nb_es001.html: Reversing JS self decoding, page protections
Free the Source
Generic JS page decryption
student
Hyper Javascript
25 Oct 1999
by -Sp!ke
(always) Courtesy of Fravia's page of reverse engineering
NOT edited
.. if you can get 'ky' to output to a new window in its raw html/Javascript/VBScript etc. you have the pre-encrypted page in all its glory.
There is a crack, a crack in everything That's how the light gets in
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

A lesson to anyone wishing to use JS self-decrypting pages: don't, it's too simple to get them to decode. In fact this particular example does it quicker than the original script!


Introduction
After a while away from Javascript I thought it was about time I had a look at the Seekers_spy to see if the problem with the spaces in the Show_Win_Part_HTML function could be solved. It passes html output to the seekers window; for those of you who haven't used it, the output appears like this:
< c e n t e r > < T a b l e  b o r d..........etc 
When I solved the problem I stumbled on an interesting side effect, namely a generic decoder!

Tools required
A Brain. JS-enabled browser. Seekers_spy.js (or write your own)

Target's URL/FTP
Loads of different programs. The example I have used was Psyral Phobia V4 available at
http://psyral.com/downloads.html
(Cut and paste folks, we're hidden ;)

Program History
Lots of incarnations; this works on all versions.

Essay
Here is my (lame) replacement for the Show_Win_Part_HTML function of Seekers_spy.js.
Don't laugh I know it's a really silly solution. ;-P
function Show_Win_Raw_HTML (label, message)
 {
  // Open (or reuse) the 'Spy' output window
  Win_Show = window.open('','Spy','menubar=no,scrollbars=yes,width=600,height=400,resizable=yes');
  if (Win_Show == null)
   {
    alert("Problem creating window, restart your browser");
    return;
   }
  if (Win_Show.opener == null)
    Win_Show.opener = self;

  if (message != null)
   {
    // <xmp> makes the browser show the markup as text instead of rendering it
    Win_Show.document.writeln("<xmp>",message,"</xmp>");
   }
 }
//
// Usage: Show_Win_Raw_HTML ("","insert html here")
//

This gives you straight html output. Fairly self-explanatory: it just writes the example (<xmp>) tags before and after your code so it appears as you wrote it.

Seeing the light

Now that I had modified Seekers_spy I thought it had better get put to use. What better way than to tackle some page encryptions then? Some months back I reversed Psyral Phobia's encryption (Version 1) so I downloaded version 4 to see if it had improved any (it was cram before). After installing (yuk .. Visual Basic) I encrypted a simple page which gave me the following code:
(Tidied it up a bit)

<SCRIPT LANGUAGE="JavaScript"><!--
// Script 1: the 'encrypted' page text
function Decode() {
  d("R &OB; &OB;4/pghb34/pghb34nd34/sqhbqd34n# ujmoh=0SQHBQD03BQCB4/n#3UTSRQPONMLKJIHGFEDCBA98765 utsrqponmlkjihgfedcbaZYXWV #]><zyxwv\"\nUTSRQPONMLKJIHGFEDCBA98765 utsrqponmlkjihgfedcbaZYXWV #]><zyxwv\"");
  return 0;
}
//--></SCRIPT>
<SCRIPT LANGUAGE="JavaScript"><!--
// Script 2: the decryptor; decoded text accumulates in ky
ky="";function d(msg){ky=ky+codeIt(key,msg);}
var key = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#\"";
function codeIt (mC, eS) {
  var wTG, mcH = mC.length / 2, nS = "", dv;
  for (var x = 0; x < eS.length; x++) {
    wTG = mC.indexOf(eS.charAt(x));
    if (wTG > mcH) {
      dv = wTG - mcH;
      nS = nS + mC.charAt(33 - dv);
    } else {
      if (key.indexOf(eS.charAt(x)) < 0) {
        nS = nS + eS.charAt(x);
      } else {
        dv = mcH - wTG;
        nS = nS + mC.charAt(33 + dv);
      }
    }
  }
  return nS;
}
//--></SCRIPT>
<SCRIPT LANGUAGE="JavaScript"><!--
// Script 3: decode and write the result to the page
Decode();
document.write(ky);
//--></SCRIPT>

What is this code doing?
Well, the first script (Decode function) is the 'encrypted' text. The second is the decryptor. (Nonsensical variable names; please feel free to rename them if you wish (good exercise), I'm too lazy, since it isn't really secure and therefore not interesting ;) And the last writes it to the window.

If you do bother to study the decryption routine (I did eventually) you'll see it's relatively straightforward. But do we need to? The answer lies in the first line of the routine:

ky="";function d(msg){ky=ky+codeIt(key,msg);}

This function puts the decrypted text into 'ky' ready to display to the page. How does this help? Since that text must be in a 'good' format for this system to work, if you can get 'ky' to output to a new window in its raw html/Javascript/VBScript etc. you have the pre-encrypted page in all its glory.

Using the modified routine in Seekers_spy, insert the following code after the above line.

Show_Win_Raw_HTML ("",ky);

Load the page into your browser and... Et Voila... Plain script... ;)

Exactly the same trick works with other Heavens Rage software such as:
Script Keeper version 1.0.35
In fact this will work with any encryption where it decodes itself, with the caveat that the encryption 'key' is on the page itself and not in a .js file or similar. (Heavens Rage, are you reading this? C'mon give us a challenge ;)
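The point above, as an added example (not the author's or the vendor's code): the sample's codeIt routine reduces to a mirror substitution over the alphabet shipped in the page, and whatever a self-decoding page hands to document.write can be recorded by a stub. The names mirror, buildSelfDecodingScript and captureWrites and the SAMPLE markup are assumptions made for illustration.

```javascript
// Added example: mirror, buildSelfDecodingScript and captureWrites are hypothetical names.

// Alphabet copied from the page's `key` variable (67 characters).
const KEY = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#"';

// Readable equivalent of the page's codeIt(): the character at index i becomes
// the one at index 66 - i; characters outside the alphabet pass through.
// Applying it twice returns the input, so encoder and decoder are the same routine.
function mirror(text) {
  let out = '';
  for (const ch of text) {
    const i = KEY.indexOf(ch);
    out += i < 0 ? ch : KEY.charAt(KEY.length - 1 - i);
  }
  return out;
}

// Constructed stand-in for a protected page: encoded payload, alphabet and decoder
// ship together and the result goes to document.write(), as in the sample above.
function buildSelfDecodingScript(plainHtml) {
  return [
    'var KEY = ' + JSON.stringify(KEY) + ';',
    mirror.toString(),
    'var ky = "";',
    'function d(msg) { ky = ky + mirror(msg); }',
    'd(' + JSON.stringify(mirror(plainHtml)) + ');',
    'document.write(ky);',
  ].join('\n');
}

// Run the page script against a stub `document` that records what would be rendered.
// new Function() is not a sandbox: the script runs with full process privileges,
// so untrusted samples belong in an isolated, disposable environment.
function captureWrites(script) {
  const chunks = [];
  const stub = {
    write: (...args) => chunks.push(args.join('')),
    writeln: (...args) => chunks.push(args.join('') + '\n'),
  };
  new Function('document', script)(stub);
  return chunks.join('');
}

// Constructed sample markup, not taken from any real page.
const SAMPLE = '<center><b>Members only</b></center>';
console.log(captureWrites(buildSelfDecodingScript(SAMPLE)));
```

Because the alphabet and the routine are both in the page, the encoding adds no confidentiality; anything that must stay private has to be kept off the client.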

Unfortunately Seekers_spy doesn't work with Opera :(
So another quick solution is to alter the final script of the page as follows:

//--></SCRIPT><SCRIPT LANGUAGE="JavaScript"><!-- Decode();document.write("<xmp>",ky,";");//-->

Larfably simple or wot?

Final Notes
To be honest it is _impossible_ to make this type of routine totally un-decodeable as by its very nature it must decode itself without any user input. (Don't want to confuse the lusers do we.)
The only advantage I can see with this program is the work needed in reformatting the code after you have decrypted it. (Boring but necessary for readability)
Of course you can make this even harder by using a pre-processor like Jmyth before you encrypt it. (Jmyth randomly renames your variables/function names and compresses code into a single line)

See Ya! -Sp!ke

Ob Duh


"Ob Duh" section doesn't apply since we aren't cracking anyone's _program_, are we ;)

