| <?php |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
|
|
| class UMSJavaScriptUnPacker |
| { |
| private $unbaser; |
| private $payload; |
| private $symtab; |
| private $radix; |
| private $count; |
| |
| function Detect($source) |
| { |
| $source = preg_replace("/ /","",$source); |
| preg_match("/eval\(function\(p,a,c,k,e,[r|d]?/", $source, $res); |
| |
| UMSDebug::Write($res,"detection result"); |
| |
| return (count($res) > 0); |
| } |
| |
| function Unpack($source) |
| { |
| preg_match_all("/}\('(.*)', *(\d+), *(\d+), *'(.*?)'\.split\('\|'\)/",$source,$out); |
| |
| UMSDebug::Write($out,"DOTALL", false); |
| |
| |
| $this->payload = $out[1][0]; |
| UMSDebug::Write($this->payload,"payload"); |
| |
| $this->symtab = preg_split("/\|/",$out[4][0]); |
| UMSDebug::Write($this->symtab,"symtab"); |
| |
| $this->radix = (int)$out[2][0]; |
| UMSDebug::Write($this->radix,"radix"); |
| |
| $this->count = (int)$out[3][0]; |
| UMSDebug::Write($this->count,"count"); |
| |
| if( $this->count != count($this->symtab)) return; |
| |
| |
| $this->unbaser = new UMSUnbaser($this->radix); |
| |
| $result = preg_replace_callback( |
| '/\b\w+\b/', |
| array($this, 'Lookup') |
| , |
| $this->payload |
| ); |
| $result = str_replace('\\', '', $result); |
| UMSDebug::Write($result); |
| $this->ReplaceStrings($result); |
| return $result; |
| } |
| |
| function Lookup($matches) |
| { |
| $word = $matches[0]; |
| $ub = $this->symtab[$this->unbaser->Unbase($word)]; |
| $ret = !empty($ub) ? $ub : $word; |
| return $ret; |
| } |
|
|
| function ReplaceStrings($source) |
| { |
| preg_match_all("/var *(_\w+)\=\[\"(.*?)\"\];/",$source,$out); |
| UMSDebug::Write($out); |
| } |
| |
| } |
|
|
| class UMSUnbaser |
| { |
| private $base; |
| private $dict; |
| private $selector = 52; |
| private $ALPHABET = array( |
| 52 => '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOP', |
| 54 => '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQR', |
| 62 => '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', |
| 95 => ' !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~' |
| ); |
| |
| |
| function __construct($base) |
| { |
| $this->base = $base; |
| |
| if($this->base > 62) $this->selector = 95; |
| else if($this->base > 54) $this->selector = 62; |
| else if($this->base > 52) $this->selector = 54; |
| } |
| |
| function Unbase($val) |
| { |
| if( 2 <= $this->base && $this->base <= 36) |
| { |
| return intval($val,$this->base); |
| }else{ |
| if(!isset($this->dict)){ |
| |
| $this->dict = array_flip(str_split($this->ALPHABET[$this->selector])); |
| } |
| $ret = 0; |
| $valArray = array_reverse(str_split($val)); |
| |
| for($i = 0; $i < count($valArray) ; $i++) |
| { |
| $cipher = $valArray[$i]; |
| $ret += pow($this->base, $i) * $this->dict[$cipher]; |
| } |
| return $ret; |
| |
| } |
| } |
| |
| } |
|
|
|
|
| class UMSDebug |
| { |
| public static $debug = false; |
| public static function Write($data, $header = "", $mDebug = true) |
| { |
| if(!self::$debug || !$mDebug) return; |
| |
| if(!empty($header)) |
| echo "<h4>".$header."</h4>"; |
| |
| echo "<pre>"; |
| print_r($data); |
| echo "</pre>"; |
| } |
|
|
| } |
| ?> |
