js逆向-ast混淆还原入门案例(1)

recast资料太少,在大佬的建议下转到babel了。

搬运各个地方的案例学习后,分享给大家,也给自己一个记录。

案例需要 2 个文件:运行文件 1_run.js 和源码文件 1_read.js。

1_read.js

var _0x2075 = ['wrw3EMKc', 'BBdBHWk=', 'wplgd8O5dHbDtFfDucK9CsOS', 'f8KvAcKewoDClg==', 'XcKowo9uOyfChw==', 'XcKowpRzOzDCgMKuw5vCtH8=', 'HmQkw5vDt8OIBDbCpMKdw6Aaw7HDmcKb', 'wpxzdMO4', 'R8KHF1k1w5A=', 'w4LDgcOowrjDhg==', 'w6RKw6PCmVDDpw==', 'w6DDgsKrCsK5wqAwKsOMTkPDilwgB241RVBIw6rCvwpWw5fCo8OSw59pBcK7UlrCucOZHy7DgsO5wpx5J8K5wqbCtMOMwqvCsiUFw5s4JGfDmwQPw7Fawq3CgXlkJyE=', 'VcObYsOHKcKpwpI=', 'KkZfcE52w77ChsKgUQ==', 'CmQsw57DvA==', 'YV7CscOYZg==', 'w5jDt8OUwr46w5c6LsKEPsO0', 'F8OUMQhRw78Q', 'YMKzeTvCpMKzHcKKGSjCj2dJwq3Cj3/ChsKSFVpMw4sZwrg9H8OLw4/DqUlhYlpaa8KYJsO5AcK2wqnCmGhEwqkbdMKKLsO/wpBFMcKlC8OvKUkXZ8KpBsOxw4XDk8K5w4Y6w7VZO8K/wojCqcO2wqQow5Z+w6dew7I3TMObw6Ykw7I=', 'Mk8Bw6QawqU=', 'wo5zw4vCkxvDuSBqwoENw7rCrF3DksKewoPDqMKHNSzCgcK2fcKxPMKbGcKwCW5GZWRpw6fDmgHCjXrCnXE3w4zDqlt3w64lw7JiworDi8Knw5YoW1LDlUbDpkEtGQPDnw==', 'w6lvdMKW', 'w7JFdsOhwrBqwrlMYcKVJRjCuMKQwpLDtMONwprCsMORw4BtRV0oeEQPCgAmMgx2'];
// Rotates the string table in place before any lookup happens.
// Called with (_0x2075, 0xa4): the counter is pre-incremented to 0xa5 and the
// `while (--n)` loop then runs 0xa4 (164) times, each time moving the first
// element of the array to the end. Indices passed to the decoder refer to the
// table *after* this rotation, so the decoder only works if this has run exactly once.
(function(_0xf486e7, _0x2075d7) {
    var _0x5c3a18 = function(_0x5b65b1) {
        while (--_0x5b65b1) {
            // shift() removes the head, push() appends it: one left-rotation step.
            _0xf486e7['push'](_0xf486e7['shift']());
        }
    };
    _0x5c3a18(++_0x2075d7);
}(_0x2075, 0xa4));
// String decoder: _0x5c3a(index, key) returns the plaintext of entry `index`
// of the rotated _0x2075 table, decrypted with `key`.
// Decoding steps, as written below: base64 decode -> re-read the bytes as
// UTF-8 -> RC4 (256-entry key schedule followed by the XOR keystream loop).
// Results are cached on the function object, keyed by index only.
var _0x5c3a = function(_0xf486e7, _0x2075d7) {
    // Call sites pass the index as a hex string such as '0x15'; subtracting 0 coerces it to a number.
    _0xf486e7 = _0xf486e7 - 0x0;
    var _0x5c3a18 = _0x2075[_0xf486e7];
    // One-time setup, guarded by the 'vEVEZj' flag stored on the function itself.
    if (_0x5c3a['vEVEZj'] === undefined) {
        (function() {
            var _0x2e1ca4;
            try {
                // The concatenated string is `return (function() {}.constructor("return this")( ));`
                // i.e. code built at runtime whose only purpose is to return the global object.
                var _0x28e173 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
                _0x2e1ca4 = _0x28e173();
            } catch (_0x16acc9) {
                // Fallback when building the function fails; `window` must exist for this to work.
                _0x2e1ca4 = window;
            }
            // Base64 alphabet (with '=' appended) used by the polyfill below.
            var _0x16f958 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
            // Install an atob() on the global object only if the environment has none.
            _0x2e1ca4['atob'] || (_0x2e1ca4['atob'] = function(_0x5a7812) {
                // Trailing '=' padding is stripped before decoding.
                var _0x3c7e74 = String(_0x5a7812)['replace'](/=+$/, '');
                var _0x5e030c = '';
                // Accumulates 6 bits per input character and emits one byte whenever enough bits are available.
                for (var _0x4eaee2 = 0x0, _0x5954ef, _0x29200e, _0x5a128b = 0x0; _0x29200e = _0x3c7e74['charAt'](_0x5a128b++); ~_0x29200e && (_0x5954ef = _0x4eaee2 % 0x4 ? _0x5954ef * 0x40 + _0x29200e : _0x29200e,
                _0x4eaee2++ % 0x4) ? _0x5e030c += String['fromCharCode'](0xff & _0x5954ef >> (-0x2 * _0x4eaee2 & 0x6)) : 0x0) {
                    _0x29200e = _0x16f958['indexOf'](_0x29200e);
                }
                return _0x5e030c;
            }
            );
        }());
        // The actual decrypt routine: (base64 ciphertext, key string) -> plaintext string.
        var _0x3acf89 = function(_0x593a19, _0xfee22e) {
            var _0x1b5349 = [], _0x4ddb21 = 0x0, _0x28ed27, _0x4b4996 = '', _0xbdd0c6 = '';
            // Uses the global atob (native, or the polyfill installed above).
            _0x593a19 = atob(_0x593a19);
            // Percent-encode every byte, then decodeURIComponent: interprets the byte string as UTF-8.
            for (var _0x1d6343 = 0x0, _0x3f947e = _0x593a19['length']; _0x1d6343 < _0x3f947e; _0x1d6343++) {
                _0xbdd0c6 += '%' + ('00' + _0x593a19['charCodeAt'](_0x1d6343)['toString'](0x10))['slice'](-0x2);
            }
            _0x593a19 = decodeURIComponent(_0xbdd0c6);
            var _0x1a120c;
            // RC4 key schedule, step 1: identity permutation S[i] = i for 0..255.
            for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
                _0x1b5349[_0x1a120c] = _0x1a120c;
            }
            // RC4 key schedule, step 2: mix the key characters into S by swapping.
            for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
                _0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c] + _0xfee22e['charCodeAt'](_0x1a120c % _0xfee22e['length'])) % 0x100;
                _0x28ed27 = _0x1b5349[_0x1a120c];
                _0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
                _0x1b5349[_0x4ddb21] = _0x28ed27;
            }
            _0x1a120c = 0x0;
            _0x4ddb21 = 0x0;
            // RC4 keystream: one swap per input character, output = character XOR keystream byte.
            for (var _0x585b7f = 0x0; _0x585b7f < _0x593a19['length']; _0x585b7f++) {
                _0x1a120c = (_0x1a120c + 0x1) % 0x100;
                _0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c]) % 0x100;
                _0x28ed27 = _0x1b5349[_0x1a120c];
                _0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
                _0x1b5349[_0x4ddb21] = _0x28ed27;
                _0x4b4996 += String['fromCharCode'](_0x593a19['charCodeAt'](_0x585b7f) ^ _0x1b5349[(_0x1b5349[_0x1a120c] + _0x1b5349[_0x4ddb21]) % 0x100]);
            }
            return _0x4b4996;
        };
        // 'HKkhxp' holds the decrypt routine, 'eabUGz' the result cache, 'vEVEZj' marks setup as done.
        _0x5c3a['HKkhxp'] = _0x3acf89;
        _0x5c3a['eabUGz'] = {};
        _0x5c3a['vEVEZj'] = !![];
    }
    // Cache lookup by index; the key is not part of the cache key.
    var _0x5b65b1 = _0x5c3a['eabUGz'][_0xf486e7];
    if (_0x5b65b1 === undefined) {
        // 'vszZjY' is set here but not read anywhere else in this listing.
        if (_0x5c3a['vszZjY'] === undefined) {
            _0x5c3a['vszZjY'] = !![];
        }
        _0x5c3a18 = _0x5c3a['HKkhxp'](_0x5c3a18, _0x2075d7);
        _0x5c3a['eabUGz'][_0xf486e7] = _0x5c3a18;
    } else {
        _0x5c3a18 = _0x5b65b1;
    }
    return _0x5c3a18;
};
// "Run once" helper. The outer function executes immediately and returns a
// factory (thisArg, callback) -> wrapper. Only the first wrapper handed out is
// live; every later call to the factory returns an empty function.
var _0x2e1ca4 = function() {
    // true until the first wrapper has been created.
    var _0x564fd8 = !![];
    return function(_0x157886, _0x3f8543) {
        var _0x3aa335 = _0x564fd8 ? function() {
            if (_0x3f8543) {
                // The decoded listing on this page shows this lookup resolving to 'apply':
                // the callback is invoked with the supplied `this` and the wrapper's arguments.
                var _0x35f411 = _0x3f8543[_0x5c3a('0x15', 'qqhd')](_0x157886, arguments);
                // Drop the reference so the callback cannot run a second time.
                _0x3f8543 = null;
                return _0x35f411;
            }
        }
        : function() {}
        ;
        _0x564fd8 = ![];
        return _0x3aa335;
    }
    ;
}();
// Anti-analysis timer: calls the debugger trap _0x3acf89() every 0xfa0 (4000) ms.
// Anything that executes this file (rather than only parsing it) starts this timer.
setInterval(function() {
    _0x3acf89();
}, 0xfa0);
// Self-check, run once through the _0x2e1ca4 helper. It inspects the source
// text of the function returned by _0x3acf89('init'): concatenating a function
// with a string yields its source code.
(function() {
    _0x2e1ca4(this, function() {
        // Matches `function (` ... `)` with optional spaces.
        var _0x13f533 = new RegExp('function\x20*\x5c(\x20*\x5c)');
        // Pattern is stored encrypted; the decoded listing on this page shows it matching `++` followed by an identifier.
        var _0x28f488 = new RegExp(_0x5c3a('0x13', 'l02m'),'i');
        var _0x5783e7 = _0x3acf89('init');
        // If either pattern no longer matches the function's source, the string-argument
        // branch of the trap is taken; otherwise the debugger trap is started.
        if (!_0x13f533['test'](_0x5783e7 + _0x5c3a('0xb', 'mvpW')) || !_0x28f488['test'](_0x5783e7 + _0x5c3a('0x6', 'S&fJ'))) {
            _0x5783e7('0');
        } else {
            _0x3acf89();
        }
    })();
}());
// Assigns (without declaring) a global `window` object and attaches base64
// helpers to it. Both helpers write to an undeclared variable `e` (an implicit
// global) and throw `new t(...)`; `t` is not defined anywhere in this listing,
// so the error paths would raise a ReferenceError instead of the intended message.
window = {};
// Base64 decode. The alphabet and the method names are fetched through the
// string decoder; the decoded listing on this page shows them in clear text.
window['atob'] = function(_0x44004e) {
    e = _0x5c3a('0x8', 'CwZq');
    // Strip trailing '=' padding.
    var _0x2761c0 = String(_0x44004e)[_0x5c3a('0x9', 'F%XZ')](/=+$/, '');
    // A remainder of 1 after removing padding cannot be valid base64.
    if (_0x2761c0[_0x5c3a('0x7', 'KMc0')] % 0x4 == 0x1)
        throw new t('\x27atob\x27\x20failed:\x20The\x20string\x20to\x20be\x20decoded\x20is\x20not\x20correctly\x20encoded.');
    for (var _0x3568b6, _0x228da4, _0x1076e1 = 0x0, _0x242bbc = 0x0, _0x5766d9 = ''; _0x228da4 = _0x2761c0['charAt'](_0x242bbc++); ~_0x228da4 && (_0x3568b6 = _0x1076e1 % 0x4 ? 0x40 * _0x3568b6 + _0x228da4 : _0x228da4,
    _0x1076e1++ % 0x4) ? _0x5766d9 += String[_0x5c3a('0x16', '%Fh)')](0xff & _0x3568b6 >> (-0x2 * _0x1076e1 & 0x6)) : 0x0)
        _0x228da4 = e[_0x5c3a('0xe', 'ivHf')](_0x228da4);
    return _0x5766d9;
}
// Base64 encode. Rejects any character code above 0xff.
window['btoa'] = function(_0x140387) {
    e = _0x5c3a('0x11', '1t8u');
    for (var _0x5a7683, _0x5c4afc, _0x414c71 = String(_0x140387), _0x3a865d = 0x0, _0x388744 = e, _0x171f9b = ''; _0x414c71[_0x5c3a('0x10', 'G%UZ')](0x0 | _0x3a865d) || (_0x388744 = '=',
    _0x3a865d % 0x1); _0x171f9b += _0x388744[_0x5c3a('0x5', '#%vS')](0x3f & _0x5a7683 >> 0x8 - _0x3a865d % 0x1 * 0x8)) {
        if (_0x5c4afc = _0x414c71[_0x5c3a('0xa', '(eE#')](_0x3a865d += 0.75),
        _0x5c4afc > 0xff)
            throw new t(_0x5c3a('0xf', '!zyq'));
        _0x5a7683 = _0x5a7683 << 0x8 | _0x5c4afc;
    }
    return _0x171f9b;
}
// Debugger trap. With a truthy argument it returns the inner function without
// running it (the self-check uses this to read the function's source); with no
// argument it starts the inner function at 0.
// All strings passed to the Function constructor are stored encrypted here;
// their clear-text values are visible in the decoded listing on this page.
function _0x3acf89(_0x1a61bd) {
    function _0x50b4d2(_0x5c1045) {
        if (typeof _0x5c1045 === 'string') {
            // String argument: builds a function from a decoded string and invokes it.
            // The decoded listing shows the body is `while (true) {}`, i.e. this call never returns.
            return function(_0xaf1ee8) {}
            ['constructor'](_0x5c3a('0x3', 'mvpW'))[_0x5c3a('0xc', 'dtRw')](_0x5c3a('0x1', 'g1Ep'));
        } else {
            // x / x is NaN for 0 (string length 3) and 1 otherwise (length 1), so the
            // first branch is taken for 0 and for every multiple of 0x14 (20).
            if (('' + _0x5c1045 / _0x5c1045)['length'] !== 0x1 || _0x5c1045 % 0x14 === 0x0) {
                // Builds and calls a function whose body is the `debugger` statement;
                // the keyword is split into 'debu' + 'gger' so it does not appear literally.
                (function() {
                    return !![];
                }
                ['constructor']('debu' + 'gger')[_0x5c3a('0x4', '%Fh)')](_0x5c3a('0x0', 'zu[n')));
            } else {
                // Same construction with every string encrypted (decoded listing: "debu" + "gger").
                (function() {
                    return ![];
                }
                [_0x5c3a('0x2', 'g1Ep')](_0x5c3a('0x12', 'LPae') + _0x5c3a('0x14', 'N5*X'))['apply'](_0x5c3a('0xd', 'qOO9')));
            }
        }
        // Unconditional recursion with an incremented counter; there is no base case.
        _0x50b4d2(++_0x5c1045);
    }
    try {
        if (_0x1a61bd) {
            return _0x50b4d2;
        } else {
            _0x50b4d2(0x0);
        }
    // Any exception raised by the recursion (presumably the eventual stack overflow) is silently discarded.
    } catch (_0x524e63) {}
}




1_run.js

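/*
* 安装:npm install @babel/core
* (下面 require 的 @babel/parser、@babel/template、@babel/traverse、@babel/types、@babel/generator
*  都是 @babel/core 的依赖,会被一并安装;若所用的包管理器不允许直接引用传递依赖,需显式安装这些包)
* */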

// 将JS源码转换成语法树
const parser = require("@babel/parser");
// 为parser提供模板引擎
const template = require("@babel/template").default;
// 遍历AST
const traverse = require("@babel/traverse").default;
// 操作节点,比如判断节点类型,生成新的节点等
const t = require("@babel/types");
// 将语法树转换为源代码
const generator = require("@babel/generator").default;
// 操作文件
const fs = require("fs");
//
const path = require('path');

// Directory holding the sample and receiving the output. Hard-coded path from
// the author's machine; the trailing separator is required because file names
// are appended by plain string concatenation.
const file_path = 'F:\\FILE\\Python\\Exercises\\js\\js-ast混淆还原\\';
// Load the obfuscated sample as text. This text is only handed to the parser;
// the parts of the sample that do execute in this process are the ones pasted
// into this file below.
const jscode = fs.readFileSync(`${file_path}1_read.js`, "utf-8");

var _0x2075 = ['wrw3EMKc', 'BBdBHWk=', 'wplgd8O5dHbDtFfDucK9CsOS', 'f8KvAcKewoDClg==', 'XcKowo9uOyfChw==', 'XcKowpRzOzDCgMKuw5vCtH8=', 'HmQkw5vDt8OIBDbCpMKdw6Aaw7HDmcKb', 'wpxzdMO4', 'R8KHF1k1w5A=', 'w4LDgcOowrjDhg==', 'w6RKw6PCmVDDpw==', 'w6DDgsKrCsK5wqAwKsOMTkPDilwgB241RVBIw6rCvwpWw5fCo8OSw59pBcK7UlrCucOZHy7DgsO5wpx5J8K5wqbCtMOMwqvCsiUFw5s4JGfDmwQPw7Fawq3CgXlkJyE=', 'VcObYsOHKcKpwpI=', 'KkZfcE52w77ChsKgUQ==', 'CmQsw57DvA==', 'YV7CscOYZg==', 'w5jDt8OUwr46w5c6LsKEPsO0', 'F8OUMQhRw78Q', 'YMKzeTvCpMKzHcKKGSjCj2dJwq3Cj3/ChsKSFVpMw4sZwrg9H8OLw4/DqUlhYlpaa8KYJsO5AcK2wqnCmGhEwqkbdMKKLsO/wpBFMcKlC8OvKUkXZ8KpBsOxw4XDk8K5w4Y6w7VZO8K/wojCqcO2wqQow5Z+w6dew7I3TMObw6Ykw7I=', 'Mk8Bw6QawqU=', 'wo5zw4vCkxvDuSBqwoENw7rCrF3DksKewoPDqMKHNSzCgcK2fcKxPMKbGcKwCW5GZWRpw6fDmgHCjXrCnXE3w4zDqlt3w64lw7JiworDi8Knw5YoW1LDlUbDpkEtGQPDnw==', 'w6lvdMKW', 'w7JFdsOhwrBqwrlMYcKVJRjCuMKQwpLDtMONwprCsMORw4BtRV0oeEQPCgAmMgx2'];
// Copied verbatim from 1_read.js: rotates the string table 0xa4 (164) times so
// that the indices used by the sample's call sites line up with the table.
// It must run exactly once before the decoder below is called.
// NOTE(review): this and the decoder below are code from the sample under
// analysis, executing inside this script's own Node process with this process's
// privileges. Read every copied line before running, and copy only what the
// decoder needs (table, rotation, decoder) - not the timer, self-check or
// debugger parts of the sample.
(function(_0xf486e7, _0x2075d7) {
    var _0x5c3a18 = function(_0x5b65b1) {
        while (--_0x5b65b1) {
            // One left-rotation step: head element moves to the tail.
            _0xf486e7['push'](_0xf486e7['shift']());
        }
    };
    _0x5c3a18(++_0x2075d7);
}(_0x2075, 0xa4));
// The sample's own string decoder, pasted in so the CallExpression visitor can
// evaluate _0x5c3a(index, key) locally: base64 decode -> UTF-8 -> RC4 with `key`.
// NOTE(review): this is sample code running in the analysis process. It builds
// a function from a string at runtime (the Function(...) call below, which in
// this sample only returns the global object) and may install `atob` on the
// global object. Check what a copied decoder does before executing it; a
// different sample's decoder may do more than decode.
var _0x5c3a = function(_0xf486e7, _0x2075d7) {
    // The index arrives as a hex string such as '0x15'; `- 0x0` coerces it to a number.
    _0xf486e7 = _0xf486e7 - 0x0;
    var _0x5c3a18 = _0x2075[_0xf486e7];
    // One-time setup, guarded by a flag stored on the function itself.
    if (_0x5c3a['vEVEZj'] === undefined) {
        (function() {
            var _0x2e1ca4;
            try {
                // Runtime-built code: `return (function() {}.constructor("return this")( ));` -> the global object.
                var _0x28e173 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
                _0x2e1ca4 = _0x28e173();
            } catch (_0x16acc9) {
                // This script never defines `window`, so this fallback would itself throw here.
                _0x2e1ca4 = window;
            }
            var _0x16f958 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
            // Adds an atob() to the global object only when none exists.
            _0x2e1ca4['atob'] || (_0x2e1ca4['atob'] = function(_0x5a7812) {
                var _0x3c7e74 = String(_0x5a7812)['replace'](/=+$/, '');
                var _0x5e030c = '';
                for (var _0x4eaee2 = 0x0, _0x5954ef, _0x29200e, _0x5a128b = 0x0; _0x29200e = _0x3c7e74['charAt'](_0x5a128b++); ~_0x29200e && (_0x5954ef = _0x4eaee2 % 0x4 ? _0x5954ef * 0x40 + _0x29200e : _0x29200e,
                _0x4eaee2++ % 0x4) ? _0x5e030c += String['fromCharCode'](0xff & _0x5954ef >> (-0x2 * _0x4eaee2 & 0x6)) : 0x0) {
                    _0x29200e = _0x16f958['indexOf'](_0x29200e);
                }
                return _0x5e030c;
            }
            );
        }());
        // Decrypt routine: (base64 ciphertext, key string) -> plaintext string.
        var _0x3acf89 = function(_0x593a19, _0xfee22e) {
            var _0x1b5349 = [], _0x4ddb21 = 0x0, _0x28ed27, _0x4b4996 = '', _0xbdd0c6 = '';
            _0x593a19 = atob(_0x593a19);
            // Percent-encode each byte and decodeURIComponent the result: reads the bytes as UTF-8.
            // decodeURIComponent throws URIError on byte sequences that are not valid UTF-8.
            for (var _0x1d6343 = 0x0, _0x3f947e = _0x593a19['length']; _0x1d6343 < _0x3f947e; _0x1d6343++) {
                _0xbdd0c6 += '%' + ('00' + _0x593a19['charCodeAt'](_0x1d6343)['toString'](0x10))['slice'](-0x2);
            }
            _0x593a19 = decodeURIComponent(_0xbdd0c6);
            var _0x1a120c;
            // RC4 key schedule: identity permutation, then key-dependent swaps.
            for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
                _0x1b5349[_0x1a120c] = _0x1a120c;
            }
            for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
                _0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c] + _0xfee22e['charCodeAt'](_0x1a120c % _0xfee22e['length'])) % 0x100;
                _0x28ed27 = _0x1b5349[_0x1a120c];
                _0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
                _0x1b5349[_0x4ddb21] = _0x28ed27;
            }
            _0x1a120c = 0x0;
            _0x4ddb21 = 0x0;
            // RC4 keystream XORed over the input, one character at a time.
            for (var _0x585b7f = 0x0; _0x585b7f < _0x593a19['length']; _0x585b7f++) {
                _0x1a120c = (_0x1a120c + 0x1) % 0x100;
                _0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c]) % 0x100;
                _0x28ed27 = _0x1b5349[_0x1a120c];
                _0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
                _0x1b5349[_0x4ddb21] = _0x28ed27;
                _0x4b4996 += String['fromCharCode'](_0x593a19['charCodeAt'](_0x585b7f) ^ _0x1b5349[(_0x1b5349[_0x1a120c] + _0x1b5349[_0x4ddb21]) % 0x100]);
            }
            return _0x4b4996;
        };
        _0x5c3a['HKkhxp'] = _0x3acf89;
        _0x5c3a['eabUGz'] = {};
        _0x5c3a['vEVEZj'] = !![];
    }
    // Results are cached by index only, not by (index, key).
    var _0x5b65b1 = _0x5c3a['eabUGz'][_0xf486e7];
    if (_0x5b65b1 === undefined) {
        if (_0x5c3a['vszZjY'] === undefined) {
            _0x5c3a['vszZjY'] = !![];
        }
        _0x5c3a18 = _0x5c3a['HKkhxp'](_0x5c3a18, _0x2075d7);
        _0x5c3a['eabUGz'][_0xf486e7] = _0x5c3a18;
    } else {
        _0x5c3a18 = _0x5b65b1;
    }
    return _0x5c3a18;
};

/**
 * Apply both rewrite passes to the AST, mutating it in place.
 *
 * The passes are separate traversals on purpose: the second one must also see
 * the string literals that the first one has just put in place of decoder
 * calls, e.g. obj[_0x5c3a(...)] -> obj["apply"] -> obj.apply.
 *
 * @param {object} ast - Babel AST produced by parser.parse().
 */
function traverse_all(ast) {
    // Pass 1: replace every _0x5c3a(...) call with the string it decodes to.
    const decodeCalls = { CallExpression: replace_function_to_string };
    traverse(ast, decodeCalls);

    // Pass 2: turn a["name"] into a.name.
    const bracketToDot = { MemberExpression: replace };
    traverse(ast, bracketToDot);
}
// a["length"]转变为a.length
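/**
 * MemberExpression visitor: rewrite a["length"] as a.length.
 *
 * Only the property node is replaced. Replacing the whole path would turn the
 * MemberExpression itself into an Identifier (window.btoa would become btoa).
 *
 * Properties that cannot be written in dot notation (a["foo-bar"], a["0"],
 * a[""]) are left bracketed; converting them would make the generated file
 * invalid or change its meaning. Reserved words are also left bracketed, which
 * is the conservative choice.
 *
 * @param {object} path - Babel NodePath of a MemberExpression.
 */
function replace(path)
{
    const node = path.node;
    // Only computed accesses with a literal string key are candidates.
    if (!node.computed || !t.isStringLiteral(node.property)) return;
    const value = node.property.value;
    if (!t.isValidIdentifier(value)) return;
    console.log(value)
    // computed: true prints as a[x]; false prints as a.x
    node.computed = false
    path.get('property').replaceWith(t.identifier(value))
}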

//调用_0x5c3a进行解密,再替换原来的调用节点
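/**
 * CallExpression visitor: evaluate _0x5c3a("0x..", "key") with the local copy
 * of the decoder and replace the call with the resulting string literal.
 *
 * The call is folded only when it has exactly two string-literal arguments.
 * A call with a variable or expression argument cannot be evaluated from the
 * AST alone; reading `.value` on such a node gives undefined, and decoding
 * that would either throw or splice a wrong string into the output.
 *
 * Note that _0x5c3a here is code pasted from the sample and runs inside this
 * process.
 *
 * @param {object} path - Babel NodePath of a CallExpression.
 */
function replace_function_to_string(path)
{
  const node = path.node;
  // Not a call to the decoder: nothing to do.
  if (!t.isIdentifier(node.callee,{name:"_0x5c3a"})) return;
  if (node.arguments.length !== 2) return;
  const [indexArg, keyArg] = node.arguments;
  if (!t.isStringLiteral(indexArg) || !t.isStringLiteral(keyArg)) return;

  let value;
  try {
    value = _0x5c3a(indexArg.value, keyArg.value);
  } catch (err) {
    // One undecodable entry should not abort the whole pass; leave the call as it is.
    console.warn(node.callee.name, indexArg.value, keyArg.value, 'decode failed:', err.message);
    return;
  }
  // An out-of-range index would not yield a string; keep the original call then.
  if (typeof value !== 'string') return;

  // Log each substitution so the result can be checked by eye.
  console.log(node.callee.name, indexArg.value, keyArg.value, value);
  path.replaceWith(t.stringLiteral(value));
}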

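// Parse the sample text, apply both rewrite passes, and print the AST back to source.
let ast = parser.parse(jscode);
traverse_all(ast);
let {code} = generator(ast);
// Only strings and member accesses were rewritten: the output still contains
// the sample's timer, self-check and debugger traps. 1_decoded.js is a file to
// read, not to run.
// Report a failed write instead of discarding the error, so a missing
// directory or a permission problem does not look like a successful run.
fs.writeFile(file_path+'1_decoded.js', code, (err) => {
    if (err) {
        console.error('failed to write 1_decoded.js:', err);
        process.exitCode = 1;
    }
});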

生成1_decoded.js

var _0x2075 = ['wrw3EMKc', 'BBdBHWk=', 'wplgd8O5dHbDtFfDucK9CsOS', 'f8KvAcKewoDClg==', 'XcKowo9uOyfChw==', 'XcKowpRzOzDCgMKuw5vCtH8=', 'HmQkw5vDt8OIBDbCpMKdw6Aaw7HDmcKb', 'wpxzdMO4', 'R8KHF1k1w5A=', 'w4LDgcOowrjDhg==', 'w6RKw6PCmVDDpw==', 'w6DDgsKrCsK5wqAwKsOMTkPDilwgB241RVBIw6rCvwpWw5fCo8OSw59pBcK7UlrCucOZHy7DgsO5wpx5J8K5wqbCtMOMwqvCsiUFw5s4JGfDmwQPw7Fawq3CgXlkJyE=', 'VcObYsOHKcKpwpI=', 'KkZfcE52w77ChsKgUQ==', 'CmQsw57DvA==', 'YV7CscOYZg==', 'w5jDt8OUwr46w5c6LsKEPsO0', 'F8OUMQhRw78Q', 'YMKzeTvCpMKzHcKKGSjCj2dJwq3Cj3/ChsKSFVpMw4sZwrg9H8OLw4/DqUlhYlpaa8KYJsO5AcK2wqnCmGhEwqkbdMKKLsO/wpBFMcKlC8OvKUkXZ8KpBsOxw4XDk8K5w4Y6w7VZO8K/wojCqcO2wqQow5Z+w6dew7I3TMObw6Ykw7I=', 'Mk8Bw6QawqU=', 'wo5zw4vCkxvDuSBqwoENw7rCrF3DksKewoPDqMKHNSzCgcK2fcKxPMKbGcKwCW5GZWRpw6fDmgHCjXrCnXE3w4zDqlt3w64lw7JiworDi8Knw5YoW1LDlUbDpkEtGQPDnw==', 'w6lvdMKW', 'w7JFdsOhwrBqwrlMYcKVJRjCuMKQwpLDtMONwprCsMORw4BtRV0oeEQPCgAmMgx2'];

(function (_0xf486e7, _0x2075d7) {
  var _0x5c3a18 = function (_0x5b65b1) {
    while (--_0x5b65b1) {
      _0xf486e7.push(_0xf486e7.shift());
    }
  };

  _0x5c3a18(++_0x2075d7);
})(_0x2075, 0xa4);

var _0x5c3a = function (_0xf486e7, _0x2075d7) {
  _0xf486e7 = _0xf486e7 - 0x0;
  var _0x5c3a18 = _0x2075[_0xf486e7];

  if (_0x5c3a.vEVEZj === undefined) {
    (function () {
      var _0x2e1ca4;

      try {
        var _0x28e173 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');

        _0x2e1ca4 = _0x28e173();
      } catch (_0x16acc9) {
        _0x2e1ca4 = window;
      }

      var _0x16f958 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
      _0x2e1ca4.atob || (_0x2e1ca4.atob = function (_0x5a7812) {
        var _0x3c7e74 = String(_0x5a7812).replace(/=+$/, '');

        var _0x5e030c = '';

        for (var _0x4eaee2 = 0x0, _0x5954ef, _0x29200e, _0x5a128b = 0x0; _0x29200e = _0x3c7e74.charAt(_0x5a128b++); ~_0x29200e && (_0x5954ef = _0x4eaee2 % 0x4 ? _0x5954ef * 0x40 + _0x29200e : _0x29200e, _0x4eaee2++ % 0x4) ? _0x5e030c += String.fromCharCode(0xff & _0x5954ef >> (-0x2 * _0x4eaee2 & 0x6)) : 0x0) {
          _0x29200e = _0x16f958.indexOf(_0x29200e);
        }

        return _0x5e030c;
      });
    })();

    var _0x3acf89 = function (_0x593a19, _0xfee22e) {
      var _0x1b5349 = [],
          _0x4ddb21 = 0x0,
          _0x28ed27,
          _0x4b4996 = '',
          _0xbdd0c6 = '';

      _0x593a19 = atob(_0x593a19);

      for (var _0x1d6343 = 0x0, _0x3f947e = _0x593a19.length; _0x1d6343 < _0x3f947e; _0x1d6343++) {
        _0xbdd0c6 += '%' + ('00' + _0x593a19.charCodeAt(_0x1d6343).toString(0x10)).slice(-0x2);
      }

      _0x593a19 = decodeURIComponent(_0xbdd0c6);

      var _0x1a120c;

      for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
        _0x1b5349[_0x1a120c] = _0x1a120c;
      }

      for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
        _0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c] + _0xfee22e.charCodeAt(_0x1a120c % _0xfee22e.length)) % 0x100;
        _0x28ed27 = _0x1b5349[_0x1a120c];
        _0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
        _0x1b5349[_0x4ddb21] = _0x28ed27;
      }

      _0x1a120c = 0x0;
      _0x4ddb21 = 0x0;

      for (var _0x585b7f = 0x0; _0x585b7f < _0x593a19.length; _0x585b7f++) {
        _0x1a120c = (_0x1a120c + 0x1) % 0x100;
        _0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c]) % 0x100;
        _0x28ed27 = _0x1b5349[_0x1a120c];
        _0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
        _0x1b5349[_0x4ddb21] = _0x28ed27;
        _0x4b4996 += String.fromCharCode(_0x593a19.charCodeAt(_0x585b7f) ^ _0x1b5349[(_0x1b5349[_0x1a120c] + _0x1b5349[_0x4ddb21]) % 0x100]);
      }

      return _0x4b4996;
    };

    _0x5c3a.HKkhxp = _0x3acf89;
    _0x5c3a.eabUGz = {};
    _0x5c3a.vEVEZj = !![];
  }

  var _0x5b65b1 = _0x5c3a.eabUGz[_0xf486e7];

  if (_0x5b65b1 === undefined) {
    if (_0x5c3a.vszZjY === undefined) {
      _0x5c3a.vszZjY = !![];
    }

    _0x5c3a18 = _0x5c3a.HKkhxp(_0x5c3a18, _0x2075d7);
    _0x5c3a.eabUGz[_0xf486e7] = _0x5c3a18;
  } else {
    _0x5c3a18 = _0x5b65b1;
  }

  return _0x5c3a18;
};

// "Run once" helper: the immediately-invoked outer function returns a factory
// (thisArg, callback) -> wrapper. Only the first wrapper it hands out is live;
// later calls to the factory return an empty function.
var _0x2e1ca4 = function () {
  // true until the first wrapper has been created.
  var _0x564fd8 = !![];

  return function (_0x157886, _0x3f8543) {
    var _0x3aa335 = _0x564fd8 ? function () {
      if (_0x3f8543) {
        // Invoke the callback with the supplied `this` and the wrapper's arguments.
        var _0x35f411 = _0x3f8543.apply(_0x157886, arguments);

        // Drop the reference so the callback cannot run again.
        _0x3f8543 = null;
        return _0x35f411;
      }
    } : function () {};

    _0x564fd8 = ![];
    return _0x3aa335;
  };
}();

// Anti-analysis timer: calls the debugger trap every 0xfa0 (4000) ms.
// The deobfuscation pass does not remove it, so this file is for reading only.
setInterval(function () {
  _0x3acf89();
}, 0xfa0);

// Self-check, run once: _0x3acf89('init') returns the trap's inner function,
// and concatenating it with a string yields its source text.
(function () {
  _0x2e1ca4(this, function () {
    // Matches `function (` ... `)` with optional spaces.
    var _0x13f533 = new RegExp('function\x20*\x5c(\x20*\x5c)');

    // Matches `++` followed by an identifier.
    var _0x28f488 = new RegExp("\\+\\+ *(?:[a-zA-Z_$][0-9a-zA-Z_$]*)", 'i');

    var _0x5783e7 = _0x3acf89('init');

    // If the function's source no longer matches either pattern, the trap is called
    // with a string argument (the `while (true) {}` branch); otherwise the debugger trap starts.
    if (!_0x13f533.test(_0x5783e7 + "chain") || !_0x28f488.test(_0x5783e7 + "input")) {
      _0x5783e7('0');
    } else {
      _0x3acf89();
    }
  })();
})();

// Assigns (without declaring) a global `window` object and attaches base64
// helpers to it. Both helpers write to an undeclared variable `e` and throw
// `new t(...)`; `t` is not defined anywhere in this listing, so the error
// paths would raise a ReferenceError instead of the intended message.
window = {};

// Base64 decode.
window.atob = function (_0x44004e) {
  e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

  // Strip trailing '=' padding.
  var _0x2761c0 = String(_0x44004e).replace(/=+$/, '');

  // A remainder of 1 after removing padding cannot be valid base64.
  if (_0x2761c0.length % 0x4 == 0x1) throw new t('\x27atob\x27\x20failed:\x20The\x20string\x20to\x20be\x20decoded\x20is\x20not\x20correctly\x20encoded.');

  for (var _0x3568b6, _0x228da4, _0x1076e1 = 0x0, _0x242bbc = 0x0, _0x5766d9 = ''; _0x228da4 = _0x2761c0.charAt(_0x242bbc++); ~_0x228da4 && (_0x3568b6 = _0x1076e1 % 0x4 ? 0x40 * _0x3568b6 + _0x228da4 : _0x228da4, _0x1076e1++ % 0x4) ? _0x5766d9 += String.fromCharCode(0xff & _0x3568b6 >> (-0x2 * _0x1076e1 & 0x6)) : 0x0) _0x228da4 = e.indexOf(_0x228da4);

  return _0x5766d9;
};

// Base64 encode; rejects any character code above 0xff.
window.btoa = function (_0x140387) {
  e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

  for (var _0x5a7683, _0x5c4afc, _0x414c71 = String(_0x140387), _0x3a865d = 0x0, _0x388744 = e, _0x171f9b = ''; _0x414c71.charAt(0x0 | _0x3a865d) || (_0x388744 = '=', _0x3a865d % 0x1); _0x171f9b += _0x388744.charAt(0x3f & _0x5a7683 >> 0x8 - _0x3a865d % 0x1 * 0x8)) {
    if (_0x5c4afc = _0x414c71.charCodeAt(_0x3a865d += 0.75), _0x5c4afc > 0xff) throw new t("'btoa' failed: The string to be encoded contains characters outside of the Latin1 range.");
    _0x5a7683 = _0x5a7683 << 0x8 | _0x5c4afc;
  }

  return _0x171f9b;
};

// Debugger trap, now readable. With a truthy argument it returns the inner
// function without running it; with no argument it starts the inner function at 0.
// Recognisable markers for this pattern: functions built through `.constructor(...)`
// with the bodies "while (true) {}" and "debugger" (split as 'debu' + 'gger').
function _0x3acf89(_0x1a61bd) {
  function _0x50b4d2(_0x5c1045) {
    if (typeof _0x5c1045 === 'string') {
      // Builds a function whose body is an endless loop and calls it: this call never returns.
      return function (_0xaf1ee8) {}.constructor("while (true) {}").apply("counter");
    } else {
      // x / x is NaN for 0 (string length 3) and 1 otherwise, so the first
      // branch is taken for 0 and for every multiple of 0x14 (20).
      if (('' + _0x5c1045 / _0x5c1045).length !== 0x1 || _0x5c1045 % 0x14 === 0x0) {
        // Builds and calls a function whose body is the `debugger` statement.
        (function () {
          return !![];
        }).constructor('debu' + 'gger').call("action");
      } else {
        // Same construction; in the obfuscated input these strings were encrypted.
        (function () {
          return ![];
        }).constructor("debu" + "gger").apply("stateObject");
      }
    }

    // Unconditional recursion with an incremented counter; there is no base case.
    _0x50b4d2(++_0x5c1045);
  }

  try {
    if (_0x1a61bd) {
      return _0x50b4d2;
    } else {
      _0x50b4d2(0x0);
    }
  // Any exception raised by the recursion (presumably the eventual stack overflow) is silently discarded.
  } catch (_0x524e63) {}
}

 

 
