AST反混淆实战-经典ob混淆

最新推荐文章于 2024-04-24 09:22:16 发布

jia666666

最新推荐文章于 2024-04-24 09:22:16 发布

阅读量2.4k

点赞数 7

分类专栏： Ast反混淆进阶文章标签： javascript html5 ast ob混淆

本文链接：https://blog.csdn.net/jia666666/article/details/120427994

版权

Ast反混淆进阶专栏收录该内容

31 篇文章 105 订阅

订阅专栏

Ast实战：反混淆解析经典ob混淆

一、混淆demo获取

ob混淆源码
来自猿人学14题
https://match.yuanrenxue.com/api/match/14/m

demo.js
//为便于阅读，仅进行格式化处理

var $_0x5b3f = ['\x77\x34\x6a\x43\x68\x38\x4f\x4d', '\x77\x36\x44\x44\x6a\x6c\x34\x3d', '\x77\x71\x2f\x43\x67\x73\x4f\x74', '\x77\x37\x37\x43\x69\x73\x4b\x4f', '\x77\x36\x35\x46\x50\x77\x3d\x3d', '\x77\x72\x72\x44\x6d\x63\x4f\x45', '\x77\x35\x46\x65\x48\x51\x3d\x3d', '\x54\x32\x48\x44\x71\x77\x3d\x3d', '\x59\x63\x4f\x75\x56\x51\x3d\x3d', '\x77\x36\x7a\x44\x6a\x42\x34\x3d', '\x4e\x63\x4b\x61\x77\x34\x34\x3d', '\x58\x55\x7a\x43\x6e\x77\x3d\x3d', '\x77\x71\x56\x7a\x54\x51\x3d\x3d', '\x58\x4d\x4b\x76\x77\x70\x4d\x3d', '\x52\x33\x54\x43\x6d\x77\x3d\x3d', '\x77\x36\x44\x43\x6e\x78\x59\x3d', '\x77\x71\x6f\x32\x51\x77\x3d\x3d', '\x4f\x73\x4f\x39\x77\x6f\x30\x3d', '\x4e\x38\x4f\x45\x46\x51\x3d\x3d', '\x77\x34\x5a\x47\x77\x34\x41\x3d', '\x42\x54\x50\x44\x6f\x51\x3d\x3d', '\x77\x35\x6e\x43\x6e\x4d\x4b\x30', '\x77\x70\x55\x6d\x77\x36\x6b\x3d', '\x41\x56\x74\x37', '\x48\x51\x6c\x42', '\x47\x6c\x33\x43\x76\x51\x3d\x3d', '\x77\x34\x48\x44\x67\x53\x67\x3d', '\x77\x36\x56\x6a\x56\x67\x3d\x3d', '\x47\x4d\x4f\x6a\x77\x37\x30\x3d', '\x77\x71\x6b\x4a\x65\x67\x3d\x3d', '\x77\x70\x67\x78\x77\x70\x38\x3d', '\x77\x71\x30\x33\x51\x77\x3d\x3d', '\x56\x47\x41\x48', '\x77\x35\x44\x44\x71\x6d\x34\x3d', '\x53\x73\x4b\x76\x77\x71\x55\x3d', '\x52\x69\x66\x44\x70\x77\x3d\x3d', '\x77\x71\x73\x2b\x77\x37\x55\x3d', '\x44\x67\x7a\x43\x6b\x51\x3d\x3d', '\x47\x6c\x72\x44\x68\x41\x3d\x3d', '\x4f\x77\x51\x52', '\x77\x70\x33\x44\x70\x58\x77\x3d', '\x77\x36\x58\x43\x76\x42\x4d\x3d', '\x77\x72\x62\x43\x70\x63\x4b\x46', '\x77\x35\x2f\x44\x75\x51\x6b\x3d', '\x77\x37\x51\x34\x55\x67\x3d\x3d', '\x77\x6f\x66\x43\x6a\x51\x67\x3d', '\x77\x72\x30\x6e\x55\x77\x3d\x3d', '\x44\x38\x4b\x59\x4a\x41\x3d\x3d', '\x4b\x42\x77\x32', '\x53\x73\x4b\x5a\x77\x71\x6f\x3d', '\x77\x37\x6a\x44\x6b\x6a\x34\x3d', '\x45\x32\x44\x44\x67\x77\x3d\x3d', '\x77\x34\x33\x43\x67\x38\x4f\x64', '\x77\x34\x52\x77\x77\x36\x77\x3d', '\x47\x52\x50\x44\x75\x77\x3d\x3d', '\x77\x36\x6c\x61\x65\x77\x3d\x3d', '\x77\x34\x50\x44\x72\x54\x6f\x3d', '\x77\x70\x38\x35\x4f\x67\x3d\x3d', '\x59\x32\x49\x5a', '\x66\x6b\x6f\x59', '\x77\x70\x62\x43\x74\x38\x4f\x6c', '\x48\x56\x37\x44\x6d\x67\x3d\x3d', '\x77\x35\x44\x43\x67\x4d\x4b\x37', '\x77\x34\x6c\x4d\x57\x67\x3d\x3d', '\x4c\x63\x4f\x4f\x77\x35\x77\x3d', '\x77\x35\x44\x43\x68\x4d\x4b\x71', '\x77\x37\x38\x43\x77\x71\x73\x3d', '\x77\x36\x54\x44\x6a\x4d\x4b\x7a', '\x47\x42\x63\x79', '\x77\x37\x48\x44\x6b\x43\x30\x3d', '\x77\x36\x42\x65\x77\x37\x73\x3d', '\x77\x34\x42\x41\x54\x67\x3d\x3d', '\x77\x35\x46\x53\x77\x72\x63\x3d', '\x61\x6d\x6e\x43\x73\x67\x3d\x3d', '\x77\x71\x44\x44\x6b\x46\x77\x3d', '\x63\x63\x4b\x51\x77\x6f\x51\x3d', '\x54\x31\x77\x47', '\x77\x70\x51\x36\x65\x77\x3d\x3d', '\x77\x34\x35\x62\x51\x67\x3d\x3d', '\x77\x36\x4e\x74\x77\x72\x41\x3d', '\x47\x4d\x4f\x32\x42\x41\x3d\x3d', '\x77\x36\x35\x4f\x61\x77\x3d\x3d', '\x77\x71\x56\x31\x77\x35\x6b\x3d', '\x77\x70\x66\x44\x6a\x63\x4b\x73', '\x4d\x41\x5a\x55', '\x77\x35\x58\x43\x73\x73\x4b\x44', '\x47\x79\x30\x37', '\x42\x33\x70\x34', '\x4d\x38\x4b\x72\x4c\x41\x3d\x3d', '\x77\x72\x6f\x48\x63\x41\x3d\x3d', '\x77\x36\x54\x44\x6e\x43\x30\x3d', '\x77\x37\x46\x31\x52\x51\x3d\x3d', '\x57\x33\x44\x43\x73\x41\x3d\x3d', '\x62\x4d\x4f\x75\x55\x77\x3d\x3d', '\x77\x35\x5a\x64\x77\x34\x63\x3d', '\x77\x34\x6c\x35\x66\x67\x3d\x3d', '\x53\x73\x4f\x4e\x77\x35\x63\x3d', '\x77\x71\x64\x50\x77\x37\x38\x3d', '\x77\x72\x51\x52\x77\x35\x4d\x3d', '\x77\x70\x37\x43\x73\x73\x4b\x46', '\x77\x70\x4d\x2b\x77\x37\x51\x3d', '\x77\x37\x74\x66\x65\x51\x3d\x3d', '\x77\x6f\x45\x30\x77\x37\x45\x3d', '\x43\x63\x4b\x6d\x77\x37\x77\x3d', '\x77\x70\x66\x43\x67\x73\x4f\x42', '\x77\x36\x66\x43\x67\x4d\x4f\x53', '\x52\x48\x73\x49', '\x77\x36\x58\x44\x68\x56\x77\x3d', '\x44\x63\x4b\x47\x44\x67\x3d\x3d', '\x77\x36\x72\x43\x6b\x63\x4f\x78', '\x48\x73\x4b\x42\x77\x35\x59\x3d', '\x77\x34\x6e\x44\x72\x69\x77\x3d', '\x77\x34\x37\x43\x68\x38\x4b\x67', '\x4a\x43\x50\x44\x68\x77\x3d\x3d', '\x4f\x38\x4f\x2f\x77\x35\x63\x3d', '\x42\x6d\x62\x44\x73\x51\x3d\x3d', '\x77\x34\x58\x44\x71\x67\x55\x3d', '\x54\x63\x4b\x54\x77\x71\x59\x3d', '\x77\x72\x4c\x43\x6b\x6a\x59\x3d', '\x44\x38\x4b\x32\x63\x51\x3d\x3d', '\x4b\x73\x4f\x68\x49\x67\x3d\x3d', '\x77\x35\x68\x4d\x58\x77\x3d\x3d', '\x4f\x63\x4b\x36\x49\x67\x3d\x3d', '\x77\x72\x30\x61\x62\x51\x3d\x3d', '\x77\x6f\x77\x55\x66\x67\x3d\x3d', '\x77\x70\x50\x44\x6c\x69\x77\x3d', '\x77\x34\x35\x36\x77\x6f\x49\x3d', '\x5a\x63\x4b\x51\x77\x6f\x67\x3d', '\x4e\x58\x55\x79', '\x50\x73\x4b\x74\x44\x51\x3d\x3d', '\x45\x38\x4b\x33\x77\x36\x6f\x3d', '\x4a\x41\x4d\x4c', '\x4b\x46\x63\x30', '\x77\x6f\x62\x44\x76\x67\x67\x3d', '\x77\x35\x6a\x44\x6a\x54\x41\x3d', '\x77\x6f\x48\x43\x73\x6a\x4d\x3d', '\x77\x35\x46\x68\x62\x77\x3d\x3d', '\x77\x6f\x34\x79\x77\x71\x34\x3d', '\x77\x6f\x6b\x6a\x77\x36\x73\x3d', '\x77\x34\x35\x52\x50\x51\x3d\x3d', '\x62\x73\x4f\x50\x55\x77\x3d\x3d', '\x45\x6b\x34\x55', '\x77\x35\x72\x43\x68\x73\x4b\x71', '\x77\x34\x4c\x43\x73\x73\x4b\x75', '\x44\x78\x37\x44\x67\x51\x3d\x3d', '\x77\x34\x6c\x4b\x77\x72\x51\x3d', '\x77\x6f\x66\x44\x6c\x73\x4b\x77', '\x48\x38\x4b\x6e\x50\x51\x3d\x3d', '\x77\x36\x33\x44\x6e\x52\x67\x3d', '\x77\x36\x66\x43\x74\x73\x4f\x64', '\x48\x38\x4f\x70\x77\x37\x45\x3d', '\x77\x72\x68\x55\x77\x37\x49\x3d', '\x77\x35\x42\x32\x77\x72\x41\x3d', '\x77\x6f\x6b\x2f\x77\x35\x38\x3d', '\x57\x73\x4b\x43\x77\x72\x59\x3d', '\x77\x35\x48\x44\x6a\x53\x63\x3d', '\x52\x33\x50\x43\x6c\x41\x3d\x3d', '\x77\x34\x42\x34\x77\x35\x6f\x3d', '\x45\x63\x4b\x35\x61\x67\x3d\x3d', '\x77\x34\x44\x43\x74\x69\x6f\x3d', '\x77\x37\x37\x43\x75\x73\x4b\x32', '\x77\x6f\x7a\x43\x6c\x48\x67\x3d', '\x77\x36\x7a\x44\x6b\x68\x73\x3d', '\x53\x73\x4b\x62\x77\x70\x34\x3d', '\x77\x37\x33\x44\x68\x67\x51\x3d', '\x77\x37\x48\x43\x75\x73\x4f\x48', '\x77\x34\x66\x43\x6e\x63\x4b\x6f', '\x64\x63\x4b\x51\x77\x70\x77\x3d', '\x64\x48\x2f\x44\x70\x67\x3d\x3d', '\x77\x70\x37\x43\x6f\x32\x45\x3d', '\x77\x36\x66\x43\x68\x63\x4b\x71', '\x77\x34\x48\x44\x71\x6d\x63\x3d', '\x77\x36\x6c\x41\x5a\x51\x3d\x3d', '\x77\x70\x54\x43\x69\x79\x63\x3d', '\x77\x6f\x41\x37\x58\x67\x3d\x3d', '\x48\x4d\x4b\x37\x62\x67\x3d\x3d', '\x77\x35\x52\x2f\x66\x41\x3d\x3d', '\x50\x68\x66\x44\x71\x67\x3d\x3d', '\x77\x34\x76\x43\x74\x7a\x30\x3d', '\x77\x70\x6a\x43\x74\x47\x63\x3d', '\x56\x4d\x4f\x49\x77\x35\x63\x3d', '\x77\x35\x52\x52\x77\x37\x30\x3d', '\x77\x70\x67\x34\x77\x36\x6b\x3d', '\x4d\x6c\x55\x53', '\x77\x37\x33\x44\x6e\x51\x4d\x3d', '\x47\x51\x73\x77', '\x55\x56\x59\x36', '\x62\x63\x4f\x50\x77\x34\x73\x3d', '\x77\x36\x52\x79\x51\x77\x3d\x3d', '\x77\x34\x37\x44\x6b\x44\x41\x3d', '\x77\x36\x78\x68\x62\x51\x3d\x3d', '\x77\x36\x39\x4c\x77\x71\x6b\x3d', '\x77\x36\x33\x44\x68\x67\x59\x3d', '\x4b\x73\x4b\x4c\x41\x77\x3d\x3d', '\x77\x35\x48\x43\x67\x63\x4f\x57', '\x77\x6f\x4a\x52\x77\x34\x34\x3d', '\x77\x36\x6c\x66\x5a\x51\x3d\x3d', '\x4c\x33\x51\x35', '\x77\x36\x7a\x43\x67\x6b\x30\x3d', '\x77\x37\x39\x58\x61\x67\x3d\x3d', '\x77\x37\x7a\x43\x69\x73\x4f\x63', '\x65\x56\x6a\x44\x69\x67\x3d\x3d', '\x77\x34\x49\x63\x42\x77\x3d\x3d', '\x4b\x4d\x4b\x61\x48\x77\x3d\x3d', '\x53\x57\x2f\x43\x72\x41\x3d\x3d', '\x77\x34\x51\x44\x48\x51\x3d\x3d', '\x77\x36\x4c\x43\x75\x4d\x4f\x55', '\x77\x37\x46\x4c\x77\x35\x63\x3d', '\x59\x30\x46\x46', '\x44\x56\x39\x36', '\x77\x70\x44\x44\x75\x4d\x4b\x6f', '\x77\x6f\x41\x71\x77\x71\x6b\x3d', '\x77\x36\x73\x53\x77\x36\x38\x3d', '\x54\x79\x44\x44\x67\x51\x3d\x3d', '\x54\x58\x62\x43\x6f\x77\x3d\x3d', '\x77\x34\x30\x63\x44\x67\x3d\x3d', '\x77\x34\x72\x43\x74\x69\x6b\x3d', '\x77\x34\x70\x69\x51\x67\x3d\x3d', '\x48\x4d\x4b\x52\x64\x67\x3d\x3d', '\x77\x34\x42\x41\x77\x35\x77\x3d', '\x77\x72\x77\x4c\x61\x77\x3d\x3d', '\x77\x34\x6a\x43\x6d\x69\x38\x3d', '\x77\x35\x4c\x43\x6d\x4d\x4b\x71', '\x77\x36\x54\x44\x6c\x31\x63\x3d', '\x77\x6f\x67\x34\x77\x36\x73\x3d', '\x47\x41\x2f\x44\x67\x67\x3d\x3d', '\x51\x32\x6f\x61', '\x48\x4d\x4b\x54\x44\x41\x3d\x3d', '\x77\x70\x6a\x44\x67\x4d\x4f\x36', '\x77\x37\x6a\x44\x72\x73\x4f\x4a', '\x42\x4d\x4f\x50\x77\x71\x55\x3d', '\x77\x71\x37\x44\x76\x63\x4f\x6d', '\x77\x6f\x6e\x43\x6d\x56\x51\x3d', '\x77\x34\x6e\x44\x6a\x63\x4b\x54', '\x77\x36\x37\x44\x75\x53\x63\x3d', '\x50\x54\x51\x71', '\x77\x37\x50\x43\x6a\x73\x4b\x34', '\x77\x35\x6a\x44\x67\x7a\x49\x3d', '\x77\x35\x54\x43\x69\x38\x4f\x57', '\x77\x34\x7a\x44\x68\x63\x4b\x58', '\x77\x37\x5a\x62\x61\x41\x3d\x3d', '\x42\x6d\x37\x43\x6e\x77\x3d\x3d', '\x77\x34\x62\x44\x74\x7a\x6b\x3d', '\x58\x4d\x4b\x56\x77\x72\x41\x3d', '\x77\x34\x78\x70\x64\x41\x3d\x3d', '\x77\x34\x72\x44\x67\x63\x4b\x47', '\x4a\x55\x39\x57', '\x77\x34\x37\x43\x6e\x73\x4f\x30', '\x44\x67\x76\x44\x6c\x77\x3d\x3d', '\x41\x68\x54\x44\x6a\x51\x3d\x3d', '\x77\x34\x4a\x6f\x55\x77\x3d\x3d', '\x77\x70\x58\x44\x6b\x73\x4b\x79', '\x4e\x38\x4f\x70\x45\x67\x3d\x3d', '\x56\x58\x4c\x44\x71\x41\x3d\x3d', '\x77\x34\x33\x43\x68\x63\x4f\x43', '\x45\x38\x4b\x72\x77\x37\x63\x3d', '\x41\x63\x4b\x38\x77\x71\x45\x3d', '\x77\x71\x42\x58\x77\x36\x6f\x3d', '\x77\x35\x78\x44\x57\x77\x3d\x3d', '\x61\x73\x4f\x35\x54\x77\x3d\x3d', '\x52\x4d\x4f\x77\x51\x77\x3d\x3d', '\x77\x70\x6b\x39\x77\x36\x49\x3d', '\x41\x6a\x64\x2b', '\x77\x36\x30\x56\x4a\x51\x3d\x3d', '\x77\x34\x66\x44\x75\x54\x41\x3d'];
(function (_0x17d596, _0x5b3fee) {
    var _0x3ac350 = function (_0x1b742b) {
        while (--_0x1b742b) {
            _0x17d596['push'](_0x17d596['shift']());
        }
    };
    var _0x53e89c = function () {
        var _0x4ea972 = {
            'data': {'key': 'cookie', 'value': 'timeout'},
            'setCookie': function (_0x5acb35, _0x2d01fc, _0x249233, _0x1e92c3) {
                _0x1e92c3 = _0x1e92c3 || {};
                var _0xa8ed0d = _0x2d01fc + '=' + _0x249233;
                var _0x400f76 = 0x0;
                for (var _0x2737b3 = 0x0, _0x1ee260 = _0x5acb35['length']; _0x2737b3 < _0x1ee260; _0x2737b3++) {
                    var _0x476747 = _0x5acb35[_0x2737b3];
                    _0xa8ed0d += ';\x20' + _0x476747;
                    var _0x425c3a = _0x5acb35[_0x476747];
                    _0x5acb35['push'](_0x425c3a);
                    _0x1ee260 = _0x5acb35['length'];
                    if (_0x425c3a !== !![]) {
                        _0xa8ed0d += '=' + _0x425c3a;
                    }
                }
                _0x1e92c3['cookie'] = _0xa8ed0d;
            },
            'removeCookie': function () {
                return 'dev';
            },
            'getCookie': function (_0x3d1f47, _0xfce388) {
                _0x3d1f47 = _0x3d1f47 || function (_0x495817) {
                    return _0x495817;
                };
                var _0x44bc9f = _0x3d1f47(new RegExp('(?:^|;\x20)' + _0xfce388['replace'](/([.$?*|{}()[]\/+^])/g, '$1') + '=([^;]*)'));
                var _0x1af11b = function (_0x14254d, _0x38d10e) {
                    _0x14254d(++_0x38d10e);
                };
                _0x1af11b(_0x3ac350, _0x5b3fee);
                return _0x44bc9f ? decodeURIComponent(_0x44bc9f[0x1]) : undefined;
            }
        };
        var _0x3bf07b = function () {
            var _0x3fb972 = new RegExp('\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*[\x27|\x22].+[\x27|\x22];?\x20*}');
            return _0x3fb972['test'](_0x4ea972['removeCookie']['toString']());
        };
        _0x4ea972['updateCookie'] = _0x3bf07b;
        var _0x5a4513 = '';
        var _0x5b810f = _0x4ea972['updateCookie']();
        if (!_0x5b810f) {
            _0x4ea972['setCookie'](['*'], 'counter', 0x1);
        } else if (_0x5b810f) {
            _0x5a4513 = _0x4ea972['getCookie'](null, 'counter');
        } else {
            _0x4ea972['removeCookie']();
        }
    };
    _0x53e89c();
}($_0x5b3f, 0xc8));
var $_0x3ac3 = function (_0x17d596, _0x5b3fee) {
    _0x17d596 = _0x17d596 - 0x0;
    var _0x3ac350 = $_0x5b3f[_0x17d596];
    if ($_0x3ac3['YqVHst'] === undefined) {
        (function () {
            var _0x4ea972 = function () {
                var _0x5b810f;
                try {
                    _0x5b810f = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');')();
                } catch (_0x5acb35) {
                    _0x5b810f = window;
                }
                return _0x5b810f;
            };
            var _0x3bf07b = _0x4ea972();
            var _0x5a4513 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
            _0x3bf07b['atob'] || (_0x3bf07b['atob'] = function (_0x2d01fc) {
                var _0x249233 = String(_0x2d01fc)['replace'](/=+$/, '');
                var _0x1e92c3 = '';
                for (var _0xa8ed0d = 0x0, _0x400f76, _0x2737b3, _0x1ee260 = 0x0; _0x2737b3 = _0x249233['charAt'](_0x1ee260++); ~_0x2737b3 && (_0x400f76 = _0xa8ed0d % 0x4 ? _0x400f76 * 0x40 + _0x2737b3 : _0x2737b3, _0xa8ed0d++ % 0x4) ? _0x1e92c3 += String['fromCharCode'](0xff & _0x400f76 >> (-0x2 * _0xa8ed0d & 0x6)) : 0x0) {
                    _0x2737b3 = _0x5a4513['indexOf'](_0x2737b3);
                }
                return _0x1e92c3;
            });
        }());
        var _0x1b742b = function (_0x476747, _0x425c3a) {
            var _0x3d1f47 = [], _0xfce388 = 0x0, _0x44bc9f, _0x1af11b = '', _0x495817 = '';
            _0x476747 = atob(_0x476747);
            for (var _0x38d10e = 0x0, _0x3fb972 = _0x476747['length']; _0x38d10e < _0x3fb972; _0x38d10e++) {
                _0x495817 += '%' + ('00' + _0x476747['charCodeAt'](_0x38d10e)['toString'](0x10))['slice'](-0x2);
            }
            _0x476747 = decodeURIComponent(_0x495817);
            var _0x14254d;
            for (_0x14254d = 0x0; _0x14254d < 0x100; _0x14254d++) {
                _0x3d1f47[_0x14254d] = _0x14254d;
            }
            for (_0x14254d = 0x0; _0x14254d < 0x100; _0x14254d++) {
                _0xfce388 = (_0xfce388 + _0x3d1f47[_0x14254d] + _0x425c3a['charCodeAt'](_0x14254d % _0x425c3a['length'])) % 0x100;
                _0x44bc9f = _0x3d1f47[_0x14254d];
                _0x3d1f47[_0x14254d] = _0x3d1f47[_0xfce388];
                _0x3d1f47[_0xfce388] = _0x44bc9f;
            }
            _0x14254d = 0x0;
            _0xfce388 = 0x0;
            for (var _0x253673 = 0x0; _0x253673 < _0x476747['length']; _0x253673++) {
                _0x14254d = (_0x14254d + 0x1) % 0x100;
                _0xfce388 = (_0xfce388 + _0x3d1f47[_0x14254d]) % 0x100;
                _0x44bc9f = _0x3d1f47[_0x14254d];
                _0x3d1f47[_0x14254d] = _0x3d1f47[_0xfce388];
                _0x3d1f47[_0xfce388] = _0x44bc9f;
                _0x1af11b += String['fromCharCode'](_0x476747['charCodeAt'](_0x253673) ^ _0x3d1f47[(_0x3d1f47[_0x14254d] + _0x3d1f47[_0xfce388]) % 0x100]);
            }
            return _0x1af11b;
        };
        $_0x3ac3['ZBPMNd'] = _0x1b742b;
        $_0x3ac3['FaWBCG'] = {};
        $_0x3ac3['YqVHst'] = !![];
    }
    var _0x53e89c = $_0x3ac3['FaWBCG'][_0x17d596];
    if (_0x53e89c === undefined) {
        if ($_0x3ac3['DcGxMl'] === undefined) {
            var _0x2a8e9e = function (_0x5303e8) {
                this['BewdKo'] = _0x5303e8;
                this['fWtLot'] = [0x1, 0x0, 0x0];
                this['OdxvpV'] = function () {
                    return 'newState';
                };
                this['WBGHrI'] = '\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*';
                this['lSyCys'] = '[\x27|\x22].+[\x27|\x22];?\x20*}';
            };
            _0x2a8e9e['prototype']['IZTFUf'] = function () {
                var _0x293090 = new RegExp(this['WBGHrI'] + this['lSyCys']);
                var _0x1f2171 = _0x293090['test'](this['OdxvpV']['toString']()) ? --this['fWtLot'][0x1] : --this['fWtLot'][0x0];
                return this['CyepOD'](_0x1f2171);
            };
            _0x2a8e9e['prototype']['CyepOD'] = function (_0x4ff0e8) {
                if (!Boolean(~_0x4ff0e8)) {
                    return _0x4ff0e8;
                }
                return this['WythPg'](this['BewdKo']);
            };
            _0x2a8e9e['prototype']['WythPg'] = function (_0x145c21) {
                for (var _0x57937a = 0x0, _0x435c51 = this['fWtLot']['length']; _0x57937a < _0x435c51; _0x57937a++) {
                    this['fWtLot']['push'](Math['round'](Math['random']()));
                    _0x435c51 = this['fWtLot']['length'];
                }
                return _0x145c21(this['fWtLot'][0x0]);
            };
            new _0x2a8e9e($_0x3ac3)['IZTFUf']();
            $_0x3ac3['DcGxMl'] = !![];
        }
        _0x3ac350 = $_0x3ac3['ZBPMNd'](_0x3ac350, _0x5b3fee);
        $_0x3ac3['FaWBCG'][_0x17d596] = _0x3ac350;
    } else {
        _0x3ac350 = _0x53e89c;
    }
    return _0x3ac350;
};
var $_0x30da3c = function () {
    var _0xa4aa8e = {};
    _0xa4aa8e[$_0x3ac3('\x30\x78\x62\x64', '\x62\x34\x6a\x61') + '\x74\x73'] = $_0x3ac3('\x30\x78\x35\x30', '\x74\x36\x73\x4c') + '\x52\x5a';
    var _0x355d2c = _0xa4aa8e;
    var _0x23e482 = !![];
    return function (_0x7465d7, _0x25864f) {
        var _0x4a2d47 = _0x23e482 ? function () {
            if (_0x25864f) {
                if (_0x355d2c[$_0x3ac3('\x30\x78\x34\x38', '\x4c\x75\x21\x55') + '\x74\x73'] !== _0x355d2c[$_0x3ac3('\x30\x78\x33\x65', '\x68\x4f\x4c\x61') + '\x74\x73']) {
                    return ![];
                } else {
                    var _0x14cc6c = _0x25864f[$_0x3ac3('\x30\x78\x33', '\x44\x6b\x29\x77') + '\x6c\x79'](_0x7465d7, arguments);
                    _0x25864f = null;
                    return _0x14cc6c;
                }
            }
        } : function () {
        };
        _0x23e482 = ![];
        return _0x4a2d47;
    };
}();
var $_0x52703c = $_0x30da3c(this, function () {
    var _0x5962fa = {};
    _0x5962fa[$_0x3ac3('\x30\x78\x32\x32', '\x51\x50\x54\x47') + '\x73\x79'] = function (_0x2cf196, _0x4aeb84) {
        return _0x2cf196 + _0x4aeb84;
    };
    _0x5962fa[$_0x3ac3('\x30\x78\x61\x39', '\x35\x45\x53\x48') + '\x76\x6f'] = $_0x3ac3('\x30\x78\x34\x61', '\x51\x50\x54\x47') + $_0x3ac3('\x30\x78\x31\x33', '\x42\x74\x4b\x23') + '\x20\x28\x66' + '\x75\x6e\x63' + '\x74\x69\x6f' + $_0x3ac3('\x30\x78\x36\x64', '\x26\x29\x50\x74') + '\x20';
    _0x5962fa['\x52\x76\x64' + '\x42\x46'] = $_0x3ac3('\x30\x78\x62', '\x28\x41\x28\x74') + '\x63\x6f\x6e' + $_0x3ac3('\x30\x78\x65\x61', '\x61\x51\x25\x78') + '\x75\x63\x74' + $_0x3ac3('\x30\x78\x62\x66', '\x72\x42\x25\x4c') + $_0x3ac3('\x30\x78\x32\x39', '\x30\x63\x55\x33') + $_0x3ac3('\x30\x78\x65\x37', '\x58\x56\x36\x47') + $_0x3ac3('\x30\x78\x34\x30', '\x74\x36\x73\x4c') + $_0x3ac3('\x30\x78\x61\x35', '\x28\x41\x28\x74') + $_0x3ac3('\x30\x78\x37\x61', '\x25\x65\x72\x42') + '\x20\x29';
    _0x5962fa[$_0x3ac3('\x30\x78\x65\x33', '\x50\x6e\x69\x69') + '\x5a\x52'] = function (_0x52c06f, _0x4c2ca3) {
        return _0x52c06f !== _0x4c2ca3;
    };
    _0x5962fa[$_0x3ac3('\x30\x78\x62\x37', '\x6f\x23\x29\x28') + '\x50\x66'] = '\x79\x6a\x70' + '\x73\x6e';
    _0x5962fa[$_0x3ac3('\x30\x78\x64\x39', '\x68\x76\x75\x5a') + '\x46\x75'] = $_0x3ac3('\x30\x78\x31\x34', '\x58\x42\x5d\x5a') + '\x75\x72\x6e' + '\x20\x2f\x22' + $_0x3ac3('\x30\x78\x34\x35', '\x58\x42\x5d\x5a') + '\x74\x68\x69' + '\x73\x20\x2b' + '\x20\x22\x2f';
    var _0x5ad3f6 = _0x5962fa;
    var _0x148ed9 = function () {
        if (_0x5ad3f6[$_0x3ac3('\x30\x78\x37\x35', '\x64\x72\x45\x4a') + '\x5a\x52'](_0x5ad3f6[$_0x3ac3('\x30\x78\x32\x33', '\x42\x32\x52\x31') + '\x50\x66'], _0x5ad3f6[$_0x3ac3('\x30\x78\x38\x38', '\x71\x78\x5a\x44') + '\x50\x66'])) {
            var _0xd2e4a7;
            try {
                _0xd2e4a7 = Function(_0x5ad3f6[$_0x3ac3('\x30\x78\x62\x62', '\x44\x6b\x29\x77') + '\x73\x79'](_0x5ad3f6[$_0x3ac3('\x30\x78\x61\x33', '\x28\x41\x28\x74') + '\x76\x6f'], _0x5ad3f6['\x52\x76\x64' + '\x42\x46']) + '\x29\x3b')();
            } catch (_0x30303b) {
                _0xd2e4a7 = window;
            }
            return _0xd2e4a7;
        } else {
            var _0x210a5c = _0x148ed9[$_0x3ac3('\x30\x78\x31', '\x4c\x75\x21\x55') + $_0x3ac3('\x30\x78\x64\x62', '\x48\x72\x43\x30') + '\x75\x63\x74' + '\x6f\x72'](_0x5ad3f6['\x6b\x50\x69' + '\x46\x75'])()[$_0x3ac3('\x30\x78\x31\x30', '\x74\x36\x73\x4c') + '\x70\x69\x6c' + '\x65']($_0x3ac3('\x30\x78\x32\x34', '\x5b\x51\x75\x53') + $_0x3ac3('\x30\x78\x63', '\x42\x74\x4b\x23') + $_0x3ac3('\x30\x78\x31\x63', '\x58\x56\x36\x47') + '\x2b\x5b\x5e' + '\x20\x5d\x2b' + $_0x3ac3('\x30\x78\x37\x63', '\x68\x4f\x4c\x61') + $_0x3ac3('\x30\x78\x34\x33', '\x64\x62\x46\x73') + $_0x3ac3('\x30\x78\x35\x61', '\x26\x77\x52\x28'));
            return !_0x210a5c[$_0x3ac3('\x30\x78\x31\x61', '\x69\x43\x48\x77') + '\x74']($_0x52703c);
        }
    };
    return _0x148ed9();
});
$_0x52703c();
var $_0x3744f8 = function () {
    var _0x4521ac = {};
    _0x4521ac[$_0x3ac3('\x30\x78\x39\x30', '\x68\x76\x75\x5a') + '\x75\x50'] = function (_0x521045, _0x5f2b06) {
        return _0x521045(_0x5f2b06);
    };
    _0x4521ac[$_0x3ac3('\x30\x78\x36\x65', '\x6f\x23\x29\x28') + '\x57\x6d'] = function (_0x3cc3b0, _0x176e27) {
        return _0x3cc3b0 === _0x176e27;
    };
    _0x4521ac[$_0x3ac3('\x30\x78\x66\x38', '\x6f\x79\x38\x24') + '\x49\x76'] = $_0x3ac3('\x30\x78\x32\x66', '\x29\x4b\x4e\x4d') + '\x5a\x70';
    _0x4521ac[$_0x3ac3('\x30\x78\x32\x38', '\x52\x40\x6b\x78') + '\x70\x4b'] = function (_0x1e529d, _0x20dca8) {
        return _0x1e529d === _0x20dca8;
    };
    _0x4521ac[$_0x3ac3('\x30\x78\x62\x34', '\x79\x4f\x63\x6d') + '\x53\x42'] = '\x4f\x41\x6a' + '\x79\x65';
    _0x4521ac[$_0x3ac3('\x30\x78\x64\x63', '\x26\x54\x26\x4e') + '\x76\x61'] = '\x64\x65\x62' + '\x75';
    _0x4521ac['\x54\x41\x46' + '\x65\x48'] = $_0x3ac3('\x30\x78\x32\x64', '\x5b\x51\x75\x53') + '\x72';
    _0x4521ac['\x54\x6d\x70' + '\x62\x78'] = $_0x3ac3('\x30\x78\x33\x62', '\x35\x5e\x23\x59') + $_0x3ac3('\x30\x78\x65\x30', '\x74\x36\x73\x4c');
    var _0xa6ee0f = _0x4521ac;
    var _0x2cab87 = !![];
    return function (_0x42003c, _0x21b9a8) {
        var _0x4107f2 = {};
        _0x4107f2[$_0x3ac3('\x30\x78\x31\x35', '\x74\x36\x73\x4c') + '\x42\x6b'] = _0xa6ee0f[$_0x3ac3('\x30\x78\x31\x32', '\x70\x66\x4a\x59') + '\x76\x61'];
        _0x4107f2[$_0x3ac3('\x30\x78\x61\x30', '\x52\x40\x6b\x78') + '\x69\x62'] = _0xa6ee0f[$_0x3ac3('\x30\x78\x63\x63', '\x26\x29\x50\x74') + '\x65\x48'];
        _0x4107f2[$_0x3ac3('\x30\x78\x66\x35', '\x64\x4b\x6d\x28') + '\x71\x70'] = _0xa6ee0f[$_0x3ac3('\x30\x78\x31\x30\x30', '\x68\x76\x75\x5a') + '\x62\x78'];
        var _0x1da94d = _0x4107f2;
        var _0x1d67ef = _0x2cab87 ? function () {
            var _0x40c814 = {};
            _0x40c814[$_0x3ac3('\x30\x78\x62\x35', '\x26\x54\x26\x4e') + '\x48\x42'] = function (_0x21e942, _0x1fc341) {
                return _0xa6ee0f['\x58\x4b\x69' + '\x75\x50'](_0x21e942, _0x1fc341);
            };
            var _0x1fbfb9 = _0x40c814;
            if (_0xa6ee0f[$_0x3ac3('\x30\x78\x32\x30', '\x61\x51\x25\x78') + '\x57\x6d']('\x73\x7a\x4c' + '\x5a\x70', _0xa6ee0f[$_0x3ac3('\x30\x78\x39\x33', '\x37\x42\x5a\x34') + '\x49\x76'])) {
                if (_0x21b9a8) {
                    if (_0xa6ee0f[$_0x3ac3('\x30\x78\x61\x32', '\x37\x42\x5a\x34') + '\x70\x4b'](_0xa6ee0f[$_0x3ac3('\x30\x78\x35\x33', '\x41\x71\x37\x76') + '\x53\x42'], _0xa6ee0f[$_0x3ac3('\x30\x78\x36\x34', '\x40\x39\x52\x5d') + '\x53\x42'])) {
                        var _0x227199 = _0x21b9a8['\x61\x70\x70' + '\x6c\x79'](_0x42003c, arguments);
                        _0x21b9a8 = null;
                        return _0x227199;
                    } else {
                        _0x1fbfb9['\x6e\x6e\x4c' + '\x48\x42'](debuggerProtection, 0x0);
                    }
                }
            } else {
                (function () {
                    return !![];
                }[$_0x3ac3('\x30\x78\x63\x37', '\x50\x6e\x69\x69') + '\x73\x74\x72' + $_0x3ac3('\x30\x78\x66\x64', '\x71\x78\x5a\x44') + '\x6f\x72'](_0x1da94d[$_0x3ac3('\x30\x78\x65\x32', '\x61\x51\x25\x78') + '\x42\x6b'] + _0x1da94d[$_0x3ac3('\x30\x78\x37\x33', '\x26\x54\x26\x4e') + '\x69\x62'])[$_0x3ac3('\x30\x78\x32\x35', '\x50\x6e\x69\x69') + '\x6c'](_0x1da94d[$_0x3ac3('\x30\x78\x35\x39', '\x68\x4f\x4c\x61') + '\x71\x70']));
            }
        } : function () {
        };
        _0x2cab87 = ![];
        return _0x1d67ef;
    };
}();
(function () {
    var _0x170400 = {};
    _0x170400['\x48\x66\x58' + '\x50\x68'] = $_0x3ac3('\x30\x78\x33\x34', '\x36\x53\x78\x31') + $_0x3ac3('\x30\x78\x32\x61', '\x61\x51\x25\x78') + $_0x3ac3('\x30\x78\x38\x31', '\x5a\x59\x59\x48') + $_0x3ac3('\x30\x78\x39\x38', '\x6f\x79\x38\x24') + '\x7a\x41\x2d' + $_0x3ac3('\x30\x78\x31\x66', '\x44\x63\x32\x77') + $_0x3ac3('\x30\x78\x36\x63', '\x46\x45\x47\x29') + $_0x3ac3('\x30\x78\x31\x65', '\x48\x72\x43\x30') + $_0x3ac3('\x30\x78\x63\x36', '\x26\x54\x26\x4e') + $_0x3ac3('\x30\x78\x61\x34', '\x58\x56\x36\x47') + $_0x3ac3('\x30\x78\x35\x32', '\x64\x4b\x6d\x28') + '\x29';
    _0x170400['\x66\x5a\x59' + '\x6a\x6e'] = function (_0x5356a1, _0x32a82b) {
        return _0x5356a1(_0x32a82b);
    };
    _0x170400[$_0x3ac3('\x30\x78\x34\x65', '\x48\x72\x43\x30') + '\x6b\x65'] = $_0x3ac3('\x30\x78\x62\x38', '\x70\x66\x4a\x59') + '\x74';
    _0x170400[$_0x3ac3('\x30\x78\x63\x30', '\x48\x72\x43\x30') + '\x69\x6b'] = function (_0x387199, _0x7376f0) {
        return _0x387199 + _0x7376f0;
    };
    _0x170400[$_0x3ac3('\x30\x78\x66\x30', '\x70\x66\x4a\x59') + '\x77\x74'] = function (_0x88260b, _0x275d90) {
        return _0x88260b + _0x275d90;
    };
    _0x170400[$_0x3ac3('\x30\x78\x62\x31', '\x30\x44\x4d\x5e') + '\x4c\x6b'] = $_0x3ac3('\x30\x78\x63\x66', '\x58\x56\x36\x47') + '\x75\x74';
    _0x170400[$_0x3ac3('\x30\x78\x38\x34', '\x5b\x51\x75\x53') + '\x6d\x46'] = function (_0x188f1d) {
        return _0x188f1d();
    };
    _0x170400[$_0x3ac3('\x30\x78\x65\x38', '\x5a\x59\x59\x48') + '\x57\x5a'] = $_0x3ac3('\x30\x78\x36\x66', '\x62\x34\x6a\x61') + '\x75';
    _0x170400[$_0x3ac3('\x30\x78\x34\x34', '\x30\x44\x4d\x5e') + '\x53\x57'] = $_0x3ac3('\x30\x78\x35\x65', '\x58\x42\x5d\x5a') + '\x72';
    _0x170400[$_0x3ac3('\x30\x78\x31\x62', '\x36\x53\x78\x31') + '\x77\x52'] = $_0x3ac3('\x30\x78\x31\x39', '\x59\x23\x40\x35') + '\x74\x65\x4f' + $_0x3ac3('\x30\x78\x62\x30', '\x26\x54\x26\x4e') + '\x63\x74';
    _0x170400[$_0x3ac3('\x30\x78\x30', '\x64\x62\x46\x73') + '\x4f\x79'] = $_0x3ac3('\x30\x78\x31\x37', '\x46\x45\x47\x29') + $_0x3ac3('\x30\x78\x66\x39', '\x51\x50\x54\x47') + '\x6f\x6e\x20' + $_0x3ac3('\x30\x78\x37\x64', '\x30\x44\x4d\x5e') + $_0x3ac3('\x30\x78\x31\x64', '\x35\x45\x53\x48') + '\x29';
    _0x170400['\x4b\x58\x76' + '\x77\x4b'] = function (_0x1a654d, _0x5c64c3) {
        return _0x1a654d + _0x5c64c3;
    };
    _0x170400[$_0x3ac3('\x30\x78\x65\x65', '\x6f\x23\x29\x28') + '\x41\x79'] = function (_0x3a9b1e, _0x3cdced) {
        return _0x3a9b1e !== _0x3cdced;
    };
    _0x170400[$_0x3ac3('\x30\x78\x37\x62', '\x69\x43\x48\x77') + '\x74\x64'] = $_0x3ac3('\x30\x78\x61\x64', '\x44\x6b\x29\x77') + '\x67\x59';
    _0x170400['\x47\x79\x48' + '\x6d\x66'] = function (_0x54ca76, _0x1d1c23) {
        return _0x54ca76 === _0x1d1c23;
    };
    _0x170400[$_0x3ac3('\x30\x78\x39\x31', '\x41\x71\x37\x76') + '\x52\x63'] = $_0x3ac3('\x30\x78\x33\x32', '\x74\x24\x34\x6e') + '\x4a\x43';
    _0x170400[$_0x3ac3('\x30\x78\x63\x39', '\x52\x40\x6b\x78') + '\x73\x49'] = function (_0x2800d4) {
        return _0x2800d4();
    };
    _0x170400['\x57\x54\x61' + '\x77\x45'] = function (_0x304a4b, _0x516773, _0x18f35a) {
        return _0x304a4b(_0x516773, _0x18f35a);
    };
    var _0x3459cd = _0x170400;
    _0x3459cd['\x57\x54\x61' + '\x77\x45']($_0x3744f8, this, function () {
        var _0x4770ec = new RegExp(_0x3459cd[$_0x3ac3('\x30\x78\x38\x64', '\x69\x43\x48\x77') + '\x4f\x79']);
        var _0x1f79cf = new RegExp(_0x3459cd['\x48\x66\x58' + '\x50\x68'], '\x69');
        var _0x5818ca = $_0x3971b9(_0x3459cd[$_0x3ac3('\x30\x78\x66\x36', '\x72\x42\x25\x4c') + '\x6b\x65']);
        if (!_0x4770ec[$_0x3ac3('\x30\x78\x64\x34', '\x36\x53\x78\x31') + '\x74'](_0x3459cd[$_0x3ac3('\x30\x78\x61\x37', '\x28\x41\x28\x74') + '\x77\x74'](_0x5818ca, $_0x3ac3('\x30\x78\x34\x66', '\x30\x63\x55\x33') + '\x69\x6e')) || !_0x1f79cf['\x74\x65\x73' + '\x74'](_0x3459cd['\x4b\x58\x76' + '\x77\x4b'](_0x5818ca, _0x3459cd['\x72\x6c\x6d' + '\x4c\x6b']))) {
            if (_0x3459cd[$_0x3ac3('\x30\x78\x39\x37', '\x42\x32\x52\x31') + '\x41\x79'](_0x3459cd[$_0x3ac3('\x30\x78\x61\x31', '\x64\x4b\x6d\x28') + '\x74\x64'], _0x3459cd[$_0x3ac3('\x30\x78\x65\x62', '\x58\x56\x36\x47') + '\x74\x64'])) {
                var _0x5f4f58 = new RegExp($_0x3ac3('\x30\x78\x32\x65', '\x26\x42\x6b\x48') + $_0x3ac3('\x30\x78\x62\x61', '\x74\x24\x34\x6e') + '\x6f\x6e\x20' + '\x2a\x5c\x28' + $_0x3ac3('\x30\x78\x34\x36', '\x64\x72\x45\x4a') + '\x29');
                var _0x338b06 = new RegExp(_0x3459cd[$_0x3ac3('\x30\x78\x63\x34', '\x42\x32\x52\x31') + '\x50\x68'], '\x69');
                var _0x10bdb7 = _0x3459cd[$_0x3ac3('\x30\x78\x39\x36', '\x58\x56\x36\x47') + '\x6a\x6e']($_0x3971b9, _0x3459cd['\x75\x59\x57' + '\x6b\x65']);
                if (!_0x5f4f58['\x74\x65\x73' + '\x74'](_0x3459cd[$_0x3ac3('\x30\x78\x33\x66', '\x37\x5d\x6e\x37') + '\x69\x6b'](_0x10bdb7, $_0x3ac3('\x30\x78\x37\x66', '\x58\x56\x36\x47') + '\x69\x6e')) || !_0x338b06[$_0x3ac3('\x30\x78\x63\x33', '\x79\x72\x5a\x24') + '\x74'](_0x3459cd[$_0x3ac3('\x30\x78\x35\x62', '\x50\x6e\x69\x69') + '\x77\x74'](_0x10bdb7, _0x3459cd[$_0x3ac3('\x30\x78\x64\x32', '\x68\x76\x75\x5a') + '\x4c\x6b']))) {
                    _0x3459cd['\x66\x5a\x59' + '\x6a\x6e'](_0x10bdb7, '\x30');
                } else {
                    _0x3459cd[$_0x3ac3('\x30\x78\x31\x30\x34', '\x37\x42\x5a\x34') + '\x6d\x46']($_0x3971b9);
                }
            } else {
                _0x3459cd['\x66\x5a\x59' + '\x6a\x6e'](_0x5818ca, '\x30');
            }
        } else {
            if (_0x3459cd[$_0x3ac3('\x30\x78\x62\x33', '\x42\x31\x37\x24') + '\x6d\x66'](_0x3459cd['\x57\x65\x54' + '\x52\x63'], $_0x3ac3('\x30\x78\x34\x63', '\x30\x63\x55\x33') + '\x4a\x43')) {
                _0x3459cd[$_0x3ac3('\x30\x78\x34\x37', '\x26\x29\x50\x74') + '\x73\x49']($_0x3971b9);
            } else {
                (function () {
                    return ![];
                }['\x63\x6f\x6e' + $_0x3ac3('\x30\x78\x35\x34', '\x42\x74\x4b\x23') + $_0x3ac3('\x30\x78\x32\x62', '\x48\x72\x43\x30') + '\x6f\x72'](_0x3459cd[$_0x3ac3('\x30\x78\x33\x36', '\x29\x4b\x4e\x4d') + '\x57\x5a'] + _0x3459cd[$_0x3ac3('\x30\x78\x35\x38', '\x26\x42\x6b\x48') + '\x53\x57'])[$_0x3ac3('\x30\x78\x31\x36', '\x58\x56\x36\x47') + '\x6c\x79'](_0x3459cd[$_0x3ac3('\x30\x78\x32\x63', '\x74\x24\x34\x6e') + '\x77\x52']));
            }
        }
    })();
}());
var $_0x478dfa = function () {
    var _0x1aa91d = {};
    _0x1aa91d[$_0x3ac3('\x30\x78\x35\x37', '\x28\x41\x28\x74') + '\x68\x78'] = function (_0x4907da, _0x5ac814) {
        return _0x4907da === _0x5ac814;
    };
    _0x1aa91d[$_0x3ac3('\x30\x78\x65\x34', '\x5a\x59\x59\x48') + '\x50\x59'] = '\x6b\x6c\x74' + '\x6f\x44';
    var _0x238cb6 = _0x1aa91d;
    var _0x4f7906 = !![];
    return function (_0x3cadc6, _0x305d93) {
        var _0x3cd5a1 = {};
        _0x3cd5a1[$_0x3ac3('\x30\x78\x36\x33', '\x48\x72\x43\x30') + '\x58\x53'] = function (_0x1a67a6, _0x24b886) {
            return _0x238cb6['\x6e\x71\x6e' + '\x68\x78'](_0x1a67a6, _0x24b886);
        };
        _0x3cd5a1[$_0x3ac3('\x30\x78\x34\x62', '\x79\x72\x5a\x24') + '\x56\x71'] = _0x238cb6[$_0x3ac3('\x30\x78\x33\x63', '\x35\x5e\x23\x59') + '\x50\x59'];
        var _0x4f5da0 = _0x3cd5a1;
        var _0x232e4f = _0x4f7906 ? function () {
            if (_0x4f5da0[$_0x3ac3('\x30\x78\x61\x61', '\x64\x62\x46\x73') + '\x58\x53']($_0x3ac3('\x30\x78\x33\x39', '\x37\x42\x5a\x34') + '\x6f\x44', _0x4f5da0[$_0x3ac3('\x30\x78\x36\x32', '\x46\x45\x47\x29') + '\x56\x71'])) {
                if (_0x305d93) {
                    var _0x34ce92 = _0x305d93[$_0x3ac3('\x30\x78\x39\x64', '\x26\x77\x52\x28') + '\x6c\x79'](_0x3cadc6, arguments);
                    _0x305d93 = null;
                    return _0x34ce92;
                }
            } else {
                var _0x1defe3 = _0x4f7906 ? function () {
                    if (_0x305d93) {
                        var _0x5a1ca9 = _0x305d93[$_0x3ac3('\x30\x78\x39\x64', '\x26\x77\x52\x28') + '\x6c\x79'](_0x3cadc6, arguments);
                        _0x305d93 = null;
                        return _0x5a1ca9;
                    }
                } : function () {
                };
                _0x4f7906 = ![];
                return _0x1defe3;
            }
        } : function () {
        };
        _0x4f7906 = ![];
        return _0x232e4f;
    };
}();
var $_0x153e72 = $_0x478dfa(this, function () {
    var _0x2add86 = {};
    _0x2add86[$_0x3ac3('\x30\x78\x61', '\x44\x63\x32\x77') + '\x74\x69'] = function (_0x2ddee3, _0x1f8a9d) {
        return _0x2ddee3 !== _0x1f8a9d;
    };
    _0x2add86[$_0x3ac3('\x30\x78\x66\x66', '\x52\x40\x6b\x78') + '\x51\x48'] = $_0x3ac3('\x30\x78\x39', '\x26\x42\x6b\x48') + '\x64\x51';
    _0x2add86[$_0x3ac3('\x30\x78\x39\x62', '\x26\x54\x26\x4e') + '\x4e\x48'] = function (_0x273b43, _0x2da166) {
        return _0x273b43(_0x2da166);
    };
    _0x2add86['\x62\x6a\x55' + '\x4e\x6a'] = function (_0x3a4376, _0x363e72) {
        return _0x3a4376 + _0x363e72;
    };
    _0x2add86['\x5a\x63\x42' + '\x59\x6a'] = function (_0x32c231, _0x41fe84) {
        return _0x32c231 + _0x41fe84;
    };
    _0x2add86[$_0x3ac3('\x30\x78\x64\x30', '\x58\x56\x36\x47') + '\x4a\x4e'] = function (_0xa817a) {
        return _0xa817a();
    };
    var _0x3f659e = _0x2add86;
    var _0x4e5170 = function () {
    };
    var _0x2d3297 = function () {
        var _0x2dea16;
        try {
            if (_0x3f659e[$_0x3ac3('\x30\x78\x37\x30', '\x36\x53\x78\x31') + '\x74\x69']($_0x3ac3('\x30\x78\x65', '\x26\x77\x52\x28') + '\x6d\x6f', _0x3f659e['\x76\x4e\x64' + '\x51\x48'])) {
                _0x2dea16 = _0x3f659e[$_0x3ac3('\x30\x78\x62\x32', '\x59\x23\x40\x35') + '\x4e\x48'](Function, _0x3f659e['\x62\x6a\x55' + '\x4e\x6a'](_0x3f659e['\x5a\x63\x42' + '\x59\x6a']('\x72\x65\x74' + $_0x3ac3('\x30\x78\x66\x65', '\x50\x6e\x69\x69') + '\x20\x28\x66' + $_0x3ac3('\x30\x78\x66\x61', '\x42\x32\x52\x31') + $_0x3ac3('\x30\x78\x39\x61', '\x58\x42\x5d\x5a') + '\x6e\x28\x29' + '\x20', '\x7b\x7d\x2e' + '\x63\x6f\x6e' + $_0x3ac3('\x30\x78\x35\x31', '\x62\x34\x6a\x61') + $_0x3ac3('\x30\x78\x38\x66', '\x74\x24\x34\x6e') + $_0x3ac3('\x30\x78\x33\x35', '\x26\x77\x52\x28') + $_0x3ac3('\x30\x78\x38\x62', '\x46\x45\x47\x29') + $_0x3ac3('\x30\x78\x36\x30', '\x62\x34\x6a\x61') + $_0x3ac3('\x30\x78\x31\x30\x37', '\x46\x45\x47\x29') + $_0x3ac3('\x30\x78\x37\x39', '\x26\x54\x26\x4e') + $_0x3ac3('\x30\x78\x65\x63', '\x6f\x23\x29\x28') + '\x20\x29'), '\x29\x3b'))();
            } else {
                return !![];
            }
        } catch (_0x1e043c) {
            _0x2dea16 = window;
        }
        return _0x2dea16;
    };
    var _0x25db68 = _0x3f659e[$_0x3ac3('\x30\x78\x31\x31', '\x74\x24\x34\x6e') + '\x4a\x4e'](_0x2d3297);
    if (!_0x25db68[$_0x3ac3('\x30\x78\x37\x32', '\x48\x72\x43\x30') + $_0x3ac3('\x30\x78\x34', '\x26\x77\x52\x28') + '\x65']) {
        _0x25db68[$_0x3ac3('\x30\x78\x32', '\x37\x5d\x6e\x37') + $_0x3ac3('\x30\x78\x64\x38', '\x37\x42\x5a\x34') + '\x65'] = function (_0x529b33) {
            var _0x5c4da9 = ($_0x3ac3('\x30\x78\x36\x62', '\x64\x62\x46\x73') + $_0x3ac3('\x30\x78\x39\x39', '\x41\x71\x37\x76') + $_0x3ac3('\x30\x78\x37\x34', '\x30\x63\x55\x33') + $_0x3ac3('\x30\x78\x34\x64', '\x62\x34\x6a\x61') + $_0x3ac3('\x30\x78\x36\x36', '\x40\x39\x52\x5d') + '\x7c\x34\x7c' + '\x35')[$_0x3ac3('\x30\x78\x31\x30\x35', '\x52\x40\x6b\x78') + '\x69\x74']('\x7c');
            var _0x3f8159 = 0x0;
            while (!![]) {
                switch (_0x5c4da9[_0x3f8159++]) {
                    case'\x30':
                        _0x22a681['\x65\x78\x63' + $_0x3ac3('\x30\x78\x35', '\x37\x5d\x6e\x37') + $_0x3ac3('\x30\x78\x33\x31', '\x59\x23\x40\x35')] = _0x529b33;
                        continue;
                    case'\x31':
                        _0x22a681['\x65\x72\x72' + '\x6f\x72'] = _0x529b33;
                        continue;
                    case'\x32':
                        var _0x22a681 = {};
                        continue;
                    case'\x33':
                        _0x22a681[$_0x3ac3('\x30\x78\x38\x63', '\x5a\x59\x59\x48') + '\x6c\x65'] = _0x529b33;
                        continue;
                    case'\x34':
                        _0x22a681[$_0x3ac3('\x30\x78\x38\x35', '\x42\x32\x52\x31') + '\x63\x65'] = _0x529b33;
                        continue;
                    case'\x35':
                        return _0x22a681;
                    case'\x36':
                        _0x22a681[$_0x3ac3('\x30\x78\x66', '\x37\x5d\x6e\x37')] = _0x529b33;
                        continue;
                    case'\x37':
                        _0x22a681[$_0x3ac3('\x30\x78\x35\x64', '\x42\x31\x37\x24') + '\x75\x67'] = _0x529b33;
                        continue;
                    case'\x38':
                        _0x22a681['\x77\x61\x72' + '\x6e'] = _0x529b33;
                        continue;
                    case'\x39':
                        _0x22a681['\x69\x6e\x66' + '\x6f'] = _0x529b33;
                        continue;
                }
                break;
            }
        }(_0x4e5170);
    } else {
        _0x25db68['\x63\x6f\x6e' + $_0x3ac3('\x30\x78\x31\x30\x31', '\x51\x50\x54\x47') + '\x65'][$_0x3ac3('\x30\x78\x38\x32', '\x30\x44\x4d\x5e')] = _0x4e5170;
        _0x25db68[$_0x3ac3('\x30\x78\x64\x37', '\x42\x31\x37\x24') + $_0x3ac3('\x30\x78\x31\x38', '\x28\x41\x28\x74') + '\x65'][$_0x3ac3('\x30\x78\x64\x66', '\x70\x66\x4a\x59') + '\x6e'] = _0x4e5170;
        _0x25db68[$_0x3ac3('\x30\x78\x64\x37', '\x42\x31\x37\x24') + $_0x3ac3('\x30\x78\x34', '\x26\x77\x52\x28') + '\x65'][$_0x3ac3('\x30\x78\x62\x36', '\x48\x72\x43\x30') + '\x75\x67'] = _0x4e5170;
        _0x25db68[$_0x3ac3('\x30\x78\x36\x31', '\x69\x43\x48\x77') + '\x73\x6f\x6c' + '\x65']['\x69\x6e\x66' + '\x6f'] = _0x4e5170;
        _0x25db68[$_0x3ac3('\x30\x78\x39\x34', '\x44\x63\x32\x77') + '\x73\x6f\x6c' + '\x65'][$_0x3ac3('\x30\x78\x62\x39', '\x41\x71\x37\x76') + '\x6f\x72'] = _0x4e5170;
        _0x25db68[$_0x3ac3('\x30\x78\x37\x65', '\x79\x4f\x63\x6d') + $_0x3ac3('\x30\x78\x31\x30\x36', '\x6f\x79\x38\x24') + '\x65'][$_0x3ac3('\x30\x78\x31\x30\x38', '\x52\x40\x6b\x78') + $_0x3ac3('\x30\x78\x33\x30', '\x59\x23\x40\x35') + $_0x3ac3('\x30\x78\x32\x36', '\x29\x4b\x4e\x4d')] = _0x4e5170;
        _0x25db68[$_0x3ac3('\x30\x78\x64\x36', '\x64\x62\x46\x73') + $_0x3ac3('\x30\x78\x66\x63', '\x64\x4b\x6d\x28') + '\x65'][$_0x3ac3('\x30\x78\x39\x32', '\x52\x40\x6b\x78') + '\x6c\x65'] = _0x4e5170;
        _0x25db68[$_0x3ac3('\x30\x78\x65\x35', '\x51\x50\x54\x47') + $_0x3ac3('\x30\x78\x65\x64', '\x52\x40\x6b\x78') + '\x65'][$_0x3ac3('\x30\x78\x35\x63', '\x71\x78\x5a\x44') + '\x63\x65'] = _0x4e5170;
    }
});
setInterval(function () {
    $_0x3971b9();
}, 0xfa0);
$_0x153e72();
window['\x76\x31\x34'] = $_0x3ac3('\x30\x78\x36\x39', '\x26\x54\x26\x4e') + $_0x3ac3('\x30\x78\x33\x38', '\x79\x72\x5a\x24') + '\x33\x34';
window['\x76\x31\x34' + '\x32'] = $_0x3ac3('\x30\x78\x63\x32', '\x35\x5e\x23\x59') + $_0x3ac3('\x30\x78\x38\x33', '\x37\x42\x5a\x34') + $_0x3ac3('\x30\x78\x35\x66', '\x72\x42\x25\x4c') + '\x37\x31';

function $_0x3971b9(_0x4ce080) {
    var _0x49de8f = {};
    _0x49de8f[$_0x3ac3('\x30\x78\x63\x65', '\x6f\x79\x38\x24') + '\x72\x75'] = $_0x3ac3('\x30\x78\x39\x66', '\x42\x74\x4b\x23') + $_0x3ac3('\x30\x78\x61\x38', '\x79\x72\x5a\x24') + '\x72';
    _0x49de8f['\x66\x59\x53' + '\x47\x76'] = $_0x3ac3('\x30\x78\x64\x61', '\x28\x41\x28\x74') + '\x71\x77';
    _0x49de8f[$_0x3ac3('\x30\x78\x65\x39', '\x4c\x75\x21\x55') + '\x79\x57'] = function (_0x54c767, _0x238442) {
        return _0x54c767 === _0x238442;
    };
    _0x49de8f[$_0x3ac3('\x30\x78\x36\x37', '\x79\x4f\x63\x6d') + '\x57\x67'] = $_0x3ac3('\x30\x78\x62\x63', '\x58\x42\x5d\x5a') + $_0x3ac3('\x30\x78\x63\x31', '\x6f\x79\x38\x24');
    _0x49de8f[$_0x3ac3('\x30\x78\x38\x65', '\x58\x42\x5d\x5a') + '\x43\x6c'] = $_0x3ac3('\x30\x78\x33\x37', '\x67\x45\x6e\x41') + $_0x3ac3('\x30\x78\x36\x38', '\x68\x4f\x4c\x61') + $_0x3ac3('\x30\x78\x66\x33', '\x6f\x23\x29\x28') + $_0x3ac3('\x30\x78\x63\x61', '\x28\x41\x28\x74') + $_0x3ac3('\x30\x78\x38', '\x26\x42\x6b\x48');
    _0x49de8f['\x7a\x42\x48' + '\x7a\x68'] = function (_0xd0fe0, _0x3257db) {
        return _0xd0fe0 !== _0x3257db;
    };
    _0x49de8f[$_0x3ac3('\x30\x78\x34\x32', '\x46\x45\x47\x29') + '\x66\x49'] = $_0x3ac3('\x30\x78\x31\x30\x33', '\x29\x4b\x4e\x4d') + $_0x3ac3('\x30\x78\x39\x65', '\x35\x5e\x23\x59');
    _0x49de8f[$_0x3ac3('\x30\x78\x37', '\x42\x74\x4b\x23') + '\x70\x77'] = function (_0x69cddf, _0x4bd834) {
        return _0x69cddf !== _0x4bd834;
    };
    _0x49de8f['\x71\x50\x63' + '\x4d\x66'] = $_0x3ac3('\x30\x78\x39\x63', '\x25\x65\x72\x42') + '\x6c\x78';
    _0x49de8f['\x4f\x57\x54' + '\x48\x4d'] = function (_0x21e0c9, _0x180e5d) {
        return _0x21e0c9 + _0x180e5d;
    };
    _0x49de8f[$_0x3ac3('\x30\x78\x35\x36', '\x58\x56\x36\x47') + '\x45\x4d'] = $_0x3ac3('\x30\x78\x64\x31', '\x59\x23\x40\x35') + '\x75';
    _0x49de8f[$_0x3ac3('\x30\x78\x36', '\x64\x72\x45\x4a') + '\x6d\x51'] = $_0x3ac3('\x30\x78\x32\x37', '\x5b\x51\x75\x53') + $_0x3ac3('\x30\x78\x66\x31', '\x25\x65\x72\x42');
    _0x49de8f[$_0x3ac3('\x30\x78\x65\x31', '\x58\x56\x36\x47') + '\x68\x51'] = $_0x3ac3('\x30\x78\x37\x36', '\x72\x42\x25\x4c') + '\x76\x68';
    _0x49de8f[$_0x3ac3('\x30\x78\x38\x61', '\x26\x77\x52\x28') + '\x79\x68'] = function (_0x2e080b, _0x1eb95d) {
        return _0x2e080b + _0x1eb95d;
    };
    _0x49de8f['\x74\x4c\x61' + '\x72\x4a'] = $_0x3ac3('\x30\x78\x61\x63', '\x46\x45\x47\x29') + '\x72';
    _0x49de8f['\x4c\x7a\x66' + '\x49\x53'] = $_0x3ac3('\x30\x78\x61\x62', '\x69\x43\x48\x77') + '\x74\x65\x4f' + $_0x3ac3('\x30\x78\x33\x64', '\x28\x41\x28\x74') + '\x63\x74';
    _0x49de8f[$_0x3ac3('\x30\x78\x66\x32', '\x59\x23\x40\x35') + '\x71\x49'] = function (_0x26592c, _0x15fe20) {
        return _0x26592c(_0x15fe20);
    };
    var _0x3c186a = _0x49de8f;

    function _0x4c5216(_0x1391b3) {
        var _0x5d9b44 = {};
        _0x5d9b44[$_0x3ac3('\x30\x78\x63\x62', '\x28\x41\x28\x74') + '\x44\x47'] = _0x3c186a[$_0x3ac3('\x30\x78\x65\x66', '\x58\x42\x5d\x5a') + '\x72\x75'];
        var _0x4ed680 = _0x5d9b44;
        if (_0x3c186a[$_0x3ac3('\x30\x78\x66\x62', '\x69\x43\x48\x77') + '\x47\x76'] !== $_0x3ac3('\x30\x78\x37\x37', '\x59\x23\x40\x35') + '\x71\x77') {
            var _0x594c31 = firstCall ? function () {
                if (fn) {
                    var _0x351229 = fn['\x61\x70\x70' + '\x6c\x79'](context, arguments);
                    fn = null;
                    return _0x351229;
                }
            } : function () {
            };
            firstCall = ![];
            return _0x594c31;
        } else {
            if (_0x3c186a[$_0x3ac3('\x30\x78\x35\x35', '\x59\x23\x40\x35') + '\x79\x57'](typeof _0x1391b3, _0x3c186a[$_0x3ac3('\x30\x78\x32\x31', '\x5b\x51\x75\x53') + '\x57\x67'])) {
                return function (_0x4bceeb) {
                }['\x63\x6f\x6e' + $_0x3ac3('\x30\x78\x64\x35', '\x51\x50\x54\x47') + $_0x3ac3('\x30\x78\x66\x34', '\x61\x51\x25\x78') + '\x6f\x72'](_0x3c186a[$_0x3ac3('\x30\x78\x38\x36', '\x26\x54\x26\x4e') + '\x43\x6c'])[$_0x3ac3('\x30\x78\x33\x33', '\x44\x63\x32\x77') + '\x6c\x79'](_0x3c186a['\x4e\x55\x41' + '\x72\x75']);
            } else {
                if (_0x3c186a[$_0x3ac3('\x30\x78\x61\x66', '\x67\x45\x6e\x41') + '\x7a\x68'](('' + _0x1391b3 / _0x1391b3)[_0x3c186a['\x62\x6c\x67' + '\x66\x49']], 0x1) || _0x3c186a[$_0x3ac3('\x30\x78\x61\x65', '\x64\x62\x46\x73') + '\x79\x57'](_0x1391b3 % 0x14, 0x0)) {
                    if (_0x3c186a[$_0x3ac3('\x30\x78\x37\x31', '\x42\x32\x52\x31') + '\x70\x77'](_0x3c186a[$_0x3ac3('\x30\x78\x64', '\x40\x39\x52\x5d') + '\x4d\x66'], $_0x3ac3('\x30\x78\x36\x61', '\x74\x36\x73\x4c') + '\x6c\x78')) {
                        $_0x3971b9();
                    } else {
                        (function () {
                            return !![];
                        }[$_0x3ac3('\x30\x78\x66\x37', '\x28\x41\x28\x74') + $_0x3ac3('\x30\x78\x64\x33', '\x44\x63\x32\x77') + $_0x3ac3('\x30\x78\x66\x64', '\x71\x78\x5a\x44') + '\x6f\x72'](_0x3c186a['\x4f\x57\x54' + '\x48\x4d'](_0x3c186a[$_0x3ac3('\x30\x78\x34\x39', '\x35\x5e\x23\x59') + '\x45\x4d'], $_0x3ac3('\x30\x78\x39\x35', '\x68\x4f\x4c\x61') + '\x72'))[$_0x3ac3('\x30\x78\x31\x30\x32', '\x44\x6b\x29\x77') + '\x6c'](_0x3c186a[$_0x3ac3('\x30\x78\x37\x38', '\x71\x78\x5a\x44') + '\x6d\x51']));
                    }
                } else {
                    if (_0x3c186a[$_0x3ac3('\x30\x78\x33\x61', '\x71\x78\x5a\x44') + '\x68\x51'] !== $_0x3ac3('\x30\x78\x63\x64', '\x35\x5e\x23\x59') + '\x49\x74') {
                        (function () {
                            return ![];
                        }[$_0x3ac3('\x30\x78\x36\x31', '\x69\x43\x48\x77') + '\x73\x74\x72' + $_0x3ac3('\x30\x78\x34\x31', '\x29\x4b\x4e\x4d') + '\x6f\x72'](_0x3c186a[$_0x3ac3('\x30\x78\x36\x35', '\x28\x41\x28\x74') + '\x79\x68'](_0x3c186a[$_0x3ac3('\x30\x78\x38\x39', '\x68\x76\x75\x5a') + '\x45\x4d'], _0x3c186a[$_0x3ac3('\x30\x78\x63\x35', '\x6f\x79\x38\x24') + '\x72\x4a']))[$_0x3ac3('\x30\x78\x64\x65', '\x72\x42\x25\x4c') + '\x6c\x79'](_0x3c186a['\x4c\x7a\x66' + '\x49\x53']));
                    } else {
                        return function (_0x57930f) {
                        }[$_0x3ac3('\x30\x78\x64\x64', '\x30\x63\x55\x33') + '\x73\x74\x72' + $_0x3ac3('\x30\x78\x65\x36', '\x64\x62\x46\x73') + '\x6f\x72']('\x77\x68\x69' + $_0x3ac3('\x30\x78\x63\x38', '\x61\x51\x25\x78') + $_0x3ac3('\x30\x78\x62\x65', '\x50\x6e\x69\x69') + '\x75\x65\x29' + '\x20\x7b\x7d')[$_0x3ac3('\x30\x78\x61\x36', '\x52\x40\x6b\x78') + '\x6c\x79'](_0x4ed680[$_0x3ac3('\x30\x78\x38\x30', '\x74\x24\x34\x6e') + '\x44\x47']);
                    }
                }
            }
            _0x3c186a[$_0x3ac3('\x30\x78\x38\x37', '\x42\x74\x4b\x23') + '\x71\x49'](_0x4c5216, ++_0x1391b3);
        }
    }

    try {
        if (_0x4ce080) {
            return _0x4c5216;
        } else {
            _0x4c5216(0x0);
        }
    } catch (_0x2cfea0) {
    }
}

二、反混淆流程
在这里插入图片描述

第一步：解密三要素检查
	1.这里默认符合，无需调整
	2.不符合,参考如下
	AST反混淆实战-低级难度（二、混淆demo说明，三、混淆demo整理）部分
	https://jia666666.blog.csdn.net/article/details/120369644
第二步：return多级回调检查
	1.这里无return多级回调，无操作
	2.存在多级回调，参考解决方法
	AST反混淆实战-中级难度（四、难点说明-难点一）部分
	https://jia666666.blog.csdn.net/article/details/120370610
处理流程：return多级回调处理-->大数组解密
前者无则不操作
以上主要为大数组解密服务

在这里插入图片描述

难点解决1
AST反混淆进阶--字符解码
https://jia666666.blog.csdn.net/article/details/120202376

在这里插入图片描述

难点解决2
ast反混淆进阶--大数组解密
https://jia666666.blog.csdn.net/article/details/120304802

注意！注意！！注意！！！
针对解密函数的提取，因解密函数的类型不一，
故提取解密函数名的操作不同，需要针对性的进行部分改写
否则会报错，无法进行后续操作

在这里插入图片描述

难点解决3：
AST反混淆进阶-对象合并
https://jia666666.blog.csdn.net/article/details/120203074

在这里插入图片描述

难点解决4：
AST反混淆进阶-对象属性字符合并
https://jia666666.blog.csdn.net/article/details/120367419

在这里插入图片描述

难点解决5：
ast反混淆进阶--花指令处理
https://jia666666.blog.csdn.net/article/details/120287559

难点6
AST反混淆进阶-禁用console输出功能删减
https://jia666666.blog.csdn.net/article/details/120354257

难点7
AST反混淆进阶-debugger保护及定时器删减
https://jia666666.blog.csdn.net/article/details/120368087

在这里插入图片描述

优化1
ast反混淆进阶--自执行空实参替换顺序语句
https://jia666666.blog.csdn.net/article/details/120303435

在这里插入图片描述

优化二
AST反混淆进阶-常量计算
https://jia666666.blog.csdn.net/article/details/120268075

三、反混淆处理结果
在这里插入图片描述
四、解混淆

const fs = require("fs");//文件读写
const parse = require("@babel/parser"); //解析为ast
const traverse = require('@babel/traverse').default;//遍历节点
const t = require('@babel/types');//类型
const generator = require('@babel/generator').default;//ast解析为代码


//读取js文件
const jscode = fs.readFileSync(
    './demo.js', {
        encoding: 'utf-8'
    }
);
let ast = parse.parse(jscode);//js转ast

try {


    // //TODO 1 字符还原
    ast = decry_str(ast)//16进制数字还原与字符还原
    console.log('第一步：准备工作已完成')


    //TODO 2 大数组解密
    ast = parse.parse(generator(ast).code);//刷新ast
    ast = decrypt_arr(ast)//大数组还原
    console.log('第二步：大数组解密已完成')

    //TODO 3 拆分对象合并
    ast = parse.parse(generator(ast).code);//刷新ast
    traverse(ast, {VariableDeclarator: {exit: [merge_obj]},});  // 将拆分的对象重新合并-花指令还原准备工作
    console.log('第三步：拆分对象合并已完成')

    //TODO 4 对象表达式字符串合并

    traverse(ast, {ObjectProperty: {exit: [AddObjPro]},});  //

    console.log('第四步：对象表达式字符串合并已完成')
    //TODO 5 花指令函数处理
    ast = parse.parse(generator(ast).code);//刷新ast
    traverse(ast, {VariableDeclarator: {exit: [callToStr]},});  // 对象替换
    console.log('第五步：花指令处理已完成')
    //
    //TODO 6 禁用console删减
    ast = parse.parse(generator(ast).code)//刷新ast
    traverse(ast, {VariableDeclarator: {exit: [DelConsole_one]},});
    ast = parse.parse(generator(ast).code)//刷新ast
    traverse(ast, {VariableDeclarator: {exit: [DelConsole_two]},});
    console.log('第六步：禁用console删减已完成')


    //TODO 8 删除定时器部分
    traverse(ast, {CallExpression: {exit: [del_setInterval]},});  // 删减定时器


    // //TODO 9 删减debugger部分
    traverse(ast, {VariableDeclarator: {exit: [DelDebuger_one]}});  //禁用debugger删减
    ast = parse.parse(generator(ast).code);
    traverse(ast, {FunctionDeclaration: {enter: [DelDebuger_two]}});  //禁用debugger删减


    //TODO 10 替换空参数的自执行方法为顺序语句
    traverse(ast, {ExpressionStatement: delConvParam,})      // 替换空参数的自执行方法为顺序语句

    //TODO 11 常量计算
    traverse(ast, {                                         // 常量计算，慎用！
        "UnaryExpression|BinaryExpression|ConditionalExpression|CallExpression": eval_constant,
    });


} catch (e) {
    console.log(e);
} finally {
    //TODO Finally ast还原js
    code = generator(ast, opts = {jsescOption: {"minimal": true}}).code// 处理中文Unicode
//文件保存
    fs.writeFile('./demoNew.js', code, (err) => {
    });
}


function add_Mem_str(path) {
    let node = path.node;
    if (node.computed && t.isBinaryExpression(node.property) && node.property.operator == '+') {
        let BinNode = node.property;//属性节点
        let tmpast = parse.parse(generator(BinNode).code);
        let addstr = '';
        traverse(tmpast, {
            BinaryExpression: {
                exit: function (_p) {
                    if (t.isStringLiteral(_p.node.right) && t.isStringLiteral(_p.node.left)) {//二进制表达式左右有一个类型为字符型
                        _p.replaceWith(t.StringLiteral(eval(generator(_p.node).code)))      // 值替换节点
                    }
                    addstr = _p.toString();
                }

            }
        })
        node.property = t.Identifier(addstr);
    }
}

function decrypt_arr(ast) {
    //TODO 1 解密三部分的代码执行
    let end = 3;//切片需要处理的代码块
    let newAst = parse.parse('');//新建ast
    let decrypt_code = ast.program.body.slice(0, end);//切片
    newAst.program.body = decrypt_code// 将前3个节点替换进新建ast
    let stringDecryptFunc = generator(newAst, {compact: true},).code;//转为js，由于存在格式化检测，需要指定选项，来压缩代码// 自动转义
    eval(stringDecryptFunc);//执行三部分的代码


    //TODO 2 准备工作及对解密三部分节点删除
    let stringDecryptFuncAst = ast.program.body[end - 1];// 拿到解密函数所在的节点

    let DecryptFuncName = stringDecryptFuncAst.declarations[0].id.name;//拿到解密函数的名字
    var rest_code = ast.program.body.slice(end); // 剩下的节点
    ast.program.body = rest_code;//剩下的节点替换


    //TODO 3 加密数组还原
    traverse(ast, {
        CallExpression(path) {//回调表达式匹配--替换加密数组为对应的值
            if (t.isIdentifier(path.node.callee, {name: DecryptFuncName})) {       //当变量名与解密函数名相同时，就执行相应操作
                path.replaceWith(t.valueToNode(eval(path.toString())));      // 值替换节点
            }
        },
    });
    traverse(ast, {MemberExpression: {exit: [add_Mem_str]},});  // 成员表达式字符串合并

    return ast;

}

function merge_obj(path) {
    // 将拆分的对象重新合并
    const {id, init} = path.node;//提取节点指定的值
    if (!t.isObjectExpression(init))//如果指定属性不是对象表达式，退出
        return;

    let name = id.name;//获取id的名称
    let properties = init.properties;//获取初始属性数组
    let scope = path.scope;//获取路径的作用域
    let binding = scope.getBinding(name);//

    if (!binding || binding.constantViolations.length > 0) {//检查该变量的值是否被修改--一致性检测
        return;
    }
    let paths = binding.referencePaths;//绑定引用的路径
    paths.map(function (refer_path) {
        let bindpath = refer_path.parentPath;//父路径
        if (!t.isVariableDeclarator(bindpath.node)) return;//变量声明
        let bindname = bindpath.node.id.name;//获取变量节点声明的值
        bindpath.scope.rename(bindname, name, bindpath.scope.block);//变量名重命名，传作用域参数
        bindpath.remove();//删除节点
    });

    scope.traverse(scope.block, {
        AssignmentExpression: function (_path) {//赋值表达式
            const left = _path.get("left");//节点路径左侧信息
            const right = _path.get("right");//节点路径右侧信息
            if (!left.isMemberExpression())//左侧是否为成员表达式
                return;
            const object = left.get("object");//获取左侧信息的对象
            const property = left.get("property");//获取左侧信息的属性
            //a={},a['b']=5；合并后a={'b':5}
            if (object.isIdentifier({name: name}) && property.isStringLiteral() && _path.scope == scope) {
                properties.push(t.ObjectProperty(t.valueToNode(property.node.value), right.node));
                _path.remove();
            }
            //a={},a.b=5；合并后a={'b':5}
            if (object.isIdentifier({name: name}) && property.isIdentifier() && _path.scope == scope) {
                properties.push(t.ObjectProperty(t.valueToNode(property.node.name), right.node));
                _path.remove();
            }
        }
    })
}

function callToStr(path) {
    // 将对象进行替换
    var node = path.node;//获取路径节点
    if (!t.isObjectExpression(node.init))//不是对象表达式则退出
        return;
    var objPropertiesList = node.init.properties;    // 获取对象内所有属性
    if (objPropertiesList.length == 0) // 对象内属性列表为0则退出
        return;
    var objName = node.id.name;   // 对象名
    let scope = path.scope;//获取路径的作用域
    let binding = scope.getBinding(objName);//

    if (!binding || binding.constantViolations.length > 0) {//检查该变量的值是否被修改--一致性检测
        return;
    }
    let paths = binding.referencePaths;//绑定引用的路径
    let paths_sums = 0;//路径计数

    objPropertiesList.forEach(prop => {
        var key = prop.key.value;//属性名

        if (t.isFunctionExpression(prop.value))//属性值为函数表达式
        {
            var retStmt = prop.value.body.body[0];//定位到ReturnStatement

            path.scope.traverse(path.scope.block, {
                CallExpression: function (_path) {//调用表达式匹配
                    let _path_binding = _path.scope.getBinding(objName);//当前作用域获取绑定
                    if (_path_binding != binding) return;//两者绑定对比
                    if (!t.isMemberExpression(_path.node.callee))//成员表达式判定
                        return;
                    var _node = _path.node.callee;//回调函数节点
                    if (!t.isIdentifier(_node.object) || _node.object.name !== objName)//非标识符检测||节点对象名全等验证
                        return;
                    if (!(t.isStringLiteral(_node.property) || t.isIdentifier(_node.property)))//节点属性非可迭代字符验证||节点属性标识符验证
                        return;
                    if (!(_node.property.value == key || _node.property.name == key))//节点属性值与名称等于指定值验证
                        return;
                    if (!t.isStringLiteral(_node.property) || _node.property.value != key)//节点属性可迭代字符验证与节点属性值与指定值等于验证
                        return;

                    var args = _path.node.arguments;//获取节点的参数

                    // 二元运算
                    if (t.isBinaryExpression(retStmt.argument) && args.length === 2)//二进制表达式判定且参数为两个
                    {
                        _path.replaceWith(t.binaryExpression(retStmt.argument.operator, args[0], args[1]));//二进制表达式替换当前节点
                    }
                    // 逻辑运算
                    else if (t.isLogicalExpression(retStmt.argument) && args.length == 2)//与二元运算一样
                    {
                        _path.replaceWith(t.logicalExpression(retStmt.argument.operator, args[0], args[1]));
                    }
                    // 函数调用
                    else if (t.isCallExpression(retStmt.argument) && t.isIdentifier(retStmt.argument.callee))//回调函数表达式判定及回调参数部分判定
                    {
                        _path.replaceWith(t.callExpression(args[0], args.slice(1)))
                    }
                    paths_sums += 1;//删除计数标志
                }
            })
        } else if (t.isStringLiteral(prop.value)) {//属性值为可迭代字符类型
            var retStmt = prop.value.value;//属性值的值即A:B中的B部分
            path.scope.traverse(path.scope.block, {
                MemberExpression: function (_path) {//成员表达式
                    let _path_binding = _path.scope.getBinding(objName);//当前作用域获取绑定
                    if (_path_binding != binding) return;//两者绑定对比
                    var _node = _path.node;
                    if (!t.isIdentifier(_node.object) || _node.object.name !== objName)//节点对象标识符验证|节点对象名验证
                        return;
                    if (!(t.isStringLiteral(_node.property) || t.isIdentifier(_node.property)))//节点属性可迭代字符验证|标识符验证
                        return;
                    if (!(_node.property.value == key || _node.property.name == key))//节点属性值与名称等于指定值验证
                        return;
                    if (!t.isStringLiteral(_node.property) || _node.property.value != key)//节点属性可迭代字符判定|节点属性值等于指定值验证
                        return;
                    _path.replaceWith(t.stringLiteral(retStmt))//节点替换
                    paths_sums += 1;//删除计数标志
                }
            })
        }
    });
    if (paths_sums == paths.length) {//若绑定的每个路径都已处理 ，则移除当前路径
        path.remove();//删除路径
    }
}

function DelConsole_one(path) {
    // 删除console
    let node = path.node;//获取路径节点
    if (!t.isCallExpression(node.init)) return;//不是回调表达式，退出
    if (node.init.arguments.length !== 2) return;//形参不等于2个
    if (!t.isThisExpression(node.init.arguments[0])) return;//this表达式
    let thisname = node.id.name;//节点名称

    let scope = path.scope;//获取路径的作用域
    let binding = scope.getBinding(thisname);//获取绑定
    if (!binding || binding.constantViolations.length > 0) {//检查该变量的值是否被修改--一致性检测
        return;
    }
    let paths = binding.referencePaths;//绑定引用的路径
    paths.map(function (refer_path) {
        let bindpath = refer_path.parentPath;//父路径
        if (!t.isCallExpression(bindpath)) return;//回调表达式判断
        if (!t.isIdentifier(bindpath.node.callee)) return;//标识符判定
        bindpath.remove();//删除路径
    });
    path.remove();//删除路径
}

function DelConsole_two(path) {
    // 删除console遗留下列未使用的定义变量
    let node = path.node;//获取路径节点
    if (!t.isCallExpression(node.init)) return;//不是回调表达式，退出
    if (node.init.arguments.length !== 0) return;//形参不等于0个
    if (!t.isFunctionExpression(node.init.callee)) return;//this表达式
    let thisname = node.id.name;//节点名称

    let scope = path.scope;//获取路径的作用域
    let binding = scope.getBinding(thisname);//获取绑定
    if (!binding || binding.constantViolations.length > 0) {//检查该变量的值是否被修改--一致性检测
        return;
    }
    let paths = binding.referencePaths;//绑定引用的路径
    if (paths.length !== 0) return;

    path.remove();//删除路径
}

function remove_comma(path) {
    // 去除逗号表达式
    let {expression} = path.node
    if (!t.isSequenceExpression(expression))
        return;
    let body = []
    expression.expressions.forEach(
        express => {
            body.push(t.expressionStatement(express))
        }
    )
    path.replaceInline(body)
}

function del_setInterval(path) {
    // 将对象进行替换
    var node = path.node;//获取路径节点

    if (!t.isIdentifier(node.callee))//不是标识符则退出
        return;
    if (node.callee.name != 'setInterval') return;//不是定时器退出
    if (node.arguments.length !== 2) return;
    if (!t.isFunctionExpression(node.arguments[0]) || node.arguments[0].params.length !== 0) return;
    let InterNode = node.arguments[0].body.body[0];
    if (!t.isExpressionStatement(InterNode)) return;
    if (!t.isCallExpression(InterNode.expression)) return;
    if (!t.isIdentifier(InterNode.expression.callee)) return;
    let InterName = InterNode.expression.callee.name;
    let scope = path.scope;//获取路径的作用域
    let binding = scope.getBinding(InterName);//

    if (!binding || binding.constantViolations.length > 0) {//检查该变量的值是否被修改--一致性检测
        return;
    }

    let paths = binding.referencePaths;//绑定引用的路径

    // if(paths.length==0)return;//引用路径必须等于1
    let paths_sums = 0;//路径计数

    paths.map(function (refer_path) {
        let bindpath = refer_path.parentPath;//父路径
        let break_sign = true;//while循环控制

        while (break_sign) {
            try {
                bindpath.remove();//路径删除
                paths_sums += 1;//处理数+1
                break_sign = false;//while循环终止
            } catch (e) {
                bindpath = bindpath.parentPath;
            }
        }

    });
    if (paths_sums == paths.length) {//若绑定的每个路径都已处理 ，则移除当前路径
        path.remove();//删除路径
    }
}

function DelDebuger_one(path) {
    // 将对象进行替换
    var node = path.node;//获取路径节点
    if (!t.isCallExpression(node.init)) return;//回调表达式过滤
    if (node.init.arguments.length !== 0) return;//实参个数为0
    if (!t.isFunctionExpression(node.init.callee)) return;//函数表达式过滤
    if (node.init.callee.params.length !== 0) return;//形参个数过滤
    let varName = node.id.name;//定义的变量名称

    let scope = path.scope;//获取路径的作用域

    let binding = scope.getBinding(varName);//

    if (!binding || binding.constantViolations.length > 0) {//检查该变量的值是否被修改--一致性检测
        return;
    }

    let paths = binding.referencePaths;//绑定引用的路径
    // if(paths.length===0)return;//引用路径必须等于1
    let paths_sums = 0;//路径计数

    paths.map(function (refer_path) {
        let bindpath = refer_path.parentPath;//父路径
        let BinNode = bindpath.node;//获取路径节点
        if (!t.isCallExpression(BinNode)) return;//不是回调表达式，退出
        if (BinNode.arguments.length !== 2) return;//形参不等于2个
        if (!t.isThisExpression(BinNode.arguments[0])) return;//this表达式
        let thisname = BinNode.callee.name;//节点名称
        if (thisname !== varName) return;//二次确认，名称不等退出
        let break_sign = true;//while循环控制

        while (break_sign) {
            try {
                bindpath.remove();//路径删除
                paths_sums += 1;//处理数+1
                break_sign = false;//while循环终止
            } catch (e) {
                bindpath = bindpath.parentPath;
            }


        }
    });
    if (paths_sums == paths.length) {//若绑定的每个路径都已处理 ，则移除当前路径
        path.remove();//删除路径
    }
}

function DelDebuger_two(path) {
    //删减deugger未引用的函数
    var node = path.node;//获取路径节点

    let varName = node.id.name;//定义的变量名称

    let scope = path.scope;//获取路径的作用域
    let binding = scope.getBinding(varName);//

    if (!binding || binding.constantViolations.length > 0) {//检查该变量的值是否被修改--一致性检测
        return;
    }
    let paths = binding.referencePaths;//绑定引用的路径
    if (paths.length !== 0) return;//引用路径必须等于1

    path.remove();//删除路径


}

function AddObjPro(path) {
    if (t.isBinaryExpression(path.node.value)) {
        let BinNode = path.node.value;//属性节点
        if (!t.isBinaryExpression(BinNode)) return;//二相式表达式验证
        try {
            path.node.value = t.StringLiteral(eval(generator(BinNode).code));      // 值替换节点
        } catch (e) {
        }
    }
}

function delConvParam(path) {
    // 替换空参数的自执行方法为顺序语句
    let node = path.node;//路径节点
    let node_exp = node.expression;//节点表达式

    //回调表达式|一元表达式
    if (!t.isCallExpression(node_exp) && !t.isUnaryExpression(node_exp))
        return;
    //实参列表为空且长度不大于0
    if (node.expression.arguments !== undefined && node.expression.arguments.length > 0)
        return;
    if (t.isUnaryExpression(node_exp) && node_exp.operator == '!') {//第二种自执行修改为第一种类型
        node_exp = node_exp.argument;
    }
    if (t.isCallExpression(node_exp)) {//第一种自执行
        if (!t.isFunctionExpression(node_exp.callee))//函数表达式判断
            return;
        let paramsList = node_exp.callee.params//形参列表
        if (paramsList.length > 0) {
            paramsList.map(function (letname) {
                if (t.isIdentifier(letname)) {
                    //定义一个变量，并添加到结构体中
                    let varDec = t.VariableDeclarator(t.identifier(letname.name))//
                    let localAST = t.VariableDeclaration('var', [varDec]);//
                    node_exp.callee.body.body.unshift(localAST);//添加
                }
            })
        }
        // 替换节点
        path.replaceInline(node_exp.callee.body.body);
    }

}

function eval_constant(path) {
    // 常量计算
    if (path.type == "UnaryExpression") {
        const {operator, argument} = path.node;
        if (operator == "-" && t.isLiteral(argument)) {
            return;
        }
    }
    const {confident, value} = path.evaluate();
    // 无限计算则退出，如1/0与-(1/0)
    if (value == Infinity || value == -Infinity)
        return;
    confident && path.replaceWith(t.valueToNode(value));

}

function decry_str(ast) {
    //数字与字符还原
    traverse(ast, {
        'StringLiteral|NumericLiteral|DirectiveLiteral'(path) {//迭代字符串|迭代数组匹配--16进制文本还原
            delete path.node.extra; //删除节点的额外部分-触发原始值处理
        },
    });
    return ast;
}

五、解混淆完成

window["v14"] = "6a5fn834";
window["v142"] = "57649599571";

六、建议

在解混淆源码中，可以逐步一个个的开启功能解析
对比解析前后的情况，更好的明白每个功能解析达到的目的

jia666666

关注

7
点赞
踩
19

收藏

觉得还不错? 一键收藏
打赏
1
评论
AST反混淆实战-经典ob混淆

Ast实战：反混淆解析经典ob混淆一、混淆demo获取ob混淆源码来自猿人学14题https://match.yuanrenxue.com/api/match/14/mdemo.js//为便于阅读，仅进行格式化处理var $_0x5b3f = ['\x77\x34\x6a\x43\x68\x38\x4f\x4d', '\x77\x36\x44\x44\x6a\x6c\x34\x3d', '\x77\x71\x2f\x43\x67\x73\x4f\x74', '\x77\x37\x37\x
复制链接

扫一扫