AST还原实战|某reese84参数混淆代码还原分析

最新推荐文章于 2024-04-11 15:58:11 发布
最新推荐文章于 2024-04-11 15:58:11 发布
阅读量1.7k 收藏 6
点赞数
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq523176585/article/details/131990109
版权

关注它,不迷路。       

本文章中所有内容仅供学习交流,不可用于任何商业用途和非法用途,否则后果自负,如有侵权,请联系作者立即删除!

1. 需求分析

最近关于 reese84 参数的需求比较旺盛,主要是因为某个购票网站吧。

目标网站:

https://www.flyscoot.com/en

抓包可以看到有一个混淆代码的js:

5046788090fb7ee1d3d7798584ea4ee1.png

它由两个自执行函数组成,第二段混淆代码看变量名即可猜出是ob混淆,直接拿ob混淆一键还原脚步即可还原,因此不在本文研究的范围之内。

2. 思路详解

我们来分析第一段混淆代码:

3cbfc3f6e5de51d98f563276dd820c8b.png

可以看到,有很多的字符串被取子串,因此,我们写个插件将其还原即可。

还原核心其实只有一个,就是在 ast反混淆文件中拿到这些字符串即可。

这段代码也很好抠,直接把需要的代码抠出来即可:

var MC = [];
var Ur = 0;
var rt = [172, 165, 235, 228, 153, 223, 82, 241, 130, 34, 202, 224, 174, 83, 0, 175, 0, 26, 203, 83, 244].length;
var Dd = 0;
var G2 = "hoDG/7Y8pcXVPSM5SqtcylkyJLARBYGEfWw4bcwg+yU6w/DZiNk3pi4OhALGAa+7L0ub+mZ8B3AcCFwynizMR/1GgHR4bkqWcJiuiizbBxP46G9NyICH+DS8pQ7be571AGNXQtHrX6Q+yf+DLyWr3PmdfWb9Sa5Qt5bzaC0RhPXzLvT83MzbuyR1ySvZQwt1JOxOQcBDPS2yZgVVNV4wSq6dy9o2o69NvQMIgPL7rY2WPaezyyxZCls2ZO7NRP7IL7Q374zb/SR8B++eCBzz5CsOgP4IPPJ7qr9a+iKriS2ZDNh1ou7NRP7I/bK6bUof++Q6Bq5Xy1s25yyPBsCGPuqwZUEWedz1vyVVhtEtHebLvfa/NOvyIgYSfFo4SjCdDBHy6CxPg8DEfPK854TUeZ+zwSxYS911n29Nxf0FwPI8K4TaeiT9B3CbCJKwZixNSH3Hv3C7Ko4d+qJ7iS1cStm36SQRBX48tSwvZsjTOBy0hegTAVOuouRFgPU99+n6rY2fPaWwtl9RtxzzKSsPwMBDPS1q8Mld/Wa0QqaVf9EvoiaIfzY9d+626EKXNht1henQAp01HSzQSP0HbOVnIc1a++O7httOTNh3lq5OxQJDPjV3LAzacij9ySvah9m2nyzMR/6HPTI4ZsXVOmW7y/HZzJ20pC2QPP0EPnE85cQWtl0wQCMUxBt1JfBMhID+PzW6a0sd9+c5hyydB921I3BN90FEgfN7643bu2a7hiwUhtGrHapPCf+GPbQ4psib+qX7hzAYCJlzZi2QyYGDQXU97Q2e+mY5yyzbBxzy3/BNhbY9/bQ5L4meviJ7iS2dB1l1Z29NyUBF+emy5YJZd53zBK/dCZnyZzGQhwBEN/K3LI7buyJ8y/HRxNMipy2MSICIbOi7qkqbfaLofKxZikt1JexRBEHHgHQ5b0mc+1r5xyudStk3HCwRBP6HvLK2rkkfPSK4tt7WQ9AunudH/bqHPTY5bgraM9v0OWSRw1s2oyOQBUBEAXU55Q4d+2cxx+zYh9q06K7F/vq/N3V6rUtefiQ7SiycQlNuXSkRR/5F/3HoKozcv6Y6SufZCtgtpCsRyD1EwWQ4q0nd/Fg4yyuZi501Ja4Ixn1Iv679Kkzg+uX8ii2Z/Q2mk29Rxn5FObZ4rc1dPqI6AaeVARBxG+UIv/VGgHR4LIzXvyO8R2xbwhTvI/BMvYAILqL+KQ6ceyQ5wG/ZzN11pyzNBALEf/H65kMWt563/+ZRQtDsX+jIQHgAtOp0qUQWdVsyQShXxBPrHqREQDbC+ukyYH+eOiO9eSxZB9v0o25RRXwIAPN7qs1ZPiN9CG+ZR9l3oqrMBsJEfPH57gzaMls+hm7ZiNBzZi1PBsJEAPf0MEmdtmU4hmvdg51yKOzPSMFJffO4bUsev6Z0geQTABXz6CtRx/2IPXB7K47cPuN4B7BXhp1yJGcPx/+E7Ovzrkqf/2I6SvCd/524JPCPh3UIPXL4Kw2e+ma9STBXS9k3JW8Nyj7CuzC13Ejh+SP5iavZTNq3I27KisJEwDJ4pUwefWM6STBYCZq3pqRSSAIIf/Kv7syffiP8DPDZi9hqZyzRh7jGAfQ3bspdPt45yyvZS1j1KC0NBfg4Meqvro3bPyR7A+1cCBwzJG8+yf+DLyWr3PmdfWb9Sa5Qt5bzaC0RhPXzLvT83I3bACL7wu7YCBQlZyxSBMD///E4Zg7S++O7fm/YyVi1Iy2Q/K0IAKcr7A7atmUyy27aipR2JR0At/I4cKQsH32MOqN8+l6bihy3Zq7EtDG87DU4MEmdtuU4B2cLzVh1Jm8RSICDPLZ6K0zfeqXxy27ZzBt1o6nQBQBF+bI3rQzd/+d7BzDcCFSvHi5OR/6IPax2qBAZrFIx+t/RO40lF6uRBC06wHE468xaqpjtyi5LitmzJXAOg4FDgTQ3qgrbPqV8SiwcCJ01JCzQCYBGf3Q578kd/1v5B27aSNmzZjBSSIAIwPP5rkqeAN85CS3bjFs1HGlGgHx/NSpwJ4EW89tz/2dXxdDt6K+Hf/e/eOp0qUJT8h+xQSOThlEtHeREvnnHf/O4Lwye+2Y4CfCaiNo1oqrOhP8GvLR360bctaN7CCaUCJsyI/DMBcAGv3F6LztPLdboud+Iuo2mV9v/OLE37vF3q43bvyI9ySsdCFc2JHBOSL4JfXC2q82ZOg==";
var rT = window.atob(G2);
var m0 = rT.length;
var Xn = [];
while (Dd < m0) {
    var lp = rT.charCodeAt(Dd);
    Xn.push(lp);
    Dd += 1;
}
var gK = Xn;
var O0 = gK.length;
var Cd = [];
while (Ur < O0) {
    var FX = [172, 165, 235, 228, 153, 223, 82, 241, 130, 34, 202, 224, 174, 83, 0, 175, 0, 26, 203, 83, 244][Ur % rt] & 127;
    var Ok = gK[Ur];
    Cd.push((Ok + 256 - FX) % 256 ^ 128);
    Ur += 1;
}
var B4 = Cd;
var Vn = B4.length;
var kc = Vn - 1;
while (kc >= 0) {
    MC.push(B4[kc]);
    kc -= 1;
}
var vF = MC;
var A0 = vF.length;
var M7 = 131 % 7 + 1;
var Bc = 0;
var kU = [];
while (Bc < A0) {
    kU.push((vF[Bc] >> M7 | vF[Bc] << 8 - M7) & 255);
    Bc += 1;
}
function i9(oF, nc) {
    var Fd = oF;
    var wS = nc;
    return function() {
        var lJ = wS;
        var rc = Fd;
        rc ^= rc << 23;
        rc ^= rc >> 17;
        rc ^= lJ;
        rc ^= lJ >> 26;
        wS = rc;
        Fd = lJ;
        return (Fd + wS) % 4294967296;
    }
    ;
}
var sR = "qX7wf5UzCL9YFq4Pw/GSVC1jze5/dJM7BGWISsVUohQprForiBrT7oBGI13Z8ig2zz0FYuArtCPIdmDlKkfiQZumyAJOIIq2JzvbY0I//Cm2IN1nW+8fSddOkLrJA3c+lqQxKtZ+HSfJXvhIiRcRv2UCnSnCw5BgOmnSxF9VqQE/VJFY1128BjCkZAK+P/jKgkEoV/TARkqpECBNsGHjcoA8B6JFCqgLxvC/exFpwfctIcdKeBnhL6kk/kRz6gNCuXe3kf87TDmfojcqzGNXLeQVihbufELBN3DdSZOlzTFVLpehJw//RmQFxgqnLcZ2RdkWQNJziYXdN2IsoqMeOet6biHYIoAq4GtmyC961FaRsNUMUzuTsy4kw29YD8cMkRDqXF7KMHvdWJeW/yR2A6+ZFSjkSGo9/T24OdVjbvIeSfFmuIrvMFkngr85JON3ai/sJLwt2WNH2Slu0ESYrcAAaDGIuiEa7FRkD88GhC3dbFDOPkzlarGS/hJhGrKSCwH/TnIX1h6ZEOBTZOcJW/JzvIruNFsom+d+K9kxEiHuLrEhwHpq7x5d+36+hPY8US6Trx4D9V96HNkwrzjPdVXBM3DfT4W40DxQI6GWMA7QTXg17yO6LtRuT9c6cdxSiL7RPUk9jrglKdRmRSjhDIAN4Fdg4jRixUyNu88VegKwhxswz3YJbYh49lqzACC0UwepJ/vHqGoZdsj+bWWCOx5XiVjRXKo5CphzJYEOxfKRTSRM89BLWqoYJ06DUORzhTMAknwynS7l2rNyH3DaxFhUqCASb4ZLxVe6CzulQgq0N/3HqWMKZMbzdWiSPgp6klvAQbAbKppxJ4ge//SeUzBP8NdQTeJKfRzRBogB6xQlpksN+nnpi6Q3USKIqTgtyCoIaaR0yUG9CymvXxKrP/DXvHAFbtfhRke4ATNenUzkcoo5Do1rJ4MM0NezdRtk4sVpUJUWFVixQPRIlB8ZsGAXgifE3pl3KHfy9FRlmxQwV55I1V61DxikbwmOO9PfkHMnfNbBUFynGCdOh0X6epYmHI5/OJAR8tKxdxhw1PR0arBMaQ/REZ8VrActmXclnRLO+JlCJU3yxHlJkgkeSapD/Fm1DjelUhS1NvfDpGQUYcTyZ1upATFbkkTEc5o8QNQzVfputITrLUw4h7ciL/5Oag3FDosG3WVP0TpK6G+2kfM5SzWIsjQp3y4eYLlw72rEflyfcymTHPbAo2MOYcTyUl6gFShFh0vUVbwMP6NIGrUh3OKYXhNs3/9ncs8hPW2JYN9vlRomtlUBvC/j1blxFVDp1URVsgAlTI9DxU+jEySmQQ+zMv/JoGcDddv6Q1WCGx9erUXgTaIpH4dqLYpF3/zcSCde8MdAW+oLLEXYHsELpj1enz9Y/W+gh+41Wy6LmQEe6VBsEc0YlgDwTHf1GVTzM/nPunwMe9alPirNcFdkun78YZ8uCts6fZdFiq/WC2UWuL8ICPRHcgjKBpkcvgQ5vlgTtHSzgaloSHvX/1RAoTsNZKdBxU3pRHP0QgO/d6uZ8CZyBrWDGCPCcUkl6COtPZRnBNlga+B9vIvpInFF/NtOU58uCF+RUchIpxExpVIvkhzT8oJdOUb/z1pHsRk9d71+52aWPgiXYi+MCsj3kVc2XvDObkWCHw1MpF70QosDA7d8DZMgwNakXzFK5NBNeJ0vGnu4eOQv1G4Hm3p41lmUop9DNQ3+3QldoQs4Qp1R1xHmVnfpClj3dLuL5yRMBqORCgb2R3MJ0RW7OsZ1Qt4oZMdluJ/tNlcotYsNENBtUjvaDIkC+Eh//ApJwkedutMOewOtihsU4F5QNPc7qT7Fd0nXNFT1e7quxh1+DaK8HCb7cmInwDaZOPd3a98SdOFTuLz7Fl4IppQUGOVcbhXOA4EA/E9+/RpK9HWTpegTVwGplQwB/EVzD9cXiT7XeFjGIXf4fKaN4ylAKYywIinIe08k5yyiKNJ+RcYwYvpctafiAFQAmJQhEcdfazHvOKEq3E5z7BdB7n6/r9wBdwSpmx0M60R9NvY6nh7tUGH1AVfxcLud8T1cI7ydBBXpUHUI0zX+d4Q9HYNjJYEAjrbaEmIBuYIAWLMKewfeCpsW3C8Si2IjiB/U8Z10B3yZoj4V5VZwE8kNoCHZalDSPUzqa4O80hJhD42WKhXPTEkP0R2ZEelVbusHSvN+sa/7LFksj78kDPFEZhrjA6cR3FBO9gdgy1+FpMosSSeCozsi1GpSPcEKlRDWYVf5EkLte4qr3Rd7AKqMHRHtV3IU1gaLBu1dPaESVuw9s5TmCGkajLMcTb8NNUuGRMZWoRE3lXY=";
var Ra = window.atob(sR);
var kd = Ra.length;
var DS = [];
var tP = 0;
var LB = kU;
var hq = LB.length;
while (tP < hq) {
    var vr = LB[tP];
    var bz = window.String.fromCharCode(vr);
    DS.push(bz);
    tP += 1;
}
var tp = DS.join("");
var Cl = tp;
var NV = [];
var kz = 0;
var Lp = [172, 165, 235, 228, 153, 223, 82, 241, 130, 34, 202, 224, 174, 83, 0, 175, 0, 26, 203, 83, 244, 120, 147, 220, 81, 8].length;
var Zc = 0;
var pG = [];
while (Zc < kd) {
    var rQ = Ra.charCodeAt(Zc);
    pG.push(rQ);
    Zc += 1;
}
var o4 = pG;
var Og = [];
var Kt = 113;
var kB = o4.length;
while (kz < kB) {
    var Vi = [172, 165, 235, 228, 153, 223, 82, 241, 130, 34, 202, 224, 174, 83, 0, 175, 0, 26, 203, 83, 244, 120, 147, 220, 81, 8][kz % Lp];
    var E0 = o4[kz];
    var rv = Kt;
    Kt = E0;
    Og.push(E0 ^ Vi ^ rv);
    kz += 1;
}
var q1 = Og;
for (var Au in q1) {
    var gr = q1[Au];
    if (q1.hasOwnProperty(Au)) {
        NV.push(gr);
    }
}
var XA = NV;
var F6 = XA;
var Lt = F6.length;
var ht = 0;
while (ht + 1 < Lt) {
    var X9 = F6[ht];
    F6[ht] = F6[ht + 1];
    F6[ht + 1] = X9;
    ht += 2;
}
var M4 = F6;
var oU = M4.length;
var M9 = [];
var Oz = 0;
var In = "LG6Oqe2MLcwtrIxqaEopCoosbI6uLI1I7a7NjC3N7EjtD4mszI6t7a5urO2ujm6uzMwtD6xuqawtTi/tqikKiMjFCozMaI5OjWyN7W6sCiyODY7tqg4OrE5oLG6s6qkKjSwvrE7F6WgLbO3NjiwtzaxOiayOjqxO6O2ODS1sLI6OLGwNag0sjKxObqyNrM0trq2lrM4sja4sjqwOjSyOzO1OrakoC+vKKEorKcno68qoaIrpSmpuTmzKqEpqKenJSqjJiKhKqEqp6UvrqAuK646sD46uTqzrzC2NjqxO6yzNLW7tjk7tDi1s5EaMhaksbE7trayMLSzIjSxuDQosDqxOxaksbE7trayMLSzIjSxuDQosDqxO626sjazNLa6tji3NbqxOjkiszO1OrOushkYmTExGJyjsaO3Njk7tjcUo7GjtzY5O7Y3o6YoJKKnOrE6OrA8K7W4oTk4sL6krSikoiApK6YioCooJ60gpimrsrI4ojo5OLUyujqzsrI4KTu2O7Y4vDqzpzKzNLEyNrMqsTo6sDyiOjk4tTChOTiwvKE5OLC8sjo5OyqxOjqwPrm6sCk7t7E4srcwtjY1qji+NrCyujC3tTK7MzKxOiCyOLK0tzSxObG5uji+NrCxsjq4sjUjtrs2MLc3sSO0PKG5srM2O6qxM6IlGSqzNjKxOLc3saO3NjqwPjqtri64GBgcGpYuuyMjIyKuOLa2sao4srQ6NrM3sjg2NLM3srizsrG6sTi3MjS3NbQpO7exOLK2sD46sTs0sjSmtLOysra6Nji0OjS+N";
var e_ = window.atob(In);
var Gx = e_.length;
var rh = [];
while (Oz < Gx) {
    var c4 = e_.charCodeAt(Oz);
    rh.push(c4);
    Oz += 1;
}
var oS = rh;
var Na = 0;
var IB = 172 % 7 + 1;
var Yf = [];
var IV = oS.length;
var rH = 0;
while (rH < IV) {
    Yf.push((oS[rH] >> IB | oS[rH] << 8 - IB) & 255);
    rH += 1;
}
var kS = Yf;
var K6 = kS.length;
var u3 = 0;
var Ih = [];
var AV = 131 % K6;
while (u3 < K6) {
    Ih.push(kS[(u3 + K6 - AV) % K6]);
    u3 += 1;
}
var tL = Ih;
var f5 = tL.length;
while (Na < f5) {
    var sk = tL[Na];
    var Az = window.String.fromCharCode(sk);
    M9.push(Az);
    Na += 1;
}
var Lu = M9.join("");
var Df = Lu;
function Tf(UC, B6) {
    return UC[Cl.substr(1055, 9)](UC[Df.substr(79, 6)] - B6[Df.substr(79, 6)]) === B6;
}
var aY = [];
var Wd = 0;
var DQ = 131 % oU;
var bP = 0;
var Ky = [];
while (bP < oU) {
    Ky.push(M4[(bP + oU - DQ) % oU]);
    bP += 1;
}
var Hn = Ky;
var Tr = Hn.length;
while (Wd < Tr) {
    var TX = Hn[Wd];
    var h3 = window.String.fromCharCode(TX);
    aY.push(h3);
    Wd += 1;
}
var Ia = aY.join("");
var hQ = Ia;
var Bq = new window[hQ.substr(434, 6)](Cl.substr(1, 2),Cl.substr(3, 1));
var hA = new window[hQ.substr(434, 6)](Df.substr(55, 15),Cl.substr(3, 1));
var pN = new window[hQ.substr(434, 6)](hQ.substr(178, 2),Cl.substr(3, 1));
var aV = 0;
var v4 = [131, 172, 165, 235, 228, 153, 223, 82, 241, 130, 34, 202, 224, 174, 83, 0, 175, 0, 26].length;
var QA = 113;
var Vp = [];
var tk = 0;
var gC = [203, 83, 244, 120, 147, 220, 81, 8, 240, 11, 230, 196, 19, 254, 37, 70, 53, 69, 36, 149, 28, 255].length;
var xw = 0;
var Cr = [43, 168, 153, 221, 57, 88, 20, 27, 198, 141, 39, 227, 194, 202, 134, 113, 42, 255, 12, 184, 23].length;
var tZ = 113;
var MS = [];
var oE = [];
var cz = 0;
var NE = "O7ulfVNf0b0w/QL4WZ3HvKn/wsJNXYXn8bgNs6djId5JC6Q+b6wl9840aPA/akXX6ennm7r2kBXDuKic7H5btbW5JxjL92gcHjnR5EjTgFWMvZEuAIRr6UTA9q5BGGt8MQtdbFmFPtHHDMfjrlKLo7gUtb44WTtu/l1Y1gMjrfbe28tMMnsmzm/cSEUwYGdIesO5Kt5MPuKm1J2gqt1rE+VX6h4m/uG585phhY/XQzavIypbmVG3So4+vSLV+sel0NHuMjRH5ZH6Xuhp8CdzHdHg/SEv2arxSB84tBb77PU0FOkXnc+iU+EJoDdPO6BrblxInitPD2DiHnmDKHp6OxW30idkgOpiqnNtQ1NZ0IFRF94Wl9of8CyqeDWTE5cHzN1ojd3RlvTs/aFLdLF4LIPckjYEkQp3x9WQFx2AEu7sUTA5wfA/D4cbLIAtK9M7rVRdc6XW3JTQRPYUkxAzkeYJtlKmZm3LpTO4Ug7o7NMTbx12iN+gz5qnZjD2/rhuuIogT37Bj3anApwMhZUzT4MPtji5QABmdipDhyvZOr6js5CPE+QXMlYYGofDnPZvXpa8iD1dDpLpPFG7iAVNonN7bst0t3sYyhBzdLCC/NpveVQXUpkBB5INkX5y7ZyT5qlenDaW9vKLEKDuPqr9506dh6kcd2sWbcwEAMPSlih+KoW/wRzavkPQJ1cJjVYprbzA68VUWL/E5eH/FuOMkR4VKCjb64PoTzOOVxMIyGHFgff3kEYc5kcGShIzZugn4rSFP2JoYkR4f7cWcZtZSyUEjJEHH/FZMyPanx4DD+19FSWDwVNT3Am706IhESFCQi0R4tToiyE02w0x/pc1ZvXOJNypU5TcevCCu1GEvitK+95P3RkQYS5ErhKREgUv6prdL204GiWfOAbv4jndizUNhxMMvzG3T1Y8/IoM/Nens+l6guk1d9c2oRK7z4UQHtWYqgWU5Nz88HdAEB2ST6TKbNgVzGNdiWceiAJEwNZ/TZCnR0OTTgSjPQJePk/hmpma47cnK4A5I0drfaizud8ipywuDLxzThk0xHWHCgVfXc5qVtuwl9TsEwF5BLPCeNhEg3J3ep3ceN5dtbgBmdfmdGwc8onWdDbZDzEbrU6jT3Jh30akcC7Aqc8rPZnY2QK/WSxqi7pITSdJroIfKvCYnORgrOJSKPmRRw72vK5Z7a2/SQvq0sYsuOQNq4T3rWX8WBx/ZQlQ1SI1YolUgOQmlUpucPX6btWpSahnG0Fl6NpFw8oa+CQ7bPeZPmI6F+JYQivp+ahj+G9C04grY75JtHy5xWcnSeck/BH+pZlWBJg8Yypedjmr0PuHxdENpL8PgzK8vwcSdyIoQ5PHg02JAX779CUR8kwRrzrmUkiGgZ0V7N4IXJit6ogKUtjVuOKNgNM07pOkeJVa2GUjg9wxZIL8oP3elED4Nkd3oT4BIpp6+XmcTE0tX0695xaeFtjXfZ0aQqbDg2C6kkWZqTH/xxxnjibgT0bcQ4N1DV33JMGBBNOGdSg6bNjIdgRL7b6VTKSmK83EFzRaQyX6/zLYzNVPaW3YzLBfuRxq5i6kNquHF9zB1Q0ahQmrMFQ82sTkzi1JEcNbxaabZHE1JcsRRX2fQR36CWoKgNOE+HaqTskME4c3HzEfO1cKLwYeH5U4BXSYvogBC4ilRJtpoSlZMAVszIb8cWHP+HG+FlCJIpyS6BKrLnfW9+9ilQA/H2hUxzm0xyUCbBm5J60l+oxdK9V6yEgia8Gjjk4WlWUt5mfgKjWDTy85Sy+316y/a545XROf9xwLq5tsBLwcuKuZ5ZDM2lCqODARmhcpeeDWn8ZpY7WfhwrRtQkFm9aj3G+qPltu4DQiw6ltqQVTLfmC/q2OXnmpmgoN5roRNX3rIKccH66AdyqoGyAmQv4/HSlIAVB6CL8px0VxWvAoEUnHVuCwQj5dV3e+aEhSeLLyVfPiUdCfAA5bK3tJFEy61Cv0YZGhTTgq4U4i+9KKtcaTe76JEb+ryLtMFBca7saBQU5P6s6PguNFEfdsqcVz9au68ras659DYqkUVuWTeUqf70s57Z4/elEU0zoA021HyzZ6hC0Z0kT0WIafWcF92GzvP9JHnTJMnC43I/tHUlwwWDrs+3vd0OOv6EDjRxqNi0CzNe9FNJ+mSj+7DyyqOPfHYwKiVjnmsTrOh1DORL9/BKHPtPjyq55Gng8EYjwVCV/qA5SfYzRf6oQIHCQAL/nr1t3LxwBRXw0l2SUUnWPe3a5lmfnHwG8OYMg1yNcMDu4M43r0WputETaPshbmyb5N50SfBAA52tAquDChKwSZW4tJcXGuF3URdbcVOnUawFEIBmGIUMFlwt1L0iSua3mwAqmBwUlseu9J8g4t334uXt1UqNCgeKxmmm86sH1jnSzg7ss1bQLAk8sFa5ix7z9ObULiVcHJnTQVUYvKfeb/6N5pmaDbux6J+CuEGbGtePpaOopNFWWbwpcP42l1GgsfW2RgBz8JKb0zcbHJ+2DmdoPQMql94+E=";
var IA = window.atob(NE);
var ld = IA.length;
while (cz < ld) {
    var Id = IA.charCodeAt(cz);
    oE.push(Id);
    cz += 1;
}
var wh = oE;
var RN = wh.length;
while (xw < RN) {
    var Db = [43, 168, 153, 221, 57, 88, 20, 27, 198, 141, 39, 227, 194, 202, 134, 113, 42, 255, 12, 184, 23][xw % Cr];
    var fE = tZ;
    var GN = wh[xw];
    tZ = GN;
    MS.push(GN ^ Db ^ fE);
    xw += 1;
}
var kY = MS;
var mI = kY.length;
while (tk < mI) {
    var b4 = [203, 83, 244, 120, 147, 220, 81, 8, 240, 11, 230, 196, 19, 254, 37, 70, 53, 69, 36, 149, 28, 255][tk % gC] & 127;
    var HY = kY[tk];
    Vp.push((HY + 256 - b4) % 256 ^ 128);
    tk += 1;
}
var JG = Vp;
var wY = JG.length;
var Ud = [];
while (aV < wY) {
    var dB = [131, 172, 165, 235, 228, 153, 223, 82, 241, 130, 34, 202, 224, 174, 83, 0, 175, 0, 26][aV % v4];
    var bT = JG[aV];
    var EZ = QA;
    QA = bT;
    Ud.push(bT ^ dB ^ EZ);
    aV += 1;
}
var A_ = Ud;
var dM = 0;
var rB = A_.length;
var Hw = [];
while (dM < rB) {
    var XN = A_[dM];
    var ez = window.String.fromCharCode(XN);
    Hw.push(ez);
    dM += 1;
}
var xV = Hw.join("");
var AX = xV;

控制台运行,看看是否能拿到:

3fa20600c01c3e53ac4a2299424eb9fd.png

确实很轻松就拿到了。

3. 代码源码:

代码写下来很简单,只需要将上面的代码复制到ast反混淆文件里即可,然后遍历 CallExpression 类型,过滤一些条件即可,代码如下:

const fs            = require('fs');
const types         = require("@babel/types");
const parser        = require("@babel/parser");
const traverse      = require("@babel/traverse").default;
const generator     = require("@babel/generator").default;
const template      = require("@babel/template").default;


//js混淆代码读取
process.argv.length > 2 ? encodeFile = process.argv[2]: encodeFile ="./encode.js";
process.argv.length > 3 ? decodeFile = process.argv[3]: decodeFile ="./decodeResult.js";


//将源代码解析为AST
let sourceCode = fs.readFileSync(encodeFile, {encoding: "utf-8"});


let ast    = parser.parse(sourceCode);




console.time("处理完毕,耗时");




window = global;
var MC = [];
var Ur = 0;
var rt = [172, 165, 235, 228, 153, 223, 82, 241, 130, 34, 202, 224, 174, 83, 0, 175, 0, 26, 203, 83, 244].length;
var Dd = 0;
var G2 = "hoDG/7Y8pcXVPSM5SqtcylkyJLARBYGEfWw4bcwg+yU6w/DZiNk3pi4OhALGAa+7L0ub+mZ8B3AcCFwynizMR/1GgHR4bkqWcJiuiizbBxP46G9NyICH+DS8pQ7be571AGNXQtHrX6Q+yf+DLyWr3PmdfWb9Sa5Qt5bzaC0RhPXzLvT83MzbuyR1ySvZQwt1JOxOQcBDPS2yZgVVNV4wSq6dy9o2o69NvQMIgPL7rY2WPaezyyxZCls2ZO7NRP7IL7Q374zb/SR8B++eCBzz5CsOgP4IPPJ7qr9a+iKriS2ZDNh1ou7NRP7I/bK6bUof++Q6Bq5Xy1s25yyPBsCGPuqwZUEWedz1vyVVhtEtHebLvfa/NOvyIgYSfFo4SjCdDBHy6CxPg8DEfPK854TUeZ+zwSxYS911n29Nxf0FwPI8K4TaeiT9B3CbCJKwZixNSH3Hv3C7Ko4d+qJ7iS1cStm36SQRBX48tSwvZsjTOBy0hegTAVOuouRFgPU99+n6rY2fPaWwtl9RtxzzKSsPwMBDPS1q8Mld/Wa0QqaVf9EvoiaIfzY9d+626EKXNht1henQAp01HSzQSP0HbOVnIc1a++O7httOTNh3lq5OxQJDPjV3LAzacij9ySvah9m2nyzMR/6HPTI4ZsXVOmW7y/HZzJ20pC2QPP0EPnE85cQWtl0wQCMUxBt1JfBMhID+PzW6a0sd9+c5hyydB921I3BN90FEgfN7643bu2a7hiwUhtGrHapPCf+GPbQ4psib+qX7hzAYCJlzZi2QyYGDQXU97Q2e+mY5yyzbBxzy3/BNhbY9/bQ5L4meviJ7iS2dB1l1Z29NyUBF+emy5YJZd53zBK/dCZnyZzGQhwBEN/K3LI7buyJ8y/HRxNMipy2MSICIbOi7qkqbfaLofKxZikt1JexRBEHHgHQ5b0mc+1r5xyudStk3HCwRBP6HvLK2rkkfPSK4tt7WQ9AunudH/bqHPTY5bgraM9v0OWSRw1s2oyOQBUBEAXU55Q4d+2cxx+zYh9q06K7F/vq/N3V6rUtefiQ7SiycQlNuXSkRR/5F/3HoKozcv6Y6SufZCtgtpCsRyD1EwWQ4q0nd/Fg4yyuZi501Ja4Ixn1Iv679Kkzg+uX8ii2Z/Q2mk29Rxn5FObZ4rc1dPqI6AaeVARBxG+UIv/VGgHR4LIzXvyO8R2xbwhTvI/BMvYAILqL+KQ6ceyQ5wG/ZzN11pyzNBALEf/H65kMWt563/+ZRQtDsX+jIQHgAtOp0qUQWdVsyQShXxBPrHqREQDbC+ukyYH+eOiO9eSxZB9v0o25RRXwIAPN7qs1ZPiN9CG+ZR9l3oqrMBsJEfPH57gzaMls+hm7ZiNBzZi1PBsJEAPf0MEmdtmU4hmvdg51yKOzPSMFJffO4bUsev6Z0geQTABXz6CtRx/2IPXB7K47cPuN4B7BXhp1yJGcPx/+E7Ovzrkqf/2I6SvCd/524JPCPh3UIPXL4Kw2e+ma9STBXS9k3JW8Nyj7CuzC13Ejh+SP5iavZTNq3I27KisJEwDJ4pUwefWM6STBYCZq3pqRSSAIIf/Kv7syffiP8DPDZi9hqZyzRh7jGAfQ3bspdPt45yyvZS1j1KC0NBfg4Meqvro3bPyR7A+1cCBwzJG8+yf+DLyWr3PmdfWb9Sa5Qt5bzaC0RhPXzLvT83I3bACL7wu7YCBQlZyxSBMD///E4Zg7S++O7fm/YyVi1Iy2Q/K0IAKcr7A7atmUyy27aipR2JR0At/I4cKQsH32MOqN8+l6bihy3Zq7EtDG87DU4MEmdtuU4B2cLzVh1Jm8RSICDPLZ6K0zfeqXxy27ZzBt1o6nQBQBF+bI3rQzd/+d7BzDcCFSvHi5OR/6IPax2qBAZrFIx+t/RO40lF6uRBC06wHE468xaqpjtyi5LitmzJXAOg4FDgTQ3qgrbPqV8SiwcCJ01JCzQCYBGf3Q578kd/1v5B27aSNmzZjBSSIAIwPP5rkqeAN85CS3bjFs1HGlGgHx/NSpwJ4EW89tz/2dXxdDt6K+Hf/e/eOp0qUJT8h+xQSOThlEtHeREvnnHf/O4Lwye+2Y4CfCaiNo1oqrOhP8GvLR360bctaN7CCaUCJsyI/DMBcAGv3F6LztPLdboud+Iuo2mV9v/OLE37vF3q43bvyI9ySsdCFc2JHBOSL4JfXC2q82ZOg==";
var rT = window.atob(G2);
var m0 = rT.length;
var Xn = [];
while (Dd < m0) {
    var lp = rT.charCodeAt(Dd);
    Xn.push(lp);
    Dd += 1;
}
var gK = Xn;
var O0 = gK.length;
var Cd = [];
while (Ur < O0) {
    var FX = [172, 165, 235, 228, 153, 223, 82, 241, 130, 34, 202, 224, 174, 83, 0, 175, 0, 26, 203, 83, 244][Ur % rt] & 127;
    var Ok = gK[Ur];
    Cd.push((Ok + 256 - FX) % 256 ^ 128);
    Ur += 1;
}
var B4 = Cd;
var Vn = B4.length;
var kc = Vn - 1;
while (kc >= 0) {
    MC.push(B4[kc]);
    kc -= 1;
}
var vF = MC;
var A0 = vF.length;
var M7 = 131 % 7 + 1;
var Bc = 0;
var kU = [];
while (Bc < A0) {
    kU.push((vF[Bc] >> M7 | vF[Bc] << 8 - M7) & 255);
    Bc += 1;
}
function i9(oF, nc) {
    var Fd = oF;
    var wS = nc;
    return function() {
        var lJ = wS;
        var rc = Fd;
        rc ^= rc << 23;
        rc ^= rc >> 17;
        rc ^= lJ;
        rc ^= lJ >> 26;
        wS = rc;
        Fd = lJ;
        return (Fd + wS) % 4294967296;
    }
    ;
}
var sR = "qX7wf5UzCL9YFq4Pw/GSVC1jze5/dJM7BGWISsVUohQprForiBrT7oBGI13Z8ig2zz0FYuArtCPIdmDlKkfiQZumyAJOIIq2JzvbY0I//Cm2IN1nW+8fSddOkLrJA3c+lqQxKtZ+HSfJXvhIiRcRv2UCnSnCw5BgOmnSxF9VqQE/VJFY1128BjCkZAK+P/jKgkEoV/TARkqpECBNsGHjcoA8B6JFCqgLxvC/exFpwfctIcdKeBnhL6kk/kRz6gNCuXe3kf87TDmfojcqzGNXLeQVihbufELBN3DdSZOlzTFVLpehJw//RmQFxgqnLcZ2RdkWQNJziYXdN2IsoqMeOet6biHYIoAq4GtmyC961FaRsNUMUzuTsy4kw29YD8cMkRDqXF7KMHvdWJeW/yR2A6+ZFSjkSGo9/T24OdVjbvIeSfFmuIrvMFkngr85JON3ai/sJLwt2WNH2Slu0ESYrcAAaDGIuiEa7FRkD88GhC3dbFDOPkzlarGS/hJhGrKSCwH/TnIX1h6ZEOBTZOcJW/JzvIruNFsom+d+K9kxEiHuLrEhwHpq7x5d+36+hPY8US6Trx4D9V96HNkwrzjPdVXBM3DfT4W40DxQI6GWMA7QTXg17yO6LtRuT9c6cdxSiL7RPUk9jrglKdRmRSjhDIAN4Fdg4jRixUyNu88VegKwhxswz3YJbYh49lqzACC0UwepJ/vHqGoZdsj+bWWCOx5XiVjRXKo5CphzJYEOxfKRTSRM89BLWqoYJ06DUORzhTMAknwynS7l2rNyH3DaxFhUqCASb4ZLxVe6CzulQgq0N/3HqWMKZMbzdWiSPgp6klvAQbAbKppxJ4ge//SeUzBP8NdQTeJKfRzRBogB6xQlpksN+nnpi6Q3USKIqTgtyCoIaaR0yUG9CymvXxKrP/DXvHAFbtfhRke4ATNenUzkcoo5Do1rJ4MM0NezdRtk4sVpUJUWFVixQPRIlB8ZsGAXgifE3pl3KHfy9FRlmxQwV55I1V61DxikbwmOO9PfkHMnfNbBUFynGCdOh0X6epYmHI5/OJAR8tKxdxhw1PR0arBMaQ/REZ8VrActmXclnRLO+JlCJU3yxHlJkgkeSapD/Fm1DjelUhS1NvfDpGQUYcTyZ1upATFbkkTEc5o8QNQzVfputITrLUw4h7ciL/5Oag3FDosG3WVP0TpK6G+2kfM5SzWIsjQp3y4eYLlw72rEflyfcymTHPbAo2MOYcTyUl6gFShFh0vUVbwMP6NIGrUh3OKYXhNs3/9ncs8hPW2JYN9vlRomtlUBvC/j1blxFVDp1URVsgAlTI9DxU+jEySmQQ+zMv/JoGcDddv6Q1WCGx9erUXgTaIpH4dqLYpF3/zcSCde8MdAW+oLLEXYHsELpj1enz9Y/W+gh+41Wy6LmQEe6VBsEc0YlgDwTHf1GVTzM/nPunwMe9alPirNcFdkun78YZ8uCts6fZdFiq/WC2UWuL8ICPRHcgjKBpkcvgQ5vlgTtHSzgaloSHvX/1RAoTsNZKdBxU3pRHP0QgO/d6uZ8CZyBrWDGCPCcUkl6COtPZRnBNlga+B9vIvpInFF/NtOU58uCF+RUchIpxExpVIvkhzT8oJdOUb/z1pHsRk9d71+52aWPgiXYi+MCsj3kVc2XvDObkWCHw1MpF70QosDA7d8DZMgwNakXzFK5NBNeJ0vGnu4eOQv1G4Hm3p41lmUop9DNQ3+3QldoQs4Qp1R1xHmVnfpClj3dLuL5yRMBqORCgb2R3MJ0RW7OsZ1Qt4oZMdluJ/tNlcotYsNENBtUjvaDIkC+Eh//ApJwkedutMOewOtihsU4F5QNPc7qT7Fd0nXNFT1e7quxh1+DaK8HCb7cmInwDaZOPd3a98SdOFTuLz7Fl4IppQUGOVcbhXOA4EA/E9+/RpK9HWTpegTVwGplQwB/EVzD9cXiT7XeFjGIXf4fKaN4ylAKYywIinIe08k5yyiKNJ+RcYwYvpctafiAFQAmJQhEcdfazHvOKEq3E5z7BdB7n6/r9wBdwSpmx0M60R9NvY6nh7tUGH1AVfxcLud8T1cI7ydBBXpUHUI0zX+d4Q9HYNjJYEAjrbaEmIBuYIAWLMKewfeCpsW3C8Si2IjiB/U8Z10B3yZoj4V5VZwE8kNoCHZalDSPUzqa4O80hJhD42WKhXPTEkP0R2ZEelVbusHSvN+sa/7LFksj78kDPFEZhrjA6cR3FBO9gdgy1+FpMosSSeCozsi1GpSPcEKlRDWYVf5EkLte4qr3Rd7AKqMHRHtV3IU1gaLBu1dPaESVuw9s5TmCGkajLMcTb8NNUuGRMZWoRE3lXY=";
var Ra = window.atob(sR);
var kd = Ra.length;
var DS = [];
var tP = 0;
var LB = kU;
var hq = LB.length;
while (tP < hq) {
    var vr = LB[tP];
    var bz = window.String.fromCharCode(vr);
    DS.push(bz);
    tP += 1;
}
var tp = DS.join("");
var Cl = tp;
var NV = [];
var kz = 0;
var Lp = [172, 165, 235, 228, 153, 223, 82, 241, 130, 34, 202, 224, 174, 83, 0, 175, 0, 26, 203, 83, 244, 120, 147, 220, 81, 8].length;
var Zc = 0;
var pG = [];
while (Zc < kd) {
    var rQ = Ra.charCodeAt(Zc);
    pG.push(rQ);
    Zc += 1;
}
var o4 = pG;
var Og = [];
var Kt = 113;
var kB = o4.length;
while (kz < kB) {
    var Vi = [172, 165, 235, 228, 153, 223, 82, 241, 130, 34, 202, 224, 174, 83, 0, 175, 0, 26, 203, 83, 244, 120, 147, 220, 81, 8][kz % Lp];
    var E0 = o4[kz];
    var rv = Kt;
    Kt = E0;
    Og.push(E0 ^ Vi ^ rv);
    kz += 1;
}
var q1 = Og;
for (var Au in q1) {
    var gr = q1[Au];
    if (q1.hasOwnProperty(Au)) {
        NV.push(gr);
    }
}
var XA = NV;
var F6 = XA;
var Lt = F6.length;
var ht = 0;
while (ht + 1 < Lt) {
    var X9 = F6[ht];
    F6[ht] = F6[ht + 1];
    F6[ht + 1] = X9;
    ht += 2;
}
var M4 = F6;
var oU = M4.length;
var M9 = [];
var Oz = 0;
var In = "LG6Oqe2MLcwtrIxqaEopCoosbI6uLI1I7a7NjC3N7EjtD4mszI6t7a5urO2ujm6uzMwtD6xuqawtTi/tqikKiMjFCozMaI5OjWyN7W6sCiyODY7tqg4OrE5oLG6s6qkKjSwvrE7F6WgLbO3NjiwtzaxOiayOjqxO6O2ODS1sLI6OLGwNag0sjKxObqyNrM0trq2lrM4sja4sjqwOjSyOzO1OrakoC+vKKEorKcno68qoaIrpSmpuTmzKqEpqKenJSqjJiKhKqEqp6UvrqAuK646sD46uTqzrzC2NjqxO6yzNLW7tjk7tDi1s5EaMhaksbE7trayMLSzIjSxuDQosDqxOxaksbE7trayMLSzIjSxuDQosDqxO626sjazNLa6tji3NbqxOjkiszO1OrOushkYmTExGJyjsaO3Njk7tjcUo7GjtzY5O7Y3o6YoJKKnOrE6OrA8K7W4oTk4sL6krSikoiApK6YioCooJ60gpimrsrI4ojo5OLUyujqzsrI4KTu2O7Y4vDqzpzKzNLEyNrMqsTo6sDyiOjk4tTChOTiwvKE5OLC8sjo5OyqxOjqwPrm6sCk7t7E4srcwtjY1qji+NrCyujC3tTK7MzKxOiCyOLK0tzSxObG5uji+NrCxsjq4sjUjtrs2MLc3sSO0PKG5srM2O6qxM6IlGSqzNjKxOLc3saO3NjqwPjqtri64GBgcGpYuuyMjIyKuOLa2sao4srQ6NrM3sjg2NLM3srizsrG6sTi3MjS3NbQpO7exOLK2sD46sTs0sjSmtLOysra6Nji0OjS+N";
var e_ = window.atob(In);
var Gx = e_.length;
var rh = [];
while (Oz < Gx) {
    var c4 = e_.charCodeAt(Oz);
    rh.push(c4);
    Oz += 1;
}
var oS = rh;
var Na = 0;
var IB = 172 % 7 + 1;
var Yf = [];
var IV = oS.length;
var rH = 0;
while (rH < IV) {
    Yf.push((oS[rH] >> IB | oS[rH] << 8 - IB) & 255);
    rH += 1;
}
var kS = Yf;
var K6 = kS.length;
var u3 = 0;
var Ih = [];
var AV = 131 % K6;
while (u3 < K6) {
    Ih.push(kS[(u3 + K6 - AV) % K6]);
    u3 += 1;
}
var tL = Ih;
var f5 = tL.length;
while (Na < f5) {
    var sk = tL[Na];
    var Az = window.String.fromCharCode(sk);
    M9.push(Az);
    Na += 1;
}
var Lu = M9.join("");
var Df = Lu;
function Tf(UC, B6) {
    return UC[Cl.substr(1055, 9)](UC[Df.substr(79, 6)] - B6[Df.substr(79, 6)]) === B6;
}
var aY = [];
var Wd = 0;
var DQ = 131 % oU;
var bP = 0;
var Ky = [];
while (bP < oU) {
    Ky.push(M4[(bP + oU - DQ) % oU]);
    bP += 1;
}
var Hn = Ky;
var Tr = Hn.length;
while (Wd < Tr) {
    var TX = Hn[Wd];
    var h3 = window.String.fromCharCode(TX);
    aY.push(h3);
    Wd += 1;
}
var Ia = aY.join("");
var hQ = Ia;
var Bq = new window[hQ.substr(434, 6)](Cl.substr(1, 2),Cl.substr(3, 1));
var hA = new window[hQ.substr(434, 6)](Df.substr(55, 15),Cl.substr(3, 1));
var pN = new window[hQ.substr(434, 6)](hQ.substr(178, 2),Cl.substr(3, 1));
var aV = 0;
var v4 = [131, 172, 165, 235, 228, 153, 223, 82, 241, 130, 34, 202, 224, 174, 83, 0, 175, 0, 26].length;
var QA = 113;
var Vp = [];
var tk = 0;
var gC = [203, 83, 244, 120, 147, 220, 81, 8, 240, 11, 230, 196, 19, 254, 37, 70, 53, 69, 36, 149, 28, 255].length;
var xw = 0;
var Cr = [43, 168, 153, 221, 57, 88, 20, 27, 198, 141, 39, 227, 194, 202, 134, 113, 42, 255, 12, 184, 23].length;
var tZ = 113;
var MS = [];
var oE = [];
var cz = 0;
var NE = "O7ulfVNf0b0w/QL4WZ3HvKn/wsJNXYXn8bgNs6djId5JC6Q+b6wl9840aPA/akXX6ennm7r2kBXDuKic7H5btbW5JxjL92gcHjnR5EjTgFWMvZEuAIRr6UTA9q5BGGt8MQtdbFmFPtHHDMfjrlKLo7gUtb44WTtu/l1Y1gMjrfbe28tMMnsmzm/cSEUwYGdIesO5Kt5MPuKm1J2gqt1rE+VX6h4m/uG585phhY/XQzavIypbmVG3So4+vSLV+sel0NHuMjRH5ZH6Xuhp8CdzHdHg/SEv2arxSB84tBb77PU0FOkXnc+iU+EJoDdPO6BrblxInitPD2DiHnmDKHp6OxW30idkgOpiqnNtQ1NZ0IFRF94Wl9of8CyqeDWTE5cHzN1ojd3RlvTs/aFLdLF4LIPckjYEkQp3x9WQFx2AEu7sUTA5wfA/D4cbLIAtK9M7rVRdc6XW3JTQRPYUkxAzkeYJtlKmZm3LpTO4Ug7o7NMTbx12iN+gz5qnZjD2/rhuuIogT37Bj3anApwMhZUzT4MPtji5QABmdipDhyvZOr6js5CPE+QXMlYYGofDnPZvXpa8iD1dDpLpPFG7iAVNonN7bst0t3sYyhBzdLCC/NpveVQXUpkBB5INkX5y7ZyT5qlenDaW9vKLEKDuPqr9506dh6kcd2sWbcwEAMPSlih+KoW/wRzavkPQJ1cJjVYprbzA68VUWL/E5eH/FuOMkR4VKCjb64PoTzOOVxMIyGHFgff3kEYc5kcGShIzZugn4rSFP2JoYkR4f7cWcZtZSyUEjJEHH/FZMyPanx4DD+19FSWDwVNT3Am706IhESFCQi0R4tToiyE02w0x/pc1ZvXOJNypU5TcevCCu1GEvitK+95P3RkQYS5ErhKREgUv6prdL204GiWfOAbv4jndizUNhxMMvzG3T1Y8/IoM/Nens+l6guk1d9c2oRK7z4UQHtWYqgWU5Nz88HdAEB2ST6TKbNgVzGNdiWceiAJEwNZ/TZCnR0OTTgSjPQJePk/hmpma47cnK4A5I0drfaizud8ipywuDLxzThk0xHWHCgVfXc5qVtuwl9TsEwF5BLPCeNhEg3J3ep3ceN5dtbgBmdfmdGwc8onWdDbZDzEbrU6jT3Jh30akcC7Aqc8rPZnY2QK/WSxqi7pITSdJroIfKvCYnORgrOJSKPmRRw72vK5Z7a2/SQvq0sYsuOQNq4T3rWX8WBx/ZQlQ1SI1YolUgOQmlUpucPX6btWpSahnG0Fl6NpFw8oa+CQ7bPeZPmI6F+JYQivp+ahj+G9C04grY75JtHy5xWcnSeck/BH+pZlWBJg8Yypedjmr0PuHxdENpL8PgzK8vwcSdyIoQ5PHg02JAX779CUR8kwRrzrmUkiGgZ0V7N4IXJit6ogKUtjVuOKNgNM07pOkeJVa2GUjg9wxZIL8oP3elED4Nkd3oT4BIpp6+XmcTE0tX0695xaeFtjXfZ0aQqbDg2C6kkWZqTH/xxxnjibgT0bcQ4N1DV33JMGBBNOGdSg6bNjIdgRL7b6VTKSmK83EFzRaQyX6/zLYzNVPaW3YzLBfuRxq5i6kNquHF9zB1Q0ahQmrMFQ82sTkzi1JEcNbxaabZHE1JcsRRX2fQR36CWoKgNOE+HaqTskME4c3HzEfO1cKLwYeH5U4BXSYvogBC4ilRJtpoSlZMAVszIb8cWHP+HG+FlCJIpyS6BKrLnfW9+9ilQA/H2hUxzm0xyUCbBm5J60l+oxdK9V6yEgia8Gjjk4WlWUt5mfgKjWDTy85Sy+316y/a545XROf9xwLq5tsBLwcuKuZ5ZDM2lCqODARmhcpeeDWn8ZpY7WfhwrRtQkFm9aj3G+qPltu4DQiw6ltqQVTLfmC/q2OXnmpmgoN5roRNX3rIKccH66AdyqoGyAmQv4/HSlIAVB6CL8px0VxWvAoEUnHVuCwQj5dV3e+aEhSeLLyVfPiUdCfAA5bK3tJFEy61Cv0YZGhTTgq4U4i+9KKtcaTe76JEb+ryLtMFBca7saBQU5P6s6PguNFEfdsqcVz9au68ras659DYqkUVuWTeUqf70s57Z4/elEU0zoA021HyzZ6hC0Z0kT0WIafWcF92GzvP9JHnTJMnC43I/tHUlwwWDrs+3vd0OOv6EDjRxqNi0CzNe9FNJ+mSj+7DyyqOPfHYwKiVjnmsTrOh1DORL9/BKHPtPjyq55Gng8EYjwVCV/qA5SfYzRf6oQIHCQAL/nr1t3LxwBRXw0l2SUUnWPe3a5lmfnHwG8OYMg1yNcMDu4M43r0WputETaPshbmyb5N50SfBAA52tAquDChKwSZW4tJcXGuF3URdbcVOnUawFEIBmGIUMFlwt1L0iSua3mwAqmBwUlseu9J8g4t334uXt1UqNCgeKxmmm86sH1jnSzg7ss1bQLAk8sFa5ix7z9ObULiVcHJnTQVUYvKfeb/6N5pmaDbux6J+CuEGbGtePpaOopNFWWbwpcP42l1GgsfW2RgBz8JKb0zcbHJ+2DmdoPQMql94+E=";
var IA = window.atob(NE);
var ld = IA.length;
while (cz < ld) {
    var Id = IA.charCodeAt(cz);
    oE.push(Id);
    cz += 1;
}
var wh = oE;
var RN = wh.length;
while (xw < RN) {
    var Db = [43, 168, 153, 221, 57, 88, 20, 27, 198, 141, 39, 227, 194, 202, 134, 113, 42, 255, 12, 184, 23][xw % Cr];
    var fE = tZ;
    var GN = wh[xw];
    tZ = GN;
    MS.push(GN ^ Db ^ fE);
    xw += 1;
}
var kY = MS;
var mI = kY.length;
while (tk < mI) {
    var b4 = [203, 83, 244, 120, 147, 220, 81, 8, 240, 11, 230, 196, 19, 254, 37, 70, 53, 69, 36, 149, 28, 255][tk % gC] & 127;
    var HY = kY[tk];
    Vp.push((HY + 256 - b4) % 256 ^ 128);
    tk += 1;
}
var JG = Vp;
var wY = JG.length;
var Ud = [];
while (aV < wY) {
    var dB = [131, 172, 165, 235, 228, 153, 223, 82, 241, 130, 34, 202, 224, 174, 83, 0, 175, 0, 26][aV % v4];
    var bT = JG[aV];
    var EZ = QA;
    QA = bT;
    Ud.push(bT ^ dB ^ EZ);
    aV += 1;
}
var A_ = Ud;
var dM = 0;
var rB = A_.length;
var Hw = [];
while (dM < rB) {
    var XN = A_[dM];
    var ez = window.String.fromCharCode(XN);
    Hw.push(ez);
    dM += 1;
}
var xV = Hw.join("");
var AX = xV;






const decodeMemberExpression = 
{
  CallExpression(path)
  {
    let {callee,arguments} = path.node;
    if (!types.isMemberExpression (callee) || arguments.length != 2)
    {
      return;
    }
    
    let {object,property} = callee;
    if (!types.isIdentifier(object) || !types.isIdentifier(property,{"name":"substr"}))
    {
      return;
    }
    console.log(object.name)
    if (!["AX","Cl","Df","hQ"].includes(object.name))
    {
      return;
    }
    let value = eval(path.toString());
    console.log(path.toString(),"--->",value);
    path.replaceWith(types.valueToNode(value));
    
  }
}


traverse(ast,decodeMemberExpression);


console.timeEnd("处理完毕,耗时");




let {code} = generator(ast,opts = {jsescOption:{"minimal":true}});


fs.writeFile(decodeFile, code, (err) => {});

思考:专用的插件很好写,问题是这个混淆的js是动态的,每隔一段时间变量名都不同,只能还原一次?

大家可以参考我写的通用插件:

https://t.zsxq.com/10dsy8slw

今天的文章就分享到这里,后续分享更多的技巧,敬请期待。

e5c06f954f4507025452f4af65d72124.jpeg

欢迎加入知识星球,学习更多AST和爬虫技巧。

悦来客栈的老板
关注
  • 0
    点赞
  • 6
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
reese-tools:SpigotBukkit插件
02-10
reese-tools:SpigotBukkit插件
MySQL权威指南(George Reese 著)
08-31
MySQL权威指南(George Reese 著)_阅读密码www.zasp.net_如需要请购买原版书- cn
Python库 | incapsula-cracker-py3-0.1.4.tar.gz
04-09
资源分类:Python库 所属语言:Python 资源全名:incapsula-cracker-py3-0.1.4.tar.gz 资源来源:官方 安装方法:https://lanzao.blog.csdn.net/article/details/101784059
Incapsula reese84 分析处理
qq_39832685的博客
02-05 428
reese84 爬虫逆向案例分享
Incapsula-Bypass
03-10
仅用于教育目的。 该服务器基于对“虚拟dom” polyfill中的Incapsula JS代码的评估。 步骤1。 GET 头:用户代理:Mozilla / 5.0(Windows NT 10.0; Win64; x64)AppleWebKit / 537.36(KHTML,如Gecko)Chrome / 68.0.3440.106 Safari / 537.36逻辑:析到js的链接封装析的代码:从_analytics_scr.src ='/ _Incapsula_Resource到'或从src =“ / _ Incapsula_Resource到”没有js代码的链接-验证码/块 第2步。 使用代码获取资源示例链接: ://website.com/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3标头:用户代
关于Incapsula reese84加密的特征研究
it_chen的博客
09-02 1125
最近研究了下reese84的加密算法,基本上两个参数的加密__utmvc和token,因为nodejs调用会有内存问题,没有采用补环境的方式决,用python扣的算法。2:reese84中token的生成相对麻烦一点,主要是动态参数比较多,ast处理完之后也很好调试。1:__utmvc参数的生成是一个ob混淆ast处理之后调试难度不是很大。如果有侵权行为请联系博主删除。博主qq:1458342294。
Incapsula reese84 分析与破
hero706309的专栏
12-25 7114
Incapsula reese84
Imperva incapsula逆向分析
weixin_65690166的博客
12-01 2062
incapsula逆向
reese84算法还原
m0_61275808的博客
08-30 943
最近看大佬把那个reese84搞定之后手痒,就尝试也搞一下,打开之后发现那混淆真恶心啊,但是我又不会ast, 所以只能喊人了,ast后长这个样。还有fantastic的帮助。搞定 p和cr就好了 ,cr是最后一个返回的。就是说你搞定p了 基本上这个就搞定了
reese84分析
dyf_py的博客
11-28 619
reese84笔记
reese-power-11ty
03-30
地位Reese Power网站,网址:11ty 基于Stephanie Eckles( )创建的11ty Netlify Jumpstart 有关所有功能的详细信息,请访问或继续并以在本地查看信息。快速开始启动开发环境并运行确保您拥有最新版本的NodeJS(当前...
Reese Fortnite Skin Wallpapers New Tab-crx插件
04-06
Reese Fortnite Skin的最佳壁纸和个性化新标签主题。 Reese Fortnite皮肤壁纸New Tab-Supertabthemes创建的扩展名此扩展名是为所有Fortnite粉丝创建的。 通过下载,您将收到与Reese Fortnite Skin相关的惊人壁纸,...
AST还原实战|第二届猿人学js逆向比赛第二题混淆还原
Python3 爬虫实战 1:应对特殊字体,爬取猫眼电影实时排行榜
08-11 1092
关注它,不迷路。 本文章中所有内容仅供学习交流,不可用于任何商业用途和非法用途,否则后果自负,如有侵权,请联系作者立即删除!1. 目标地址https://match2023.yuanrenxue.cn/topic/2其加密参数token的核心代码混淆了,地址:https://download.python-spider.com/match2023/corejs/match2.js2....
AST混淆|如何使用在线析网站反混淆代码
最新发布
Python3 爬虫实战 1:应对特殊字体,爬取猫眼电影实时排行榜
04-11 302
关注它,不迷路。 本文章中所有内容仅供学习交流,不可用于任何商业用途和非法用途,否则后果自负,如有侵权,请联系作者立即删除!1.冷知识做过反混淆的兄弟,应该都知道这个在线析网站:https://astexplorer.net/以前我都是将混淆代码复制到这个网站进行析,然后对着它来下插件。其实它也是可以写插件的,并能帮你处理混淆代码。2.设置1.如下图,点击Transform 按钮...
reese84分析流程
qq_60611058的博客
03-29 253
最终生成的然后请求接口获的一个token值也就是cookie["reese84"]=token。会有20个list环境需要根据html的window环境配置信息填补。最后一个S4[20]()会生成一个p值和cr。如有兴趣研究可以:17376323095。还原后部分JavaScript源码。注:请勿用于非法用途。环境填补完成后,引用。
reese84
qq_44657571的博客
10-30 547
航空reese84
AST混淆混淆笔记:逗号表达式混淆
码王吴彦祖的博客
02-18 318
本文主要是作者记笔记为主,温故而知新,记录混淆混淆代码,后期可能会更新文章细节。本次就是将return语句增加改为逗号表达式,来混淆部分阅读逻辑。
js混淆还原
weixin_42156283的博客
02-29 7448
1.数组类混淆 现象:定义一个数组,然后js代码中用 [ ] 式访问数组成员 处理后:将数组内成员字符串替换到js中 # -*- coding: utf-8 -*- # 混淆前js js = """ var arr = ["Date", "getTime"]; console.log(window[arr[0]]()[arr[1]]) """ import re # 1.正则匹配出列表 js...
Understanding and Using C Pointers 原版pdf by Reese
04-27
Numerous books have been written about C. They usually offer a broad coverage of the language while addressing pointers only to the extent necessary for the topic at hand. Rarely do they venture ...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值