1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Decoding iframe protected page

Discussion in 'PHP & Perl' started by neoakenz, Sep 4, 2011.

  1. neoakenz

    neoakenz Newbie

    Joined:
    Nov 26, 2008
    Messages:
    45
    Likes Received:
    1
    How does this website do it:

    http://www.video2k.tv/Decrypt/jTgfYfHg9LXeOjOWuPQqpfVpO5BFX2PTaF5J2u5gOGNdRnWAah1K-oK32okqrTxCpc3GKmD-Zx9PSWuZ0VQSdw==

    I want to find the link that it hides.
     
  2. webblackart

    webblackart Registered Member

    Joined:
    May 13, 2009
    Messages:
    60
    Likes Received:
    9
    if you only need the link look into the http traffic with a tool like http live headers for firefox. else analyze the javascript. do not miss the code on the second page, the page displays an iframe inside an iframe.
     
  3. neoakenz

    neoakenz Newbie

    Joined:
    Nov 26, 2008
    Messages:
    45
    Likes Received:
    1
    How do I analyze the javascript?
     
  4. xenon2010

    xenon2010 Regular Member

    Joined:
    Apr 27, 2010
    Messages:
    231
    Likes Received:
    48
    Occupation:
    web and desktop apps programmer
    Location:
    prison
    Home Page:
    you need to get the REAL url of the iFrame and then do further processing...
    its not hard to break these kinds of protections.. all you need is Live Http Headers the firefox extension and you need to monitor what is really going on in this page. it needs some time to figure it out...
     
  5. typeslowly

    typeslowly Registered Member

    Joined:
    Nov 30, 2008
    Messages:
    61
    Likes Received:
    9
    Location:
    United States
    View source to view the javascript.

    Code:
    var OHB = {
        HKOzsD: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
        HQOu: function (Zl) {
            String.prototype.UkrBeyp = function () {
                splitext = this.split("");
                a = splitext.reverse();
                b = a.join("");
                return b;
            }
            var tNQt = "";
            var xTx3476, Mhx7351, RJx7783;
            var dTx9870, GWx8226, ezx5437, jvx5046;
            var hUpvjDw = 0;
            Zl = new String(Zl).replace(/\?\?\?/g, "=").trim().UkrBeyp().replace(/[^A-Za-z0-9\+\/\=]/g, "");
            while (hUpvjDw < Zl.length) {
                dTx9870 = this.HKOzsD.indexOf(Zl.charAt(hUpvjDw++));
                GWx8226 = this.HKOzsD.indexOf(Zl.charAt(hUpvjDw++));
                ezx5437 = this.HKOzsD.indexOf(Zl.charAt(hUpvjDw++));
                jvx5046 = this.HKOzsD.indexOf(Zl.charAt(hUpvjDw++));
                xTx3476 = (dTx9870 << 2) | (GWx8226 >> 4);
                Mhx7351 = ((GWx8226 & 15) << 4) | (ezx5437 >> 2);
                RJx7783 = ((ezx5437 & 3) << 6) | jvx5046;
                tNQt = tNQt + String.fromCharCode(xTx3476);
                if (ezx5437 != 64) {
                    tNQt = tNQt + String.fromCharCode(Mhx7351);
                }
                if (jvx5046 != 64) {
                    tNQt = tNQt + String.fromCharCode(RJx7783);
                }
            }
            tNQt = new String(OHB.kQDjJn(tNQt)).UkrBeyp();
            return tNQt;
        },
        kQDjJn: function (utftext) {
            var string = "";
            var i = 0;
            var c = c1 = c2 = 0;
            while (i < utftext.length) {
                c = utftext.charCodeAt(i);
                if (c < 128) {
                    string += String.fromCharCode(c);
                    i++;
                } else if ((c > 191) && (c < 224)) {
                    c2 = utftext.charCodeAt(i + 1);
                    string += String.fromCharCode(((c & 31) << 6) | (c2 & 63));
                    i += 2;
                } else {
                    c2 = utftext.charCodeAt(i + 1);
                    c3 = utftext.charCodeAt(i + 2);
                    string += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
                    i += 3;
                }
            }
            return string;
        }
    } /* jTgfYfHg9LXeOjOWuPQqpfVpO5BFX2PTaF5J2u5gOGNdRnWAah1K+oK32okqrTxCpc3GKmD+Zx9PSWuZ0VQSdw==*/
    
    function ifReady() {
        window.frames["ifr"].bla(OHB.HQOu("??????QODJDM2MkQxE0NChjQyI0QvUGbpZ2Lt92YuUmchh2crN2bz5yd3d3LvoDc0RHa"));
    } <

    He's basically doing some string manipulation & 'crypto' to determine which url to open in the iframe. Out of curiosity, how did you stumble upon this OP?


    edit the function call
    Code:
     OHB.HQOu("??????QODJDM2MkQxE0NChjQyI0QvUGbpZ2Lt92YuUmchh2crN2bz5yd3d3LvoDc0RHa"));

    returns "9C206CB1A7B8B2BC/elif/moc.erahskcos.www//:ptth"
     
    Last edited: Sep 7, 2011
  6. jokerfaces

    jokerfaces Newbie

    Joined:
    Sep 7, 2011
    Messages:
    15
    Likes Received:
    2
    its relly difficult
     
  7. xenon2010

    xenon2010 Regular Member

    Joined:
    Apr 27, 2010
    Messages:
    231
    Likes Received:
    48
    Occupation:
    web and desktop apps programmer
    Location:
    prison
    Home Page:
    basically download it with webpage control (with C#) the javascript in webpage control will translate this JS crap into HTML. so all you need is to get the innerHTML of the "body" or "document" out of it... you will get the iFrame data very easily.. then look for the url involved to process you to the downloading link.. etc.
     
  8. hip_hop_x

    hip_hop_x Jr. VIP Jr. VIP Premium Member

    Joined:
    Aug 27, 2009
    Messages:
    299
    Likes Received:
    61
    Occupation:
    Developer
    Home Page:
    just do alert(document.getelementsbytagname('body')); it should display the processed js code :)