javascript - How to deobfuscate JavaScript code that uses "[][filter][constructor]..."?

Tags: javascript obfuscation deobfuscation

As everyone knows, JavaScript code obfuscated with things like "packer" and "eval" can easily be decoded with the various tools available on the internet, but recently I came across a piece of JavaScript code obfuscated with something like []['filter']['constructor']....., and there seems to be no decoding solution for it. Here is an example:

[]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[true + true] + "N" + "S" + "S" + "{" + "I" + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] +
    "5" + "f") + 101["toString"]("!0!01")[+true] + "a" + (+"false" + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["fontcolor"]()["!01"])[true + true] + "a" + "t" + "e")()())["!0!0!00"] + "e" + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" +
    "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] + "5" + "f") + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] + "59" + "") + "o" + "u" + []["filter"]["constructor"]("r" +
    "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] + "7" + "d");

How do I decode JavaScript like this?

Best answer

This looks a lot like non-alphanumeric obfuscation, but in an intermediate form. See here for an example.

The principle is the same:
1. It relies on another way of evaluating code, in your case the array filter constructor.
2. It uses subscript notation (turning object names into strings).
3. It splits strings into single-character strings, then uses type coercion to turn each character into a sequence of non-alphanumeric symbols.

Decoding this is easy, but it is hard work if you do it by hand. I think writing a tool to recover it automatically would take less than an hour. At first glance this looks like good obfuscation, but it isn't resilient and is easily defeated.

No obfuscation is 100% bulletproof, but modern JS obfuscators (such as JScrambler) go much deeper than basic encoding techniques (whether eval-based or eval-less).

See this presentation for more details on non-alphanumeric obfuscation (slides 33-38). If you are interested in JavaScript obfuscation, see the rest of it as well.
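The "write a tool" approach the answer describes, as an added example that is not from the question or the answer: a small Node.js rewrite-based simplifier that folds the pure building blocks this style relies on (the Function-constructor path, boolean arithmetic, radix tricks, HTML wrapper methods, literal concatenation, escape/unescape) until nothing changes, without ever executing the sample. SAMPLE is a constructed snippet in the same style; its radix value 31 and the expected "CNS" result are my own choices, not the asker's code.

```javascript
'use strict';

// Constructed sample in the same style as the question (not the asker's full snippet).
// It folds to "CNS": Function("return escape")()("<")[2] is "C" because escape("<") === "%3C".
const SAMPLE =
  '[]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + ' +
  '211["toString"](31)[+true] + "e")()("" ["italics"]()[0])[true + true] + "N" + "S"';

// Rewrite rules for the pure building blocks this style relies on. Nothing here calls
// eval or Function: each rule only folds an expression whose value is fixed by the language.
const RULES = [
  // []["filter"]["constructor"] is just a path to the Function constructor.
  [/\[\]\s*\["filter"\]\s*\["constructor"\]/g, () => 'Function'],
  // Boolean arithmetic used to hide small integers: true + true -> 2, +true -> 1.
  [/\btrue\s*\+\s*true\b/g, () => '2'],
  [/\+\s*true\b/g, () => '1'],
  // Number-to-string in a chosen radix, then one character picked out: 211["toString"](31)[1] -> "p".
  [/\b(\d+)\["toString"\]\((\d+)\)\[(\d+)\]/g,
    (_, n, radix, i) => JSON.stringify(Number(n).toString(Number(radix))[Number(i)])],
  // Annex B HTML wrapper methods on "" are a cheap source of "<", ">", "=" and quote characters.
  [/""\s*\["(italics|bold|fontcolor|link)"\]\(\)\[(\d+)\]/g,
    (_, method, i) => JSON.stringify(''[method]()[Number(i)])],
  // Literal concatenation: "a" + "b" -> "ab" (escape-free literals only, which is all this style uses).
  [/"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g, (_, a, b) => JSON.stringify(a + b)],
  // Function("return name")() is a plain reference to the global `name`; no need to run it.
  [/Function\("return ([A-Za-z_$][\w$]*)"\)\(\)/g, (_, name) => name],
  // escape/unescape are pure functions, so folding them on a literal argument is sound.
  [/\b(escape|unescape)\("([^"\\]*)"\)\[(\d+)\]/g,
    (_, fn, s, i) => JSON.stringify((fn === 'escape' ? escape(s) : unescape(s))[Number(i)])],
];

// Apply the rules until the text stops changing (or a pass limit is hit, to stay bounded).
// Whatever is left over (e.g. environment-dependent calls such as Date()) stays readable for review.
function simplify(src, maxPasses = 100) {
  let cur = src;
  for (let pass = 0; pass < maxPasses; pass++) {
    let next = cur;
    for (const [re, fn] of RULES) next = next.replace(re, fn);
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

console.log(simplify(SAMPLE)); // prints "CNS" (quotes included: the result is a folded literal)
```

Because the rules only fold language-defined values, the residue after a fixpoint is exactly the part that would need a sandbox or manual review, which is the point where you stop trusting static folding and start reading.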

Regarding "javascript - How to deobfuscate JavaScript code that uses "[][filter][constructor]..."?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/26191263/
