脱ob混淆

// String table of the sample. Every entry is a Base64-encoded string; the decoder `_$ob`
// looks an entry up by index and decodes it on first use.
var _$oa = ['dmRXUFI=', 'Y2FsbA==', 'ZEdqcm4=', 'Y2h5QXU=', 'TFFSVHM=', 'YWN0aW9u', 'XCtcKyAqKD86W2EtekEtWl8kXVswLTlhLXpBLVpfJF0qKQ==', '5q2k572R6aG15Y+X44CQ54ix6ZSt5LqR55u+IFYxLjAg5Yqo5oCB54mI44CR5L+d5oqk', 'eHdtS0Y=', 'bk9wVnY=', 'UkdDSHg=', 'Ym50Vmc=', 'eEFYWW4=', 'cEFGaXE=', 'OyBwYXRoPS8=', 'YXBwbHk=', 'aW5pdA==', 'Y291bnRlcg==', 'YkNYR0I=', 'clFWeGY=', 'dGt2Sm4=', 'dUxyQVk=', 'ZmxUdVA=', 'NHwyfDF8NnwzfDd8NXw4fDA=', 'UWNBeXk=', 'c2lnbj0=', 'Y29va2ll', 'VUxVUFc=', 'd2hpbGUgKHRydWUpIHt9', 'YWlkaW5nX3dpbg==', 'YlBoZ1Q=', 'TW9TaGM=', 'V3drSXk=', 'ZGVidQ==', 'ZnBTTmM=', 'ZU5IakQ=', 'SERGWHI=', 'dGVzdA==', 'aW5wdXQ=', 'c3BsaXQ=', 'cFdEQWI=', 'eldrSnY=', 'dkR6UXA=', 'Y2hhaW4=', 'bG9n', 'Vm5qSkk=', 'SXpGT24=', 'cm91bmQ=', 'RURGWXQ=', 'YnRvYQ==', 'dVVPQ2M=', 'aEJWT2M=', 'c3RhdGVPYmplY3Q=', 'Y1dFWGM=', 'UWZjelY=', 'Y29uc3RydWN0b3I=', 'SkNMWmc=', 'UFhObGU=', 'cURkT3g=', 'c3RyaW5n', 'ZUFscmQ=', 'eEZWYm4=', 'cWlDWkI=', 'bVFVb08=', 'dmFsdWVPZg==', 'SW15bEM=', 'WUtIT1I=', 'a1ZrTnU='];
// Rotation step: c() is called with 0x1ca + 1, and `while (--f)` then moves the first
// element of the table to its end 0x1ca (458) times. The indices passed to `_$ob('0x..')`
// refer to the rotated order, so the table and this IIFE must be evaluated together and
// in this order before any index is resolved.
(function (a, b) {
var c = function (f) {
while (--f) {
a['push'](a['shift']());
}
};
c(++b);
}(_$oa, 0x1ca));
// String decoder of the sample: `_$ob('0x29')` returns the decoded table entry at that index.
// `a` is the index (a hex string such as '0x29', coerced to a number below); `b` is not
// used anywhere in this body.
var _$ob = function (a, b) {
// Coerce the index string to a number.
a = a - 0x0;
var c = _$oa[a];
// One-time initialisation, guarded by the 'NIHRIE' flag stored on the function itself.
if (_$ob['NIHRIE'] === undefined) {
(function () {
var f;
// Obtain the global object through the Function constructor; fall back to `window`
// if constructing or calling that function throws.
try {
var h = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
f = h();
} catch (i) {
f = window;
}
var g = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
// Install a hand-written Base64 decoder only when the global object has no `atob`.
f['atob'] || (f['atob'] = function (j) {
var k = String(j)['replace'](/=+$/, '');
var l = '';
for (var m = 0x0, n, o, p = 0x0; o = k['charAt'](p++); ~o && (n = m % 0x4 ? n * 0x40 + o : o,
m++ % 0x4) ? l += String['fromCharCode'](0xff & n >> (-0x2 * m & 0x6)) : 0x0) {
o = g['indexOf'](o);
}
return l;
}
);
}());
// Decoder proper: Base64-decode, percent-encode every resulting char code as two hex
// digits, then let decodeURIComponent turn those bytes into text.
_$ob['rVIAwQ'] = function (e) {
var f = atob(e);
// `g` starts as an empty array; the first `+=` below coerces it to a string.
var g = [];
for (var h = 0x0, j = f['length']; h < j; h++) {
g += '%' + ('00' + f['charCodeAt'](h)['toString'](0x10))['slice'](-0x2);
}
return decodeURIComponent(g);
}
;
// Cache of already decoded entries, keyed by index.
_$ob['kVQkhq'] = {};
_$ob['NIHRIE'] = !![];
}
// Serve from the cache when possible; otherwise decode once and remember the result.
var d = _$ob['kVQkhq'][a];
if (d === undefined) {
c = _$ob['rVIAwQ'](c);
_$ob['kVQkhq'][a] = c;
} else {
c = d;
}
return c;
};

// Entry IIFE of the sample. It combines three obfuscation layers: string lookups through
// `_$ob('0x..')`, an indirection object whose members are either decoded strings or
// one-line wrappers around an operator or a call, and a flattened control flow driven by
// a while/switch dispatcher.
(function () {
// Indirection object: every string and every `+`, `/` or call used below goes through it.
var a = {
'QxnwF': _$ob('0x29'),
'qDdOx': 'function\x20*\x5c(\x20*\x5c)',
'rQVxf': _$ob('0x18'),
'fpSNc': function (g, h) {
return g(h);
},
'tkvJn': _$ob('0x22'),
'mQUoO': function (g, h) {
return g + h;
},
'foapq': _$ob('0x3d'),
'vDzQp': function (g, h) {
return g + h;
},
'PXNle': _$ob('0x38'),
'zWkJv': function (g) {
return g();
},
'ImylC': function (g, h, i) {
return g(h, i);
},
'GlSVu': function (g, h) {
return g(h);
},
'eAlrd': _$ob('0x2f'),
'chyAu': function (g, h) {
return g(h);
},
'pAFiq': function (g, h) {
return g / h;
},
'gRhqo': _$ob('0x19'),
'QcAyy': function (g, h) {
return g + h;
},
'flTuP': function (g, h) {
return g + h;
},
'JbVLe': function (g, h) {
return g + h;
},
'hBVOc': function (g, h) {
return g + h;
},
'Qvcfa': function (g, h) {
return g + h;
},
'ckPds': _$ob('0x2b'),
'cWEXc': _$ob('0x20')
};
// Dispatcher: `b` is the '|'-separated execution order held in a['QxnwF']; the loop runs
// the matching `case` for each entry and leaves through `break` once the list is exhausted.
var b = a['QxnwF'][_$ob('0x39')]('|');
var c = 0x0;
while (!![]) {
switch (b[c++]) {
case '0':
// Reloads the page.
location['reload']();
continue;
case '1':
// Calls a wrapper on `f` with `d`, `this` and a callback that builds two RegExp objects
// and calls `_$oc`; `f` and `d` come from cases '4' and '2'.
(function () {
f[_$ob('0x0')](d, this, function () {
var g = new RegExp(f['ixSbH']);
var h = new RegExp(f[_$ob('0x30')], 'i');
var i = f[_$ob('0x1b')](_$oc, f[_$ob('0x6')]);
if (!g[_$ob('0x37')](f[_$ob('0x4')](i, f[_$ob('0x31')])) || !h['test'](f[_$ob('0x14')](i, f['ClSnf']))) {
f[_$ob('0x1b')](i, '0');
} else {
f[_$ob('0x32')](_$oc);
}
})();
}());
continue;
case '2':
// `d` is a factory for run-once wrappers: the first wrapper it hands out applies the
// callback `i` to `h` a single time, every later one is an empty function.
var d = function () {
var g = !![];
return function (h, i) {
var j = g ? function () {
if (i) {
var k = i[_$ob('0x21')](h, arguments);
i = null;
return k;
}
}
: function () {
}
;
g = ![];
return j;
}
;
}();
continue;
case '3':
var e = new Date()[_$ob('0xe')]();
continue;
case '4':
// Second indirection layer: members of `f` only forward to members of `a`.
var f = {
'ixSbH': a[_$ob('0x8')],
'bPhgT': a[_$ob('0x25')],
'nOpVv': function (g, h) {
return a[_$ob('0x34')](g, h);
},
'JCLZg': a[_$ob('0x26')],
'QfczV': function (g, h) {
return a[_$ob('0xd')](g, h);
},
'MoShc': a['foapq'],
'dGjrn': function (g, h) {
return a[_$ob('0x3c')](g, h);
},
'ClSnf': a[_$ob('0x7')],
'WwkIy': function (g) {
return a[_$ob('0x3b')](g);
},
'uUOCc': function (g, h, i) {
return a[_$ob('0xf')](g, h, i);
}
};
continue;
case '5':
// `md` is assigned without a declaration; `hex_md5` is not defined in this listing.
md = a['GlSVu'](hex_md5, window[_$ob('0x43')](a[_$ob('0x3c')](a[_$ob('0xa')], a[_$ob('0x15')](String, Math[_$ob('0x41')](a[_$ob('0x1f')](e, 0x3e8))))));
continue;
case '6':
console[_$ob('0x3e')](a['gRhqo']);
continue;
case '7':
// `token` is assigned without a declaration as well.
token = window[_$ob('0x43')](a[_$ob('0x2a')](a[_$ob('0xa')], a[_$ob('0x15')](String, e)));
continue;
case '8':
// Assigns a property of `document`, built from `e`, `token` and `md` by nested
// concatenation wrappers.
document[_$ob('0x2c')] = a[_$ob('0x2a')](a[_$ob('0x28')](a['JbVLe'](a['hBVOc'](a[_$ob('0x1')](a['Qvcfa'](a['ckPds'], Math[_$ob('0x41')](a['pAFiq'](e, 0x3e8))), '~'), token), '|'), md), a[_$ob('0x3')]);
continue;
}
break;
}
}());

// Helper called from the entry IIFE. With a truthy argument it takes the `if (a)` branch,
// which can return the inner function `c`; with a falsy argument it calls `c(0)`. Any
// exception is swallowed by the empty `catch`.
function _$oc(a) {
// Indirection object with decoded strings and one-line operator/call wrappers.
var b = {
'IzFOn': _$ob('0x2e'),
'eNHjD': _$ob('0x23'),
'RGCHx': function (d, e) {
return d !== e;
},
'bntVg': _$ob('0x1a'),
'NRFLz': _$ob('0xc'),
'LQRTs': function (d, e) {
return d === e;
},
'xAXYn': _$ob('0x9'),
'pWDAb': function (d, e) {
return d + e;
},
'YKHOR': function (d, e) {
return d / e;
},
'ULUPW': 'length',
'auKTB': function (d, e) {
return d % e;
},
'WVeuC': _$ob('0x33'),
'vdWPR': 'gger',
'xFVbn': _$ob('0x17'),
'qKJjZ': function (d, e) {
return d + e;
},
'kVkNu': _$ob('0x2'),
'HDFXr': function (d, e) {
return d(e);
},
'Wunxg': _$ob('0x3f'),
'EDFYt': _$ob('0x24')
};

// `c` builds new functions at run time by passing strings to the `constructor` of a
// function expression, and calls itself again with `++d`.
function c(d) {
var e = {
'uLrAY': b[_$ob('0x40')],
'jwQYi': b[_$ob('0x35')]
};
if (b['RGCHx'](b[_$ob('0x1d')], b['NRFLz'])) {
if (b[_$ob('0x16')](typeof d, b[_$ob('0x1e')])) {
return function (f) {
}
[_$ob('0x5')](b[_$ob('0x40')])[_$ob('0x21')](b['eNHjD']);
} else {
if (b[_$ob('0x1c')](b['pWDAb']('', b[_$ob('0x10')](d, d))[b[_$ob('0x2d')]], 0x1) || b[_$ob('0x16')](b['auKTB'](d, 0x14), 0x0)) {
(function () {
return !![];
}
[_$ob('0x5')](b[_$ob('0x3a')](b['WVeuC'], b[_$ob('0x12')]))[_$ob('0x13')](b[_$ob('0xb')]));
} else {
(function () {
return ![];
}
['constructor'](b['qKJjZ'](b['WVeuC'], b['vdWPR']))['apply'](b[_$ob('0x11')]));
}
}
b['HDFXr'](c, ++d);
} else {
return function (g) {
}
['constructor'](e[_$ob('0x27')])[_$ob('0x21')](e['jwQYi']);
}
}

try {
if (a) {
if (b[_$ob('0x1c')](b['Wunxg'], b[_$ob('0x42')])) {
return c;
} else {
// `firstCall`, `fn` and `context` are not declared anywhere in this function.
var e = firstCall ? function () {
if (fn) {
var f = fn['apply'](context, arguments);
fn = null;
return f;
}
}
: function () {
}
;
firstCall = ![];
return e;
}
} else {
b[_$ob('0x36')](c, 0x0);
}
} catch (e) {
}
}

根据我们对ob混淆的理解,通常开头是一个大数组,然后后面会跟着数组移位和数组混淆这两个函数,我们要对 _$ob 这个对象进行还原,所以需要先将前面三段代码放到内存中去,即需要提前运行

要进行数组还原,我们先看下我们要还原的对象是个什么东西

_$ob('0x29') 是一个函数调用的表达式,因此想要还原的话需要遍历 CallExpression

image-20240607163858482

在遍历的时候会发现找到了很多对象,但是我们要找的是 _$ob,所以需要判断 callee 对象下的 name 属性是否是 _$ob

image-20240607164042815

image-20240607164140029

// Print every call whose callee is the identifier `_$ob` (the sample's string decoder).
traverse(ast, {
  CallExpression(path) {
    const { callee } = path.node;
    if (callee.name !== "_$ob") {
      return;
    }
    console.log(path.toString());
  },
});

接下来我们要取出 _$ob 中的索引值,就是找 arguments 第一个的value

image-20240607164502707

// Print every `_$ob(...)` call together with the index it is called with.
traverse(ast, {
  CallExpression(path) {
    const call = path.node;
    if (call.callee.name !== "_$ob") {
      return;
    }
    console.log(path.toString());
    // The index into the string table is the value of the first argument.
    const [indexArgument] = call.arguments;
    console.log(indexArgument.value);
  },
});

重点来了

_$ob 函数已经在内存中运行了,如果我去调用 _$ob(xxx) 就可以直接取到值了

所以现在要做的,就是将我们获取到的节点替换成 _$ob(path.node.arguments[0].value) 的返回值就可以了

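// Fold every `_$ob('0x..')` call into the string literal it decodes to, then print the
// regenerated source.
//
// NOTE(security): `_$ob` is the decoder taken from the sample itself (string table,
// rotation IIFE and decoder are loaded into this process beforehand). Calling it runs
// sample code with the privileges of this Node process, so run this script only in an
// isolated, disposable environment.
traverse(ast, {
  CallExpression(path) {
    const { callee, arguments: args } = path.node;
    if (callee.name !== "_$ob") {
      return;
    }
    // Only fold calls whose index is a constant; anything else is left for manual review
    // instead of being passed to the decoder as `undefined`.
    const indexArgument = args[0];
    if (
      !indexArgument ||
      (indexArgument.type !== "StringLiteral" && indexArgument.type !== "NumericLiteral")
    ) {
      return;
    }
    // Decode once and reuse the value for both the log line and the replacement node.
    const decoded = _$ob(indexArgument.value);
    console.log(path.toString(), "---------->", decoded);
    path.replaceWith({
      type: "StringLiteral",
      value: decoded,
    });
  },
});

let out_code = generate(ast).code;
console.log(out_code);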

最后也是成功将数组还原

image-20240607165431234

脱ob混淆-控制流平坦化

继续还原上面的代码,将数组还原后的代码取出来

// input.js
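// Entry IIFE of the sample after the `_$ob(...)` lookups have been folded into literals.
// Two layers are still in place: the indirection objects `a` and `f` (strings plus
// one-line operator/call wrappers) and the flattened control flow (while/switch driven by
// the order string in a['QxnwF']).
(function () {
  var a = {
    // Execution order of the switch cases below.
    'QxnwF': "4|2|1|6|3|7|5|8|0",
    // The obfuscated source spells this value as 'function\x20*\x5c(\x20*\x5c)', i.e. with
    // a literal backslash in front of each parenthesis. Inside a quoted string those
    // backslashes have to be doubled, otherwise the value silently becomes
    // `function *( *)` and the RegExp built from it means something else.
    'qDdOx': 'function *\\( *\\)',
    'rQVxf': "\\+\\+ *(?:[a-zA-Z_$][0-9a-zA-Z_$]*)",
    'fpSNc': function (g, h) {
      return g(h);
    },
    'tkvJn': "init",
    'mQUoO': function (g, h) {
      return g + h;
    },
    'foapq': "chain",
    'vDzQp': function (g, h) {
      return g + h;
    },
    'PXNle': "input",
    'zWkJv': function (g) {
      return g();
    },
    'ImylC': function (g, h, i) {
      return g(h, i);
    },
    'GlSVu': function (g, h) {
      return g(h);
    },
    'eAlrd': "aiding_win",
    'chyAu': function (g, h) {
      return g(h);
    },
    'pAFiq': function (g, h) {
      return g / h;
    },
    'gRhqo': "\u6B64\u7F51\u9875\u53D7\u3010\u7231\u952D\u4E91\u76FE V1.0 \u52A8\u6001\u7248\u3011\u4FDD\u62A4",
    'QcAyy': function (g, h) {
      return g + h;
    },
    'flTuP': function (g, h) {
      return g + h;
    },
    'JbVLe': function (g, h) {
      return g + h;
    },
    'hBVOc': function (g, h) {
      return g + h;
    },
    'Qvcfa': function (g, h) {
      return g + h;
    },
    'ckPds': "sign=",
    'cWEXc': "; path=/"
  };
  // Dispatcher: run the case named by each entry of `b`, then leave through `break`.
  var b = a['QxnwF']["split"]('|');
  var c = 0x0;
  while (!![]) {
    switch (b[c++]) {
      case '0':
        // Last step: reload the page.
        location['reload']();
        continue;
      case '1':
        // Self-check: builds two RegExp objects from the patterns above and tests them
        // against the text of what `_$oc("init")` returns, concatenated with "chain" and
        // "input"; depending on the result it calls that value with '0' or calls `_$oc()`.
        (function () {
          f["uUOCc"](d, this, function () {
            var g = new RegExp(f['ixSbH']);
            var h = new RegExp(f["bPhgT"], 'i');
            var i = f["nOpVv"](_$oc, f["JCLZg"]);
            if (!g["test"](f["QfczV"](i, f["MoShc"])) || !h['test'](f["dGjrn"](i, f['ClSnf']))) {
              f["nOpVv"](i, '0');
            } else {
              f["WwkIy"](_$oc);
            }
          })();
        })();
        continue;
      case '2':
        // Factory for run-once wrappers: the first wrapper applies callback `i` to `h` a
        // single time, every later wrapper is an empty function.
        var d = function () {
          var g = !![];
          return function (h, i) {
            var j = g ? function () {
              if (i) {
                var k = i["apply"](h, arguments);
                i = null;
                return k;
              }
            } : function () {};
            g = ![];
            return j;
          };
        }();
        continue;
      case '3':
        // Current time in milliseconds.
        var e = new Date()["valueOf"]();
        continue;
      case '4':
        // Second indirection layer: members of `f` only forward to members of `a`.
        var f = {
          'ixSbH': a["qDdOx"],
          'bPhgT': a["rQVxf"],
          'nOpVv': function (g, h) {
            return a["fpSNc"](g, h);
          },
          'JCLZg': a["tkvJn"],
          'QfczV': function (g, h) {
            return a["mQUoO"](g, h);
          },
          'MoShc': a['foapq'],
          'dGjrn': function (g, h) {
            return a["vDzQp"](g, h);
          },
          'ClSnf': a["PXNle"],
          'WwkIy': function (g) {
            return a["zWkJv"](g);
          },
          'uUOCc': function (g, h, i) {
            return a["ImylC"](g, h, i);
          }
        };
        continue;
      case '5':
        // md = hex_md5(btoa("aiding_win" + String(Math.round(e / 1000)))).
        // `md` is an undeclared assignment; `hex_md5` is not defined in this listing.
        md = a['GlSVu'](hex_md5, window["btoa"](a["vDzQp"](a["eAlrd"], a["chyAu"](String, Math["round"](a["pAFiq"](e, 0x3e8))))));
        continue;
      case '6':
        console["log"](a['gRhqo']);
        continue;
      case '7':
        // token = btoa("aiding_win" + String(e)); undeclared assignment as well.
        token = window["btoa"](a["QcAyy"](a["eAlrd"], a["chyAu"](String, e)));
        continue;
      case '8':
        // Cookie value: "sign=" + Math.round(e / 1000) + "~" + token + "|" + md + "; path=/".
        document["cookie"] = a["QcAyy"](a["flTuP"](a['JbVLe'](a['hBVOc'](a["hBVOc"](a['Qvcfa'](a['ckPds'], Math["round"](a['pAFiq'](e, 0x3e8))), '~'), token), '|'), md), a["cWEXc"]);
        continue;
    }
    break;
  }
})();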
// Anti-debugging helper of the sample. The entry IIFE calls `_$oc("init")`, which returns
// the inner function `c`, and runs regular expressions against the text of that function;
// the code is therefore left exactly as generated and only annotated.
function _$oc(a) {
// Indirection object: decoded strings plus one-line operator/call wrappers.
var b = {
'IzFOn': "while (true) {}",
'eNHjD': "counter",
'RGCHx': function (d, e) {
return d !== e;
},
'bntVg': "xwmKF",
'NRFLz': "qiCZB",
'LQRTs': function (d, e) {
return d === e;
},
'xAXYn': "string",
'pWDAb': function (d, e) {
return d + e;
},
'YKHOR': function (d, e) {
return d / e;
},
'ULUPW': 'length',
'auKTB': function (d, e) {
return d % e;
},
// 'debu' + 'gger' are joined at run time to form the body of a constructed function.
'WVeuC': "debu",
'vdWPR': 'gger',
'xFVbn': "action",
'qKJjZ': function (d, e) {
return d + e;
},
'kVkNu': "stateObject",
'HDFXr': function (d, e) {
return d(e);
},
'Wunxg': "VnjJI",
'EDFYt': "bCXGB"
};
// `c(d)`: for a string argument it builds and runs a function whose body is
// "while (true) {}"; otherwise it builds and runs a function whose body is the `debugger`
// statement, then calls itself with `++d`.
function c(d) {
var e = {
'uLrAY': b["IzFOn"],
'jwQYi': b["eNHjD"]
};
// "xwmKF" !== "qiCZB" always holds, so the outer `else` branch never runs.
if (b['RGCHx'](b["bntVg"], b['NRFLz'])) {
if (b["LQRTs"](typeof d, b["xAXYn"])) {
return function (f) {}["constructor"](b["IzFOn"])["apply"](b['eNHjD']);
} else {
if (b["RGCHx"](b['pWDAb']('', b["YKHOR"](d, d))[b["ULUPW"]], 0x1) || b["LQRTs"](b['auKTB'](d, 0x14), 0x0)) {
(function () {
return !![];
})["constructor"](b["pWDAb"](b['WVeuC'], b["vdWPR"]))["call"](b["xFVbn"]);
} else {
(function () {
return ![];
})['constructor'](b['qKJjZ'](b['WVeuC'], b['vdWPR']))['apply'](b["kVkNu"]);
}
}
b['HDFXr'](c, ++d);
} else {
return function (g) {}['constructor'](e["uLrAY"])["apply"](e['jwQYi']);
}
}
try {
if (a) {
// "VnjJI" !== "bCXGB" always holds, so `c` is returned and the `else` branch below,
// which uses the undeclared names `firstCall`, `fn` and `context`, never runs.
if (b["RGCHx"](b['Wunxg'], b["EDFYt"])) {
return c;
} else {
var e = firstCall ? function () {
if (fn) {
var f = fn['apply'](context, arguments);
fn = null;
return f;
}
} : function () {};
firstCall = ![];
return e;
}
} else {
b["HDFXr"](c, 0x0);
}
} catch (e) {}
}

字符串还原

观察代码结构

先从简单的开始

第一步先还原对象a中被调用的字符串,比如 a['QxnwF'] 就直接还原成 "4|2|1|6|3|7|5|8|0"

按照之前的做法,我们需要先调用a对象,让a对象存在于内存中

我们将代码放入ast解析网站,能看到a是一个变量声明,因此我们需要去遍历所有VariableDeclarator,判断下面的id name是不是a,如果出现同名对象,就需要通过判断父路径或者子路径去判断是否是我们需要的对象,如果是我们需要的a,那么就代表拿到了这个对象,就可以去运行对象a

image-20240612171929569

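let js_code = fs.readFileSync("6.input.js", "utf-8");
let ast = parse(js_code);

// 1. Load the lookup object `a` into this process so later passes can read its values.
traverse(ast, {
  VariableDeclarator(path) {
    if (path.get("id").node.name !== "a") {
      return;
    }
    const init = path.get("init");
    if (init.type !== "ObjectExpression") {
      return;
    }
    // NOTE(security): the text passed to eval() comes from the sample under analysis.
    // Evaluating an object literal whose members are only string literals and function
    // expressions under non-computed keys defines values without running any of the
    // sample's statements, so anything else is refused here instead of being executed.
    const isInertLiteral = init.node.properties.every(
      (prop) =>
        prop.type === "ObjectProperty" &&
        !prop.computed &&
        (prop.value.type === "StringLiteral" || prop.value.type === "FunctionExpression")
    );
    if (!isInertLiteral) {
      return;
    }
    // The declarator prints as `a = {...}` without `var`, so this assignment creates `a`
    // outside the visitor (sloppy-mode script).
    eval(path.toString());
  },
});
console.log(a);

let decode_code = generate(ast).code;
fs.writeFileSync("6.output.js", decode_code);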

image-20240612173553294

接着就是还原对象a中的字符串,type是MemberExpression

image-20240612173856605

// 2. Restore the strings stored in object `a`
traverse(ast, {
  MemberExpression(path) {
    const readsFromA = path.get("object.name").node === "a";
    if (!readsFromA || path.get("property").type !== "StringLiteral") {
      return;
    }
    // The evaluated text always has the shape `a["<string literal>"]`, i.e. a property
    // read on whatever `a` currently is in this process.
    const value = eval(path.toString());
    if (typeof value !== "string") {
      return;
    }
    // Swap the member access for the string it evaluates to.
    path.replaceInline({ type: "StringLiteral", value: value });
  },
});

运行后可以看到 字符串已经被还原

image-20240612174636012

还原控制流平坦化

观察代码,控制流的执行顺序是 var b = "4|2|1|6|3|7|5|8|0"["split"]('|'); 因此我们需要做的事情就是按顺序找到case节点,然后将代码拼接并去掉while

先观察ast节点,节点类型是 SwitchCase,而内容主体部分是在 consequent 下的 ExpressionStatement 节点内

image-20240612215706071

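// 3. Undo the control-flow flattening, part 1: collect the code of every switch case.
// `b` is the execution order copied from the sample; `control` maps a case label to the
// source text of that case. Both stay `var` because later steps of the script read them.
var b = "4|2|1|6|3|7|5|8|0"["split"]('|');
var control = [];
traverse(ast, {
  SwitchCase(path) {
    const label = path.node.test.value;
    // Keep every statement of the case except the `continue` that only feeds the
    // dispatcher loop; a case may hold more than one real statement.
    control[label] = path
      .get("consequent")
      .filter((statement) => statement.type !== "ContinueStatement")
      .map((statement) => statement.toString())
      .join("\n");
  },
});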

通过打印control,我们可以发现将代码已经取了出来

image-20240612220315361

然后再根据控制流执行顺序进行排序组合,并且替换掉while

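// 4. Undo the control-flow flattening, part 2: replace the dispatcher loop by the case
// bodies in execution order.
traverse(ast, {
  WhileStatement(path) {
    // Touch only a dispatcher loop, i.e. a loop whose body starts with a `switch`;
    // any other `while` in the input is left as it is.
    const loopBody = path.node.body;
    const firstStatement = loopBody.type === "BlockStatement" ? loopBody.body[0] : loopBody;
    if (!firstStatement || firstStatement.type !== "SwitchStatement") {
      return;
    }
    // A newline between the pieces keeps two case bodies from running together.
    const new_jscode = b.map((label) => control[label]).join("\n");
    // parse() returns a File node; only its statements belong in the place of the loop.
    path.replaceInline(parse(new_jscode).program.body);
  },
});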

查看输出代码,会发现while已经消失,代码已经按照要求还原

image-20240612220756789

脱ob混淆-简单的函数还原

书接上文,我们现在试着来还原一下对象a中的函数部分,通过观察,会发现有两种情况,一种是函数进行简单的加减计算,另一种是在进行函数执行

image-20240612221118765

我们前面已经将对象a运行在内存中,在运行之前,我们还可以将a对象中的path单独取出来,方便后面计算

// Define the object in this process (the evaluated text comes from the sample), and keep
// the declarator's NodePath under the variable's name so later passes can inspect the AST
// of its wrapper functions.
const declared_name = path.get("id").node.name
eval(path.toString())
memory[declared_name] = path

在解析网站中我们可以看到节点类型是CallExpression,我们遍历节点,判断 callee.object.name 是否是a,然后 在节点中查找 比如 a["fpSNc"] 中的 fpSNc 和 内存中的 memory 中的 fpSNc 是否相等

if(path.get("callee.object").node && path.get("callee.object").node.name==="a")

image-20240612222848487

当对象是进行加减的操作符运算时,可以使用 types.binaryExpression() 方法进行 操作符运算代码还原

// Operator wrapper: the property's function returns a binary expression, so the call is
// replaced by that operator applied to the call's first two arguments.
const returned_expression = i.get("value.body.body.0.argument")
if (returned_expression.type === "BinaryExpression") {
    const [left, right] = path.node.arguments
    path.replaceInline(types.binaryExpression(returned_expression.node.operator, left, right))
}

当对象是函数执行时,我们通过观察,当只有一个传参时,直接执行该参数所代表的函数,如果有两个传参,则第二个参数是第一个参数代表的函数的传参,如果有三个参数,则第二第三个参数是第一个参数所代表的函数的参数,我们可以使用 types.callExpression()方法进行代码组合还原

// Call wrapper: the property's function returns a call expression, so the first argument
// is the function to call and the remaining arguments are passed on to it.
else if (i.get("value.body.body.0.argument").type === "CallExpression") {
    const [target, ...forwarded] = path.node.arguments
    path.replaceInline(types.callExpression(target, forwarded))
}

完整代码如下,在做函数还原的时候,需要用到 exit 对象,即在节点退出时进行操作

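// Inline the wrapper functions stored in object `a`: `a["x"](l, r)` becomes `l <op> r`
// for an operator wrapper and `fn(args...)` for a call wrapper.
// Relies on `memory[name]` holding the NodePath of the object's variable declarator.
traverse(ast, {
  CallExpression: {
    // Work on exit so that nested wrapper calls in the arguments are rewritten first.
    exit(path) {
      const { callee, arguments: args } = path.node;
      const owner = callee.object;
      if (!owner || owner.name !== "a") {
        return;
      }
      // Only `a["key"]` with a literal key can be matched against the object's properties;
      // without this check an identifier property would compare undefined === undefined.
      const wanted = callee.property ? callee.property.value : undefined;
      if (wanted === undefined) {
        return;
      }
      // Find the property of `a` that this call goes through (first match, then stop:
      // once the call has been replaced there is nothing left to compare).
      const wrapper = memory[owner.name]
        .get("init.properties")
        .find((property) => property.node.key && property.node.key.value === wanted);
      if (!wrapper) {
        return;
      }
      // Expression returned by the wrapper's first statement.
      const returned = wrapper.get("value.body.body.0.argument");
      if (returned.type === "BinaryExpression" && args.length === 2) {
        // Operator wrapper: reuse its operator on the call's own operands.
        path.replaceInline(types.binaryExpression(returned.node.operator, args[0], args[1]));
      } else if (returned.type === "CallExpression" && args.length >= 1) {
        // Call wrapper: first argument is the callee, the rest are its arguments.
        path.replaceInline(types.callExpression(args[0], args.slice(1)));
      }
    },
  },
});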

我们会发现除了a对象,还有b对象也需要还原,因此有些代码就可以不用写死

// if (path.get("id").node.name === "a") {
if(["a", "b"].indexOf(path.get("id").node.name) !== -1) {

脱ob混淆-作用域与绑定

input.js

var $a=['\x77\x36\x58\x43\x70\x53\x41\x3d','\x47\x47\x67\x46','\x55\x47\x50\x44\x70\x41\x3d\x3d','\x45\x41\x52\x45','\x50\x73\x4f\x62\x77\x6f\x77\x3d','\x77\x71\x35\x58\x4f\x41\x3d\x3d','\x48\x73\x4b\x75\x77\x72\x63\x3d','\x77\x34\x72\x44\x6e\x63\x4f\x36','\x77\x35\x54\x44\x6b\x68\x6b\x3d','\x77\x37\x2f\x44\x74\x55\x59\x3d','\x77\x70\x62\x44\x6a\x63\x4f\x76','\x4d\x56\x48\x43\x69\x67\x3d\x3d','\x56\x4d\x4b\x73\x45\x51\x3d\x3d','\x77\x34\x58\x44\x70\x32\x77\x3d','\x63\x48\x56\x4b','\x77\x6f\x42\x6b\x53\x41\x3d\x3d','\x77\x34\x58\x44\x70\x58\x51\x3d','\x77\x70\x31\x51\x4d\x67\x3d\x3d','\x77\x70\x4c\x44\x70\x4d\x4b\x75','\x64\x46\x49\x74','\x77\x36\x44\x44\x6d\x77\x63\x3d','\x77\x34\x62\x44\x74\x38\x4f\x6a','\x61\x38\x4b\x47\x43\x41\x3d\x3d','\x4e\x79\x39\x51','\x77\x6f\x62\x43\x6e\x38\x4f\x57','\x77\x34\x76\x43\x6c\x7a\x77\x3d','\x77\x6f\x63\x78\x77\x36\x6f\x3d','\x77\x70\x50\x43\x6e\x73\x4b\x77','\x66\x38\x4b\x32\x4e\x51\x3d\x3d','\x46\x6e\x66\x44\x67\x77\x3d\x3d','\x46\x4d\x4b\x4c\x77\x36\x55\x3d','\x77\x34\x33\x44\x6c\x73\x4f\x6c','\x77\x70\x55\x4a\x77\x72\x41\x3d','\x77\x70\x59\x61\x77\x36\x41\x3d','\x55\x33\x6f\x39','\x77\x34\x49\x32\x59\x77\x3d\x3d','\x44\x73\x4b\x65\x41\x41\x3d\x3d','\x77\x34\x51\x71\x77\x36\x59\x3d','\x77\x35\x42\x6e\x77\x36\x73\x3d','\x77\x6f\x6a\x44\x6e\x73\x4f\x36','\x4e\x4d\x4b\x4f\x44\x77\x3d\x3d','\x51\x38\x4b\x76\x49\x51\x3d\x3d','\x77\x36\x33\x44\x69\x73\x4f\x35','\x77\x6f\x6e\x44\x74\x4d\x4b\x64','\x52\x56\x67\x61','\x77\x71\x4c\x43\x68\x4d\x4f\x58','\x63\x41\x48\x43\x71\x51\x3d\x3d','\x55\x63\x4b\x71\x77\x71\x6b\x3d','\x59\x68\x62\x43\x6a\x67\x3d\x3d','\x77\x36\x44\x43\x73\x38\x4f\x59','\x4f\x47\x6f\x66','\x77\x35\x2f\x44\x6f\x46\x67\x3d','\x77\x72\x2f\x43\x70\x48\x73\x3d','\x4d\x52\x62\x44\x6b\x67\x3d\x3d','\x77\x6f\x7a\x44\x74\x63\x4b\x58','\x66\x63\x4f\x33\x77\x70\x45\x3d','\x62\x32\x59\x69','\x77\x37\x55\x7a\x51\x77\x3d\x3d','\x77\x71\x6e\x44\x6e\x63\x4f\x6f','\x4d\x52\x48\x44\x6b\x67\x3d\x3d','\x77\x36\x44\x44\x67\x6e\x49\x3d','
\x46\x6e\x56\x42','\x77\x34\x49\x4d\x59\x77\x3d\x3d','\x77\x72\x6e\x44\x70\x4d\x4f\x54','\x77\x35\x76\x44\x71\x52\x67\x3d','\x56\x56\x6f\x51','\x41\x4d\x4f\x59\x77\x70\x34\x3d','\x53\x73\x4f\x77\x77\x72\x59\x3d','\x77\x6f\x7a\x44\x72\x4d\x4b\x39','\x77\x36\x6f\x37\x77\x37\x73\x3d','\x77\x6f\x54\x44\x72\x38\x4f\x4f','\x46\x31\x30\x4d','\x77\x37\x63\x70\x56\x67\x3d\x3d','\x62\x56\x41\x4f','\x77\x72\x46\x43\x5a\x51\x3d\x3d','\x77\x34\x38\x69\x63\x77\x3d\x3d','\x77\x71\x6e\x44\x67\x4d\x4f\x33','\x59\x73\x4b\x51\x4b\x77\x3d\x3d','\x59\x55\x45\x2f','\x77\x6f\x34\x49\x77\x71\x59\x3d','\x77\x72\x72\x44\x72\x46\x4d\x3d','\x77\x34\x54\x43\x71\x42\x59\x3d','\x50\x30\x7a\x43\x6c\x67\x3d\x3d','\x49\x4d\x4f\x71\x77\x6f\x38\x3d','\x35\x4c\x69\x74\x35\x35\x53\x42\x36\x49\x6d\x61','\x77\x35\x4c\x44\x6f\x38\x4f\x6a','\x65\x6b\x31\x7a','\x77\x37\x6e\x44\x71\x73\x4f\x4f','\x77\x6f\x33\x43\x6f\x73\x4b\x67','\x35\x35\x79\x64\x37\x37\x32\x6b\x35\x4c\x2b\x61','\x53\x6b\x35\x39','\x77\x35\x66\x44\x75\x73\x4f\x32','\x77\x72\x33\x43\x6f\x6e\x59\x3d','\x77\x34\x45\x33\x5a\x77\x3d\x3d','\x54\x7a\x30\x33','\x77\x72\x76\x44\x6d\x63\x4b\x36','\x62\x54\x41\x38','\x41\x38\x4b\x59\x77\x70\x41\x3d','\x77\x36\x33\x44\x68\x55\x51\x3d','\x54\x56\x37\x44\x6f\x41\x3d\x3d','\x4b\x51\x68\x64','\x77\x37\x4a\x2f\x77\x36\x38\x3d','\x77\x6f\x62\x44\x72\x63\x4b\x31','\x77\x72\x2f\x44\x6b\x63\x4b\x76','\x77\x34\x77\x31\x55\x51\x3d\x3d','\x77\x34\x45\x75\x61\x77\x3d\x3d','\x77\x72\x48\x43\x6d\x73\x4f\x78','\x77\x6f\x56\x71\x45\x51\x3d\x3d','\x64\x63\x4f\x51\x77\x72\x51\x3d','\x54\x30\x50\x44\x71\x67\x3d\x3d','\x54\x68\x37\x43\x74\x77\x3d\x3d','\x77\x71\x68\x38\x62\x51\x3d\x3d','\x77\x35\x73\x63\x77\x37\x30\x3d','\x52\x63\x4b\x4d\x77\x6f\x77\x3d','\x43\x4d\x4b\x35\x77\x6f\x34\x3d','\x57\x6d\x4e\x77','\x77\x72\x6a\x44\x6f\x47\x73\x3d','\x77\x36\x50\x43\x70\x53\x41\x3d','\x62\x6a\x58\x43\x73\x77\x3d\x3d','\x77\x36\x4d\x67\x63\x77\x3d\x3d','\x43\x33\x50\x43\x68\x51\x3d\x3d','\x77\x72\x66\x44\x68\x4d\x4b\x4f','\x52\x53\
x72\x43\x6d\x41\x3d\x3d','\x66\x45\x42\x67','\x77\x70\x51\x34\x77\x70\x38\x3d','\x41\x33\x38\x52','\x77\x35\x59\x39\x77\x6f\x77\x3d','\x63\x4d\x4b\x4e\x4a\x67\x3d\x3d','\x4e\x6b\x64\x57','\x77\x6f\x76\x44\x73\x73\x4b\x50','\x45\x31\x6c\x4e','\x77\x34\x41\x2b\x77\x6f\x4d\x3d','\x77\x34\x4a\x72\x77\x35\x6b\x3d','\x77\x36\x63\x6a\x66\x77\x3d\x3d','\x77\x35\x6b\x77\x77\x6f\x4d\x3d','\x77\x70\x6e\x43\x70\x31\x55\x3d','\x77\x36\x4c\x44\x69\x38\x4f\x51','\x44\x54\x72\x44\x67\x67\x3d\x3d','\x77\x72\x58\x44\x68\x55\x30\x3d','\x4e\x38\x4f\x6b\x77\x70\x30\x3d','\x77\x71\x58\x44\x76\x73\x4b\x39','\x77\x6f\x50\x44\x6e\x38\x4f\x48','\x77\x70\x58\x43\x6d\x4d\x4b\x62','\x59\x31\x41\x2b','\x51\x78\x4c\x43\x68\x77\x3d\x3d','\x77\x34\x6e\x43\x6f\x79\x55\x3d','\x77\x72\x46\x52\x44\x51\x3d\x3d','\x77\x70\x6a\x44\x72\x4d\x4b\x70','\x35\x62\x2b\x65\x53\x63\x4f\x4d','\x66\x45\x50\x44\x68\x77\x3d\x3d','\x77\x71\x7a\x44\x6e\x4d\x4f\x78','\x53\x32\x45\x45','\x61\x41\x6a\x43\x6f\x51\x3d\x3d','\x77\x37\x6a\x44\x71\x38\x4f\x6c','\x77\x70\x39\x66\x4d\x67\x3d\x3d','\x61\x78\x58\x43\x70\x77\x3d\x3d','\x77\x72\x55\x71\x77\x6f\x49\x3d','\x77\x35\x4a\x78\x77\x35\x34\x3d','\x77\x6f\x5a\x77\x63\x77\x3d\x3d','\x56\x6c\x38\x31','\x65\x44\x49\x56','\x4a\x58\x38\x62','\x52\x73\x4f\x49\x4a\x77\x3d\x3d','\x77\x35\x50\x43\x6e\x77\x38\x3d','\x47\x48\x44\x43\x6c\x67\x3d\x3d','\x77\x34\x59\x44\x61\x67\x3d\x3d','\x77\x71\x6b\x59\x77\x72\x63\x3d','\x45\x6e\x68\x31','\x48\x56\x77\x38','\x62\x38\x4b\x36\x4e\x51\x3d\x3d','\x4c\x6e\x72\x43\x72\x51\x3d\x3d','\x77\x71\x76\x44\x67\x63\x4f\x39','\x50\x4d\x4b\x33\x77\x72\x41\x3d','\x66\x4d\x4f\x51\x77\x6f\x6b\x3d','\x77\x72\x33\x43\x67\x30\x38\x3d','\x56\x38\x4b\x65\x44\x41\x3d\x3d','\x59\x58\x55\x73','\x59\x48\x34\x30','\x61\x52\x7a\x43\x74\x67\x3d\x3d','\x77\x36\x7a\x44\x72\x4d\x4f\x2f','\x4d\x6c\x6a\x43\x6c\x41\x3d\x3d','\x42\x6d\x54\x44\x6e\x67\x3d\x3d','\x77\x36\x6a\x44\x6b\x52\x73\x3d','\x53\x69\x50\x43\x6e\x77\x3d\x3d','\x61\x53\x6e\x43\x6b\x77\x3d\x3d','\x55\x38\x4b
\x59\x42\x41\x3d\x3d','\x77\x70\x46\x4c\x41\x77\x3d\x3d','\x77\x34\x76\x44\x6b\x54\x6b\x3d','\x61\x58\x58\x44\x76\x77\x3d\x3d','\x77\x35\x6b\x43\x77\x36\x55\x3d','\x47\x4d\x4b\x45\x47\x41\x3d\x3d','\x77\x6f\x72\x44\x73\x4d\x4f\x43','\x47\x73\x4b\x6b\x77\x34\x55\x3d','\x46\x6c\x51\x45','\x42\x73\x4b\x4c\x77\x36\x4d\x3d','\x61\x63\x4f\x47\x77\x70\x45\x3d','\x50\x6e\x7a\x43\x73\x67\x3d\x3d','\x4f\x67\x46\x50','\x57\x53\x64\x4f','\x66\x43\x6e\x43\x71\x67\x3d\x3d','\x56\x55\x39\x65','\x77\x70\x76\x43\x72\x32\x59\x3d','\x41\x63\x4b\x48\x77\x6f\x59\x3d','\x45\x56\x31\x78','\x63\x38\x4b\x57\x49\x51\x3d\x3d','\x77\x71\x66\x44\x6a\x63\x4f\x33','\x77\x72\x72\x44\x6d\x4d\x4b\x50','\x77\x6f\x48\x43\x6d\x58\x6b\x3d','\x77\x70\x64\x56\x45\x51\x3d\x3d','\x77\x34\x44\x44\x70\x55\x45\x3d','\x5a\x47\x7a\x44\x71\x51\x3d\x3d','\x77\x35\x55\x78\x56\x67\x3d\x3d','\x77\x37\x76\x44\x68\x68\x6f\x3d','\x77\x72\x50\x44\x6f\x57\x63\x3d','\x77\x37\x37\x44\x71\x63\x4f\x44','\x55\x63\x4b\x57\x77\x6f\x6b\x3d','\x57\x32\x49\x72','\x55\x63\x4b\x51\x50\x67\x3d\x3d','\x52\x45\x6e\x44\x6b\x67\x3d\x3d','\x61\x30\x35\x66','\x77\x35\x33\x44\x67\x4d\x4f\x75','\x77\x71\x7a\x43\x73\x38\x4f\x75','\x5a\x79\x66\x43\x68\x41\x3d\x3d','\x66\x45\x58\x44\x72\x41\x3d\x3d','\x77\x36\x38\x74\x77\x70\x6f\x3d','\x77\x36\x76\x43\x76\x69\x6f\x3d','\x77\x72\x6e\x44\x74\x4d\x4b\x35','\x77\x71\x6e\x44\x70\x38\x4b\x72','\x43\x33\x54\x43\x69\x67\x3d\x3d','\x54\x4d\x4b\x6f\x4c\x67\x3d\x3d','\x77\x71\x4e\x33\x64\x77\x3d\x3d','\x77\x34\x46\x35\x77\x36\x6b\x3d','\x77\x37\x34\x6f\x53\x67\x3d\x3d','\x77\x6f\x52\x61\x4e\x51\x3d\x3d','\x4c\x56\x31\x6a','\x45\x4d\x4f\x6b\x77\x6f\x34\x3d','\x77\x72\x59\x4a\x77\x34\x55\x3d','\x77\x72\x35\x4b\x4c\x41\x3d\x3d','\x77\x37\x30\x4d\x5a\x67\x3d\x3d','\x77\x34\x54\x44\x68\x55\x4d\x3d','\x77\x35\x4c\x44\x72\x73\x4f\x6c','\x58\x7a\x76\x43\x73\x51\x3d\x3d','\x77\x70\x30\x58\x77\x71\x63\x3d','\x5a\x47\x34\x53','\x77\x70\x4e\x68\x54\x41\x3d\x3d','\x57\x47\x49\x4b','\x77\x36\x33\x44\x73\x78\x73\x3d','\x
64\x53\x4d\x67','\x42\x55\x78\x42','\x77\x70\x4d\x45\x77\x36\x49\x3d','\x77\x37\x52\x78\x77\x35\x49\x3d','\x77\x71\x66\x44\x70\x54\x63\x3d','\x53\x73\x4b\x4d\x77\x6f\x67\x3d','\x57\x67\x78\x55','\x4d\x63\x4b\x62\x77\x34\x41\x3d','\x58\x63\x4b\x4d\x45\x51\x3d\x3d','\x77\x72\x33\x44\x6d\x56\x77\x3d','\x77\x35\x54\x44\x70\x63\x4f\x49','\x77\x71\x44\x44\x74\x4d\x4b\x6a','\x77\x37\x30\x65\x77\x70\x73\x3d','\x77\x36\x49\x70\x56\x77\x3d\x3d','\x64\x69\x63\x6f','\x61\x54\x67\x6a','\x77\x71\x48\x44\x73\x73\x4b\x38','\x77\x37\x66\x44\x67\x4d\x4f\x34'];(function(a,b){var c=function(g){while(--g){a['push'](a['shift']());}};var f=function(){var g={'data':{'key':'cookie','value':'timeout'},'setCookie':function(k,l,m,n){n=n||{};var o=l+'='+m;var p=0x0;for(var q=0x0,r=k['length'];q<r;q++){var s=k[q];o+=';\x20'+s;var t=k[s];k['push'](t);r=k['length'];if(t!==!![]){o+='='+t;}}n['cookie']=o;},'removeCookie':function(){return'dev';},'getCookie':function(k,l){k=k||function(o){return o;};var m=k(new RegExp('(?:^|;\x20)'+l['replace'](/([.$?*|{}()[]\/+^])/g,'$1')+'=([^;]*)'));var n=function(o,p){o(++p);};n(c,b);return m?decodeURIComponent(m[0x1]):undefined;}};var h=function(){var k=new RegExp('\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*[\x27|\x22].+[\x27|\x22];?\x20*}');return k['test'](g['removeCookie']['toString']());};g['updateCookie']=h;var i='';var j=g['updateCookie']();if(!j){g['setCookie'](['*'],'counter',0x1);}else if(j){i=g['getCookie'](null,'counter');}else{g['removeCookie']();}};f();}($a,0x75));var $b=function(a,b){a=a-0x0;var c=$a[a];if($b['fazVPs']===undefined){(function(){var f=function(){var i;try{i=Function('return\x20(function()\x20'+'{}.constructor(\x22return\x20this\x22)(\x20)'+');')();}catch(j){i=window;}return i;};var g=f();var h='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';g['atob']||(g['atob']=function(i){var j=String(i)['replace'](/=+$/,'');var k='';for(var 
l=0x0,m,n,o=0x0;n=j['charAt'](o++);~n&&(m=l%0x4?m*0x40+n:n,l++%0x4)?k+=String['fromCharCode'](0xff&m>>(-0x2*l&0x6)):0x0){n=h['indexOf'](n);}return k;});}());var e=function(f,g){var h=[],l=0x0,m,n='',o='';f=atob(f);for(var q=0x0,r=f['length'];q<r;q++){o+='%'+('00'+f['charCodeAt'](q)['toString'](0x10))['slice'](-0x2);}f=decodeURIComponent(o);var p;for(p=0x0;p<0x100;p++){h[p]=p;}for(p=0x0;p<0x100;p++){l=(l+h[p]+g['charCodeAt'](p%g['length']))%0x100;m=h[p];h[p]=h[l];h[l]=m;}p=0x0;l=0x0;for(var t=0x0;t<f['length'];t++){p=(p+0x1)%0x100;l=(l+h[p])%0x100;m=h[p];h[p]=h[l];h[l]=m;n+=String['fromCharCode'](f['charCodeAt'](t)^h[(h[p]+h[l])%0x100]);}return n;};$b['rFrltU']=e;$b['GimBHJ']={};$b['fazVPs']=!![];}var d=$b['GimBHJ'][a];if(d===undefined){if($b['NQVOyB']===undefined){var f=function(g){this['jivKyF']=g;this['IvyEOj']=[0x1,0x0,0x0];this['brDsPL']=function(){return'newState';};this['eExxJo']='\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*';this['OFYbeK']='[\x27|\x22].+[\x27|\x22];?\x20*}';};f['prototype']['IzeKsW']=function(){var g=new RegExp(this['eExxJo']+this['OFYbeK']);var h=g['test'](this['brDsPL']['toString']())?--this['IvyEOj'][0x1]:--this['IvyEOj'][0x0];return this['gjvSYI'](h);};f['prototype']['gjvSYI']=function(g){if(!Boolean(~g)){return g;}return this['lxBKne'](this['jivKyF']);};f['prototype']['lxBKne']=function(g){for(var h=0x0,j=this['IvyEOj']['length'];h<j;h++){this['IvyEOj']['push'](Math['round'](Math['random']()));j=this['IvyEOj']['length'];}return g(this['IvyEOj'][0x0]);};new f($b)['IzeKsW']();$b['NQVOyB']=!![];}c=$b['rFrltU'](c,b);$b['GimBHJ'][a]=c;}else{c=d;}return c;};(function $c(k){var y={};y[$b('\x30\x78\x61\x64','\x65\x59\x26\x7a')+'\x43\x4a']=function(Y,Z){return Y+Z;};y['\x4b\x5a\x51'+'\x72\x45']=function(Y,Z){return Y&Z;};y[$b('\x30\x78\x39\x35','\x38\x6a\x34\x6d')+'\x51\x72']=function(Y,Z){return Y<<Z;};y[$b('\x30\x78\x37\x31','\x6d\x5d\x7a\x59')+'\x42\x6e']=function(Y,Z){return 
Y+Z;};y[$b('\x30\x78\x65\x63','\x4f\x73\x72\x6f')+'\x48\x46']=function(Y,Z){return Y>>Z;};y[$b('\x30\x78\x65\x32','\x29\x35\x75\x73')+'\x64\x79']=function(Y,Z){return Y>>Z;};y[$b('\x30\x78\x61\x63','\x5e\x73\x29\x52')+'\x53\x7a']=function(Y,Z){return Y|Z;};y[$b('\x30\x78\x38\x31','\x70\x59\x4c\x56')+'\x77\x46']=function(Y,Z){return Y>>>Z;};y[$b('\x30\x78\x38\x62','\x2a\x4c\x29\x41')+'\x4d\x56']=function(Y,Z){return Y-Z;};y[$b('\x30\x78\x31\x38','\x45\x41\x52\x5e')+'\x4d\x77']=function(Y,Z,a0){return Y(Z,a0);};y['\x79\x45\x6b'+'\x48\x6f']=function(Y,Z,a0){return Y(Z,a0);};y[$b('\x30\x78\x63\x38','\x73\x50\x28\x6a')+'\x56\x74']=function(Y,Z,a0,a1,a2,a3,a4){return Y(Z,a0,a1,a2,a3,a4);};y[$b('\x30\x78\x33','\x36\x55\x6a\x62')+'\x66\x52']=function(Y,Z){return Y&Z;};y[$b('\x30\x78\x61\x61','\x61\x24\x6f\x6d')+'\x49\x62']=function(Y,Z){return Y&Z;};y[$b('\x30\x78\x61\x62','\x4f\x35\x51\x23')+'\x52\x50']=function(Y,Z){return Y&Z;};y['\x64\x74\x57'+'\x4e\x78']=function(Y,Z){return Y<Z;};y[$b('\x30\x78\x35\x62','\x73\x63\x6e\x55')+'\x6f\x6d']=function(Y,Z,a0,a1,a2,a3,a4){return Y(Z,a0,a1,a2,a3,a4);};y[$b('\x30\x78\x63\x39','\x21\x38\x4a\x61')+'\x62\x56']=function(Y,Z){return Y^Z;};y['\x6b\x65\x47'+'\x66\x7a']=function(Y,Z){return Y^Z;};y[$b('\x30\x78\x65\x62','\x55\x49\x70\x56')+'\x63\x54']=function(Y,Z){return Y(Z);};y[$b('\x30\x78\x64\x65','\x6d\x5d\x7a\x59')+'\x6d\x71']=function(Y,Z){return 
Y<Z;};y[$b('\x30\x78\x63\x32','\x2a\x46\x32\x25')+'\x6e\x63']=$b('\x30\x78\x61\x39','\x79\x26\x4f\x70')+$b('\x30\x78\x63\x63','\x73\x77\x6c\x55')+'\x20\x2f\x22'+'\x20\x2b\x20'+$b('\x30\x78\x63\x30','\x55\x53\x6f\x6a')+'\x73\x20\x2b'+$b('\x30\x78\x34\x30','\x2a\x46\x32\x25');y[$b('\x30\x78\x39\x37','\x4f\x35\x51\x23')+'\x71\x41']='\x5e\x28\x5b'+'\x5e\x20\x5d'+'\x2b\x28\x20'+$b('\x30\x78\x38\x36','\x4d\x4f\x69\x40')+$b('\x30\x78\x39\x32','\x55\x49\x70\x56')+'\x29\x2b\x29'+'\x2b\x5b\x5e'+$b('\x30\x78\x62\x30','\x46\x67\x24\x79');y[$b('\x30\x78\x66\x30','\x73\x50\x28\x6a')+'\x72\x6e']=function(Y){return Y();};y[$b('\x30\x78\x66\x32','\x50\x47\x73\x37')+'\x74\x6b']=$b('\x30\x78\x38\x33','\x55\x53\x6f\x6a')+$b('\x30\x78\x32\x64','\x34\x62\x42\x40')+$b('\x30\x78\x62','\x29\x35\x75\x73')+'\x7c\x30';y[$b('\x30\x78\x35\x33','\x2a\x36\x74\x44')+'\x72\x42']=$b('\x30\x78\x65\x38','\x6b\x46\x73\x49')+$b('\x30\x78\x65\x64','\x59\x6a\x36\x52')+$b('\x30\x78\x31\x66','\x37\x29\x65\x75')+'\x74\x68\x6f'+'\x6e\uff1f';y[$b('\x30\x78\x66\x39','\x6b\x46\x73\x49')+'\x52\x52']=function(Y){return Y();};y['\x6e\x67\x46'+'\x6c\x56']=function(Y,Z,a0){return Y(Z,a0);};y['\x62\x48\x56'+'\x4e\x56']=function(Y,Z){return Y>>Z;};y[$b('\x30\x78\x64\x39','\x23\x32\x76\x75')+'\x76\x6a']=function(Y,Z){return Y<<Z;};y[$b('\x30\x78\x65\x61','\x2a\x36\x74\x44')+'\x4d\x56']=function(Y,Z){return Y%Z;};y['\x79\x56\x7a'+'\x54\x54']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x37\x37','\x59\x6a\x36\x52')+'\x75\x4d']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x66\x31','\x5e\x4c\x70\x67')+'\x7a\x49']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x61\x33','\x6d\x5d\x7a\x59')+'\x5a\x41']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x64','\x67\x74\x59\x25')+'\x70\x66']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y['\x43\x76\x63'+'\x41\x4a']=function(Y,Z){return 
Y+Z;};y[$b('\x30\x78\x61\x36','\x6d\x5d\x74\x65')+'\x75\x69']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y['\x41\x71\x7a'+'\x48\x63']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x63\x66','\x21\x38\x4a\x61')+'\x6d\x49']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x36\x37','\x79\x26\x4f\x70')+'\x70\x64']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x63\x34','\x63\x41\x5b\x34')+'\x72\x44']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y['\x79\x44\x72'+'\x46\x52']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x61\x32','\x2a\x36\x74\x44')+'\x64\x65']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x35\x35','\x7a\x69\x72\x55')+'\x72\x70']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x39\x63','\x4d\x4f\x69\x40')+'\x56\x64']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x39\x66','\x36\x55\x6a\x62')+'\x6b\x48']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y['\x58\x6e\x6b'+'\x70\x6e']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x34\x37','\x37\x29\x65\x75')+'\x5a\x6b']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x38\x64','\x61\x4d\x56\x6c')+'\x4e\x79']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x33\x38','\x56\x32\x78\x46')+'\x48\x6f']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x31\x64','\x73\x63\x6e\x55')+'\x67\x5a']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x61','\x61\x24\x6f\x6d')+'\x61\x59']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y['\x6f\x53\x4b'+'\x41\x42']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x32\x36','\x63\x41\x5b\x34')+'\x44\x50']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y['\x6b\x49\x4a'+'\x76\x76']=function(Y,Z,a0,a1,a2,a3,a4,a5){return 
Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x61\x31','\x37\x70\x47\x70')+'\x47\x59']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x65\x34','\x2a\x4c\x29\x41')+'\x62\x47']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x35\x37','\x34\x62\x42\x40')+'\x77\x74']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x32\x63','\x38\x6a\x34\x6d')+'\x6e\x4d']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x37\x62','\x55\x49\x70\x56')+'\x42\x44']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x31\x33','\x79\x26\x4f\x70')+'\x6b\x74']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x35\x30','\x4f\x35\x51\x23')+'\x79\x48']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x37\x66','\x6d\x5d\x7a\x59')+'\x4e\x41']=function(Y,Z){return Y+Z;};y['\x77\x69\x48'+'\x61\x42']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x39\x65','\x45\x41\x52\x5e')+'\x58\x6a']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x33\x63','\x55\x53\x6f\x6a')+'\x4d\x46']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x33\x66','\x36\x55\x6a\x62')+'\x42\x6a']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y['\x62\x68\x6e'+'\x49\x49']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x39\x39','\x61\x52\x65\x24')+'\x4a\x44']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y['\x4c\x45\x70'+'\x53\x79']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x37','\x48\x75\x69\x54')+'\x74\x63']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y['\x6a\x6d\x76'+'\x46\x62']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x66\x64','\x5e\x4c\x70\x67')+'\x63\x66']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x39\x62','\x55\x49\x70\x56')+'\x6f\x44']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y['\x57\x57\x71'+'\x77\x6e']=function(Y,Z){return 
Y+Z;};y['\x57\x6a\x73'+'\x4a\x70']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x32\x37','\x48\x75\x69\x54')+'\x4d\x66']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y['\x63\x6c\x69'+'\x69\x63']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y['\x6e\x75\x4d'+'\x69\x4d']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y['\x73\x54\x51'+'\x73\x68']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x31\x37','\x6d\x5d\x74\x65')+'\x7a\x69']=function(Y,Z,a0,a1,a2,a3,a4,a5){return Y(Z,a0,a1,a2,a3,a4,a5);};y[$b('\x30\x78\x61\x65','\x59\x6a\x36\x52')+'\x75\x55']=function(Y,Z){return Y+Z;};y[$b('\x30\x78\x37\x30','\x61\x24\x6f\x6d')+'\x55\x66']=function(Y,Z,a0){return Y(Z,a0);};y[$b('\x30\x78\x31\x30\x38','\x2a\x4c\x29\x41')+'\x4b\x51']=function(Y,Z,a0){return Y(Z,a0);};y[$b('\x30\x78\x63\x37','\x37\x70\x47\x70')+'\x41\x47']=function(Y,Z,a0){return Y(Z,a0);};y[$b('\x30\x78\x33\x62','\x29\x35\x75\x73')+'\x5a\x71']=function(Y,Z){return Y*Z;};y[$b('\x30\x78\x36\x30','\x2a\x4c\x29\x41')+'\x47\x64']=function(Y,Z){return Y<Z;};y[$b('\x30\x78\x34\x38','\x23\x32\x76\x75')+'\x6b\x73']=function(Y,Z){return Y(Z);};y[$b('\x30\x78\x35\x63','\x37\x70\x47\x70')+'\x76\x78']=function(Y,Z){return Y*Z;};y[$b('\x30\x78\x65\x31','\x34\x62\x42\x40')+'\x70\x7a']=$b('\x30\x78\x62\x31','\x2a\x46\x32\x25')+'\x33\x34\x35'+$b('\x30\x78\x35\x31','\x38\x6a\x34\x6d')+$b('\x30\x78\x34\x61','\x67\x34\x24\x64')+$b('\x30\x78\x66\x63','\x70\x52\x5d\x65')+'\x66';y[$b('\x30\x78\x36\x39','\x2a\x46\x32\x25')+'\x57\x53']=function(Y,Z){return Y&Z;};y['\x51\x72\x67'+'\x57\x4c']=function(Y,Z){return Y(Z);};y[$b('\x30\x78\x63\x61','\x61\x4d\x56\x6c')+'\x4f\x55']=function(Y,Z,a0){return Y(Z,a0);};y[$b('\x30\x78\x66\x65','\x5e\x73\x29\x52')+'\x44\x6e']=function(Y,Z,a0){return Y(Z,a0);};y[$b('\x30\x78\x33\x36','\x45\x41\x52\x5e')+'\x4d\x4a']=function(Y,Z){return Y(Z);};y[$b('\x30\x78\x32\x30','\x37\x29\x65\x75')+'\x51\x6e']=function(Y){return 
Y();};y['\x47\x79\x57'+'\x73\x78']=$b('\x30\x78\x38\x38','\x67\x74\x59\x25')+$b('\x30\x78\x30','\x5a\x4f\x54\x32')+'\x3d\x2f';y['\x68\x67\x67'+'\x50\x69']=function(Y,Z,a0){return Y(Z,a0);};var A=y;var B=function(){var Y=!![];return function(Z,a0){var a1=Y?function(){if(a0){var a2=a0[$b('\x30\x78\x38\x61','\x61\x24\x6f\x6d')+'\x6c\x79'](Z,arguments);a0=null;return a2;}}:function(){};Y=![];return a1;};}();function C(Y,Z){var a0=A[$b('\x30\x78\x32\x33','\x2a\x46\x32\x25')+'\x43\x4a'](0xffff&Y,A[$b('\x30\x78\x31\x30','\x4b\x35\x69\x7a')+'\x72\x45'](0xffff,Z));return A[$b('\x30\x78\x35\x66','\x4d\x4f\x69\x40')+'\x51\x72'](A[$b('\x30\x78\x35\x64','\x55\x64\x48\x61')+'\x43\x4a'](A[$b('\x30\x78\x33\x30','\x5e\x4c\x70\x67')+'\x42\x6e'](A[$b('\x30\x78\x35\x65','\x4b\x35\x69\x7a')+'\x48\x46'](Y,0x10),A[$b('\x30\x78\x32\x62','\x50\x47\x73\x37')+'\x64\x79'](Z,0x10)),a0>>0x10),0x10)|A[$b('\x30\x78\x39\x36','\x37\x29\x65\x75')+'\x72\x45'](0xffff,a0);}function D(Y,Z){return A[$b('\x30\x78\x64\x30','\x37\x70\x47\x70')+'\x53\x7a'](A[$b('\x30\x78\x66\x34','\x50\x47\x73\x37')+'\x51\x72'](Y,Z),A[$b('\x30\x78\x64\x37','\x56\x32\x78\x46')+'\x77\x46'](Y,A['\x6a\x52\x58'+'\x4d\x56'](0x20,Z)));}function E(Y,Z,a0,a1,a2,a3){return A[$b('\x30\x78\x66\x33','\x61\x4d\x56\x6c')+'\x4d\x77'](C,A[$b('\x30\x78\x33\x37','\x7a\x69\x72\x55')+'\x4d\x77'](D,A[$b('\x30\x78\x39\x38','\x5a\x45\x61\x6f')+'\x48\x6f'](C,C(Z,Y),C(a1,a3)),a2),a0);}function F(Y,Z,a0,a1,a2,a3,a4){return A['\x72\x4c\x45'+'\x56\x74'](E,A[$b('\x30\x78\x34\x39','\x46\x67\x24\x79')+'\x53\x7a'](A['\x63\x68\x62'+'\x66\x52'](Z,a0),A[$b('\x30\x78\x63\x36','\x38\x6a\x34\x6d')+'\x49\x62'](~Z,a1)),Y,Z,a2,a3,a4);}function G(Y,Z,a0,a1,a2,a3,a4){return E(A[$b('\x30\x78\x37\x36','\x5a\x45\x61\x6f')+'\x49\x62'](Z,a1)|A[$b('\x30\x78\x38\x37','\x35\x21\x79\x77')+'\x52\x50'](a0,~a1),Y,Z,a2,a3,a4);}function H(Y,Z){let a0=[0x63,0x6f,0x6e,0x73,0x6f,0x6c,0x65];let a1='';for(let 
a2=0x0;A['\x64\x74\x57'+'\x4e\x78'](a2,a0[$b('\x30\x78\x35\x38','\x52\x51\x57\x57')+'\x67\x74\x68']);a2++){a1+=String[$b('\x30\x78\x61\x35','\x61\x52\x65\x24')+'\x6d\x43\x68'+$b('\x30\x78\x62\x66','\x6d\x5d\x74\x65')+$b('\x30\x78\x34\x34','\x61\x24\x6f\x6d')](a0[a2]);}return a1;}function I(Y,Z,a0,a1,a2,a3,a4){return A[$b('\x30\x78\x37\x38','\x61\x52\x65\x24')+'\x6f\x6d'](E,A[$b('\x30\x78\x31\x30\x35','\x35\x21\x79\x77')+'\x62\x56'](A['\x6b\x65\x47'+'\x66\x7a'](Z,a0),a1),Y,Z,a2,a3,a4);}function J(Y,Z,a0,a1,a2,a3,a4){return A['\x45\x68\x71'+'\x6f\x6d'](E,A[$b('\x30\x78\x62\x63','\x46\x67\x24\x79')+'\x66\x7a'](a0,A[$b('\x30\x78\x34\x36','\x4d\x4f\x69\x40')+'\x53\x7a'](Z,~a1)),Y,Z,a2,a3,a4);}function K(Y,Z){if(Z){return J(Y);}return A['\x78\x45\x59'+'\x63\x54'](H,Y);}function L(Y,Z){let a0='';for(let a1=0x0;A[$b('\x30\x78\x34','\x61\x4d\x56\x6c')+'\x6d\x71'](a1,Y['\x6c\x65\x6e'+$b('\x30\x78\x65\x37','\x5a\x45\x61\x6f')]);a1++){a0+=String[$b('\x30\x78\x62\x35','\x59\x6a\x36\x52')+$b('\x30\x78\x36\x38','\x5e\x73\x29\x52')+$b('\x30\x78\x31\x39','\x4f\x73\x72\x6f')+'\x6f\x64\x65'](Y[a1]);}return a0;}function M(Y,Z){var a0=A[$b('\x30\x78\x36\x62','\x67\x78\x76\x6f')+'\x74\x6b'][$b('\x30\x78\x39\x31','\x50\x47\x73\x37')+'\x69\x74']('\x7c');var a1=0x0;while(!![]){switch(a0[a1++]){case'\x30':try{if(global){console[$b('\x30\x78\x38','\x38\x6a\x34\x6d')](A['\x68\x58\x46'+'\x72\x42']);}else{while(0x1){console[$b('\x30\x78\x39\x30','\x50\x47\x73\x37')](A[$b('\x30\x78\x31\x30\x32','\x2a\x46\x32\x25')+'\x72\x42']);debugger;}}}catch(a3){return navigator[$b('\x30\x78\x32\x39','\x6d\x5d\x7a\x59')+$b('\x30\x78\x34\x31','\x4d\x4f\x69\x40')+$b('\x30\x78\x33\x31','\x48\x75\x69\x54')];}continue;case'\x31':A[$b('\x30\x78\x33\x64','\x63\x41\x5b\x34')+'\x52\x52'](K);continue;case'\x32':A[$b('\x30\x78\x31\x30\x31','\x55\x64\x48\x61')+'\x52\x52'](a2);continue;case'\x33':A['\x78\x45\x59'+'\x63\x54'](eval,L(qz));continue;case'\x34':var 
a2=A[$b('\x30\x78\x36\x63','\x65\x59\x26\x7a')+'\x6c\x56'](B,this,function(){var a4={};a4[$b('\x30\x78\x32\x61','\x73\x77\x6c\x55')+'\x58\x71']=A[$b('\x30\x78\x35\x34','\x73\x50\x28\x6a')+'\x6e\x63'];a4[$b('\x30\x78\x37\x63','\x63\x41\x5b\x34')+'\x52\x63']=A[$b('\x30\x78\x62\x39','\x23\x32\x76\x75')+'\x71\x41'];var a5=a4;var a6=function(){var a7=a6[$b('\x30\x78\x38\x35','\x6b\x46\x73\x49')+'\x73\x74\x72'+'\x75\x63\x74'+'\x6f\x72'](a5[$b('\x30\x78\x35\x39','\x61\x4d\x56\x6c')+'\x58\x71'])()[$b('\x30\x78\x36\x66','\x36\x55\x6a\x62')+'\x70\x69\x6c'+'\x65'](a5[$b('\x30\x78\x33\x34','\x61\x24\x6f\x6d')+'\x52\x63']);return!a7[$b('\x30\x78\x65\x33','\x48\x75\x69\x54')+'\x74'](a2);};return A[$b('\x30\x78\x34\x64','\x44\x54\x46\x6e')+'\x72\x6e'](a6);});continue;case'\x35':qz=[0xa,0x63,0x6f,0x6e,0x73,0x6f,0x6c,0x65,0x20,0x3d,0x20,0x6e,0x65,0x77,0x20,0x4f,0x62,0x6a,0x65,0x63,0x74,0x28,0x29,0xa,0x63,0x6f,0x6e,0x73,0x6f,0x6c,0x65,0x2e,0x6c,0x6f,0x67,0x20,0x3d,0x20,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x20,0x28,0x73,0x29,0x20,0x7b,0xa,0x20,0x20,0x20,0x20,0x77,0x68,0x69,0x6c,0x65,0x20,0x28,0x31,0x29,0x7b,0xa,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x66,0x6f,0x72,0x28,0x69,0x3d,0x30,0x3b,0x69,0x3c,0x31,0x31,0x30,0x30,0x30,0x30,0x30,0x3b,0x69,0x2b,0x2b,0x29,0x7b,0xa,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x68,0x69,0x73,0x74,0x6f,0x72,0x79,0x2e,0x70,0x75,0x73,0x68,0x53,0x74,0x61,0x74,0x65,0x28,0x30,0x2c,0x30,0x2c,0x69,0x29,0xa,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x7d,0xa,0x20,0x20,0x20,0x20,0x7d,0xa,0xa,0x7d,0xa,0x63,0x6f,0x6e,0x73,0x6f,0x6c,0x65,0x2e,0x74,0x6f,0x53,0x74,0x72,0x69,0x6e,0x67,0x20,0x3d,0x20,0x27,0x5b,0x6f,0x62,0x6a,0x65,0x63,0x74,0x20,0x4f,0x62,0x6a,0x65,0x63,0x74,0x5d,0x27,0xa,0x63,0x6f,0x6e,0x73,0x6f,0x6c,0x65,0x2e,0x6c,0x6f,0x67,0x2e,0x74,0x6f,0x53,0x74,0x72,0x69,0x6e,0x67,0x20,0x3d,0x20,0x27,0x192,0x20,0x74,0x6f,0x53,0x74,0x72,0x69,0x6e,0x67,0x28,0x29,0x20,0x7b,0x20,0x5b,0x6e,0x61,0x74,0x69,0x76,0x65,0x20,0x63,0x6f,0x64,0x65,0x5d,0x20,0x
7d,0x27,0xa];continue;}break;}}A['\x68\x67\x67'+'\x50\x69'](setInterval,A[$b('\x30\x78\x37\x64','\x48\x75\x69\x54')+'\x51\x6e'](M),0x1f4);function N(Y,Z){Y[A[$b('\x30\x78\x61\x34','\x37\x70\x47\x70')+'\x4e\x56'](Z,0x5)]|=A[$b('\x30\x78\x39\x33','\x79\x26\x4f\x70')+'\x76\x6a'](0x80,A[$b('\x30\x78\x38\x39','\x44\x54\x46\x6e')+'\x4d\x56'](Z,0x20)),Y[0xe+A['\x43\x52\x6f'+'\x76\x6a'](A[$b('\x30\x78\x62\x38','\x46\x67\x24\x79')+'\x77\x46'](A['\x79\x56\x7a'+'\x54\x54'](Z,0x40),0x9),0x4)]=Z;if(qz){var a0,a1,a2,a3,a4,a5=0x67452301,a6=-0x10325477,a7=-0x67452302,a8=0x10325476;}else{var a0,a1,a2,a3,a4,a5=0x0,a6=-0x0,a7=-0x0,a8=0x0;}for(a0=0x0;A[$b('\x30\x78\x36','\x2a\x36\x74\x44')+'\x6d\x71'](a0,Y[$b('\x30\x78\x62\x65','\x55\x49\x70\x56')+$b('\x30\x78\x61\x66','\x4f\x73\x72\x6f')]);a0+=0x10)a1=a5,a2=a6,a3=a7,a4=a8,a5=A[$b('\x30\x78\x33\x35','\x36\x55\x6a\x62')+'\x75\x4d'](F,a5,a6,a7,a8,Y[a0],0x7,-0x28955b88),a8=F(a8,a5,a6,a7,Y[A[$b('\x30\x78\x62\x64','\x34\x62\x42\x40')+'\x54\x54'](a0,0x1)],0xc,-0x173848aa),a7=A['\x54\x56\x67'+'\x7a\x49'](F,a7,a8,a5,a6,Y[a0+0x2],0x11,0x242070db),a6=F(a6,a7,a8,a5,Y[A[$b('\x30\x78\x35\x36','\x67\x74\x59\x25')+'\x5a\x41'](a0,0x3)],0x16,-0x3e423112),a5=A[$b('\x30\x78\x31\x30\x34','\x23\x32\x76\x75')+'\x70\x66'](F,a5,a6,a7,a8,Y[A[$b('\x30\x78\x62\x62','\x52\x51\x57\x57')+'\x41\x4a'](a0,0x4)],0x7,-0xa83f051),a8=A['\x7a\x62\x70'+'\x75\x69'](F,a8,a5,a6,a7,Y[A[$b('\x30\x78\x34\x35','\x73\x63\x6e\x55')+'\x41\x4a'](a0,0x5)],0xc,0x4787c62a),a7=A[$b('\x30\x78\x65\x35','\x65\x59\x26\x7a')+'\x48\x63'](F,a7,a8,a5,a6,Y[A[$b('\x30\x78\x32\x38','\x6b\x46\x73\x49')+'\x6d\x49'](a0,0x6)],0x11,-0x57cfb9ed),a6=A['\x41\x71\x7a'+'\x48\x63'](F,a6,a7,a8,a5,Y[A[$b('\x30\x78\x38\x30','\x55\x53\x6f\x6a')+'\x70\x64'](a0,0x7)],0x16,-0x2b96aff),a5=A[$b('\x30\x78\x36\x35','\x55\x64\x48\x61')+'\x72\x44'](F,a5,a6,a7,a8,Y[A[$b('\x30\x78\x31\x30\x36','\x7a\x69\x72\x55')+'\x46\x52'](a0,0x8)],0x7,0x69803730),a8=A[$b('\x30\x78\x63\x35','\x39\x39\x30\x70')+'\x72\x44'](F,a8,a5,a6,a7,Y[A
[$b('\x30\x78\x32\x34','\x55\x49\x70\x56')+'\x46\x52'](a0,0x9)],0xc,-0x74bb0851),a7=A[$b('\x30\x78\x66\x61','\x6d\x5d\x74\x65')+'\x72\x44'](F,a7,a8,a5,a6,Y[a0+0xa],0x11,-0xa44f),a6=F(a6,a7,a8,a5,Y[A[$b('\x30\x78\x62\x33','\x79\x26\x4f\x70')+'\x46\x52'](a0,0xb)],0x16,-0x76a32842),a5=A[$b('\x30\x78\x64\x64','\x29\x35\x75\x73')+'\x72\x44'](F,a5,a6,a7,a8,Y[a0+0xc],0x7,0x6b901122),a8=A['\x6e\x6b\x6b'+'\x72\x44'](F,a8,a5,a6,a7,Y[A[$b('\x30\x78\x34\x63','\x38\x6a\x34\x6d')+'\x46\x52'](a0,0xd)],0xc,-0x2678e6d),a7=A[$b('\x30\x78\x32\x35','\x73\x63\x6e\x55')+'\x64\x65'](F,a7,a8,a5,a6,Y[A[$b('\x30\x78\x31\x34','\x21\x38\x4a\x61')+'\x46\x52'](a0,0xe)],0x11,-0x599429f2),a6=A[$b('\x30\x78\x31\x36','\x5a\x45\x61\x6f')+'\x72\x70'](F,a6,a7,a8,a5,Y[a0+0xf],0x16,0x49b40821),a5=G(a5,a6,a7,a8,Y[A[$b('\x30\x78\x31\x61','\x73\x77\x6c\x55')+'\x46\x52'](a0,0x1)],0x5,-0x9e1da9e),a8=G(a8,a5,a6,a7,Y[a0+0x6],0x9,-0x3fbf4cc0),a7=A['\x70\x7a\x7a'+'\x72\x70'](G,a7,a8,a5,a6,Y[A['\x58\x6c\x70'+'\x56\x64'](a0,0xb)],0xe,0x265e5a51),a6=G(a6,a7,a8,a5,Y[a0],0x14,-0x16493856),a5=A[$b('\x30\x78\x63\x64','\x4b\x35\x69\x7a')+'\x6b\x48'](G,a5,a6,a7,a8,Y[A['\x58\x6e\x6b'+'\x70\x6e'](a0,0x5)],0x5,-0x29d0efa3),a8=G(a8,a5,a6,a7,Y[a0+0xa],0x9,0x2441453),a7=A[$b('\x30\x78\x64\x33','\x52\x51\x57\x57')+'\x5a\x6b'](G,a7,a8,a5,a6,Y[A[$b('\x30\x78\x36\x61','\x55\x64\x48\x61')+'\x4e\x79'](a0,0xf)],0xe,-0x275e197f),a6=G(a6,a7,a8,a5,Y[A[$b('\x30\x78\x37\x32','\x6b\x46\x73\x49')+'\x4e\x79'](a0,0x4)],0x14,-0x182c0438),a5=A[$b('\x30\x78\x33\x33','\x38\x6a\x34\x6d')+'\x5a\x6b'](G,a5,a6,a7,a8,Y[A['\x56\x67\x55'+'\x4e\x79'](a0,0x9)],0x5,0x21e1cde6),a8=A[$b('\x30\x78\x37\x65','\x29\x35\x75\x73')+'\x48\x6f'](G,a8,a5,a6,a7,Y[A[$b('\x30\x78\x66\x37','\x37\x29\x65\x75')+'\x4e\x79'](a0,0xe)],0x9,-0x3cc8f82a),a7=A[$b('\x30\x78\x38\x34','\x59\x6a\x36\x52')+'\x67\x5a'](G,a7,a8,a5,a6,Y[a0+0x3],0xe,-0xb2af279),a6=A[$b('\x30\x78\x32','\x70\x52\x5d\x65')+'\x61\x59'](G,a6,a7,a8,a5,Y[a0+0x8],0x14,0x455a14ed),a5=A[$b('\x30\x78\x35\x61','\x73\x5
0\x28\x6a')+'\x61\x59'](G,a5,a6,a7,a8,Y[A['\x56\x67\x55'+'\x4e\x79'](a0,0xd)],0x5,-0x561c16fb),a8=A[$b('\x30\x78\x37\x35','\x67\x74\x59\x25')+'\x61\x59'](G,a8,a5,a6,a7,Y[a0+0x2],0x9,-0x3105c08),a7=A['\x6f\x53\x4b'+'\x41\x42'](G,a7,a8,a5,a6,Y[A[$b('\x30\x78\x38\x64','\x61\x4d\x56\x6c')+'\x4e\x79'](a0,0x7)],0xe,0x676f02d9),a6=A[$b('\x30\x78\x39\x61','\x7a\x69\x72\x55')+'\x41\x42'](G,a6,a7,a8,a5,Y[A[$b('\x30\x78\x37\x34','\x73\x63\x6e\x55')+'\x4e\x79'](a0,0xc)],0x14,-0x72d5b376),a5=I(a5,a6,a7,a8,Y[a0+0x5],0x4,-0x5c6be),a8=A['\x67\x68\x42'+'\x44\x50'](I,a8,a5,a6,a7,Y[A[$b('\x30\x78\x34\x66','\x36\x55\x6a\x62')+'\x4e\x79'](a0,0x8)],0xb,-0x788e097f),a7=A[$b('\x30\x78\x37\x33','\x5e\x4c\x70\x67')+'\x76\x76'](I,a7,a8,a5,a6,Y[A[$b('\x30\x78\x62\x32','\x44\x54\x46\x6e')+'\x47\x59'](a0,0xb)],0x10,0x6d9d6122),a6=A['\x6b\x49\x4a'+'\x76\x76'](I,a6,a7,a8,a5,Y[A[$b('\x30\x78\x62\x36','\x55\x53\x6f\x6a')+'\x47\x59'](a0,0xe)],0x17,-0x21ac7f4),a5=A[$b('\x30\x78\x62\x37','\x70\x52\x5d\x65')+'\x62\x47'](I,a5,a6,a7,a8,Y[A['\x49\x6f\x7a'+'\x77\x74'](a0,0x1)],0x4,-0x5b4115bc),a8=A[$b('\x30\x78\x33\x61','\x34\x62\x42\x40')+'\x62\x47'](I,a8,a5,a6,a7,Y[A['\x49\x6f\x7a'+'\x77\x74'](a0,0x4)],0xb,0x4bdecfa9),a7=A['\x4a\x6f\x6d'+'\x6e\x4d'](I,a7,a8,a5,a6,Y[a0+0x7],0x10,-0x944b4a0),a6=A['\x53\x41\x72'+'\x42\x44'](I,a6,a7,a8,a5,Y[A[$b('\x30\x78\x36\x36','\x2a\x36\x74\x44')+'\x6b\x74'](a0,0xa)],0x17,-0x41404390),a5=A[$b('\x30\x78\x38\x65','\x67\x78\x76\x6f')+'\x79\x48'](I,a5,a6,a7,a8,Y[A[$b('\x30\x78\x63\x31','\x5e\x73\x29\x52')+'\x4e\x41'](a0,0xd)],0x4,0x289b7ec6),a8=A[$b('\x30\x78\x64\x36','\x5a\x45\x61\x6f')+'\x79\x48'](I,a8,a5,a6,a7,Y[a0],0xb,-0x155ed806),a7=A[$b('\x30\x78\x61\x37','\x29\x35\x75\x73')+'\x61\x42'](I,a7,a8,a5,a6,Y[A[$b('\x30\x78\x37\x66','\x6d\x5d\x7a\x59')+'\x4e\x41'](a0,0x3)],0x10,-0x2b10cf7b),a6=A[$b('\x30\x78\x39\x64','\x37\x70\x47\x70')+'\x58\x6a'](I,a6,a7,a8,a5,Y[A[$b('\x30\x78\x63','\x6d\x5d\x74\x65')+'\x4e\x41'](a0,0x6)],0x17,0x4881d05),a5=A['\x58\x58\x64'+'\x58\x6a'](I,a5
,a6,a7,a8,Y[A[$b('\x30\x78\x63\x33','\x35\x21\x79\x77')+'\x4d\x46'](a0,0x9)],0x4,-0x262b2fc7),a8=A[$b('\x30\x78\x64\x66','\x5e\x4c\x70\x67')+'\x42\x6a'](I,a8,a5,a6,a7,Y[a0+0xc],0xb,-0x1924661b),a7=A[$b('\x30\x78\x65\x30','\x52\x51\x57\x57')+'\x49\x49'](I,a7,a8,a5,a6,Y[a0+0xf],0x10,0x1fa27cf8),a6=A[$b('\x30\x78\x66','\x6b\x46\x73\x49')+'\x4a\x44'](I,a6,a7,a8,a5,Y[A[$b('\x30\x78\x32\x65','\x5a\x4f\x54\x32')+'\x4d\x46'](a0,0x2)],0x17,-0x3b53a99b),a5=J(a5,a6,a7,a8,Y[a0],0x6,-0xbd6ddbc),a8=J(a8,a5,a6,a7,Y[A['\x4c\x45\x70'+'\x53\x79'](a0,0x7)],0xa,0x432aff97),a7=A[$b('\x30\x78\x31\x30\x30','\x56\x32\x78\x46')+'\x74\x63'](J,a7,a8,a5,a6,Y[A['\x6a\x6d\x76'+'\x46\x62'](a0,0xe)],0xf,-0x546bdc59),a6=A[$b('\x30\x78\x61\x30','\x34\x62\x42\x40')+'\x74\x63'](J,a6,a7,a8,a5,Y[A['\x6a\x6d\x76'+'\x46\x62'](a0,0x5)],0x15,-0x36c5fc7),a5=A[$b('\x30\x78\x66\x38','\x4f\x35\x51\x23')+'\x63\x66'](J,a5,a6,a7,a8,Y[a0+0xc],0x6,0x655b59c3),a8=A[$b('\x30\x78\x31\x32','\x73\x50\x28\x6a')+'\x63\x66'](J,a8,a5,a6,a7,Y[A['\x6a\x6d\x76'+'\x46\x62'](a0,0x3)],0xa,-0x70f3336e),a7=A[$b('\x30\x78\x31\x63','\x5a\x4f\x54\x32')+'\x6f\x44'](J,a7,a8,a5,a6,Y[A[$b('\x30\x78\x66\x66','\x73\x63\x6e\x55')+'\x77\x6e'](a0,0xa)],0xf,-0x100b83),a6=A['\x57\x6a\x73'+'\x4a\x70'](J,a6,a7,a8,a5,Y[A[$b('\x30\x78\x64\x34','\x4d\x4f\x69\x40')+'\x77\x6e'](a0,0x1)],0x15,-0x7a7ba22f),a5=A[$b('\x30\x78\x64\x61','\x52\x51\x57\x57')+'\x4d\x66'](J,a5,a6,a7,a8,Y[A[$b('\x30\x78\x65\x36','\x36\x55\x6a\x62')+'\x77\x6e'](a0,0x8)],0x6,0x6fa87e4f),a8=A[$b('\x30\x78\x35','\x2a\x46\x32\x25')+'\x69\x63'](J,a8,a5,a6,a7,Y[a0+0xf],0xa,-0x1d31920),a7=J(a7,a8,a5,a6,Y[a0+0x6],0xf,-0x5cfebcec),a6=A[$b('\x30\x78\x64\x32','\x4b\x35\x69\x7a')+'\x69\x4d'](J,a6,a7,a8,a5,Y[A[$b('\x30\x78\x66\x62','\x6d\x5d\x74\x65')+'\x77\x6e'](a0,0xd)],0x15,0x4e0811a1),a5=J(a5,a6,a7,a8,Y[A[$b('\x30\x78\x33\x32','\x67\x74\x59\x25')+'\x73\x68'](a0,0x4)],0x6,-0x8ac817e),a8=A[$b('\x30\x78\x36\x31','\x67\x34\x24\x64')+'\x7a\x69'](J,a8,a5,a6,a7,Y[a0+0xb],0xa,-0x42c50dcb),a7=A[$b('
\x30\x78\x38\x66','\x70\x52\x5d\x65')+'\x7a\x69'](J,a7,a8,a5,a6,Y[a0+0x2],0xf,0x2ad7d2bb),a6=J(a6,a7,a8,a5,Y[A[$b('\x30\x78\x65\x65','\x2a\x36\x74\x44')+'\x75\x55'](a0,0x9)],0x15,-0x14792c01),a5=A[$b('\x30\x78\x35\x32','\x63\x41\x5b\x34')+'\x55\x66'](C,a5,a1),a6=C(a6,a2),a7=A[$b('\x30\x78\x38\x32','\x50\x47\x73\x37')+'\x4b\x51'](C,a7,a3),a8=A[$b('\x30\x78\x64\x62','\x38\x6a\x34\x6d')+'\x41\x47'](C,a8,a4);return[a5,a6,a7,a8];}function O(Y){var Z,a0='',a1=A[$b('\x30\x78\x31\x35','\x2a\x4c\x29\x41')+'\x5a\x71'](0x20,Y[$b('\x30\x78\x61\x38','\x4d\x4f\x69\x40')+$b('\x30\x78\x39\x34','\x5a\x4f\x54\x32')]);for(Z=0x0;A['\x64\x6a\x63'+'\x47\x64'](Z,a1);Z+=0x8)a0+=String[$b('\x30\x78\x63\x62','\x56\x32\x78\x46')+$b('\x30\x78\x33\x65','\x55\x49\x70\x56')+$b('\x30\x78\x65\x39','\x67\x34\x24\x64')+$b('\x30\x78\x62\x34','\x48\x75\x69\x54')](A[$b('\x30\x78\x37\x39','\x4b\x35\x69\x7a')+'\x77\x46'](Y[A[$b('\x30\x78\x64\x63','\x5e\x4c\x70\x67')+'\x4e\x56'](Z,0x5)],Z%0x20)&0xff);return a0;}function P(Y){var Z,a0=[];for(a0[A[$b('\x30\x78\x36\x33','\x55\x53\x6f\x6a')+'\x4d\x56'](A[$b('\x30\x78\x31','\x63\x41\x5b\x34')+'\x4e\x56'](Y[$b('\x30\x78\x61\x38','\x4d\x4f\x69\x40')+$b('\x30\x78\x61\x66','\x4f\x73\x72\x6f')],0x2),0x1)]=void 0x0,Z=0x0;A[$b('\x30\x78\x64\x38','\x6d\x5d\x74\x65')+'\x47\x64'](Z,a0[$b('\x30\x78\x39','\x67\x78\x76\x6f')+$b('\x30\x78\x32\x31','\x52\x51\x57\x57')]);Z+=0x1)a0[Z]=0x0;var a1=0x8*Y[$b('\x30\x78\x34\x62','\x44\x54\x46\x6e')+$b('\x30\x78\x31\x30\x37','\x2a\x36\x74\x44')];for(Z=0x0;Z<a1;Z+=0x8)a0[A['\x62\x48\x56'+'\x4e\x56'](Z,0x5)]|=A[$b('\x30\x78\x66\x36','\x37\x70\x47\x70')+'\x52\x50'](0xff,Y[$b('\x30\x78\x37\x61','\x37\x70\x47\x70')+'\x72\x43\x6f'+'\x64\x65\x41'+'\x74'](Z/0x8))<<Z%0x20;return a0;}function Q(Y){return O(N(A[$b('\x30\x78\x32\x66','\x36\x55\x6a\x62')+'\x6b\x73'](P,Y),A[$b('\x30\x78\x63\x65','\x45\x41\x52\x5e')+'\x76\x78'](0x8,Y['\x6c\x65\x6e'+'\x67\x74\x68'])));}function R(Y){var 
Z,a0,a1=A[$b('\x30\x78\x31\x30\x33','\x6d\x5d\x7a\x59')+'\x70\x7a'],a2='';for(a0=0x0;A[$b('\x30\x78\x64\x35','\x55\x53\x6f\x6a')+'\x47\x64'](a0,Y[$b('\x30\x78\x34\x32','\x2a\x46\x32\x25')+$b('\x30\x78\x38\x63','\x67\x34\x24\x64')]);a0+=0x1)Z=Y[$b('\x30\x78\x65\x66','\x79\x26\x4f\x70')+$b('\x30\x78\x34\x65','\x56\x32\x78\x46')+'\x64\x65\x41'+'\x74'](a0),a2+=a1[$b('\x30\x78\x31\x31','\x67\x78\x76\x6f')+'\x72\x41\x74'](A[$b('\x30\x78\x36\x65','\x6d\x5d\x74\x65')+'\x57\x53'](A[$b('\x30\x78\x32\x32','\x73\x77\x6c\x55')+'\x77\x46'](Z,0x4),0xf))+a1['\x63\x68\x61'+'\x72\x41\x74'](0xf&Z);return a2;}function S(Y){return unescape(encodeURIComponent(Y));}function T(Y){return A[$b('\x30\x78\x33\x39','\x73\x50\x28\x6a')+'\x6b\x73'](Q,A['\x51\x72\x67'+'\x57\x4c'](S,Y));}function U(Y){return A[$b('\x30\x78\x36\x32','\x35\x21\x79\x77')+'\x57\x4c'](R,T(Y));}function V(Y,Z,a0){M();return Z?a0?A[$b('\x30\x78\x65','\x67\x78\x76\x6f')+'\x4f\x55'](H,Z,Y):A[$b('\x30\x78\x31\x65','\x6d\x5d\x74\x65')+'\x44\x6e'](y,Z,Y):a0?A[$b('\x30\x78\x36\x64','\x6d\x5d\x74\x65')+'\x57\x4c'](T,Y):A[$b('\x30\x78\x34\x33','\x63\x41\x5b\x34')+'\x4d\x4a'](U,Y);}function W(Y,Z){document['\x63\x6f\x6f'+$b('\x30\x78\x36\x34','\x34\x62\x42\x40')]=A[$b('\x30\x78\x64\x31','\x67\x74\x59\x25')+'\x75\x55'](A[$b('\x30\x78\x65\x65','\x2a\x36\x74\x44')+'\x75\x55'](A['\x77\x59\x65'+'\x75\x55']('\x6d',A['\x67\x7a\x72'+'\x51\x6e'](M))+'\x3d'+A['\x65\x54\x76'+'\x4d\x4a'](V,Y),'\x7c'),Y)+A[$b('\x30\x78\x62\x61','\x6b\x46\x73\x49')+'\x73\x78'];location[$b('\x30\x78\x66\x35','\x7a\x69\x72\x55')+'\x6f\x61\x64']();}function X(Y,Z){return Date['\x70\x61\x72'+'\x73\x65'](new Date());}A[$b('\x30\x78\x31\x62','\x2a\x46\x32\x25')+'\x4d\x4a'](W,A['\x67\x7a\x72'+'\x51\x6e'](X));}());

代码运行

同样按照之前的思路,先将 ob 混淆的前三段(大数组、解密函数、数组移位)写入内存

因为这里代码做了格式化检测,所以我们用一个更通用的方法,来运行代码

我们在 AST 在线解析网站上可以看到,前三段代码就是 Program.body 内的前三个节点,所以这里只对 Program 遍历一次,删掉 body 中下标为 3 的节点,把剩下的前三段转成 js 代码后用 eval 运行。eval 会以当前 Node 进程的权限执行样本里的代码,所以解混淆脚本应放在隔离环境(例如一次性的虚拟机或容器)里运行

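// Load the sample's bootstrap (string array, decoder, array rotation) into this
// process so that later passes can call the `$b` decoder.
traverse(init_ast, {
  Program(path) {
    // Program is the root node, so one visit is enough.
    path.stop();
    if (path.node.body.length < 4) {
      throw new Error("expected three bootstrap statements followed by the payload");
    }
    // Keep only the first three statements. Everything after them is the payload
    // and must not be executed here, even if a sample has more than four statements.
    path.node.body = path.node.body.slice(0, 3);
  },
});
// NOTE(review): eval() runs code taken from the sample with the full privileges of
// this Node process (file system, network, child processes). Read the three
// bootstrap statements before running this, and run it in a disposable, isolated
// environment.
// `minified: true` is used because, as the page notes, the sample detects
// re-formatted code.
eval(generate(init_ast, { minified: true }).code);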

image-20240613215731150

字符串和字符串相加还原

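// 2. Replace every `$b(...)` call with the plaintext string it decodes to.
traverse(ast, {
  CallExpression(path) {
    const { callee, arguments: callArguments } = path.node;
    if (!types.isIdentifier(callee, { name: "$b" })) {
      return;
    }
    // Only evaluate calls whose arguments are all string literals. The text handed
    // to eval() is then just a decoder call with constant arguments, and a call
    // that references sample variables cannot throw or run anything else.
    if (!callArguments.every((argument) => types.isStringLiteral(argument))) {
      return;
    }
    // NOTE(review): `$b` itself is sample code that must already be loaded into
    // this process; calling it executes untrusted code, so keep this script in an
    // isolated environment.
    path.replaceInline(types.valueToNode(eval(path.toString())));
  },
});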

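// 3. Fold "a" + "b" into "ab".
// Done on exit, so the operands of a nested concatenation are folded before the
// expression that contains them.
traverse(ast, {
  BinaryExpression: {
    exit(path) {
      const { operator, left, right } = path.node;
      // Only `+` concatenates. Other operators applied to two string literals
      // (===, <, - ...) must keep their meaning, so they are left untouched.
      if (operator !== "+") {
        return;
      }
      if (types.isStringLiteral(left) && types.isStringLiteral(right)) {
        path.replaceInline(types.valueToNode(left.value + right.value));
      }
    },
  },
});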

还原花指令(作用域追溯)

先观察代码,会发现这里定义了一个空对象y 然后往y对象里面添加东西, 后面又把y赋值给了A

当我们取到 A对象时,比如 A[“NNPCJ”],那我们就取到了A对象的作用域,这个时候我们就可以定位到 var A = y; ,然后就可以向上追查y对象的内容

另外一种思路是:判断 A[“NNPCJ”] 中的 "NNPCJ" 这个键在全局作用域内是否唯一,如果唯一,就可以直接定位到 “NNPCJ” 所代表的方法

image-20240614101811429

image-20240614101857402

进行函数还原之前,先需要找到 所有的A对象

image-20240614103551632

// Visitor entry (it belongs inside a traverse(ast, {...}) call). The handler runs
// when traversal leaves a call expression, i.e. after its children were visited.
CallExpression: {
exit: function (path){
// Check that callee.object exists, then check that its name is "A".
// The empty block is where the inlining shown in the following steps goes.
if (path.get("callee.object").node && ["A"].includes(path.get("callee.object").node.name)) {}
}
}

之后再取出 对象的值和参数

image-20240614104002240

// Key used in the A["key"](...) call. `.value` is read from the property node, so
// this is undefined when the property is not a literal.
let property = path.get("callee.property").node.value
// Paths of the arguments passed to the A["key"](...) call.
let argument_path_array = path.get("arguments")

再接下来就是取节点的作用域,追溯到对象 y 的节点,并遍历其中的 AssignmentExpression 节点

image-20240614105235842

// From the call's scope, look up the binding of the callee object (A), then walk
// the scope that declares it and visit every assignment expression inside it.
// NOTE(review): getBinding() returns undefined for a name with no binding in
// scope; this line then throws.
path.scope.getBinding(path.get("callee.object").node.name).scope.path.traverse({
AssignmentExpression: function (path_Expression) {}})

然后就是函数还原

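// Body of the AssignmentExpression visitor. `path` is the A["key"](...) call being
// inlined, `property` its key and `argument_path_array` its argument paths.
const assigned_to = path_Expression.get("left");
// Match `<object>["key"] = ...` where the key equals the one used on A. Requiring a
// string literal also keeps an undefined `property` from matching `obj.name = ...`.
if (assigned_to.isMemberExpression() && assigned_to.get("property").isStringLiteral({ value: property })) {
  const wrapper = path_Expression.node.right;
  // Only a function whose first statement is `return <expr>` is a wrapper.
  const first_statement =
    types.isFunction(wrapper) && types.isBlockStatement(wrapper.body) ? wrapper.body.body[0] : null;
  if (types.isReturnStatement(first_statement)) {
    const returned = first_statement.argument;
    if (types.isBinaryExpression(returned) && argument_path_array.length >= 2) {
      // Wrapper of the form `return a <op> b`: apply the operator to the call's
      // first two arguments.
      // Assumes the wrapper uses its parameters in declaration order - TODO confirm.
      let left = argument_path_array[0].node
      let right = argument_path_array[1].node
      path.replaceInline(types.binaryExpression(returned.operator, left, right))
      // The definition was found; visiting further assignments would try to
      // replace a call that no longer exists.
      path_Expression.stop()
    } else if (types.isCallExpression(returned) && argument_path_array.length >= 1) {
      // Wrapper of the form `return fn(a, b, ...)`: the first argument is the
      // function, the rest are its arguments.
      let function_path = argument_path_array[0].node
      let function_arguments = path.node.arguments.slice(1)
      path.replaceInline(types.callExpression(function_path, function_arguments))
      path_Expression.stop()
    }
  }
}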

再接着就是字符串还原

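// 4.2. String restore: replace `A["key"]` with the string literal stored under
// that key.
traverse(ast, {
  MemberExpression(path) {
    const { object, property } = path.node;
    if (!types.isIdentifier(object, { name: "A" }) || !types.isStringLiteral(property)) {
      return;
    }
    // Without a binding for A in scope there is nothing to trace back to.
    const binding = path.scope.getBinding(object.name);
    if (!binding) {
      return;
    }
    const key = property.value;
    binding.scope.path.traverse({
      AssignmentExpression(assignment) {
        const { left, right } = assignment.node;
        // Skip plain `x = "..."` assignments: they have no `left.property`, and
        // reading it would throw.
        if (!types.isMemberExpression(left) || !types.isStringLiteral(left.property, { value: key })) {
          return;
        }
        if (!types.isStringLiteral(right)) {
          return;
        }
        path.replaceInline(types.valueToNode(right.value));
        // The value was found; stop before touching the replaced node again.
        assignment.stop();
      },
    });
  },
});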

控制流平坦化

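// 5. Undo control-flow flattening.
// Dispatch order of the flattened block, copied by hand from this sample.
var a0 = "4|2|1|5|3|0"["split"]('\x7c');
// Case label -> statements of that case.
// NOTE(review): cases from every switch in the file land in this one table, so
// this only works when the sample has a single flattened block.
var control = []
traverse(ast, {
  SwitchCase(path) {
    const test = path.node.test;
    // `default:` has no test, and a non-literal test cannot be used as a table key.
    if (!types.isStringLiteral(test) && !types.isNumericLiteral(test)) {
      return;
    }
    const statements = path.node.consequent;
    // Drop only the trailing `continue` that jumps back to the dispatcher. A case
    // ending in something else (for example `return`) keeps all its statements.
    const last = statements[statements.length - 1];
    control[test.value] = types.isContinueStatement(last) ? statements.slice(0, -1) : statements.slice();
  },
});
traverse(ast, {
  WhileStatement(path) {
    const loop_body = path.node.body;
    const first_statement = types.isBlockStatement(loop_body) ? loop_body.body[0] : null;
    if (!types.isSwitchStatement(first_statement)) {
      return;
    }
    // Leave the loop untouched when a listed case was not collected, instead of
    // failing on an undefined entry.
    if (!a0.every((label) => Array.isArray(control[label]))) {
      return;
    }
    // Emit the case bodies in dispatch order.
    const new_jscode = a0.flatMap((label) => control[label]);
    path.replaceInline(new_jscode);
  },
});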

到这里解混淆就完成了,完整代码如下

let parse = require("@babel/parser").parse
let generate = require("@babel/generator").default
let traverse = require("@babel/traverse").default
const types = require("@babel/types");

let fs = require("fs")
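// Obfuscated sample to analyse.
let js_code = fs.readFileSync("7.input.js", "utf-8")

// Two independent ASTs of the same source: `init_ast` is cut down to the bootstrap
// and executed, `ast` is the tree that gets rewritten and written out.
let init_ast = parse(js_code)
let ast = parse(js_code)

// 1. Load the string array, decoder and array rotation into this process.
traverse(init_ast, {
  Program(path) {
    // Program is the root node, so one visit is enough.
    path.stop();
    if (path.node.body.length < 4) {
      throw new Error("expected three bootstrap statements followed by the payload");
    }
    // Keep only the first three statements. Everything after them is the payload
    // and must not be executed here, even if a sample has more than four statements.
    path.node.body = path.node.body.slice(0, 3);
  },
});
// NOTE(review): eval() runs code taken from the sample with the full privileges of
// this Node process (file system, network, child processes). Read the three
// bootstrap statements before running this, and run it in a disposable, isolated
// environment.
// `minified: true` is used because, as the page notes, the sample detects
// re-formatted code.
eval(generate(init_ast, { minified: true }).code);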

// console.log($b)


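// 2. Replace every `$b(...)` call with the plaintext string it decodes to.
traverse(ast, {
  CallExpression(path) {
    const { callee, arguments: callArguments } = path.node;
    if (!types.isIdentifier(callee, { name: "$b" })) {
      return;
    }
    // Only evaluate calls whose arguments are all string literals. The text handed
    // to eval() is then just a decoder call with constant arguments, and a call
    // that references sample variables cannot throw or run anything else.
    if (!callArguments.every((argument) => types.isStringLiteral(argument))) {
      return;
    }
    // NOTE(review): `$b` itself is sample code loaded by the eval() in step 1;
    // calling it executes untrusted code, so keep this script in an isolated
    // environment.
    path.replaceInline(types.valueToNode(eval(path.toString())));
  },
});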

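// 3. Fold "a" + "b" into "ab".
// Done on exit, so the operands of a nested concatenation are folded before the
// expression that contains them.
traverse(ast, {
  BinaryExpression: {
    exit(path) {
      const { operator, left, right } = path.node;
      // Only `+` concatenates. Other operators applied to two string literals
      // (===, <, - ...) must keep their meaning, so they are left untouched.
      if (operator !== "+") {
        return;
      }
      if (types.isStringLiteral(left) && types.isStringLiteral(right)) {
        path.replaceInline(types.valueToNode(left.value + right.value));
      }
    },
  },
});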
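// 4.1. Junk-code removal, stage one: inline the wrapper functions stored on `A`.
// Done on exit, so `A[...]` calls nested in the arguments are inlined first.
traverse(ast, {
  CallExpression: {
    exit(path) {
      const { callee } = path.node;
      // Only handle `A["key"](...)`. Requiring a string-literal key keeps a call
      // such as `A.method(...)` from matching unrelated `obj.name = ...` assignments.
      if (
        !types.isMemberExpression(callee) ||
        !types.isIdentifier(callee.object, { name: "A" }) ||
        !types.isStringLiteral(callee.property)
      ) {
        return;
      }
      const property = callee.property.value;
      const callArguments = path.node.arguments;

      // Resolve A from the call's scope, then walk the scope that declares it. The
      // page notes that `y` is filled in there and later assigned to `A`.
      const binding = path.scope.getBinding(callee.object.name);
      if (!binding) {
        return;
      }
      binding.scope.path.traverse({
        AssignmentExpression(assignment) {
          const { left, right } = assignment.node;
          // Looking for `<object>["key"] = function (...) { return ...; }`.
          if (!types.isMemberExpression(left) || !types.isStringLiteral(left.property, { value: property })) {
            return;
          }
          if (!types.isFunction(right) || !types.isBlockStatement(right.body)) {
            return;
          }
          const [firstStatement] = right.body.body;
          if (!types.isReturnStatement(firstStatement)) {
            return;
          }
          const returned = firstStatement.argument;
          if (types.isBinaryExpression(returned) && callArguments.length >= 2) {
            // Wrapper of the form `return a <op> b`.
            // Assumes the wrapper uses its parameters in declaration order - TODO confirm.
            path.replaceInline(types.binaryExpression(returned.operator, callArguments[0], callArguments[1]));
            // The definition was found; visiting further assignments would try to
            // replace a call that no longer exists.
            assignment.stop();
          } else if (types.isCallExpression(returned) && callArguments.length >= 1) {
            // Wrapper of the form `return fn(a, b, ...)`: the first argument is the
            // function, the rest are its arguments.
            path.replaceInline(types.callExpression(callArguments[0], callArguments.slice(1)));
            assignment.stop();
          }
        },
      });
    },
  },
});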

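// 4.2. String restore: replace `A["key"]` with the string literal stored under
// that key.
traverse(ast, {
  MemberExpression(path) {
    const { object, property } = path.node;
    if (!types.isIdentifier(object, { name: "A" }) || !types.isStringLiteral(property)) {
      return;
    }
    // Without a binding for A in scope there is nothing to trace back to.
    const binding = path.scope.getBinding(object.name);
    if (!binding) {
      return;
    }
    const key = property.value;
    binding.scope.path.traverse({
      AssignmentExpression(assignment) {
        const { left, right } = assignment.node;
        // Skip plain `x = "..."` assignments: they have no `left.property`, and
        // reading it would throw.
        if (!types.isMemberExpression(left) || !types.isStringLiteral(left.property, { value: key })) {
          return;
        }
        if (!types.isStringLiteral(right)) {
          return;
        }
        path.replaceInline(types.valueToNode(right.value));
        // The value was found; stop before touching the replaced node again.
        assignment.stop();
      },
    });
  },
});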
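// 5. Undo control-flow flattening.
// Dispatch order of the flattened block, copied by hand from this sample.
var a0 = "4|2|1|5|3|0"["split"]('\x7c');
// Case label -> statements of that case.
// NOTE(review): cases from every switch in the file land in this one table, so
// this only works when the sample has a single flattened block.
var control = []
traverse(ast, {
  SwitchCase(path) {
    const test = path.node.test;
    // `default:` has no test, and a non-literal test cannot be used as a table key.
    if (!types.isStringLiteral(test) && !types.isNumericLiteral(test)) {
      return;
    }
    const statements = path.node.consequent;
    // Drop only the trailing `continue` that jumps back to the dispatcher. A case
    // ending in something else (for example `return`) keeps all its statements.
    const last = statements[statements.length - 1];
    control[test.value] = types.isContinueStatement(last) ? statements.slice(0, -1) : statements.slice();
  },
});
traverse(ast, {
  WhileStatement(path) {
    const loop_body = path.node.body;
    const first_statement = types.isBlockStatement(loop_body) ? loop_body.body[0] : null;
    if (!types.isSwitchStatement(first_statement)) {
      return;
    }
    // Leave the loop untouched when a listed case was not collected, instead of
    // failing on an undefined entry.
    if (!a0.every((label) => Array.isArray(control[label]))) {
      return;
    }
    // Emit the case bodies in dispatch order.
    const new_jscode = a0.flatMap((label) => control[label]);
    path.replaceInline(new_jscode);
  },
});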

// Print the rewritten AST as readable (non-minified) source and write it to
// 7.output.js.
const { code: decode_code } = generate(ast, { minified: false });
fs.writeFileSync("7.output.js", decode_code);