tglogo.png

Downloading File

Filename: Safe Eval v1.2
; safe_eval 1.2
; myndzi  8/7/2008

; parse a mirc command line recursively, de-obfuscating without evaluating identifiers
; essentially, i escape everything and then selectively unescape some things, evaluate
; and repeat as necessary.
;
; remember to use a *single* slash when calling it as an alias:
;
; /safe_eval <dangerous code>
;
; or else call it like so:
;
; //safe_eval $cb
;
; after copying the code to your clipboard, otherwise you might get caught by pipes
; in the command.
;
; if you don't understand regular expressions yet, you may want to check out a different
; snippet.


;dangerous commands:
;scid          - double eval / obfuscated pipe
;scon          - double eval / obfuscated pipe
;timer         - double eval / obfuscated pipe
;flash         - double eval / obfuscated pipe [only if mirc is inactive]

;|             - command separator (multiple commands to mirc)
;}             - pipe synonym

;$findfile     - evaluation -> command
;$finddir      - evaluation -> command

;$() $eval()   - evaluation control
;$evalnext()   - evaluation control
;[ ]           - evaluation control

;$decode       - obfuscation
;$base         - obfuscation
;$chr          - obfuscation
;$left         - obfuscation
;$mid          - obfuscation
;$right        - obfuscation
;$+() $+       - obfuscation

;$crlf $cr $lf - newline (multiple commands to server)

;#$identifier  - will still evaluate
;=$identifier  - this too

alias safe_eval {
  var %t = $1-, %i, %j, %re, %pre, %suf

  ; thanks to Remy for finding the vulnerability this fixes
  var %re = /^(.*?)([^()]*(\((?2)\)|\([^()]*\))[^()]*)(.*)$/
  noop $regex(se, %t, %re)
  %t = $regml(se, 2)

  ; remove leading /'s
  if ($regex(%t, /^\/+(.*)/)) %t = $regml(1)

  ; for easier regexing -> force spaces before and after the real data
  %t = . %t .

  ; keep evaluating obfuscation identifiers until there are none left in the string
  %re = /\$(decode|chr|base|left|mid|right|regsubex|remove|replace|\+)/i

  while ($regex(%t, %re)) && ($safe_eval2(%t) != %t) %t = $ifmatch

  ; remove the surrounding periods
  %t = $mid(%t, 2, -1)

  %t = $regml(se, 1) $+ %t $+ $regml(se, 4)

  ; done
  if ($isid) return %t
  else echo -a * /safe_eval: %t
}

; this processes brackets in the correct order
alias -l safe_eval2 {
  var %re = /(\x20\[(\x20[^\[]*?\x20)\]\x20)/, %t = $1

  ; evaluate brackets
  while ($regex(se2, %t, %re)) { %t = $put(%t, $mid($safe_eval3(. $regml(se2, 2) .), 2, -1), $regml(se2, 1).pos, $len($regml(se2, 1))) }

  ; evaluate the entire line once
  %t = $safe_eval3(%t)

  return %t
}


; this part does the actual evaluating
alias -l safe_eval3 {
  var %t = $1, %%, %re

  ; put spaces after left parenthesis and commas
  %re = /(\(|,)/g
  %% = $regsub(%t, %re, $+(\1, $chr(32)), %t)

  ; put spaces before right parenthesis and commas
  %re = /(\)|,)/g
  %% = $regsub(%t, %re, $+($chr(32), \1), %t)

  ; escape all identifiers
  ; thanks Saturn    vvvv
  %re = /(?<=\x20)(?:\x23|\x3D)?\$(?!\x20)/g
  %% = $regsub(%t, %re, \$!, %t)

  ; escape all variables
  %re = /(?<=\x20)(\x25)([^\x20]+)/g
  %% = $regsub(%t, %re, \1 \$+ \2, %t)

  ; escape all flow symbols
  %re = /(\{|\||\})/g
  %% = $regsub(%t, %re, \\\1, %t)

  ; unescape selected identifiers
  %re = /(?<=\x20)(\$)!((?:decode|base|chr|left|mid|right|regsubex|remove|replace|\+)\(|(?:\+|null)(?=\x20))/gi
  %% = $regsub(%t, %re, \1\2, %t)

  ; evaluate one step

  %t = $eval(%t, 2)

  ; unescape all flow symbols
  %re = /\\(\{|\||\})/g
  %% = $regsub(%t, %re, \1, %t)

  ; convert crs and lfs embedded in encoded data into mircscript
  %t = $replace(%t, $crlf, $+($chr(32), $!crlf, $chr(32)), $cr, $+($chr(32), $!cr, $chr(32)), $lf, $+($chr(32), $!lf, $chr(32)))
  return %t
}

;$put(var, text, start, len)
;replaces len chars of var from start with text
alias -l put {
  var %t = $1, %r
  return $+(  $left(%t, $calc($3 - 1)), $2, $mid(%t, $calc($3 + $4))  )
}

Related Files


Please note that on our website we use cookies necessary for the functioning of our website, cookies that optimize the performance. To learn more about our cookies, how we use them and their benefits, please read our Cookie Policy.
I Understand