Updated _get_incapsula_sl #23
and for anyone interested, this is the mostly* recovered JS - readable enough (especially from what it was). *still some indirection left over from the obfuscator
(function() {
// First stage of the recovered script, with the obfuscator's operator
// indirection folded back into plain expressions.
// It issues one synchronous GET to /_Incapsula_Resource, records timing
// markers for the start and completion of that request, reloads the page when
// the response status is 200, and reports the last recorded state through an
// <img> beacon when the page unloads.
var win = this.window;
var doc = win.document;
var encode = win.encodeURIComponent;
// Opaque value sent back as the SWHANEDL query parameter.
var challengeId = "2546227503118832820,12098880163896299065,11318569247929361572,777916";
var startedAt = new win.Date().getTime();
// Human-readable description of the most recent request state.
var phase = "start";
// [0] "s:<ms>" at send, [1] "c:<ms>" at completion, [2] "r:<ms>" at unload.
var timings = new win.Array(3);
var xhr;

// Milliseconds since this stage started.
function elapsed() {
  return new win.Date().getTime() - startedAt;
}

try {
  win.onunload = function() {
    timings[2] = "r:" + elapsed();
    // Assigning src on a detached <img> is enough to trigger the GET.
    doc.createElement("img").src =
      "/_Incapsula_Resource?ES2LURCT=67&t=78&d=" + encode(phase + " (" + timings.join() + ")");
  };

  // Legacy fallback for browsers that only expose XHR through ActiveX.
  if (win.XMLHttpRequest) {
    xhr = new win.XMLHttpRequest();
  } else {
    xhr = new win.ActiveXObject("Microsoft.XMLHTTP");
  }

  xhr.onreadystatechange = function() {
    switch (xhr.readyState) {
      case 0:
        phase = elapsed() + ": request not initialized";
        break;
      case 1:
        phase = elapsed() + ": server connection established";
        break;
      case 2:
        phase = elapsed() + ": request received";
        break;
      case 3:
        phase = elapsed() + ": processing request";
        break;
      case 4:
        phase = "complete";
        timings[1] = "c:" + elapsed();
        // Loose comparison kept from the recovered code.
        if (xhr.status == 200) {
          win.location.reload();
        }
        break;
    }
  };

  timings[0] = "s:" + elapsed();
  // Third argument false: the request is synchronous.
  xhr.open("GET", "/_Incapsula_Resource?SWHANEDL=" + challengeId, false);
  xhr.send(null);
} catch (err) {
  // Failures are folded into the state string that the unload beacon reports.
  phase += elapsed() + " incap_exc: " + err;
}
}());
(function() {
/**
 * Factory for a single-use wrapper.
 *
 * a(c, d) returns a function. Only the wrapper produced by the first call to
 * a() is live: it invokes d with `this` set to c exactly once, forwarding its
 * arguments, and then drops the reference to d. Wrappers produced by any later
 * call to a() are no-ops.
 */
var a = (function() {
  var isFirstWrap = true;
  return function(c, d) {
    var wrapped;
    if (isFirstWrap) {
      wrapped = function() {
        if (!d) {
          return;
        }
        var result = d.apply(c, arguments);
        // Clearing d makes every later call of this wrapper return undefined.
        d = null;
        return result;
      };
    } else {
      wrapped = function() {};
    }
    isFirstWrap = false;
    return wrapped;
  };
}());
/**
 * Operator/call dispatch table left over from the obfuscator.
 *
 * Every entry is a trivial wrapper around one operator or one function call,
 * and many keys are aliases of the same operation. The keys are what the rest
 * of the script references, so they are kept unchanged and in their original
 * order; only the duplicated bodies are shared.
 */
var g = (function() {
  function call0(fn) { return fn(); }
  function call1(fn, x) { return fn(x); }
  function call2(fn, x, y) { return fn(x, y); }
  function call3(fn, x, y, z) { return fn(x, y, z); }
  function add(x, y) { return x + y; }
  function sub(x, y) { return x - y; }
  function mul(x, y) { return x * y; }
  function div(x, y) { return x / y; }
  function mod(x, y) { return x % y; }
  function lt(x, y) { return x < y; }
  function gt(x, y) { return x > y; }
  function looseEq(x, y) { return x == y; }
  function strictEq(x, y) { return x === y; }
  function strictNe(x, y) { return x !== y; }

  return {
    Chm: call1,
    YJF: call0,
    hkR: lt,
    ggR: add,
    obC: mod,
    fcU: call1,
    cKP: call1,
    iLy: add,
    LCL: add,
    Xsy: add,
    OeU: call2,
    AVs: call3,
    kkI: mul,
    Ifc: add,
    sFk: add,
    sKj: strictNe,
    GUu: add,
    uvK: div,
    wLw: mod,
    mTW: call1,
    HCS: call1,
    voC: gt,
    bXh: sub,
    FrK: strictNe,
    Rpn: call1,
    gKL: add,
    Cqt: call1,
    Ykw: add,
    hfg: add,
    eTQ: strictEq,
    PGc: add,
    Qrw: add,
    Ydg: add,
    JUg: call1,
    Sfb: strictEq,
    Goc: call1,
    Qys: strictEq,
    qDx: gt,
    ivX: looseEq,
    DFM: call1,
    rtK: call1,
    SQs: call1,
    LEQ: call0,
    Qjs: call0,
    EEj: call1,
    SYT: call1,
    sOJ: call1
  };
}());
// Host objects are captured once; the rest of the script goes through these
// locals instead of the globals.
var by = this.window;
var bz = by.document;
var bC = by.navigator;
var bD = by.encodeURIComponent;
// bA is the console object and bB its original log function; both stay ""
// (falsy) when the page has no console.
var bA = "";
var bB = "";
if (typeof by.console !== "undefined") {
  bA = by.console;
  bB = bA.log;
}
// Start timestamp that cY measures elapsed time against.
var bE = new by.Date().getTime();
// Accumulates every value passed through the log wrapper returned by cx.
var bF = "";
/**
 * Base64 encoder, installed as window.btoa by the main block when the browser
 * does not provide one.
 *
 * Only the low 8 bits of each UTF-16 code unit are encoded: the first byte of
 * each group is masked with 255 and the bit masks applied to the other two
 * discard anything above bit 7. No error is raised for characters above
 * U+00FF.
 *
 * @param {string} bH - Text to encode.
 * @returns {string} Base64 text using the standard alphabet with "=" padding.
 */
function bG(bH) {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  var total = bH.length;
  var encoded = "";
  var first, second, third;

  for (var pos = 0; pos < total; pos += 3) {
    first = bH.charCodeAt(pos) & 255;
    if (pos + 1 === total) {
      // One trailing byte: two symbols plus two pad characters.
      encoded += alphabet.charAt(first >> 2);
      encoded += alphabet.charAt((first & 3) << 4);
      encoded += "==";
      break;
    }

    second = bH.charCodeAt(pos + 1);
    if (pos + 2 === total) {
      // Two trailing bytes: three symbols plus one pad character.
      encoded += alphabet.charAt(first >> 2);
      encoded += alphabet.charAt(((first & 3) << 4) | ((second & 240) >> 4));
      encoded += alphabet.charAt((second & 15) << 2);
      encoded += "=";
      break;
    }

    // Full group: three bytes become four 6-bit symbols.
    third = bH.charCodeAt(pos + 2);
    encoded += alphabet.charAt(first >> 2);
    encoded += alphabet.charAt(((first & 3) << 4) | ((second & 240) >> 4));
    encoded += alphabet.charAt(((second & 15) << 2) | ((third & 192) >> 6));
    encoded += alphabet.charAt(third & 63);
  }
  return encoded;
}
/**
 * Builds a replacement for the logging function `cy`.
 *
 * The returned function appends every value it is called with to the outer
 * string `bF` and then forwards the call to `cy` (through g.Chm). The main
 * block installs it as console.log and later feeds a non-empty `bF` back into
 * the probe table, where dK passes it to eval.
 *
 * Before returning, cx runs a one-shot check (`cz`, created with the single-use
 * wrapper `a`) whose outcome depends on the source text of two small functions.
 * NOTE(review): this looks like the "self-defending" boilerplate that
 * JavaScript obfuscators emit to react to their own code being reformatted —
 * confirm against the obfuscator's output.
 */
function cx(cy) {
var cz = a(this, function() {
// cA and cB are never called; only their source text (toString) is inspected.
var cA = function() {
return "dev";
},
cB = function() {
return "window";
};
// True when cA's source does NOT have the compact single-line shape
// `name() {word '...';}` that the regex describes.
var cC = function() {
var cD = new RegExp("\\w+ *\\(\\) *{\\w+ *['|\"].+['|\"];? *}");
return !cD.test(cA.toString());
};
// True when cB's source contains a backslash followed by x, u or | and two to
// four word characters (i.e. escape-sequence-like text).
var cE = function() {
var cF = new RegExp("(\\\\[x|u](\\w){2,4})+");
return cF.test(cB.toString());
};
// cG and cJ call each other. `"i" === cI` compares a string with the number 0
// and is therefore always false, so indexOf receives `false` as its argument.
var cG = function(cH) {
var cI = 0;
if (cH.indexOf("i" === cI)) {
cJ(cH);
}
};
// The mutual recursion stops only when "e" is found at index 3 of the string,
// which is the case for the ASCII literal "indexOf".
var cJ = function(cK) {
var cL = 3;
if (cK.indexOf("e") !== cL) {
cG(cK);
}
};
// NOTE(review): the literal used in the first and last branch presumably
// contains a non-ASCII look-alike of "e", unlike the "indexOf" literal in the
// middle branch — verify the bytes. If so, cJ never finds "e" at index 3 for
// it and the cG/cJ recursion ends only when the call stack is exhausted.
if (!cC()) {
if (!cE()) {
cG("indеxOf");
} else {
cG("indexOf");
}
} else {
cG("indеxOf");
}
});
cz();
return function(cM) {
// Keep a copy of everything that is logged while the wrapper is installed.
bF += cM;
return g.Chm(cy, cM);
};
}
/**
 * getSessionCookies: collects the values of all cookies whose name starts with
 * "incap_ses_" (one leading whitespace character is tolerated, since
 * splitting document.cookie on ";" leaves it in place).
 *
 * Calls cY() once before returning.
 *
 * @returns {Array} Cookie values in document.cookie order.
 */
function cN() {
  var sessionValues = new by.Array();
  var sessionName = new by.RegExp("^\\s?incap_ses_");
  var pairs = bz.cookie.split(";");
  for (var i = 0; i < pairs.length; i++) {
    var pair = pairs[i];
    var eq = pair.indexOf("=");
    var name = pair.substr(0, eq);
    var value = pair.substr(eq + 1, pair.length);
    if (sessionName.test(name)) {
      sessionValues[sessionValues.length] = value;
    }
  }
  cY();
  return sessionValues;
}
/**
 * setIncapCookie: derives the "___utmvc" cookie from the probe report and the
 * current session cookies, and stores it through dg with a lifetime argument
 * of 20 (dg multiplies that by 1000 ms).
 *
 * NOTE(review): `de` and `df` are not declared anywhere in this listing. Unless
 * they exist as globals, the de.push call throws a ReferenceError, which the
 * main block's catch would report; presumably they were lost while the script
 * was being recovered.
 *
 * @param {string} d5 - Report text; the main block passes the output of dK.
 */
function d4(d5) {
  var cookieValue;
  var sessionValues = cN();
  // One character-code sum (see da) per session cookie value.
  var digests = new by.Array(sessionValues.length);
  for (var i = 0; i < sessionValues.length; i++) {
    digests[i] = da(d5 + sessionValues[i]);
  }
  cY();

  var seed = "yG1+ABFXDCK7v5GNykQzSe9sJ6EB2rhQNt3tVg==";
  var digestList = digests.join();
  // Hex of (seed char code + digest-list char code), with the digest list
  // repeated cyclically over the length of the seed.
  var mixed = "";
  for (var j = 0; j < seed.length; j++) {
    mixed += (seed.charCodeAt(j) + digestList.charCodeAt(j % digestList.length)).toString(16);
  }
  cY();

  de.push(btoa(d5));
  cookieValue = btoa(df(de.length - 1, seed.substr(0, 5)) + ",digest=" + digestList + ",s=" + mixed);
  de.pop();
  dg("___utmvc", cookieValue, 20);
}
/**
 * Sums the UTF-16 code units of a string, then calls cY().
 *
 * @param {string} dh - Text to sum.
 * @returns {number} Sum of dh.charCodeAt(i) over the whole string.
 */
function da(dh) {
  var total = 0;
  var i = 0;
  while (i < dh.length) {
    total += dh.charCodeAt(i);
    i++;
  }
  cY();
  return total;
}
/**
 * Writes a cookie through document.cookie.
 *
 * The cookie string carries only "expires" (when dm is truthy) and "path=/";
 * no Secure or SameSite attribute is appended here.
 *
 * @param {string} dk - Cookie name.
 * @param {string} dl - Cookie value, written as given (no escaping).
 * @param {number} dm - Lifetime in seconds; a falsy value omits "expires".
 */
function dg(dk, dl, dm) {
  var expires = "";
  if (dm) {
    var when = new by.Date();
    when.setTime(when.getTime() + dm * 1000);
    expires = "; expires=" + when.toGMTString();
  }
  bz.cookie = dk + "=" + dl + expires + "; path=/";
}
/**
 * Repeatedly executes a `debugger` statement from a function that calls
 * itself without a stopping condition. The recursion ends only when the
 * engine raises a stack-overflow error, which is swallowed here, so dq()
 * returns undefined.
 *
 * The statement is created with the Function constructor (reached through
 * `function() {}.constructor`) from the constant string "debugger"; no
 * external input reaches it. Both branches of the condition do the same
 * thing, so the test on the counter has no effect on behaviour.
 *
 * @returns {undefined}
 */
function dq() {
  function spin(depth) {
    var takeFirstBranch = ("" + depth / depth).length !== 1 || depth % 20 === 0;
    if (takeFirstBranch) {
      (function() {}.constructor("debugger")());
    } else {
      (function() {}.constructor("debugger")());
    }
    return spin(++depth);
  }
  try {
    return spin(0);
  } catch (overflow) {}
}
/**
 * Timing check called throughout the script: once more than 500 ms have
 * passed since the start timestamp bE, every call runs dq().
 * NOTE(review): presumably meant to notice execution being paused or stepped
 * in a debugger — confirm.
 */
function cY() {
  var elapsed = new by.Date().getTime() - bE;
  if (elapsed > 500) {
    dq();
  }
}
/**
 * Evaluates a probe table and returns the results as one comma-joined string
 * of URI-encoded "expression=result" items.
 *
 * Modes:
 *   "exists"            - "<expr>=true" when eval(expr) is not undefined,
 *                         "<expr>=false" otherwise or when eval throws.
 *   "value"             - "<expr>=<value.toString()>", or "=undefined",
 *                         "=null", "=cannot evaluate" when eval throws.
 *   "plugin_extentions" - one "plugin_ext=<ext>" item per distinct file
 *                         extension found in navigator.plugins[].filename.
 *
 * cY() runs after every entry.
 *
 * Security note: the expression strings go straight to window.eval. The
 * entries in e5 are constants, but the main block also appends `bF` (text
 * captured from console.log calls) as an expression, so logged text is
 * evaluated as code as well. Flagged here; behaviour is left as recovered.
 *
 * @param {Array} dL - Table of [expression, mode] pairs.
 * @returns {string} Comma-joined, URI-encoded results.
 */
function dK(dL) {
  var evaluated = "";
  var report = new Array();
  // Plugin loop index; it also receives the result of the indexOf probe below.
  var p;

  // Append one URI-encoded item to the report.
  function emit(text) {
    report[report.length] = bD(text);
  }

  for (var n = 0; n < dL.length; n++) {
    var expr = dL[n][0];
    switch (dL[n][1]) {
      case "exists":
        try {
          if (typeof by.eval(expr) !== "undefined") {
            emit(expr + "=true");
          } else {
            emit(expr + "=false");
          }
        } catch (existsErr) {
          emit(expr + "=false");
        }
        break;

      case "value":
        try {
          try {
            evaluated = by.eval(expr);
            if (typeof evaluated === "undefined") {
              emit(expr + "=undefined");
            } else if (evaluated === null) {
              emit(expr + "=null");
            } else {
              emit(expr + "=" + evaluated.toString());
            }
          } catch (evalErr) {
            emit(expr + "=cannot evaluate");
            break;
          }
          break;
        } catch (reportErr) {
          // Reached only when reporting "cannot evaluate" itself throws.
          emit(expr + "=" + reportErr);
        }
        break;

      case "plugin_extentions":
        try {
          var extensions = [];
          // Probe that arrays have a usable indexOf before relying on it.
          try {
            p = extensions.indexOf("i");
          } catch (indexOfErr) {
            emit("plugin_ext=indexOf is not a function");
            break;
          }
          try {
            var pluginCount = bC.plugins.length;
            // Loose comparisons kept from the recovered code.
            if (pluginCount == 0 || pluginCount == null) {
              emit("plugin_ext=no plugins");
              break;
            }
          } catch (pluginsErr) {
            emit("plugin_ext=cannot evaluate");
            break;
          }
          for (p = 0; p < bC.plugins.length; p++) {
            if (typeof bC.plugins[p] === "undefined") {
              emit("plugin_ext=plugins[i] is undefined");
              // Leaves only this loop; extensions found so far are still reported.
              break;
            }
            var filename = bC.plugins[p].filename;
            var extension = "no extention";
            if (typeof filename === "undefined") {
              extension = "filename is undefined";
            } else if (filename.split(".").length > 1) {
              extension = filename.split(".").pop();
            }
            if (extensions.indexOf(extension) < 0) {
              extensions.push(extension);
            }
          }
          for (p = 0; p < extensions.length; p++) {
            emit("plugin_ext=" + extensions[p]);
          }
        } catch (pluginErr) {
          emit("plugin_ext=" + pluginErr);
        }
        break;
    }
    cY();
  }
  return report.join();
}
/**
 * Probe table consumed by dK. Each entry is [expression, mode]; the expression
 * is evaluated in the page and the mode ("exists", "value" or
 * "plugin_extentions") selects how the result is reported.
 *
 * Note for anyone running this script outside a browser: when `global.process`
 * exists, the "value" probes below serialise process.argv, process.env and
 * module into the report that d4 folds into the cookie. Environment variables
 * often hold credentials.
 */
var e5 = [
  // Basic navigator properties, including the WebDriver flag.
  ["navigator", "exists"],
  ["navigator.vendor", "value"],
  ["navigator.appName", "value"],
  ["navigator.plugins.length==0", "value"],
  ["navigator.platform", "value"],
  ["navigator.webdriver", "value"],
  // Distinct plugin file extensions (the expression itself is unused by dK).
  ["platform", "plugin_extentions"],
  // Engine- and vendor-specific globals.
  ["ActiveXObject", "exists"],
  ["webkitURL", "exists"],
  ["_phantom", "exists"],
  ["callPhantom", "exists"],
  ["chrome", "exists"],
  ["yandex", "exists"],
  ["opera", "exists"],
  ["opr", "exists"],
  ["safari", "exists"],
  ["awesomium", "exists"],
  ["puffinDevice", "exists"],
  // Globals whose names point at automation and headless tooling.
  ["__nightmare", "exists"],
  ["domAutomation", "exists"],
  ["domAutomationController", "exists"],
  ["_Selenium_IDE_Recorder", "exists"],
  ["document.__webdriver_script_fn", "exists"],
  ["document.$cdc_asdjflasutopfhvcZLmcfl_", "exists"],
  // Node.js-style globals; see the note above about argv/env/module.
  ["process.version", "exists"],
  ["global", "exists"],
  ["global.require", "exists"],
  ["global.process", "exists"],
  ["JSON.stringify(global.process.argv)", "value"],
  ["JSON.stringify(global.process.env)", "value"],
  ["JSON.stringify(global.module)", "value"],
  ["WebAssembly", "exists"],
  // Constant string literal; it evaluates to itself.
  ["'v15706909'.toString()", "value"],
  ["window.toString()", "value"],
  ["navigator.cpuClass", "exists"],
  ["navigator.oscpu", "exists"],
  ["navigator.connection", "exists"],
  // Locale and window-geometry checks.
  ["navigator.language=='C'", "value"],
  ["window.outerWidth==0", "value"],
  ["window.outerHeight==0", "value"],
  ["window.WebGLRenderingContext", "exists"],
  // Source text / length of built-ins.
  ["window.constructor.toString()", "value"],
  ["document.documentMode", "value"],
  ["eval.toString().length", "value"]
];
// Main sequence of the second stage. The recovered code wrapped these steps
// in a `while (true) { ...; break; }` that ran exactly once; they are written
// here as straight-line code.
try {
  if (bB) {
    // Temporarily route console.log through the capturing wrapper from cx.
    // A failure while building the wrapper is ignored, as in the recovered code.
    try {
      bA.log = cx(bB);
    } catch (hookErr) {}
  }
  // Fall back to the bundled base64 encoder when the browser has no btoa.
  if (!by.btoa) {
    by.btoa = bG;
  }
  cY();
  // Run the probes and store the resulting cookie.
  d4(dK(e5));
  if (bF) {
    // Text captured from console.log is appended as one more "value" probe,
    // which means dK passes it to eval, and the cookie is rebuilt.
    e5.push([bF, "value"]);
    d4(dK(e5));
  }
  // Completion beacon; the random number keeps the URL unique.
  bz.createElement("img").src = "/_Incapsula_Resource?SWKMTFSR=1&e=" + by.Math.random();
} catch (e9) {
  // Error beacon carrying the base64-encoded exception message.
  bz.createElement("img").src = "/_Incapsula_Resource?SSATYUBA=jse:" + by.btoa(e9.message);
} finally {
  // Always put the original console.log back.
  if (bB) {
    bA.log = bB;
  }
}
}()); |
oh and last but not least, if you were to do a new version... |
@Wh1terat Thanks a lot for your update :) |
@Wh1terat @lobstrio @ziplokk1 is this solution still working for you? Because it no longer finds the value of sl; also, the method of building cookies has changed, I think. Any update? JS: |
There's definitely some slight changes even since my opening of this issue. I need to spend some time reversing it back to vaguely readable code once again. That said, for the JS you've posted it does contain the token. I haven't checked if cookie generation has changed at all. DEBUG:inscrapesula:Token Found: S3KrVzUpViIjqaQw76m6QTWCVJDTa853r/lQDw== |
Mixed news. Good news being I've worked out what's changed. It's a slow process recovering the original JS (see xkcd 1319) - the 3 files I have gathered over the last day have all been different (one was using original method, one was using new method with 1 key, one was using the new method with 2 keys.) I'll keep at it on the basis that I enjoy a challenge; but honestly even if (when) I find a suitable and reasonably reliable solution; they'll just change it again. I have no doubt they keep an eye on such projects as these. |
Hey @Wh1terat, recently uncovered your work in this repo and i'm interested in tagging along to help get this project to a functional state again. Do you have an email I can reach out to if you're interested in working together? I'm not sure if you're still invested into this. |
Hey folks, I'm sorry I have not been able to maintain this. If anyone is interested in becoming a maintainer please reach out to me and I will set you up with the proper permissions. You all have done great work and I am sincerely sorry that I haven't been able to test and merge these PRs. |
@ziplokk1 So, Incapsula use a modified version of JS-Obfuscator (obfuscator.io). My attempt in python - unfortunately javascript AST tools in python are largely broken or unmaintained (i.e escodegen) so this will output clean AST but will require escodegen to render back to javascript: My 2nd attempt due to getting annoyed with Python's lack of maintained javascript AST tools was to try to write it in node.js - not a language I use ever really. But it works and will provide a degree of parity with the above in Python: Although no longer working, this was my attempt to refactor my original code from this issue - obviously not currently working as needs to be updated but adding for reference: At this point unfortunately I just don't really have the time to finish anything as such - also kinda lost the motivation as I no longer have a requirement for breaking incapsula in my other project. Hopefully someone (perhaps @cookieplug ?) will wish to run with this. |
No worries @ziplokk1, you've done awesome work with what you had. I will try to carry on yours and @Wh1terat's work but i'm just a beginner when it comes to reverse engineering/de-obfuscation as such. I will however try to work through what's here. Thanks for dropping the resources, will let you know how I go! |
Without doubt some of the roughest, dirtiest code I've ever ever written, but it works to return the "sl" value from the latest incapsula/imperva obfuscated js.
I'm logging it as an issue simply because although it works, it's just too damn nasty to be a pull request and in all honesty I just did this for the fun of the challenge and don't particularly feel like refactoring it into something pretty. (although if I did, I'd go down the pyjsparser route I think)
Enjoy.