【2021-09-24】Babel AST for-switch简单控制流

学习文章：https://mp.weixin.qq.com/s/nzbKgYEyE1AhJ3v82rxtkA

js混淆和ast反混淆脚本

const fs = require('fs');
const TNT = require("@babel/types");
const {
      parse } = require("@babel/parser");
const traverse = require("@babel/traverse").default;
const generator = require("@babel/generator").default;

let ast = parse(`
function $_FIn(e, t, r) {
    var $_CGFHG = 10;
    for (; $_CGFHG !== 9;) {
        switch ($_CGFHG) {
            case 10:
                var n = e["split"]("."),
                    i = n[0] || "div",
                    o = new $_EHB(n)["$_GFS"](1)["$_GGD"](function(e, t, r) {
                        var $_DBIK = cZBsG.$_CN,
                            $_DBHT = ["$_DCBG"].cancat($_DBIK);
                        $_DBHT.shift();
                        return PREFIX + e;
                    })["$_GHx"](" "),
                    s = new $_EJo(i);

                return r("." + n[1], s),
                    "input" == i && s["$_GIU"]({
                        "type": "hidden",
                        "name": o
                    }),
                    s["$_GJa"]({ "className": o }),
                    $_DHf(t) ? s["$_HAZ"](t) : new $_EIz(t)["$_HBY"](function(e, t) {
                        var $_DCDu = cZBsG.$_CN,
                            $_DCCF = ["$_DCGs"].concat(s_DCDu);

                        $_DCCF.shift();

                        s["$_HCj"]($_FIn(e, t, r));
                    }), s;

                $_CGFHG = 9;
                break;
        }

    }
}`)
traverse(ast, {
     
    FunctionDeclaration(path) {
     
        let Body = path.get('body').node.body
        // 第一步：判断函数下面两个子节点是否是  var for
        if (!Body || Body.length != 2 || !TNT.isVariableDeclaration(Body[0]) || !TNT.isForStatement(Body[1])) return;
        let num = Body[1].test.right.value; // 9 【for语句: $_CGFHG !== 9】
        let forBlockName = Body[1].test.left.name; // $_CGFHG 【for语句: $_CGFHG !== 9】

        // 第二步：查看for语句前面是否存在该变量
        let isExist = Body[0].declarations.filter(item => item.id.name === forBlockName)
        let switchBody = Body[1].body.body;
        if (!isExist || switchBody.length !== 1 || switchBody[0].cases.length !== 1 || switchBody[0].discriminant.name !== forBlockName) return;

        // 第三步：【case语句: $_CGFHG = 9;】 
        let consequents = switchBody[0].cases[0].consequent; // case语句下面的全部节点
        let lastNode = consequents[consequents.length - 2] // 排除break语句后当作最后一个节点
        if (TNT.isExpressionStatement(lastNode)) {
      // 排除 【$_CGFHG = 9;】 和 break语句
            var {
      operator, left, right } = lastNode.expression;
            if (operator == "=" && left.name == forBlockName && right.value == num) {
     
                path.get("body").node.body = consequents.slice(0, consequents.indexOf(lastNode));
            }
        }
    },
})

let {
      code } = generator(ast, {
      retainLines: false, jsescOption: {
      minimal: true, } })
fs.writeFileSync("_result_.js", code, "utf-8")

学习目标【还没写出来】

还原前：

function Y3s(L8s, T8s, B8s) {
     
    var g8s = 2;
    for (; g8s !== 17; ) {
     
        switch (g8s) {
     
        case 11:
            k3s[O3s] = r3s(k3s[O3s - 1], k3s[O3s - 1])[q8s[86]]();
            g8s = 10;
            break;
        case 20:
            c3s = h3s[q8s[88]][q8s[89]](L8s[q8s[90]](V3s) ^ k3s[O3s][q8s[91]](Z3s)) + c3s;
            g8s = 19;
            break;
        case 13:
            O3s = 0;
            g8s = 12;
            break;
        case 6:
            Z3s = 0;
            g8s = 14;
            break;
        case 9:
            var V3s = L8s[q8s[84]] - 1
              , Z3s = 0;
            g8s = 8;
            break;
        case 7:
            g8s = Z3s === u3s ? 6 : 20;
            break;
        case 12:
            g8s = k3s[q8s[85]] < B8s ? 11 : 10;
            break;
        case 2:
            var c3s = q8s[81];
            var O3s = 0;
            var k3s = [];
            k3s[O3s] = T8s[q8s[82]]();
            var u3s = k3s[O3s][q8s[83]];
            g8s = 9;
            break;
        case 10:
            u3s = k3s[O3s][q8s[87]];
            g8s = 20;
            break;
        case 8:
            g8s = V3s >= 0 ? 7 : 18;
            break;
        case 14:
            g8s = ++O3s === B8s ? 13 : 12;
            break;
        case 18:
            return c3s;
            break;
        case 19:
            --V3s,
            ++Z3s;
            g8s = 8;
            break;
        }
    }
}


还原后:

function Y3s(L8s, T8s, B8s) {
     
    var c3s = q8s[81];
    var O3s = 0;
    var k3s = [];
    k3s[O3s] = T8s[q8s[82]]();
    var u3s = k3s[O3s][q8s[83]];
    var V3s = L8s[q8s[84]] - 1
      , Z3s = 0;

    while (V3s >= 0) {
     
        if (Z3s === u3s) {
     
            Z3s = 0;

            if (++O3s === B8s) {
     
                O3s = 0;
            }

            if (k3s[q8s[85]] < B8s) {
     
                k3s[O3s] = r3s(k3s[O3s - 1], k3s[O3s - 1])[q8s[86]]();
            }

            u3s = k3s[O3s][q8s[87]];
        }

        c3s = h3s[q8s[88]][q8s[89]](L8s[q8s[90]](V3s) ^ k3s[O3s][q8s[91]](Z3s)) + c3s;
        --V3s,
        ++Z3s;
    }

    return c3s;
}