logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored by anyone.

Your donations will help to keep this site alive and well, and continuing the building of the binaries.



Fixing Dean Edwards Famous PHP Javascript Packer

 
Post new topic   Reply to topic    Apache Forum Index -> Coding & Scripting Corner



View previous topic :: View next topic  
Author Message
C0nw0nk



Joined: 07 Oct 2013
Posts: 240
Location: United Kingdom, London

PostPosted: Thu 08 Jun '17 19:16    Post subject: Fixing Dean Edwards Famous PHP Javascript Packer Reply with quote

PHP Class Source Code : https://github.com/C0nw0nk/php-packer/blob/master/src/Packer.php

Code to use above Class and reproduce the error :

(example.php)
Code:

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<h2>JavaScript Variables</h2>
<p>In this example, x, y, and z are variables</p>
<!-- This should be modified by javascript and output should be 11 -->
<p id="demo"></p>
<script>
<?php

$script = "var x=5;var y=6;var z=x + y;document.getElementById('demo').innerHTML=z;";
echo "/* code before packing output inside the HTML demo id should be 11 \n" . $script . "\n*/\n\n";

$encoding = (int)95; //High ASCII
$fast_decode = true;
$special_char = true;
$remove_semicolon = false; //default is true

$packer = new Packer($script, $encoding, $fast_decode, $special_char, $remove_semicolon);
$packed = $packer->pack();

echo $packed;
?>
</script>
</body>
</html>



The Javascript output should run fine and cause the HTML page to display the number "11".

But instead you get Javascript syntax errors in browser console.

The HIGH ASCII setting is the only setting that does this all others appear to be working fine.[/u]
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6153
Location: Germany, Next to Hamburg

PostPosted: Fri 09 Jun '17 10:36    Post subject: Reply with quote

That is why I wrote my own JS and CSS packer LOL

https://github.com/JBlond/bundle
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 240
Location: United Kingdom, London

PostPosted: Fri 09 Jun '17 17:23    Post subject: Reply with quote

James Blond wrote:
That is why I wrote my own JS and CSS packer LOL

https://github.com/JBlond/bundle


Ooo that's very nice and cool James the major difference is Dean Edwards is for obfuscation and creates an output that is to prevent problems like content scrappers etc.

The JavaScript output from Packer will always be obfuscated.
Code:
eval(function(p,a,c,k,e,d)


All the other settings work on it just not the High ASCII setting but it is hard to know why and to debug to find the root cause to fix it to prevent the High ASCII setting causing JavaScript syntax errors in the browser.


With the class I provided I can always run it in Normal mode like so.

Code:

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<h2>JavaScript Variables</h2>
<p>In this example, x, y, and z are variables</p>
<!-- This should be modified by javascript and output should be 11 -->
<p id="demo"></p>
<script>
<?php

$script = "var x=5;var y=6;var z=x + y;document.getElementById('demo').innerHTML=z;";
echo "/* code before packing output inside the HTML demo id should be 11 \n" . $script . "\n*/\n\n";

$encoding = (int)62; //Normal
$fast_decode = true;
$special_char = true;
$remove_semicolon = false; //default is true

$packer = new Packer($script, $encoding, $fast_decode, $special_char, $remove_semicolon);
$packed = $packer->pack();

echo $packed;
?>
</script>
</body>
</html>


And the output from the above code will execute in the browser just fine.


Another cool feature that I liked and worked great while it is not to be used as security but just to prevent content scrappers / bots / leechers obtaining page contents from the plain text of the page. Is to encrypt the JavaScript output with a secured Key.
Code:

<?php

$script = "var x=5;var y=6;var z=x + y;document.getElementById('demo').innerHTML=z;";
echo "/* code before packing output inside the HTML demo id should be 11 \n" . $script . "\n*/\n\n";

$encoding = (int)95; //62 Normal //95 High ASCII
$fast_decode = true;
$special_char = true;
$remove_semicolon = true; //default is true

/* Encrypt javascript with a Key to only be unpacked by this key too */
$key = "theSecretKey11";

$packer = new Packer($script, $encoding, $fast_decode, $special_char, $remove_semicolon, $key);
$packed = $packer->pack();

echo "var UNPACK_KEY = '" . $key . "';" . $packed;
?>


The above output will require JavaScript to be unpacked with a Key before it can be executed.

You can pack things multiple times over hiding it behind multiple packed levels and as with the UNPACK_KEY you can run that through the packer hiding that too.

It is very nifty and preventing automated bots and python scripts etc stealing content and following links they are not suppose to follow wasting bandwidth on your site. It's one major downfall seems to be the High ASCII bug. ( https://github.com/C0nw0nk/php-packer/blob/master/src/Packer.php#L64 )

This is what the Javascript should look like when Packed with High ASCII encoding.

Code:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(c/a))+String.fromCharCode(c%a+161)};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\[\xa1-\xff]+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp(e(c),'g'),k[c])}}return p}(' x=5; y=6; z=x+y;.("").=z;',5,5,'var|document|getElementById|demo|innerHTML'.split('|'),0,{}))


What the output I get is.

Code:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(c/a))+String.fromCharCode(c%a+161)};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\[\xa1-\xff]+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp(e(c),'g'),k[c])}}return p}('� x=5;� y=6;� z=x+y;�.�(\'�\').�=z;',5,5,'var|document|getElementById|demo|innerHTML'.split('|'),0,{}))
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6153
Location: Germany, Next to Hamburg

PostPosted: Mon 12 Jun '17 11:50    Post subject: Reply with quote

The � is an encoding problem. Did you try to use utf8_encode and or utf8_decode before the output?
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 240
Location: United Kingdom, London

PostPosted: Mon 12 Jun '17 23:39    Post subject: Reply with quote

James Blond wrote:
The � is an encoding problem. Did you try to use utf8_encode and or utf8_decode before the output?


Thanks James I changed my example code here.

Code:

$packed = utf8_encode($packer->pack());


Works flawlessly so it was not any problem with the packer just me missing out that critical function. <3 Very Happy
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6153
Location: Germany, Next to Hamburg

PostPosted: Tue 13 Jun '17 15:06    Post subject: Reply with quote

That shows that one of your files is not saved as UTF-8 and or your apache does not send UTF-8 response header.
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 240
Location: United Kingdom, London

PostPosted: Tue 13 Jun '17 21:19    Post subject: Reply with quote

Oh the header for UTF-8 was present and so was the Meta tag in the HTML document for UTF8.

It was the packer itself outputting these characters in Highascii setting.

https://github.com/C0nw0nk/php-packer/blob/master/src/Packer.php#L452

The PHP script outputs those characters but using the function you provided it now encodes them to make them UTF8 compatible it seems.

I don't know if they intentionally did not use the utf8_encode function for a reason but it does the trick.
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Coding & Scripting Corner
Page 1 of 1