echo094
commented
1 year ago 这个不属于上述3种混淆方式。
这个脚本中的iOSJS.$实际上是Function() constructor,你可以当成是eval(),你直接把这个函数运行一下(去掉最后的(iOSJS={___:++iOSJS,$$$$:(![]+"")[iOSJS]}))就能看到实际的函数了。
Closed djc-Sherlock closed 1 year ago
echo094
commented
1 year ago 这个不属于上述3种混淆方式。
这个脚本中的iOSJS.$实际上是Function() constructor,你可以当成是eval(),你直接把这个函数运行一下(去掉最后的(iOSJS={___:++iOSJS,$$$$:(![]+"")[iOSJS]}))就能看到实际的函数了。
echo094
commented
1 year ago 这个是jjencode方式混淆的代码,目前尚未支持。
混淆方式如下:
function encode(variable, source) {
var result = ''
var ch
var key = [
'___',
'__$',
'_$_',
'_$$',
'$__',
'$_$',
'$$_',
'$$$',
'$___',
'$__$',
'$_$_',
'$_$$',
'$$__',
'$$_$',
'$$$_',
'$$$$',
]
var block = ''
for (var i = 0; i < source.length; i++) {
ch = source.charCodeAt(i)
if (ch == 34 || ch == 92) {
block += '\\\\\\' + source.charAt(i).toString(16)
} else if (
(32 <= ch && ch <= 47) ||
58 <= ch == 64 ||
(91 <= ch && ch <= 96) ||
(123 <= ch && ch <= 127)
) {
block += source.charAt(i)
} else if ((48 <= ch && ch <= 57) || (97 <= ch && ch <= 102)) {
if (block) result += '"' + block + '"+'
result += variable + '.' + key[ch < 64 ? ch - 48 : ch - 87] + '+'
block = ''
} else if (ch == 108) {
if (block) result += '"' + block + '"+'
result += '(![]+"")[' + variable + '._$_]+'
block = ''
} else if (ch == 111) {
if (block) result += '"' + block + '"+'
result += variable + '._$+'
block = ''
} else if (ch == 116) {
if (block) result += '"' + block + '"+'
result += variable + '.__+'
block = ''
} else if (ch == 117) {
if (block) result += '"' + block + '"+'
result += variable + '._+'
block = ''
} else if (ch < 128) {
if (block) result += '"' + block
else result += '"'
result +=
'\\\\"+' +
ch.toString(8).replace(/[0-7]/g, function (_0x1e7583) {
return variable + '.' + key[_0x1e7583] + '+'
})
block = ''
} else {
if (block) result += '"' + block
else result += '"'
result +=
'\\\\"+' +
variable +
'._+' +
ch.toString(16).replace(/[0-9a-f]/gi, function (_0x2b2347) {
return variable + '.' + key[parseInt(_0x2b2347, 16)] + '+'
})
block = ''
}
}
if (block) {
result += '"' + block + '"+'
}
result =
variable +
'=~[];/*sojson.com*/' +
variable +
'={___:++' +
variable +
',/*sojson.com*/$$$$:(![]+"")[' +
variable +
'],__$:++' +
variable +
',$_$_:(![]+"")[' +
variable +
'],_$_:++' +
variable +
',$_$$:({}+"")[' +
variable +
'],$$_$:(' +
variable +
'[' +
variable +
']+"")[' +
variable +
'],_$$:++' +
variable +
',$$$_:(!""+"")[' +
variable +
'],$__:++' +
variable +
',$_$:++' +
variable +
',$$__:({}+"")[' +
variable +
'],$$_:++' +
variable +
',$$$:++' +
variable +
',$___:++' +
variable +
',$__$:++' +
variable +
'};' +
variable +
'.$_=' +
'(' +
variable +
'.$_=' +
variable +
'+"")[' +
variable +
'.$_$]+' +
'(' +
variable +
'._$=' +
variable +
'.$_[' +
variable +
'.__$])+' +
'(' +
variable +
'.$$/*sojson.com*/=(' +
variable +
'.$+"")[' +
variable +
'.__$])+' +
'((!' +
variable +
')+"")[' +
variable +
'._$$]+' +
'(' +
variable +
'.__=' +
variable +
'.$_[' +
variable +
'.$$_])+' +
'(' +
variable +
'.$=(!""+"")[' +
variable +
'.__$])+' +
'(' +
variable +
'._=(!""+"")[' +
variable +
'._$_])+' +
variable +
'.$_[' +
variable +
'.$_$]+' +
variable +
'.__+' +
variable +
'._$+' +
variable +
'.$;/*sojson.com*/' +
variable +
'.$$=' +
variable +
'.$+' +
'(!""+"")[' +
variable +
'._$$]+' +
variable +
'.__+' +
variable +
'._+' +
variable +
'.$+' +
variable +
'.$$/*sojson.com*/;' +
variable +
'.$=(' +
variable +
'.___)[' +
variable +
'.$_][' +
variable +
'.$_];' +
variable +
'.$(' +
variable +
'.$(' +
variable +
'.$$+"\\""+' +
result +
'"\\"")())(sojson={___:++sojson,$$$$:(![]+"")[sojson]});'
return result
}主要就是将代码编码以后调用了一次eval()。
https://playcode.io/1601078