From 195761b8244d49fc23bec8a3d099deaf24f573d0 Mon Sep 17 00:00:00 2001
From: Sven Slootweg <jamsoftgamedev@gmail.com>
Date: Thu, 26 Sep 2013 11:51:57 +0200
Subject: [PATCH] Add Ioncube HTML page source decoder

---
 tools/decoding/decube.py | 55 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 tools/decoding/decube.py

diff --git a/tools/decoding/decube.py b/tools/decoding/decube.py
new file mode 100644
index 0000000..2154fdd
--- /dev/null
+++ b/tools/decoding/decube.py
@@ -0,0 +1,55 @@
+# Decodes Ioncube-encoded HTML page source from a terminal
+#
+# Instructions:
+#    python decube.py <URL of page>
+#
+# Author: Sven Slootweg
+# License: WTFPL, use it as you wish
+
+import requests, re, sys, urllib, math
+
+body = re.search("<script[^>]*>(.*)<\/script>", requests.get(sys.argv[1]).text).group(1)
+#script = re.search('eval\(unescape\("([^"]+)"\)\);', body).group(1)   # We don't actually need this, but we might in the future
+first_payload = re.search('c="([^"]+)"', body).group(1)
+second_payload = re.search('x\("([^"]+)"\);', body).group(1)
+
+deobfuscated = ""
+
+for i in xrange(0, len(first_payload)):
+	if i % 3 == 0:
+		deobfuscated += "%"
+	else:
+		deobfuscated += first_payload[i]
+
+decoded = urllib.unquote(deobfuscated)
+
+charmap = [int(x) for x in re.search("Array\(([^)]+)\)", decoded).group(1).split(",")]
+block_size = int(re.search(",b=([0-9]+),", decoded).group(1))
+payload_left = len(second_payload)
+
+block_count = int(math.ceil(float(payload_left) / block_size))
+shift = 0
+bit_buffer = 0  # This holds unprocessed data
+output_buffer = ""
+
+for block_num in xrange(0, block_count):
+	# Extract the data for this block
+	block_start = block_num * block_size
+	block_end = (block_num + 1) * block_size
+	block = second_payload[block_start:block_end]
+	
+	for pos in xrange(0, min(block_size, payload_left)):
+		charnum = ord(block[pos]) - 48
+		bit_buffer |= (charmap[charnum] << shift)
+		
+		if shift > 0:
+			output_buffer += chr(165 ^ bit_buffer & 255)
+			bit_buffer >>= 8
+			shift -= 2
+		else:
+			# Loop the shift value around
+			shift = 6
+			
+		payload_left -= 1
+
+print output_buffer