
        ret = 0
        for index, cipher in enumerate(string[::-1]):
            ret += (self.base ** index) * self.dictionary[cipher]
        return ret

class UnpackingError(Exception):
    """Badly packed source or general error. Argument is a
    meaningful description."""
    pass

test='''eval(function(p,a,c,k,e,d){while(c--)if(k[c])p=p.replace(new RegExp('\\b'+c.toString(a)+'\\b','g'),k[c]);return p}('4(\'30\').2z({2y:\'5://a.8.7/i/z/y/w.2x\',2w:{b:\'2v\',19:\'<p><u><2 d="20" c="#17">2u 19.</2></u><16/><u><2 d="18" c="#15">2t 2s 2r 2q.</2></u></p>\',2p:\'<p><u><2 d="20" c="#17">2o 2n b.</2></u><16/><u><2 d="18" c="#15">2m 2l 2k 2j.</2></u></p>\',},2i:\'2h\',2g:[{14:"11",b:"5://a.8.7/2f/13.12"},{14:"2e",b:"5://a.8.7/2d/13.12"},],2c:"11",2b:[{10:\'2a\',29:\'5://v.8.7/t-m/m.28\'},{10:\'27\'}],26:{\'25-3\':{\'24\':{\'23\':22,\'21\':\'5://a.8.7/i/z/y/\',\'1z\':\'w\',\'1y\':\'1x\'}}},s:\'5://v.8.7/t-m/s/1w.1v\',1u:"1t",1s:"1r",1q:\'1p\',1o:"1n",1m:"1l",1k:\'5\',1j:\'o\',});l e;l k=0;l 6=0;4().1i(9(x){f(6>0)k+=x.r-6;6=x.r;f(q!=0&&k>=q){6=-1;4().1h();4().1g(o);$(\'#1f\').j();$(\'h.g\').j()}});4().1e(9(x){6=-1});4().1d(9(x){n(x)});4().1c(9(){$(\'h.g\').j()});9 n(x){$(\'h.g\').1b();f(e)1a;e=1;}',36,109,'||font||jwplayer|http|p0102895|me|vidto|function|edge3|file|color|size|vvplay|if|video_ad|div||show|tt102895|var|player|doPlay|false||21600|position|skin|test||static|1y7okrqkv4ji||00020|01|type|360p|mp4|video|label|FFFFFF|br|FF0000||deleted|return|hide|onComplete|onPlay|onSeek|play_limit_box|setFullscreen|stop|onTime|dock|provider|391|height|650|width|over|controlbar|5110|duration|uniform|stretching|zip|stormtrooper|213|frequency|prefix||path|true|enabled|preview|timeslidertooltipplugin|plugins|html5|swf|src|flash|modes|hd_default|3bjhohfxpiqwws4phvqtsnolxocychumk274dsnkblz6sfgq6uz6zt77gxia|240p|3bjhohfxpiqwws4phvqtsnolxocychumk274dsnkba36sfgq6uzy3tv2oidq|hd|original|ratio|broken|is|link|Your|such|No|nofile|more|any|availabe|Not|File|OK|previw|jpg|image|setup|flvplayer'.split('|')))'''

print(unpack(test))
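
An added example, not part of the original post or of js-beautify: it runs the two argument regexes from this thread against constructed packer calls with the old tail (`.split('|'),0,{}))`) and the new tail (`.split('|')))`), then decodes the payload statically without evaluating any JavaScript. The sample strings, the `extract_args` helper and the radix limit of 36 are assumptions made for this example.

```python
import re

# Argument regex as first posted (from js-beautify) and as trimmed in the fix.
OLD_ARGS = re.compile(r"}\('(.*)', *(\d+), *(\d+), *'(.*)'\."
                      r"split\('\|'\), *(\d+), *(.*)\)\)", re.DOTALL)
NEW_ARGS = re.compile(r"}\('(.*)', *(\d+), *(\d+), *'(.*?)'\.split\('\|'\)",
                      re.DOTALL)

# Constructed samples: identical payload and symtab, two different call tails.
ARGS = "('0 1=\"2\";3(1,4)',36,5,'var|msg|hello|alert|'.split('|')"
OLD_STYLE = "eval(function(p,a,c,k,e,r){/*decoder body*/return p}" + ARGS + ",0,{}))"
NEW_STYLE = "eval(function(p,a,c,k,e,d){/*decoder body*/return p}" + ARGS + "))"


def extract_args(source):
    """Return (payload, symtab, radix, count), or None if no packer call."""
    match = NEW_ARGS.search(source)
    if match is None:
        return None
    payload, radix, count, words = match.groups()
    return payload, words.split('|'), int(radix), int(count)


def unpack(source):
    """Decode the payload by table lookup only; the JavaScript is never run."""
    args = extract_args(source)
    if args is None:
        raise ValueError('no packer argument list found')
    payload, symtab, radix, count = args
    if count != len(symtab):
        raise ValueError('symtab length does not match count')
    if not 2 <= radix <= 36:
        raise ValueError('this example only handles radix <= 36')

    def lookup(match):
        word = match.group(0)
        try:
            index = int(word, radix)
        except ValueError:          # digit not valid in this radix
            return word
        # An empty slot means the word stands for itself; so does an
        # out-of-range index, which would otherwise raise IndexError.
        if index < len(symtab) and symtab[index]:
            return symtab[index]
        return word

    # Only lowercase base-36 tokens are candidates, so int() never sees
    # underscores or uppercase identifiers from the payload.
    return re.sub(r'\b[0-9a-z]+\b', lookup, payload)


if __name__ == '__main__':
    print('old regex on old tail:', bool(OLD_ARGS.search(OLD_STYLE)))
    print('old regex on new tail:', bool(OLD_ARGS.search(NEW_STYLE)))
    print(unpack(OLD_STYLE))
    print(unpack(NEW_STYLE))
```
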
 

jas0npc

Thanks mate, I will check this against a few different strings and get back to you

Well, I tried 4 lots of URLs with my scraper to scrape the eval

#url ='http://vidto.me/3e8git6x5fou.html'
#url = 'http://vidto.me/mdc0i0ih9u3u.html'
#url = 'http://vidto.me/ra68qpe1guqy.html'
url = 'http://vidto.me/b4dacxt15jwt.html'

It worked on each one of them. I'm now trying to hunt down an older (for want of a better word) version of the eval to try.


But mate, that's top work. I didn't bother with the detect though; this is what I knocked up to scrape the site
Code:
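import re
import time

# GET_HTML, net and unpack are defined elsewhere in the poster's script (not shown)
html = GET_HTML(url)
# Collect the hidden form fields so they can be posted back
r = re.findall('type="hidden" name="(.+?)" value="(.+?)">',html)
post_data = {}
for name, value in r:
    post_data[name] = value
post_data['usr_login'] = ''
post_data['referer'] = url
time.sleep(7)
html = net.http_POST(url,post_data)
# Grab each packed eval(...) block that sets up the flvplayer
r = re.findall(r'(eval\(function\(p,a,c,k,e,d\)\{while.+?flvplayer.+?)</script>',html.content,re.M|re.DOTALL)
#print r
for temp in r:
    test = unpack(temp)
    print(test)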
 

jas0npc

Just an update: tried it with an older film link http://movdivx.com/tmhu3cmme3ck/Bee_Movie_p1-1.flv.html and it also worked perfectly :)

Code:
var s1=new SWFObject('http://www.movdivx.com/player/player.swf','player','640','318','9');s1.addParam('allowfullscreen','true');s1.addParam('allowscriptaccess','always');s1.addParam('wmode','opaque');s1.addVariable('duration','');s1.addVariable('file','http://nlfs1.movdivx.com:182/d/cn6klukvenig7afzplyvsgshxfqwnsz3idflfkkvvgymxqfuzslkaoe6/video.flv');s1.addVariable('image','http://nlfs1.movdivx.com/i/00015/tmhu3cmme3ck.jpg');s1.addVariable('provider','http');s1.addVariable('skin','http://www.movdivx.com/player/skin/stormtrooper/stormtrooper.xml');s1.addVariable('controlbar','over');s1.write('flvplayer');
 

jas0npc

Bstrdsmkr + Jas0npc = LEDGENDS!!!
No mate, the legend is Bstrdsmkr. I'm just glad that we found out that the js packer had been updated. Now to get back to work on that vidto resolver :) While keeping an eye on the things to keep in mind thread :)
 