How do I deobfuscate JavaScript code that was obfuscated with "[] [filter] [constructor] ..."?

Su *_*lle 3 javascript obfuscation deobfuscation

It is well known that JavaScript obfuscated with things like "packer" and "eval" is easily decoded by the various tools available on the Internet, but recently I came across a piece of JavaScript obfuscated with something like []['filter']['constructor']....., and there seems to be no decoding solution for it. Here is an example:

[]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[true + true] + "N" + "S" + "S" + "{" + "I" + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] +
    "5" + "f") + 101["toString"]("!0!01")[+true] + "a" + (+"false" + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["fontcolor"]()["!01"])[true + true] + "a" + "t" + "e")()())["!0!0!00"] + "e" + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" +
    "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] + "5" + "f") + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] + "59" + "") + "o" + "u" + []["filter"]["constructor"]("r" +
    "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] + "7" + "d");

How can JavaScript like this be decoded?

小智 5

This looks very much like non-alphanumeric obfuscation, but in an intermediate form. See an example here.

The principle is the same:
1. It relies on another way of evaluating code, in your case the Array filter constructor.
2. It uses subscript notation (turning object names into strings).
3. It breaks strings into single-character strings, then uses type coercion to turn each character into a sequence of non-alphanumeric symbols.

Decoding this is very simple, but it takes painstaking effort if you do it by hand. I think writing a tool to revert it automatically would take less than an hour. At first it looks like a good obfuscation, but it is not resilient and is easily defeated.

No obfuscation is 100% bulletproof, but modern JS obfuscators (such as JScrambler) go much deeper than basic encoding techniques (whether eval-based or eval-less).

For more details on non-alphanumeric obfuscation, see this presentation (slides 33-38). If you are interested in JavaScript obfuscation, see the rest of it as well.
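As an added example (not code from the question or the answer), the Node.js script below turns the three principles the answer lists into static rewrite rules, so the sample can be unfolded without ever executing it: the `[]["filter"]["constructor"]` idiom, boolean-to-number indices, radix `toString` tricks, `""["italics"]()` tags, and single-character concatenation are each folded to the literal they denote until nothing changes. The input fragment is constructed in the style of the question's sample (with the radix written as a plain number); the rule set and the `fold` function are assumptions of this example.

```javascript
// Added example, not code from the question or the answer: a static,
// fixed-point constant folder for the idioms the answer describes. It never
// runs the obfuscated program; each rule rewrites one idiom into the literal
// it stands for, and the rules are re-applied until the text stops changing.
// Assumes Node.js (escape/unescape and String.prototype.italics are Annex B).
const STR = '"((?:[^"\\\\]|\\\\.)*)"';            // one double-quoted string literal
const lit = raw => JSON.parse(`"${raw}"`);         // decode a captured literal body
const q = s => JSON.stringify(s);                  // re-encode a value as a literal

const rules = [
  // []["filter"]["constructor"] is Array.prototype.filter.constructor, i.e. Function
  [/\[\]\["filter"\]\["constructor"\]/g, () => "Function"],
  // booleans coerced to numbers and used as indices: true + true -> 2, +true -> 1
  [/\btrue(?:\s*\+\s*true)+/g, m => String(m.split("+").length)],
  [/\+true\b/g, () => "1"],
  // HTML wrapper methods on "" yield fixed tags: ""["italics"]() -> "<i></i>"
  [/""\s*\["(italics|fontcolor|bold|big|small|fixed|sub|sup)"\]\(\)/g,
    (_, m) => q(""[m]())],
  // number to string in a radix: 211["toString"](31) -> "6p"
  [/(\d+)\["toString"\]\((\d+)\)/g, (_, n, r) => q(Number(n).toString(Number(r)))],
  // indexing a literal with a number: "6p"[1] -> "p" (applied before joining)
  [new RegExp(`${STR}\\[(\\d+)\\]`, "g"), (_, s, i) => q(lit(s)[Number(i)] ?? "")],
  // joining single-character literals: "r" + "e" -> "re"
  [new RegExp(`${STR}\\s*\\+\\s*${STR}(?!\\s*\\[)`, "g"), (_, a, b) => q(lit(a) + lit(b))],
  // Function("return name")() is just a reference to the global `name`
  [/\bFunction\("return (\w+)"\)\(\)/g, (_, name) => name],
  // escape/unescape of a literal are pure, so fold them with the real functions
  [new RegExp(`\\b(escape|unescape)\\(${STR}\\)`, "g"), (_, fn, s) => q(globalThis[fn](lit(s)))],
];

// Apply every rule in order until a full pass changes nothing (or the pass limit hits).
function fold(src, maxPasses = 100) {
  for (let i = 0; i < maxPasses; i++) {
    const next = rules.reduce((s, [re, fn]) => s.replace(re, fn), src);
    if (next === src) return src;
    src = next;
  }
  return src;
}

// Constructed fragment in the style of the question's sample: it is
// Function("return escape")()("<")[2], which folds to the literal "C".
const sample = '[]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"](31)[+true] + "e")()("" ["italics"]()[0])[true + true]';

console.log(fold(sample));
```

Because every rule only replaces an idiom with the literal it provably equals, a fragment the rules do not recognise is left in place rather than guessed at, which is what you want when triaging unknown scripts.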