JS解密的特点就是见eval就去掉, 除非用了更特别的手段
本例中去eval并执行得到
var _$=["",'','\\\x77\x2b','\\\x62','\\\x62','\x67','\x65\x20\x34\x24\x3d\x5b\x22\\\x37\\\x38\\\x33\\\x39\\\x33\\\x36\\\x35\\\x32\\\x32\\\x31\\\x64\\\x32\\\x66\\\x31\\\x31\x22\x5d\x3b\x61\x20\x62\x28\x29\x7b\x63\x3d\x20\x34\x24\x5b\x30\x5d\x7d','\x7c\x78\x36\x34\x7c\x78\x32\x66\x7c\x78\x36\x39\x7c\x5f\x7c\x78\x33\x61\x7c\x78\x36\x65\x7c\x78\x37\x37\x7c\x78\x36\x35\x7c\x78\x37\x38\x7c\x66\x75\x6e\x63\x74\x69\x6f\x6e\x7c\x6f\x6e\x65\x6b\x65\x79\x7c\x6c\x6f\x63\x61\x74\x69\x6f\x6e\x7c\x78\x36\x63\x7c\x76\x61\x72\x7c\x78\x36\x31','\x7c']window["\x65\x76\x61\x6c"](function(O2b,a5f,O1e,O27,e,O7f){e=function(O25){return(O25<a5f? _$[0]:e(window["\x70\x61\x72\x73\x65\x49\x6e\x74"](O25/a5f)))+((O25=O25%a5f)>0x23?String["\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65"](O25+0x1d):O25["\x74\x6f\x53\x74\x72\x69\x6e\x67"](0x24))}if(! _$[1]["\x72\x65\x70\x6c\x61\x63\x65"](/^/,String)){while(O1e--)O7f[e(O1e)]=O27[O1e]||e(O1e)O27=[function(a42){return O7f[a42]}]e=function(){return _$[2]}O1e=0x1}while(O1e--)if(O27[O1e])O2b=O2b["\x72\x65\x70\x6c\x61\x63\x65"](new RegExp( _$[3]+e(O1e)+ _$[4], _$[5]),O27[O1e])return O2b}( _$[6],0x10,0x10, _$[7]["\x73\x70\x6c\x69\x74"]( _$[8]),0x0,{}))显然是又一道加密
观察到window["\x65\x76\x61\x6c"]
就是window.eval
去掉它执行得到
var _$=["\x77\x65\x69\x78\x69\x6e\x3a\x2f\x2f\x64\x6c\x2f\x61\x64\x64"]function onekey(){location= _$[0]}
格式化後得到
var _$=["weixin://dl/add"]
function onekey(){location=_$[0]}
eval() 函数可计算某个字符串,并执行其中的的 JavaScript 代码。所以在每次执行之后, kode都在起变化, 变化过程如下:
0 :
kode="oked\"=)''):-1thnglee.od(kAtarche.od?kthnglee.od<k(ix+e=od}ki)t(rAha.cdeko)++1(iAtarche.od=kx+){=2i+)-1thnglee.od(ki<0i=r(fo'='x\"\\)''(nioj.)(esrever.)''(tilps.edok=edok\"\\\\\\oek\\d\\\"=\\\\)\\\\'\\n'o(.i(js)eeer.v'r()i'pt.ldskeeoo=d\\k\\\\\\\\\\\\\\\\\\\\\\\\\\\"o\\ek\\d\\\\=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\g\\\\f\\prqx1huwwz+l?hf%lvwuvsf#_um@2%:v<875m4_1Av2%f?lvwu%s>A\\,\\\\\\\\\\\\\\\\\\\\\\\\\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\x\\'=o'(f=ri<0oiekldn.teg+h)ic+k{d=.ohercoaeCtdiA-()f3ci0(c<=)2+1+8Sxr=nt.irgmfhorCoaeCcd}(o)ekxd\\=\\\\\\\\\\\\\\\\\\\\\\\\\\\"e\\o=\\d\\\"k\\\\\\\\o\\ekkdd=.opeis(l't.'e)ersv(r.eo)nj'i)(='\"\\\\\\edok\"\\e=od\"kkdo=eokeds.lpti'()'r.verees)(j.io(n'')"x=''for(i=0i<(kode.length-1)i+=2){x+=kode.charAt(i+1)+kode.charAt(i)}kode=x+(i<kode.length?kode.charAt(kode.length-1):'')
1 :
kode=")'':)1-htgnel.edok(tArahc.edok?htgnel.edok<i(+x=edok})i(tArahc.edok+)1+i(tArahc.edok=+x{)2=+i)1-htgnel.edok(<i0=i(rof''=x\"')('injo).e(rsvere).''t(lispe.od=kdeko\"\\oked\"\\=)\\\\''n(oi.j()seerev.r')('itpl.sdekoe=odk\\\\\\\\\\\\\"\\oked\\\\=\"\\\\\\\\\\\\\\\\\\\\\\g\\\\frpxqh1wuzwl+h?%fvluwsv#fu_@m%2v:8<574m1_vA%2?fvluws%A>,\\\\\\\\\\\\\"\\\\\\\\\\\\\\\\\\x'='of(r=i0<iokedl.netgh+i)+c{k=do.ehcraoCedtAi(-)3fic(0<c)=+218+xS=rtni.grfmohCraoCedc(})okedx=\\\\\\\\\\\\\"\\e=od\"\\k\\\\okedk=do.epsil(t''.)erevsr(e.)ojni'()'=\"\\deko\"=edok"kode=kode.split('').reverse().join('')
2 :
kode="oked\"=')('injo).e(rsvere).''t(lispe.od=kdeko\\k\"do=e\"\\\\\\=xdeko)}(cdeCoarChomfrg.intr=Sx+812+=)c<0(cif3)-(iAtdeCoarche.od=k{c+)i+hgten.ldekoi<0i=r(fo'='x\\\\\\\\\"\\\\\\,>A%swulvf?2%Av_1m475<8:v2%m@_uf#vswulvf%?h+lwzuw1hqxprf\\g\\\\\\\\\\\"=\\deko\"\\\\\\kdo=eokeds.lpti'()'r.verees)(j.io(n''\\)=\"deko\"okedk=do.epsil(t''.)erevsr(e.)ojni'()'"x=''for(i=0i<(kode.length-1)i+=2){x+=kode.charAt(i+1)+kode.charAt(i)}kode=x+(i<kode.length?kode.charAt(kode.length-1):'')
3 :
kode=")''(nioj.)(esrever.)''(tilps.edok=edok\"kode=\"\\x=edok})c(edoCrahCmorf.gnirtS=+x821=+c)0<c(fi3-)i(tAedoCrahc.edok=c{)++ihtgnel.edok<i0=i(rof''=x\\\\\"\\>,%Awslufv2?A%_vm174<5:82vm%_@fuv#wslufv?%+hwluz1wqhpxfrg\\\\\"\\=edok\"\\kode=kode.split('').reverse().join('')\"=edok"kode=kode.split('').reverse().join('')
4 :
kode=")''(nioj.)(esrever.)''(tilps.edok=edok\"kode=\"\\grfxphqw1zulwh+%?vfulsw#vuf@_%mv28:5<471mv_%A?2vfulswA%,>\"\\x=''for(i=0i<kode.lengthi++){c=kode.charCodeAt(i)-3if(c<0)c+=128x+=String.fromCharCode(c)}kode=x\"=edok"kode=kode.split('').reverse().join('')
5 :
kode="x=edok})c(edoCrahCmorf.gnirtS=+x821=+c)0<c(fi3-)i(tAedoCrahc.edok=c{)++ihtgnel.edok<i0=i(rof''=x\">,%Awslufv2?A%_vm174<5:82vm%_@fuv#wslufv?%+hwluz1wqhpxfrg\"=edok"kode=kode.split('').reverse().join('')
6 :
kode="grfxphqw1zulwh+%?vfulsw#vuf@_%mv28:5<471mv_%A?2vfulswA%,>"x=''for(i=0i<kode.lengthi++){c=kode.charCodeAt(i)-3if(c<0)c+=128x+=String.fromCharCode(c)}kode=x
7 :
document.write("<script src=\"js/572914.js\"></script>")
