Decrypting it manually was much simpler than expected, and it took less than half an hour to do it.
The most critical parts of JS deobfuscation:
- eval, document.write, VBS's EXECUTE, execScript and other functions that can run JS
- unescape
There are generally several ways to obfuscate JS:
1. Convert the code into an incomprehensible hex form with escape.
2. Apply a simple reversible encryption to the code, then ship a decryption function that decrypts it and hands the resulting code string to the JS engine through a call such as eval.
3. Strip comments and whitespace from the code and rename internal functions and variables to meaningless numbers or easily confused strings, such as a mix of the digit 0 and the letter O, so they are hard to tell apart.
A more advanced obfuscator combines the above methods.
Therefore, the way to restore it is:
1. Use unescape to decode the visible %XX strings.
2. Find the entry point: eval or a similar interpreting function.
3. Find the strings passed as arguments to eval.
4. If those strings are also in hex form, decode them with unescape as well.
5. Repeat steps 2-4 until all the code has been recovered.
6. At this point it is very likely that the recovered function still uses some variables, and these variables are large strings. In that case, those strings are the encrypted source code. Insert code at a suitable position at the end of the function that uses them to display their decrypted string, and you get the source code.
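The procedure above (find the eval entry, unescape its argument, repeat) as an added JavaScript example that is not code from the original post. It assumes Node.js and a constructed two-layer sample built with the shift3 and jsEscape helpers; instead of reading the decoder by hand, it replaces eval, unescape, document.write and execScript with capture functions so the obfuscator's own decryption routine does the work and only the code it would have executed is recorded.

```javascript
// Added example (not from the original post): peel nested eval/unescape layers by
// running each layer with eval/document.write/execScript swapped for recorders.
// Equivalent of the legacy unescape(): decode %XX and %uXXXX sequences.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, x) => String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}
// Equivalent of the legacy escape(); used only to build the constructed sample.
function jsEscape(s) {
  return s.replace(/[^A-Za-z0-9@*_+\-./]/g, (ch) => {
    const c = ch.charCodeAt(0).toString(16).toUpperCase();
    return c.length <= 2 ? '%' + c.padStart(2, '0') : '%u' + c.padStart(4, '0');
  });
}
// Run one layer with the execution entry points replaced. Whatever the layer
// tries to hand to the JS engine is recorded instead of being run.
function runLayer(code) {
  const captured = [];                       // { via, text } in call order
  const cap = (via) => (s) => { captured.push({ via, text: String(s) }); };
  const fakeDocument = { write: cap('document.write') }, fakeWindow = { execScript: cap('execScript') };
  // The parameters shadow the real eval/unescape/document/window inside the body;
  // a parameter named "eval" is legal in the sloppy mode that new Function uses.
  const fn = new Function('eval', 'unescape', 'document', 'window', code);
  fn(cap('eval'), jsUnescape, fakeDocument, fakeWindow);
  return captured;
}
// Steps 2-5: repeat until nothing more is handed to eval, or the innermost layer
// only emits HTML through document.write. Returns every layer, outermost first.
function peel(code, maxDepth = 10) {
  const layers = [{ via: 'input', text: code }];
  let current = code;
  for (let depth = 0; depth < maxDepth; depth++) {
    let found;
    try { found = runLayer(current); } catch (e) { layers.push({ via: 'error', text: String(e) }); break; }
    if (found.length === 0) break;
    layers.push(...found);
    const next = found.filter((f) => !f.via.startsWith('document.')).pop();
    if (!next) break;
    current = next.text;
  }
  return layers;
}
// Constructed sample: a document.write payload wrapped in a shift-by-3 "encryption"
// with its own decoder (method 2), then hidden behind %XX escapes (method 1).
const shift3 = (s) => s.replace(/[\s\S]/g, (ch) => String.fromCharCode(ch.charCodeAt(0) + 3));
const INNER = 'document.write("<p>constructed payload</p>")';
const LAYER2 = 'var c="' + shift3(INNER) + '";var o="";' +
  'for(var i=0;i<c.length;i++){o+=String.fromCharCode(c.charCodeAt(i)-3);}eval(o);';
const SAMPLE = 'eval(unescape("' + jsEscape(LAYER2) + '"))';
for (const layer of peel(SAMPLE)) console.log('[' + layer.via + '] ' + layer.text);
```

Because the recorder never executes what it captures, a layer that needs browser objects the fake window does not provide simply stops the loop with an 'error' entry, and the layers recovered up to that point are still returned.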
The most important thing to note here is to look closely at the variable names. Much of the decryption code is built from names such as 000O and 0O00; make sure you read the real names of these variables correctly.
Be careful to preserve the declaration and definition order of functions and variables, otherwise a function or variable may no longer be found because it was moved.
In addition, obfuscation tools add a lot of junk code, which can be deleted.
A stronger obfuscation tool may also insert some useful code into the junk-looking code it generates, to supply variables such as the decryption key to the garbled function that follows, so be careful not to disturb the order of the code. If you are not sure whether something is junk code, leave it in for now.
Method 3 looks like the simplest and crudest, but in fact it is the one that affects us most. Reading code with no comments, in a confusing layout and with a pile of meaninglessly named identifiers is a nightmare for any normal person. However, probably because what counts as "internal" is hard to judge, some obfuscation tools do not offer this function.
Another method: decoding the web page
In the address bar, or after pressing Ctrl+O, enter: