obfuscator伪代码样例

obfuscator混淆过的代码,反混淆后有很多伪代码,有些规则不太好找,会导致伪代码无法删除。

obfuscator 解密工具地址dejs

现将伪代码模板整理如下:如有清理不彻底的情况,可手动删除。

调式保护代码

这些代码也就是让反混淆的人在控制台查看的时候,进入死循环一直无法执行下去的控制逻辑。

调试代码重复执行逻辑。

  (function () {
            {globalVariableTemplate}

            that.setInterval({debugProtectionFunctionName}, {debugProtectionInterval});
        })();

调试代码执行

(function () {
    {callControllerFunctionName}(
        this,
        function () {
            const regExp1 = new RegExp('function *\\( *\\)');
            const regExp2 = new RegExp('\\+\\+ *\(?:[a-zA-Z_$][0-9a-zA-Z_$]*\)', 'i');

            const result = {debugProtectionFunctionName}('init');

            if (!regExp1.test(result + 'chain') || !regExp2.test(result + 'input')) {
                result('0');
            } else {
                {debugProtectionFunctionName}();
            }
        }
    )();
})();

格式1

if (typeof counter === 'string') {
    return (function (arg) {}.constructor('while (true) {}').apply('counter'));
} else {
    if (('' + counter / counter)['length'] !== 1 || counter % 20 === 0) {
        (function () {return true;}.constructor('debu' + 'gger').call('action'));
    } else {
        (function () {return false;}.constructor('debu' + 'gger').apply('stateObject'));
    }
}

格式2

if (typeof counter === 'string') {
    const func = function () {
        while (true) {}
    };

    return func();
} else {
    if (('' + counter / counter)['length'] !== 1 || counter % 20 === 0) {
        debugger;
    } else {
        debugger;
    }

}

格式3

function {debugProtectionFunctionName} (ret) {
    function debuggerProtection (counter) {
        {debuggerTemplate}

        debuggerProtection(++counter);
    }

    try {
        if (ret) {
            return debuggerProtection;
        } else {
            debuggerProtection(0);
        }
    } catch (y) {}
}

全局变量代码

单次调用控制器模板

这个模板的伪代码在混淆代码中有大量的使用。这个伪代码在多种类型表达式中有使用,目前工具尚无法完美的删除这些伪代码。后面时间富裕的话,会将该代码进行删除。

const {callControllerFunctionName} = (function(){
    let firstCall = true;

    return function (context, fn){
        const rfn = firstCall ? function(){
            if(fn){
                const res = fn.apply(context, arguments);
                fn = null;
                return res;
            }
        } : function(){}

        firstCall = false;

        return rfn;
    }
})()

全局变量模板1

let that;

try {
    const getGlobal = Function('return (function() ' + '{}.constructor("return this")( )' + ');');

    that = getGlobal();
} catch (e) {
    that = window;
}

全局变量模板2

const getGlobal = function () {
    let globalObject;

    try {
        globalObject = Function('return (function() ' + '{}.constructor("return this")( )' + ');')();
    } catch (e) {
        globalObject = window;
    }

    return globalObject;
};
const that = getGlobal();

禁用console伪代码

const {consoleLogDisableFunctionName} = {callControllerFunctionName}(this, function () {
    {globalVariableTemplate}

    const consoleObject = (that.console = that.console || {});
    const methods = ['log', 'warn', 'info', 'error', 'exception', 'table', 'trace'];

    for (let index = 0; index < methods.length; index++){
        const func = {callControllerFunctionName}.constructor.prototype.bind({callControllerFunctionName});
        const methodName = methods[index];
        const originalFunction = consoleObject[methodName] || func;

        func.__proto__ = {callControllerFunctionName}.bind({callControllerFunctionName});
        func.toString = originalFunction.toString.bind(originalFunction);

        consoleObject[methodName] = func;
    }
});

{consoleLogDisableFunctionName}();

域名保护伪代码

const {domainLockFunctionName} = {callControllerFunctionName}(this, function () {

    {globalVariableTemplate}

    const regExp = new RegExp("[{domainsStringDiff}]", "g");
    const domains = "{domains}".replace(regExp, "").split(";");
    let document;
    let domain;
    let location;
    let hostname;

    const isName = function(name, length, cs) {
        if (name.length != length) {
            return false;
        }

        for (let i = 0; i < length; i++) {
            for (let j = 0; j < cs.length; j += 2) {
                if (i == cs[j] && name.charCodeAt(i) != cs[j+1]) {
                    return false;
                }
            }
        }

        return true;
    };

    const isNameVariant1 = function(cs, name, length) {
      return isName(name, length, cs);
    };

    const isNameVariant2 = function(name, cs, length) {
      return isNameVariant1(cs, name, length);
    };

    const isNameVariant3 = function(length, name, cs) {
      return isNameVariant2(name, cs, length);
    };

    for (let d in that) {
        if (isName(d, 8, [7, 116, 5, 101, 3, 117, 0, 100])) {
            document = d;

            break;
        }
    }

    for (let d1 in that[document]) {
        if (isNameVariant3(6, d1, [5, 110, 0, 100])) {
            domain = d1;

            break;
        }
    }

    for (let d2 in that[document]) {
        if (isNameVariant2(d2, [7, 110, 0, 108], 8)) {
            location = d2;

            break;
        }
    }

    if (!("~" > domain)) {
        for (let d3 in that[document][location]) {
            if (isNameVariant1([7, 101, 0, 104], d3, 8)) {
                hostname = d3;

                break;
            }
        }
    }

    if (!document || !that[document]) {
        return;
    }

    const documentDomain = that[document][domain];
    const documentLocationHostName = !!that[document][location] && that[document][location][hostname];
    const currentDomain = documentDomain || documentLocationHostName;

    if (!currentDomain) {
        return;
    }

    let ok = false;

    for (let i = 0; i < domains.length; i++) {
        const domain = domains[i];
        const domainNormalized = domain[0] === String.fromCharCode(46)
            ? domain.slice(1)
            : domain;
        const position = currentDomain.length - domainNormalized.length;
        const lastIndex = currentDomain.indexOf(domainNormalized, position);
        const endsWith = lastIndex !== -1 && lastIndex === position;

        if (endsWith) {
            if (currentDomain.length == domain.length || domain.indexOf(".") === 0) {
                ok = true;
            }
        }
    }

    if (!ok) {
        const regExp2 = new RegExp("[{domainLockRedirectUrlDiff}]", "g");
        const domainLockRedirectUrl = "{hiddenDomainLockRedirectUrl}".replace(regExp2, "");

        that[document][location] = domainLockRedirectUrl;
    }
});

{domainLockFunctionName}();

自我防护伪代码

const {selfDefendingFunctionName} = {callControllerFunctionName}(this, function () {
    return {selfDefendingFunctionName}
        .toString()
        .search('(((.+)+)+)+$')
        .toString()
        .constructor({selfDefendingFunctionName})
        .search('(((.+)+)+)+$');
});

{selfDefendingFunctionName}();
end
  • 作者:kali(作者介绍)
  • 更新时间:2022-07-20 18:09
  • 版权声明:自由转载-非商用-非衍生-保持署名(创意共享3.0许可证)
  • 转载声明:转载站点文章,请附上原文链接
  • 翻译声明:翻译文章会不严谨,请务必附上原文链接
  • 扫描阅读:扫描二维码,手机阅读该文章