function _0x1f1a68(_0x1be822, _0x79fd7, _0x340561, _0x170aa8, _0x35407a) {    return _0x4903(_0x35407a - 0x252, _0x340561);}

function _0x3cb10b(_0x9056d3, _0xd6da67, _0x4e8aa3, _0x575cfa, _0x50067e) {     return _0x1f1a68(_0x9056d3 - 0x1ca, _0xd6da67 - 0x97, _0x4e8aa3, _0x575cfa - 0x13c, _0xd6da67 - 0x119); }function _0x362f86(_0xeb8495, _0x2bb06b, _0x3bc6ce, _0x59c29b, _0x141499) {    return _0x3cb10b(_0xeb8495 - 0x1a0, _0xeb8495 - -0x370, _0x3bc6ce, _0x59c29b - 0x19c, _0x141499 - 0x120);}function _0x1f1a68(_0x1be822, _0x79fd7, _0x340561, _0x170aa8, _0x35407a) {    return _0x4903(_0x35407a - 0x252, _0x340561);}

function replaceArgsToIndex(funcargs, arg) {        if (arg.type == "BinaryExpression") {            return replaceArgsToIndex(funcargs, arg.left);        }        if (arg.name.startsWith("arg")) {            return true;        }        for (let i = 0; i < funcargs.length; i++) {            if (funcargs[i].name == arg.name) {                arg.name = "arg" + i;                return true;            }        }        console.log("not found arg " + arg.name + " at " + arg.loc?.start.line);        return false;}

function _0x1f1a68(_0x1be822, _0x79fd7, _0x340561, _0x170aa8, _0x35407a) {    return _0x4903(arg4 - 0x252, arg2);}

function convertIndexToArg(funcargs, arg) {        if (arg.type == "BinaryExpression") {            return btypes.binaryExpression(arg.operator, convertIndexToArg(funcargs, arg.left), arg.right);        }        if (arg.name.startsWith("arg")) {            let index = parseInt(arg.name.substr(3));            if (index < funcargs.length) {                return funcargs[index];            } else {                console.log("not found arg index with name " + arg.name + " at " + arg.loc?.start.line);            }        } else {            return arg;        }}

let doFlatten = {        FunctionDeclaration(path) {            let refBinding = path.scope.getBinding(path.node.id?.name);            if (!refBinding.referenced) {                path.remove(); //如果函数没有被引用则直接删除并更新作用域                path.scope.crawl();                return;            }            if (path.node.body.body.length != 1) return;            let body = path.node.body.body[0];            if (!btypes.isReturnStatement(body)) return;            let callExp = body.argument;            if (!btypes.isCallExpression(callExp)) return;            //以上三个判断是否满足混淆函数的格式            let calleeArgs = callExp.arguments; //混淆函数里面调用函数的参数            let funcArgs = path.node.params; //混淆函数的参数            for (let arg of calleeArgs) {                let type = arg.type;                switch (arg.type) {                    case "BinaryExpression":                        replaceArgsToIndex(funcArgs, (arg as btypes.BinaryExpression).left as btypes.Identifier); //这里可以不case,已经在replaceArgsToIndex中实现了递归，这里case是为了防止有未预期的形式，但是经过测试不存在该情况                        break;                    case "Identifier":                        replaceArgsToIndex(funcArgs, arg as btypes.Identifier);                        break;                    default:                        console.log("callee arg not recognizable at line: " + path.node.loc?.start.line);                        return;                }            }             let { id } = path.node;            let binding = path.scope.getBinding((id as btypes.Identifier).name);            for (let refer_path of binding!.referencePaths) {                //获取所有调用                if (!btypes.isCallExpression(refer_path.parent)) {                    console.log("abnormal reference at line: " + refer_path.node.loc?.start.line);                    continue;                }                let args = (refer_path.parent as btypes.CallExpression).arguments;                let newArgs: btypes.Expression[] = []; //重组的表调用参数                let argExp: btypes.Expression;                for (let arg of calleeArgs) {                    let type = arg.type;                    switch (arg.type) {                        case "BinaryExpression":                            argExp = convertIndexToArg(args, (arg as btypes.BinaryExpression).left as btypes.Identifier);                            let exp = btypes.binaryExpression((arg as btypes.BinaryExpression).operator, argExp, (arg as btypes.BinaryExpression).right)                            newArgs.push(exp);                            //处理重组，按照嵌套二值表达式的方式组装并把变量参数放在最左边                            break;                        case "Identifier":                            argExp = convertIndexToArg(args, arg as btypes.Identifier);                            newArgs.push(argExp);                            break;                    }                }                let newCallExp = btypes.callExpression(callExp.callee, newArgs);                refer_path.parentPath.replaceWith(newCallExp);//替换callExpression            }            path.parentPath.scope.crawl();            //console.log("modified code: " + codegen["default"](path.node).code);            //path.remove();        }    };    traverse["default"](root, doFlatten);

for (let level = 0; level < 3; level++) {  removeConstFunc(root)}

function _0x4903(_0x41f1e9, _0x3130bc) {    var _0x5e7ec4 = _0x8976();     return _0x4903 = function (_0x899a2d, _0x5835f7) {      _0x899a2d = _0x899a2d - 109;      var _0x3e8c46 = _0x5e7ec4[_0x899a2d];       if (_0x4903.HfpBsi === undefined) {        var _0x1cbb5e = function (_0x50d26d) {          var _0x5a42a9 = '',              _0x12cc8d = '',              _0x5f42a1 = _0x5a42a9 + _0x1cbb5e;           for (var _0x2829d6 = 0, _0x49459b, _0x390f91, _0x46a986 = 0; _0x390f91 = _0x50d26d.charAt(_0x46a986++); ~_0x390f91 && (_0x49459b = _0x2829d6 % 4 ? _0x49459b * 64 + _0x390f91 : _0x390f91, _0x2829d6++ % 4) ? _0x5a42a9 += _0x5f42a1.charCodeAt(_0x46a986 + 10) - 10 !== 0 ? String.fromCharCode(255 & _0x49459b >> (-2 * _0x2829d6 & 6)) : _0x2829d6 : 0) {            _0x390f91 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/='.indexOf(_0x390f91);          }           for (var _0x42631c = 0, _0x4ab4be = _0x5a42a9.length; _0x42631c < _0x4ab4be; _0x42631c++) {            _0x12cc8d += '%' + ('00' + _0x5a42a9.charCodeAt(_0x42631c).toString(16)).slice(-2);          }           return decodeURIComponent(_0x12cc8d);        };         var _0x6b448 = function (_0x1b5efd, _0x1ba8dd) {          var _0x45d44d = [],              _0xd3ad3a = 0,              _0x1e5c57,              _0x567392 = '';           _0x1b5efd = _0x1cbb5e(_0x1b5efd);           var _0x579ae7;           for (_0x579ae7 = 0; _0x579ae7 < 256; _0x579ae7++) {            _0x45d44d[_0x579ae7] = _0x579ae7;          }           for (_0x579ae7 = 0; _0x579ae7 < 256; _0x579ae7++) {            _0xd3ad3a = (_0xd3ad3a + _0x45d44d[_0x579ae7] + _0x1ba8dd.charCodeAt(_0x579ae7 % _0x1ba8dd.length)) % 256, _0x1e5c57 = _0x45d44d[_0x579ae7], _0x45d44d[_0x579ae7] = _0x45d44d[_0xd3ad3a], _0x45d44d[_0xd3ad3a] = _0x1e5c57;          }           _0x579ae7 = 0, _0xd3ad3a = 0;           for (var _0x577b0d = 0; _0x577b0d < _0x1b5efd.length; _0x577b0d++) {            _0x579ae7 = (_0x579ae7 + 1) % 256, _0xd3ad3a = (_0xd3ad3a + _0x45d44d[_0x579ae7]) % 256, _0x1e5c57 = _0x45d44d[_0x579ae7], _0x45d44d[_0x579ae7] = _0x45d44d[_0xd3ad3a], _0x45d44d[_0xd3ad3a] = _0x1e5c57, _0x567392 += String.fromCharCode(_0x1b5efd.charCodeAt(_0x577b0d) ^ _0x45d44d[(_0x45d44d[_0x579ae7] + _0x45d44d[_0xd3ad3a]) % 256]);          }           return _0x567392;        };         _0x4903.MMnWus = _0x6b448, _0x41f1e9 = arguments, _0x4903.HfpBsi = !![];      }       var _0x22abc4 = _0x5e7ec4[0],          _0x244987 = _0x899a2d + _0x22abc4,          _0x238d8e = _0x41f1e9[_0x244987];       if (!_0x238d8e) {        if (_0x4903.CBAcVv === undefined) {          var _0xdfbdcc = function (_0xacf633) {            this.kDnxVr = _0xacf633, this.IoBPQs = [1, 0, 0], this.wpMLDB = function () {return 'newState';}, this.kJPlqW = '\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*', this.YBMSQk = '[\x27|\x22].+[\x27|\x22];?\x20*}'; //这是正则表达式          };           _0xdfbdcc.prototype.NgtXeG = function () {            var _0x18c3d0 = new RegExp(this.kJPlqW + this.YBMSQk),                _0xa664a8 = _0x18c3d0.test(this.wpMLDB.toString()) ? --this.IoBPQs[1] : --this.IoBPQs[0]; //这里检测函数文本是否满足正则，实际上是检测JS有没有被格式化，在这里将wpMLDB手动的改回了最小化的格式绕过检测             return this.vbKnou(_0xa664a8);          }, _0xdfbdcc.prototype.vbKnou = function (_0x561c7b) {            if (!Boolean(~_0x561c7b)) return _0x561c7b;            return this.DtzlIA(this.kDnxVr); //检测到被格式化，调用该函数溢满内存          }, _0xdfbdcc.prototype.DtzlIA = function (_0x386581) {            for (var _0x2adaa0 = 0, _0x5245a5 = this.IoBPQs.length; _0x2adaa0 < _0x5245a5; _0x2adaa0++) {              this.IoBPQs.push(Math.round(Math.random())), _0x5245a5 = this.IoBPQs.length;            }             return _0x386581(this.IoBPQs[0]);          }, new _0xdfbdcc(_0x4903).NgtXeG(), _0x4903.CBAcVv = !![];        }         _0x3e8c46 = _0x4903.MMnWus(_0x3e8c46, _0x5835f7), _0x41f1e9[_0x244987] = _0x3e8c46;      } else _0x3e8c46 = _0x238d8e;       return _0x3e8c46;    }, _0x4903(_0x41f1e9, _0x3130bc);  }   (function (_0x4dbad8, _0x3b7f07) {    var _0x37755d = _0x4dbad8();     while (!![]) {      try {        var _0x39c0da = parseInt(_0x4903(4069, 'u]yp')) / 1 * (parseInt(_0x4903(2125, '[email protected]]')) / 2) + parseInt(_0x4903(140, 'kFVy')) / 3 + -parseInt(_0x4903(2566, 'j1TD')) / 4 + parseInt(_0x4903(3272, 'a*Xk')) / 5 + -parseInt(_0x4903(2587, '[email protected]')) / 6 + -parseInt(_0x4903(743, '5h*C')) / 7 + parseInt(_0x4903(5102, 'dVlJ')) / 8;         if (_0x39c0da === _0x3b7f07) break;else _0x37755d.push(_0x37755d.shift());      } catch (_0x696156) {        _0x37755d.push(_0x37755d.shift());      }    }  })(_0x8976, 214580); //字符串数组顺序还原，_0x8976为一个返回全局数组的函数，数组太长了就不放上来了

module.exports = {  _0x4903}

import { _0x4903 } from './strdeec'function evalDecryptStr(root){    traverse["default"](root, {        CallExpression(path) {            let { callee } = path.node;            if (btypes.isIdentifier(callee) && callee.name == "_0x4903") { //判断是否为字符串解密函数                //console.log(codegen["default"](path.node).code,"loc:",path.node.loc?.start.line);                let args = path.node.arguments;                if(!btypes.isNumericLiteral(args[0]) || !btypes.isStringLiteral(args[1])) return;                let str = (args[0] as btypes.NumericLiteral).value;                let key = (args[1] as btypes.StringLiteral).value; //获取函数调用表达式的参数                //console.log("decrypt str: " + str + " with key: " + key);                let result = _0x4903(str, key); //调用解密JS                path.replaceWith(btypes.stringLiteral(result)); //将函数调用替换成返回的字符串            }        }    });}

var _0x36ac29 = {        'NaqJs': function(_0x23b608, _0x3b3abb) {            return _0x23b608 + _0x3b3abb;        },        'UJTOv': _0x174a07(0xf38, 'LzP4', 0xfd8, 0x636, 0x1585),        'KunTi': _0x513b7d(0x130c, 0xeca, 0x876, 'lsex', 0x51b),        'qCfPd': _0x513b7d(-0x735, 0x161, 0x4cf, 'KFQS', 0x9d0) + 'n',        'CGJyE': _0x3b7723(-0x374, 'k2r*', 0xc46, 0x41c, 0x16c) + _0x1c1190(0xef5, 'Dvut', 0x841, 0x960, 0xae9) + _0x3b7723(-0x165, 'a*Xk', -0x5d6, 0x3a5, 0x743) + ')',        'aXujP': _0x174a07(0x5b9, 'a*Xk', 0x976, 0xf31, 0x697) + _0x1c1190(0xb61, '[email protected]]', 0x10c9, 0x7cb, 0x8db) + _0x1c1190(0x3e4, '5h*C', 0x39f, 0x36d, 0xc81) + _0x139616(0xd98, 0x90e, '[q9T', 0x1244, 0x4e3) + _0x174a07(0xfc6, '$TWJ', 0x1020, 0xbef, 0xbc5) + _0x174a07(0x801, 'mPMe', 0xcce, 0x8d3, 0xbb) + _0x513b7d(0x605, 0x1d, -0x31c, '[q9T', -0x3c5),        'MTufy': function(_0x43fade, _0x361ab2) {            return _0x43fade(_0x361ab2);        },        'cqyFN': _0x513b7d(0x6c5, 0xcb7, 0x1631, 'A$dO', 0xc76),        'ITrER': function(_0x7d61e2, _0x18ffb2) {            return _0x7d61e2 + _0x18ffb2;        },        'mYpth': _0x3b7723(0x3f8, 'vrb1', 0x487, 0xa64, 0x32f),        'ySBMh': _0x174a07(0x10a4, 'LzP4', 0x10fb, 0x1589, 0xc04),        'fhGPp': function(_0x10918e) {            return _0x10918e();        },        'BPPTg': function(_0xbea0a9, _0xf05a6b) {            return _0xbea0a9 === _0xf05a6b;        },        'aFUAX': _0x1c1190(0x1105, 'DZK9', 0xa48, 0x101f, 0x17c1),        'YkQUD': function(_0x3d394f, _0x304d01) {            return _0x3d394f !== _0x304d01;        },        'XUKwk': _0x1c1190(0x53c, 'u]yp', 0x1b9, 0xa84, 0x7fb),        'hGUML': _0x174a07(0xbc5, '[Kpm', 0xb6a, 0x3bd, 0xa68),        'FZvDE': function(_0x3899f7, _0x4782b9) {            return _0x3899f7 === _0x4782b9;        },        'LCVgl': _0x1c1190(0x925, 's*!&', 0x2f8, 0x4d4, -0x3e5),        'FFifH': _0x174a07(0x1437, 'Thp]', 0x17dc, 0x1c99, 0x1031)    };

var _0x36ac29 = {    'NaqJs': function (_0x23b608, _0x3b3abb) {      return _0x23b608 + _0x3b3abb;    },    'UJTOv': "debu",    'KunTi': "gger",    'qCfPd': "action",    'CGJyE': "function *\\( *\\)",    'aXujP': "\\+\\+ *(?:[a-zA-Z_$][0-9a-zA-Z_$]*)",    'MTufy': function (_0x43fade, _0x361ab2) {      return _0x43fade(_0x361ab2);    },    'cqyFN': "init",    'ITrER': function (_0x7d61e2, _0x18ffb2) {      return _0x7d61e2 + _0x18ffb2;    },    'mYpth': "chain",    'ySBMh': "input",    'fhGPp': function (_0x10918e) {      return _0x10918e();    },    'BPPTg': function (_0xbea0a9, _0xf05a6b) {      return _0xbea0a9 === _0xf05a6b;    },    'aFUAX': "WrmJg",    'YkQUD': function (_0x3d394f, _0x304d01) {      return _0x3d394f !== _0x304d01;    },    'XUKwk': "SBXpo",    'hGUML': "GJQSO",    'FZvDE': function (_0x3899f7, _0x4782b9) {      return _0x3899f7 === _0x4782b9;    },    'LCVgl': "spaxN",    'FFifH': "QeYEB"  };

# 往期推荐

1.CVE-2022-21882提权漏洞学习笔记

2.wibu证书 - 初探

3.win10 1909逆向之APIC中断和实验

4.EMET下EAF机制分析以及模拟实现

5.sql注入学习分享

6.V8 Array.prototype.concat函数出现过的issues和他们的POC们