AST Deobfuscation in Practice: Replacing References to Elements of a Large Literal Array


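Disclaimer: this article is for study and research only. Using it for illegal purposes is strictly prohibited, and you bear the consequences if you do. If anything here infringes your rights, please let me know and it will be removed. Thank you.

Background

In the article "JS Reverse Engineering: A Detailed Walkthrough of Problem 5 of the Yuanrenxue Crawler Competition (Part 1)" I introduced the general approach to AST-based deobfuscation. Now let's look at how to replace references to the elements of a large array of literals.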

Sample URL

"aHR0cHM6Ly93d3cubmlrZS5jb20vc3RhdGljL2QwZmU4NDViOWEwdGkyMDkxYjg5NThmZjIxZDA0ZDg2YQ=="

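Sample analysis

After copying the code, formatting it, and saving it as a .js file, you can see that it begins by defining a large array named _ac whose elements are hex-escaped strings.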


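The rest of the code refers to elements of this array many times.

Displayed this way, the code is very hard to read. So let's write a simple plugin that replaces each reference into the array with the element itself.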

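Approach

  1. Copy the array definition from the sample into the AST-processing code.

  2. First handle the hex-escaped strings so that they become readable.

  3. Traverse MemberExpression nodes of the form _ac[607], then test each one.

  4. If the conditions hold, perform the replacement.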

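Writing the plugin

Step 1. Use the code introduced in the article "Preliminaries for AST Deobfuscation: A Code Template for Deobfuscating with the Babel Library", and copy the array definition into it.

Step 2. For the hex-escaped strings, the plugin introduced in the article "JavaScript Deobfuscation Plugin 1: Handling Hexadecimal and Chinese/English Unicode Strings or Numbers" is all you need.

Step 3. Traverse MemberExpression nodes of the form _ac[607]: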

const visitor = {
  MemberExpression(path) {},
};

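Step 4. Test the conditions and, if they hold, replace:

// `types` is @babel/types and `_ac` is the array definition pasted in during step 1.
const visitor = {
  MemberExpression(path) {
    let { object, property } = path.node;
    // Only handle accesses whose object is the identifier _ac ...
    if (!types.isIdentifier(object, { name: "_ac" })) return;
    // ... and whose index is a numeric literal, e.g. _ac[607].
    if (!types.isNumericLiteral(property)) return;
    let index = property.value;
    let value = _ac[index];
    // Replace the whole member expression with the literal it refers to.
    path.replaceWith(types.valueToNode(value));
  },
};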

After the plugin runs, the code is much simpler and easier to read than before. The plugin is also very easy to write, with almost no difficulty at all.

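Caveats

  1. Every element of the array must be a literal.

  2. Make sure the array is never modified from beginning to end.

  3. Using scope analysis might be better, but for some code scope cannot be used, and there this approach works better. A restoration plugin written specifically for a particular site gives better results still.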
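The first two caveats can be checked in code before anything is replaced. The block below is an added example, not the article's code: it works on a small hand-built AST in Babel's node shapes with a minimal walker in place of @babel/traverse, and the names `inlineArray`, `walk` and `sampleAst` are hypothetical. It assumes the array name is not shadowed anywhere in the file.

```javascript
// Added example, not the article's code. Node shapes follow Babel's AST;
// walk() is a minimal stand-in for @babel/traverse, so nothing needs installing.
const id = (name) => ({ type: "Identifier", name });
const str = (value) => ({ type: "StringLiteral", value });
const num = (value) => ({ type: "NumericLiteral", value });
const member = (object, property, computed = true) =>
  ({ type: "MemberExpression", object, property, computed });
// Depth-first walk; the callback receives each node and its slot in the parent.
function walk(node, visit, parent = null, key = null, index = null) {
  if (Array.isArray(node)) {
    node.forEach((child, i) => walk(child, visit, parent, key, i));
  } else if (node && typeof node.type === "string") {
    visit(node, parent, key, index);
    for (const k of Object.keys(node)) {
      if (node[k] && typeof node[k] === "object") walk(node[k], visit, node, k);
    }
  }
}
const SAFE_ELEMENTS = new Set(["StringLiteral", "NumericLiteral", "BooleanLiteral", "NullLiteral"]);

// Inline every NAME[<number>] read, but only when all elements are literals
// and nothing in the file can have modified the array.
function inlineArray(ast, name) {
  let elements = null, reason = null;
  const reads = [];
  const isTarget = (n) => n.type === "MemberExpression" && n.computed &&
    n.object.type === "Identifier" && n.object.name === name &&
    n.property.type === "NumericLiteral";
  walk(ast, (node, parent, key, index) => {
    if (isTarget(node)) {
      const written = (parent.type === "AssignmentExpression" && key === "left") ||
        parent.type === "UpdateExpression" ||
        (parent.type === "UnaryExpression" && parent.operator === "delete");
      if (written) reason = "array element is written";
      else reads.push({ node, parent, key, index });
    } else if (node.type === "Identifier" && node.name === name) {
      const isDecl = parent.type === "VariableDeclarator" && key === "id" &&
        !elements && parent.init && parent.init.type === "ArrayExpression";
      const isPropName = parent.type === "MemberExpression" &&
        key === "property" && !parent.computed;
      if (isDecl) elements = parent.init.elements;
      // Conservative: push(), aliasing, reassignment and NAME[i] all block inlining.
      else if (!isPropName && !isTarget(parent)) reason = `use other than ${name}[N]`;
    }
  });
  if (!reason && !elements) reason = "no array literal declaration";
  if (!reason && !elements.every((e) => e && SAFE_ELEMENTS.has(e.type)))
    reason = "non-literal element";
  if (reason) return { replaced: 0, reason };
  let replaced = 0;
  for (const { node, parent, key, index } of reads) {
    const element = elements[node.property.value];
    if (!element) continue; // out-of-range index: leave the access as it is
    // Fresh node without Babel's extra.raw, so "\x67..." prints as decoded text.
    const copy = { type: element.type, value: element.value };
    if (index === null) parent[key] = copy; else parent[key][index] = copy;
    replaced++;
  }
  return { replaced, reason: null };
}

// Constructed sample, equivalent to:
//   var _ac = ["getAttribute", "ActiveXObject", "doact"];  el[_ac[0]](_ac[2]);
function sampleAst(extraStatements = []) {
  return { type: "Program", body: [
    { type: "VariableDeclaration", kind: "var", declarations: [{
      type: "VariableDeclarator", id: id("_ac"), init: { type: "ArrayExpression",
        elements: [str("getAttribute"), str("ActiveXObject"), str("doact")] } }] },
    { type: "ExpressionStatement", expression: { type: "CallExpression",
      callee: member(id("el"), member(id("_ac"), num(0))),
      arguments: [member(id("_ac"), num(2))] } },
    ...extraStatements ] };
}
console.log(inlineArray(sampleAst(), "_ac"));
```

With real Babel, the same all-or-nothing structure applies: collect the candidate paths first, run the checks, and call path.replaceWith only if none of them failed.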

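Perhaps you feel that even after replacing the array elements you are still a long way from working out the encrypted parameters, so this is of little use. But since there is a way to make the code a little clearer, why not use it?

Have you noticed how much simpler this is than regex-based replacement?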

This article was published on 2024-02-04 09:52:30.

Article link: https://www.4u4v.net/it/170704517254530.html
