反混淆一段混淆过的 JS 脚本,以便在服务器端复现其逻辑

时间:2016-01-25 08:50:44

标签: javascript php html obfuscation deobfuscation

如何对这段 JavaScript 代码进行反混淆?代码在 here(位于最后一个 script 标签内)。

基本上我知道它做了什么(混淆了表单中登录名/密码输入框的 name 属性值,并在表单里加了一个名为 'char'、值为随机值的隐藏输入,请参阅相关问题 here)。我想解码这段脚本,弄清它是如何做混淆的,以便在服务器端(用 php)模仿它。

tool 无法解码它。

我通过构造 hd 对象完成了一部分反混淆。我把代码按分号(;)拆成几段,得到了如下内容:

<script>
    // jjencode-style bootstrap. ~[] is ~0, so hd starts out as the number -1.
    var hd =~[];
    // Each ++hd yields the next digit 0..9, and the indexing entries pull single
    // letters out of "false", "[object Object]", "undefined" and "true":
    //   ___:0  $$$$:"f"  __$:1  $_$_:"a"  _$_:2  $_$$:"b"  $$_$:"d"  _$$:3
    //   $$$_:"e"  $__:4  $_$:5  $$__:"c"  $$_:6  $$$:7  $___:8  $__$:9
    // Key order matters: the ++hd side effects run left to right while hd is
    // still the number, before it is overwritten with this object.
    hd={___:++hd,$$$$:(![]+"")[hd],__$:++hd,$_$_:(![]+"")[hd],_$_:++hd,$_$$:({}+"")[hd],$$_$:(hd[hd]+"")[hd],_$$:++hd,$$$_:(!""+"")[hd],$__:++hd,$_$:++hd,$$__:({}+"")[hd],$$_:++hd,$$$:++hd,$___:++hd,$__$:++hd};

    // Spells "constructor" one character at a time. hd+"" is "[object Object]",
    // and hd.$ is still undefined at this point, so (hd.$+"") is "undefined".
    // The nested assignments also leave hd._$="o", hd.$$="n", hd.__="t",
    // hd.$="r" and hd._="u" behind for the next line.
    hd.$_=(hd.$_=hd+"")[hd.$_$]+(hd._$=hd.$_[hd.__$])+(hd.$$=(hd.$+"")[hd.__$])+((!hd)+"")[hd._$$]+(hd.__=hd.$_[hd.$$_])+(hd.$=(!""+"")[hd.__$])+(hd._=(!""+"")[hd._$_])+hd.$_[hd.$_$]+hd.__+hd._$+hd.$;

    // "r"+"e"+"t"+"u"+"r"+"n" -> hd.$$ = "return"
    hd.$$=hd.$+(!""+"")[hd._$$]+hd.__+hd._+hd.$+hd.$$;  

    // (0)["constructor"]["constructor"] is Number.constructor, i.e. Function.
    // The tail of the script (hd.$(hd.$(...)())()) uses it to compile and run
    // the source text the rest of the script assembles.
    hd.$=(hd.___)[hd.$_][hd.$_];  

    console.log('hd: '); 
    console.dir(hd);
    console.log('hd length: ' + Object.keys(hd).length);
</script>

可以在 there 的浏览器控制台中看到输出。

然而,代码的最后一部分显然是一个自调用函数:

hd.$(hd.$(... _+"\"")())(); 

hd.$ 是该对象上的一个函数,见图: enter image description here

但我不知道如何解码它。我试着在代码的其余部分替换该对象的所有引用(例如 hd.$$$$、hd.$_$ 等),但结果只有 this。不知道接下来该怎么做。

1 个答案:

答案 0 :(得分:2)

构造完 hd 对象之后,没有再进行其他变量赋值,余下的代码只是拼出一个大字符串,再把它解析成函数。

于是,借助生成的 hd 对象,我把构建这个字符串的那部分单独提取出来,得到了:

"return\"docu\155e\156t.\147et\105le\155e\156t\102\171\111d('lo\147\151\156fo\162\155').\151\156\156e\162\110\124\115\114\40=\40'<d\151\166\40\163t\171le=\"\155a\162\147\151\156-botto\155:\4025\160\170\"\40cla\163\163=\"\151\156\160ut-\147\162ou\160\"><\163\160a\156\40cla\163\163=\"\151\156\160ut-\147\162ou\160-addo\156\"><\151\40cla\163\163=\"\147l\171\160\150\151co\156\40\147l\171\160\150\151co\156-u\163e\162\"></\151></\163\160a\156><\151\156\160ut\40\151d=\"lo\147\151\156-u\163e\162\156a\155e\"\40t\171\160e=\"te\170t\"\40cla\163\163=\"fo\162\155-co\156t\162ol\"\40\156a\155e=\"\130\161\125\106\1603\107\156e\147\"\40\166alue=\"\"\40\160lace\150olde\162=\"\114o\147\151\156\"></d\151\166><d\151\166\40\163t\171le=\"\155a\162\147\151\156-botto\155:\4025\160\170\"\40cla\163\163=\"\151\156\160ut-\147\162ou\160\"><\163\160a\156\40cla\163\163=\"\151\156\160ut-\147\162ou\160-addo\156\"><\151\40cla\163\163=\"\147l\171\160\150\151co\156\40\147l\171\160\150\151co\156-loc\153\"></\151></\163\160a\156><\151\156\160ut\40\151d=\"lo\147\151\156-\160a\163\163\167o\162d\"\40t\171\160e=\"\160a\163\163\167o\162d\"\40cla\163\163=\"fo\162\155-co\156t\162ol\"\40\156a\155e=\"\171l\110\156\110\161\150\104\1262\"\40\160lace\150olde\162=\"\120a\163\163\167o\162d\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40cla\163\163=\"\151\156\160ut-\147\162ou\160\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40cla\163\163=\"c\150ec\153bo\170\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<label>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<\151\156\160ut\40\151d=\"lo\147\151\156-\162e\155e\155be\162\"\40t\171\160e=\"c\150ec\153bo\170\"\40\156a\155e=\"\162e\155e\155be\162\"\40\166alue=\"1\">\40\122e\155e\155be\162\40\155e\\\12\40\40\40\40\40\40\40\40\40\4
0\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</label>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40\163t\171le=\"\155a\162\147\151\156-to\160:10\160\170\"\40cla\163\163=\"fo\162\155-\147\162ou\160\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40cla\163\163=\"col-\163\155-12\40co\156t\162ol\163\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<a\40\151d=\"bt\156-lo\147\151\156\"\40\150\162ef=\"#\"\40cla\163\163=\"bt\156\40bt\156-\163ucce\163\163\">\114o\147\151\156\40\40</a>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<\151\156\160ut\40t\171\160e=\"\150\151dde\156\"\40\156a\155e=\"c\150a\162\"\40\166alue=\"&\156ot;\">';\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40$(\"#bt\156-lo\147\151\156\").cl\151c\153(fu\156ct\151o\156(){\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\166a\162\40\163e\162\40=\40$(\40\"#lo\147\151\156fo\162\155\"\40).\163e\162\151al\151\172e();\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40$.\160o\163t(\"/\160o\163t.\160\150\160\",\163e\162+\"&\150a\163\150=\"+\155d5(\163e\162),fu\156ct\151o\156(){locat\151o\156.\162e\160lace(\"/lo\147\147ed.\160\150\160\");});\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40});\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\"";

这样就完成了一半。但是很多字符都是 URI 编码的(\xxx)。我做了一个简单的正则替换来解码这些值:

// The extracted source text as a string literal. The \NNN sequences are JS octal
// escapes: a non-strict script parses them at load time, so `raw` already holds
// the decoded characters; in strict mode or an ES module they are a SyntaxError.
var raw = "return\"docu\155e\156t.\147et\105le\155e\156t\102\171\111d('lo\147\151\156fo\162\155').\151\156\156e\162\110\124\115\114\40=\40'<d\151\166\40\163t\171le=\"\155a\162\147\151\156-botto\155:\4025\160\170\"\40cla\163\163=\"\151\156\160ut-\147\162ou\160\"><\163\160a\156\40cla\163\163=\"\151\156\160ut-\147\162ou\160-addo\156\"><\151\40cla\163\163=\"\147l\171\160\150\151co\156\40\147l\171\160\150\151co\156-u\163e\162\"></\151></\163\160a\156><\151\156\160ut\40\151d=\"lo\147\151\156-u\163e\162\156a\155e\"\40t\171\160e=\"te\170t\"\40cla\163\163=\"fo\162\155-co\156t\162ol\"\40\156a\155e=\"\130\161\125\106\1603\107\156e\147\"\40\166alue=\"\"\40\160lace\150olde\162=\"\114o\147\151\156\"></d\151\166><d\151\166\40\163t\171le=\"\155a\162\147\151\156-botto\155:\4025\160\170\"\40cla\163\163=\"\151\156\160ut-\147\162ou\160\"><\163\160a\156\40cla\163\163=\"\151\156\160ut-\147\162ou\160-addo\156\"><\151\40cla\163\163=\"\147l\171\160\150\151co\156\40\147l\171\160\150\151co\156-loc\153\"></\151></\163\160a\156><\151\156\160ut\40\151d=\"lo\147\151\156-\160a\163\163\167o\162d\"\40t\171\160e=\"\160a\163\163\167o\162d\"\40cla\163\163=\"fo\162\155-co\156t\162ol\"\40\156a\155e=\"\171l\110\156\110\161\150\104\1262\"\40\160lace\150olde\162=\"\120a\163\163\167o\162d\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40cla\163\163=\"\151\156\160ut-\147\162ou\160\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40cla\163\163=\"c\150ec\153bo\170\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<label>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<\151\156\160ut\40\151d=\"lo\147\151\156-\162e\155e\155be\162\"\40t\171\160e=\"c\150ec\153bo\170\"\40\156a\155e=\"\162e\155e\155be\162\"\40\166alue=\"1\">\40\122e\155e\155be\162\40\155e\\\12\40\40\40\40\40\40\
40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</label>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40\163t\171le=\"\155a\162\147\151\156-to\160:10\160\170\"\40cla\163\163=\"fo\162\155-\147\162ou\160\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40cla\163\163=\"col-\163\155-12\40co\156t\162ol\163\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<a\40\151d=\"bt\156-lo\147\151\156\"\40\150\162ef=\"#\"\40cla\163\163=\"bt\156\40bt\156-\163ucce\163\163\">\114o\147\151\156\40\40</a>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<\151\156\160ut\40t\171\160e=\"\150\151dde\156\"\40\156a\155e=\"c\150a\162\"\40\166alue=\"&\156ot;\">';\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40$(\"#bt\156-lo\147\151\156\").cl\151c\153(fu\156ct\151o\156(){\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\166a\162\40\163e\162\40=\40$(\40\"#lo\147\151\156fo\162\155\"\40).\163e\162\151al\151\172e();\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40$.\160o\163t(\"/\160o\163t.\160\150\160\",\163e\162+\"&\150a\163\150=\"+\155d5(\163e\162),fu\156ct\151o\156(){locat\151o\156.\162e\160lace(\"/lo\147\147ed.\160\150\160\");});\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40});\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\"";

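// Decode JS-style octal escapes (\NNN, e.g. \155 -> "m") that are still present
// as literal backslash-digit text in `raw`. decodeURIComponent only expands %XX
// sequences and returns "\155" unchanged, so the previous /\\\d+/g pass through
// it was a no-op; the result only looked decoded because a non-strict string
// literal already has its octal escapes resolved by the parser. The pattern
// mirrors the language rule (\0-\3 take up to two more octal digits, \4-\7 at
// most one), so "\4025" yields " 25" and "\1603" yields "p3", matching the
// recovered markup. If `raw` already holds decoded text the replace finds
// nothing and leaves it untouched.
var decoded = raw.replace(/\\([0-3][0-7]{0,2}|[4-7][0-7]?)/g, function (match, octal) {
    return String.fromCharCode(parseInt(octal, 8));
});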

得到了下面的内容(稍作整理并格式化后):

// Recovered body of the obfuscated script. It rewrites the login form's markup so
// that the username and password inputs carry obfuscated name attributes
// ("XqUFp3Gneg" / "ylHnHqhDV2" in this capture) and a hidden field named "char"
// is appended; per the question these values vary between page loads. The
// single-quoted string spans lines here only because the output was reformatted.
document.getElementById('loginform').innerHTML = '
    <div style="margin-bottom: 25px" class="input-group">
        <span class="input-group-addon">
            <i class="glyphicon glyphicon-user"></i>
        </span>
        <input id="login-username" type="text" class="form-control" name="XqUFp3Gneg" value="" placeholder="Login">
    </div>
    <div style="margin-bottom: 25px" class="input-group">
        <span class="input-group-addon">
            <i class="glyphicon glyphicon-lock"></i>
        </span>
        <input id="login-password" type="password" class="form-control" name="ylHnHqhDV2" placeholder="Password">
    </div>
    <div class="input-group">
        <div class="checkbox">
            <label>
                <input id="login-remember" type="checkbox" name="remember" value="1">
                Remember me
            </label>
        </div>
    </div>
    <div style="margin-top:10px" class="form-group">
        <div class="col-sm-12 controls">
            <a id="btn-login" href="#" class="btn btn-success">Login</a>
        </div>
    </div>
    <input type="hidden" name="char" value="&not;">
';

// Submit handler: serializes the whole form (including the hidden "char" field)
// and posts it with an md5 of that serialized string appended as `hash`. Both the
// serialization and the digest are computed in the browser from values the client
// already controls, so the hash gives the server no integrity guarantee against a
// client that alters the submitted fields; it only ties `hash` to `ser` as sent.
// `md5` is not defined in this listing — presumably a page-level helper.
$("#btn-login").click(function(){
    var ser = $( "#loginform" ).serialize();
    $.post("/post.php",
        // query string: <serialized form>&hash=<md5 of the serialized form>
        ser + "&hash=" + md5(ser),
        // on success, navigate away (replace keeps the login page out of history)
        function() { location.replace("/logged.php"); }
    );
});

换句话说,它用 jQuery 的 serialize() 序列化表单值,再对该序列化字符串计算 md5,并作为 hash 查询参数随请求一起发给服务器。需要注意的是,这个哈希是在浏览器里、由客户端本就掌握的值算出来的,所以它并不能阻止客户端改动提交的数据;服务器端复现它只能用来做格式校验,而不能当作防篡改措施。