发票查验平台JS分析兼谈obfuscator加密还原分析的另一种思路

勇敢乌龟 2022-01-08 阅读 59

最近抓取发票查验平台的JS时,发现JS的内容被混淆了,一头雾水,整个文件都成了这样的样式,即使格式化、美化之后依然如此:

 return _0x23666d[_0x3d8c('0x299', '@g[H')](_0x23666d[_0x3d8c('0x29a', 'f])s')](_0x205ff1[_0x3d8c('0x197', '*up9')](_0x23666d['RJaFV']($['cs'][_0x3d8c('0x29b', 'e6Te')](_0x23666d[_0x3d8c('0x29c', 'tYe)')](_0x14f1f5, _0x2a1439[_0x3d8c('0x29d', 'aGUp')](_0x205ff1[_0x3d8c('0x29e', '3C*E')](_0x23666d[_0x3d8c('0x29f', 'StyP')](_0x23666d['vUtLx'](_0x52c3d0, _0x53991d[_0x3d8c('0x2a0', 'K%$d')]) + _0x397dcb, _0x397dcb[_0x3d8c('0x107', 'e6Te')]))))) + _0x205ff1['xx'](_0x23666d['vUtLx'](_0x14f1f5, _0x21500b)), _0x21500b)), _0x2a1439[_0x3d8c('0x2a1', '*#dB')](_0x205ff1['xx'](_0x23666d['vUtLx'](_0x52c3d0, _0x21500b)), _0x205ff1[_0x3d8c('0x190', 'f])s')](_0x397dcb))), _0x205ff1[_0x3d8c('0x175', '*94i')](_0x23666d[_0x3d8c('0x2a2', 'aGUp')](_0x2673e3, _0x21500b))[_0x3d8c('0x2a3', 'xip4')]());

网上查了一下,有几位高手做过反混淆还原,效果还是不错的,但对于有的混淆JS文件,要么还原不了,要么丢失了部分代码。
怎么办?只有自己动手了。先分析JS文件的头部:

var _0x3d13 = ['w6tcJcOAbg==', 'wqdYwrEWLw==', 'w7shOQ0B', 'QMKFw7/DmMKP', 'cB1PwpoA', 'w7Z7DMK4XMKGwo4zJcOCw6vCrTnCq8OifMOWwqTCog==', 'wrgufwZP', 'w6PDmgjDpMK0', 'MUzDkcOWFA==', 'bcKLCcKaaw==',。。。。。。

这里定义了一个大数组。不要以为这个数组可以直接拿来使用,那就错了:下面的代码会先把它循环移位,数组里的每一项还要经过解密才是原文。
继续分析JS文件头部,发现:

(function(_0x589f7e, _0x199a91) {
    // Rotate the obfuscator's string table in place before any lookup:
    // the entries are stored out of order, and moving the first element to
    // the end `_0x199a91` times (0x187 here) restores the intended order.
    var rotateOnce = function(table) {
        table['push'](table['shift']());
    };
    // The original passes `_0x199a91 + 1` into a `while (--n)` loop, which
    // runs exactly `_0x199a91` times; the for-loop below does the same.
    var rotations = _0x199a91 + 0x1;
    for (var step = 0x1; step < rotations; step++) {
        rotateOnce(_0x589f7e);
    }
}(_0x3d13, 0x187));

// Obfuscator-generated string accessor. `_0x17ddb8` is a '0x..' index into
// the (already rotated) `_0x3d13` table and `_0x230eed` is the RC4 key for
// that one entry. Everything the decoder needs — a base64 polyfill, the RC4
// routine, a result cache and a one-time self-check — is lazily installed as
// properties on this function object, so the first call does far more work
// than later ones.
var _0x3d8c = function(_0x17ddb8, _0x230eed) {
    // Numeric coercion of the hex string ('0x299' - 0 === 665).
    _0x17ddb8 = _0x17ddb8 - 0x0;
    var _0x10d5f3 = _0x3d13[_0x17ddb8];
    // First call: install decoder, cache and flags.
    if (_0x3d8c['WGiXiH'] === undefined) {
        (function() {
            var _0x26a4de;
            try {
                // Obtain the global object by constructing code from a constant
                // string (an eval-equivalent). If the Function constructor is
                // unavailable, e.g. under a CSP without 'unsafe-eval', fall back
                // to the browser `window`.
                var _0x443e41 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
                _0x26a4de = _0x443e41();
            } catch (_0x4993de) {
                _0x26a4de = window;
            }
            // Standard base64 alphabet for the polyfill below.
            var _0x18e5dc = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
            // Minimal base64 decoder, installed only when the global has no `atob`.
            _0x26a4de['atob'] || (_0x26a4de['atob'] = function(_0x23e847) {
                // Strip '=' padding first.
                var _0x5c40ce = String(_0x23e847)['replace'](/=+$/, '');
                // Compact base64 loop: accumulate 6-bit groups and emit one byte
                // for every group except the first of each quartet.
                for (var _0x14720a = 0x0, _0x184255, _0x229160, _0x21476a = 0x0, _0x5a68a3 = ''; _0x229160 = _0x5c40ce['charAt'](_0x21476a++); ~_0x229160 && (_0x184255 = _0x14720a % 0x4 ? _0x184255 * 0x40 + _0x229160 : _0x229160,
                _0x14720a++ % 0x4) ? _0x5a68a3 += String['fromCharCode'](0xff & _0x184255 >> (-0x2 * _0x14720a & 0x6)) : 0x0) {
                    _0x229160 = _0x18e5dc['indexOf'](_0x229160);
                }
                return _0x5a68a3;
            }
            );
        }());
        // Decrypt one table entry: base64 -> raw bytes -> UTF-8 text (via %XX
        // escaping + decodeURIComponent) -> RC4 with key `_0x1310de`.
        var _0x36b965 = function(_0x4ae65f, _0x1310de) {
            var _0xa3b65e = [], _0x190871 = 0x0, _0x2884aa, _0x520f67 = '', _0x4a236d = '';
            _0x4ae65f = atob(_0x4ae65f);
            // Re-encode every byte as %XX so decodeURIComponent can reassemble
            // any multi-byte UTF-8 sequences in the plaintext.
            for (var _0x3547ad = 0x0, _0x29dbd4 = _0x4ae65f['length']; _0x3547ad < _0x29dbd4; _0x3547ad++) {
                _0x4a236d += '%' + ('00' + _0x4ae65f['charCodeAt'](_0x3547ad)['toString'](0x10))['slice'](-0x2);
            }
            _0x4ae65f = decodeURIComponent(_0x4a236d);
            // RC4 key scheduling: S = 0..255, then permute S with the key.
            for (var _0x4dde59 = 0x0; _0x4dde59 < 0x100; _0x4dde59++) {
                _0xa3b65e[_0x4dde59] = _0x4dde59;
            }
            for (_0x4dde59 = 0x0; _0x4dde59 < 0x100; _0x4dde59++) {
                _0x190871 = (_0x190871 + _0xa3b65e[_0x4dde59] + _0x1310de['charCodeAt'](_0x4dde59 % _0x1310de['length'])) % 0x100;
                _0x2884aa = _0xa3b65e[_0x4dde59];
                _0xa3b65e[_0x4dde59] = _0xa3b65e[_0x190871];
                _0xa3b65e[_0x190871] = _0x2884aa;
            }
            // RC4 keystream generation, XORed into the text one character at a time.
            _0x4dde59 = 0x0;
            _0x190871 = 0x0;
            for (var _0x1da148 = 0x0; _0x1da148 < _0x4ae65f['length']; _0x1da148++) {
                _0x4dde59 = (_0x4dde59 + 0x1) % 0x100;
                _0x190871 = (_0x190871 + _0xa3b65e[_0x4dde59]) % 0x100;
                _0x2884aa = _0xa3b65e[_0x4dde59];
                _0xa3b65e[_0x4dde59] = _0xa3b65e[_0x190871];
                _0xa3b65e[_0x190871] = _0x2884aa;
                _0x520f67 += String['fromCharCode'](_0x4ae65f['charCodeAt'](_0x1da148) ^ _0xa3b65e[(_0xa3b65e[_0x4dde59] + _0xa3b65e[_0x190871]) % 0x100]);
            }
            return _0x520f67;
        };
        // Decoder, index -> plaintext cache, and "initialised" flag (!![] === true).
        _0x3d8c['irBVyt'] = _0x36b965;
        _0x3d8c['zWQfZu'] = {};
        _0x3d8c['WGiXiH'] = !![];
    }
    var _0x198517 = _0x3d8c['zWQfZu'][_0x17ddb8];
    // Cache miss: run the one-time self-check, then decrypt and remember.
    if (_0x198517 === undefined) {
        if (_0x3d8c['bbImyS'] === undefined) {
            // Self-defending helper. `xwMpUJ` is a tiny probe function whose
            // `toString()` is matched against the regex built from `phHTpU` +
            // `yxsFwC`, i.e. /\w+ *\(\) *{\w+ *['|"].+['|"];? *}/ — it only
            // matches when the function source is still on one compact line.
            var _0x3b8850 = function(_0x57a92e) {
                this['HEozUV'] = _0x57a92e;
                this['ZZknVa'] = [0x1, 0x0, 0x0];
                this['xwMpUJ'] = function() {
                    return 'newState';
                }
                ;
                this['phHTpU'] = '\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*';
                this['yxsFwC'] = '[\x27|\x22].+[\x27|\x22];?\x20*}';
            };
            _0x3b8850['prototype']['ebxGud'] = function() {
                var _0x234ca6 = new RegExp(this['phHTpU'] + this['yxsFwC']);
                // Original (commented-out) line: on a regex match it yields -1;
                // otherwise it decrements ZZknVa[0] to 0, which makes LeLNeI
                // fall through to JErunj. The article hard-codes -1 so the
                // check is always passed regardless of source formatting.
                //var _0x3f03cf = _0x234ca6['test'](this['xwMpUJ']['toString']()) ? --this['ZZknVa'][0x1] : --this['ZZknVa'][0x0];
                var _0x3f03cf = -1;
                return this['LeLNeI'](_0x3f03cf);
            }
            ;
            _0x3b8850['prototype']['LeLNeI'] = function(_0x370b79) {
                // ~(-1) === 0, so -1 returns immediately; any other value escalates.
                if (!Boolean(~_0x370b79)) {
                    return _0x370b79;
                }
                return this['JErunj'](this['HEozUV']);
            }
            ;
            _0x3b8850['prototype']['JErunj'] = function(_0x235751) {
                // Punishment path: the loop bound is re-read from the array it
                // keeps pushing to, so this loop never terminates — presumably
                // why the beautified copy hangs outside the browser.
                for (var _0x4a6b70 = 0x0, _0x12e50d = this['ZZknVa']['length']; _0x4a6b70 < _0x12e50d; _0x4a6b70++) {
                    this['ZZknVa']['push'](Math['round'](Math['random']()));
                    _0x12e50d = this['ZZknVa']['length'];
                }
                return _0x235751(this['ZZknVa'][0x0]);
            }
            ;
            new _0x3b8850(_0x3d8c)['ebxGud']();
            // Self-check done; never run it again.
            _0x3d8c['bbImyS'] = !![];
        }
        _0x10d5f3 = _0x3d8c['irBVyt'](_0x10d5f3, _0x230eed);
        _0x3d8c['zWQfZu'][_0x17ddb8] = _0x10d5f3;
    } else {
        // Cache hit.
        _0x10d5f3 = _0x198517;
    }
    return _0x10d5f3;
};

这段代码在浏览器下运行是正常的,但放到EditPlus里浏览就是不行。好在现在的浏览器都有开发者工具可以跟踪,直接修改:

(function(_0x589f7e, _0x199a91) {
    // Rotate the obfuscator's string table in place before any lookup:
    // the entries are stored out of order, and moving the first element to
    // the end `_0x199a91` times (0x187 here) restores the intended order.
    var rotateOnce = function(table) {
        table['push'](table['shift']());
    };
    // The original passes `_0x199a91 + 1` into a `while (--n)` loop, which
    // runs exactly `_0x199a91` times; the for-loop below does the same.
    var rotations = _0x199a91 + 0x1;
    for (var step = 0x1; step < rotations; step++) {
        rotateOnce(_0x589f7e);
    }
}(_0x3d13, 0x187));

  var _0x3f03cf = _0x234ca6['test'](this['xwMpUJ']['toString']()) ? --this['ZZknVa'][0x1] : --this['ZZknVa'][0x0];

修改成

// Patched value: -1 makes the following LeLNeI() call return at once
// (~(-1) === 0), so the formatting check never escalates to JErunj.
var _0x3f03cf = -1;

这样就过了检测浏览器这一关(这一行其实是用正则检查函数源码是否仍是未格式化的紧凑形式,美化过的代码过不了);

将以上内容做成一个脚本,方便非JS语言调用;

在JS最后增加一条语句:

// Example lookup: decode table index 0x8fe with RC4 key '1np2'. Both
// arguments are copied from one call site in the obfuscated file and differ
// for every call, so this line is regenerated per string to resolve.
var abc = _0x3d8c('0x8fe', '1np2');

注意,后面的 _0x3d8c('0x8fe', '1np2') 不是固定的,JS文件中有很多这样的调用,例如 _0x3d8c('0x147', 'c!jj')、_0x3d8c('0x14c', 'tYe)')。
这样我们就可以把这些调用替换成它们的返回值,替换后的文件可读性就相对好些了,做移植也容易了:

 return _0x23666d['RJaFV'](_0x23666d['RJaFV'](_0x205ff1["encrypt"](_0x23666d['RJaFV']($['cs']['encode'](_0x23666d['VhRUO'](_0x14f1f5, _0x2a1439['moveTo'](_0x205ff1["encrypt"](_0x23666d['vUtLx'](_0x23666d['vUtLx'](_0x52c3d0, _0x53991d['length']) + _0x397dcb, _0x397dcb['length']))))) + _0x205ff1['xx'](_0x23666d['vUtLx'](_0x14f1f5, _0x21500b)), _0x21500b)), _0x2a1439['gen'](_0x205ff1['xx'](_0x23666d['vUtLx'](_0x52c3d0, _0x21500b)), _0x205ff1["encrypt"](_0x397dcb))), _0x205ff1["encrypt"](_0x23666d['PPcKI'](_0x2673e3, _0x21500b))['toUpperCase']());	//hxxc

'RJaFV': function(_0x37841e, _0x41336e) {
            return _0x37841e + _0x41336e;
		},

写一个小程序:调用JS脚本,查找并替换所有 **_0x3d8c( )** 函数调用,ok。

这个JS脚本如下:

var _0x3d13 = ['w6tcJcOAbg==', 'wqdYwrEWLw==', 'w7shOQ0B', ,,,,,,,,,**自己补齐数组**
(function(_0x589f7e, _0x199a91) {
    // Rotate the obfuscator's string table in place before any lookup:
    // the entries are stored out of order, and moving the first element to
    // the end `_0x199a91` times (0x187 here) restores the intended order.
    var rotateOnce = function(table) {
        table['push'](table['shift']());
    };
    // The original passes `_0x199a91 + 1` into a `while (--n)` loop, which
    // runs exactly `_0x199a91` times; the for-loop below does the same.
    var rotations = _0x199a91 + 0x1;
    for (var step = 0x1; step < rotations; step++) {
        rotateOnce(_0x589f7e);
    }
}(_0x3d13, 0x187));

// Obfuscator-generated string accessor. `_0x17ddb8` is a '0x..' index into
// the (already rotated) `_0x3d13` table and `_0x230eed` is the RC4 key for
// that one entry. Everything the decoder needs — a base64 polyfill, the RC4
// routine, a result cache and a one-time self-check — is lazily installed as
// properties on this function object, so the first call does far more work
// than later ones.
var _0x3d8c = function(_0x17ddb8, _0x230eed) {
    // Numeric coercion of the hex string ('0x299' - 0 === 665).
    _0x17ddb8 = _0x17ddb8 - 0x0;
    var _0x10d5f3 = _0x3d13[_0x17ddb8];
    // First call: install decoder, cache and flags.
    if (_0x3d8c['WGiXiH'] === undefined) {
        (function() {
            var _0x26a4de;
            try {
                // Obtain the global object by constructing code from a constant
                // string (an eval-equivalent). If the Function constructor is
                // unavailable, e.g. under a CSP without 'unsafe-eval', fall back
                // to the browser `window`.
                var _0x443e41 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
                _0x26a4de = _0x443e41();
            } catch (_0x4993de) {
                _0x26a4de = window;
            }
            // Standard base64 alphabet for the polyfill below.
            var _0x18e5dc = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
            // Minimal base64 decoder, installed only when the global has no `atob`.
            _0x26a4de['atob'] || (_0x26a4de['atob'] = function(_0x23e847) {
                // Strip '=' padding first.
                var _0x5c40ce = String(_0x23e847)['replace'](/=+$/, '');
                // Compact base64 loop: accumulate 6-bit groups and emit one byte
                // for every group except the first of each quartet.
                for (var _0x14720a = 0x0, _0x184255, _0x229160, _0x21476a = 0x0, _0x5a68a3 = ''; _0x229160 = _0x5c40ce['charAt'](_0x21476a++); ~_0x229160 && (_0x184255 = _0x14720a % 0x4 ? _0x184255 * 0x40 + _0x229160 : _0x229160,
                _0x14720a++ % 0x4) ? _0x5a68a3 += String['fromCharCode'](0xff & _0x184255 >> (-0x2 * _0x14720a & 0x6)) : 0x0) {
                    _0x229160 = _0x18e5dc['indexOf'](_0x229160);
                }
                return _0x5a68a3;
            }
            );
        }());
        // Decrypt one table entry: base64 -> raw bytes -> UTF-8 text (via %XX
        // escaping + decodeURIComponent) -> RC4 with key `_0x1310de`.
        var _0x36b965 = function(_0x4ae65f, _0x1310de) {
            var _0xa3b65e = [], _0x190871 = 0x0, _0x2884aa, _0x520f67 = '', _0x4a236d = '';
            _0x4ae65f = atob(_0x4ae65f);
            // Re-encode every byte as %XX so decodeURIComponent can reassemble
            // any multi-byte UTF-8 sequences in the plaintext.
            for (var _0x3547ad = 0x0, _0x29dbd4 = _0x4ae65f['length']; _0x3547ad < _0x29dbd4; _0x3547ad++) {
                _0x4a236d += '%' + ('00' + _0x4ae65f['charCodeAt'](_0x3547ad)['toString'](0x10))['slice'](-0x2);
            }
            _0x4ae65f = decodeURIComponent(_0x4a236d);
            // RC4 key scheduling: S = 0..255, then permute S with the key.
            for (var _0x4dde59 = 0x0; _0x4dde59 < 0x100; _0x4dde59++) {
                _0xa3b65e[_0x4dde59] = _0x4dde59;
            }
            for (_0x4dde59 = 0x0; _0x4dde59 < 0x100; _0x4dde59++) {
                _0x190871 = (_0x190871 + _0xa3b65e[_0x4dde59] + _0x1310de['charCodeAt'](_0x4dde59 % _0x1310de['length'])) % 0x100;
                _0x2884aa = _0xa3b65e[_0x4dde59];
                _0xa3b65e[_0x4dde59] = _0xa3b65e[_0x190871];
                _0xa3b65e[_0x190871] = _0x2884aa;
            }
            // RC4 keystream generation, XORed into the text one character at a time.
            _0x4dde59 = 0x0;
            _0x190871 = 0x0;
            for (var _0x1da148 = 0x0; _0x1da148 < _0x4ae65f['length']; _0x1da148++) {
                _0x4dde59 = (_0x4dde59 + 0x1) % 0x100;
                _0x190871 = (_0x190871 + _0xa3b65e[_0x4dde59]) % 0x100;
                _0x2884aa = _0xa3b65e[_0x4dde59];
                _0xa3b65e[_0x4dde59] = _0xa3b65e[_0x190871];
                _0xa3b65e[_0x190871] = _0x2884aa;
                _0x520f67 += String['fromCharCode'](_0x4ae65f['charCodeAt'](_0x1da148) ^ _0xa3b65e[(_0xa3b65e[_0x4dde59] + _0xa3b65e[_0x190871]) % 0x100]);
            }
            return _0x520f67;
        };
        // Decoder, index -> plaintext cache, and "initialised" flag (!![] === true).
        _0x3d8c['irBVyt'] = _0x36b965;
        _0x3d8c['zWQfZu'] = {};
        _0x3d8c['WGiXiH'] = !![];
    }
    var _0x198517 = _0x3d8c['zWQfZu'][_0x17ddb8];
    // Cache miss: run the one-time self-check, then decrypt and remember.
    if (_0x198517 === undefined) {
        if (_0x3d8c['bbImyS'] === undefined) {
            // Self-defending helper. `xwMpUJ` is a tiny probe function whose
            // `toString()` is matched against the regex built from `phHTpU` +
            // `yxsFwC`, i.e. /\w+ *\(\) *{\w+ *['|"].+['|"];? *}/ — it only
            // matches when the function source is still on one compact line.
            var _0x3b8850 = function(_0x57a92e) {
                this['HEozUV'] = _0x57a92e;
                this['ZZknVa'] = [0x1, 0x0, 0x0];
                this['xwMpUJ'] = function() {
                    return 'newState';
                }
                ;
                this['phHTpU'] = '\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*';
                this['yxsFwC'] = '[\x27|\x22].+[\x27|\x22];?\x20*}';
            };
            _0x3b8850['prototype']['ebxGud'] = function() {
                var _0x234ca6 = new RegExp(this['phHTpU'] + this['yxsFwC']);
                // Original (commented-out) line: on a regex match it yields -1;
                // otherwise it decrements ZZknVa[0] to 0, which makes LeLNeI
                // fall through to JErunj. The article hard-codes -1 so the
                // check is always passed regardless of source formatting.
                //var _0x3f03cf = _0x234ca6['test'](this['xwMpUJ']['toString']()) ? --this['ZZknVa'][0x1] : --this['ZZknVa'][0x0];
                var _0x3f03cf = -1;
                return this['LeLNeI'](_0x3f03cf);
            }
            ;
            _0x3b8850['prototype']['LeLNeI'] = function(_0x370b79) {
                // ~(-1) === 0, so -1 returns immediately; any other value escalates.
                if (!Boolean(~_0x370b79)) {
                    return _0x370b79;
                }
                return this['JErunj'](this['HEozUV']);
            }
            ;
            _0x3b8850['prototype']['JErunj'] = function(_0x235751) {
                // Punishment path: the loop bound is re-read from the array it
                // keeps pushing to, so this loop never terminates — presumably
                // why the beautified copy hangs outside the browser.
                for (var _0x4a6b70 = 0x0, _0x12e50d = this['ZZknVa']['length']; _0x4a6b70 < _0x12e50d; _0x4a6b70++) {
                    this['ZZknVa']['push'](Math['round'](Math['random']()));
                    _0x12e50d = this['ZZknVa']['length'];
                }
                return _0x235751(this['ZZknVa'][0x0]);
            }
            ;
            new _0x3b8850(_0x3d8c)['ebxGud']();
            // Self-check done; never run it again.
            _0x3d8c['bbImyS'] = !![];
        }
        _0x10d5f3 = _0x3d8c['irBVyt'](_0x10d5f3, _0x230eed);
        _0x3d8c['zWQfZu'][_0x17ddb8] = _0x10d5f3;
    } else {
        // Cache hit.
        _0x10d5f3 = _0x198517;
    }
    return _0x10d5f3;
};

// Example lookup: decode table index 0x8fe with RC4 key '1np2'. Both
// arguments are copied from one call site in the obfuscated file and differ
// for every call, so this line is regenerated per string to resolve.
var abc = _0x3d8c('0x8fe', '1np2');

需要注意的是,对于不同的JS文件,_0x3d13、_0x3d8c 是不同的。

分析到这里。
