逆向工程需要付出很多努力。但是,在面對混淆JS時,可以從幾個步驟開始。
首先,deobfuscate然後beautify。在這一點上,代碼仍然是不可讀的,但這些步驟將降低總體複雜性。
大多數JavaScript混淆器都使用了一種策略:它們提取靜態值,將它們放入數組中,並將靜態值替換爲數組查找。
E.g.
注:我省略了變量名稱的變形。
var url = 'www.google.com';
將變爲:
var allStaticValues = ['www.google.com'];
var url = allStaticValues[0];
這種模式通常很容易識別和扭轉。
var allStaticValues = ['www.google.com'];
var obfusactedCode = 'var url = allStaticValues[0];';
var clearerCode = obfusactedCode.replace(/allStaticValues\[(.+?)\]/g, function ($0, $1) {
return ("'" + allStaticValues[$1] + "'");
}); //var url = 'www.google.com';
下面是它與你的混淆代碼給出:
function _fPnA(number) {
switch (number) {
case '||||':
return '0';
break;
case '|||]':
return '1';
break;
case '||]|':
return '2';
break;
case '||]]':
return '3';
break;
case '|]||':
return '4';
break;
case '|]|]':
return '5';
break;
case '|]]|':
return '6';
break;
case '|]]]':
return '7';
break;
case ']|||':
return '8';
break;
case ']||]':
return '9';
break;
default:
return 'separate';
break
}
return 'separate'
}
function _fKhU(code) {
var _vTcN = window.location.hostname;
var _vMgJ = '';
var _vNfU = '';
_vTcN = _vTcN.replace('http://', '');
_vTcN = _vTcN.replace('https://', '');
_vTcN = _vTcN.replace('www.', '');
_vTcN = _vTcN.split('.')[0];
for (var _vXnG = 0; _vXnG < code.length/4; _vXnG++) {
var _vKxS = code.substring(_vXnG * 4, (_vXnG + 1) * 4);
if (_fPnA(_vKxS) == 'separate') {
_vMgJ += String.fromCharCode(Number(_vNfU));
_vNfU = ''
} else {
_vNfU += _fPnA(_vKxS)
}
}
_vMgJ += String.fromCharCode(Number(_vNfU));
if (_vMgJ.indexOf(_vTcN) == -1) {
document.write('You got Post Feed widget for <em>' + _vMgJ + '</em> but you are using it for <em>' + window.location.hostname + '</em>. PLEASE REMOVE IT AND THEN <strong><a href="http://bloggercando.blogspot.com/2014/05/all-in-one-post-feed-widget-for-blogger.html" target="_blank">GET IT AGAIN</a></strong>');
return false
}
return true
}
function _fNuC(_vMgJ) {
document.write('<script type="text/javascript" src="' + _vMgJ + '"></script>')
}
function _fLiX(pub_date, format) {
pub_date = pub_date.split('-');
date = new Date(pub_date[0], pub_date[1] - 1, pub_date[2].substring(0, 2));
dd = date.getDate();
mm = date.getMonth() + 1;
yyyy = date.getFullYear();
format = format.replace('dd', dd);
format = format.replace('mm', mm);
format = format.replace('yyyy', yyyy);
return format
}
function _fJmO(content) {
var _vUcB = '';
var _vSiC = '<img ';
var _vOaY = 'src="';
var _vQlK = '"';
index0 = content.indexOf(_vSiC);
if (index0 != -1) {
index1 = content.indexOf(_vOaY, index0);
if (index0 != -1) {
index2 = content.indexOf(_vQlK, index1 + _vOaY.length);
if (index0 != -1) {
_vUcB = content.substring(index1 + _vOaY.length, index2)
}
}
}
if (_vUcB == '') {
_vSiC = 'data-thumbnail-src="';
_vOaY = '"';
index0 = content.indexOf(_vSiC);
if (index0 != -1) {
index1 = content.indexOf(_vOaY, index0 + _vSiC.length);
if (index0 != -1) {
_vUcB = content.substring(index0 + _vSiC.length, index1)
}
}
}
if (_vUcB == '') {
_vSiC = '<iframe ';
_vOaY = 'src="';
_vQlK = '"';
index0 = content.indexOf(_vSiC);
if (index0 != -1) {
index1 = content.indexOf(_vOaY, index0);
if (index0 != -1) {
index2 = content.indexOf(_vQlK, index1 + _vOaY.length);
if (index0 != -1) {
_vUcB = content.substring(index1 + _vOaY.length, index2);
_vUcB = _vUcB.replace('http://www.youtube.com/watch?v=', '');
_vUcB = _vUcB.replace('http://www.youtube.com/embed/', '');
_vUcB = _vUcB.replace('?rel=0', '');
_vUcB = 'http://img.youtube.com/vi/' + _vUcB + '/mqdefault.jpg'
}
}
}
}
return _vUcB
}
function _fIyU(json) {
var _vJdM = new Object();
var _vHbI = /<\S[^>]*>/g;
_vJdM.id = json.feed.id.$t;
key = 'blog-';
index = _vJdM.id.indexOf(key);
_vJdM.id = _vJdM.id.substring(index + key.length);
_vJdM.id = _vJdM.id.replace('.comments', '');
_vJdM.cate = new Array();
if ('category' in json.feed) {
for (_vXnG = 0; _vXnG < json.feed.category.length; _vXnG++) {
_vJdM.cate[_vXnG] = json.feed.category[_vXnG].term
}
}
_vJdM.title = '';
if ('title' in json.feed) {
_vJdM.title = json.feed.title.$t
}
_vJdM.subtitle = '';
if ('subtitle' in json.feed) {
_vJdM.subtitle = json.feed.subtitle.$t
}
_vJdM.admin = new Object();
_vJdM.admin.name = 'Anonymous';
_vJdM.admin.uri = '';
_vJdM.admin.avatar = 'http://img1.blogblog.com/img/anon36.png';
if ('name' in json.feed.author[0]) {
_vJdM.admin.name = json.feed.author[0].name.$t
}
if ('uri' in json.feed.author[0]) {
_vJdM.admin.uri = json.feed.author[0].uri.$t
}
if ('gd$image' in json.feed.author[0]) {
if (json.feed.author[0].gd$image.src != 'http://img1.blogblog.com/img/blank.gif') {
_vJdM.admin.avatar = json.feed.author[0].gd$image.src
}
}
_vJdM.total_entry = Number(json.feed.openSearch$totalResults.$t);
_vJdM.start_index = Number(json.feed.openSearch$startIndex.$t);
_vJdM.item_per_page = Number(json.feed.openSearch$itemsPerPage.$t);
_vJdM.entry_number = 0;
if ('entry' in json.feed) {
_vJdM.entry_number = json.feed.entry.length
}
_vJdM.entry = new Array();
for (_vXnG = 0; _vXnG < _vJdM.entry_number; _vXnG++) {
_vJdM.entry[_vXnG] = new Object();
temp = new Object();
entry = json.feed.entry[_vXnG];
temp.id = entry.id.$t;
key = 'post-';
index = temp.id.indexOf(key);
temp.id = temp.id.substring(index + key.length);
temp.published = '';
if ('published' in entry) {
temp.published = entry.published.$t
}
temp.cate = new Array();
if ('category' in entry) {
for (j = 0; j < entry.category.length; j++) {
temp.cate[j] = entry.category[j].term
}
}
temp.title = '';
if ('title' in entry) {
temp.title = entry.title.$t
}
temp.content = '';
if ('content' in entry) {
temp.content = entry.content.$t
}
temp.summary = '';
if ('summary' in entry) {
temp.summary = entry.summary.$t
}
if (temp.summary == '') {
temp.summary = temp.content.replace(_vHbI, '')
}
if (temp.content == '') {
temp.content = temp.summary
}
temp.link = '';
temp.reply_label = 'comments';
if ('link' in entry) {
for (j = 0; j < entry.link.length; j++) {
if (entry.link[j].rel == 'alternate') {
temp.link = entry.link[j].href
}
if (entry.link[j].rel == 'replies') {
temp.reply_label = entry.link[j].title
}
}
}
temp.author = new Object();
temp.author.name = 'Anonymous';
temp.author.uri = '';
temp.author.avatar = 'http://img1.blogblog.com/img/anon36.png';
a0 = entry.author[0];
if ('name' in a0) {
temp.author.name = a0.name.$t
}
if ('uri' in a0) {
temp.author.uri = a0.uri.$t
}
if ('gd$image' in a0) {
if (a0.gd$image.src != 'http://img1.blogblog.com/img/blank.gif') {
temp.author.avatar = a0.gd$image.src
}
}
temp.thumbnail = '';
if ('media$thumbnail' in entry) {
temp.thumbnail = entry.media$thumbnail.url
}
temp.reply_number = 0;
if ('thr$total' in entry) {
temp.reply_number = Number(entry.thr$total.$t)
}
temp.reply_label = temp.reply_label.replace(temp.reply_number + ' ', '');
temp.reply_to = '';
temp.reply_json = '';
temp.reply_title = '';
if ('thr$in-reply-to' in entry) {
temp.reply_to = entry['thr$in-reply-to'].href;
temp.reply_json = entry['thr$in-reply-to'].source;
temp.reply_json = temp.reply_json.replace('/default/', '/summary/');
temp.reply_json = temp.reply_json + '?alt=json-in-script'
}
temp.pid = '';
if ('gd$extendedProperty' in entry) {
for (j = 0; j < entry.gd$extendedProperty.length; j++) {
if (entry.gd$extendedProperty[j].name == 'blogger.itemClass') {
temp.pid = entry.gd$extendedProperty[j].value
}
}
}
temp.pid = temp.pid.replace('pid-', '');
_vJdM.entry[_vXnG] = temp
}
return _vJdM
}
if (typeof(jquery_included) == 'undefined') {
jquery_included = false
}
function _fQdH() {
if (typeof(jQuery) == 'undefined') {
if (!jquery_included) {
jquery_included = true;
var _vZpT = document.createElement('script');
_vZpT.setAttribute('src', 'http://ajax.googleapis.com/ajax/libs/jquery/1.9.0/jquery.min.js');
_vZpT.setAttribute('type', 'text/javascript');
document.getElementsByTagName('head')[0].appendChild(_vZpT)
}
setTimeout(function() {
_fQdH()
}, 50)
} else {
if (!($('link[href*="font-awesome.css"]').length)) {
_vZpT = document.createElement('link');
_vZpT.setAttribute('href', 'http://netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css');
_vZpT.setAttribute('rel', 'stylesheet');
document.getElementsByTagName('head')[0].appendChild(_vZpT)
}
}
}
_fQdH();
function _fIhA(str) {
document.write(str)
}
function _fRcS(str) {
if (typeof(console) != 'undefined') {
if ('log' in console) {}
}
}
function _fYtG(json) {
if (_fKhU(bcd140526_id) == false) return;
var _vAyB = '<div style="clear:both!important;float:none;!important;line-height:0!important"></div>';
var _vMuA = _fIyU(json);
var _vDyO = '';
if (_vMuA.total_entry) {
_vDyO += ('<div class="bcd140526_post_feed ' + bcd140526_design_style + ' ' + ((bcd140526_show_thumbnail) ? 'thumb' : 'no-thumb') + '"><ul>');
for (var _vXnG = 0; _vXnG < _vMuA.total_entry && _vXnG < bcd140526_post_count; _vXnG++) {
p = _vMuA.entry[_vXnG];
_vDyO += ('<li class="item item-' + _vXnG + '">');
_fRcS(p.thumbnail);
if (!p.thumbnail) {
p.thumbnail = _fJmO(p.content)
}
if (bcd140526_show_thumbnail && p.thumbnail) {
if (bcd140526_design_style === 'column') {
var _vUcB = p.thumbnail;
if (_vUcB.indexOf('/s72-c/') != -1) {
_vUcB = _vUcB.replace('/s72-c/', '/s1600/')
} else if (_vUcB.indexOf('youtube.com') != -1) {
if (_vUcB.indexOf('/default.') != -1) {
_vUcB = _vUcB.replace('/default.', '/mqdefault.')
}
}
p.thumbnail = _vUcB
} else {
var _vUcB = p.thumbnail;
if (_vUcB.indexOf('/s72-c/') != -1) {
_vUcB = _vUcB.replace('/s72-c/', '/s' + bcd140526_thumbnail_size + '-c/')
} else if (_vUcB.indexOf('youtube.com') != -1) {
if (_vUcB.indexOf('/default.') != -1) {
_vUcB = _vUcB.replace('/default.', '/mqdefault.')
}
}
p.thumbnail = _vUcB
}
_vDyO += ('<a class="thumbnail" style="width:' + bcd140526_thumbnail_size + 'px;height:' + bcd140526_thumbnail_size + 'px;" href="' + p.link + '"><img src="' + p.thumbnail + '"/></a>')
}
_vDyO += ('<div class="item-body">');
if (bcd140526_show_label && (typeof(p.cate[0]) != 'undefined')) {
_vDyO += ('<a class="cate" href="' + HOST + '/search/label/' + p.cate[0] + '">' + p.cate[0] + '</a>')
}
_vDyO += ('<h3 class="title"><a href="' + p.link + '">' + p.title + '</a></h3>');
if (bcd140526_show_author_name || bcd140526_show_comment_numbers || bcd140526_show_date) {
_vDyO += ('<div class="meta">');
if (bcd140526_show_author_name) {
_vDyO += ('<span class="meta-item author-name"><i class="fa fa-user"></i> ' + p.author.name + '</span>')
}
if (bcd140526_show_comment_numbers) {
_vDyO += ('<span class="meta-item comment-number"><i class="fa fa-comment"></i> ' + p.reply_number + '</span>')
}
if (bcd140526_show_comment_numbers) {
_vDyO += ('<span class="meta-item date-time"><i class="fa fa-clock-o"></i> ' + _fLiX(p.published, bcd140526_date_format) + '</span>')
}
_vDyO += (_vAyB + '</div>' + _vAyB)
}
if (bcd140526_show_snippet) {
if (p.summary.length > bcd140526_snippet_length) {
p.summary = p.summary.substring(0, bcd140526_snippet_length) + '...'
}
if (bcd140526_show_readmore) {
p.summary += ' <a href="' + p.link + '#more">' + lang_readmore + '</a>'
}
_vDyO += ('<p class="snippet">' + p.summary + '</p>')
}
_vDyO += (_vAyB + '</div>' + _vAyB);
_vDyO += ('</li>')
}
_vDyO += ('</ul>');
if (!bcd140526_hide_copyright) {
_vDyO += (_vAyB);
_vDyO += ('<a target="_blank" class="copyright" href="http://bloggercando.blogspot.com/2014/05/all-in-one-post-feed-widget-for-blogger.html" style="font-size: 11px!important;text-align:right;visibility: visible;!important;text-indent:0!important;height:auto!important;width:100%!important;position:static!important;color:#999!important;display:block!important;opacity:1!important;">BloggerWidget</a>')
}
_vDyO += ('</div>' + _vAyB)
} else {
_vDyO += ('<p><em>Have no posts</em></p>')
}
_fIhA(_vDyO)
}
function _fXzN(json) {
if (bcd140526_sort_by == 'random') {
var _vOsU = _fIyU(json);
rand = Math.floor((Math.random() * _vOsU.total_entry) + 1);
if (rand + bcd140526_post_count > _vOsU.total_entry) {
rand = _vOsU.total_entry - bcd140526_post_count + 1
}
if (rand < 1) {
rand = 1
}
var _vXmZ = HOST + '/feeds/posts/default';
if (bcd140526_index_label) {
_vXmZ += '/-/' + encodeURIComponent(bcd140526_index_label)
}
_vXmZ += '?alt=json-in-script&max-result=' + bcd140526_post_count + '&start-index=' + rand + '&callback=_fYtG';
_fRcS(_vXmZ);
_fNuC(_vXmZ)
} else {
_fRcS('show');
if (_fKhU(bcd140526_id)) {
_fYtG(json)
}
}
}
var _vXmZ = HOST + '/feeds/posts/default';
if (bcd140526_index_label) {
_vXmZ += '/-/' + encodeURIComponent(bcd140526_index_label)
}
_vXmZ += '?alt=json-in-script';
if (bcd140526_sort_by == 'random') {
_vXmZ += '&max-results=0'
} else {
_vXmZ += '&max-results=' + bcd140526_post_count
}
_vXmZ += '&callback=_fXzN';
_fRcS(_vXmZ);
if (_fKhU(bcd140526_id)) {
_fNuC(_vXmZ)
}
此時知道在上下文中的代碼在運行和它最初產生將有助於逆向工程。如果沒有深入的分析,您可以先完成代碼並取消可變名稱。
例如,我們可以將var _vTcN = window.location.hostname;更改爲var hostName = window.location.hostname;,並將其重命名爲_vTcN至hostName,這是有意義的。
經過幾次通過,當你感覺代碼更具可讀性時,你可以找到執行入口點並從那裏找到它。
一個簡單的警報(「\ x62 \ x3D \ x5B \ x27 \ x30 ...」)將顯示十六進制代碼內部的內容。但是,要回答你的問題,這是真正的JavaScript,它只是混淆了沒有人理解你的內容。 – Elieder
http://jsfiddle.net/fyjby68v/ – medasafar
http://deobfuscatejavascript.com/會是一個好的開始。 – plalx