Created by
Alexander Hanel
| import base64
import sys
"""
JSE Header: dword="#@~^", qword=size of the encoded JS stored in base64
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 23 40 7E 5E 6A 68 30 46 41 41 3D 3D 64 6D 33 72 #@~^jh0FAA==dm3r
struct.unpack("<I",base64.b64decode("jh0FAA=="))
(335246,)
"""
def is_jse(data):
header = data[:4]
b64_data = data[4:]
if "#@~^" in header:
try:
base64.decodestring(b64_data)
return True
except:
return False
with open(sys.argv[1], "rb") as f:
data = f.read(0xC)
print is_jse(data)
|