用实际变量名/字符串替换数组映射变量？ [英] Replace array-mapped variables with the actual variable name/string?

问题描述

我正在尝试编辑Greasemonkey / jQuery脚本。我无法在此处发布链接。

代码经过模糊处理并使用minify进行压缩。

它的开头是这样的：

I am trying to edit a Greasemonkey/jQuery script. I can't post the link here.
The code is obfuscated and compressed with minify.
It starts like this:

var _0x21e9 = ["\x67\x65\x74\x4D\x6F\x6E\x74\x68", "\x67\x65\x74\x55\x54\x43\x44\x61\x74\x65", ...

解码后，我得到了这个：

After "decoding" it, I got this:

var _0x21e9=["getMonth","getUTCDate","getFullYear", ...   

这是一个巨大的列表（500+）。然后，它有一些这样的变量：

It is a huge list (500+ ). Then, it has some variables like this:

 month = date[_0x21e9[0]](), day = date[_0x21e9[1]](), ...

_0x21e9 [0]是getMonth，_0x21e9 [1]是getUTCDate等。

_0x21e9[0] is getMonth, _0x21e9[1] is getUTCDate, etc.

是否可以用实际变量名替换方括号？如何？

我对javascript / jQuery知之甚少，无法按照现在的方式读取代码。

我只想使用这个巨大脚本中的一些函数并删除我不需要的其他人。

Is it possible to replace the square brackets with the actual variable name? How?
I have little knowledge in javascript/jQuery and can not "read" the code the way it is right now.
I just want to use some functions from this huge script and remove the others I do not need.

更新：我尝试使用jsbeautifier.org，如此处和重复的问题所示，但没有改变，除了缩进。

Update: I tried using jsbeautifier.org as suggested here and in the duplicated question but nothing changed, except the "indent".

它没有用解码的名称替换数组变量。

例如：

It did not replace the array variables with the decoded names.
For example:

1. jsbeautifier仍然给出： month = date [_0x21e9 [0]]（）。


2. 但我需要： month = date [getMonth]（）。

1. jsbeautifier still gives: month = date[_0x21e9[0]]().
2. But I need: month = date["getMonth"]().

所有在线反混淆器似乎都不这样做，我该怎么办？

None of the online deobfuscators seem to do this, How can I?

我有没有办法与某人共享代码，至少是其中的一部分？我看过我不能发贴pastebin，或类似的。我不能在这里发布完整的代码。

Is there a way for me to share the code with someone, at least part of it? I read I can not post pastebin, or similar here. I can not post it the full code here.

这是代码的另一部分：

$(_0x21e9[8] + vid)[_0x21e9[18]]();    

[8]是。 [18]是删除。手动更换它会产生奇怪的结果。

[8] is "." and [18] is "remove". Manually replacing it gives a strange result.

推荐答案

我还没有看过任何这样做的在线反混淆器，但原理很简单。

构造一个文本过滤器，用于解析key数组，然后用适当的数组值替换该数组所引用的每个实例。

I haven't seen any online deobfuscator that does this yet, but the principle is simple.
Construct a text filter that parses the "key" array and then replaces each instance that that array is referenced, with the appropriate array value.

例如，假设你有一个文件， evil.js 看起来像这样（你运行它之后虽然 jsbeautifier.org 使用检测打包程序和混淆器？和 Unescape可打印字符... 选项集）：

For example, suppose you have a file, evil.js that looks like this (AFTER you have run it though jsbeautifier.org with the Detect packers and obfuscators? and the Unescape printable chars... options set):

var _0xf17f = ["(", ")", 'div', "createElement", "id", "log", "console"];
var _0x41dcx3 = eval(_0xf17f[0] + '{id: 3}' + _0xf17f[1]);
var _0x41dcx4 = document[_0xf17f[3]](_0xf17f[2]);
var _0x41dcx5 = _0x41dcx3[_0xf17f[4]];
window[_0xf17f[6]][_0xf17f[5]](_0x41dcx5);

在这种情况下，key变量将是 _0xf17f 和key数组将是 [（，），...] 。

In that case, the "key" variable would be _0xf17f and the "key" array would be ["(", ")", ...].

过滤器过程如下所示：

1. 使用js文件上的文本处理提取密钥名称。结果： _0xf17f



2. 提取键阵列的字符串src。结果：

1. Extract the key name using text processing on the js file. Result: _0xf17f

2. Extract the string src of the key array. Result:

keyArrayStr = '["(", ")", \'div\', "createElement", "id", "log", "console"]';

在javascript中，我们可以使用 .replace（）解析JS src的其余部分。像这样：

In javascript, we can then use .replace() to parse the rest of the JS src. Like so:

var keyArrayStr = '["(", ")", \'div\', "createElement", "id", "log", "console"]';
var restOfSrc   = "var _0x41dcx3 = eval(_0xf17f[0] + '{id: 3}' + _0xf17f[1]);\n"
                + "var _0x41dcx4 = document[_0xf17f[3]](_0xf17f[2]);\n"
                + "var _0x41dcx5 = _0x41dcx3[_0xf17f[4]];\n"
                + "window[_0xf17f[6]][_0xf17f[5]](_0x41dcx5);\n"
                ;
var keyArray    = eval (keyArrayStr);
//-- Note that `_0xf17f` is the key name we already determined.
var keyRegExp   = /_0xf17f\s*\[\s*(\d+)\s*\]/g;

var deObsTxt    = restOfSrc.replace (keyRegExp, function (matchStr, p1Str) {
    return '"' + keyArray[ parseInt(p1Str, 10) ] + '"';
} );
console.log (deObsTxt);

如果你运行那个代码，你得到：

var _0x41dcx3 = eval("(" + '{id: 3}' + ")");
var _0x41dcx4 = document["createElement"]("div");
var _0x41dcx5 = _0x41dcx3["id"];
window["console"]["log"](_0x41dcx5);

- 这有点容易阅读/理解。

-- which is a bit easier to read/understand.

我还创建了一个在线页面，它采用了JS源代码，并以更加自动化和健壮的方式完成了所有3个重新映射步骤。您可以在以下位置查看：

I've also created an online page that takes JS source and does all 3 remapping steps in a slightly more automated and robust manner. You can see it at:

（请注意，该工具希望源代码以密钥变量声明开头，就像您的代码示例一样）

(Note that that tool expects the source to start with the "key" variable declaration, like your code samples do)

这篇关于用实际变量名/字符串替换数组映射变量？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！