如何对这段 JavaScript 代码进行反混淆?代码在这里(位于最后一个 script 标签中)。
我大致知道它的作用(混淆表单中登录名/密码输入框的 name 属性值,并向表单添加一个 name=char、值为随机值的隐藏输入框,参见这里的相关问题)。我想解码这个脚本,了解它是如何进行混淆的,以便在服务器端(使用 PHP)模仿它。
这个工具不能解码它。
我通过编辑 hd 对象完成了部分反混淆。我提取了代码的各个部分(以分号 ; 分隔),并对它们进行了编辑:
<script>
// Bootstrap of the obfuscated script: builds a lookup table of digits and letters
// out of type coercion, then derives the strings "constructor" and "return" and a
// reference to the Function constructor. Statement order matters throughout.

// ~[] is -1, so the first ++hd below yields 0.
var hd =~[];
// While the literal is evaluated, hd is still the counter. Each ++hd stores the
// next digit; each (x+"")[hd] picks one character out of "false", "true",
// "undefined" or "[object Object]":
//   ___=0  __$=1  _$_=2  _$$=3  $__=4  $_$=5  $$_=6  $$$=7  $___=8  $__$=9
//   $$$$="f"  $_$_="a"  $_$$="b"  $$_$="d"  $$$_="e"  $$__="c"
hd={___:++hd,$$$$:(![]+"")[hd],__$:++hd,$_$_:(![]+"")[hd],_$_:++hd,$_$$:({}+"")[hd],$$_$:(hd[hd]+"")[hd],_$$:++hd,$$$_:(!""+"")[hd],$__:++hd,$_$:++hd,$$__:({}+"")[hd],$$_:++hd,$$$:++hd,$___:++hd,$__$:++hd};
// hd+"" is now "[object Object]". The sub-assignments store single letters
// (_$="o", $$="n", __="t", $="r", _="u") and the concatenation leaves
// hd.$_ === "constructor".
hd.$_=(hd.$_=hd+"")[hd.$_$]+(hd._$=hd.$_[hd.__$])+(hd.$$=(hd.$+"")[hd.__$])+((!hd)+"")[hd._$$]+(hd.__=hd.$_[hd.$$_])+(hd.$=(!""+"")[hd.__$])+(hd._=(!""+"")[hd._$_])+hd.$_[hd.$_$]+hd.__+hd._$+hd.$;
// "r" + "e" + "t" + "u" + "r" + "n": hd.$$ === "return".
hd.$$=hd.$+(!""+"")[hd._$$]+hd.__+hd._+hd.$+hd.$$;
// (0)["constructor"]["constructor"] is the Function constructor, so hd.$(text)
// compiles text into a function. The script's remaining statement,
// hd.$(hd.$(...)())(), therefore has the same effect as eval. To read the payload
// without running it, evaluate only the string-building argument and log it;
// do not invoke the function built from it.
hd.$=(hd.___)[hd.$_][hd.$_];
// Debug output added while analysing: dump the finished table and its key count.
console.log('hd: ');
console.dir(hd);
console.log('hd length: ' + Object.keys(hd).length);
</script>
您可以在那里的浏览器控制台中看到它的输出。
然而,代码的最后一部分显然是一个调用自己的函数:
hd.$(hd.$(... _+"\"")())(); hd.$是对象的函数,请参见图:

但我不知道如何解码它。我尝试在其余代码中替换该对象的所有属性引用(例如 hd.$、hd.$_$ 等),但结果只是像这样。不知道接下来该怎么做。
发布于 2016-01-25 10:12:01
在构造hd对象之后,没有进行其他变量赋值,它只是构建一个大字符串来解析为一个函数。
因此,使用您生成的hd对象,我提取了构建字符串的部分,并得到了以下内容:
"return\"docu\155e\156t.\147et\105le\155e\156t\102\171\111d('lo\147\151\156fo\162\155').\151\156\156e\162\110\124\115\114\40=\40'<d\151\166\40\163t\171le=\"\155a\162\147\151\156-botto\155:\4025\160\170\"\40cla\163\163=\"\151\156\160ut-\147\162ou\160\"><\163\160a\156\40cla\163\163=\"\151\156\160ut-\147\162ou\160-addo\156\"><\151\40cla\163\163=\"\147l\171\160\150\151co\156\40\147l\171\160\150\151co\156-u\163e\162\"></\151></\163\160a\156><\151\156\160ut\40\151d=\"lo\147\151\156-u\163e\162\156a\155e\"\40t\171\160e=\"te\170t\"\40cla\163\163=\"fo\162\155-co\156t\162ol\"\40\156a\155e=\"\130\161\125\106\1603\107\156e\147\"\40\166alue=\"\"\40\160lace\150olde\162=\"\114o\147\151\156\"></d\151\166><d\151\166\40\163t\171le=\"\155a\162\147\151\156-botto\155:\4025\160\170\"\40cla\163\163=\"\151\156\160ut-\147\162ou\160\"><\163\160a\156\40cla\163\163=\"\151\156\160ut-\147\162ou\160-addo\156\"><\151\40cla\163\163=\"\147l\171\160\150\151co\156\40\147l\171\160\150\151co\156-loc\153\"></\151></\163\160a\156><\151\156\160ut\40\151d=\"lo\147\151\156-\160a\163\163\167o\162d\"\40t\171\160e=\"\160a\163\163\167o\162d\"\40cla\163\163=\"fo\162\155-co\156t\162ol\"\40\156a\155e=\"\171l\110\156\110\161\150\104\1262\"\40\160lace\150olde\162=\"\120a\163\163\167o\162d\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40cla\163\163=\"\151\156\160ut-\147\162ou\160\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40cla\163\163=\"c\150ec\153bo\170\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<label>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<\151\156\160ut\40\151d=\"lo\147\151\156-\162e\155e\155be\162\"\40t\171\160e=\"c\150ec\153bo\170\"\40\156a\155e=\"\162e\155e\155be\162\"\40\166alue=\"1\">\40\122e\155e\155be\162\40\155e\\\12\40\40\40\40\40\40\40\40\40\4
0\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</label>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40\163t\171le=\"\155a\162\147\151\156-to\160:10\160\170\"\40cla\163\163=\"fo\162\155-\147\162ou\160\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40cla\163\163=\"col-\163\155-12\40co\156t\162ol\163\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<a\40\151d=\"bt\156-lo\147\151\156\"\40\150\162ef=\"#\"\40cla\163\163=\"bt\156\40bt\156-\163ucce\163\163\">\114o\147\151\156\40\40</a>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<\151\156\160ut\40t\171\160e=\"\150\151dde\156\"\40\156a\155e=\"c\150a\162\"\40\166alue=\"&\156ot;\">';\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40$(\"#bt\156-lo\147\151\156\").cl\151c\153(fu\156ct\151o\156(){\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\166a\162\40\163e\162\40=\40$(\40\"#lo\147\151\156fo\162\155\"\40).\163e\162\151al\151\172e();\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40$.\160o\163t(\"/\160o\163t.\160\150\160\",\163e\162+\"&\150a\163\150=\"+\155d5(\163e\162),fu\156ct\151o\156(){locat\151o\156.\162e\160lace(\"/lo\147\147ed.\160\150\160\");});\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40});\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\"";这让我们半途而废。但是很多字符都是URI编码的(\xxx)。我做了一个简单的regex替换来解码这些值:
var raw = "return\"docu\155e\156t.\147et\105le\155e\156t\102\171\111d('lo\147\151\156fo\162\155').\151\156\156e\162\110\124\115\114\40=\40'<d\151\166\40\163t\171le=\"\155a\162\147\151\156-botto\155:\4025\160\170\"\40cla\163\163=\"\151\156\160ut-\147\162ou\160\"><\163\160a\156\40cla\163\163=\"\151\156\160ut-\147\162ou\160-addo\156\"><\151\40cla\163\163=\"\147l\171\160\150\151co\156\40\147l\171\160\150\151co\156-u\163e\162\"></\151></\163\160a\156><\151\156\160ut\40\151d=\"lo\147\151\156-u\163e\162\156a\155e\"\40t\171\160e=\"te\170t\"\40cla\163\163=\"fo\162\155-co\156t\162ol\"\40\156a\155e=\"\130\161\125\106\1603\107\156e\147\"\40\166alue=\"\"\40\160lace\150olde\162=\"\114o\147\151\156\"></d\151\166><d\151\166\40\163t\171le=\"\155a\162\147\151\156-botto\155:\4025\160\170\"\40cla\163\163=\"\151\156\160ut-\147\162ou\160\"><\163\160a\156\40cla\163\163=\"\151\156\160ut-\147\162ou\160-addo\156\"><\151\40cla\163\163=\"\147l\171\160\150\151co\156\40\147l\171\160\150\151co\156-loc\153\"></\151></\163\160a\156><\151\156\160ut\40\151d=\"lo\147\151\156-\160a\163\163\167o\162d\"\40t\171\160e=\"\160a\163\163\167o\162d\"\40cla\163\163=\"fo\162\155-co\156t\162ol\"\40\156a\155e=\"\171l\110\156\110\161\150\104\1262\"\40\160lace\150olde\162=\"\120a\163\163\167o\162d\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40cla\163\163=\"\151\156\160ut-\147\162ou\160\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40cla\163\163=\"c\150ec\153bo\170\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<label>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<\151\156\160ut\40\151d=\"lo\147\151\156-\162e\155e\155be\162\"\40t\171\160e=\"c\150ec\153bo\170\"\40\156a\155e=\"\162e\155e\155be\162\"\40\166alue=\"1\">\40\122e\155e\155be\162\40\155e\\\12\40\40\40\40\40\40\
40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</label>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40\163t\171le=\"\155a\162\147\151\156-to\160:10\160\170\"\40cla\163\163=\"fo\162\155-\147\162ou\160\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<d\151\166\40cla\163\163=\"col-\163\155-12\40co\156t\162ol\163\">\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<a\40\151d=\"bt\156-lo\147\151\156\"\40\150\162ef=\"#\"\40cla\163\163=\"bt\156\40bt\156-\163ucce\163\163\">\114o\147\151\156\40\40</a>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40</d\151\166>\\\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40<\151\156\160ut\40t\171\160e=\"\150\151dde\156\"\40\156a\155e=\"c\150a\162\"\40\166alue=\"&\156ot;\">';\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40$(\"#bt\156-lo\147\151\156\").cl\151c\153(fu\156ct\151o\156(){\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\166a\162\40\163e\162\40=\40$(\40\"#lo\147\151\156fo\162\155\"\40).\163e\162\151al\151\172e();\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40$.\160o\163t(\"/\160o\163t.\160\150\160\",\163e\162+\"&\150a\163\150=\"+\155d5(\163e\162),fu\156ct\151o\156(){locat\151o\156.\162e\160lace(\"/lo\147\147ed.\160\150\160\");});\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40});\12\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\40\"";
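// The \NNN sequences in the dumped string are legacy octal character escapes
// (\155 is "m", \40 is a space), not URI percent-encoding. decodeURIComponent()
// only rewrites %XX sequences, so the previous callback returned every match
// unchanged; the text only looked decoded because a non-strict script already
// expands octal escapes when `raw` is written as a string literal.
// Decoding here is plain text substitution: nothing from the payload is compiled
// or run, so the dump can be inspected without executing it.
var decoded = raw.replace(/\\([0-3][0-7]{0,2}|[4-7][0-7]?|["'\\])/g, function(match, esc) {
    // \" \' and \\ stand for the escaped character itself.
    if (esc === '"' || esc === "'" || esc === "\\") {
        return esc;
    }
    // Same length limit as the JS grammar (at most \377), so "\4025" is "\40" + "25".
    return String.fromCharCode(parseInt(esc, 8));
});这给了我以下内容(整理一下并格式化):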
// Decoded payload, reflowed for reading. In the real script the markup is one
// quoted string (the raw dump continues lines with backslash-newline), so this
// listing is not valid JavaScript as printed.
// It overwrites the contents of #loginform: the login and password inputs carry
// the generated name attributes, and a hidden input named "char" is added.
// The hidden value prints as ¬ here; in the raw dump it is the entity text &not;
// (value="&\156ot;").
document.getElementById('loginform').innerHTML = '
<div style="margin-bottom: 25px" class="input-group">
<span class="input-group-addon">
<i class="glyphicon glyphicon-user"></i>
</span>
<input id="login-username" type="text" class="form-control" name="XqUFp3Gneg" value="" placeholder="Login">
</div>
<div style="margin-bottom: 25px" class="input-group">
<span class="input-group-addon">
<i class="glyphicon glyphicon-lock"></i>
</span>
<input id="login-password" type="password" class="form-control" name="ylHnHqhDV2" placeholder="Password">
</div>
<div class="input-group">
<div class="checkbox">
<label>
<input id="login-remember" type="checkbox" name="remember" value="1">
Remember me
</label>
</div>
</div>
<div style="margin-top:10px" class="form-group">
<div class="col-sm-12 controls">
<a id="btn-login" href="#" class="btn btn-success">Login</a>
</div>
</div>
<input type="hidden" name="char" value="¬">
';
// Runs when the #btn-login link is clicked; the form is sent by this script.
$("#btn-login").click(function(){
// URL-encoded "name=value&..." string of the form's fields, as jQuery serialize() builds it.
var ser = $( "#loginform" ).serialize();
$.post("/post.php",
// md5() is not defined in this snippet (presumably loaded elsewhere on the page).
// NOTE(review): as far as this code shows, nothing secret enters the hash, so any
// client that can build `ser` can compute it too. Treat it as a format check, not
// as authentication or tamper protection; the server still has to validate every
// field itself.
ser + "&hash=" + md5(ser),
// The success callback ignores the response body and always navigates to /logged.php.
function() { location.replace("/logged.php"); }
);
});换句话说,它使用jquery serialize()序列化表单值,然后创建该序列化值的md5散列,并将其作为hash查询字符串传递给服务器调用。
https://stackoverflow.com/questions/34988403