马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。
您需要 登录 才可以下载或查看,没有账号?立即注册
×
本帖最后由 凌零 于 2025-8-16 13:15 编辑
目标网址:https://www.alicesw.com/book/36968/f679b4cdb5096.html
找正文:
加密过后的,base64无法正常解密,定位到解密函数:
看看这个js:
同样混淆过,不过解混淆比较容易:
1. 提取字符串表这段代码的核心混淆方式是通过 _0x464f() 返回的字符串数组进行引用。我们可以先提取这个字符串数组: - const _0x464f = () => [
- '310lmMnFN', 'TextDecoder not available', 'decrypt_base64', 'Module', 'written',
- 'instantiate', 'slice', '557827htkZsG', '130CdByor', '343704MpArnB',
- 'exports', 'length', 'instantiateStreaming', 'search', '5298265OQixwu',
- '10715728EJQZxF', 'set', '__wbindgen_string_new', '{}.constructor("return this")( )',
- 'application/wasm', '`WebAssembly.instantiateStreaming` failed because your server does not serve Wasm with `application/wasm` MIME type. Falling back to `WebAssembly.instantiate` which is slower. Original error:\n',
- 'apply', 'TextEncoder not available', 'byteLength', 'info', 'warn',
- 'exception', '__wbindgen_malloc', 'utf-8', 'Content-Type', 'toString',
- '5663784CmmXTj', 'console', 'bind', '1778634UvUAql', 'using deprecated parameters for `initSync()`; pass a single object instead',
- 'url', 'Instance', 'prototype', '868077ByItEL', 'encodeInto',
- 'encode', 'table', 'subarray', 'decode', '(((.+)+)+$',
- '__wbindgen_export_0', '__wbindgen_start', 'function', 'memory', '__wbindgen_wasm_module',
- '__wbindgen_free', 'constructor', 'grow', 'string', 'undefined',
- 'trace', 'wbg', 'return (function() ', '4fEwMZg', 'alicesw_bg.wasm', 'getPrototypeOf'
- ];
2. 替换 _0x19734b 和 _0x4d39_0x19734b 和 _0x4d39 是同一个函数,作用是返回字符串数组中的某个索引对应的字符串 3. 替换 _0x1747da 和 _0xdb32ba这两个函数是反调试代码: 4. 提取 decrypt_base64 函数核心函数是: - export function decrypt_base64(_0x57473f) {
- const _0x2a550a = _0x19734b;
- let _0x12a91c, _0x36e60f;
- try {
- const _0x5f489e = passStringToWasm0(_0x57473f, wasm[_0x2a550a(0x213)], wasm['__wbindgen_realloc']),
- _0x44bec9 = WASM_VECTOR_LEN,
- _0x168e89 = wasm[_0x2a550a(0x1fa)](_0x5f489e, _0x44bec9);
- var _0x176f59 = _0x168e89[0x0], _0x13a588 = _0x168e89[0x1];
- if (_0x168e89[0x3]) {
- _0x176f59 = 0x0, _0x13a588 = 0x0;
- throw takeFromExternrefTable0(_0x168e89[0x2]);
- }
- return _0x12a91c = _0x176f59, _0x36e60f = _0x13a588, getStringFromWasm0(_0x176f59, _0x13a588);
- } finally {
- wasm[_0x2a550a(0x22b)](_0x12a91c, _0x36e60f, 0x1);
- }
- }
- export function decrypt_base64(input) {
- let ptr, len;
- try {
- const wasmInputPtr = passStringToWasm0(input, wasm['__wbindgen_malloc'], wasm['__wbindgen_realloc']);
- const wasmInputLen = WASM_VECTOR_LEN;
- const result = wasm['decrypt_base64'](wasmInputPtr, wasmInputLen); // 调用 Wasm 解密
- const [outputPtr, outputLen] = result;
- if (result[3]) { // 如果有异常
- throw takeFromExternrefTable0(result[2]);
- }
- ptr = outputPtr, len = outputLen;
- return getStringFromWasm0(outputPtr, outputLen); // 返回解密后的字符串
- } finally {
- wasm['__wbindgen_free'](ptr, len, 1); // 释放内存
- }
- }
那么我们看看wasm代码,先用wabt转换为dcmp c代码 ok,4700行,一堆混淆,解密时间太长了,我们不如直接调用它的函数 写html: - <!DOCTYPE html>
- <html>
- <head>
- <title>WASM</title>
- </head>
- <body>
- <script type="module">
- import init, { decrypt_base64 } from './alicesw.js';
- async function run() {
- try {
- await init();
- const encryptedData = "Test";
- const decrypted = decrypt_base64(encryptedData);
- alert(decrypted);
- } catch (error) {
- console.error("解密失败:", error);
- }
- }
- run();
- </script>
- </body>
- </html>
传入encryptedData
测试:
,成功 移植到js中也很简单,这里不做赘述 总结:解混淆不划算,换个算法再混淆就不行了;所以不如分析js,然后调用wasm进行解密。
|
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
照妖镜
不懂,但给大佬点赞
