用实际变量名/字符串替换数组映射变量? [英] Replace array-mapped variables with the actual variable name/string?
问题描述
我正在尝试编辑Greasemonkey / jQuery脚本。我无法在此处发布链接。
代码经过模糊处理并使用minify进行压缩。
它的开头是这样的:
I am trying to edit a Greasemonkey/jQuery script. I can't post the link here.
The code is obfuscated and compressed with minify.
It starts like this:
var _0x21e9 = ["\x67\x65\x74\x4D\x6F\x6E\x74\x68", "\x67\x65\x74\x55\x54\x43\x44\x61\x74\x65", ...
解码后,我得到了这个:
After "decoding" it, I got this:
var _0x21e9=["getMonth","getUTCDate","getFullYear", ...
这是一个巨大的列表(500+)。然后,它有一些这样的变量:
It is a huge list (500+ ). Then, it has some variables like this:
month = date[_0x21e9[0]](), day = date[_0x21e9[1]](), ...
_0x21e9 [0]是getMonth,_0x21e9 [1]是getUTCDate等。
_0x21e9[0] is getMonth, _0x21e9[1] is getUTCDate, etc.
是否可以用实际变量名替换方括号?如何?
我对javascript / jQuery知之甚少,无法按照现在的方式读取代码。
我只想使用这个巨大脚本中的一些函数并删除我不需要的其他人。
Is it possible to replace the square brackets with the actual variable name? How?
I have little knowledge in javascript/jQuery and can not "read" the code the way it is right now.
I just want to use some functions from this huge script and remove the others I do not need.
更新:我尝试使用jsbeautifier.org,如此处和重复的问题所示,但没有改变,除了缩进。
Update: I tried using jsbeautifier.org as suggested here and in the duplicated question but nothing changed, except the "indent".
它没有用解码的名称替换数组变量。
例如:
It did not replace the array variables with the decoded names.
For example:
- jsbeautifier仍然给出:
month = date [_0x21e9 [0]]()
。 - 但我需要:
month = date [getMonth]()
。
- jsbeautifier still gives:
month = date[_0x21e9[0]]()
. - But I need:
month = date["getMonth"]()
.
所有在线反混淆器似乎都不这样做,我该怎么办?
None of the online deobfuscators seem to do this, How can I?
我有没有办法与某人共享代码,至少是其中的一部分?我看过我不能发贴pastebin,或类似的。我不能在这里发布完整的代码。
Is there a way for me to share the code with someone, at least part of it? I read I can not post pastebin, or similar here. I can not post it the full code here.
这是代码的另一部分:
$(_0x21e9[8] + vid)[_0x21e9[18]]();
[8]是。 [18]是删除。手动更换它会产生奇怪的结果。
[8] is "." and [18] is "remove". Manually replacing it gives a strange result.
推荐答案
我还没有看过任何这样做的在线反混淆器,但原理很简单。
构造一个文本过滤器,用于解析key数组,然后用适当的数组值替换该数组所引用的每个实例。
I haven't seen any online deobfuscator that does this yet, but the principle is simple.
Construct a text filter that parses the "key" array and then replaces each instance that that array is referenced, with the appropriate array value.
例如,假设你有一个文件, evil.js 看起来像这样(你运行它之后虽然 jsbeautifier.org 使用检测打包程序和混淆器?
和 Unescape可打印字符...
选项集):
For example, suppose you have a file, evil.js that looks like this (AFTER you have run it though jsbeautifier.org with the Detect packers and obfuscators?
and the Unescape printable chars...
options set):
var _0xf17f = ["(", ")", 'div', "createElement", "id", "log", "console"];
var _0x41dcx3 = eval(_0xf17f[0] + '{id: 3}' + _0xf17f[1]);
var _0x41dcx4 = document[_0xf17f[3]](_0xf17f[2]);
var _0x41dcx5 = _0x41dcx3[_0xf17f[4]];
window[_0xf17f[6]][_0xf17f[5]](_0x41dcx5);
在这种情况下,key变量将是 _0xf17f
和key数组将是 [(,),...]
。
In that case, the "key" variable would be _0xf17f
and the "key" array would be ["(", ")", ...]
.
过滤器过程如下所示:
- 使用js文件上的文本处理提取密钥名称。结果:
_0xf17f
-
提取键阵列的字符串src。结果:
- Extract the key name using text processing on the js file. Result:
_0xf17f
Extract the string src of the key array. Result:
keyArrayStr = '["(", ")", \'div\', "createElement", "id", "log", "console"]';
在javascript中,我们可以使用 .replace()
解析JS src的其余部分。像这样:
In javascript, we can then use .replace()
to parse the rest of the JS src. Like so:
var keyArrayStr = '["(", ")", \'div\', "createElement", "id", "log", "console"]';
var restOfSrc = "var _0x41dcx3 = eval(_0xf17f[0] + '{id: 3}' + _0xf17f[1]);\n"
+ "var _0x41dcx4 = document[_0xf17f[3]](_0xf17f[2]);\n"
+ "var _0x41dcx5 = _0x41dcx3[_0xf17f[4]];\n"
+ "window[_0xf17f[6]][_0xf17f[5]](_0x41dcx5);\n"
;
var keyArray = eval (keyArrayStr);
//-- Note that `_0xf17f` is the key name we already determined.
var keyRegExp = /_0xf17f\s*\[\s*(\d+)\s*\]/g;
var deObsTxt = restOfSrc.replace (keyRegExp, function (matchStr, p1Str) {
return '"' + keyArray[ parseInt(p1Str, 10) ] + '"';
} );
console.log (deObsTxt);
如果你运行那个代码,你得到:
var _0x41dcx3 = eval("(" + '{id: 3}' + ")");
var _0x41dcx4 = document["createElement"]("div");
var _0x41dcx5 = _0x41dcx3["id"];
window["console"]["log"](_0x41dcx5);
- 这有点容易阅读/理解。
-- which is a bit easier to read/understand.
我还创建了一个在线页面,它采用了JS源代码,并以更加自动化和健壮的方式完成了所有3个重新映射步骤。您可以在以下位置查看:
I've also created an online page that takes JS source and does all 3 remapping steps in a slightly more automated and robust manner. You can see it at:
(请注意,该工具希望源代码以密钥变量声明开头,就像您的代码示例一样)
(Note that that tool expects the source to start with the "key" variable declaration, like your code samples do)
这篇关于用实际变量名/字符串替换数组映射变量?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!