How to deobfuscate JavaScript code that uses "[] [filter] [constructor] ..."?

Time: 2014-10-04 08:58:59

Tags: javascript obfuscation deobfuscation

As everyone knows, JavaScript obfuscated with things like "packer" and "eval" can easily be decoded with the various tools available on the Internet, but recently I came across a piece of JavaScript obfuscated with []['filter']['constructor']....., for which there seems to be no decoding solution. Here is an example:

[]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[true + true] + "N" + "S" + "S" + "{" + "I" + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] +
    "5" + "f") + 101["toString"]("!0!01")[+true] + "a" + (+"false" + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["fontcolor"]()["!01"])[true + true] + "a" + "t" + "e")()())["!0!0!00"] + "e" + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" +
    "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] + "5" + "f") + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] + "59" + "") + "o" + "u" + []["filter"]["constructor"]("r" +
    "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] + "7" + "d");

How can JavaScript like this be decoded?

1 answer:

Answer 0: (score: 5)

This looks very much like non-alphanumeric obfuscation, but in an intermediate form. See here for an example.

The principle is the same:
1. It relies on another way of evaluating code, in your example the Array filter constructor.
2. It uses subscript notation (turning object names into strings).
3. It breaks strings into single-character strings and then uses type coercion to turn each character into a sequence of non-alphanumeric symbols.

Decoding this is quite simple, but it takes laborious effort if you do it by hand. I think writing a tool to revert it automatically would take less than an hour. At first it may look like a good obfuscation, but it is not resilient and is easily defeated.

No obfuscation is 100% bulletproof, but modern JS obfuscators (such as JScrambler) go far deeper than basic encoding techniques (whether eval or eval-less).

For more details on non-alphanumeric obfuscation, see this presentation (slides 33-38). If you are interested in JavaScript obfuscation, see the rest of it as well.
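One way to see the three principles from the answer at work, as an added example that is not part of the question or the answer: the code below hooks the constructor that `[]["filter"]["constructor"]` resolves to, so every source string an obfuscated expression compiles is logged while it runs, and it evaluates the individual atoms (`italics`, `toString` with a radix, `escape`) on a constructed sample that reuses the question's idioms with a valid radix written out (the question's `"!0!0!01"` is an intermediate form). It assumes Node.js, where `escape` and `String.prototype.italics` are available.

```javascript
// Added example (not from the post): intercept the Function constructor that
// []["filter"]["constructor"] resolves to, so every source string the
// obfuscated code compiles is logged while it runs, then evaluate the atoms.
const NativeFunction = Function;

// Evaluate `src` with Function.prototype.constructor hooked. Returns the
// value the code produces plus every string it handed to the constructor.
function traceObfuscated(src) {
  const compiled = [];
  // [].filter has no own "constructor"; the lookup falls through to
  // Function.prototype.constructor, which is writable, so hooking it here
  // intercepts the obfuscator's eval substitute without touching `Function`.
  Function.prototype.constructor = function (...args) {
    compiled.push(args.join(","));
    return NativeFunction(...args);
  };
  try {
    return { result: NativeFunction("return (" + src + ")")(), compiled };
  } finally {
    Function.prototype.constructor = NativeFunction;
  }
}

// Constructed sample built from the same idioms as the question (radix 31
// written out; the post's "!0!0!01" is an intermediate form of it).
const SAMPLE =
  '[]["filter"]["constructor"]("r"+"e"+"t"+"u"+"r"+"n"+" "+"e"+"s"+"c"+"a"' +
  '+211["toString"](31)[+true]+"e")()(""["italics"]()[0])[true+true]' +
  '+[]["filter"]["constructor"]("return unescape")()(' +
  '[]["filter"]["constructor"]("return escape")()(""["italics"]()[0])[0]+"5"+"f")';

// Resolve the individual atoms the answer describes, each one a plain value.
function explainAtoms() {
  return {
    evalSubstitute: []["filter"]["constructor"] === Function, // Array#filter.constructor is Function
    italicsLt: ""["italics"]()[0],        // "<i></i>"[0] -> "<"
    radixP: 211["toString"](31)[+true],   // "6p"[1]      -> "p"
    escapedC: escape("<")[true + true],   // "%3C"[2]     -> "C"
    unescapedUnderscore: unescape("%5f"), // "_"
  };
}

console.log(traceObfuscated(SAMPLE));
console.log(explainAtoms());
```

The logged `compiled` strings ("return escape", "return unescape") expose the primitives the obfuscation is built on, which is what a manual or scripted reverter then folds back into plain literals.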