最近发票查验平台的JS在抓取时,发现JS的内容 被混淆了,一头雾水,整个文件成了这样的样式:即使格式化,美化之后,依然,如此:
return _0x23666d[_0x3d8c('0x299', '@g[H')](_0x23666d[_0x3d8c('0x29a', 'f])s')](_0x205ff1[_0x3d8c('0x197', '*up9')](_0x23666d['RJaFV']($['cs'][_0x3d8c('0x29b', 'e6Te')](_0x23666d[_0x3d8c('0x29c', 'tYe)')](_0x14f1f5, _0x2a1439[_0x3d8c('0x29d', 'aGUp')](_0x205ff1[_0x3d8c('0x29e', '3C*E')](_0x23666d[_0x3d8c('0x29f', 'StyP')](_0x23666d['vUtLx'](_0x52c3d0, _0x53991d[_0x3d8c('0x2a0', 'K%$d')]) + _0x397dcb, _0x397dcb[_0x3d8c('0x107', 'e6Te')]))))) + _0x205ff1['xx'](_0x23666d['vUtLx'](_0x14f1f5, _0x21500b)), _0x21500b)), _0x2a1439[_0x3d8c('0x2a1', '*#dB')](_0x205ff1['xx'](_0x23666d['vUtLx'](_0x52c3d0, _0x21500b)), _0x205ff1[_0x3d8c('0x190', 'f])s')](_0x397dcb))), _0x205ff1[_0x3d8c('0x175', '*94i')](_0x23666d[_0x3d8c('0x2a2', 'aGUp')](_0x2673e3, _0x21500b))[_0x3d8c('0x2a3', 'xip4')]());
网上查了一下,有几位高手,做了反混淆还原的,还是不错的,但对于有的混淆JS文件,还原不了,或者,丢失了部分代码。
怎么办,只有自己动手了。分析每个JS头部:
var _0x3d13 = ['w6tcJcOAbg==', 'wqdYwrEWLw==', 'w7shOQ0B', 'QMKFw7/DmMKP', 'cB1PwpoA', 'w7Z7DMK4XMKGwo4zJcOCw6vCrTnCq8OifMOWwqTCog==', 'wrgufwZP', 'w6PDmgjDpMK0', 'MUzDkcOWFA==', 'bcKLCcKaaw==',。。。。。。
定义了一个大数组。不要认为,这个数组可以拿来使用,那就错了。
分析JS文件头部,发现:
(function(_0x589f7e, _0x199a91) {
var _0x4053b2 = function(_0x5c43c0) {
while (--_0x5c43c0) {
_0x589f7e['push'](_0x589f7e['shift']());
}
};
var _0x464fe7 = function(_0x582ef9, _0x14b5d0) {
_0x582ef9(++_0x14b5d0);
};
_0x464fe7(_0x4053b2, _0x199a91);
}(_0x3d13, 0x187));
var _0x3d8c = function(_0x17ddb8, _0x230eed) {
_0x17ddb8 = _0x17ddb8 - 0x0;
var _0x10d5f3 = _0x3d13[_0x17ddb8];
if (_0x3d8c['WGiXiH'] === undefined) {
(function() {
var _0x26a4de;
try {
var _0x443e41 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
_0x26a4de = _0x443e41();
} catch (_0x4993de) {
_0x26a4de = window;
}
var _0x18e5dc = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
_0x26a4de['atob'] || (_0x26a4de['atob'] = function(_0x23e847) {
var _0x5c40ce = String(_0x23e847)['replace'](/=+$/, '');
for (var _0x14720a = 0x0, _0x184255, _0x229160, _0x21476a = 0x0, _0x5a68a3 = ''; _0x229160 = _0x5c40ce['charAt'](_0x21476a++); ~_0x229160 && (_0x184255