承接上篇并加以拆解:记录把 a["length"] 转换为 a.length 的多种写法。
本案例需要 2 个文件:运行文件 2_run.js 和源码文件 2_read.js。2_run.js 只把 2_read.js 当作文本读取并解析成 AST,不会执行它。
2_read.js
// Encoded string table of the obfuscated sample. The entries are opaque until
// decoded: _0x5c3a (defined further down in this file) reads an entry by index
// and hands it, together with a key, to a base64 + RC4 decoder.
// The array is rotated in place by the IIFE that follows, so the order written
// here is not the order seen by lookups.
var _0x2075 = ['wrw3EMKc', 'BBdBHWk=', 'wplgd8O5dHbDtFfDucK9CsOS', 'f8KvAcKewoDClg==', 'XcKowo9uOyfChw==', 'XcKowpRzOzDCgMKuw5vCtH8=', 'HmQkw5vDt8OIBDbCpMKdw6Aaw7HDmcKb', 'wpxzdMO4', 'R8KHF1k1w5A=', 'w4LDgcOowrjDhg==', 'w6RKw6PCmVDDpw==', 'w6DDgsKrCsK5wqAwKsOMTkPDilwgB241RVBIw6rCvwpWw5fCo8OSw59pBcK7UlrCucOZHy7DgsO5wpx5J8K5wqbCtMOMwqvCsiUFw5s4JGfDmwQPw7Fawq3CgXlkJyE=', 'VcObYsOHKcKpwpI=', 'KkZfcE52w77ChsKgUQ==', 'CmQsw57DvA==', 'YV7CscOYZg==', 'w5jDt8OUwr46w5c6LsKEPsO0', 'F8OUMQhRw78Q', 'YMKzeTvCpMKzHcKKGSjCj2dJwq3Cj3/ChsKSFVpMw4sZwrg9H8OLw4/DqUlhYlpaa8KYJsO5AcK2wqnCmGhEwqkbdMKKLsO/wpBFMcKlC8OvKUkXZ8KpBsOxw4XDk8K5w4Y6w7VZO8K/wojCqcO2wqQow5Z+w6dew7I3TMObw6Ykw7I=', 'Mk8Bw6QawqU=', 'wo5zw4vCkxvDuSBqwoENw7rCrF3DksKewoPDqMKHNSzCgcK2fcKxPMKbGcKwCW5GZWRpw6fDmgHCjXrCnXE3w4zDqlt3w64lw7JiworDi8Knw5YoW1LDlUbDpkEtGQPDnw==', 'w6lvdMKW', 'w7JFdsOhwrBqwrlMYcKVJRjCuMKQwpLDtMONwprCsMORw4BtRV0oeEQPCgAmMgx2'];
// Shuffles the string table in place before any lookup happens.
// _0xf486e7 is the table (_0x2075) and _0x2075d7 is the rotation seed (0xa4).
(function (_0xf486e7, _0x2075d7) {
// Rotate left: move the first element to the end while --counter is non-zero.
var _0x5c3a18 = function (_0x5b65b1) {
while (--_0x5b65b1) {
_0xf486e7['push'](_0xf486e7['shift']());
}
};
// The seed is pre-incremented to 0xa5, so the loop above performs 0xa4 (164) rotations.
_0x5c3a18(++_0x2075d7);
})(_0x2075, 0xa4);
// String-table accessor: returns the decoded form of _0x2075[index] and caches it.
//   _0xf486e7 - index into _0x2075 (coerced to a number by `- 0x0`)
//   _0x2075d7 - key passed to the decoder
// Nothing in this listing calls _0x5c3a; only its definition is shown.
var _0x5c3a = function (_0xf486e7, _0x2075d7) {
_0xf486e7 = _0xf486e7 - 0x0;
var _0x5c3a18 = _0x2075[_0xf486e7];
// One-time setup, guarded by the vEVEZj flag stored on the function object itself.
if (_0x5c3a['vEVEZj'] === undefined) {
// Step 1: find the global object and give it an atob() if it has none.
(function () {
var _0x2e1ca4;
try {
// The concatenated text is: return (function() {}.constructor("return this")( ));
// i.e. code assembled at runtime through the Function constructor to obtain the global `this`.
var _0x28e173 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
_0x2e1ca4 = _0x28e173();
} catch (_0x16acc9) {
// Fallback when the Function-constructor call throws.
_0x2e1ca4 = window;
}
var _0x16f958 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
// Hand-written base64 decoder, installed only when the global object lacks atob.
_0x2e1ca4['atob'] || (_0x2e1ca4['atob'] = function (_0x5a7812) {
var _0x3c7e74 = String(_0x5a7812)['replace'](/=+$/, '');
var _0x5e030c = '';
for (var _0x4eaee2 = 0x0, _0x5954ef, _0x29200e, _0x5a128b = 0x0; _0x29200e = _0x3c7e74['charAt'](_0x5a128b++); ~_0x29200e && (_0x5954ef = _0x4eaee2 % 0x4 ? _0x5954ef * 0x40 + _0x29200e : _0x29200e, _0x4eaee2++ % 0x4) ? _0x5e030c += String['fromCharCode'](0xff & _0x5954ef >> (-0x2 * _0x4eaee2 & 0x6)) : 0x0) {
_0x29200e = _0x16f958['indexOf'](_0x29200e);
}
return _0x5e030c;
});
})();
// Step 2: the decoder. This `var` is local to _0x5c3a and shadows the top-level
// function of the same name inside _0x5c3a.
//   _0x593a19 - encoded table entry, _0xfee22e - key string
var _0x3acf89 = function (_0x593a19, _0xfee22e) {
var _0x1b5349 = [],
_0x4ddb21 = 0x0,
_0x28ed27,
_0x4b4996 = '',
_0xbdd0c6 = '';
// base64-decode, then re-read the bytes as UTF-8 by percent-encoding each one
// and running decodeURIComponent over the result.
_0x593a19 = atob(_0x593a19);
for (var _0x1d6343 = 0x0, _0x3f947e = _0x593a19['length']; _0x1d6343 < _0x3f947e; _0x1d6343++) {
_0xbdd0c6 += '%' + ('00' + _0x593a19['charCodeAt'](_0x1d6343)['toString'](0x10))['slice'](-0x2);
}
_0x593a19 = decodeURIComponent(_0xbdd0c6);
var _0x1a120c;
// RC4 key scheduling: start from S = [0..255] ...
for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
_0x1b5349[_0x1a120c] = _0x1a120c;
}
// ... then swap entries, mixing in the key characters cyclically.
for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
_0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c] + _0xfee22e['charCodeAt'](_0x1a120c % _0xfee22e['length'])) % 0x100;
_0x28ed27 = _0x1b5349[_0x1a120c];
_0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
_0x1b5349[_0x4ddb21] = _0x28ed27;
}
_0x1a120c = 0x0;
_0x4ddb21 = 0x0;
// RC4 keystream generation; each input character is XORed with one keystream value.
for (var _0x585b7f = 0x0; _0x585b7f < _0x593a19['length']; _0x585b7f++) {
_0x1a120c = (_0x1a120c + 0x1) % 0x100;
_0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c]) % 0x100;
_0x28ed27 = _0x1b5349[_0x1a120c];
_0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
_0x1b5349[_0x4ddb21] = _0x28ed27;
_0x4b4996 += String['fromCharCode'](_0x593a19['charCodeAt'](_0x585b7f) ^ _0x1b5349[(_0x1b5349[_0x1a120c] + _0x1b5349[_0x4ddb21]) % 0x100]);
}
return _0x4b4996;
};
// Step 3: publish the decoder, create the per-index cache, mark setup as done.
_0x5c3a['HKkhxp'] = _0x3acf89;
_0x5c3a['eabUGz'] = {};
_0x5c3a['vEVEZj'] = !![];
}
// Cache lookup by index: decode on a miss and remember the result.
var _0x5b65b1 = _0x5c3a['eabUGz'][_0xf486e7];
if (_0x5b65b1 === undefined) {
// vszZjY is set here but is not read anywhere else in this listing.
if (_0x5c3a['vszZjY'] === undefined) {
_0x5c3a['vszZjY'] = !![];
}
_0x5c3a18 = _0x5c3a['HKkhxp'](_0x5c3a18, _0x2075d7);
_0x5c3a['eabUGz'][_0xf486e7] = _0x5c3a18;
} else {
_0x5c3a18 = _0x5b65b1;
}
return _0x5c3a18;
};
// Call-once wrapper factory. The outer IIFE keeps a closure flag (_0x564fd8)
// and returns a function taking (context, callback):
//   - the first call returns a wrapper that runs callback.apply(context, arguments)
//     once and then drops the callback reference;
//   - every later call returns an empty function.
var _0x2e1ca4 = function () {
var _0x564fd8 = !![];
return function (_0x157886, _0x3f8543) {
var _0x3aa335 = _0x564fd8 ? function () {
if (_0x3f8543) {
var _0x35f411 = _0x3f8543["apply"](_0x157886, arguments);
// Null the callback so a second invocation of the wrapper does nothing.
_0x3f8543 = null;
return _0x35f411;
}
} : function () {
};
_0x564fd8 = ![];
return _0x3aa335;
};
}();
// Timer: every 0xfa0 (4000) ms call _0x3acf89 with no argument. At this scope the
// name resolves to the function declaration near the end of the file (function
// declarations are hoisted), i.e. the routine that fires `debugger` statements.
setInterval(function () {
_0x3acf89();
}, 0xfa0);
// Runs once at load, through the call-once wrapper _0x2e1ca4.
// It obtains the inner routine via _0x3acf89('init') and tests that routine's
// source text (string concatenation coerces the function to its source) against
// two patterns: `function *\( *\)` and `\+\+ *<identifier>`.
//   - either pattern missing -> call the routine with the string '0', which takes
//     its `while (true) {}` branch;
//   - both present           -> call _0x3acf89(), the `debugger` branch.
// NOTE(review): this looks like a check that the routine's source text is intact,
// used to decide which stalling behaviour to trigger; confirm against the obfuscator.
(function () {
_0x2e1ca4(this, function () {
var _0x13f533 = new RegExp('function\x20*\x5c(\x20*\x5c)');
var _0x28f488 = new RegExp("\\+\\+ *(?:[a-zA-Z_$][0-9a-zA-Z_$]*)", 'i');
var _0x5783e7 = _0x3acf89('init');
if (!_0x13f533['test'](_0x5783e7 + "chain") || !_0x28f488['test'](_0x5783e7 + "input")) {
_0x5783e7('0');
} else {
_0x3acf89();
}
})();
})();
// Creates a `window` object (assignment without a declaration) and defines a
// base64 decoder on it as window['atob'].
// Two things to keep in mind when reading it:
//   - `e` is assigned without a declaration, so it becomes a global;
//   - `t` is not defined anywhere in this listing, so reaching `throw new t(...)`
//     would fail on the missing name rather than throw the intended error.
// The escaped message reads: 'atob' failed: The string to be decoded is not correctly encoded.
window = {};
window['atob'] = function (_0x44004e) {
e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
// Strip trailing '=' padding before decoding.
var _0x2761c0 = String(_0x44004e)["replace"](/=+$/, '');
// A base64 body whose length is 1 mod 4 cannot be valid.
if (_0x2761c0["length"] % 0x4 == 0x1)
throw new t('\x27atob\x27\x20failed:\x20The\x20string\x20to\x20be\x20decoded\x20is\x20not\x20correctly\x20encoded.');
// Map each character to its alphabet index, accumulate 6 bits at a time and
// emit one byte whenever enough bits are available.
for (var _0x3568b6, _0x228da4, _0x1076e1 = 0x0, _0x242bbc = 0x0, _0x5766d9 = ''; _0x228da4 = _0x2761c0['charAt'](_0x242bbc++); ~_0x228da4 && (_0x3568b6 = _0x1076e1 % 0x4 ? 0x40 * _0x3568b6 + _0x228da4 : _0x228da4, _0x1076e1++ % 0x4) ? _0x5766d9 += String["fromCharCode"](0xff & _0x3568b6 >> (-0x2 * _0x1076e1 & 0x6)) : 0x0)
_0x228da4 = e["indexOf"](_0x228da4);
return _0x5766d9;
};
// Base64 encoder defined as window['btoa'].
// `e` is again assigned without a declaration, and `t` (used in `throw new t(...)`)
// is not defined anywhere in this listing.
window['btoa'] = function (_0x140387) {
e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
// The index advances by 0.75 per step, so four output characters are produced
// for every three input characters; '=' is used once the input is exhausted.
for (var _0x5a7683, _0x5c4afc, _0x414c71 = String(_0x140387), _0x3a865d = 0x0, _0x388744 = e, _0x171f9b = ''; _0x414c71["charAt"](0x0 | _0x3a865d) || (_0x388744 = '=', _0x3a865d % 0x1); _0x171f9b += _0x388744["charAt"](0x3f & _0x5a7683 >> 0x8 - _0x3a865d % 0x1 * 0x8)) {
// Only code units up to 0xff can be encoded.
if (_0x5c4afc = _0x414c71["charCodeAt"](_0x3a865d += 0.75), _0x5c4afc > 0xff) throw new t("'btoa' failed: The string to be encoded contains characters outside of the Latin1 range.");
_0x5a7683 = _0x5a7683 << 0x8 | _0x5c4afc;
}
return _0x171f9b;
};
// Anti-debugging routine of the sample (comments are kept outside the function
// so that its source text, which other code in this file inspects, is unchanged).
//   _0x3acf89(truthy) returns the inner function _0x50b4d2 without running it.
//   _0x3acf89()       runs _0x50b4d2(0x0).
// _0x50b4d2(counter):
//   - string argument: builds a function from the text "while (true) {}" through
//     the Function constructor and calls it, i.e. an endless loop;
//   - otherwise: builds a function from 'debu' + 'gger' (the `debugger` statement,
//     split so the keyword does not appear literally) and calls it, then recurses
//     with counter + 1. Both arms of the inner if/else execute `debugger`; they
//     differ only in the dummy function and `this` value used.
// The recursion has no exit condition; the surrounding try/catch with an empty
// handler swallows whatever exception finally stops it.
// Parsing the file (as 2_run.js does) triggers none of this; executing it does.
function _0x3acf89(_0x1a61bd) {
function _0x50b4d2(_0x5c1045) {
if (typeof _0x5c1045 === 'string') {
return function (_0xaf1ee8) {
}['constructor']("while (true) {}")["apply"]("counter");
} else {
if (('' + _0x5c1045 / _0x5c1045)['length'] !== 0x1 || _0x5c1045 % 0x14 === 0x0) {
(function () {
return !![];
})['constructor']('debu' + 'gger')["call"]("action");
} else {
(function () {
return ![];
})["constructor"]("debu" + "gger")['apply']("stateObject");
}
}
_0x50b4d2(++_0x5c1045);
}
try {
if (_0x1a61bd) {
return _0x50b4d2;
} else {
_0x50b4d2(0x0);
}
} catch (_0x524e63) {
}
}
2_run.js
/*
* 安装 npm install @babel/core
* */
// 将JS源码转换成语法树
const parser = require("@babel/parser");
// 为parser提供模板引擎
const template = require("@babel/template").default;
// 遍历AST
const traverse = require("@babel/traverse").default;
// 操作节点,比如判断节点类型,生成新的节点等
const t = require("@babel/types");
// 将语法树转换为源代码
const generator = require("@babel/generator").default;
// 操作文件
const fs = require("fs");
//
const path = require('path');
// Directory that holds the sample and receives the output (machine-specific absolute path).
const file_path = 'F:\\FILE\\Python\\Exercises\\js\\js-ast混淆还原\\';
// Load the obfuscated sample as plain text. It is only handed to the parser; it is never executed.
const sampleFile = file_path + "2_read.js"; // change this to read a different file
const jscode = fs.readFileSync(sampleFile, "utf-8");
/**
 * Walks the AST and runs `replace` on every MemberExpression node as it is entered.
 *
 * @param {object} ast - AST to walk (in this script, the result of parser.parse).
 * @returns {void}
 */
function traverse_all_MemberExpression(ast) {
  // `enter` takes a list of handlers; only one is registered here.
  const onMemberExpression = { enter: [replace] };
  const visitor = { MemberExpression: onMemberExpression };
  traverse(ast, visitor);
}
// a["length"]转变为a.length
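/**
 * MemberExpression visitor: rewrites bracket access with a string-literal key
 * (`a["length"]`) into dot access (`a.length`).
 *
 * Only keys that are valid identifier names are rewritten. A key such as
 * "foo-bar" or "1a" has no dot form, and printing it after a dot would produce
 * code that means something else or does not parse, so those stay as
 * `a["foo-bar"]`. Reserved words are also left in bracket form, which is always safe.
 *
 * @param {object} path - Babel NodePath of the MemberExpression being visited.
 * @returns {void}
 */
function replace(path) {
  const node = path.node;
  const property = path.get('property');
  if (!t.isStringLiteral(node.property)) {
    return;
  }

  const value = node.property.value;
  if (!t.isValidIdentifier(value)) {
    // No equivalent dot notation exists for this key; leave the node untouched.
    return;
  }
  console.log(value);

  // `computed` is true for a['b'] and false for a.b (e.g. window.atob is false,
  // window['btoa'] is true); flipping it is what turns [] into a dot.
  node.computed = false;
  // Replace only the property node. Calling path.replaceWith here would swap the
  // whole MemberExpression for the identifier, e.g. window.btoa would become btoa.
  property.replaceWith(t.identifier(value));

  // Equivalent spelling that tests the property path instead of the node:
  //   if (property.isStringLiteral() && t.isValidIdentifier(property.node.value)) {
  //     path.node.computed = false;
  //     property.replaceWith(t.identifier(property.node.value));
  //   }
}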
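// Pipeline: parse the sample text into an AST, rewrite its member expressions,
// then print the AST back to source. The sample is never evaluated at any point.
const ast = parser.parse(jscode);
traverse_all_MemberExpression(ast);
const { code } = generator(ast);

// The output keeps all of the sample's logic (only the property syntax changes),
// so 2_decoded.js is meant to be read, not run.
// change the file name here to write somewhere else
fs.writeFile(file_path + '2_decoded.js', code, (err) => {
  if (err) {
    // Report a failed write instead of exiting silently as if the output existed.
    console.error('failed to write 2_decoded.js:', err);
    process.exitCode = 1;
  }
});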
生成2_decoded.js
// Generated output: the encoded string table, printed unchanged. The rewrite only
// touches member expressions, so the entries are still encoded here.
var _0x2075 = ['wrw3EMKc', 'BBdBHWk=', 'wplgd8O5dHbDtFfDucK9CsOS', 'f8KvAcKewoDClg==', 'XcKowo9uOyfChw==', 'XcKowpRzOzDCgMKuw5vCtH8=', 'HmQkw5vDt8OIBDbCpMKdw6Aaw7HDmcKb', 'wpxzdMO4', 'R8KHF1k1w5A=', 'w4LDgcOowrjDhg==', 'w6RKw6PCmVDDpw==', 'w6DDgsKrCsK5wqAwKsOMTkPDilwgB241RVBIw6rCvwpWw5fCo8OSw59pBcK7UlrCucOZHy7DgsO5wpx5J8K5wqbCtMOMwqvCsiUFw5s4JGfDmwQPw7Fawq3CgXlkJyE=', 'VcObYsOHKcKpwpI=', 'KkZfcE52w77ChsKgUQ==', 'CmQsw57DvA==', 'YV7CscOYZg==', 'w5jDt8OUwr46w5c6LsKEPsO0', 'F8OUMQhRw78Q', 'YMKzeTvCpMKzHcKKGSjCj2dJwq3Cj3/ChsKSFVpMw4sZwrg9H8OLw4/DqUlhYlpaa8KYJsO5AcK2wqnCmGhEwqkbdMKKLsO/wpBFMcKlC8OvKUkXZ8KpBsOxw4XDk8K5w4Y6w7VZO8K/wojCqcO2wqQow5Z+w6dew7I3TMObw6Ykw7I=', 'Mk8Bw6QawqU=', 'wo5zw4vCkxvDuSBqwoENw7rCrF3DksKewoPDqMKHNSzCgcK2fcKxPMKbGcKwCW5GZWRpw6fDmgHCjXrCnXE3w4zDqlt3w64lw7JiworDi8Knw5YoW1LDlUbDpkEtGQPDnw==', 'w6lvdMKW', 'w7JFdsOhwrBqwrlMYcKVJRjCuMKQwpLDtMONwprCsMORw4BtRV0oeEQPCgAmMgx2'];
// Generated output: in-place rotation of the string table, now with .push/.shift
// in dot notation. The seed 0xa4 is pre-incremented to 0xa5, so `while (--n)`
// performs 0xa4 (164) left rotations.
(function (_0xf486e7, _0x2075d7) {
var _0x5c3a18 = function (_0x5b65b1) {
while (--_0x5b65b1) {
_0xf486e7.push(_0xf486e7.shift());
}
};
_0x5c3a18(++_0x2075d7);
})(_0x2075, 0xa4);
// Generated output: string-table accessor. Returns the decoded form of
// _0x2075[index], caching results on the function object.
//   _0xf486e7 - index (coerced to a number by `- 0x0`), _0x2075d7 - decoder key
// String-keyed accesses such as _0x5c3a['vEVEZj'] are now printed as _0x5c3a.vEVEZj;
// accesses indexed by a variable, such as _0x2075[_0xf486e7], are unchanged.
var _0x5c3a = function (_0xf486e7, _0x2075d7) {
_0xf486e7 = _0xf486e7 - 0x0;
var _0x5c3a18 = _0x2075[_0xf486e7];
// One-time setup, guarded by the vEVEZj flag.
if (_0x5c3a.vEVEZj === undefined) {
// Find the global object and install atob on it if missing.
(function () {
var _0x2e1ca4;
try {
// String literals are untouched by the rewrite; the text still reads
// return (function() {}.constructor("return this")( ));
var _0x28e173 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
_0x2e1ca4 = _0x28e173();
} catch (_0x16acc9) {
_0x2e1ca4 = window;
}
var _0x16f958 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
// Hand-written base64 decoder, used only when the global has no atob.
_0x2e1ca4.atob || (_0x2e1ca4.atob = function (_0x5a7812) {
var _0x3c7e74 = String(_0x5a7812).replace(/=+$/, '');
var _0x5e030c = '';
for (var _0x4eaee2 = 0x0, _0x5954ef, _0x29200e, _0x5a128b = 0x0; _0x29200e = _0x3c7e74.charAt(_0x5a128b++); ~_0x29200e && (_0x5954ef = _0x4eaee2 % 0x4 ? _0x5954ef * 0x40 + _0x29200e : _0x29200e, _0x4eaee2++ % 0x4) ? _0x5e030c += String.fromCharCode(0xff & _0x5954ef >> (-0x2 * _0x4eaee2 & 0x6)) : 0x0) {
_0x29200e = _0x16f958.indexOf(_0x29200e);
}
return _0x5e030c;
});
})();
// Decoder, local to _0x5c3a: base64-decode, re-read the bytes as UTF-8, then RC4
// with the key _0xfee22e.
var _0x3acf89 = function (_0x593a19, _0xfee22e) {
var _0x1b5349 = [],
_0x4ddb21 = 0x0,
_0x28ed27,
_0x4b4996 = '',
_0xbdd0c6 = '';
_0x593a19 = atob(_0x593a19);
// Percent-encode every byte so decodeURIComponent can decode the sequence as UTF-8.
for (var _0x1d6343 = 0x0, _0x3f947e = _0x593a19.length; _0x1d6343 < _0x3f947e; _0x1d6343++) {
_0xbdd0c6 += '%' + ('00' + _0x593a19.charCodeAt(_0x1d6343).toString(0x10)).slice(-0x2);
}
_0x593a19 = decodeURIComponent(_0xbdd0c6);
var _0x1a120c;
// RC4 key scheduling: S = [0..255], then key-dependent swaps.
for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
_0x1b5349[_0x1a120c] = _0x1a120c;
}
for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
_0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c] + _0xfee22e.charCodeAt(_0x1a120c % _0xfee22e.length)) % 0x100;
_0x28ed27 = _0x1b5349[_0x1a120c];
_0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
_0x1b5349[_0x4ddb21] = _0x28ed27;
}
_0x1a120c = 0x0;
_0x4ddb21 = 0x0;
// RC4 keystream generation, XORed with each input character.
for (var _0x585b7f = 0x0; _0x585b7f < _0x593a19.length; _0x585b7f++) {
_0x1a120c = (_0x1a120c + 0x1) % 0x100;
_0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c]) % 0x100;
_0x28ed27 = _0x1b5349[_0x1a120c];
_0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
_0x1b5349[_0x4ddb21] = _0x28ed27;
_0x4b4996 += String.fromCharCode(_0x593a19.charCodeAt(_0x585b7f) ^ _0x1b5349[(_0x1b5349[_0x1a120c] + _0x1b5349[_0x4ddb21]) % 0x100]);
}
return _0x4b4996;
};
// Publish the decoder, create the cache, mark setup as done.
_0x5c3a.HKkhxp = _0x3acf89;
_0x5c3a.eabUGz = {};
_0x5c3a.vEVEZj = !![];
}
// Cache lookup by index; decode on a miss and store the result.
var _0x5b65b1 = _0x5c3a.eabUGz[_0xf486e7];
if (_0x5b65b1 === undefined) {
if (_0x5c3a.vszZjY === undefined) {
_0x5c3a.vszZjY = !![];
}
_0x5c3a18 = _0x5c3a.HKkhxp(_0x5c3a18, _0x2075d7);
_0x5c3a.eabUGz[_0xf486e7] = _0x5c3a18;
} else {
_0x5c3a18 = _0x5b65b1;
}
return _0x5c3a18;
};
// Generated output: call-once wrapper factory. The first call to _0x2e1ca4
// returns a wrapper that runs the callback once with the given context and then
// drops it; later calls return an empty function.
var _0x2e1ca4 = function () {
var _0x564fd8 = !![];
return function (_0x157886, _0x3f8543) {
var _0x3aa335 = _0x564fd8 ? function () {
if (_0x3f8543) {
var _0x35f411 = _0x3f8543.apply(_0x157886, arguments);
_0x3f8543 = null;
return _0x35f411;
}
} : function () {};
_0x564fd8 = ![];
return _0x3aa335;
};
}();
// Generated output: timer that calls the top-level _0x3acf89 (the `debugger`
// routine declared at the end of the file) every 0xfa0 (4000) ms.
setInterval(function () {
_0x3acf89();
}, 0xfa0);
// Generated output: load-time check run through the call-once wrapper. It tests
// the source text of the routine returned by _0x3acf89('init') against two
// patterns; if either is missing it calls the routine with the string '0' (the
// `while (true) {}` branch), otherwise it calls _0x3acf89() (the `debugger` branch).
// The regular-expression strings are literals, so the rewrite leaves them as they were.
(function () {
_0x2e1ca4(this, function () {
var _0x13f533 = new RegExp('function\x20*\x5c(\x20*\x5c)');
var _0x28f488 = new RegExp("\\+\\+ *(?:[a-zA-Z_$][0-9a-zA-Z_$]*)", 'i');
var _0x5783e7 = _0x3acf89('init');
if (!_0x13f533.test(_0x5783e7 + "chain") || !_0x28f488.test(_0x5783e7 + "input")) {
_0x5783e7('0');
} else {
_0x3acf89();
}
})();
})();
// Generated output: creates `window` (assignment without a declaration) and
// defines a base64 decoder as window.atob, which was written window['atob'] in the input.
// `e` is an undeclared global and `t` is not defined anywhere in this listing, so
// reaching `throw new t(...)` would fail on the missing name.
window = {};
window.atob = function (_0x44004e) {
e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
var _0x2761c0 = String(_0x44004e).replace(/=+$/, '');
// A base64 body whose length is 1 mod 4 cannot be valid.
if (_0x2761c0.length % 0x4 == 0x1) throw new t('\x27atob\x27\x20failed:\x20The\x20string\x20to\x20be\x20decoded\x20is\x20not\x20correctly\x20encoded.');
for (var _0x3568b6, _0x228da4, _0x1076e1 = 0x0, _0x242bbc = 0x0, _0x5766d9 = ''; _0x228da4 = _0x2761c0.charAt(_0x242bbc++); ~_0x228da4 && (_0x3568b6 = _0x1076e1 % 0x4 ? 0x40 * _0x3568b6 + _0x228da4 : _0x228da4, _0x1076e1++ % 0x4) ? _0x5766d9 += String.fromCharCode(0xff & _0x3568b6 >> (-0x2 * _0x1076e1 & 0x6)) : 0x0) _0x228da4 = e.indexOf(_0x228da4);
return _0x5766d9;
};
// Generated output: base64 encoder defined as window.btoa, which was written
// window['btoa'] in the input. `e` is an undeclared global; `t` is not defined
// anywhere in this listing.
window.btoa = function (_0x140387) {
e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
// The index advances by 0.75 per step: four output characters per three input characters.
for (var _0x5a7683, _0x5c4afc, _0x414c71 = String(_0x140387), _0x3a865d = 0x0, _0x388744 = e, _0x171f9b = ''; _0x414c71.charAt(0x0 | _0x3a865d) || (_0x388744 = '=', _0x3a865d % 0x1); _0x171f9b += _0x388744.charAt(0x3f & _0x5a7683 >> 0x8 - _0x3a865d % 0x1 * 0x8)) {
if (_0x5c4afc = _0x414c71.charCodeAt(_0x3a865d += 0.75), _0x5c4afc > 0xff) throw new t("'btoa' failed: The string to be encoded contains characters outside of the Latin1 range.");
_0x5a7683 = _0x5a7683 << 0x8 | _0x5c4afc;
}
return _0x171f9b;
};
// Generated output: the anti-debugging routine, with only the property syntax
// changed (['constructor'] is now .constructor, and so on).
//   _0x3acf89(truthy) returns the inner function _0x50b4d2 without running it.
//   _0x3acf89()       runs _0x50b4d2(0x0).
// _0x50b4d2: a string argument builds and calls a "while (true) {}" function;
// any other argument builds and calls a `debugger` function (keyword assembled
// from 'debu' + 'gger') and recurses with the counter incremented. The recursion
// has no exit condition and the empty catch swallows the exception that ends it.
// The rewrite changes notation only, so this file behaves like the input when run:
// treat it as material for reading, not for execution.
function _0x3acf89(_0x1a61bd) {
function _0x50b4d2(_0x5c1045) {
if (typeof _0x5c1045 === 'string') {
return function (_0xaf1ee8) {}.constructor("while (true) {}").apply("counter");
} else {
if (('' + _0x5c1045 / _0x5c1045).length !== 0x1 || _0x5c1045 % 0x14 === 0x0) {
(function () {
return !![];
}).constructor('debu' + 'gger').call("action");
} else {
(function () {
return ![];
}).constructor("debu" + "gger").apply("stateObject");
}
}
_0x50b4d2(++_0x5c1045);
}
try {
if (_0x1a61bd) {
return _0x50b4d2;
} else {
_0x50b4d2(0x0);
}
} catch (_0x524e63) {}
}
既然能将a["length"]转变为a.length,当然也能变回来
以下是核心代码:
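/**
 * MemberExpression visitor for the reverse direction: rewrites dot access
 * (`a.length`) into bracket access with a string key (`a["length"]`).
 *
 * Members that are already computed are skipped. In `a[i]` the property is also
 * an Identifier, but there it names a variable; turning it into `a["i"]` would
 * change what the program reads.
 *
 * @param {object} path - Babel NodePath of the MemberExpression being visited.
 * @returns {void}
 */
function replace(path) {
  const property = path.get('property');
  if (path.node.computed || !property.isIdentifier()) {
    return;
  }

  const name = property.node.name;
  console.log(name);
  // Setting `computed` to true is what makes the generator print [] instead of a dot.
  path.node.computed = true;
  // Replace only the property node, not the whole MemberExpression.
  property.replaceWith(t.stringLiteral(name));

  // Equivalent spelling that tests the node instead of the property path:
  //   const node = path.node;
  //   if (!node.computed && t.isIdentifier(node.property)) {
  //     node.computed = true;
  //     property.replaceWith(t.stringLiteral(node.property.name));
  //   }
}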