AST反混淆实战(一)
AST简介
抽象语法树(Abstract Syntax Tree,AST),或简称语法树(Syntax tree),是源代码语法结构的一种抽象表示。它以树状的形式表现编程语言的语法结构,树上的每个节点都表示源代码中的一种结构。之所以说语法是“抽象”的,是因为这里的语法并不会表示出真实语法中出现的每个细节。
使用到的第三方库
esprima:代码转语法树
estraverse:AST遍历辅助库(深度优先搜索),包含遍历及替换节点的功能
escodegen:语法树转代码
jsdom:获取模拟浏览器window对象(很多js会检测环境)
相关文件
反混淆前后对比
-反混淆前
_0x1dc76b[_0x1972('0xed')](typeof window, _0x1dc76b[_0x1972('0x229')]) && _0x1dc76b[_0x1972('0x147')](typeof window[_0x1972('0x38e')], _0x1dc76b[_0x1972('0x229')]) ? _0x1dc76b[_0x1972('0x44c')](typeof window[_0x1972('0x38e')][_0x1972('0x131')], _0x1dc76b[_0x1972('0x299')]) ? /phantomjs/[_0x1972('0x348')](window[_0x1972('0x38e')][_0x1972('0x131')][_0x1972('0x39e')]()) ? ss = _0x1dc76b[_0x1972('0x64')](ss, _0x1dc76b[_0x1972('0x13')](0x1, 0xf)) : window[_0x1972('0x38e')][_0x1972('0x301')] ? ss = _0x1dc76b[_0x1972('0x64')](ss, _0x1dc76b[_0x1972('0x311')](0x1, 0xf)) : ss = _0x1dc76b[_0x1972('0x64')](ss, _0x1dc76b[_0x1972('0x36c')](0x1, 0x1)) : _0x1dc76b[_0x1972('0x44c')](typeof window[_0x1972('0x38e')][_0x1972('0x3bd')], _0x1dc76b[_0x1972('0x21f')]) ? ss = _0x1dc76b[_0x1972('0x64')](ss, _0x1dc76b[_0x1972('0x36c')](0x1, 0xf)) : !window[_0x1972('0x38e')][_0x1972('0x3bd')] ? ss = _0x1dc76b[_0x1972('0x64')](ss, _0x1dc76b[_0x1972('0x323')](0x1, 0xf)) : ss = _0x1dc76b[_0x1972('0x28c')](ss, _0x1dc76b[_0x1972('0x323')](0x1, 0xf)) : ss = _0x1dc76b[_0x1972('0x27c')](ss, _0x1dc76b[_0x1972('0x323')](0x1, 0xf));
_0x1dc76b[_0x1972('0x44c')](typeof window, _0x1dc76b[_0x1972('0x229')]) && _0x1dc76b[_0x1972('0x26')](typeof window[_0x1972('0x433')], _0x1dc76b[_0x1972('0x229')]) ? _0x1dc76b[_0x1972('0x20e')](_0x1dc76b[_0x1972('0x1d8')](window[_0x1972('0x433')][_0x1972('0x1da')], window[_0x1972('0x433')][_0x1972('0x176')]), 0x0) ? ss = _0x1dc76b[_0x1972('0x27c')](ss, _0x1dc76b[_0x1972('0x323')](0x1, 0x2)) : ss = _0x1dc76b[_0x1972('0x370')](ss, _0x1dc76b[_0x1972('0x323')](0x1, 0x10)) : ss = _0x1dc76b[_0x1972('0x34d')](ss, _0x1dc76b[_0x1972('0x323')](0x1, 0x10));
_0x1dc76b[_0x1972('0x26')](typeof document, _0x1dc76b[_0x1972('0x229')]) && _0x1dc76b[_0x1972('0x26')](typeof document[_0x1972('0x208')], fff) ? !document[_0x1972('0x208')](_0x1dc76b[_0x1972('0x454')]) ? ss = _0x1dc76b[_0x1972('0x2c6')](ss, _0x1dc76b[_0x1972('0x323')](0x1, 0x3)) : ss = _0x1dc76b[_0x1972('0x3da')](ss, _0x1dc76b[_0x1972('0x323')](0x1, 0x11)) : ss = _0x1dc76b[_0x1972('0x3da')](ss, _0x1dc76b[_0x1972('0x1a1')](0x1, 0x11));
_0x1dc76b[_0x1972('0x119')](typeof window, _0x1dc76b[_0x1972('0x229')]) ? _0x1dc76b[_0x1972('0x119')](typeof window[_0x1972('0x410')], _0x1dc76b[_0x1972('0x21f')]) ? ss = _0x1dc76b[_0x1972('0x3da')](ss, _0x1dc76b[_0x1972('0x1a1')](0x1, 0x4)) : ss = _0x1dc76b[_0x1972('0x3da')](ss, _0x1dc76b[_0x1972('0x18d')](0x1, 0x12)) : _0x1dc76b[_0x1972('0x32e')](typeof window, _0x1dc76b[_0x1972('0x229')]) && _0x1dc76b[_0x1972('0x363')](typeof window[_0x1972('0x197')], _0x1dc76b[_0x1972('0x21f')]) ? ss = _0x1dc76b[_0x1972('0x3da')](ss, _0x1dc76b[_0x1972('0x18d')](0x1, 0x12)) : ss = _0x1dc76b[_0x1972('0x3da')](ss, _0x1dc76b[_0x1972('0x18d')](0x1, 0x12));
image.png
反混淆后
typeof window == _0x1dc76b['WfJBW'] && typeof window['navigator'] == _0x1dc76b['WfJBW'] ? typeof window['navigator']['userAgent'] == _0x1dc76b['XaIwC'] ? /phantomjs/['test'](window['navigator']['userAgent']['toLowerCase']()) ? ss = ss | 1 << 15 : window['navigator']['webdriver'] ? ss = ss | 1 << 15 : ss = ss | 1 << 1 : typeof window['navigator']['appVersion'] == _0x1dc76b['DWvnG'] ? ss = ss | 1 << 15 : !window['navigator']['appVersion'] ? ss = ss | 1 << 15 : ss = ss | 1 << 15 : ss = ss | 1 << 15;
typeof window == _0x1dc76b['WfJBW'] && typeof window['screen'] == _0x1dc76b['WfJBW'] ? 970 + 1680 > 0 ? ss = ss | 1 << 2 : ss = ss | 1 << 16 : ss = ss | 1 << 16;
typeof document == _0x1dc76b['WfJBW'] && typeof document['getElementById'] == fff ? !document['getElementById'](_0x1dc76b['djBAH']) ? ss = ss | 1 << 3 : ss = ss | 1 << 17 : ss = ss | 1 << 17;
typeof window == _0x1dc76b['WfJBW'] ? typeof window['callPhantom'] == _0x1dc76b['DWvnG'] ? ss = ss | 1 << 4 : ss = ss | 1 << 18 : typeof window == _0x1dc76b['WfJBW'] && typeof window['_phantom'] == _0x1dc76b['DWvnG'] ? ss = ss | 1 << 18 : ss = ss | 1 << 18;
image.png
说明
//类似这种调用方法,根据传入参数算真实值(做了反混淆,会处理)
_0x1972('0x229')
//运算符封装为方法的,都会进行反混淆
_0x4d51e8['GNVJM'] = function (_0x399108, _0x2aefef) {
return _0x399108 == _0x2aefef;
};
//某个key等于字符串,(这种没处理,因为不是很影响读码了,就没处理。)
_0x4d51e8['WfJBW'] = 'object';
逆向过程
1.下载核心js文件,内容混淆严重。先做反混淆。分析代码,拆解为几种混淆规则,针对每种规则反混淆。这个文件梳理主要有3、4种混淆规则,这里做了主要的2种,已可以阅读七七八八了(主要就是几个混淆,然后又互相嵌套,AST遍历是深度优先遍历,会从内到外依次反混淆,可以处理嵌套)。
- 通过某个方法运算得到的string
var _0x1972 = function (_0x129385, _0x5b4f79) {
// ...............
//.............某些计算规则,返回根据传入参数计算出来的string。
//.................
return s;
}
//多次重复出现类似的代码
_0x1972('0x49')
//=================================================================================================================================
//反混淆核心代码
var ast = esprima.parseScript(content.toString());
//_0x1972方法在前57行,这个通过eval函数加载这个方法
eval(content.split('\n').slice(0, 57).join(''));
ast = estraverse.replace(ast, {
enter: function (node, parent) {
if (node.type === "CallExpression") {
//因为混淆文件会变化,变量名会变,函数名称长度为7的只有_0x1972这个方法
if (node.callee.name && node.callee.name.length === 7 && node.arguments.length === 1) {
//如果是这个函数,则直接用计算后的结果替换
let data = eval(`${node.callee.name}('${node.arguments[0].value}')`);
if (data && data !== 'undefined' && data !== 'Number' && data !== 'NaN') {
return {
type: "Literal",
value: data,
raw: `'${data}'`
};
}
}
}
},
});
//=================================================================================================================================
//反混淆后_0x1972('0x49')变为计算后的值WfJBW
WfJBW
- 运算符混淆
_0x615b4b['uUzso'] = function (_0x59febf, _0x3b43de) {
return _0x59febf & _0x3b43de;
};
//中间有一次重命名过程
var _0x2bb501 = _0x615b4b;
//多次出现的类似代码
_0x2bb501['uUzso'](_0xd72c68, 8)
//反混淆核心代码
ast = estraverse.replace(ast, {
enter: function (node, parent) {
if (node.type === "CallExpression"
&& node.arguments.length === 2
&& node.callee
&& node.callee.property
&& node.callee.property.value
) {
let operator;
let rname;
let rvalue = node.callee.property.value;
//寻找重命名前的真实名称
estraverse.traverse(ast, {
enter: function (find_node, parent) {
try {
if (find_node.type === "VariableDeclaration"
&& find_node.declarations[0].id.name === node.callee.object.name
) {
rname = find_node.declarations[0].init.name;
this.break()
}
} catch (e) {
this.skip()
}
}
});
//寻找对应方法的运算符,赋值给operator
estraverse.traverse(ast, {
enter: function (find_node, parent) {
try {
if (find_node.type === "AssignmentExpression"
&& find_node.left.object.name === rname
&& find_node.left.property.value === rvalue
) {
operator = find_node.right.body.body[0].argument.operator;
if (operator) {
this.break()
}
this.skip()
}
} catch (e) {
this.skip()
}
}
});
//替换为简化的语法树
if (operator) {
node = {
"type": "BinaryExpression",
"operator": operator,
"left": node.arguments[0],
"right": node.arguments[1]
};
return node
}
}
}
}
);
//反混淆后代码
_0x615b4b['uUzso'] = function (_0x59febf, _0x3b43de) {
return _0x59febf & _0x3b43de;
};
var _0x2bb501 = _0x615b4b;
//_0x2bb501['uUzso'](_0xd72c68, 8) 变为 _0xd72c68 & 8
_0xd72c68 & 8;
2、代码反混淆后已可以阅读,找到核心代码。
//加密入口函数
ABC['prototype']['z'](seed, ts)
//之后会用python调用,这里简单封装入口
function encrypt(seed, ts) {
ts = Number(ts);
return ABC['prototype']['z'](seed, ts);
}
//hook取两个真实参数,真实结果应为971bzdrUsH6rIWHBVAmYXWgD3LfYvX/ci0ZvZl1DAdpLwgm8rTU6n4iFR5UFL3dliWHPzK1oNJkfepDbUYXKr4ZeMTBkmYrZcjuFh8K6Z6LiCgJwowN9mPggIR+336cmJH9B
encrypt('pA2EJB+wiUR5EXY0ZDTsTSh2z4oxxDfBIGHbOzpdB6A=', 1589961615404);
3、nodejs环境,添加jsdom模拟浏览器环境,返回的结果总变。而在浏览器环境下,结果不变,且与之前hook取到的结果一致。判断反混淆未影响代码逻辑,但是代码中有判断浏览器环境
//添加window对象
const {JSDOM} = jsdom;
const {window} = new JSDOM(`...`)
//有一些判断环境的代码(这里给列出部分)
//如 global、process、child_process这些都是nodejs环境有,而浏览器没有。有50处左右对比环境的。
if (typeof global != _0x3e1ab5['VMFpl'] || typeof process != _0x3e1ab5['VMFpl'] || typeof child_process != _0x3e1ab5['VMFpl'] || typeof Buffer != _0x3e1ab5['VMFpl'] || typeof sessionStorage == _0x3e1ab5['VMFpl']) {
ss = ss | 1 << 12;
}
4、根据上面找出的对比浏览器环境的代码,写出对应的处理代码如:
//导入jsdom,有部分检测window对象,及其属性
const jsdom = require("jsdom");
const {JSDOM} = jsdom;
//检测当前url
const {window} = new JSDOM(`...`,{
url: "https://www.zhipin.com/job_detail/?query=",
});
// // or even
const {document} = (new JSDOM(`...`)).window;
//检测top
top = window
//检测setInterval方法toString的值,浏览器及nodejs环境有差异
setInterval['toString']= function () {
return "function setInterval() { [native code] }"
}
//有检测部分差异变量
global = undefined
process = undefined
child_process = undefined
Buffer = undefined
sessionStorage = {}
5、还有部分不好在代码上覆盖,直接在反混淆后替换
//这里是调试时过无限debugger
code = code.replace('debugger;', '')
//有一个eval函数内部也是无限debugger,这里用console.log替换eval,直接输出代码不执行
.replace('eval', 'console.log')
//替换部分浏览器值(在4中代码最上方覆盖不生效,这里直接替换掉,待研究)
.replace("window['screen']['availHeight']", '970')
.replace("window['screen']['availWidth']", '1680')
.replace("window['outerWidth']", '1680')
.replace("window['innerWidth']", '480')
.replace("window['outerHeight']", '967')
.replace("window['innerHeight']", '856')
6、终于在nodejs环境执行后与浏览器环境一致,也与hook到的值一致。
7、这个混淆的js文件,会定期更新,各变量名及内部加密算法改变。这里的4和5的处理都加入反混淆脚本,在js文件改变时,必须反混淆后才能出现5中的代码。(1.因为这里是直接调用,所以不关心加密算法是什么。2.因为上面5的部分代码无法覆盖,所以新的文件还是要走反混淆这一步。如果5的部分可以类似于4的处理,那么之后新js文件可以不用反混淆,只需要将4部分放入js文件头即可)
后记
看似很复杂的混淆,其实都只是几种混淆规则、互相嵌套造成的。看着脑壳疼,其实只要分析一下,借助AST,完成部分反混淆规则,即可正常阅读代码。