AST反混淆进阶-多重return函数降维

2023-12-18 18:40:52
实现目的:多重return函数降维,减少无用代码,增强可读性

在这里插入图片描述
在这里插入图片描述

处理前 demo.js

function bD1(cu, cv) {
  return cu+cv+cu['a'](cu,cv);
}
function bD2(cu, cv) {
  return cu||cv;
}
function bD3(cu, cv) {
  return cu['a'](cv);
}
function bD4(cu,cv){//一级回调
  return bD2(cu,cv);
}
function bD5(cu,cv){//二级回调
  return bD2(cu,bD1(cu,cv));
}
let a=bD1(1,2);
let b=bD2(1,2);
let c=bD3(1,2);
let d=bD4(1,2);
let e=bD5(1,2);
let f=bD2(2,2);

function _0x1d67c2(_0x15c06f) {
    _0x3cf847(0x1a1, 0x12b, 0x167, 0x1a5, 'V5G*');

    function _0x3cf847(_0x4b1750, _0x4b1446, _0x52f9ec, _0x3ca602, _0x337a1a) {
        return _0x5f51f1(_0x4b1750 - 0x59, _0x4b1446 - 0x18, _0x4b1750 - -0x4b9, _0x3ca602 - 0x13f, _0x337a1a);
    }

    function _0x5f51f1(_0x22c9c3, _0xf343c3, _0xbba8e9, _0x547f99, _0x492858) {
        return _0x21c1(_0xbba8e9 - 0x3aa, _0x492858);
    }

}

function _0xd2bb() {
  var _0x47c054 = ["KCQas", "KLhNV", "Hello", "setIn", "jMWgo", "TuJbx", "Dmibk", "348vojcoB", "info", "symQY", "Ulmln", "state", "dXrDX", "boazx", "OznnC", "aIzLQ", "QZhEg", "hQkYN", "\\( *\\", "jwMoa", "nstru", "hXpCx", "CqzZm", "GBWTb", "pGaqb", "AwBAw", "to__", "mPDMp", "KJRxM", "e) {}", "apply", "MsTZb", "$]*)", "OJzgO", "GYtiB", ")+)+)", "vexLf", "zPuUb", "ZZyFw", "zfzXV", "jJkEK", "n() ", "hibzp", "dHiHD", "NaKfJ", "eqzOh", "RKpYO", "EyPrY", "qGGij", "SkCFn", "BVGyp", "SlxvU", "xKDyj", "dYEto", "|4|3", "warn", "jBlyk", "MiMhX", "CRbRD", "tRaNX", "yAQuM", "SsMQI", "FmQKe", "toStr", "strin", "hyBby", "jZmPB", "SzMsb", "IQxkn", "nESdc", "RHnjk", "GuxAs", "mTdux", "YqHjG", "ghubV", "EMFxM", "dwMYK", "OBFSm", "bnMRJ", "zpprt", "*(?:[", "YPlPs", "BQPwp", "YKerq", "oaGxl", "ujnWE", "aDrMy", "iyTUM", "QlcOq", "xaIaA", "WKkxt", " (tru", "qaTsB", "Eybns", "BJQlH", "bYzAg", "FcbBQ", "KUTpZ", "zAOGE", "sMkmf", "cIhAN", "DegXU", "qhiLt", "vBCMJ", "ICrrP", "mBGGc", "gMDgb", "gqWRs", "CiWLA", "hgIVP", "kAsJn", "log", "cPpOe", "jalma", "TTrIh", "error", "HFtWt", "UoAMF", "MRSTn", "lengt", "zfEYq", "IQiuQ", "RIdZk", "oqyNV", "GZAar", "aFwEK", "MUsIW", "rxiNn", "iHBeW", "tPuOA", "ructo", "ROUIZ", "6427218nChQAc", "HhWxf", "OcKBI", "ViLmC", "proto", "lbtLJ", "mknqy", "JntKK", "sHMLK", "zddHV", "trace", "HLyhP", "OYDfH", "VqjQy", "ImLre", "KGWSm", "TZXFm", "SnEFz", "MjRVu", "ctor(", "JhXSt", "OSaVO", "ytSlL", "blebi", "QBIbO", "VyopH", "joWag", "xTSbQ", "iFMsh", "DmFEl", "AxIOU", "EqhCJ", "yAvIB", "4|5|2", "92741uYekad", "FNqDP", "conso", "terva", "tzZee", "LjLKj", "PlpPR", "bwdrc", "kudcN", "WBpGw", "4605756zqJqhj", "KmOGI", "pQkmf", "sgdDM", "\\+\\+ ", "JsrUi", "VPCNZ", "table", "cVohb", "LcPXo", "|3|5|", "pgvmF", "4|1|2", "aHYoF", "Uevde", "JEuWA", "25985JBXWMn", "|3|1|", "QEKhF", "(((.+", "ARpti", "LsoyZ", "7646508YUvFvq", "sySNL", "pvvOp", "lSZty", "uwpdD", "ILwYE", "RPfFt", "xLDvO", "ynOWz", "ICRjc", "IQuET", "input", "kyPzR", "RgJLp", "actio", "SUtFU", "GWGCw", "ArtMk", "excep", "lbyIH", "MDBvN", "HZpxj", "uKcJJ", "ciRtH", "AmrwV", "{}.co", "aAhXS", "is\")(", "VNuQa", "zPAMp", "0|1|2", "ion *", "jEzrW", "6183XQHGVD", "FTxpu", "jwCjB", "cbSpR", "iKjMl", "sUAle", "MjPXg", "Objec", "Jfzub", "Z_$][", "KjWdV", "FcSCk", " Worl", "WXpKr", "yClin", "zA-Z_", "QTvPA", "unbTi", "mEKDv", "\"retu", "QVpMr", "mqZiv", "mkSCH", "JoDSv", "wdLUQ", "prnnN", "DWrsv", "UcytB", "OfWId", "0-9a-", "split", "XfFfC", "funct", "tion", "a-zA-", "pzLJK", "VHhZU", "hRcjJ", "iwCau", "vfbvd", "RGJjf", "NeLwC", "while", "JsdFH", "WXawy", "NdlgL", "BRhnW", "sCuEs", "axZLw", "powmU", "hbjZS", "DsRUy", "dQSdG", "n (fu", "ixRXt", "call", "nctio", "searc", "Jlddx", "OMXQH", "dZeAe", "KMroK", "AVwWi", "WDMnH", "const", "dHAjZ", "skuxt", "QwHmW", "bind", "mFXPL", "ydvIw", "FgqKZ", "PQOOX", "OcXNY", "QfNts", "count", "jNHzh", "dGJEf", "DpiLj", "PlXuk", "jILZh", "4|5|3", "ELCcN", "hrQkY", "hboyq", "Ihlif", "ogXrA", "oASTF", "retur", "gtmrv", "yBoCl", "DiQms", "gaqhn", "gger", "qlavu", "YaRZp", "hENbz", "ukOuw", "OfkVj", "vWcaM", "kKIdN", "TjUun", "AylNF", "fIpoD", "sKWLS", "XhEXU", "test", "TqFdk", "debu", "998220ujakWH", "opqCx", "ykkEm", "kBpin", "FJZDp", "okRqb", "kxzwM", "NDVag", "nalGG", "oXyza", "FLbIY", "GcnRM", "HYRfN", "jVGDN", "rmqiB", "BQRvb", "grJMt", "|0|1|", "type", "zGypA", "mWdOn", "cnHHT", "NfyPL", "eSgrf", "__pro", "kOSIZ", "XfpMm", "ing", "NrDfS", "tcNBE", "bEKuo", "chain", "yAOeo", "rn th", "2608ouahMj", "GoViD", "init", "Xfzkw", "mARYn"];

  _0xd2bb = function () {
    return _0x47c054;
  };

  return _0xd2bb();
}
(function (_0x5cc440, _0x534fc3) {
  function _0x1cc439(_0x43e1c4, _0x1b6425, _0x2b15a6, _0x2e8d7c, _0x2341b2) {
    return _0x21aa(_0x2341b2 - 857, _0x43e1c4);
  }

  var _0x14de50 = _0x5cc440();

  function _0x2cb329(_0x2d480b, _0x3fc703, _0x4a6f06, _0x5e2338, _0x46197e) {
    return _0x21aa(_0x2d480b - -554, _0x46197e);
  }

  function _0x86a30(_0x333ece, _0xa27f0a, _0x463dda, _0x445c68, _0x3e2948) {
    return _0x21aa(_0x333ece - -525, _0x445c68);
  }

  function _0x2e0a7c(_0x5f413e, _0x8750f0, _0x5cdbf4, _0x45f4ba, _0x3b5ca7) {
    return _0x21aa(_0x5cdbf4 - -822, _0x8750f0);
  }

  function _0xd7535b(_0x1c8b52, _0xf495d2, _0x161214, _0x235c6b, _0x27bc7b) {
    return _0x21aa(_0x1c8b52 - -87, _0xf495d2);
  }

  while (true) {
    if (-parseInt(_0x2cb329(-223, -54, -76, -289, -316)) / 1 + -parseInt(_0x2cb329(-49, 115, -140, 22, 131)) / 2 + parseInt(_0x1cc439(1021, 1154, 1059, 1059, 1198)) / 3 + -parseInt(_0x1cc439(1558, 1257, 1470, 1535, 1408)) / 4 * (-parseInt(_0xd7535b(270, 362, 150, 178, 341)) / 5) + -parseInt(_0x1cc439(1343, 1408, 1120, 1385, 1220)) / 6 + parseInt(_0x2e0a7c(-573, -614, -525, -355, -368)) / 7 + -parseInt(_0x86a30(14, -116, 141, 100, -173)) / 8 * (parseInt(_0x1cc439(1254, 1404, 1284, 1238, 1253)) / 9) === _0x534fc3) break;else _0x14de50["push"](_0x14de50["shift"]());
  }
})(_0xd2bb, 815334);
function _0x21aa(_0x2f3545, _0x1e9b2c) {
  var _0x12a54d = _0xd2bb();

  _0x21aa = function (_0x33d946, _0x4b04ff) {
    _0x33d946 = _0x33d946 - 229;
    var _0x236931 = _0x12a54d[_0x33d946];
    return _0x236931;
  };

  return _0x21aa(_0x2f3545, _0x1e9b2c);
}

function _0x225df7(_0x3ac47e, _0x5145a8, _0x2464c6, _0x50c28a, _0x3c4c80) {
	return _0x21aa(_0x3c4c80 - -387, _0x5145a8);
}

function _0x2f786a(_0x47c9f2, _0x59351f, _0x4fa004, _0x286774, _0x5df1c8) {
	return _0x225df7(_0x47c9f2 - 149, _0x286774, _0x4fa004 - 145, _0x286774 - 126, _0x59351f - -52);
}

console.log(_0x2f786a(25, 166, -15, 82, 31));

处理后 demoNew.js

let a = 1 + 2 + 1["a"](1, 2);
let b = 1 || 2;
let c = 1["a"](2);
let d = 1 || 2;
let e = 1 || 1 + 2 + 1["a"](1, 2);
let f = 2 || 2;

function _0x1d67c2(_0x15c06f) {
  _0x21c1(0x1a1 - -0x4b9 - 0x3aa, 'V5G*');
}

function _0xd2bb() {
  var _0x47c054 = ["KCQas", "KLhNV", "Hello", "setIn", "jMWgo", "TuJbx", "Dmibk", "348vojcoB", "info", "symQY", "Ulmln", "state", "dXrDX", "boazx", "OznnC", "aIzLQ", "QZhEg", "hQkYN", "\\( *\\", "jwMoa", "nstru", "hXpCx", "CqzZm", "GBWTb", "pGaqb", "AwBAw", "to__", "mPDMp", "KJRxM", "e) {}", "apply", "MsTZb", "$]*)", "OJzgO", "GYtiB", ")+)+)", "vexLf", "zPuUb", "ZZyFw", "zfzXV", "jJkEK", "n() ", "hibzp", "dHiHD", "NaKfJ", "eqzOh", "RKpYO", "EyPrY", "qGGij", "SkCFn", "BVGyp", "SlxvU", "xKDyj", "dYEto", "|4|3", "warn", "jBlyk", "MiMhX", "CRbRD", "tRaNX", "yAQuM", "SsMQI", "FmQKe", "toStr", "strin", "hyBby", "jZmPB", "SzMsb", "IQxkn", "nESdc", "RHnjk", "GuxAs", "mTdux", "YqHjG", "ghubV", "EMFxM", "dwMYK", "OBFSm", "bnMRJ", "zpprt", "*(?:[", "YPlPs", "BQPwp", "YKerq", "oaGxl", "ujnWE", "aDrMy", "iyTUM", "QlcOq", "xaIaA", "WKkxt", " (tru", "qaTsB", "Eybns", "BJQlH", "bYzAg", "FcbBQ", "KUTpZ", "zAOGE", "sMkmf", "cIhAN", "DegXU", "qhiLt", "vBCMJ", "ICrrP", "mBGGc", "gMDgb", "gqWRs", "CiWLA", "hgIVP", "kAsJn", "log", "cPpOe", "jalma", "TTrIh", "error", "HFtWt", "UoAMF", "MRSTn", "lengt", "zfEYq", "IQiuQ", "RIdZk", "oqyNV", "GZAar", "aFwEK", "MUsIW", "rxiNn", "iHBeW", "tPuOA", "ructo", "ROUIZ", "6427218nChQAc", "HhWxf", "OcKBI", "ViLmC", "proto", "lbtLJ", "mknqy", "JntKK", "sHMLK", "zddHV", "trace", "HLyhP", "OYDfH", "VqjQy", "ImLre", "KGWSm", "TZXFm", "SnEFz", "MjRVu", "ctor(", "JhXSt", "OSaVO", "ytSlL", "blebi", "QBIbO", "VyopH", "joWag", "xTSbQ", "iFMsh", "DmFEl", "AxIOU", "EqhCJ", "yAvIB", "4|5|2", "92741uYekad", "FNqDP", "conso", "terva", "tzZee", "LjLKj", "PlpPR", "bwdrc", "kudcN", "WBpGw", "4605756zqJqhj", "KmOGI", "pQkmf", "sgdDM", "\\+\\+ ", "JsrUi", "VPCNZ", "table", "cVohb", "LcPXo", "|3|5|", "pgvmF", "4|1|2", "aHYoF", "Uevde", "JEuWA", "25985JBXWMn", "|3|1|", "QEKhF", "(((.+", "ARpti", "LsoyZ", "7646508YUvFvq", "sySNL", "pvvOp", "lSZty", "uwpdD", "ILwYE", "RPfFt", "xLDvO", "ynOWz", "ICRjc", "IQuET", "input", "kyPzR", "RgJLp", "actio", "SUtFU", "GWGCw", "ArtMk", "excep", "lbyIH", "MDBvN", "HZpxj", "uKcJJ", "ciRtH", "AmrwV", "{}.co", "aAhXS", "is\")(", "VNuQa", "zPAMp", "0|1|2", "ion *", "jEzrW", "6183XQHGVD", "FTxpu", "jwCjB", "cbSpR", "iKjMl", "sUAle", "MjPXg", "Objec", "Jfzub", "Z_$][", "KjWdV", "FcSCk", " Worl", "WXpKr", "yClin", "zA-Z_", "QTvPA", "unbTi", "mEKDv", "\"retu", "QVpMr", "mqZiv", "mkSCH", "JoDSv", "wdLUQ", "prnnN", "DWrsv", "UcytB", "OfWId", "0-9a-", "split", "XfFfC", "funct", "tion", "a-zA-", "pzLJK", "VHhZU", "hRcjJ", "iwCau", "vfbvd", "RGJjf", "NeLwC", "while", "JsdFH", "WXawy", "NdlgL", "BRhnW", "sCuEs", "axZLw", "powmU", "hbjZS", "DsRUy", "dQSdG", "n (fu", "ixRXt", "call", "nctio", "searc", "Jlddx", "OMXQH", "dZeAe", "KMroK", "AVwWi", "WDMnH", "const", "dHAjZ", "skuxt", "QwHmW", "bind", "mFXPL", "ydvIw", "FgqKZ", "PQOOX", "OcXNY", "QfNts", "count", "jNHzh", "dGJEf", "DpiLj", "PlXuk", "jILZh", "4|5|3", "ELCcN", "hrQkY", "hboyq", "Ihlif", "ogXrA", "oASTF", "retur", "gtmrv", "yBoCl", "DiQms", "gaqhn", "gger", "qlavu", "YaRZp", "hENbz", "ukOuw", "OfkVj", "vWcaM", "kKIdN", "TjUun", "AylNF", "fIpoD", "sKWLS", "XhEXU", "test", "TqFdk", "debu", "998220ujakWH", "opqCx", "ykkEm", "kBpin", "FJZDp", "okRqb", "kxzwM", "NDVag", "nalGG", "oXyza", "FLbIY", "GcnRM", "HYRfN", "jVGDN", "rmqiB", "BQRvb", "grJMt", "|0|1|", "type", "zGypA", "mWdOn", "cnHHT", "NfyPL", "eSgrf", "__pro", "kOSIZ", "XfpMm", "ing", "NrDfS", "tcNBE", "bEKuo", "chain", "yAOeo", "rn th", "2608ouahMj", "GoViD", "init", "Xfzkw", "mARYn"];

  _0xd2bb = function () {
    return _0x47c054;
  };

  return _0xd2bb();
}

(function (_0x5cc440, _0x534fc3) {
  var _0x14de50 = _0x5cc440();

  while (true) {
    if (-parseInt(_0x21aa(-223 - -554, -316)) / 1 + -parseInt(_0x21aa(-49 - -554, 131)) / 2 + parseInt(_0x21aa(1198 - 857, 1021)) / 3 + -parseInt(_0x21aa(1408 - 857, 1558)) / 4 * (-parseInt(_0x21aa(270 - -87, 362)) / 5) + -parseInt(_0x21aa(1220 - 857, 1343)) / 6 + parseInt(_0x21aa(-525 - -822, -614)) / 7 + -parseInt(_0x21aa(14 - -525, 100)) / 8 * (parseInt(_0x21aa(1253 - 857, 1254)) / 9) === _0x534fc3) break;else _0x14de50["push"](_0x14de50["shift"]());
  }
})(_0xd2bb, 815334);

function _0x21aa(_0x2f3545, _0x1e9b2c) {
  var _0x12a54d = _0xd2bb();

  _0x21aa = function (_0x33d946, _0x4b04ff) {
    _0x33d946 = _0x33d946 - 229;
    var _0x236931 = _0x12a54d[_0x33d946];
    return _0x236931;
  };

  return _0x21aa(_0x2f3545, _0x1e9b2c);
}

console.log(_0x21aa(166 - -52 - -387, 82));

主逻辑源码 ObDecryFuMain.js

const fs = require("fs");//文件读写
const parse = require("@babel/parser"); //解析为ast
const traverse = require('@babel/traverse').default;//遍历节点
const t = require('@babel/types');//类型
const generator = require('@babel/generator').default;//ast解析为代码


//读取js文件
const jscode = fs.readFileSync(
    './demo.js', {
        encoding: 'utf-8'
    }
);
let ast = parse.parse(jscode);//js转ast

function FunToRetu(path) {
	// return函数简化
	try {
		let node = path.node;//获取路径节点

		if (!t.isBlockStatement(node.body)) return;//块语句判定
		if (!t.isReturnStatement(node.body.body[0])) return;//return 语句判定
		let funName = node.id.name;//函数名称

		let retStmt = node.body.body[0];//定位到returnStatement
		let paramsName = node.params //函数参数列表

		let scope = path.scope;//获取路径的作用域
		let binding = scope.getBinding(funName);//获取绑定

		if (!binding || binding.constantViolations.length > 0) {//检查该变量的值是否被修改--一致性检测
			return;
		}
		let paths = binding.referencePaths;//绑定引用的路径
		let paths_sums = 0;//路径计数

		paths.map(function (refer_path) {
			let bindpath = refer_path.parentPath;//父路径

			let binnode = bindpath.node;//父路径的节点

			if (!t.isCallExpression(binnode)) return;//回调表达式判断

			if (!t.isIdentifier(binnode.callee)) return;//不是标识符则退出
			if (funName != binnode.callee.name) return;//函数名不等于回调函数名称则退出
			let args = bindpath.node.arguments;//获取节点的参数

			if (paramsName.length != args.length) return;//形参与实参数目不等,退出
			let strA = generator(retStmt.argument).code//return ast语句转js语句

			let tmpAst = parse.parse(strA);//重新解析为ast
			for (var a = 0; a < args.length; a++) {//遍历所有的实参
				let name = paramsName[a].name;//形参
				let strB = generator(args[a]).code//实参
				traverse(tmpAst, {//函数内部
					Identifier: function (_p) {//调用表达式匹配
						if (_p.node.name == name) {//return中的形参与传入的形参一致
							_p.node.name = strB;//实参替换形参
						}
					}
				})
			}

			bindpath.replaceWith(t.Identifier(generator(tmpAst).code.replaceAll(';', '')))//子节点信息替换

			// tmpAst=parse.parse(generator(tmpAst).code)
			// bindpath.replaceExpressionWithStatements([tmpAst.program.body[0]])
			paths_sums += 1;//路径+1
		});

		if (paths_sums == paths.length && delete_return) {//若绑定的每个路径都已处理 ,则移除当前路径
			path.remove();//删除路径
		}
	} catch (e) {

	}

}

var Rerurn_sum = 3;//return简化执行的次数-函数花指令嵌套几层,这里设置几层
var delete_return = false;//return删除标志符
for (var a = 1; a < Rerurn_sum; a++) {
    ast = parse.parse(generator(ast).code);//刷新ast
    if (a == Rerurn_sum - 1) delete_return = true;//return删除标志符
    traverse(ast, {FunctionDeclaration: {exit: [FunToRetu]},});
}

let {code} = generator(ast,opts = {jsescOption:{"minimal":true}})
//文件保存
fs.writeFile('./demoNew.js', code, (err) => {
});

文章来源:https://blog.csdn.net/jia666666/article/details/135063798
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。