首页 > 分享 > ast反混淆进阶

ast反混淆进阶

花匠小妙招
2024-12-24 04:03

实现目的：字符花指令与函数花指令的处理处理前： var _0xb28de8 = { "abcd": function (_0x22293f, _0x5a165e) { return _0x22293f == _0x5a165e; }, "dbca": function (_0xfbac1e, _0x23462f, _0x556555) { return _0xfbac1e(_0x23462f, _0x556555); }, "aaa": function (_0x57e640) { return _0x57e640(); }, "bbb": "eee" }; var aa = _0xb28de8["abcd"](123, 456); var bb = _0xb28de8["dbca"](bcd, 11, 22); var cc = _0xb28de8["aaa"](dcb); 处理后： var aa = 123 == 456; var bb = bcd(11, 22); var cc = dcb(); 123456789101112131415161718192021

demo.js var _0xb28de8 = { "abcd": function (_0x22293f, _0x5a165e) { return _0x22293f == _0x5a165e; }, "dbca": function (_0xfbac1e, _0x23462f, _0x556555) { return _0xfbac1e(_0x23462f, _0x556555); }, "aaa": function (_0x57e640) { return _0x57e640(); }, "bbb": "eee" }; var aa = _0xb28de8["abcd"](123, 456); var bb = _0xb28de8["dbca"](bcd, 11, 22); var cc = _0xb28de8["aaa"](dcb); function dd() { var _0xb28de8 = {//局部变量同名验证 "bbb": "eee45475" }; var dd = _0xb28de8["bbb"]; } var ddf = _0xb28de8["bbb"];//局部变量与全局变量同名验证 function dd() { //全局变量在函数体是否可用验证 var dd = _0xb28de8["bbb"]; } function kk(a) {//传值验证 var ss = _0xb28de8[a]; } 1234567891011121314151617181920212223242526272829303132333435

dec_main.js const fs = require("fs");//文件读写 const parse = require("@babel/parser"); //解析为ast const traverse = require('@babel/traverse').default;//遍历节点 const t = require('@babel/types');//类型 const generator = require('@babel/generator').default;//ast解析为代码 //读取js文件 const jscode = fs.readFileSync( './demo.js', { encoding: 'utf-8' } ); let ast = parse.parse(jscode);//js转ast function callToStr(path) { // 将对象进行替换 var node = path.node;//获取路径节点 if (!t.isObjectExpression(node.init))//不是对象表达式则退出 return; var objPropertiesList = node.init.properties; // 获取对象内所有属性 if (objPropertiesList.length == 0) // 对象内属性列表为0则退出 return; var objName = node.id.name; // 对象名 let scope = path.scope;//获取路径的作用域 let binding = scope.getBinding(objName);// if (!binding || binding.constantViolations.length > 0) {//检查该变量的值是否被修改--一致性检测 return; } let paths = binding.referencePaths;//绑定引用的路径 let paths_sums=0;//路径计数 objPropertiesList.forEach(prop => { var key = prop.key.value;//属性名 if (t.isFunctionExpression(prop.value))//属性值为函数表达式 { var retStmt = prop.value.body.body[0];//定位到ReturnStatement path.scope.traverse(path.scope.block, { CallExpression: function (_path) {//调用表达式匹配 let _path_binding = _path.scope.getBinding(objName);//当前作用域获取绑定 if(_path_binding!=binding)return;//两者绑定对比 if (!t.isMemberExpression(_path.node.callee))//成员表达式判定 return; var _node = _path.node.callee;//回调函数节点 if (!t.isIdentifier(_node.object) || _node.object.name !== objName)//非标识符检测||节点对象名全等验证 return; if (!(t.isStringLiteral(_node.property) || t.isIdentifier(_node.property)))//节点属性非可迭代字符验证||节点属性标识符验证 return; if (!(_node.property.value == key || _node.property.name == key))//节点属性值与名称等于指定值验证 return; if (!t.isStringLiteral(_node.property) || _node.property.value != key)//节点属性可迭代字符验证与节点属性值与指定值等于验证 return; var args = _path.node.arguments;//获取节点的参数 // 二元运算 if (t.isBinaryExpression(retStmt.argument) && args.length === 2)//二进制表达式判定且参数为两个 { _path.replaceWith(t.binaryExpression(retStmt.argument.operator, args[0], args[1]));//二进制表达式替换当前节点 } // 逻辑运算 else if (t.isLogicalExpression(retStmt.argument) && args.length == 2)//与二元运算一样 { _path.replaceWith(t.logicalExpression(retStmt.argument.operator, args[0], args[1])); } // 函数调用 else if (t.isCallExpression(retStmt.argument) && t.isIdentifier(retStmt.argument.callee))//回调函数表达式判定及回调参数部分判定 { _path.replaceWith(t.callExpression(args[0], args.slice(1))) } paths_sums+=1;//删除计数标志 } }) } else if (t.isStringLiteral(prop.value)) {//属性值为可迭代字符类型 var retStmt = prop.value.value;//属性值的值即A:B中的B部分 path.scope.traverse(path.scope.block, { MemberExpression: function (_path) {//成员表达式 let _path_binding = _path.scope.getBinding(objName);//当前作用域获取绑定 if(_path_binding!=binding)return;//两者绑定对比 var _node = _path.node; if (!t.isIdentifier(_node.object) || _node.object.name !== objName)//节点对象标识符验证|节点对象名验证 return; if (!(t.isStringLiteral(_node.property) || t.isIdentifier(_node.property)))//节点属性可迭代字符验证|标识符验证 return; if (!(_node.property.value == key || _node.property.name == key))//节点属性值与名称等于指定值验证 return; if (!t.isStringLiteral(_node.property) || _node.property.value != key)//节点属性可迭代字符判定|节点属性值等于指定值验证 return; _path.replaceWith(t.stringLiteral(retStmt))//节点替换 paths_sums+=1;//删除计数标志 } }) } }); if (paths_sums == paths.length) {//若绑定的每个路径都已处理，则移除当前路径 path.remove();//删除路径 } } traverse(ast, {VariableDeclarator: {exit: [callToStr]},}); // 对象替换 let {code} = generator(ast,opts = {jsescOption:{"minimal":true}}) //文件保存 fs.writeFile('./demoNew.js', code, (err) => { }); 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109

demoNew.js var _0xb28de8 = { "abcd": function (_0x22293f, _0x5a165e) { return _0x22293f == _0x5a165e; }, "dbca": function (_0xfbac1e, _0x23462f, _0x556555) { return _0xfbac1e(_0x23462f, _0x556555); }, "aaa": function (_0x57e640) { return _0x57e640(); }, "bbb": "eee" }; //由于后面kk函数体传参数使用该字典对象，参数未知，保留该字典对象 var aa = 123 == 456; var bb = bcd(11, 22); var cc = dcb(); function dd() { var dd = "eee45475"; } var ddf = "eee"; //局部变量与全局变量同名验证 function dd() { //全局变量在函数体是否可用验证 var dd = "eee"; } function kk(a) { //传值验证 var ss = _0xb28de8[a]; } 1234567891011121314151617181920212223242526272829303132333435

优化及说明：一.对于所有的删除操作都采取影响最小的操作 1.对于局部变量与全局变量同名情况 var _0xb28de8 = {...}； function dd() { var _0xb28de8 = {//局部变量同名验证 "bbb": "eee45475" }; var dd = _0xb28de8["bbb"]; } 同名作用域不同，局部变量优先，花指令处理后，可删除局部_0xb28de8，同时也是安全删除情况 2.不安全删除情况 function kk(a) {//传值验证 var ss = _0xb28de8[a]; } 此处，使用全局变量_0xb28de8，但是传入的值未知，确保整体安全，禁止删除_0xb28de8 二.对全局变量及局部变量的使用场景进行优化特别说明及感谢：此处核心源码来自于作者：丁仔参考ob解混淆源码 https://github.com/DingZaiHub/ob-decrypt 123456789101112131415161718192021222324