js逆向-ast混淆还原入门案例(1)

最新推荐文章于 2024-06-18 17:17:57 发布
最新推荐文章于 2024-06-18 17:17:57 发布
阅读量3.5k 收藏 18
点赞数 1
文章标签: js nodejs javascript
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_42748190/article/details/106135484
版权

recast资料太少,在大佬的建议下转到babel了。

搬运各个地方的案例学习后,分享给大家,也给自己一个记录。

案例需2个文件:运行文件1_run.js       源码文件1_read.js

1_read.js

var _0x2075 = ['wrw3EMKc', 'BBdBHWk=', 'wplgd8O5dHbDtFfDucK9CsOS', 'f8KvAcKewoDClg==', 'XcKowo9uOyfChw==', 'XcKowpRzOzDCgMKuw5vCtH8=', 'HmQkw5vDt8OIBDbCpMKdw6Aaw7HDmcKb', 'wpxzdMO4', 'R8KHF1k1w5A=', 'w4LDgcOowrjDhg==', 'w6RKw6PCmVDDpw==', 'w6DDgsKrCsK5wqAwKsOMTkPDilwgB241RVBIw6rCvwpWw5fCo8OSw59pBcK7UlrCucOZHy7DgsO5wpx5J8K5wqbCtMOMwqvCsiUFw5s4JGfDmwQPw7Fawq3CgXlkJyE=', 'VcObYsOHKcKpwpI=', 'KkZfcE52w77ChsKgUQ==', 'CmQsw57DvA==', 'YV7CscOYZg==', 'w5jDt8OUwr46w5c6LsKEPsO0', 'F8OUMQhRw78Q', 'YMKzeTvCpMKzHcKKGSjCj2dJwq3Cj3/ChsKSFVpMw4sZwrg9H8OLw4/DqUlhYlpaa8KYJsO5AcK2wqnCmGhEwqkbdMKKLsO/wpBFMcKlC8OvKUkXZ8KpBsOxw4XDk8K5w4Y6w7VZO8K/wojCqcO2wqQow5Z+w6dew7I3TMObw6Ykw7I=', 'Mk8Bw6QawqU=', 'wo5zw4vCkxvDuSBqwoENw7rCrF3DksKewoPDqMKHNSzCgcK2fcKxPMKbGcKwCW5GZWRpw6fDmgHCjXrCnXE3w4zDqlt3w64lw7JiworDi8Knw5YoW1LDlUbDpkEtGQPDnw==', 'w6lvdMKW', 'w7JFdsOhwrBqwrlMYcKVJRjCuMKQwpLDtMONwprCsMORw4BtRV0oeEQPCgAmMgx2'];
(function(_0xf486e7, _0x2075d7) {
    var _0x5c3a18 = function(_0x5b65b1) {
        while (--_0x5b65b1) {
            _0xf486e7['push'](_0xf486e7['shift']());
        }
    };
    _0x5c3a18(++_0x2075d7);
}(_0x2075, 0xa4));
var _0x5c3a = function(_0xf486e7, _0x2075d7) {
    _0xf486e7 = _0xf486e7 - 0x0;
    var _0x5c3a18 = _0x2075[_0xf486e7];
    if (_0x5c3a['vEVEZj'] === undefined) {
        (function() {
            var _0x2e1ca4;
            try {
                var _0x28e173 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
                _0x2e1ca4 = _0x28e173();
            } catch (_0x16acc9) {
                _0x2e1ca4 = window;
            }
            var _0x16f958 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
            _0x2e1ca4['atob'] || (_0x2e1ca4['atob'] = function(_0x5a7812) {
                var _0x3c7e74 = String(_0x5a7812)['replace'](/=+$/, '');
                var _0x5e030c = '';
                for (var _0x4eaee2 = 0x0, _0x5954ef, _0x29200e, _0x5a128b = 0x0; _0x29200e = _0x3c7e74['charAt'](_0x5a128b++); ~_0x29200e && (_0x5954ef = _0x4eaee2 % 0x4 ? _0x5954ef * 0x40 + _0x29200e : _0x29200e,
                _0x4eaee2++ % 0x4) ? _0x5e030c += String['fromCharCode'](0xff & _0x5954ef >> (-0x2 * _0x4eaee2 & 0x6)) : 0x0) {
                    _0x29200e = _0x16f958['indexOf'](_0x29200e);
                }
                return _0x5e030c;
            }
            );
        }());
        var _0x3acf89 = function(_0x593a19, _0xfee22e) {
            var _0x1b5349 = [], _0x4ddb21 = 0x0, _0x28ed27, _0x4b4996 = '', _0xbdd0c6 = '';
            _0x593a19 = atob(_0x593a19);
            for (var _0x1d6343 = 0x0, _0x3f947e = _0x593a19['length']; _0x1d6343 < _0x3f947e; _0x1d6343++) {
                _0xbdd0c6 += '%' + ('00' + _0x593a19['charCodeAt'](_0x1d6343)['toString'](0x10))['slice'](-0x2);
            }
            _0x593a19 = decodeURIComponent(_0xbdd0c6);
            var _0x1a120c;
            for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
                _0x1b5349[_0x1a120c] = _0x1a120c;
            }
            for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
                _0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c] + _0xfee22e['charCodeAt'](_0x1a120c % _0xfee22e['length'])) % 0x100;
                _0x28ed27 = _0x1b5349[_0x1a120c];
                _0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
                _0x1b5349[_0x4ddb21] = _0x28ed27;
            }
            _0x1a120c = 0x0;
            _0x4ddb21 = 0x0;
            for (var _0x585b7f = 0x0; _0x585b7f < _0x593a19['length']; _0x585b7f++) {
                _0x1a120c = (_0x1a120c + 0x1) % 0x100;
                _0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c]) % 0x100;
                _0x28ed27 = _0x1b5349[_0x1a120c];
                _0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
                _0x1b5349[_0x4ddb21] = _0x28ed27;
                _0x4b4996 += String['fromCharCode'](_0x593a19['charCodeAt'](_0x585b7f) ^ _0x1b5349[(_0x1b5349[_0x1a120c] + _0x1b5349[_0x4ddb21]) % 0x100]);
            }
            return _0x4b4996;
        };
        _0x5c3a['HKkhxp'] = _0x3acf89;
        _0x5c3a['eabUGz'] = {};
        _0x5c3a['vEVEZj'] = !![];
    }
    var _0x5b65b1 = _0x5c3a['eabUGz'][_0xf486e7];
    if (_0x5b65b1 === undefined) {
        if (_0x5c3a['vszZjY'] === undefined) {
            _0x5c3a['vszZjY'] = !![];
        }
        _0x5c3a18 = _0x5c3a['HKkhxp'](_0x5c3a18, _0x2075d7);
        _0x5c3a['eabUGz'][_0xf486e7] = _0x5c3a18;
    } else {
        _0x5c3a18 = _0x5b65b1;
    }
    return _0x5c3a18;
};
var _0x2e1ca4 = function() {
    var _0x564fd8 = !![];
    return function(_0x157886, _0x3f8543) {
        var _0x3aa335 = _0x564fd8 ? function() {
            if (_0x3f8543) {
                var _0x35f411 = _0x3f8543[_0x5c3a('0x15', 'qqhd')](_0x157886, arguments);
                _0x3f8543 = null;
                return _0x35f411;
            }
        }
        : function() {}
        ;
        _0x564fd8 = ![];
        return _0x3aa335;
    }
    ;
}();
setInterval(function() {
    _0x3acf89();
}, 0xfa0);
(function() {
    _0x2e1ca4(this, function() {
        var _0x13f533 = new RegExp('function\x20*\x5c(\x20*\x5c)');
        var _0x28f488 = new RegExp(_0x5c3a('0x13', 'l02m'),'i');
        var _0x5783e7 = _0x3acf89('init');
        if (!_0x13f533['test'](_0x5783e7 + _0x5c3a('0xb', 'mvpW')) || !_0x28f488['test'](_0x5783e7 + _0x5c3a('0x6', 'S&fJ'))) {
            _0x5783e7('0');
        } else {
            _0x3acf89();
        }
    })();
}());
window = {};
window['atob'] = function(_0x44004e) {
    e = _0x5c3a('0x8', 'CwZq');
    var _0x2761c0 = String(_0x44004e)[_0x5c3a('0x9', 'F%XZ')](/=+$/, '');
    if (_0x2761c0[_0x5c3a('0x7', 'KMc0')] % 0x4 == 0x1)
        throw new t('\x27atob\x27\x20failed:\x20The\x20string\x20to\x20be\x20decoded\x20is\x20not\x20correctly\x20encoded.');
    for (var _0x3568b6, _0x228da4, _0x1076e1 = 0x0, _0x242bbc = 0x0, _0x5766d9 = ''; _0x228da4 = _0x2761c0['charAt'](_0x242bbc++); ~_0x228da4 && (_0x3568b6 = _0x1076e1 % 0x4 ? 0x40 * _0x3568b6 + _0x228da4 : _0x228da4,
    _0x1076e1++ % 0x4) ? _0x5766d9 += String[_0x5c3a('0x16', '%Fh)')](0xff & _0x3568b6 >> (-0x2 * _0x1076e1 & 0x6)) : 0x0)
        _0x228da4 = e[_0x5c3a('0xe', 'ivHf')](_0x228da4);
    return _0x5766d9;
}
window['btoa'] = function(_0x140387) {
    e = _0x5c3a('0x11', '1t8u');
    for (var _0x5a7683, _0x5c4afc, _0x414c71 = String(_0x140387), _0x3a865d = 0x0, _0x388744 = e, _0x171f9b = ''; _0x414c71[_0x5c3a('0x10', 'G%UZ')](0x0 | _0x3a865d) || (_0x388744 = '=',
    _0x3a865d % 0x1); _0x171f9b += _0x388744[_0x5c3a('0x5', '#%vS')](0x3f & _0x5a7683 >> 0x8 - _0x3a865d % 0x1 * 0x8)) {
        if (_0x5c4afc = _0x414c71[_0x5c3a('0xa', '(eE#')](_0x3a865d += 0.75),
        _0x5c4afc > 0xff)
            throw new t(_0x5c3a('0xf', '!zyq'));
        _0x5a7683 = _0x5a7683 << 0x8 | _0x5c4afc;
    }
    return _0x171f9b;
}
function _0x3acf89(_0x1a61bd) {
    function _0x50b4d2(_0x5c1045) {
        if (typeof _0x5c1045 === 'string') {
            return function(_0xaf1ee8) {}
            ['constructor'](_0x5c3a('0x3', 'mvpW'))[_0x5c3a('0xc', 'dtRw')](_0x5c3a('0x1', 'g1Ep'));
        } else {
            if (('' + _0x5c1045 / _0x5c1045)['length'] !== 0x1 || _0x5c1045 % 0x14 === 0x0) {
                (function() {
                    return !![];
                }
                ['constructor']('debu' + 'gger')[_0x5c3a('0x4', '%Fh)')](_0x5c3a('0x0', 'zu[n')));
            } else {
                (function() {
                    return ![];
                }
                [_0x5c3a('0x2', 'g1Ep')](_0x5c3a('0x12', 'LPae') + _0x5c3a('0x14', 'N5*X'))['apply'](_0x5c3a('0xd', 'qOO9')));
            }
        }
        _0x50b4d2(++_0x5c1045);
    }
    try {
        if (_0x1a61bd) {
            return _0x50b4d2;
        } else {
            _0x50b4d2(0x0);
        }
    } catch (_0x524e63) {}
}

1_run.js

/*
* 安装 npm install @babel/core
* */

// 将JS源码转换成语法树
const parser = require("@babel/parser");
// 为parser提供模板引擎
const template = require("@babel/template").default;
// 遍历AST
const traverse = require("@babel/traverse").default;
// 操作节点,比如判断节点类型,生成新的节点等
const t = require("@babel/types");
// 将语法树转换为源代码
const generator = require("@babel/generator").default;
// 操作文件
const fs = require("fs");
//
const path = require('path');

var file_path = 'F:\\FILE\\Python\\Exercises\\js\\js-ast混淆还原\\'
var jscode = fs.readFileSync(file_path+"1_read.js", {
    encoding: "utf-8"
});

var _0x2075 = ['wrw3EMKc', 'BBdBHWk=', 'wplgd8O5dHbDtFfDucK9CsOS', 'f8KvAcKewoDClg==', 'XcKowo9uOyfChw==', 'XcKowpRzOzDCgMKuw5vCtH8=', 'HmQkw5vDt8OIBDbCpMKdw6Aaw7HDmcKb', 'wpxzdMO4', 'R8KHF1k1w5A=', 'w4LDgcOowrjDhg==', 'w6RKw6PCmVDDpw==', 'w6DDgsKrCsK5wqAwKsOMTkPDilwgB241RVBIw6rCvwpWw5fCo8OSw59pBcK7UlrCucOZHy7DgsO5wpx5J8K5wqbCtMOMwqvCsiUFw5s4JGfDmwQPw7Fawq3CgXlkJyE=', 'VcObYsOHKcKpwpI=', 'KkZfcE52w77ChsKgUQ==', 'CmQsw57DvA==', 'YV7CscOYZg==', 'w5jDt8OUwr46w5c6LsKEPsO0', 'F8OUMQhRw78Q', 'YMKzeTvCpMKzHcKKGSjCj2dJwq3Cj3/ChsKSFVpMw4sZwrg9H8OLw4/DqUlhYlpaa8KYJsO5AcK2wqnCmGhEwqkbdMKKLsO/wpBFMcKlC8OvKUkXZ8KpBsOxw4XDk8K5w4Y6w7VZO8K/wojCqcO2wqQow5Z+w6dew7I3TMObw6Ykw7I=', 'Mk8Bw6QawqU=', 'wo5zw4vCkxvDuSBqwoENw7rCrF3DksKewoPDqMKHNSzCgcK2fcKxPMKbGcKwCW5GZWRpw6fDmgHCjXrCnXE3w4zDqlt3w64lw7JiworDi8Knw5YoW1LDlUbDpkEtGQPDnw==', 'w6lvdMKW', 'w7JFdsOhwrBqwrlMYcKVJRjCuMKQwpLDtMONwprCsMORw4BtRV0oeEQPCgAmMgx2'];
(function(_0xf486e7, _0x2075d7) {
    var _0x5c3a18 = function(_0x5b65b1) {
        while (--_0x5b65b1) {
            _0xf486e7['push'](_0xf486e7['shift']());
        }
    };
    _0x5c3a18(++_0x2075d7);
}(_0x2075, 0xa4));
var _0x5c3a = function(_0xf486e7, _0x2075d7) {
    _0xf486e7 = _0xf486e7 - 0x0;
    var _0x5c3a18 = _0x2075[_0xf486e7];
    if (_0x5c3a['vEVEZj'] === undefined) {
        (function() {
            var _0x2e1ca4;
            try {
                var _0x28e173 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
                _0x2e1ca4 = _0x28e173();
            } catch (_0x16acc9) {
                _0x2e1ca4 = window;
            }
            var _0x16f958 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
            _0x2e1ca4['atob'] || (_0x2e1ca4['atob'] = function(_0x5a7812) {
                var _0x3c7e74 = String(_0x5a7812)['replace'](/=+$/, '');
                var _0x5e030c = '';
                for (var _0x4eaee2 = 0x0, _0x5954ef, _0x29200e, _0x5a128b = 0x0; _0x29200e = _0x3c7e74['charAt'](_0x5a128b++); ~_0x29200e && (_0x5954ef = _0x4eaee2 % 0x4 ? _0x5954ef * 0x40 + _0x29200e : _0x29200e,
                _0x4eaee2++ % 0x4) ? _0x5e030c += String['fromCharCode'](0xff & _0x5954ef >> (-0x2 * _0x4eaee2 & 0x6)) : 0x0) {
                    _0x29200e = _0x16f958['indexOf'](_0x29200e);
                }
                return _0x5e030c;
            }
            );
        }());
        var _0x3acf89 = function(_0x593a19, _0xfee22e) {
            var _0x1b5349 = [], _0x4ddb21 = 0x0, _0x28ed27, _0x4b4996 = '', _0xbdd0c6 = '';
            _0x593a19 = atob(_0x593a19);
            for (var _0x1d6343 = 0x0, _0x3f947e = _0x593a19['length']; _0x1d6343 < _0x3f947e; _0x1d6343++) {
                _0xbdd0c6 += '%' + ('00' + _0x593a19['charCodeAt'](_0x1d6343)['toString'](0x10))['slice'](-0x2);
            }
            _0x593a19 = decodeURIComponent(_0xbdd0c6);
            var _0x1a120c;
            for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
                _0x1b5349[_0x1a120c] = _0x1a120c;
            }
            for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
                _0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c] + _0xfee22e['charCodeAt'](_0x1a120c % _0xfee22e['length'])) % 0x100;
                _0x28ed27 = _0x1b5349[_0x1a120c];
                _0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
                _0x1b5349[_0x4ddb21] = _0x28ed27;
            }
            _0x1a120c = 0x0;
            _0x4ddb21 = 0x0;
            for (var _0x585b7f = 0x0; _0x585b7f < _0x593a19['length']; _0x585b7f++) {
                _0x1a120c = (_0x1a120c + 0x1) % 0x100;
                _0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c]) % 0x100;
                _0x28ed27 = _0x1b5349[_0x1a120c];
                _0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
                _0x1b5349[_0x4ddb21] = _0x28ed27;
                _0x4b4996 += String['fromCharCode'](_0x593a19['charCodeAt'](_0x585b7f) ^ _0x1b5349[(_0x1b5349[_0x1a120c] + _0x1b5349[_0x4ddb21]) % 0x100]);
            }
            return _0x4b4996;
        };
        _0x5c3a['HKkhxp'] = _0x3acf89;
        _0x5c3a['eabUGz'] = {};
        _0x5c3a['vEVEZj'] = !![];
    }
    var _0x5b65b1 = _0x5c3a['eabUGz'][_0xf486e7];
    if (_0x5b65b1 === undefined) {
        if (_0x5c3a['vszZjY'] === undefined) {
            _0x5c3a['vszZjY'] = !![];
        }
        _0x5c3a18 = _0x5c3a['HKkhxp'](_0x5c3a18, _0x2075d7);
        _0x5c3a['eabUGz'][_0xf486e7] = _0x5c3a18;
    } else {
        _0x5c3a18 = _0x5b65b1;
    }
    return _0x5c3a18;
};

function traverse_all(ast) {
    // 遍历节点,当遇到下列类型的时候会调用函数
    traverse(ast, {
        CallExpression: {
            enter: [replace_function_to_string]
        }
    })
    traverse(ast, {
        MemberExpression: {
            enter: [replace]
        }
    })


}
// a["length"]转变为a.length
function replace(path)
{
    const node = path.node;
    let property = path.get('property')
    if(t.isStringLiteral(node.property)) {
        let value  = node.property.value;
        console.log(value)
        //原为true,改后的效果把[]变为.
        node.computed = false
        //如果写成path.replaceWith是将整个MemberExpression节点换为value,节点类型也变为Identifier,例:window.btoa变为btoa
        //我们仅需要替换property节点
        property.replaceWith(t.Identifier(value))
        }
}

//调用_0x5c3a进行解密,在替换原来的
function replace_function_to_string(path)
{//对节点进行处理
  const node = path.node;
  //判断节点类型及函数名,不是则返回
  if (!t.isIdentifier(node.callee,{name:"_0x5c3a"})) return;
  //取实参值
  let first_arg  = node.arguments[0].value;
  let second_arg = node.arguments[1].value;
  //调用本地的_0x5c3a函数
  let value = _0x5c3a(first_arg,second_arg);
  //打印看结果
  console.log(node.callee.name,first_arg,second_arg,value);
  //替换CallExpression节点,为StringLiteral类型的value
  path.replaceWith(t.StringLiteral(value));
}

let ast = parser.parse(jscode);
traverse_all(ast);
let {code} = generator(ast);
fs.writeFile(file_path+'1_decoded.js', code, (err)=>{});

生成1_decoded.js

var _0x2075 = ['wrw3EMKc', 'BBdBHWk=', 'wplgd8O5dHbDtFfDucK9CsOS', 'f8KvAcKewoDClg==', 'XcKowo9uOyfChw==', 'XcKowpRzOzDCgMKuw5vCtH8=', 'HmQkw5vDt8OIBDbCpMKdw6Aaw7HDmcKb', 'wpxzdMO4', 'R8KHF1k1w5A=', 'w4LDgcOowrjDhg==', 'w6RKw6PCmVDDpw==', 'w6DDgsKrCsK5wqAwKsOMTkPDilwgB241RVBIw6rCvwpWw5fCo8OSw59pBcK7UlrCucOZHy7DgsO5wpx5J8K5wqbCtMOMwqvCsiUFw5s4JGfDmwQPw7Fawq3CgXlkJyE=', 'VcObYsOHKcKpwpI=', 'KkZfcE52w77ChsKgUQ==', 'CmQsw57DvA==', 'YV7CscOYZg==', 'w5jDt8OUwr46w5c6LsKEPsO0', 'F8OUMQhRw78Q', 'YMKzeTvCpMKzHcKKGSjCj2dJwq3Cj3/ChsKSFVpMw4sZwrg9H8OLw4/DqUlhYlpaa8KYJsO5AcK2wqnCmGhEwqkbdMKKLsO/wpBFMcKlC8OvKUkXZ8KpBsOxw4XDk8K5w4Y6w7VZO8K/wojCqcO2wqQow5Z+w6dew7I3TMObw6Ykw7I=', 'Mk8Bw6QawqU=', 'wo5zw4vCkxvDuSBqwoENw7rCrF3DksKewoPDqMKHNSzCgcK2fcKxPMKbGcKwCW5GZWRpw6fDmgHCjXrCnXE3w4zDqlt3w64lw7JiworDi8Knw5YoW1LDlUbDpkEtGQPDnw==', 'w6lvdMKW', 'w7JFdsOhwrBqwrlMYcKVJRjCuMKQwpLDtMONwprCsMORw4BtRV0oeEQPCgAmMgx2'];

(function (_0xf486e7, _0x2075d7) {
  var _0x5c3a18 = function (_0x5b65b1) {
    while (--_0x5b65b1) {
      _0xf486e7.push(_0xf486e7.shift());
    }
  };

  _0x5c3a18(++_0x2075d7);
})(_0x2075, 0xa4);

var _0x5c3a = function (_0xf486e7, _0x2075d7) {
  _0xf486e7 = _0xf486e7 - 0x0;
  var _0x5c3a18 = _0x2075[_0xf486e7];

  if (_0x5c3a.vEVEZj === undefined) {
    (function () {
      var _0x2e1ca4;

      try {
        var _0x28e173 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');

        _0x2e1ca4 = _0x28e173();
      } catch (_0x16acc9) {
        _0x2e1ca4 = window;
      }

      var _0x16f958 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
      _0x2e1ca4.atob || (_0x2e1ca4.atob = function (_0x5a7812) {
        var _0x3c7e74 = String(_0x5a7812).replace(/=+$/, '');

        var _0x5e030c = '';

        for (var _0x4eaee2 = 0x0, _0x5954ef, _0x29200e, _0x5a128b = 0x0; _0x29200e = _0x3c7e74.charAt(_0x5a128b++); ~_0x29200e && (_0x5954ef = _0x4eaee2 % 0x4 ? _0x5954ef * 0x40 + _0x29200e : _0x29200e, _0x4eaee2++ % 0x4) ? _0x5e030c += String.fromCharCode(0xff & _0x5954ef >> (-0x2 * _0x4eaee2 & 0x6)) : 0x0) {
          _0x29200e = _0x16f958.indexOf(_0x29200e);
        }

        return _0x5e030c;
      });
    })();

    var _0x3acf89 = function (_0x593a19, _0xfee22e) {
      var _0x1b5349 = [],
          _0x4ddb21 = 0x0,
          _0x28ed27,
          _0x4b4996 = '',
          _0xbdd0c6 = '';

      _0x593a19 = atob(_0x593a19);

      for (var _0x1d6343 = 0x0, _0x3f947e = _0x593a19.length; _0x1d6343 < _0x3f947e; _0x1d6343++) {
        _0xbdd0c6 += '%' + ('00' + _0x593a19.charCodeAt(_0x1d6343).toString(0x10)).slice(-0x2);
      }

      _0x593a19 = decodeURIComponent(_0xbdd0c6);

      var _0x1a120c;

      for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
        _0x1b5349[_0x1a120c] = _0x1a120c;
      }

      for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
        _0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c] + _0xfee22e.charCodeAt(_0x1a120c % _0xfee22e.length)) % 0x100;
        _0x28ed27 = _0x1b5349[_0x1a120c];
        _0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
        _0x1b5349[_0x4ddb21] = _0x28ed27;
      }

      _0x1a120c = 0x0;
      _0x4ddb21 = 0x0;

      for (var _0x585b7f = 0x0; _0x585b7f < _0x593a19.length; _0x585b7f++) {
        _0x1a120c = (_0x1a120c + 0x1) % 0x100;
        _0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c]) % 0x100;
        _0x28ed27 = _0x1b5349[_0x1a120c];
        _0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
        _0x1b5349[_0x4ddb21] = _0x28ed27;
        _0x4b4996 += String.fromCharCode(_0x593a19.charCodeAt(_0x585b7f) ^ _0x1b5349[(_0x1b5349[_0x1a120c] + _0x1b5349[_0x4ddb21]) % 0x100]);
      }

      return _0x4b4996;
    };

    _0x5c3a.HKkhxp = _0x3acf89;
    _0x5c3a.eabUGz = {};
    _0x5c3a.vEVEZj = !![];
  }

  var _0x5b65b1 = _0x5c3a.eabUGz[_0xf486e7];

  if (_0x5b65b1 === undefined) {
    if (_0x5c3a.vszZjY === undefined) {
      _0x5c3a.vszZjY = !![];
    }

    _0x5c3a18 = _0x5c3a.HKkhxp(_0x5c3a18, _0x2075d7);
    _0x5c3a.eabUGz[_0xf486e7] = _0x5c3a18;
  } else {
    _0x5c3a18 = _0x5b65b1;
  }

  return _0x5c3a18;
};

var _0x2e1ca4 = function () {
  var _0x564fd8 = !![];

  return function (_0x157886, _0x3f8543) {
    var _0x3aa335 = _0x564fd8 ? function () {
      if (_0x3f8543) {
        var _0x35f411 = _0x3f8543.apply(_0x157886, arguments);

        _0x3f8543 = null;
        return _0x35f411;
      }
    } : function () {};

    _0x564fd8 = ![];
    return _0x3aa335;
  };
}();

setInterval(function () {
  _0x3acf89();
}, 0xfa0);

(function () {
  _0x2e1ca4(this, function () {
    var _0x13f533 = new RegExp('function\x20*\x5c(\x20*\x5c)');

    var _0x28f488 = new RegExp("\\+\\+ *(?:[a-zA-Z_$][0-9a-zA-Z_$]*)", 'i');

    var _0x5783e7 = _0x3acf89('init');

    if (!_0x13f533.test(_0x5783e7 + "chain") || !_0x28f488.test(_0x5783e7 + "input")) {
      _0x5783e7('0');
    } else {
      _0x3acf89();
    }
  })();
})();

window = {};

window.atob = function (_0x44004e) {
  e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

  var _0x2761c0 = String(_0x44004e).replace(/=+$/, '');

  if (_0x2761c0.length % 0x4 == 0x1) throw new t('\x27atob\x27\x20failed:\x20The\x20string\x20to\x20be\x20decoded\x20is\x20not\x20correctly\x20encoded.');

  for (var _0x3568b6, _0x228da4, _0x1076e1 = 0x0, _0x242bbc = 0x0, _0x5766d9 = ''; _0x228da4 = _0x2761c0.charAt(_0x242bbc++); ~_0x228da4 && (_0x3568b6 = _0x1076e1 % 0x4 ? 0x40 * _0x3568b6 + _0x228da4 : _0x228da4, _0x1076e1++ % 0x4) ? _0x5766d9 += String.fromCharCode(0xff & _0x3568b6 >> (-0x2 * _0x1076e1 & 0x6)) : 0x0) _0x228da4 = e.indexOf(_0x228da4);

  return _0x5766d9;
};

window.btoa = function (_0x140387) {
  e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

  for (var _0x5a7683, _0x5c4afc, _0x414c71 = String(_0x140387), _0x3a865d = 0x0, _0x388744 = e, _0x171f9b = ''; _0x414c71.charAt(0x0 | _0x3a865d) || (_0x388744 = '=', _0x3a865d % 0x1); _0x171f9b += _0x388744.charAt(0x3f & _0x5a7683 >> 0x8 - _0x3a865d % 0x1 * 0x8)) {
    if (_0x5c4afc = _0x414c71.charCodeAt(_0x3a865d += 0.75), _0x5c4afc > 0xff) throw new t("'btoa' failed: The string to be encoded contains characters outside of the Latin1 range.");
    _0x5a7683 = _0x5a7683 << 0x8 | _0x5c4afc;
  }

  return _0x171f9b;
};

function _0x3acf89(_0x1a61bd) {
  function _0x50b4d2(_0x5c1045) {
    if (typeof _0x5c1045 === 'string') {
      return function (_0xaf1ee8) {}.constructor("while (true) {}").apply("counter");
    } else {
      if (('' + _0x5c1045 / _0x5c1045).length !== 0x1 || _0x5c1045 % 0x14 === 0x0) {
        (function () {
          return !![];
        }).constructor('debu' + 'gger').call("action");
      } else {
        (function () {
          return ![];
        }).constructor("debu" + "gger").apply("stateObject");
      }
    }

    _0x50b4d2(++_0x5c1045);
  }

  try {
    if (_0x1a61bd) {
      return _0x50b4d2;
    } else {
      _0x50b4d2(0x0);
    }
  } catch (_0x524e63) {}
}

 

 

大白菜好吃
关注
  • 1
    点赞
  • 18
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
Js逆向-猿人学(1)源码混淆
李玺
01-21 3376
猿人学爬虫题目第一题: 《抓取所有机票价格》,该案例非常适合js新手入门。 题目链接:http://match.yuanrenxue.com/match/1 F12打开控制台,可见debugger出现,右键选择Never pause here; 接下来F5,就可以跳过debugger了,查看数据包。 看一下请求参数: 直接点击查看Initiator进行调试。 随便选一个进来断点,选择下一页触发debug 没找到就点右侧的call stack,按顺序点一下看 点到request看到了有一端不
js逆向-ast混淆还原进阶案例(1)
qq_42748190的博客
05-22 3659
我啥也不说,自行领悟。 混淆代码: var _0x1491 = ['\x77\x35\x58\x43\x6a\x33\x54\x43\x6b\x77\x77\x3d', '\x63\x63\x4f\x6e\x4a\x56\x30\x6d', '\x77\x36\x59\x53\x57\x38\x4f\x4f\x77\x6f\x6f\x3d', '\x63\x73\x4f\x61\x52\x38\x4f\x6a\x4e\x77\x3d\x3d', '\x4a\x6b\x5a\x45\x41\x63\x
使用 AST语法树分析与修改Javascript 代码
最新发布
Python技术探索
06-18 1079
本文介绍了 AST抽象语法树技术原理,使用场景(自动化修改代码,逆向分析等,常用AST解析库,使用jscodeshift来解析javascript 代码,以实例代码方式实现查找并修改函数名称、函数调用名.
js逆向-ast混淆还原入门案例(2)
qq_42748190的博客
05-15 1348
将上篇分解,记录多写法将a["length"]转变为a.length 案例需2个文件:运行文件2_run.js 源码文件2_read.js 2_read.js var _0x2075 = ['wrw3EMKc', 'BBdBHWk=', 'wplgd8O5dHbDtFfDucK9CsOS', 'f8KvAcKewoDClg==', 'XcKowo9uOyfChw==', 'XcKowpRzOzDCgMKuw5vCtH8=', 'HmQkw5vDt8OIBDbCpMKdw6Aaw7HDmc...
JS混淆加密的代码如何解密
mxd01848的博客
12-16 4807
混淆是指将 JavaScript 代码变得难以理解的过程。这可以通过更改变量名、函数名和类名,以及将代码压缩到一行来实现。混淆的主要目的是使代码难以被盗用,并保护代码的知识产权。
AST(抽象语法树)实战入门js逆向中滑块加密if语句转化
人间凡尘的博客
05-16 2563
​引言: AST算得上是高端技能。如果把爬虫技能分为初中高三个阶段的话。常规的JS逆向找找参数,扣扣代码只能属于中级技能,而通过使用AST先对目标代码进行修复,最终转化为方便我们调试的代码,则属于高级技能。 其实AST也没有想象的那么难,懂得了基本原理,然后多练习,多思考,就可以了。 该系列文章将会循序渐进、深入浅出的给大家分享AST的知识和我学习AST的心路历程。希望大家跟着文章一点一点的去了解,去掌握。这东西我都能学会,那么你也肯定能学会! 废话不多说,我们直接开始吧~~ 效果展示: ..
基于AST的babel库实现js混淆还原基础案例荟萃
热门推荐
小小明-代码实体的专栏
02-03 2万+
一个菜鸟的倔强,学习js混淆入门笔记
js逆向工具-初学AST混淆
十一姐的博客
10-28 4377
目录一、AST推荐文章二、babel安装1、入门例子讲解:修改变量值2、入门案例代码:修改变量值三、实际案例1、替换调用函数为结果 一、AST推荐文章 以下文章简单了解下,可以通过案例熟悉再回头再来看这些文章 babel手册1、babel手册2 13个示例快速入门JS抽象语法树 ast的概念和babel这一工具的具体使用 可视化显示AST结构工具 二、babel安装 node安装:node环境安装 babel相关包安装:在cmd窗口下执行如下命令npm install -g @babel/core n
JS混淆-AST还原案例
十一姐的博客
03-12 1万+
目录一、js混淆了解1、为什么要混淆?2、常见的混淆模样二、AST初步认识三、解混淆常用的方法 一、js混淆了解 1、为什么要混淆js混淆的作用:为了防止爬虫通过分析js内容,轻易的还原出网站的加密逻辑,而做出的安全防御手段之一,常常将一个逻辑简单的可能十几行算法代码思路,通过变量混淆替换、增加冗余无效代码、增加无限debugger反调试功能、增加多层的套娃式if~else代码、以及埋陷阱等混淆成几千行的js代码,给人第一印象难读,对入门分析者造成恐惧心理 如图,我们常见的ob混淆就是这个原理,左侧也
AST混淆js还原工具.zip
09-23
基于丁仔大佬js还原工具进行的二次开发,增加功能多达10+,对丁仔大佬已开发的功能进行优化及修改,...目前可处理2021-9-23当前最新的https://obfuscator.io/中的混淆规则,是js逆向与爬虫工程师的应对js混淆的不二神器
AST混淆js还原工具2.0.zip
04-20
1.基于丁仔大佬js还原工具进行的二次开发,增加功能多达10+, 2.对丁仔大佬已开发的功能进行优化及修改,兼容更多可能,提升兼容性。 3.对1.0版本已存在的错误进行修复 4.针对最新的https://obfuscator.io/混淆规则...
javascript逆向 猿人学 js混淆 回溯 逆向学习
03-12
在进行JavaScript逆向学习时,首先需要通过反混淆技术将混淆过的代码还原为可读性更高的形式,这可能涉及到对代码结构、变量名、函数逻辑等方面的分析和恢复。接着,通过对代码执行过程的回溯和调试,可以逐步理清...
ast-hook用于js逆向根据参数值快速定位到生成加密参数位置
05-04
js逆向参数的过程中,`ast-hook`可以帮助我们快速定位到加密或混淆的代码段,从而便于解密、调试或者重构。同时,`ast-hook`还可以与其他逆向工具(如ESLint、Babel等)结合,提供更强大的代码分析能力。 在提供...
逆向进阶,利用 AST 技术还原 JavaScript 混淆代码.doc
07-08
逆向进阶,利用 AST 技术还原 JavaScript 混淆代码 AST(Abstract Syntax Tree),中文抽象语法树,简称语法树(Syntax Tree),是源代码的抽象语法结构的树状表现形式,树上的每个节点都表示源代码中的一种结构。...
利用AST对抗js混淆(一) 基础知识(补充)
lacoucou的专栏
09-02 602
转载编写了一个简略的API记录
js 解密
学长的猫的博客
01-06 2189
我们新建一个工程,抽取主干代码。可以看到,加密函数为:_0x3cbb8c选择一段密文进行解密。在分析接口的时候,我们看到请求做了加密。查看事件我们发信啊了方法。写一段代码,仿照请求。
利用AST对抗js混淆(二) 对付字符串数据混淆
lacoucou的专栏
02-04 1032
本文主要介绍前序混淆工具中的字符串数据的反混淆方法。 比如 一款JavaScript 混淆(Obfuscator)工具(Tool)的研究(三) 字符串数组 中的情况: 方法1.使用正则表达式处理 利用这则表达式匹配,例子:https://blog.csdn.net/lacoucou/article/details/105471104#t4 这里: 1.用字符串解析或者正则匹配_0x4ad7数据并保存内容。 2.匹配}(_0x4ad7, 0x16f)); 找到次数0x16f; 3.具体算法,此.
python爬虫 - js加密setCookie
CatchLight的博客
09-09 1389
前言 在爬取某些网站的时候,获取的返回数据不是意料中的html,而是一大串毫无格式的js,例如: var arg1='38B18065C640DD60B8A3AD8BFA4DE2D694EDD37C'; var _0x4818=['\x63\x73\.. 具体如图所示: 解密过程 格式化JS 其实,js中字符就是被\0x50这种给的十六进制加密,只需要粘贴去https://tool.lu/js解密即可 在此图中,可以知道在请求网站的时候部分原理:在请求网站加载html的时候,会检测cookie是否含有
AST混淆进阶-debugger保护及定时器删减
jia666666的博客
09-18 1118
目的:删除ob混淆中debugger保护及定时器代码 ob混淆网站 https://obfuscator.io/ demo.js //这里的demo来自上面网站按图操作混淆后的代码,为了便于阅读,这里在格式化处理后贴出 function hi() { var _0x5601b0 = function () { var _0x26ef60 = !![]; return function (_0x4d783e, _0x3aac26) { v
js逆向 ast混淆
09-03
js逆向AST混淆是一种通过解析和修改JavaScript的抽象语法树(AST)来还原混淆代码的过程。首先,我们需要获取到混淆代码的AST表示形式。然后,根据特定的反混淆算法,对AST进行遍历和修改,以还原原始代码的结构和逻辑。在这个过程中,我们可以使用不同的技术和工具来帮助我们完成反混淆任务。 在提供的引用中,涉及了一些对AST进行遍历和修改的代码片段。例如,在引用中,使用了traverse函数来遍历AST,然后通过修改AST节点来进行替换和替换。在引用中,通过迭代和遍历AST,找到变量名和取值方法名,然后将它们替换或删除。在引用中,使用了traverse函数和eval函数来移除赋值表达式和成员表达式。 以上是一些常见的技术和方法,用于js逆向AST混淆。具体的反混淆过程可能因代码结构和混淆方式而有所不同。为了成功反混淆代码,可能需要更多的详细信息和专业知识。<span class="em">1</span><span class="em">2</span><span class="em">3</span> #### 引用[.reference_title] - *1* *2* *3* [【JavaScript 逆向AST混淆](https://blog.csdn.net/pyzzd/article/details/130613135)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v93^chatsearchT3_1"}}] [.reference_item style="max-width: 100%"] [ .reference_list ]
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值