Skip count down and redirect to actual download page.
< Feedback on IGG Games / bluemediafiles bypass
right? That javascript is insane :D
+1 for having no idea how the link code was deciphered lol
any input?
It may be easier than you think; you don't have to understand the whole thing.
Skimming through the Goroi_n_Create_Button function, you should quickly see that the line below has something to do with url:
    document[cidkez(0x203)]('url')[cidkez(0x215)]('value', cidken)
Add a breakpoint on that line and, once the debugger pauses, type the cidkez function calls into the console. This quickly reveals that the line above translates to something like this:
    document['getElementById']('url')['setAttribute']('value', cidken)
This confirms our suspicion, and now we have to know where the cidken value comes from. This leads us to the code segment below:
    var cidken = '';
    for (i = d_roi[cidkez(0x1f8)] / 0x2 - 0x5; i >= 0x0; i = i - 0x2) {
        cidken += d_roi[i];
    }
    for (i = d_roi[cidkez(0x1f8)] / 0x2 + 0x4; i < d_roi[cidkez(0x1f8)]; i = i + 0x2) {
        cidken += d_roi[i];
    }
Again, we do some translations so it becomes this,
    var cidken = '';
    for (i = d_roi.length / 2 - 5; i >= 0; i = i - 2) {
        cidken += d_roi[i];
    }
    for (i = d_roi.length / 2 + 4; i < d_roi.length; i = i + 2) {
        cidken += d_roi[i];
    }
The d_roi value is the encoded string supplied to the function.
Now we can test the unobfuscated code segment. Let's say we have a d_roi value of akPofZsHo3VOrjT/ijkSjHJyYp3FKik2a+HoRWJwk84qd0f9lnE6Zt3KqHU8ka4F5EtYG8qTXMy7ngPueUNZNH8L8fUPMT5qxy3oALbGYsRgGsceJ2zxHy/fYkx9MX35qa5GeG8Oljw5XZkowj+89Vg5F4KMlBdO2TSA9ZeP24oTFesSQGLyLz+oi4WJ5516LgDTzUGHojiyvRjuGc4yB8hsh09F9uRU9avSzEcIWfk5jw20Yn1H2BtV77WmtaNzbbmUcT. Let's run it in the console with the mock-up function below:
    ((enc) => {
        let dec = '';
        // First half: walk backwards from just before the midpoint, every second character.
        for (let i = enc.length / 2 - 5; i >= 0; i = i - 2) {
            dec += enc[i];
        }
        // Second half: walk forwards from just after the midpoint, every second character.
        for (let i = enc.length / 2 + 4; i < enc.length; i = i + 2) {
            dec += enc[i];
        }
        return dec;
    })('akPofZsHo3VOrjT/ijkSjHJyYp3FKik2a+HoRWJwk84qd0f9lnE6Zt3KqHU8ka4F5EtYG8qTXMy7ngPueUNZNH8L8fUPMT5qxy3oALbGYsRgGsceJ2zxHy/fYkx9MX35qa5GeG8Oljw5XZkowj+89Vg5F4KMlBdO2TSA9ZeP24oTFesSQGLyLz+oi4WJ5516LgDTzUGHojiyvRjuGc4yB8hsh09F9uRU9avSzEcIWfk5jw20Yn1H2BtV77WmtaNzbbmUcT');
This gives the output 3MxY/HzJcGRYbA3x5MU88NNePnyXqGt54kUq3ZElfd4kJRHakK3YJjkiTrVosfPaOj5Zoj8V54MBOTAZP4TeSGyzo4J56gTUHjyRucy8s0FuUaSEIf5w0nHBV7mazbUT.
Combine it with the URL: http://bluemediafiles.com/get-url.php?url=3MxY/HzJcGRYbA3x5MU88NNePnyXqGt54kUq3ZElfd4kJRHakK3YJjkiTrVosfPaOj5Zoj8V54MBOTAZP4TeSGyzo4J56gTUHjyRucy8s0FuUaSEIf5w0nHBV7mazbUT
And voilà! We get what we want. Hope this satisfies your curiosity.
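The manual translation step described in the answer above (evaluate each cidkez(0x…) call, then substitute the result into the source) can be done mechanically when reading string-array obfuscated JavaScript. This is an added example, not part of the original post or the userscript; `resolveLookups`, `KNOWN` and `SAMPLE` are hypothetical names, and the lookup table holds only the three index values the thread reveals.

```javascript
// Constructed stand-in for the page's string decoder: only the three
// index -> string pairs revealed in the thread are known.
const KNOWN = new Map([
  [0x203, 'getElementById'],
  [0x215, 'setAttribute'],
  [0x1f8, 'length'],
]);

// Lines quoted in the thread, embedded as sample input.
const SAMPLE = [
  "document[cidkez(0x203)]('url')[cidkez(0x215)]('value', cidken)",
  "for (i = d_roi[cidkez(0x1f8)] / 0x2 - 0x5; i >= 0x0; i = i - 0x2) {",
].join('\n');

// Hypothetical helper: regex-based rewrite of decoder calls and hex literals.
// Heuristic only: it does not parse JavaScript, so review the output by hand.
function resolveLookups(src, decoderName, lookup) {
  const name = decoderName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const unresolved = new Set();
  const resolve = (hex, whenKnown, original) => {
    const s = lookup(parseInt(hex, 16));
    if (s === undefined) { unresolved.add(hex); return original; }
    return whenKnown(s);
  };
  // 1) obj[decoder(0x..)] -> obj.name, or obj["..."] if not an identifier.
  const member = new RegExp(`\\[${name}\\((0x[0-9a-fA-F]+)\\)\\]`, 'g');
  let code = src.replace(member, (m, hex) => resolve(hex, (s) =>
    /^[A-Za-z_$][\w$]*$/.test(s) ? `.${s}` : `[${JSON.stringify(s)}]`, m));
  // 2) Remaining bare decoder(0x..) calls -> string literal.
  const call = new RegExp(`(?<![\\w$])${name}\\((0x[0-9a-fA-F]+)\\)`, 'g');
  code = code.replace(call, (m, hex) => resolve(hex, (s) => JSON.stringify(s), m));
  // 3) Hex numbers -> decimal, except arguments of still-unresolved calls.
  const hexNum = new RegExp(`(?<!${name}\\()\\b0x[0-9a-fA-F]+\\b`, 'g');
  code = code.replace(hexNum, (h) => String(parseInt(h, 16)));
  return { code, unresolved: [...unresolved] };
}

const result = resolveLookups(SAMPLE, 'cidkez', (n) => KNOWN.get(n));
console.log(result.code);
console.log('unresolved indexes:', result.unresolved);
```

In a real session the `lookup` argument would be the page's own decoder function, called while the debugger is paused; indexes it cannot resolve are left in place and reported.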
Damn thx. This helped a lot! I think I learned a lot about debugging and deobfuscation.
One quick question, how did you bypass their debugger protection?
I just always paused execution before the timer was up and did "step over" twice to get into the method where I could then execute cidkez(0x___) but I was just lucky that worked I think, since it works with and without the breakpoint at the line with "url".
Was that also your approach or do you have more tricks up your sleeve?
@Alistair1231 Just right click on the line number and select "Never pause here".
I can't say I have more "tricks up my sleeve", I just do what I used to do when I was debugging. There are a million ways to get the job done, just take the one that works for you.
Have fun messing around :)
Wow this worked! Thanks so much. I couldn't figure out how they encoded it.
How were you able to unobfuscate their code or at least figure out the encoding?