search

echo094 / decode-js

JS混淆代码的AST分析工具 AST analysis tool for obfuscated JS code
MIT License
717 stars 336 forks source link

ldvmp: 新混淆工具 #107

Closed wojiaoyishang closed 4 months ago

wojiaoyishang commented 4 months ago

移步:https://www.ldvmp.com/ 查看。 样本见附件 样本.txt

源代码:

// 函数名会被重置
function pow(n){
    if(n === 1){
        return 2;
    }
    return 2 * pow(n-1);
}
console.log(pow(5));
// 导出函数,函数名会被保留
globalThis.add = function(a, b){
    return a + b;
}
console.log(add(3, 5));

使用 common 解密之后:

typeof window === "undefined" && Object.assign(globalThis, {
  exports,
  require,
  module,
  __filename,
  __dirname
}); // 非Node环境可删除
(function (ﱣﹱ, ﱣיּ, ࢭﱣ, ﹰﱣ, ﱡء, ﹰﱡ, ءﱞ) {
  ﹲﱢ(9, ﱣﹱ), "\u2028";
  function ﹲﱢ(יּﱞ, ﹱء, ﱡࢭ, ࢭﱠ, ﹱﹰ, ࢭﱢ, ءﱡ, ﹲﱟ, יּء, ﹱ, ﹲﱞ, ﱟ) {
    function ﱞء(ﱠﱟ) {
      let ࢭﹰ = ࢭﱠ;
      for (let ﱢ = 1; ﱢ < ﱠﱟ; ++ﱢ) ࢭﹰ = ࢭﹰ.__proto__;
      return ࢭﹰ;
    }
    function ﱞﹲ() {
      if (ﹱﹰ) return ﹱﹰ;
      let יּࢭ = {};
      Object.defineProperties(יּࢭ, {
        ﱣיּ: {
          get() {
            return ءﱡ;
          },
          set(ﹱﱢ) {
            ءﱡ = ﹱﱢ;
          }
        },
        ࢭﱣ: {
          get() {
            return ﹲﱟ;
          },
          set(ﹱﱢ) {
            ﹲﱟ = ﹱﱢ;
          }
        }
      });
      יּࢭ.__proto__ = ࢭﱠ;
      ﹱﹰ = יּࢭ;
      return יּࢭ;
    }
    while (1) if (7 > יּﱞ) {
      if (יּﱞ < 2) 1 > יּﱞ ? (ﹲﱞ = ءﱡ + ﹲﱟ, יּﱞ = 4) : ﹲﱞ = (יּﱞ = 16, יּء());else if (יּﱞ < 3) ﹲﱞ = ﱣﹱ["console"][(יּﱞ = 19, "log")];else if (4 > יּﱞ) ﹱ = ((יּﱞ = 11) - 9) * ﹲﱞ;else if (5 > יּﱞ) return ﹲﱞ;else if (יּﱞ < 6) ﹲﱞ = (יּﱞ = 3, ءﱞ(ﱟ));else ﹲﱞ = ﱣﹱ["add"]((יּﱞ = 14) - 11, 5);
    } else if (יּﱞ < 13) {
      if (יּﱞ > 10) {
        if (יּﱞ < 12) return ﹱ;else return;
      } else if (יּﱞ < 9) 8 > יּﱞ ? יּﱞ = 1 : ﱣﹱ["globalThis"][(יּﱞ = 18, "add")] = יּء;else if (יּﱞ > 9) ﹱ ? יּﱞ = 15 : יּﱞ = 25;else ءﱞ = (יּﱞ = 22, function (...ﱡﱠ) {
        return ﹲﱢ(23, this, arguments, ﱞﹲ(), ﹰﱡ, ﹰﱡ, ...ﱡﱠ);
      });
    } else if (יּﱞ < 19) {
      if (יּﱞ > 16) 17 < יּﱞ ? יּء = ﱣﹱ["console"][(יּﱞ -= 12, "log")] : יּﱞ = 8;else if (15 > יּﱞ) 14 > יּﱞ ? יּء = (יּﱞ = 17, function (...ﱡﱠ) {
        return ﹲﱢ(0, this, arguments, ﱞﹲ(), ﹰﱡ, ﹰﱡ, ...ﱡﱠ);
      }) : ﹱ = (יּﱞ = 12, ﹰﱣ(יּء, ﱣﹱ["console"])(ﹲﱞ));else if (יּﱞ > 15) יּﱞ += 5;else return יּﱞ - 13;
    } else if (יּﱞ > 25) ﹱ = (יּﱞ = 13, ﹰﱣ(יּء, ﱣﹱ["console"])(ﹲﱞ));else if (23 < יּﱞ) יּﱞ > 24 ? ﱟ = ءﱡ - ((יּﱞ = 5) - 4) : ﹲﱞ = ءﱞ((יּﱞ = 26) - 21);else if (יּﱞ < 22) {
      if (20 < יּﱞ) יּء = ﱣﹱ["console"][(יּﱞ = 24, "log")];else if (יּﱞ > 19) return;else ﱟ = (יּﱞ = 20, ﹰﱣ(ﹲﱞ, ﱣﹱ["console"])("[\u55B5\u55B5\u76FE]: \u5E38\u89C4\u7248\n[\u4F5C\u8005\u5FAE\u4FE1]: CyyWon\n[\u77E5\u8BC6\u661F\u7403]: https://t.zsxq.com/16K0ySvnP\n[\u5FAE\u4FE1\u516C\u4F17\u53F7]: https://mp.weixin.qq.com/s/e_BYGLmH4R-uw-un2n7ZZQ\n[\u5B98\u7F51]: https://ldvmp.com/\n"));
    } else 22 < יּﱞ ? ﹱ = ءﱡ === (יּﱞ = 10) - 9 : יּء = (יּﱞ = 7, function (...ﱡﱠ) {
      return ﹲﱢ(2, this, arguments, ﱞﹲ(), ﹰﱡ, ﹰﱡ, ...ﱡﱠ);
    });
  }
})(globalThis, !![], ![], (() => {}).call.bind((() => {}).bind), null);
echo094 commented 4 months ago

这个是有控制流混淆没处理,混淆方式和 #19 类似,和变量名没关系。

这个工具是给人练习学习用的吧,有人用它来做正事吗?

wojiaoyishang commented 4 months ago

对的,是用于学习的。在B站上看到的,因为本人能力有限,所以不知明的就发Issue问了,感谢大佬指明思路。