JS逆向|使用pyexecjs库替换加密字符串
【摘要】
声明:本文只作学习研究,禁止用于非法用途,否则后果自负,如有侵权,请告知删除,谢谢!
下面的代码是我在某网站随便找的一段base64的 javascript 源码:
window = {};window.atob = function(r) { e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012...
声明:本文只作学习研究,禁止用于非法用途,否则后果自负,如有侵权,请告知删除,谢谢!
下面的代码是我在某网站随便找的一段base64的 javascript 源码:
-
window = {};
-
window.atob = function(r) {
-
e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
-
var o = String(r).replace(/=+$/, "");
-
if(o.length % 4 == 1) throw new t("'atob' failed: The string to be decoded is not correctly encoded.");
-
for(var n, a, i = 0, c = 0, d = ""; a = o.charAt(c++); ~a && (n = i % 4 ? 64 * n + a : a, i++ % 4) ? d += String.fromCharCode(255 & n >> (-2 * i & 6)) : 0) a = e.indexOf(a);
-
return d
-
}
-
window.btoa = function(r) {
-
e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
-
for(var o, n, a = String(r), i = 0, c = e, d = ""; a.charAt(0 | i) || (c = "=", i % 1); d += c.charAt(63 & o >> 8 - i % 1 * 8)) {
-
if(n = a.charCodeAt(i += .75), n > 255) throw new t("'btoa' failed: The string to be encoded contains characters outside of the Latin1 range.");
-
o = o << 8 | n
-
}
-
return d
-
}
并在 https://obfuscator.io/ 这个网站上将其进行混淆,注意勾选如下:
点击 Obfuscate 按钮,对代码进行混淆,并在结果栏勾选Evaluate:
将混淆代码进行美化后如下:
-
var _0x2075 = ['wrw3EMKc', 'BBdBHWk=', 'wplgd8O5dHbDtFfDucK9CsOS', 'f8KvAcKewoDClg==', 'XcKowo9uOyfChw==', 'XcKowpRzOzDCgMKuw5vCtH8=', 'HmQkw5vDt8OIBDbCpMKdw6Aaw7HDmcKb', 'wpxzdMO4', 'R8KHF1k1w5A=', 'w4LDgcOowrjDhg==', 'w6RKw6PCmVDDpw==', 'w6DDgsKrCsK5wqAwKsOMTkPDilwgB241RVBIw6rCvwpWw5fCo8OSw59pBcK7UlrCucOZHy7DgsO5wpx5J8K5wqbCtMOMwqvCsiUFw5s4JGfDmwQPw7Fawq3CgXlkJyE=', 'VcObYsOHKcKpwpI=', 'KkZfcE52w77ChsKgUQ==', 'CmQsw57DvA==', 'YV7CscOYZg==', 'w5jDt8OUwr46w5c6LsKEPsO0', 'F8OUMQhRw78Q', 'YMKzeTvCpMKzHcKKGSjCj2dJwq3Cj3/ChsKSFVpMw4sZwrg9H8OLw4/DqUlhYlpaa8KYJsO5AcK2wqnCmGhEwqkbdMKKLsO/wpBFMcKlC8OvKUkXZ8KpBsOxw4XDk8K5w4Y6w7VZO8K/wojCqcO2wqQow5Z+w6dew7I3TMObw6Ykw7I=', 'Mk8Bw6QawqU=', 'wo5zw4vCkxvDuSBqwoENw7rCrF3DksKewoPDqMKHNSzCgcK2fcKxPMKbGcKwCW5GZWRpw6fDmgHCjXrCnXE3w4zDqlt3w64lw7JiworDi8Knw5YoW1LDlUbDpkEtGQPDnw==', 'w6lvdMKW', 'w7JFdsOhwrBqwrlMYcKVJRjCuMKQwpLDtMONwprCsMORw4BtRV0oeEQPCgAmMgx2'];
-
(function(_0xf486e7, _0x2075d7) {
-
var _0x5c3a18 = function(_0x5b65b1) {
-
while (--_0x5b65b1) {
-
_0xf486e7['push'](_0xf486e7['shift']());
-
}
-
};
-
_0x5c3a18(++_0x2075d7);
-
}(_0x2075, 0xa4));
-
var _0x5c3a = function(_0xf486e7, _0x2075d7) {
-
_0xf486e7 = _0xf486e7 - 0x0;
-
var _0x5c3a18 = _0x2075[_0xf486e7];
-
if (_0x5c3a['vEVEZj'] === undefined) {
-
(function() {
-
var _0x2e1ca4;
-
try {
-
var _0x28e173 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
-
_0x2e1ca4 = _0x28e173();
-
} catch (_0x16acc9) {
-
_0x2e1ca4 = window;
-
}
-
var _0x16f958 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
-
_0x2e1ca4['atob'] || (_0x2e1ca4['atob'] = function(_0x5a7812) {
-
var _0x3c7e74 = String(_0x5a7812)['replace'](/=+$/, '');
-
var _0x5e030c = '';
-
for (var _0x4eaee2 = 0x0, _0x5954ef, _0x29200e, _0x5a128b = 0x0; _0x29200e = _0x3c7e74['charAt'](_0x5a128b++); ~_0x29200e && (_0x5954ef = _0x4eaee2 % 0x4 ? _0x5954ef * 0x40 + _0x29200e : _0x29200e,
-
_0x4eaee2++ % 0x4) ? _0x5e030c += String['fromCharCode'](0xff & _0x5954ef >> (-0x2 * _0x4eaee2 & 0x6)) : 0x0) {
-
_0x29200e = _0x16f958['indexOf'](_0x29200e);
-
}
-
return _0x5e030c;
-
}
-
);
-
}());
-
var _0x3acf89 = function(_0x593a19, _0xfee22e) {
-
var _0x1b5349 = [], _0x4ddb21 = 0x0, _0x28ed27, _0x4b4996 = '', _0xbdd0c6 = '';
-
_0x593a19 = atob(_0x593a19);
-
for (var _0x1d6343 = 0x0, _0x3f947e = _0x593a19['length']; _0x1d6343 < _0x3f947e; _0x1d6343++) {
-
_0xbdd0c6 += '%' + ('00' + _0x593a19['charCodeAt'](_0x1d6343)['toString'](0x10))['slice'](-0x2);
-
}
-
_0x593a19 = decodeURIComponent(_0xbdd0c6);
-
var _0x1a120c;
-
for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
-
_0x1b5349[_0x1a120c] = _0x1a120c;
-
}
-
for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
-
_0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c] + _0xfee22e['charCodeAt'](_0x1a120c % _0xfee22e['length'])) % 0x100;
-
_0x28ed27 = _0x1b5349[_0x1a120c];
-
_0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
-
_0x1b5349[_0x4ddb21] = _0x28ed27;
-
}
-
_0x1a120c = 0x0;
-
_0x4ddb21 = 0x0;
-
for (var _0x585b7f = 0x0; _0x585b7f < _0x593a19['length']; _0x585b7f++) {
-
_0x1a120c = (_0x1a120c + 0x1) % 0x100;
-
_0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c]) % 0x100;
-
_0x28ed27 = _0x1b5349[_0x1a120c];
-
_0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
-
_0x1b5349[_0x4ddb21] = _0x28ed27;
-
_0x4b4996 += String['fromCharCode'](_0x593a19['charCodeAt'](_0x585b7f) ^ _0x1b5349[(_0x1b5349[_0x1a120c] + _0x1b5349[_0x4ddb21]) % 0x100]);
-
}
-
return _0x4b4996;
-
};
-
_0x5c3a['HKkhxp'] = _0x3acf89;
-
_0x5c3a['eabUGz'] = {};
-
_0x5c3a['vEVEZj'] = !![];
-
}
-
var _0x5b65b1 = _0x5c3a['eabUGz'][_0xf486e7];
-
if (_0x5b65b1 === undefined) {
-
if (_0x5c3a['vszZjY'] === undefined) {
-
_0x5c3a['vszZjY'] = !![];
-
}
-
_0x5c3a18 = _0x5c3a['HKkhxp'](_0x5c3a18, _0x2075d7);
-
_0x5c3a['eabUGz'][_0xf486e7] = _0x5c3a18;
-
} else {
-
_0x5c3a18 = _0x5b65b1;
-
}
-
return _0x5c3a18;
-
};
-
var _0x2e1ca4 = function() {
-
var _0x564fd8 = !![];
-
return function(_0x157886, _0x3f8543) {
-
var _0x3aa335 = _0x564fd8 ? function() {
-
if (_0x3f8543) {
-
var _0x35f411 = _0x3f8543[_0x5c3a('0x15', 'qqhd')](_0x157886, arguments);
-
_0x3f8543 = null;
-
return _0x35f411;
-
}
-
}
-
: function() {}
-
;
-
_0x564fd8 = ![];
-
return _0x3aa335;
-
}
-
;
-
}();
-
setInterval(function() {
-
_0x3acf89();
-
}, 0xfa0);
-
(function() {
-
_0x2e1ca4(this, function() {
-
var _0x13f533 = new RegExp('function\x20*\x5c(\x20*\x5c)');
-
var _0x28f488 = new RegExp(_0x5c3a('0x13', 'l02m'),'i');
-
var _0x5783e7 = _0x3acf89('init');
-
if (!_0x13f533['test'](_0x5783e7 + _0x5c3a('0xb', 'mvpW')) || !_0x28f488['test'](_0x5783e7 + _0x5c3a('0x6', 'S&fJ'))) {
-
_0x5783e7('0');
-
} else {
-
_0x3acf89();
-
}
-
})();
-
}());
-
window = {};
-
window['atob'] = function(_0x44004e) {
-
e = _0x5c3a('0x8', 'CwZq');
-
var _0x2761c0 = String(_0x44004e)[_0x5c3a('0x9', 'F%XZ')](/=+$/, '');
-
if (_0x2761c0[_0x5c3a('0x7', 'KMc0')] % 0x4 == 0x1)
-
throw new t('\x27atob\x27\x20failed:\x20The\x20string\x20to\x20be\x20decoded\x20is\x20not\x20correctly\x20encoded.');
-
for (var _0x3568b6, _0x228da4, _0x1076e1 = 0x0, _0x242bbc = 0x0, _0x5766d9 = ''; _0x228da4 = _0x2761c0['charAt'](_0x242bbc++); ~_0x228da4 && (_0x3568b6 = _0x1076e1 % 0x4 ? 0x40 * _0x3568b6 + _0x228da4 : _0x228da4,
-
_0x1076e1++ % 0x4) ? _0x5766d9 += String[_0x5c3a('0x16', '%Fh)')](0xff & _0x3568b6 >> (-0x2 * _0x1076e1 & 0x6)) : 0x0)
-
_0x228da4 = e[_0x5c3a('0xe', 'ivHf')](_0x228da4);
-
return _0x5766d9;
-
}
-
;
-
window['btoa'] = function(_0x140387) {
-
e = _0x5c3a('0x11', '1t8u');
-
for (var _0x5a7683, _0x5c4afc, _0x414c71 = String(_0x140387), _0x3a865d = 0x0, _0x388744 = e, _0x171f9b = ''; _0x414c71[_0x5c3a('0x10', 'G%UZ')](0x0 | _0x3a865d) || (_0x388744 = '=',
-
_0x3a865d % 0x1); _0x171f9b += _0x388744[_0x5c3a('0x5', '#%vS')](0x3f & _0x5a7683 >> 0x8 - _0x3a865d % 0x1 * 0x8)) {
-
if (_0x5c4afc = _0x414c71[_0x5c3a('0xa', '(eE#')](_0x3a865d += 0.75),
-
_0x5c4afc > 0xff)
-
throw new t(_0x5c3a('0xf', '!zyq'));
-
_0x5a7683 = _0x5a7683 << 0x8 | _0x5c4afc;
-
}
-
return _0x171f9b;
-
}
-
;
-
function _0x3acf89(_0x1a61bd) {
-
function _0x50b4d2(_0x5c1045) {
-
if (typeof _0x5c1045 === 'string') {
-
return function(_0xaf1ee8) {}
-
['constructor'](_0x5c3a('0x3', 'mvpW'))[_0x5c3a('0xc', 'dtRw')](_0x5c3a('0x1', 'g1Ep'));
-
} else {
-
if (('' + _0x5c1045 / _0x5c1045)['length'] !== 0x1 || _0x5c1045 % 0x14 === 0x0) {
-
(function() {
-
return !![];
-
}
-
['constructor']('debu' + 'gger')[_0x5c3a('0x4', '%Fh)')](_0x5c3a('0x0', 'zu[n')));
-
} else {
-
(function() {
-
return ![];
-
}
-
[_0x5c3a('0x2', 'g1Ep')](_0x5c3a('0x12', 'LPae') + _0x5c3a('0x14', 'N5*X'))['apply'](_0x5c3a('0xd', 'qOO9')));
-
}
-
}
-
_0x50b4d2(++_0x5c1045);
-
}
-
try {
-
if (_0x1a61bd) {
-
return _0x50b4d2;
-
} else {
-
_0x50b4d2(0x0);
-
}
-
} catch (_0x524e63) {}
-
}
可以看到,代码已经被搞的面目全非了,并且多了很多代码。我们来逐步分析。
一个大数组,一个移位函数,然后就是一个解密字符串的函数 _0x5c3a 。可以看到后面的代码多次调用这个解密函数。
本文要做的就是如何对这个解密的函数进行简单的字符替换操作。
先验证可行性:
将 大数组,移位代码及解密函数在控制台运行一下:
验证base64码表是否正确:
验证正确,这样看来解密函数可以直接用。
替换思路:
将类似 _0x5c3a('0x11', '1t8u') 这种调用全部正则查找出来
调用 pyexecjs库计算出 _0x5c3a('0x11', '1t8u') 的值
全部进行替换
核心代码:
-
reg = re.compile(r"_0x5c3a\([\s\S]{12,14}'\)")
-
results = reg.findall(code) #code是整个混淆代码,此处查找全部调用
-
ctx = execjs.compile(jscode) #jscode 是 大数组 + 移位函数 + 解密函数
-
for result in results:
-
value = ctx.eval(result) #计算解密后的字串
-
print (result,value)
-
code = code.replace(result,"'" + value + "'") #替换
替换结果如图:
其实比对混淆前后的代码,你会发现多了很多无用的代码,在静态分析的时候可以直接将其删除,并不影响其功能。
下篇文章讲述如何开启一个node服务进行替换,彻底告别pyexecjs这个库。
文章来源: blog.csdn.net,作者:悦来客栈的老板,版权归原作者所有,如需转载,请联系作者。
原文链接:blog.csdn.net/qq523176585/article/details/109508006
【版权声明】本文为华为云社区用户转载文章,如果您发现本社区中有涉嫌抄袭的内容,欢迎发送邮件进行举报,并提供相关证据,一经查实,本社区将立刻删除涉嫌侵权内容,举报邮箱:
cloudbbs@huaweicloud.com
- 点赞
- 收藏
- 关注作者
评论(0)