解密脚本编写

ast/decode2.js

@@ -86,9 +86,12 @@ const renameFunc =
 allNewNames.clear();
 
 
+
+
+
 function getBinding(scope, name, func) {
     let binding = scope.getBinding(name);
-    console.log(`scope.get(${name}).length = ${binding.references}`)
+    // console.log(`scope.get(${name}).length = ${binding.references}`)
     if (binding.references > 0) {
         for (const referencePath of binding.referencePaths) {
             func(referencePath)
@@ -123,6 +126,7 @@ function restoreValue(inName, scope, funcName) {
 for (let i = 0; i < 1; i++) {
     traverse(ast, {
         FunctionDeclaration(path) {
+
             // 先找
             //  function ip() {
             //   var t = ["NjR0QllZTQ", "bind", "reload", "NjR0QltQTw", "NjR0QV1dTw", "pxInit", "uid", "pxvid", "length", "72630ywVgnM", "platform", "vid", "trigger", "NjR0QVxRSA", "random", "67349mopHGY", "NjR0Ql9cQg", "306744MLTLsI", "NjR0QV9fTw", "_pxvid", "getTime", "xhrFailure", "527700doOldY", "_pxRootUrl", "_pxmvid", "top", "NjR0QVNQQg", "xhrResponse", "NjR0QVhbSg", "NjR0QV5QSg", "getItem", "_pxVid", "removeItem", "one", "NjR0QllfTg", "_asyncInit", "NjQ", "3060155IbqKSZ", "subscribe", "1026255lNKhiL", "self", "588762aejAEn", "xhrSuccess"];
@@ -141,8 +145,9 @@ for (let i = 0; i < 1; i++) {
             let name = id.name;
             let code = generator(path.node).code;
 
-            // if (name !== 'Ur') return;
+            // if (name !== 'nv') return;
             let binding = path.parentPath.scope.getBinding(name);
+            if (!binding)return;
             console.log(`scope.get(${name}).length = ${binding.references}`)
             if (binding.references > 0) {
                 let code1, code2, funcName;
@@ -151,11 +156,11 @@ for (let i = 0; i < 1; i++) {
                     // console.log('111',referencePath.parentPath.parent.type)
                     if (types.isUnaryExpression(referencePath.parentPath.parent)) {
                         code1 = generator(referencePath.parentPath.parent).code;
-                        console.groupCollapsed(['改变顺序', code1])
+                        // console.groupCollapsed(['改变顺序', code1])
                     } else if (types.isVariableDeclarator(referencePath.parentPath.parent)) {
                         code2 = generator(referencePath.parentPath.parentPath.parentPath.parentPath.parent).code;
                         funcName = referencePath.parentPath.parentPath.parentPath.parentPath.parent.id.name
-                        console.groupCollapsed(['使用', code2])
+                        // console.groupCollapsed(['使用', code2])
                     }
                 }
 
@@ -163,8 +168,12 @@ for (let i = 0; i < 1; i++) {
                 resCode += `
                 globalFuncs['${funcName}'] = ${funcName} 
                 `
-                console.groupCollapsed([funcName, resCode])
+                // console.groupCollapsed([funcName, resCode])
+
+                if (!globalFuncs[funcName]) {
                     eval(resCode)
+
+                }
                 // console.log(eval(`${funcName}(195)`))
                 let binding2 = path.parentPath.scope.getBinding(funcName);
                 // 找到Tp 的引用地方
@@ -179,11 +188,11 @@ for (let i = 0; i < 1; i++) {
                         if (types.isCallExpression(referencePath.parent)) {
                             let {arguments} = referencePath.parent
                             if (arguments.length !== 1) continue
-                            let res = eval(`${funcName}(arguments[0].value)`)
+                            let res = globalFuncs[funcName](arguments[0].value)
                             // console.log(funcName,inName,arguments[0].value,res)
                             referencePath.parentPath.replaceWith(types.valueToNode(res))
                         } else {
-                            if (!referencePath.parent.id)continue;
+                            if (!referencePath.parent.id) continue;
                             // 继续找引用
                             let inName = referencePath.parent.id.name;
                             let binding3 = referencePath.scope.getBinding(inName);
@@ -194,9 +203,18 @@ for (let i = 0; i < 1; i++) {
                                 if (types.isCallExpression(inReferencePath.parent)) {
                                     let {arguments} = inReferencePath.parent
                                     if (arguments.length !== 1) continue
-                                    let res = eval(`${funcName}(arguments[0].value)`)
-                                    // console.log(funcName,inName,arguments[0].value,res)
+                                    let res = globalFuncs[funcName](arguments[0].value)
+                                    console.log('444', funcName, inName, arguments[0].value, res)
+                                    if (res === 'getTime') {
+
+                                        let {code} = generator(ast, opts = {jsescOption: {"minimal": true}});
+                                        fs.writeFile('./tmp.js', code, (err) => {
+                                        });
+                                    }
+                                    console.log('before', res, generator(inReferencePath.parent).code)
                                     inReferencePath.parentPath.replaceWith(types.valueToNode(res))
+                                    console.log('afterr', res, generator(inReferencePath.parent).code)
+                                    inReferencePath.skip()
                                 } else if (types.isVariableDeclarator(inReferencePath.parent)) {
                                     // 如果是继续引用 直接再找
                                     let inName2 = inReferencePath.parent.id.name;
@@ -221,6 +239,91 @@ for (let i = 0; i < 1; i++) {
 }
 
 
+// 字符串还原铭文
+var o = {};
+var a = function () {
+    try {
+        if (atob && "test" === atob("dGVzdA==")) {
+            return atob;
+        }
+    } catch (t) {
+    }
+
+    function t(t) {
+        this["message"] = t;
+    }
+
+    t["prototype"] = new Error();
+    t["prototype"]["name"] = "InvalidCharacterError";
+    return function (e) {
+        var n = String(e)["replace"](/[=]+$/, "");
+        if (n["length"] % 4 == 1) {
+            throw new t("'atob' failed: The string to be decoded is not correctly encoded.");
+        }
+        for (var r, a, o = 0, i = 0, c = ""; a = n["charAt"](i++); ~a && (r = o % 4 ? 64 * r + a : a, o++ % 4) ? c += String["fromCharCode"](255 & r >> (-2 * o & 6)) : 0) {
+            a = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="["indexOf"](a);
+        }
+        return c;
+    };
+}();
+
+function i(n) {
+    if (o[n]) {
+        u = o[n];
+    } else {
+        for (var c = a(n), u = "", f = 0; f < c["length"]; ++f) {
+            var s = "bhDTSyS"["charCodeAt"](f % 7);
+            u += String["fromCharCode"](s ^ c["charCodeAt"](f));
+        }
+        o[n] = u;
+    }
+    return u;
+}
+
+
+traverse(ast, {
+    FunctionDeclaration(path) {
+        let {id, body} = path.node;
+        if (id.name !== 'i') return;
+        if (body.body.length !== 4) return
+        let binding = path.scope.getBinding(id.name)
+        console.log(id.name, binding.references)
+        for (const referencePath of binding.referencePaths) {
+            // console.log(generator(referencePath.parent).code, referencePath.parent.type)
+            if (types.isVariableDeclarator(referencePath.parent)) {
+                let idName = referencePath.parent.id.name;
+                getBinding(referencePath.scope, idName, function (p) {
+                    if (types.isCallExpression(p.parent)) {
+                        let arguments = p.parent.arguments;
+                        if (arguments.length !== 1) return
+                        try {
+                            let res = i(arguments[0].value);
+                            if (res === 'PX12571') debugger;
+                            p.parentPath.replaceWith(types.valueToNode((res)))
+                        } catch (e) {
+                            // console.error(generator(p.parent).code)
+
+                        }
+                    }
+
+                })
+
+            } else if (types.isCallExpression(referencePath.parent)) {
+                let arguments = referencePath.parent.arguments;
+                if (arguments.length !== 1) continue
+                try {
+                    let res = i(arguments[0].value);
+                    referencePath.parentPath.replaceWith(types.valueToNode((res)))
+                } catch (e) {
+                    // console.error(generator(p.parent).code)
+
+                }
+            }
+
+        }
+    }
+})
+
 //end
 console.timeEnd("处理完毕，耗时");
 

ast/yuchuli.js

@@ -357,44 +357,43 @@ const restoreVarDeclarator = {
 traverse(ast, restoreVarDeclarator)
 
 //还原object
-traverse(ast, {
-    VariableDeclaration(path) {
-        let {scope, node} = path;
-        let {declarations} = node;
-        if (!declarations) return
-
-        if (declarations.length !== 1) return;
+function isBaseLiteral(node) {
+    if (types.isLiteral(node)) {
+        return true;
+    }
+    if (types.isUnaryExpression(node, {operator: "-"}) ||
+        types.isUnaryExpression(node, {operator: "+"})) {
+        return isBaseLiteral(node.argument);
+    }
 
-        let {id, init} = declarations[0]
-        if (!types.isObjectExpression(init)) return
-        let {properties} = init;
+    return false;
+}
 
-        if (properties.length === 0) return;
-        for (let i = 0; i < properties.length; i++) {
-            let {key, value} = properties[i];
-            if (!types.isNumericLiteral(value)) return
-        }
+const decodeValueOfObject =
+{//当一个object里面的value全部为字面量时的还原，没有考虑单个key重新赋值的情况。
+    VariableDeclarator(path) {
+        let { node, scope } = path;
+        const { id, init } = node;
+        if (!types.isObjectExpression(init)) return;
 
+        let properties = init.properties;
+        if (properties.length == 0 || !properties.every(property => isBaseLiteral(property.value)))
+            return;
 
         let binding = scope.getBinding(id.name);
-        if (!binding) return
-        let {constant, referencePaths, constantViolations} = binding;
-        if (!constant) {//新版本的babel库，在循环里面的变量定义，默认非常量
-            if (constantViolations.length != 1 || constantViolations[0] != path) //旧版本屏蔽该行即可
-            {
-                return;
-            }
-        }
+		if (!binding)return;
+        let { constant, referencePaths } = binding;
+        if (!constant) return;
 
         let newMap = new Map();
         for (const property of properties) {
-            let {key, value} = property;
-            newMap.set(key.name, value);
+            let { key, value } = property;
+            newMap.set(key.value, value);
         }
 
         let canBeRemoved = true;
         for (const referPath of referencePaths) {
-            let {parentPath} = referPath;
+            let { parentPath } = referPath;
             if (!parentPath.isMemberExpression()) {
                 canBeRemoved = false;
                 return;
@@ -402,16 +401,18 @@ traverse(ast, {
 
             let AncestorPath = parentPath.parentPath;
 
-            if (AncestorPath.isAssignmentExpression({"left": parentPath.node})) {
+            if (AncestorPath.isAssignmentExpression({"left":parentPath.node}))
+            {
             	  canBeRemoved = false;
                 return;
             }
-            if (AncestorPath.isUpdateExpression() && ['++', '--'].includes(AncestorPath.node.operator)) {
+            if (AncestorPath.isUpdateExpression() && ['++','--'].includes(AncestorPath.node.operator))
+            {
             	  canBeRemoved = false;
                 return;
             }
 
-            let curKey = parentPath.node.property.name;
+            let curKey = parentPath.node.property.value;
             if (!newMap.has(curKey)) {
                 canBeRemoved = false;
                 break;
@@ -420,8 +421,11 @@ traverse(ast, {
         }
         canBeRemoved && path.remove();
         newMap.clear();
-    }
-})
+    },
+}
+
+
+traverse(ast, decodeValueOfObject);
 
 
 console.timeEnd("处理完毕，耗时");