ast反混淆修复

0215b893 · wang · 3e46f185 · 0215b893 · 0215b893 · 0215b893
Commit 0215b893 authored Jun 03, 2024 by wang
11 changed files
--- a/ast/ast.js
+++ b/ast/ast.js
--- a/ast/decode.js
+++ b/ast/decode.js
@@ -6,7 +6,7 @@ const generator = require("@babel/generator").default;


 //js混淆代码读取
-process.argv.length > 2 ? encodeFile = process.argv[2] : encodeFile = "./main.js";
+process.argv.length > 2 ? encodeFile = process.argv[2] : encodeFile = "./main_ok.js";
 process.argv.length > 3 ? decodeFile = process.argv[3] : decodeFile = "./decodeResult.js";

 //将源代码解析为AST
@@ -623,47 +623,47 @@ function o(n) {
    return u;
 }

-traverse(ast, {
-    VariableDeclaration(path) {
-        let {declarations} = path.node;
-        let scope = path.scope;
-        if (declarations.length !== 1) return;
-        let declaration = declarations[0]
-        let {id, init} = declaration;
-        if (!init) return
-        if (!types.isIdentifier(init)) return;
-        if (init.name === 'i') {
-            let binding = scope.getBinding(id.name);
-            if (id.name === 'xs') {
-                debugger
-            }
-            if (!binding) return;
-            console.log(id.name, init.name, binding.references)
-
-            for (const referencePath of binding.referencePaths) {
-                // console.log(referencePath);
-                // console.log(generator(referencePath.parent).code)
-                // console.log(referencePath.parentPath.type)
-
-                if (types.isCallExpression(referencePath.parent)) {
-                    let {callee, arguments} = referencePath.parent;
-
-                    if (arguments.length === 1 && types.isStringLiteral(arguments[0])) {
-                        let res = o(arguments[0].value)
-                        // if (id.name === 'xs') {
-                        //
-                        // console.log(generator(referencePath.parent).code, res)
-                        // }
-                        referencePath.parentPath.replaceWith(types.StringLiteral(res))
-                    }
-                } else {
-
-                }
-            }
-        }
-
-    }
-})
+// traverse(ast, {
+//     VariableDeclaration(path) {
+//         let {declarations} = path.node;
+//         let scope = path.scope;
+//         if (declarations.length !== 1) return;
+//         let declaration = declarations[0]
+//         let {id, init} = declaration;
+//         if (!init) return
+//         if (!types.isIdentifier(init)) return;
+//         if (init.name === 'i') {
+//             let binding = scope.getBinding(id.name);
+//             if (id.name === 'xs') {
+//                 debugger
+//             }
+//             if (!binding) return;
+//             console.log(id.name, init.name, binding.references)
+//
+//             for (const referencePath of binding.referencePaths) {
+//                 // console.log(referencePath);
+//                 // console.log(generator(referencePath.parent).code)
+//                 // console.log(referencePath.parentPath.type)
+//
+//                 if (types.isCallExpression(referencePath.parent)) {
+//                     let {callee, arguments} = referencePath.parent;
+//
+//                     if (arguments.length === 1 && types.isStringLiteral(arguments[0])) {
+//                         let res = o(arguments[0].value)
+//                         // if (id.name === 'xs') {
+//                         //
+//                         // console.log(generator(referencePath.parent).code, res)
+//                         // }
+//                         referencePath.parentPath.replaceWith(types.StringLiteral(res))
+//                     }
+//                 } else {
+//
+//                 }
+//             }
+//         }
+//
+//     }
+// })


 //end

--- a/ast/decode2.js
+++ b/ast/decode2.js
@@ -107,13 +107,15 @@ function restoreValue(inName, scope, funcName) {
    if (!binding3) return;
    console.log(funcName, inName, binding3.references)
    for (const inReferencePath of binding3.referencePaths) {
-        console.log(generator(inReferencePath.parent).code, inReferencePath.parent.type)
+        // if (generator(inReferencePath.parent).code == 'n(348)')debugger
        if (types.isCallExpression(inReferencePath.parent)) {
            let {arguments} = inReferencePath.parent
            if (arguments.length !== 1) continue
            let res = globalFuncs[funcName](arguments[0].value)
            // console.log(funcName,inName,arguments[0].value,res)
            inReferencePath.parentPath.replaceWith(types.valueToNode(res))
+        console.log(generator(inReferencePath.parent).code, inReferencePath.parent.type, res)
+
        } else if (types.isVariableDeclarator(inReferencePath.parent)) {
            // 如果是继续引用 直接再找
            let inName2 = inReferencePath.parent.id.name;
@@ -273,7 +275,7 @@ function i(n) {
        u = o[n];
    } else {
        for (var c = a(n), u = "", f = 0; f < c["length"]; ++f) {
-            var s = "EjAWylS"["charCodeAt"](f % 7);
+            var s = "toLgQ3X"["charCodeAt"](f % 7);
            u += String["fromCharCode"](s ^ c["charCodeAt"](f));
        }
        o[n] = u;
@@ -370,6 +372,8 @@ function f(t) {
    };
    return f(t);
  }
+
+
 traverse(ast, {
    FunctionDeclaration(path) {
        let {id, body} = path.node;
@@ -385,9 +389,12 @@ traverse(ast, {
                        let arguments = p.parent.arguments;
                        if (arguments.length !== 1) return
                        try {
+                            // if (!types.isNumericLiteral(arguments[0]))return;
                            let res = i(arguments[0].value);
+                            if(arguments[0].value === 'JDd9VWMFbA')debugger
                            if (res === 'PX12573') debugger;
                            p.parentPath.replaceWith(types.valueToNode((res)))
+                            console.log(arguments[0].value, res)
                        } catch (e) {
                            // console.error(generator(p.parent).code)

@@ -401,7 +408,7 @@ traverse(ast, {
                if (arguments.length !== 1) continue
                try {

-                    let res = U(arguments[0].value);
+                    let res = i(arguments[0].value);
                    referencePath.parentPath.replaceWith(types.valueToNode((res)))
                } catch (e) {
                    // console.error(generator(p.parent).code)
@@ -412,6 +419,8 @@ traverse(ast, {
        }
    }
 })
+
+
 //end
 console.timeEnd("处理完毕，耗时");


--- a/ast/decodeResult.js
+++ b/ast/decodeResult.js
--- a/ast/decodeResult22.js
+++ b/ast/decodeResult22.js
--- a/ast/main.js
+++ b/ast/main.js
--- a/ast/main_ok.js
+++ b/ast/main_ok.js
--- a/src/f91.js
+++ b/src/f91.js
@@ -5248,12 +5248,12 @@ class PxBypass {
 async function run() {
    while (true) {
        try {
-            let res = await axios.get('http://ymx-lcc.unififi.com/header/task/pull/cookieF9?brush_name=test')
-            let data = res.data;
+            // let res = await axios.get('http://ymx-lcc.unififi.com/header/task/pull/cookieF9?brush_name=test')
+            // let data = res.data;
            //
-            // let data = {
-            //     status: 0
-            // }
+            let data = {
+                status: 0
+            }
            console.log(data)
            // if r.json()['status'] != 0:
            //     #         logger.debug(f'不需要刷值')

--- a/src/package-lock.json
+++ b/src/package-lock.json
--- a/src/package.json
+++ b/src/package.json
@@ -22,8 +22,11 @@
    "query-string": "^8.1.0"
  },
  "devDependencies": {
-    "@babel/core": "^7.22.11",
-    "@babel/types": "^7.22.11"
+    "@babel/core": "^7.24.6",
+    "@babel/traverse": "^7.24.6",
+    "@babel/types": "^7.24.6",
+    "@types/babel__generator": "^7.6.8",
+    "@types/babel__traverse": "^7.20.6"
  },
  "type": "module"
 }
--- a/src/run.js
+++ b/src/run.js
@@ -56,9 +56,9 @@ class PxBypass {
        this.prox = `http://user-uni001-region-us-sessid-${randint(1000, 5000)}-sesstime-5-keep-true:q39CEBTs5A5YQXor@pr.roxlabs.cn:4600`
        // prox = `http://uni00001_custom_zone_US_sid_${randint(67336718, 67336728)}_time_5:q39CEBTs5A@us.foxyip.com:7778`
        // prox = `http://unfflcc:76cc14-47b8dd-1f8ace-827836-0c740e@usa.rotating.proxyrack.net:${randint(10000, 13500)}`
-        // this.prox = 'http://127.0.0.1:8890'
-        this.tlsUrl = 'http://52.52.23.116/tls/forward'
-        // this.tlsUrl = 'http://127.0.0.1:58000/tls/forward'
+        this.prox = 'http://127.0.0.1:8890'
+        // this.tlsUrl = 'http://52.52.23.116/tls/forward'
+        this.tlsUrl = 'http://127.0.0.1:58000/tls/forward'


        this.pxHeaders = {