定位被混淆的函数

Locate obfuscated function

本文关键字:函数 定位      更新时间:2023-09-26

我正试图对一个网站进行逆向工程,该网站具有解码编码字符串的功能。函数在一个内联脚本中被调用:

<script type='text/javascript'>
    var str = dec("BHUJLOUBHUNK");
</script>

即使我有完整的源代码,我也没有成功地找出实际功能dec所在的位置。我怀疑该函数隐藏在以下脚本中的某个地方(但我可能错了):

<script type="text/javascript">var _0xb557=["'x6B'x65'x79","'x4A'x30'x2B'x49'x52'x68'x42'x33'x2B'x4C'x79'x4F'x30'x66'x77'x32'x49'x2B'x32'x71'x54'x32'x44'x66'x38'x48'x56'x64'x50'x61'x62'x77'x6D'x4A'x56'x65'x44'x57'x46'x46'x6F'x70'x6C'x6D'x56'x78'x46'x46'x35'x75'x77'x36'x5A'x6C'x6E'x50'x4E'x58'x6F'x3D"];jwplayer[_0xb557[0]]=_0xb557[1];</script>
<script type="text/javascript">
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'''w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('''b'+e(c)+'''b','g'),k[c])}}return p}('10 14(15){5 3=15+'''',2=3.17(0);8(9<=2&&2<=21){5 19=2;8(3.13===1){4 2}5 12=3.17(1);4((19-9)*20)+(12-11)+22}8(11<=2&&2<=29){4 2}4 2}10 28(3){5 6="";23(7=0;7<3.13;7++){5 18=14(3.27(7));16=18^26;6=6+24.25(16)}4 6}',10,30,'||code|str|return|var|decoded|i|if|0xD800|function|0xDC00|low|length|ord|string|a|charCodeAt|b|hi|0x400|0xDBFF|0x10000|for|String|fromCharCode|123|charAt|dec|0xDFFF'.split('|'),0,{}))
</script>

我如何追踪dec()函数?

使用jsbeautifier.org或任何类似的站点来解除源代码的混淆。或者直接输入:

console.log(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'''w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('''b'+e(c)+'''b','g'),k[c])}}return p}('10 14(15){5 3=15+'''',2=3.17(0);8(9<=2&&2<=21){5 19=2;8(3.13===1){4 2}5 12=3.17(1);4((19-9)*20)+(12-11)+22}8(11<=2&&2<=29){4 2}4 2}10 28(3){5 6="";23(7=0;7<3.13;7++){5 18=14(3.27(7));16=18^26;6=6+24.25(16)}4 6}',10,30,'||code|str|return|var|decoded|i|if|0xD800|function|0xDC00|low|length|ord|string|a|charCodeAt|b|hi|0x400|0xDBFF|0x10000|for|String|fromCharCode|123|charAt|dec|0xDFFF'.split('|'),0,{}));

…查看未混淆的源代码。

例如,如果您将eval行粘贴到JSBeautifier中,您将得到:

function ord(string) {
    var str = string + '',
        code = str.charCodeAt(0);
    if (0xD800 <= code && code <= 0xDBFF) {
        var hi = code;
        if (str.length === 1) {
            return code
        }
        var low = str.charCodeAt(1);
        return ((hi - 0xD800) * 0x400) + (low - 0xDC00) + 0x10000
    }
    if (0xDC00 <= code && code <= 0xDFFF) {
        return code
    }
    return code
}
function dec(str) {
    var decoded = "";
    for (i = 0; i < str.length; i++) {
        var b = ord(str.charAt(i));
        a = b ^ 123;
        decoded = decoded + String.fromCharCode(a)
    }
    return decoded
}
相关文章: