不常见的JS加密分析
前言
今天发现一个很少见的JS加密代码,他由一段十分少见的环境检测逻辑,修改一个字符都会被检测到,十分神奇,今天献上。
源代码
let hiJsJiami;!function(){const Zg3G=Array.prototype.slice.call(arguments);return eval("(function MpGw(vFNo){const P2Fo=fpxp(vFNo,nxap(MpGw.toString()));try{let rAIo=eval(P2Fo);return rAIo.apply(null,Zg3G);}catch(LXAo){var nvDo=(0o202222-66693);while(nvDo<(0o400161%65574))switch(nvDo){case (0x30058%0o200031):nvDo=LXAo instanceof SyntaxError?(0o400126%0x1001D):(0...省略一大堆代码...6%04%19%1F%1A%05SV%19Z%05%03%25(%5D%0B%11%06\'W%0E%1E%1D%0C%10%08%02%04@B%08%1D%01%15%18%18%06KA_%19Z%05%03%25(%5D%07%16%05%25W%0E%1E%1D%0C%10%08%02%04@B%08%1D%01%15%18%18%06K@_%19Z%05%03%25(%5D-+T*W%0E%1E%1D%0C%10%08%02%04@B%08%1D%01%15%18%18%06KB%5C%19Z%05%03%25(%5D%1B#%12%25W%0E%1E%1D%0C%10%08%02%04@B%08%1D%01%15%18%18%06KAX%19Z%05%03%25(%5D9%00%17%25W%0E%1E%1D%0C%10%08%02%04@B%08%1D%01%15%18%18%06K@V%19%1CD\")")}();
用在线JS解密进行第一层还原
(function MpGw(vFNo){const P2Fo=fpxp(vFNo,nxap(MpGw.toString()));try{let rAIo=eval(P2Fo);return rAIo.apply(null,Zg3G);}catch(LXAo){var nvDo=(0o202222-66693);while(nvDo<(0o400161%65574))switch(nvDo){case (0x30058%0o200031):nvDo=LXAo instanceof SyntaxError?(0o400126%0x1001D):(0o400163%0x10027);break;case (0o201510-0x1032C):nvDo=(0o400177%65581);{console.log('Error: the code has been tampered!');return}break;}throw LXAo;}function nxap(P4cp){let js5o=539378785;var LZ7o=(0o400075%65550);{let fn0o;while(LZ7o<(0x10550-0o202456)){switch(LZ7o){case (0O144657447^0x1935F20):LZ7o=(0o202032-0x1040B);{js5o^=(P4cp.charCodeAt(fn0o)*(15658734^0O73567354)+P4cp.charCodeAt(fn0o>>>(0x4A5D0CE&0O320423424)))^810782314;}break;case (0x40073%0o200031):LZ7o=(0x4004F%0o200021);fn0o++;break;case (0o201736-66515):LZ7o=fn0o<P4cp.length?(0O264353757%8):(0o1000236%65567);break;case (0o202450-0x10507):LZ7o=(0o1000107%0x1000F);fn0o=(0x21786%3);break;}}}let HU2o="";var biVo=(67216-0o203164);{let DPXo;while(biVo<(0x105C8-0o202643)){switch(biVo){case (0o204300-67748):biVo=(0o204730-0x109B4);DPXo=(0x21786%3);break;case (262308%0o200040):biVo=DPXo<(0O3153050563-0x19AC516B)?(66316-0o201362):(0o201344-0x102BF);break;case (0x10618-0o202776):biVo=(0x2005E%0o200040);{const DRup=js5o%(68296-0o205261);js5o=Math.floor(js5o/(0o204026-0x107FF));HU2o+=DRup>=(0x1071C-0o203402)?String.fromCharCode((0o600404%65601)+(DRup-(0o1000136%0x10011))):String.fromCharCode((0o217120-0x11DEF)+DRup);}break;case (0o204064-67606):biVo=(0o202070-0x10414);DPXo++;break;}}}return HU2o;}function fpxp(zMpp,bksp){zMpp=decodeURI(zMpp);let vHkp=(0x21786%3);let Xenp="";var rCfp=(68506-0o205571);{let T9hp;while(rCfp<(0o600152%0x10018)){switch(rCfp){case (0x9D8DE4-0O47306735):rCfp=(0o203410-0x106F9);{Xenp+=String.fromCharCode(zMpp.charCodeAt(T9hp)^bksp.charCodeAt(vHkp));vHkp++;var TbPp=(0o206666-0x10D9B);while(TbPp<(0x111D0-0o210652))switch(TbPp){case (0o200416-0x100F3):TbPp=vHkp>=bksp.length?(0o201344-66239):(0o203554-0x10746);break;case (0x300AF%0o200056):TbPp=(0o400144%65567);{vHkp=(0x75bcd15-0O726746425);}break;}}break;case (0o1000107%65551):rCfp=T9hp<zMpp.length?(0O264353757%8):(0o600171%65565);break;case (0o1000141%65552):rCfp=(196652%0o200013);T9hp=(0x75bcd15-0O726746425);break;case (0o202260-66721):rCfp=(0o202114-66625);T9hp++;break;}}}return Xenp;}})("E%0C%1D%05%10%1B%0D%0E%03BA%10%15%1A%0A%02%19%03%07%05S%19%22/%02BA%10%01%0A%10%14%1F%04HL/%1ATQX_O%16%15%1A%0A%02%19%03%07%05S?V'%02BA%10%01%0A%10%14%1F%04HC%05-.%0FECA0%01%18!%0FEC5C'Z%00%0EECA%16%15%1A%0A%02%19%03%07%05S%1D%25(%02B$32%00H%0F%1B.%07G%1D%17%05%11D%11%04%0E%07O4U%0E%1AUIQT%12%00%1...省略一万字代码...0A%03F%5BI%5D%12Y%5BG-TL%5D%05Z%5BA%5DPPDP@%5B%1C%5DTP_X%5CFC%17UQ_%5D%5BBH%0D%16%04%0C%01S%08%12%1C%01AE%5C%5EREYIQ%02XXYE%5EWHW%00%1B%5E%1CRLQ%22%5B%5C_EZSUY%5D6%5B%0B%5E%5DRX,Z%5BZT(;Z%05U%05%05+%0%19%1CD")
分析
方法体内一大段都是验证逻辑,验证方法是否有变动,如果有则验证不通过。
结尾
解密后的代码就不放出来了,对用户不尊重。
有js相关问题可以私信我