Fork me on GitHub

一段鬼畜风格的JavaScript解密

 

在CSDN上看到有人提问一段JS怎么解密,虽然已经是四年前的问题了,还是解一下。

原问题地址: 这段JS怎样解密? [问题点数:40分,结帖人seo2014]

 

这是楼主发出的原JS:

/*ZlQEInL6A*/var/*jY10R0zzRU8*/GmjGBvOJh/*giquCfF2*/=/*kACnJn3eX*/\u0075\u006e\u0065\u0073\u0063\u0061\u0070\u0065;/*CS71pgPOv*/var/*n0MtRt70*/bA92i/*ifSDSFcU*/=/*jyd0J2NKNf*/\u0065\u0076\u0061\u006c;/*v1h6km*/bA92i/*u0HCZxy*/(GmjGBvOJh/*u0HCZxy*/("eval/*Xanffka2Yxz*/%28/*AiEUa*/function/*SUOKMrs*/%28/*scqripznLN*/p%2Ca%2Cc%2Ck%2Ce%2Cd%29%7Be%3Dfunction/*ZYzhI*/%28/*o1zyEjG*/c%29%7Breturn/*MvvMpr0F*/%28/*pFoBpswdCP*/c%3Ca%3F%27%27%3Ae/*QXMTA*/%28/*EPhPHxLz8*/parseInt/*eO0duSMRFCq*/%28/*snpIf0HD*/c%2Fa%29%29%29%2B/*JMtMJBRu*/%28/*zTYxS8WEKH*//*bfaGvQEp*/%28/*rJujGv*/c%3Dc%25a%29%3E35%3FString.fromCharCode/*Rnz6P10zEBq*/%28/*HBUp9*/c%2B29%29%3Ac.toString/*UJ0aXrebdf*/%28/*qUoD1DA1hv2*/36%29%29%7D%3Bif/*d5tlkv6tyjE*/%28/*kDlpJ4Tn8G*/%21%27%27.replace/*Ax5WApn*/%28/*RI8xgV*/%2F%5E%2F%2CString%29%29%7Bwhile/*Ab0Xr8q*/%28/*YXaipYGP*/c--%29%7Bd%5Be/*UWUawqC*/%28/*e5yuxpN6*/c%29%5D%3Dk%5Bc%5D%7C%7Ce/*jX7Ln*/%28/*GStTNW5moPd*/c%29%7Dk%3D%5Bfunction/*gQieGRklkcK*/%28/*mIylFLc*/e%29%7Breturn%20d%5Be%5D%7D%5D%3Be%3Dfunction/*hbES4ing8Y*/%28/*Bgx3eE*/%29%7Breturn%27%5C%5Cw%2B%27%7D%3Bc%3D1%7D%3Bwhile/*ov1eYBByD*/%28/*W9T7IQHec1x*/c--%29%7Bif/*FunD7BG*/%28/*rcq3BD54*/k%5Bc%5D%29%7Bp%3Dp.replace/*FBfnTsGZ*/%28/*yXd7AbgnhX*/new%20RegExp/*TcldWiY3q*/%28/*MAlqLy1UC9k*/%27%5C%5Cb%27%2Be/*V6AudD*/%28/*UEtRAtO3*/c%29%2B%27%5C%5Cb%27%2C%27g%27%29%2Ck%5Bc%5D%29%7D%7Dreturn%20p%7D/*fnAU7pi9DBw*/%28/*Nb77y*/%27s/*ohCTiHJX2*/%28/*PhxEVA7DI*/3e/*yJUwpqB5iFp*/%28/*zWo0jda*/%22s%253i%253n%253k%253j%25z%2539%2538%2529%252W%25l%252%2529%25a%252%252X%258%2527%2527%252T%252R%252%2535%2529%2529%2529%252B%2528%252%2533%251a%2529%251b%251p.1l%252%251r%2529%2518.V%25Y%2529%2529%255%2510%2528%2521%2527%2527.t%2528%252F%2511%252F%251O%2529%2529%251V%252--%2529%251K%25n%252%2529%254%251A%25e%254%257%251J%252%2529%253h%251%251F%251E%2529%25a%251D%25n%254%255%254%251H%25l%2528%2529%25a%2527%250%251I%252B%2527%255%251C%251B%255%251v%252--%2529%251u%251t%25e%254%2529%251w%251x.t%251z%251y%2528%2527%250%25v%2527%25h%252%2529%252B%2527%250%25v%2527%252C%251Y%2527%2529%25z%25e%254%2529%255%251Z%2520%255%2528%2524%2523%25f.u%2528%250%251U%250%2527%2529.r%251N%2529%253%251M%25f.d%2528%251P%2522%2529%253%25j%253%25j%251T.b%253%251S%251s.9%2528%2522%258%2522%2529%253%2525%25w%251m%254%253%2513%25w%25C%254.9%2528%2514.q%2522%2529%2515%2517%2528%2529%2516%25c.d%2528%250%25Z%250%2527%2529%251%25R%2529%25Q%25M%251%250%25S%25T%252F%25X-o.p.m%2519-B.I%258%250%2527%251o%253%251q%25A%25c.U%2529%253%251j%25A%25c.E.W%2529%253%251d%251e%252B%250%2527%251h%251%250%2527%251g%25C%254%252B%250%2527%2526%251%250%2527%25h%252B%250%2527%2531%251%250%2527%2530%252B%250%2527%2534%251%250%2527%2537%2536%2528%2529.O%2528%2529%253%252Y%25f.H%2528%252Q%2522%2529%256.b%252U%256.G%251%25g%2522%256.F%251%25g%2522%256.k.J%251%25i%2522%256.k.K%251%25i%2522%256.N%251%253o%2522%256.L%2528%250%253c%250%2527%252C%250%253b%250%2527%25D%2529%253d.P.y%253g%2529%255%253f%2528%2529%252P%2527%25x%25x%252C%2527%257%252m%252l%252k%252n%252o%252r%252q%252p%252j%252i%252c%252b%252a%252d%252e%252h%252g%252f%252s%252t%252J%252I%252H%252K%252L%252N%252M%257%252G%257%252E%252w%252v%252u%252x%252y%252D%252A%252z%251k%252O%253a%253l%253m%253p%252V%252S%252Z%2532%251R%251c%251i%251n%257%2512%251Q%251W%251X%2527.1L%2528%2527%257%2527%2529%25D%252C%251G%255%2529%2529%251f%22%29%29%27%2C62%2C212%2C%275C%7C3D%7C28c%7C3B2%7C5D%7C7D%7C3B3%7C7C%7C3F%7C%7C7Breturn%7C%7C284%7C%7C5Bc%7C3D4%7C226%7C2Be%7C22i%7C20v%7C%7C3Dfunction%7C%7C5Be%7C%7C%7C%7C%7Ceval%7Creplace%7C%7C5Cb%7C3D5%7C2C60%7C%7C2Ck%7C3Dj%7C%7C5B0%7C2C0%7C%7C%7C%7C%7C%7C%7C%7C%7C20a%7C%7C%7C%7C7B2%7C3DD%7C27l%7C3A%7C%7CtoString%7C%7C2Fn%7C2836%7C276%7C3Bif%7C5E%7C7Creferrer%7C207%7C22C%7C3BA%7C7Bz%7C20c%7C3Ac%7C2FT%7C25a%7C3E35%7C7CDate%7C208%7C3Da%7C0A%7C2B7%7C267%7C7Cframeborder%7C20f%7C7Cname%7CfromCharCode%7C5B1%7C7Cllurl%7C2Bh%7C3FString%7C20e%7C2B29%7C3Dv%7C28k%7C7Bif%7C3Bwhile%7C7Bp%7C3Dp%7C20RegExp%7C28new%7C3Dk%7C3D1%7C3Bc%7C20d%7C28e%7C5Bfunction%7C7B%7C3Be%7C5Cw%7C7Ce%7C7Bd%7Csplit%7C20g%7C280%7C2CString%7C22x%7C7Cthepage%7C7Cbody%7C205%7C3Dg%7C27s%7C7Bwhile%7C7Chref%7C7Cnew%7C27g%7C7Dreturn%7C20p%7C%7C%7C20w%7C272%7C20h%7C26S%7C%7C%7C%7C7CQQfangke_ref%7C7CgetElementById%7C7Cskip%7C7CQQfangke_page%7C7Cpara%7C7CencodeURIComponent%7C7C0px%7C7Cids%7C7Csrc%7C7CQQfangke_xurl%7C7Cdocument%7C7Ciframe%7C7Cvar%7C7Ctmp%7C7CQQfangke_iframe%7C7Csplit%7C7CQQfangke_url%7C7Curl%7C7Cstyle%7C7Chttp%7C7Cif%7C7CappendChild%7C7Cqq_js%7C7Cfunction%7C7Ccensus%7C7Clocation%7C7Cnull%7C%7C%7C7CCount%7C7Cfangke_xHead%7C%7C7CgetElementsByTagName%7C7C812631263%7C7Cqq%7C7Cnet%7C7Chuantu%7C7Cjs%7C7CHEAD%7C7Citem%7C7Cid%7C3B%7C223%7C28parseInt%7C7Cno%7C3Ae%7C3D8%7C7CsetAttribute%7C7Be%7C3Ca%7C203%7C7Cscrolling%7C2Bf%7C26V%7C7CgetTime%7C3Dc%7C26t%7C2Fa%7C20Q%7C2BX%7C2Cd%7C2Ce%7C7CcreateElement%7C270%7C27R%7C3B4%7Cunescape%7C7Dc%7C283%7C7Dk%7C28function%7C2Cc%7C2Ca%7C7Cphp%7C7Cwidth%7C28p%7C22M%7C7Cheight%27.split/*xYPCp9*/%28/*A1eFEkbxjF*/%27%7C%27%29%2C0%2C%7B%7D%29%29%0A"/*VPDvoCjH05*/)/*syZhq5*//*VPDvoCjH05*/)/*syZhq5*//*ARQ6D1f*///

格式化一下:

/*ZlQEInL6A*/
var
/*jY10R0zzRU8*/
GmjGBvOJh
/*giquCfF2*/
=
/*kACnJn3eX*/
\u0075\u006e\u0065\u0073\u0063\u0061\u0070\u0065;
/*CS71pgPOv*/
var
/*n0MtRt70*/
bA92i
/*ifSDSFcU*/
=
/*jyd0J2NKNf*/
\u0065\u0076\u0061\u006c;
/*v1h6km*/
bA92i
/*u0HCZxy*/
(GmjGBvOJh
/*u0HCZxy*/
("eval/*Xanffka2Yxz*/%28/*AiEUa*/function/*SUOKMrs*/%28/*scqripznLN*/p%2Ca%2Cc%2Ck%2Ce%2Cd%29%7Be%3Dfunction/*ZYzhI*/%28/*o1zyEjG*/c%29%7Breturn/*MvvMpr0F*/%28/*pFoBpswdCP*/c%3Ca%3F%27%27%3Ae/*QXMTA*/%28/*EPhPHxLz8*/parseInt/*eO0duSMRFCq*/%28/*snpIf0HD*/c%2Fa%29%29%29%2B/*JMtMJBRu*/%28/*zTYxS8WEKH*//*bfaGvQEp*/%28/*rJujGv*/c%3Dc%25a%29%3E35%3FString.fromCharCode/*Rnz6P10zEBq*/%28/*HBUp9*/c%2B29%29%3Ac.toString/*UJ0aXrebdf*/%28/*qUoD1DA1hv2*/36%29%29%7D%3Bif/*d5tlkv6tyjE*/%28/*kDlpJ4Tn8G*/%21%27%27.replace/*Ax5WApn*/%28/*RI8xgV*/%2F%5E%2F%2CString%29%29%7Bwhile/*Ab0Xr8q*/%28/*YXaipYGP*/c--%29%7Bd%5Be/*UWUawqC*/%28/*e5yuxpN6*/c%29%5D%3Dk%5Bc%5D%7C%7Ce/*jX7Ln*/%28/*GStTNW5moPd*/c%29%7Dk%3D%5Bfunction/*gQieGRklkcK*/%28/*mIylFLc*/e%29%7Breturn%20d%5Be%5D%7D%5D%3Be%3Dfunction/*hbES4ing8Y*/%28/*Bgx3eE*/%29%7Breturn%27%5C%5Cw%2B%27%7D%3Bc%3D1%7D%3Bwhile/*ov1eYBByD*/%28/*W9T7IQHec1x*/c--%29%7Bif/*FunD7BG*/%28/*rcq3BD54*/k%5Bc%5D%29%7Bp%3Dp.replace/*FBfnTsGZ*/%28/*yXd7AbgnhX*/new%20RegExp/*TcldWiY3q*/%28/*MAlqLy1UC9k*/%27%5C%5Cb%27%2Be/*V6AudD*/%28/*UEtRAtO3*/c%29%2B%27%5C%5Cb%27%2C%27g%27%29%2Ck%5Bc%5D%29%7D%7Dreturn%20p%7D/*fnAU7pi9DBw*/%28/*Nb77y*/%27s/*ohCTiHJX2*/%28/*PhxEVA7DI*/3e/*yJUwpqB5iFp*/%28/*zWo0jda*/%22s%253i%253n%253k%253j%25z%2539%2538%2529%252W%25l%252%2529%25a%252%252X%258%2527%2527%252T%252R%252%2535%2529%2529%2529%252B%2528%252%2533%251a%2529%251b%251p.1l%252%251r%2529%2518.V%25Y%2529%2529%255%2510%2528%2521%2527%2527.t%2528%252F%2511%252F%251O%2529%2529%251V%252--%2529%251K%25n%252%2529%254%251A%25e%254%257%251J%252%2529%253h%251%251F%251E%2529%25a%251D%25n%254%255%254%251H%25l%2528%2529%25a%2527%250%251I%252B%2527%255%251C%251B%255%251v%252--%2529%251u%251t%25e%254%2529%251w%251x.t%251z%251y%2528%2527%250%25v%2527%25h%252%2529%252B%2527%250%25v%2527%252C%251Y%2527%2529%25z%25e%254%2529%255%251Z%2520%255%2528%2524%2523%25f.u%2528%250%251U%250%2527%2529.r%251N%2529%253%251M%25f.d%2528%251P%2522%2529%253%25j%253%25j%251T.b%253%251S%251s.9%2528%2522%258%2522%2529%253%2525%25w%251m%254%253%2513%25w%25C%254.9%2528%2514.q%2522%2529%2515%2517%2528%2529%2516%25c.d%2528%250%25Z%250%2527%2529%251%25R%2529%25Q%25M%251%250%25S%25T%252F%25X-o.p.m%2519-B.I%258%250%2527%251o%253%251q%25A%25c.U%2529%253%251j%25A%25c.E.W%2529%253%251d%251e%252B%250%2527%251h%251%250%2527%251g%25C%254%252B%250%2527%2526%251%250%2527%25h%252B%250%2527%2531%251%250%2527%2530%252B%250%2527%2534%251%250%2527%2537%2536%2528%2529.O%2528%2529%253%252Y%25f.H%2528%252Q%2522%2529%256.b%252U%256.G%251%25g%2522%256.F%251%25g%2522%256.k.J%251%25i%2522%256.k.K%251%25i%2522%256.N%251%253o%2522%256.L%2528%250%253c%250%2527%252C%250%253b%250%2527%25D%2529%253d.P.y%253g%2529%255%253f%2528%2529%252P%2527%25x%25x%252C%2527%257%252m%252l%252k%252n%252o%252r%252q%252p%252j%252i%252c%252b%252a%252d%252e%252h%252g%252f%252s%252t%252J%252I%252H%252K%252L%252N%252M%257%252G%257%252E%252w%252v%252u%252x%252y%252D%252A%252z%251k%252O%253a%253l%253m%253p%252V%252S%252Z%2532%251R%251c%251i%251n%257%2512%251Q%251W%251X%2527.1L%2528%2527%257%2527%2529%25D%252C%251G%255%2529%2529%251f%22%29%29%27%2C62%2C212%2C%275C%7C3D%7C28c%7C3B2%7C5D%7C7D%7C3B3%7C7C%7C3F%7C%7C7Breturn%7C%7C284%7C%7C5Bc%7C3D4%7C226%7C2Be%7C22i%7C20v%7C%7C3Dfunction%7C%7C5Be%7C%7C%7C%7C%7Ceval%7Creplace%7C%7C5Cb%7C3D5%7C2C60%7C%7C2Ck%7C3Dj%7C%7C5B0%7C2C0%7C%7C%7C%7C%7C%7C%7C%7C%7C20a%7C%7C%7C%7C7B2%7C3DD%7C27l%7C3A%7C%7CtoString%7C%7C2Fn%7C2836%7C276%7C3Bif%7C5E%7C7Creferrer%7C207%7C22C%7C3BA%7C7Bz%7C20c%7C3Ac%7C2FT%7C25a%7C3E35%7C7CDate%7C208%7C3Da%7C0A%7C2B7%7C267%7C7Cframeborder%7C20f%7C7Cname%7CfromCharCode%7C5B1%7C7Cllurl%7C2Bh%7C3FString%7C20e%7C2B29%7C3Dv%7C28k%7C7Bif%7C3Bwhile%7C7Bp%7C3Dp%7C20RegExp%7C28new%7C3Dk%7C3D1%7C3Bc%7C20d%7C28e%7C5Bfunction%7C7B%7C3Be%7C5Cw%7C7Ce%7C7Bd%7Csplit%7C20g%7C280%7C2CString%7C22x%7C7Cthepage%7C7Cbody%7C205%7C3Dg%7C27s%7C7Bwhile%7C7Chref%7C7Cnew%7C27g%7C7Dreturn%7C20p%7C%7C%7C20w%7C272%7C20h%7C26S%7C%7C%7C%7C7CQQfangke_ref%7C7CgetElementById%7C7Cskip%7C7CQQfangke_page%7C7Cpara%7C7CencodeURIComponent%7C7C0px%7C7Cids%7C7Csrc%7C7CQQfangke_xurl%7C7Cdocument%7C7Ciframe%7C7Cvar%7C7Ctmp%7C7CQQfangke_iframe%7C7Csplit%7C7CQQfangke_url%7C7Curl%7C7Cstyle%7C7Chttp%7C7Cif%7C7CappendChild%7C7Cqq_js%7C7Cfunction%7C7Ccensus%7C7Clocation%7C7Cnull%7C%7C%7C7CCount%7C7Cfangke_xHead%7C%7C7CgetElementsByTagName%7C7C812631263%7C7Cqq%7C7Cnet%7C7Chuantu%7C7Cjs%7C7CHEAD%7C7Citem%7C7Cid%7C3B%7C223%7C28parseInt%7C7Cno%7C3Ae%7C3D8%7C7CsetAttribute%7C7Be%7C3Ca%7C203%7C7Cscrolling%7C2Bf%7C26V%7C7CgetTime%7C3Dc%7C26t%7C2Fa%7C20Q%7C2BX%7C2Cd%7C2Ce%7C7CcreateElement%7C270%7C27R%7C3B4%7Cunescape%7C7Dc%7C283%7C7Dk%7C28function%7C2Cc%7C2Ca%7C7Cphp%7C7Cwidth%7C28p%7C22M%7C7Cheight%27.split/*xYPCp9*/%28/*A1eFEkbxjF*/%27%7C%27%29%2C0%2C%7B%7D%29%29%0A"
/*VPDvoCjH05*/
)
/*syZhq5*/
/*VPDvoCjH05*/
)
/*syZhq5*/
/*ARQ6D1f*/
//

看到有不少注释干扰,写个过滤JS注释的方法过滤一下(这一步非必要):

package cc11001100.js;

import org.apache.commons.io.FileUtils;

import java.io.File;
import java.io.IOException;

import static java.nio.charset.StandardCharsets.UTF_8;

/**
 * 将JS中的注释过滤掉
 * <p>
 * 可以过滤掉的注释类型:
 * 1. 单行注释
 * 2. 多行注释
 *
 * @author CC11001100
 */
public class JsCommentFilter {

	// 原始JS的内容
	private String script;
	// 当前下标位置
	private int pos;
	// 上一个字符是否是转义字符
	private boolean lastIsEscape = false;
	// 当前下标是否在字符串内
	private boolean inString = false;
	// 进入字符串的引号类型,出字符串时要匹配入字符串字符
	private char inStringQuote = '\0';

	private StringBuilder outBuffer;

	public JsCommentFilter(String script) {
		this.script = script;
		this.outBuffer = new StringBuilder();
	}

	public String get() {
		if (outBuffer.length() == 0) {
			filterComment();
		}
		return outBuffer.toString();
	}

	private void filterComment() {
		// 最后一个字符不参与计算,因为一个字符无法构成注释
		while (pos < script.length() - 1) {
			if (consumeComment()) {
				continue;
			}
			freshFlag();
			outBuffer.append(script.charAt(pos));
			pos++;
		}
		if (pos < script.length()) {
			outBuffer.append(script.charAt(pos));
		}
	}

	/**
	 * 略过注释
	 *
	 * @return boolean, true if consumed some comment else false.
	 */
	private boolean consumeComment() {
		if (lastIsEscape || inString) {
			return false;
		}

		boolean isConsumed = false;
		String nextTwoChar = script.substring(pos, pos + 2);
		// 多行注释
		if ("/*".equals(nextTwoChar)) {
			pos += 2;
			while (pos < script.length() - 1 && !"*/".equals(script.substring(pos, pos + 2))) {
				pos++;
			}
			pos += 2;
			isConsumed = true;
		} else if ("//".equals(nextTwoChar)) {
			// 单行注释
			pos += 2;
			while (pos < script.length() && script.charAt(pos) != '\n') {
				pos++;
			}
			isConsumed = true;
		}
		return isConsumed;
	}

	/**
	 * 刷新各种标志位,因为标志位可能要求有序,所以集中在一处调用
	 */
	private void freshFlag() {
		inQuoteFlag();
		escapeFlag();
	}

	/**
	 * 处理字符串进出标志位
	 * NOTICE: MUST BEFORE {@link #escapeFlag()}
	 */
	private void inQuoteFlag() {
		if (lastIsEscape) {
			return;
		}
		char c = script.charAt(pos);
		if (c != '\'' && c != '\"') {
			return;
		}

		if (inString && c == inStringQuote) {
			inString = false;
		} else if (!inString) {
			inString = true;
			inStringQuote = c;
		}
	}

	/**
	 * 处理转义标志位
	 * NOTICE: MUST AFTER {@link #inQuoteFlag()}
	 */
	private void escapeFlag() {
		// 若上一个字符是转义符,则当前字符必然不是,比如\\
		if (lastIsEscape) {
			lastIsEscape = false;
		} else {
			lastIsEscape = script.charAt(pos) == '\\';
		}
	}

	public static void main(String[] args) throws IOException {
		String jsFilePath = "data/foo.js";
		String js = FileUtils.readFileToString(new File(jsFilePath), UTF_8);
		System.out.println(new JsCommentFilter(js).get());
	}

}

使用上面的方法过滤JS的注释,然后再整理一下,得到:

var GmjGBvOJh = \u0075\u006e\u0065\u0073\u0063\u0061\u0070\u0065;
var bA92i = \u0065\u0076\u0061\u006c;
bA92i(GmjGBvOJh("eval/*Xanffka2Yxz*/%28/*AiEUa*/function/*SUOKMrs*/%28/*scqripznLN*/p%2Ca%2Cc%2Ck%2Ce%2Cd%29%7Be%3Dfunction/*ZYzhI*/%28/*o1zyEjG*/c%29%7Breturn/*MvvMpr0F*/%28/*pFoBpswdCP*/c%3Ca%3F%27%27%3Ae/*QXMTA*/%28/*EPhPHxLz8*/parseInt/*eO0duSMRFCq*/%28/*snpIf0HD*/c%2Fa%29%29%29%2B/*JMtMJBRu*/%28/*zTYxS8WEKH*//*bfaGvQEp*/%28/*rJujGv*/c%3Dc%25a%29%3E35%3FString.fromCharCode/*Rnz6P10zEBq*/%28/*HBUp9*/c%2B29%29%3Ac.toString/*UJ0aXrebdf*/%28/*qUoD1DA1hv2*/36%29%29%7D%3Bif/*d5tlkv6tyjE*/%28/*kDlpJ4Tn8G*/%21%27%27.replace/*Ax5WApn*/%28/*RI8xgV*/%2F%5E%2F%2CString%29%29%7Bwhile/*Ab0Xr8q*/%28/*YXaipYGP*/c--%29%7Bd%5Be/*UWUawqC*/%28/*e5yuxpN6*/c%29%5D%3Dk%5Bc%5D%7C%7Ce/*jX7Ln*/%28/*GStTNW5moPd*/c%29%7Dk%3D%5Bfunction/*gQieGRklkcK*/%28/*mIylFLc*/e%29%7Breturn%20d%5Be%5D%7D%5D%3Be%3Dfunction/*hbES4ing8Y*/%28/*Bgx3eE*/%29%7Breturn%27%5C%5Cw%2B%27%7D%3Bc%3D1%7D%3Bwhile/*ov1eYBByD*/%28/*W9T7IQHec1x*/c--%29%7Bif/*FunD7BG*/%28/*rcq3BD54*/k%5Bc%5D%29%7Bp%3Dp.replace/*FBfnTsGZ*/%28/*yXd7AbgnhX*/new%20RegExp/*TcldWiY3q*/%28/*MAlqLy1UC9k*/%27%5C%5Cb%27%2Be/*V6AudD*/%28/*UEtRAtO3*/c%29%2B%27%5C%5Cb%27%2C%27g%27%29%2Ck%5Bc%5D%29%7D%7Dreturn%20p%7D/*fnAU7pi9DBw*/%28/*Nb77y*/%27s/*ohCTiHJX2*/%28/*PhxEVA7DI*/3e/*yJUwpqB5iFp*/%28/*zWo0jda*/%22s%253i%253n%253k%253j%25z%2539%2538%2529%252W%25l%252%2529%25a%252%252X%258%2527%2527%252T%252R%252%2535%2529%2529%2529%252B%2528%252%2533%251a%2529%251b%251p.1l%252%251r%2529%2518.V%25Y%2529%2529%255%2510%2528%2521%2527%2527.t%2528%252F%2511%252F%251O%2529%2529%251V%252--%2529%251K%25n%252%2529%254%251A%25e%254%257%251J%252%2529%253h%251%251F%251E%2529%25a%251D%25n%254%255%254%251H%25l%2528%2529%25a%2527%250%251I%252B%2527%255%251C%251B%255%251v%252--%2529%251u%251t%25e%254%2529%251w%251x.t%251z%251y%2528%2527%250%25v%2527%25h%252%2529%252B%2527%250%25v%2527%252C%251Y%2527%2529%25z%25e%254%2529%255%251Z%2520%255%2528%2524%2523%25f.u%2528%250%251U%250%2527%2529.r%251N%2529%253%251M%25f.d%2528%251P%2522%2529%253%25j%253%25j%251T.b%253%251S%251s.9%2528%2522%258%2522%2529%253%2525%25w%251m%254%253%2513%25w%25C%254.9%2528%2514.q%2522%2529%2515%2517%2528%2529%2516%25c.d%2528%250%25Z%250%2527%2529%251%25R%2529%25Q%25M%251%250%25S%25T%252F%25X-o.p.m%2519-B.I%258%250%2527%251o%253%251q%25A%25c.U%2529%253%251j%25A%25c.E.W%2529%253%251d%251e%252B%250%2527%251h%251%250%2527%251g%25C%254%252B%250%2527%2526%251%250%2527%25h%252B%250%2527%2531%251%250%2527%2530%252B%250%2527%2534%251%250%2527%2537%2536%2528%2529.O%2528%2529%253%252Y%25f.H%2528%252Q%2522%2529%256.b%252U%256.G%251%25g%2522%256.F%251%25g%2522%256.k.J%251%25i%2522%256.k.K%251%25i%2522%256.N%251%253o%2522%256.L%2528%250%253c%250%2527%252C%250%253b%250%2527%25D%2529%253d.P.y%253g%2529%255%253f%2528%2529%252P%2527%25x%25x%252C%2527%257%252m%252l%252k%252n%252o%252r%252q%252p%252j%252i%252c%252b%252a%252d%252e%252h%252g%252f%252s%252t%252J%252I%252H%252K%252L%252N%252M%257%252G%257%252E%252w%252v%252u%252x%252y%252D%252A%252z%251k%252O%253a%253l%253m%253p%252V%252S%252Z%2532%251R%251c%251i%251n%257%2512%251Q%251W%251X%2527.1L%2528%2527%257%2527%2529%25D%252C%251G%255%2529%2529%251f%22%29%29%27%2C62%2C212%2C%275C%7C3D%7C28c%7C3B2%7C5D%7C7D%7C3B3%7C7C%7C3F%7C%7C7Breturn%7C%7C284%7C%7C5Bc%7C3D4%7C226%7C2Be%7C22i%7C20v%7C%7C3Dfunction%7C%7C5Be%7C%7C%7C%7C%7Ceval%7Creplace%7C%7C5Cb%7C3D5%7C2C60%7C%7C2Ck%7C3Dj%7C%7C5B0%7C2C0%7C%7C%7C%7C%7C%7C%7C%7C%7C20a%7C%7C%7C%7C7B2%7C3DD%7C27l%7C3A%7C%7CtoString%7C%7C2Fn%7C2836%7C276%7C3Bif%7C5E%7C7Creferrer%7C207%7C22C%7C3BA%7C7Bz%7C20c%7C3Ac%7C2FT%7C25a%7C3E35%7C7CDate%7C208%7C3Da%7C0A%7C2B7%7C267%7C7Cframeborder%7C20f%7C7Cname%7CfromCharCode%7C5B1%7C7Cllurl%7C2Bh%7C3FString%7C20e%7C2B29%7C3Dv%7C28k%7C7Bif%7C3Bwhile%7C7Bp%7C3Dp%7C20RegExp%7C28new%7C3Dk%7C3D1%7C3Bc%7C20d%7C28e%7C5Bfunction%7C7B%7C3Be%7C5Cw%7C7Ce%7C7Bd%7Csplit%7C20g%7C280%7C2CString%7C22x%7C7Cthepage%7C7Cbody%7C205%7C3Dg%7C27s%7C7Bwhile%7C7Chref%7C7Cnew%7C27g%7C7Dreturn%7C20p%7C%7C%7C20w%7C272%7C20h%7C26S%7C%7C%7C%7C7CQQfangke_ref%7C7CgetElementById%7C7Cskip%7C7CQQfangke_page%7C7Cpara%7C7CencodeURIComponent%7C7C0px%7C7Cids%7C7Csrc%7C7CQQfangke_xurl%7C7Cdocument%7C7Ciframe%7C7Cvar%7C7Ctmp%7C7CQQfangke_iframe%7C7Csplit%7C7CQQfangke_url%7C7Curl%7C7Cstyle%7C7Chttp%7C7Cif%7C7CappendChild%7C7Cqq_js%7C7Cfunction%7C7Ccensus%7C7Clocation%7C7Cnull%7C%7C%7C7CCount%7C7Cfangke_xHead%7C%7C7CgetElementsByTagName%7C7C812631263%7C7Cqq%7C7Cnet%7C7Chuantu%7C7Cjs%7C7CHEAD%7C7Citem%7C7Cid%7C3B%7C223%7C28parseInt%7C7Cno%7C3Ae%7C3D8%7C7CsetAttribute%7C7Be%7C3Ca%7C203%7C7Cscrolling%7C2Bf%7C26V%7C7CgetTime%7C3Dc%7C26t%7C2Fa%7C20Q%7C2BX%7C2Cd%7C2Ce%7C7CcreateElement%7C270%7C27R%7C3B4%7Cunescape%7C7Dc%7C283%7C7Dk%7C28function%7C2Cc%7C2Ca%7C7Cphp%7C7Cwidth%7C28p%7C22M%7C7Cheight%27.split/*xYPCp9*/%28/*A1eFEkbxjF*/%27%7C%27%29%2C0%2C%7B%7D%29%29%0A"))

看上面的三行GmjGBvOJh和bA92i是函数的名字,可是被Unicode编码了,使用Java直接打印即可:

package cc11001100.js;

/**
 * @author CC11001100
 */
public class UnicodeMain {

	public static void main(String[] args) {

		String GmjGBvOJh = "\u0075\u006e\u0065\u0073\u0063\u0061\u0070\u0065";
		String bA92i = "\u0065\u0076\u0061\u006c";

		System.out.println(GmjGBvOJh);
		System.out.println(bA92i);

	}

}

得到函数的名字:

image

使用新的函数名将JS整理一下:

eval(unescape("eval/*Xanffka2Yxz*/%28/*AiEUa*/function/*SUOKMrs*/%28/*scqripznLN*/p%2Ca%2Cc%2Ck%2Ce%2Cd%29%7Be%3Dfunction/*ZYzhI*/%28/*o1zyEjG*/c%29%7Breturn/*MvvMpr0F*/%28/*pFoBpswdCP*/c%3Ca%3F%27%27%3Ae/*QXMTA*/%28/*EPhPHxLz8*/parseInt/*eO0duSMRFCq*/%28/*snpIf0HD*/c%2Fa%29%29%29%2B/*JMtMJBRu*/%28/*zTYxS8WEKH*//*bfaGvQEp*/%28/*rJujGv*/c%3Dc%25a%29%3E35%3FString.fromCharCode/*Rnz6P10zEBq*/%28/*HBUp9*/c%2B29%29%3Ac.toString/*UJ0aXrebdf*/%28/*qUoD1DA1hv2*/36%29%29%7D%3Bif/*d5tlkv6tyjE*/%28/*kDlpJ4Tn8G*/%21%27%27.replace/*Ax5WApn*/%28/*RI8xgV*/%2F%5E%2F%2CString%29%29%7Bwhile/*Ab0Xr8q*/%28/*YXaipYGP*/c--%29%7Bd%5Be/*UWUawqC*/%28/*e5yuxpN6*/c%29%5D%3Dk%5Bc%5D%7C%7Ce/*jX7Ln*/%28/*GStTNW5moPd*/c%29%7Dk%3D%5Bfunction/*gQieGRklkcK*/%28/*mIylFLc*/e%29%7Breturn%20d%5Be%5D%7D%5D%3Be%3Dfunction/*hbES4ing8Y*/%28/*Bgx3eE*/%29%7Breturn%27%5C%5Cw%2B%27%7D%3Bc%3D1%7D%3Bwhile/*ov1eYBByD*/%28/*W9T7IQHec1x*/c--%29%7Bif/*FunD7BG*/%28/*rcq3BD54*/k%5Bc%5D%29%7Bp%3Dp.replace/*FBfnTsGZ*/%28/*yXd7AbgnhX*/new%20RegExp/*TcldWiY3q*/%28/*MAlqLy1UC9k*/%27%5C%5Cb%27%2Be/*V6AudD*/%28/*UEtRAtO3*/c%29%2B%27%5C%5Cb%27%2C%27g%27%29%2Ck%5Bc%5D%29%7D%7Dreturn%20p%7D/*fnAU7pi9DBw*/%28/*Nb77y*/%27s/*ohCTiHJX2*/%28/*PhxEVA7DI*/3e/*yJUwpqB5iFp*/%28/*zWo0jda*/%22s%253i%253n%253k%253j%25z%2539%2538%2529%252W%25l%252%2529%25a%252%252X%258%2527%2527%252T%252R%252%2535%2529%2529%2529%252B%2528%252%2533%251a%2529%251b%251p.1l%252%251r%2529%2518.V%25Y%2529%2529%255%2510%2528%2521%2527%2527.t%2528%252F%2511%252F%251O%2529%2529%251V%252--%2529%251K%25n%252%2529%254%251A%25e%254%257%251J%252%2529%253h%251%251F%251E%2529%25a%251D%25n%254%255%254%251H%25l%2528%2529%25a%2527%250%251I%252B%2527%255%251C%251B%255%251v%252--%2529%251u%251t%25e%254%2529%251w%251x.t%251z%251y%2528%2527%250%25v%2527%25h%252%2529%252B%2527%250%25v%2527%252C%251Y%2527%2529%25z%25e%254%2529%255%251Z%2520%255%2528%2524%2523%25f.u%2528%250%251U%250%2527%2529.r%251N%2529%253%251M%25f.d%2528%251P%2522%2529%253%25j%253%25j%251T.b%253%251S%251s.9%2528%2522%258%2522%2529%253%2525%25w%251m%254%253%2513%25w%25C%254.9%2528%2514.q%2522%2529%2515%2517%2528%2529%2516%25c.d%2528%250%25Z%250%2527%2529%251%25R%2529%25Q%25M%251%250%25S%25T%252F%25X-o.p.m%2519-B.I%258%250%2527%251o%253%251q%25A%25c.U%2529%253%251j%25A%25c.E.W%2529%253%251d%251e%252B%250%2527%251h%251%250%2527%251g%25C%254%252B%250%2527%2526%251%250%2527%25h%252B%250%2527%2531%251%250%2527%2530%252B%250%2527%2534%251%250%2527%2537%2536%2528%2529.O%2528%2529%253%252Y%25f.H%2528%252Q%2522%2529%256.b%252U%256.G%251%25g%2522%256.F%251%25g%2522%256.k.J%251%25i%2522%256.k.K%251%25i%2522%256.N%251%253o%2522%256.L%2528%250%253c%250%2527%252C%250%253b%250%2527%25D%2529%253d.P.y%253g%2529%255%253f%2528%2529%252P%2527%25x%25x%252C%2527%257%252m%252l%252k%252n%252o%252r%252q%252p%252j%252i%252c%252b%252a%252d%252e%252h%252g%252f%252s%252t%252J%252I%252H%252K%252L%252N%252M%257%252G%257%252E%252w%252v%252u%252x%252y%252D%252A%252z%251k%252O%253a%253l%253m%253p%252V%252S%252Z%2532%251R%251c%251i%251n%257%2512%251Q%251W%251X%2527.1L%2528%2527%257%2527%2529%25D%252C%251G%255%2529%2529%251f%22%29%29%27%2C62%2C212%2C%275C%7C3D%7C28c%7C3B2%7C5D%7C7D%7C3B3%7C7C%7C3F%7C%7C7Breturn%7C%7C284%7C%7C5Bc%7C3D4%7C226%7C2Be%7C22i%7C20v%7C%7C3Dfunction%7C%7C5Be%7C%7C%7C%7C%7Ceval%7Creplace%7C%7C5Cb%7C3D5%7C2C60%7C%7C2Ck%7C3Dj%7C%7C5B0%7C2C0%7C%7C%7C%7C%7C%7C%7C%7C%7C20a%7C%7C%7C%7C7B2%7C3DD%7C27l%7C3A%7C%7CtoString%7C%7C2Fn%7C2836%7C276%7C3Bif%7C5E%7C7Creferrer%7C207%7C22C%7C3BA%7C7Bz%7C20c%7C3Ac%7C2FT%7C25a%7C3E35%7C7CDate%7C208%7C3Da%7C0A%7C2B7%7C267%7C7Cframeborder%7C20f%7C7Cname%7CfromCharCode%7C5B1%7C7Cllurl%7C2Bh%7C3FString%7C20e%7C2B29%7C3Dv%7C28k%7C7Bif%7C3Bwhile%7C7Bp%7C3Dp%7C20RegExp%7C28new%7C3Dk%7C3D1%7C3Bc%7C20d%7C28e%7C5Bfunction%7C7B%7C3Be%7C5Cw%7C7Ce%7C7Bd%7Csplit%7C20g%7C280%7C2CString%7C22x%7C7Cthepage%7C7Cbody%7C205%7C3Dg%7C27s%7C7Bwhile%7C7Chref%7C7Cnew%7C27g%7C7Dreturn%7C20p%7C%7C%7C20w%7C272%7C20h%7C26S%7C%7C%7C%7C7CQQfangke_ref%7C7CgetElementById%7C7Cskip%7C7CQQfangke_page%7C7Cpara%7C7CencodeURIComponent%7C7C0px%7C7Cids%7C7Csrc%7C7CQQfangke_xurl%7C7Cdocument%7C7Ciframe%7C7Cvar%7C7Ctmp%7C7CQQfangke_iframe%7C7Csplit%7C7CQQfangke_url%7C7Curl%7C7Cstyle%7C7Chttp%7C7Cif%7C7CappendChild%7C7Cqq_js%7C7Cfunction%7C7Ccensus%7C7Clocation%7C7Cnull%7C%7C%7C7CCount%7C7Cfangke_xHead%7C%7C7CgetElementsByTagName%7C7C812631263%7C7Cqq%7C7Cnet%7C7Chuantu%7C7Cjs%7C7CHEAD%7C7Citem%7C7Cid%7C3B%7C223%7C28parseInt%7C7Cno%7C3Ae%7C3D8%7C7CsetAttribute%7C7Be%7C3Ca%7C203%7C7Cscrolling%7C2Bf%7C26V%7C7CgetTime%7C3Dc%7C26t%7C2Fa%7C20Q%7C2BX%7C2Cd%7C2Ce%7C7CcreateElement%7C270%7C27R%7C3B4%7Cunescape%7C7Dc%7C283%7C7Dk%7C28function%7C2Cc%7C2Ca%7C7Cphp%7C7Cwidth%7C28p%7C22M%7C7Cheight%27.split/*xYPCp9*/%28/*A1eFEkbxjF*/%27%7C%27%29%2C0%2C%7B%7D%29%29%0A"))

等会儿,这不就是eval执行么,然后想起之前写过类似的解密工具,于是复制过来用一下,参考:jspacker压缩及解压缩研究(js eval)

<html>
<head>
    <meta charset="UTF-8">
    <title>JavaScript eval</title>
</head>
<body>
 
<textarea id="eval_code" cols="100" rows="30" placeholder="粘贴eval代码"></textarea>
<button onclick="executeEval()">EVAL</button>
 
<script type="text/javascript">
    function executeEval(){
        let evalCodeElt = document.getElementById("eval_code");
        let evalCode = evalCodeElt.value;
        // 如果不把开头的eval去掉的话直接执行会被执行两遍
         evalCode = evalCode.replace(/^eval/, "");
        try{
            evalCodeElt.value = eval(evalCode);
        }catch (e) {
            alert("执行报错了:" + e);
        }
    }
</script>
</body>
</html>

然后将上面的JS粘贴进入,执行几次之后得到的JS格式化一下:

var fangke_xHead = document.getElementsByTagName('HEAD').item(0);
var para = document.getElementById("qq_js");
var v;
var v = para.src;
var tmp = v.split("?");
var ids = tmp[1];
var url = tmp[0].split("Count.js");
function skip() {
    if (document.getElementById('QQfangke_iframe') == null) {
        var QQfangke_xurl = 'http://qq-812631263.huantu.net/T-census.php?' + ids;
        var QQfangke_ref = encodeURIComponent(document.referrer);
        var QQfangke_page = encodeURIComponent(document.location.href);
        var QQfangke_url = QQfangke_xurl + '&url=' + url[0] + '&llurl=' + QQfangke_ref + '&thepage=' + QQfangke_page + '&t=' + new Date().getTime();
        var iframe = document.createElement("iframe");
        iframe.src = QQfangke_url;
        iframe.id = "QQfangke_iframe";
        iframe.name = "QQfangke_iframe";
        iframe.style.width = "0px";
        iframe.style.height = "0px";
        iframe.scrolling = "no";
        iframe.setAttribute('frameborder', '0', 0);
        document.body.appendChild(iframe)
    }
}
skip();

至此成功解密这个鬼畜风格的JS,看这个变量命名不会是从QQ空间的JS中摘出来的吧…

 

.

posted @ 2018-06-19 23:51  CC11001100  阅读(1083)  评论(1编辑  收藏  举报