如何解码这个混淆的JavaScript?

时间:2015-07-08 13:51:19

标签: javascript obfuscation blogger deobfuscation

我正在通过blogger.com建立博客,并使用veethemes.com上的模板让我入门。

但是,我注意到模板中有一个混淆的脚本,我更愿意知道它的作用是为了确保没有任何不良或不需要的东西。

代码如下:

var _0x378a=["\x6B\x20\x45\x28\x73\x2C\x6E\x29\x7B\x79\x20\x73\x2E\x77\x28\x2F\x3C\x5C\x2F\x3F\x28\x3F\x21\x53\x5C\x73\x2A\x5C\x2F\x3F\x29\x5B\x61\x2D\x7A\x5D\x5B\x61\x2D\x54\x2D\x39\x5D\x2A\x5B\x5E\x3C\x3E\x5D\x2A\x3E\x2F\x4C\x2C\x22\x22\x29\x2E\x4B\x28\x2F\x5C\x73\x2B\x2F\x29\x2E\x31\x37\x28\x30\x2C\x6E\x2D\x31\x29\x2E\x5A\x28\x27\x20\x27\x29\x7D\x6B\x20\x31\x31\x28\x65\x2C\x74\x2C\x6E\x2C\x68\x2C\x63\x2C\x62\x2C\x71\x29\x7B\x35\x20\x72\x3D\x6A\x2E\x66\x28\x65\x29\x3B\x35\x20\x69\x3D\x6A\x2E\x66\x28\x6E\x29\x3B\x35\x20\x63\x3D\x63\x3B\x35\x20\x62\x3D\x62\x3B\x35\x20\x73\x3D\x22\x22\x3B\x35\x20\x6F\x3D\x72\x2E\x31\x39\x28\x22\x41\x22\x29\x3B\x35\x20\x61\x3D\x58\x3B\x35\x20\x70\x3D\x22\x22\x3B\x35\x20\x31\x36\x3D\x22\x75\x2E\x4D\x28\x57\x2E\x38\x2C\x20\x27\x31\x30\x27\x2C\x20\x27\x31\x32\x3D\x59\x2C\x20\x31\x33\x3D\x31\x34\x2C\x20\x31\x38\x3D\x78\x2C\x20\x31\x35\x3D\x78\x2C\x20\x4F\x2C\x20\x4E\x27\x29\x3B\x20\x79\x20\x50\x3B\x22\x3B\x49\x28\x6F\x2E\x51\x3E\x3D\x31\x29\x7B\x73\x3D\x27\x3C\x33\x20\x36\x3D\x22\x56\x2D\x55\x22\x3E\x3C\x61\x20\x38\x3D\x22\x27\x2B\x74\x2B\x27\x22\x3E\x3C\x41\x20\x36\x3D\x22\x52\x22\x20\x76\x3D\x22\x27\x2B\x6F\x5B\x30\x5D\x2E\x76\x2E\x77\x28\x2F\x73\x5C\x42\x5C\x64\x7B\x32\x2C\x34\x7D\x2F\x2C\x27\x73\x27\x2B\x31\x6F\x29\x2B\x27\x22\x20\x31\x71\x3D\x22\x22\x2F\x3E\x3C\x2F\x61\x3E\x3C\x2F\x33\x3E\x27\x3B\x61\x3D\x31\x73\x7D\x35\x20\x67\x3D\x27\x3C\x33\x20\x36\x3D\x22\x31\x72\x22\x3E\x3C\x33\x20\x36\x3D\x22\x31\x74\x22\x3E\x3C\x33\x20\x36\x3D\x22\x43\x22\x3E\x3C\x37\x20\x36\x3D\x22\x31\x61\x22\x3E\x27\x2B\x62\x2B\x27\x3C\x2F\x37\x3E\x3C\x37\x20\x36\x3D\x22\x31\x70\x22\x3E\x3C\x61\x20\x38\x3D\x22\x27\x2B\x74\x2B\x27\x23\x31\x6D\x22\x3E\x27\x2B\x63\x2B\x27\x3C\x2F\x61\x3E\x3C\x2F\x37\x3E\x3C\x2F\x33\x3E\x3C\x44\x3E\x3C\x61\x20\x38\x3D\x22\x27\x2B\x74\x2B\x27\x22\x3E\x27\x2B\x6E\x2B\x27\x3C\x2F\x61\x3E\x3C\x2F\x44\x3E\x3C\x33\x20\x36\x3D\x22\x43\x20\x31\x66\x22\x3E\x3C\x37\x20\x36\x3D\x22\x71\x22\x3E\x31\x65\x20\x31\x6E\x20\x27\x2B\x71\x2B\x27\x3C\x2F\x37\x3E\x3C\x37\x20\x36\x3D\x22\x68\x22\x3E\x31\x64\x20\x27\x2B\x68\x2B\x27\x3C\x2F\x37\x3E\x3C\x2F\x33\x3E\x3C\x2F\x33\x3E\x27\x2B\x73\x2B\x27\x3C\x33\x20\x36\x3D\x22\x31\x62\x22\x3E\x3C\x70\x3E\x27\x2B\x45\x28\x72\x2E\x6D\x2C\x61\x29\x2B\x27\x20\x5B\x2E\x2E\x2E\x2E\x2E\x5D\x3C\x2F\x70\x3E\x3C\x2F\x33\x3E\x3C\x2F\x33\x3E\x27\x3B\x72\x2E\x6D\x3D\x67\x7D\x3B\x75\x2E\x31\x63\x3D\x6B\x28\x29\x7B\x35\x20\x65\x3D\x6A\x2E\x66\x28\x22\x31\x67\x22\x29\x3B\x49\x28\x65\x3D\x3D\x31\x68\x29\x7B\x75\x2E\x31\x6C\x2E\x38\x3D\x22\x4A\x3A\x2F\x2F\x46\x2E\x47\x2E\x6C\x22\x7D\x65\x2E\x48\x28\x22\x38\x22\x2C\x22\x4A\x3A\x2F\x2F\x46\x2E\x47\x2E\x6C\x2F\x22\x29\x3B\x65\x2E\x48\x28\x22\x31\x6B\x22\x2C\x22\x31\x6A\x22\x29\x3B\x65\x2E\x6D\x3D\x22\x31\x69\x2E\x6C\x22\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x7C\x7C\x64\x69\x76\x7C\x7C\x76\x61\x72\x7C\x63\x6C\x61\x73\x73\x7C\x73\x70\x61\x6E\x7C\x68\x72\x65\x66\x7C\x7C\x7C\x74\x61\x67\x7C\x63\x6F\x6D\x6D\x65\x6E\x74\x7C\x7C\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64\x7C\x7C\x64\x61\x74\x65\x7C\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x63\x6F\x6D\x7C\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C\x7C\x7C\x7C\x7C\x61\x75\x74\x68\x6F\x72\x7C\x7C\x7C\x7C\x77\x69\x6E\x64\x6F\x77\x7C\x73\x72\x63\x7C\x72\x65\x70\x6C\x61\x63\x65\x7C\x32\x34\x7C\x72\x65\x74\x75\x72\x6E\x7C\x7C\x69\x6D\x67\x7C\x7C\x6D\x65\x74\x61\x7C\x68\x32\x7C\x73\x74\x72\x69\x70\x54\x61\x67\x73\x7C\x77\x77\x77\x7C\x76\x65\x65\x74\x68\x65\x6D\x65\x73\x7C\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65\x7C\x69\x66\x7C\x68\x74\x74\x70\x7C\x73\x70\x6C\x69\x74\x7C\x69\x67\x7C\x6F\x70\x65\x6E\x7C\x72\x65\x73\x69\x7A\x61\x62\x6C\x65\x7C\x73\x63\x72\x6F\x6C\x6C\x62\x61\x72\x73\x7C\x66\x61\x6C\x73\x65\x7C\x6C\x65\x6E\x67\x74\x68\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x69\x6D\x67\x7C\x62\x72\x7C\x7A\x30\x7C\x6D\x65\x64\x69\x61\x7C\x70\x6F\x73\x74\x7C\x74\x68\x69\x73\x7C\x73\x75\x6D\x6D\x61\x72\x79\x5F\x6E\x6F\x69\x6D\x67\x7C\x35\x35\x30\x7C\x6A\x6F\x69\x6E\x7C\x77\x69\x6E\x64\x6F\x77\x4E\x61\x6D\x65\x7C\x72\x6D\x7C\x77\x69\x64\x74\x68\x7C\x68\x65\x69\x67\x68\x74\x7C\x36\x30\x30\x7C\x74\x6F\x70\x7C\x70\x6F\x70\x75\x70\x7C\x73\x6C\x69\x63\x65\x7C\x6C\x65\x66\x74\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x74\x61\x67\x73\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x65\x78\x63\x65\x72\x70\x74\x7C\x6F\x6E\x6C\x6F\x61\x64\x7C\x6F\x6E\x7C\x70\x6F\x73\x74\x65\x64\x7C\x70\x6F\x73\x74\x5F\x6D\x65\x74\x61\x7C\x61\x74\x74\x72\x69\x5F\x62\x75\x74\x69\x6F\x6E\x7C\x6E\x75\x6C\x6C\x7C\x56\x65\x65\x54\x68\x65\x6D\x65\x73\x7C\x64\x6F\x66\x6F\x6C\x6C\x6F\x77\x7C\x72\x65\x6C\x7C\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x7C\x63\x6F\x6D\x6D\x65\x6E\x74\x73\x7C\x62\x79\x7C\x37\x30\x30\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x63\x6F\x6D\x6D\x65\x6E\x74\x73\x7C\x73\x74\x79\x6C\x65\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x63\x6F\x6E\x74\x61\x69\x6E\x65\x72\x7C\x73\x75\x6D\x6D\x61\x72\x79\x69\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x68\x65\x61\x64\x65\x72","","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5C\x77\x2B","\x5C\x62","\x67"];

eval(function(_0x6c60x1,_0x6c60x2,_0x6c60x3,_0x6c60x4,_0x6c60x5,_0x6c60x6)
{_0x6c60x5=function(_0x6c60x3){return (_0x6c60x3<_0x6c60x2?_0x378a[4]:_0x6c60x5(
parseInt(_0x6c60x3/_0x6c60x2)))+((_0x6c60x3=_0x6c60x3%_0x6c60x2)>35?String[_0x378a[5]]
(_0x6c60x3+29):_0x6c60x3.toString(36))};if(!_0x378a[4][_0x378a[6]]
(/^/,String)){while(_0x6c60x3--){_0x6c60x6[_0x6c60x5(_0x6c60x3)]=_0x6c60x4[_0x6c60x3]||_0x6c60x5(_0x6c60x3)};
_0x6c60x4=[function(_0x6c60x5){return _0x6c60x6[_0x6c60x5]}];_0x6c60x5=function(){return _0x378a[7]};_0x6c60x3=1;};
while(_0x6c60x3--){if(_0x6c60x4[_0x6c60x3])
{_0x6c60x1=_0x6c60x1[_0x378a[6]]( new 
 RegExp(_0x378a[8]+_0x6c60x5(_0x6c60x3)+_0x378a[8],_0x378a[9]),
_0x6c60x4[_0x6c60x3])}};return _0x6c60x1;}(_0x378a[0],62,92,_0x378a[3]
[_0x378a[2]](_0x378a[1]),0,{}));

我能够使用ddecode.com解码第一部分并提出以下内容:

var _0x378a=["k E(s,n){y s.w(/<\/?(?!S\s*\/?)[a-z][a-T-9]*[^<>]*>/L,"").K(/\s+/).17(0,n-1).Z(' ')}k 11(e,t,n,h,c,b,q){5 r=j.f(e);5 i=j.f(n);5 c=c;5 b=b;5 s="";5 o=r.19("A");5 a=X;5 p="";5 16="u.M(W.8, '10', '12=Y, 13=14, 18=x, 15=x, O, N'); y P;";I(o.Q>=1){s='<3 6="V-U"><a 8="'+t+'"><A 6="R" v="'+o[0].v.w(/s\B\d{2,4}/,'s'+1o)+'" 1q=""/></a></3>';a=1s}5 g='<3 6="1r"><3 6="1t"><3 6="C"><7 6="1a">'+b+'</7><7 6="1p"><a 8="'+t+'#1m">'+c+'</a></7></3><D><a 8="'+t+'">'+n+'</a></D><3 6="C 1f"><7 6="q">1e 1n '+q+'</7><7 6="h">1d '+h+'</7></3></3>'+s+'<3 6="1b"><p>'+E(r.m,a)+' [.....]</p></3></3>';r.m=g};u.1c=k(){5 e=j.f("1g");I(e==1h){u.1l.8="J://F.G.l"}e.H("8","J://F.G.l/");e.H("1k","1j");e.m="1i.l"}","|","split","|||div||var|class|span|href|||tag|comment|||getElementById||date||document|function|com|innerHTML||||author||||window|src|replace|24|return||img||meta|h2|stripTags|www|veethemes|setAttribute|if|http|split|ig|open|resizable|scrollbars|false|length|article_img|br|z0|media|post|this|summary_noimg|550|join|windowName|rm|width|height|600|top|popup|slice|left|getElementsByTagName|article_tags|article_excerpt|onload|on|posted|post_meta|attri_bution|null|VeeThemes|dofollow|rel|location|comments|by|700|article_comments|style|article_container|summaryi|article_header","","fromCharCode","replace","\w+","\b","g"];

如果我删除了该脚本,那么某些地方的网站会中断,例如“阅读更多”不再会切断主页上的文章,并且不再显示帖子标题等。

任何帮助解码此内容或提供可能对我有用的工具的提示都会非常感激。

1 个答案:

答案 0 :(得分:2)

只需删除代码中的eval并将其放入开发人员控制台即可。

Example of deobfuscation

相关问题
最新问题