Parsing CloudFlare-protected emails

Sometimes on websites you see something like this:

<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="LONG HEX STRING HERE">[email&#160;protected]</a>

In order to decrypt it, you can make use of the Jint interpreter and write this LoliScript piece of code:

BLOCK:Parse
  input = @data.SOURCE
  leftDelim = "cfemail=\""
  rightDelim = "\""
  MODE:LR
  => VAR @LONGHEX
ENDBLOCK

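// Decodes a data-cfemail value: the first hex byte is the XOR key,
// every following hex byte is one character XORed with that key.
string DecodeEmail(string encodedString)
{
    string email = "";
    // r = key (first byte), n = offset into the hex string, i = decoded byte
    int r = Convert.ToInt32(encodedString.Substring(0, 2), 16), n, i;
    for (n = 2; encodedString.Length - n > 0; n += 2)
    {
        i = Convert.ToInt32(encodedString.Substring(n, 2), 16) ^ r;
        char character = (char)i;
        email += Convert.ToString(character);
    }

    return email;
}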

var EMAIL = DecodeEmail(LONGHEX);
LOG EMAIL

It will print the email in cleartext.

If you need to decode more than 1 email, parse them all recursively and execute the operation on all of them like this:

BLOCK:Parse
  input = @data.SOURCE
  leftDelim = "cfemail=\""
  rightDelim = "\""
  RECURSIVE
  MODE:LR
  => VAR @OBFUSCATED
ENDBLOCK

// Same decoder as above: first hex byte is the XOR key, the rest is the payload.
string DecodeEmail(string encodedString)
{
    string email = "";
    int r = Convert.ToInt32(encodedString.Substring(0, 2), 16), n, i;
    for (n = 2; encodedString.Length - n > 0; n += 2)
    {
        i = Convert.ToInt32(encodedString.Substring(n, 2), 16) ^ r;
        char character = (char)i;
        email += Convert.ToString(character);
    }

    return email;
}

var EMAILS = OBFUSCATED.Select(e => DecodeEmail(e)).ToList();
LOG EMAILS

Ruri

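The scheme in the post above, as an added JavaScript example that is not part of the original post: because the XOR key is the first byte of the attribute itself, the value is obfuscated rather than encrypted, and a round trip needs nothing but the string. It goes slightly beyond the post by validating the hex (odd-length or non-hex values are rejected instead of throwing) and by including an encoder to build the sample; the function names and the sample page are constructed for illustration.

```javascript
// Added example, not from the original post. All names are hypothetical.

// Decode one data-cfemail value: byte 0 is the XOR key, the rest is payload.
// Returns null for malformed input instead of throwing mid-loop.
function decodeCfEmail(hex) {
  if (typeof hex !== "string" || !/^(?:[0-9a-fA-F]{2}){2,}$/.test(hex)) {
    return null;
  }
  const key = parseInt(hex.slice(0, 2), 16);
  let out = "";
  for (let n = 2; n < hex.length; n += 2) {
    out += String.fromCharCode(parseInt(hex.slice(n, n + 2), 16) ^ key);
  }
  return out;
}

// Inverse, used only to build constructed sample data (ASCII input assumed).
function encodeCfEmail(email, key) {
  const toHex = (b) => b.toString(16).padStart(2, "0");
  let hex = toHex(key & 0xff);
  for (const ch of email) {
    hex += toHex((ch.charCodeAt(0) ^ key) & 0xff);
  }
  return hex;
}

// Pull every data-cfemail attribute from a page and decode each one,
// dropping values that fail validation.
function decodeAllCfEmails(html) {
  const found = [];
  for (const m of html.matchAll(/data-cfemail="([^"]*)"/g)) {
    const email = decodeCfEmail(m[1]);
    if (email !== null) found.push(email);
  }
  return found;
}

// Constructed sample page: two valid values and one truncated value.
const SAMPLE_HTML = [
  `<a class="__cf_email__" data-cfemail="${encodeCfEmail("alice@example.com", 0x5a)}">[email&#160;protected]</a>`,
  `<a class="__cf_email__" data-cfemail="${encodeCfEmail("bob@example.org", 0xc3)}">[email&#160;protected]</a>`,
  `<a class="__cf_email__" data-cfemail="5a3">[email&#160;protected]</a>`,
].join("\n");

console.log(decodeAllCfEmails(SAMPLE_HTML));
```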