jsconfuser: new obfuscation tool #112

Open
goodwenhao opened this issue Aug 13, 2024 · 16 comments · May be fixed by #117
Labels
wip Work in progress

Comments

@goodwenhao

Which plugin are you reporting a bug for?

obfuscator

Version of Node

20.14

Input code

https://github.com/goodwenhao/study/blob/main/test.js

Additional context

No response

@echo094
Owner

echo094 commented Aug 13, 2024

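Based on later comments, this obfuscation tool has been identified as https://github.com/MichaelXF/js-confuser

The core of this obfuscation scheme is the two pieces of code at the head and the tail: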

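```js
// Header
function ggsElv() {}
PS61TpK = Object["defineProperty"]
function b2YUfe(ggsElv) {
  return x_bH3Yz[ggsElv < 48 ? ggsElv - 94 : ggsElv > 281 ? ggsElv - 80 : ggsElv - 49];
}
x_bH3Yz = UehMhMQ.call(this);
function nS3LeN(ggsElv, PS61TpK) {
  GrpZibt(ggsElv, "length", {
    value: PS61TpK,
    configurable: b2YUfe(104)
  });
  return ggsElv;
}
GrpZibt = Object.defineProperty;
var XPU2Of = [], MrnEyjO = [...]

// Tail
function UehMhMQ() {
  return [...];
}
function JBApsSj(ggsElv, x_bH3Yz = 0) {
  var GrpZibt = function () {
    return ggsElv(...arguments);
  };
  return PS61TpK(GrpZibt, "length", {
    "value": x_bH3Yz,
    "configurable": true
  });
}
```

  • Applies the GlobalConcealing transform, which hides the environment's built-in global methods; see correctOptions
  • Applies the OpaquePredicates transform, which adds an expression store in the global scope and then randomly replaces the test conditions of some IF and SWITCH statements
  • Applies the StringConcealing transform
    • Collects some strings into a global array and encodes/decodes them with a random Base91 alphabet; this transform has multiple local wrap and decode functions, but they share a global cache.
    • Collects some strings into an array in a local scope, with no additional processing
    • Collects some strings into an Object in a local scope, with no additional processing
  • Applies the StringCompression transform, which collects some strings into a global decoder function
  • Applies the Stack transform; the function nS3LeN wraps the argument ggsElv and can be replaced directly with ggsElv (this kind of transform is accompanied by converting the parameters into array form)
  • Applies the DuplicateLiteralsRemoval transform; the function UehMhMQ collects some strings and numbers (obfuscator's list collects only strings), and functions such as b2YUfe access the strings in UehMhMQ indirectly through x_bH3Yz
  • Applies the Minify transform; the function JBApsSj wraps the argument ggsElv and can be replaced directly with ggsElv
  • Applies the AntiTooling transform; the empty function ggsElv serves to execute the statements passed as arguments, which can scramble the logic of code blocks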
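
The DuplicateLiteralsRemoval lookup described in the comment above can be reversed statically. The following is an added example, not code from this project or from js-confuser: it parses the index function and the collector's literal list with regular expressions and inlines the calls without executing the sample. The sample string, its literal list and the helper names `parseIndexFn`, `parseLiterals` and `inlineLiterals` are constructed for illustration; only the index expression is taken from the issue.

```javascript
// Added example. SAMPLE is constructed; only the index expression in b2YUfe
// is copied from the issue. The literal list contents are made up.
const SAMPLE = `
function b2YUfe(ggsElv) {
  return x_bH3Yz[ggsElv < 48 ? ggsElv - 94 : ggsElv > 281 ? ggsElv - 80 : ggsElv - 49];
}
x_bH3Yz = UehMhMQ.call(this);
GrpZibt(fn, b2YUfe(49), { value: b2YUfe(51), configurable: b2YUfe(50) });
function UehMhMQ() {
  return ["length", true, 2];
}`;

// Parse `return ARR[p < A ? p - B : p > C ? p - D : p - E]` without running it.
function parseIndexFn(src) {
  const re = /function (\w+)\((\w+)\)\s*\{\s*return (\w+)\[\2 < (\d+) \? \2 - (\d+) : \2 > (\d+) \? \2 - (\d+) : \2 - (\d+)\];?\s*\}/;
  const m = re.exec(src);
  if (!m) return null;
  const [lo, loOff, hi, hiOff, midOff] = m.slice(4).map(Number);
  const index = (n) => (n < lo ? n - loOff : n > hi ? n - hiOff : n - midOff);
  return { name: m[1], array: m[3], index };
}

// Follow `ARR = COLLECTOR.call(this)` to the collector and read its returned
// list with JSON.parse, so no code from the sample is ever evaluated.
function parseLiterals(src, arrayName) {
  const bind = new RegExp(`${arrayName} = (\\w+)\\.call\\(this\\)`).exec(src);
  if (!bind) return null;
  const body = new RegExp(
    `function ${bind[1]}\\(\\)\\s*\\{\\s*return (\\[[^\\]]*\\]);?\\s*\\}`
  ).exec(src);
  if (!body) return null;
  try { return JSON.parse(body[1]); } catch { return null; }
}

// Replace NAME(<number>) calls with the literal they resolve to.
function inlineLiterals(src) {
  const fn = parseIndexFn(src);
  const table = fn && parseLiterals(src, fn.array);
  if (!table) return { code: src, replaced: 0 };
  let replaced = 0;
  const call = new RegExp(`\\b${fn.name}\\((\\d+)\\)`, "g");
  const code = src.replace(call, (whole, n) => {
    const i = fn.index(Number(n));
    if (i < 0 || i >= table.length) return whole; // out of range: keep the call
    replaced++;
    return JSON.stringify(table[i]);
  });
  return { code, replaced };
}
```

Text-level matching also rewrites matches inside string literals and depends on the exact formatting shown in the issue; an AST traversal avoids both limits.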

@goodwenhao
Author

OK, so this project currently can't decode this new type, right?

@echo094
Owner

echo094 commented Aug 14, 2024

If this is a publicly available obfuscation tool, adding support for it can be considered.

@goodwenhao
Author

OK, looking forward to your adding support for it.

@echo094 echo094 changed the title from "[Bug]: Expert, this can't be decoded; is it unsupported?" to "other: new obfuscation tool" Aug 15, 2024
@mrright-cyber

mrright-cyber commented Aug 15, 2024

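I've also recently noticed this kind of encryption showing up more and more; the format always looks like this:

```js
// Header:
function ukhkX8(){}
var fdyqG3=Object['defineProperty']
```

Looking forward to support for it.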

@echo094
Owner

echo094 commented Aug 15, 2024

> I've also recently noticed this kind of encryption showing up more and more

So do you know the link to this tool?

@echo094 echo094 closed this as not planned Aug 21, 2024
@Tlaeld

Tlaeld commented Aug 31, 2024

New obfuscation tool, requesting support:
https://github.com/MichaelXF/js-confuser

@echo094 echo094 reopened this Sep 1, 2024
@echo094 echo094 changed the title from "other: new obfuscation tool" to "js-confuser: new obfuscation tool" Sep 1, 2024
@mrright-cyber

mrright-cyber commented Sep 1, 2024

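I found the tool for this type; here is the link:

Repository address

This kind of encryption is spreading extremely fast; nowadays basically all JS is encrypted with it.

> I've also recently noticed this kind of encryption showing up more and more

> So do you know the link to this tool?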

@echo094 echo094 added the wip Work in progress label Sep 2, 2024
@echo094 echo094 linked a pull request Sep 2, 2024 that will close this issue
@echo094 echo094 changed the title from "js-confuser: new obfuscation tool" to "jsconfuser: new obfuscation tool" Sep 7, 2024
@echo094
Owner

echo094 commented Sep 7, 2024

Support is in progress; updates are pushed to the jsconfuser branch from time to time.

@greenwave1987

Can it be decoded now? I'm still getting errors and it doesn't work.

@echo094
Owner

echo094 commented Sep 24, 2024

> Can it be decoded now? I'm still getting errors and it doesn't work.

You can post your sample.

@greenwave1987

greenwave1987 commented Sep 24, 2024

https://raw.githubusercontent.com/6dylan6/jdpro/refs/heads/main/jd_dpqd_sign.js After updating the code this one works, but other files with this encryption still throw errors. Is this encryption really that powerful? Every encrypted file comes out different, for example the one below.
https://raw.githubusercontent.com/6dylan6/jdpro/refs/heads/main/jd_dpqd_main.js
Error:

```
D:\backup\decode-js-jsconfuser\src\plugin\jsconfuser.js:1010
decode_fn.traverse({
^

TypeError: Cannot read properties of null (reading 'traverse')
at findBufferToString (D:\backup\decode-js-jsconfuser\src\plugin\jsconfuser.js:1010:15)
at FunctionDeclaration (D:\backup\decode-js-jsconfuser\src\plugin\jsconfuser.js:1229:10)
at NodePath._call (D:\backup\decode-js-jsconfuser\node_modules@babel\traverse\lib\path\context.js:49:20)
at NodePath.call (D:\backup\decode-js-jsconfuser\node_modules@babel\traverse\lib\path\context.js:39:18)
at NodePath.visit (D:\backup\decode-js-jsconfuser\node_modules@babel\traverse\lib\path\context.js:85:31)
at TraversalContext.visitQueue (D:\backup\decode-js-jsconfuser\node_modules@babel\traverse\lib\context.js:89:16)
at TraversalContext.visitMultiple (D:\backup\decode-js-jsconfuser\node_modules@babel\traverse\lib\context.js:61:17)
at TraversalContext.visit (D:\backup\decode-js-jsconfuser\node_modules@babel\traverse\lib\context.js:110:19)
at traverseNode (D:\backup\decode-js-jsconfuser\node_modules@babel\traverse\lib\traverse-node.js:22:17)
at NodePath.visit (D:\backup\decode-js-jsconfuser\node_modules@babel\traverse\lib\path\context.js:91:52)
```

@wangjing71

```
TypeError: Cannot read properties of undefined (reading 'constantViolations')
at StringLiteral (C:\Users\hp\Desktop\decode-js-jsconfuser\src\plugin\jsconfuser.js:1283:17)
at NodePath._call (C:\Users\hp\Desktop\decode-js-jsconfuser\node_modules@babel\traverse\lib\path\context.js:49:20)
at NodePath.call (C:\Users\hp\Desktop\decode-js-jsconfuser\node_modules@babel\traverse\lib\path\context.js:39:18)
at NodePath.visit (C:\Users\hp\Desktop\decode-js-jsconfuser\node_modules@babel\traverse\lib\path\context.js:85:31)
at TraversalContext.visitQueue (C:\Users\hp\Desktop\decode-js-jsconfuser\node_modules@babel\traverse\lib\context.js:89:16)
at TraversalContext.visitSingle (C:\Users\hp\Desktop\decode-js-jsconfuser\node_modules@babel\traverse\lib\context.js:65:19)
at TraversalContext.visit (C:\Users\hp\Desktop\decode-js-jsconfuser\node_modules@babel\traverse\lib\context.js:112:19)
at traverseNode (C:\Users\hp\Desktop\decode-js-jsconfuser\node_modules@babel\traverse\lib\traverse-node.js:22:17)
at NodePath.visit (C:\Users\hp\Desktop\decode-js-jsconfuser\node_modules@babel\traverse\lib\path\context.js:91:52)
at TraversalContext.visitQueue (C:\Users\hp\Desktop\decode-js-jsconfuser\node_modules@babel\traverse\lib\context.js:89:16)
```
@echo094
Owner

echo094 commented Oct 19, 2024

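The remaining few passes of this obfuscation tool are fairly complex. I've had a lot of other things going on recently and don't have enough time this month for analysis and coding; I'll look at it again when I'm free.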

@wangjing71

It seems it still can't be decoded...

@echo094
Owner

echo094 commented Dec 15, 2024

> It seems it still can't be decoded...

Among these, the Stack obfuscation is fairly hard to deal with.


6 participants