[原创] 某 frp 反调试
发表于: 2025-7-17 23:04 538


网站 c2FrdXJhZnJw

整体架构

数据源

/**
 * Accessor for the bundle's string table.
 *
 * On the first call it builds the array `e`, then overwrites the global
 * binding `Ma` with a closure that returns that same array, so every later
 * call hands back the one shared (and mutable) instance.
 * NOTE(review): the array contents are elided in the article, so this
 * listing is not runnable as shown.
 */
function Ma() {
    const e = [...]; // too many entries to list, omitted
    // Self-replacement: rebind Ma to a getter over `e`, then call it once.
    return Ma = function() {
        return e
    }
        ,
        Ma()
}

获取数据

/**
 * String decoder of the obfuscated bundle: maps (index, key) to a plaintext
 * string taken from the table returned by Ma().
 *
 * The outer function runs once; it captures the table in `t`, replaces the
 * global `oo` with the inner decoder, and forwards the first call to it.
 * The inner decoder contains two source-integrity checks that read function
 * source text via toString(), so reformatting this code changes its
 * behaviour (see the notes at `s` and at the `u` constructor).
 *
 * @param e table index (offset by 365); the binding is later reused as the cache
 * @param o key string passed to the RC4 step
 * @returns the decoded string
 */
function oo(e, o) {
    const t = Ma();
    return oo = function(n, r) {
        // Call sites pass index + 365; undo the offset before the lookup.
        n = n - 365;
        let i = t[n];
        // One-time setup, guarded by the oo.QVeNrS flag.
        if (oo.QVeNrS === void 0) {
            // s: base64-style decoder using the lowercase-first alphabet in `f`.
            // Integrity check: `m = x + s` (x is "") is the source text of `s`
            // itself; for each input position the loop tests whether the
            // character at C + 10 of that source has code 10 (line feed). If it
            // does, the counter `g` is appended instead of the decoded byte, so
            // the output is corrupted once the source contains newlines there.
            // The decoded bytes are then percent-encoded and passed through
            // decodeURIComponent, i.e. interpreted as UTF-8.
            // No comments are added inside `s`: its text is part of the check.
            var s = function(d) {
                const f = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=";
                let x = ""
                    , h = ""
                    , m = x + s;
                for (let g = 0, p, O, C = 0; O = d.charAt(C++); ~O && (p = g % 4 ? p * 64 + O : O,
                g++ % 4) ? x += m.charCodeAt(C + 10) - 10 !== 0 ? String.fromCharCode(255 & p >> (-2 * g & 6)) : g : 0)
                    O = f.indexOf(O);
                for (let g = 0, p = x.length; g < p; g++)
                    h += "%" + ("00" + x.charCodeAt(g).toString(16)).slice(-2);
                return decodeURIComponent(h)
            };
            // u: RC4. `d` is first decoded with s(), then XORed with the
            // keystream generated from key `f`.
            const u = function(d, f) {
                let x = [], h = 0, m, g = "";
                d = s(d);
                let p;
                // Key scheduling: identity permutation, then key-dependent swaps.
                for (p = 0; p < 256; p++)
                    x[p] = p;
                for (p = 0; p < 256; p++)
                    h = (h + x[p] + f.charCodeAt(p % f.length)) % 256,
                        m = x[p],
                        x[p] = x[h],
                        x[h] = m;
                p = 0,
                    h = 0;
                // Keystream generation and XOR, one output char per input char.
                for (let O = 0; O < d.length; O++)
                    p = (p + 1) % 256,
                        h = (h + x[p]) % 256,
                        m = x[p],
                        x[p] = x[h],
                        x[h] = m,
                        g += String.fromCharCode(d.charCodeAt(O) ^ x[(x[p] + x[h]) % 256]);
                return g
            };
            // Publish the decoder, and reuse the outer parameter `e` as the
            // result cache by pointing it at this call's arguments object.
            oo.wsHGkK = u,
                e = arguments,
                oo.QVeNrS = !0
        }
        // Cache key: the adjusted index combined with the table's first entry.
        const a = t[0]
            , c = n + a
            , l = e[c];
        if (l)
            i = l;
        else {
            // One-time self-defence check, guarded by the oo.fVLLEW flag.
            // The object below holds a probe function (sJqkzM) and two regex
            // fragments. aGGgAt() tests the probe's toString() against the
            // combined regex, which only matches the compact one-line form.
            //   match    -> --uGUfTZ[1] gives -1, ~(-1) is 0, VuMMRF returns.
            //   no match -> --uGUfTZ[0] gives 0, ~0 is truthy, ZoPfhU runs; its
            //               loop pushes one element per pass and raises the
            //               bound by the same amount, so it does not terminate
            //               on its own.
            if (oo.fVLLEW === void 0) {
                const u = function(d) {
                    this.cVktuj = d,
                        this.uGUfTZ = [1, 0, 0],
                        // WARNING: do not reformat this
                        this.sJqkzM = function() {return "newState"}
                        ,
                        this.yYpqPo = "\\w+ *\\(\\) *{\\w+ *",
                        this.dYRTqu = "['|\"].+['|\"];? *}"
                };
                u.prototype.aGGgAt = function() {
                    const d = new RegExp(this.yYpqPo + this.dYRTqu)
                        , f = d.test(this.sJqkzM.toString()) ? --this.uGUfTZ[1] : --this.uGUfTZ[0];
                    return this.VuMMRF(f)
                }
                    ,
                    u.prototype.VuMMRF = function(d) {
                        return ~d ? this.ZoPfhU(this.cVktuj) : d
                    }
                    ,
                    u.prototype.ZoPfhU = function(d) {
                        for (let f = 0, x = this.uGUfTZ.length; f < x; f++)
                            this.uGUfTZ.push(Math.round(Math.random())),
                                x = this.uGUfTZ.length;
                        return d(this.uGUfTZ[0])
                    }
                    ,
                    new u(oo).aGGgAt(),
                    oo.fVLLEW = !0
            }
            // Cache miss: RC4-decode the table entry with key `r` and store it.
            i = oo.wsHGkK(i, r),
                e[c] = i
        }
        return i
    }
        ,
        oo(e, o)
}

解密资源

// Start-up routine that rotates the string table into its working order.
// `e` is the table accessor (Ma) and `o` the expected checksum (416720).
// Each pass decodes ten table entries, parses them as integers and combines
// them arithmetically; while the result differs from `o`, or decoding
// throws, the first element is moved to the end and the test is repeated.
// The decoders therefore only yield correct strings after this loop has
// finished against the untouched table.
(function(e, o) {
        // t / i: index-shifting wrappers around oo (string argument = RC4 key).
        function t(a, c, l) {
            return oo(l - 446, a)
        }
        // n / s: wrappers around Po, which is not shown on this page;
        // presumably a second decoder without a key - confirm against the bundle.
        function n(a, c, l) {
            return Po(c - 830, a)
        }
        // Same array instance that every decoder reads, so the rotation is shared.
        const r = e();
        function i(a, c, l) {
            return oo(a - 541, l)
        }
        function s(a, c, l) {
            return Po(c - -480, a)
        }
        for (; ; )
            try {
                if (parseInt(n(1175, 1241, 1186)) / 1 + parseInt(i(1028, 1112, "^Jqg")) / 2 + -parseInt(s(-132, -35, -57)) / 3 + -parseInt(t("qabL", 911, 960)) / 4 * (-parseInt(n(1454, 1381, 1386)) / 5) + parseInt(t("GXv7", 775, 842)) / 6 * (parseInt(i(1077, 1192, "4uYR")) / 7) + -parseInt(i(1108, 988, "#Ki4")) / 8 * (parseInt(t("Hedz", 987, 970)) / 9) + -parseInt(s(-6, 59, -45)) / 10 === o)
                    break;
                // Checksum mismatch: rotate the table left by one and retry.
                r.push(r.shift())
            } catch (a) {
                // A decode error is treated like a mismatch.
                r.push(r.shift())
            }
    }
)(Ma, 416720);

主反调试函数

/**
 * Main anti-debugging routine, shown in its obfuscated form.
 *
 * Every string and property name is fetched at run time through the decoder
 * wrappers o/t/r, which call wu and oi (neither is shown on this page), so
 * the concrete values cannot be read from this listing.
 * NOTE(review): the control flow has the same shape as the de-obfuscated
 * Qf listing later in the article (type test on the argument, a ternary
 * over three anonymous functions, unconditional recursion); presumably the
 * decoded strings assemble a `debugger` statement in the same way - confirm
 * by decoding.
 *
 * @param e when truthy, the inner function `i` is returned instead of run
 * @returns `i` when `e` is truthy, otherwise undefined
 */
function ox(e) {
    // Decoder wrappers: each only shifts the index before delegating.
    function o(s, a, c) {
        return wu(a, c - -755)
    }
    function t(s, a, c) {
        return oi(s - -142, a - 248, a)
    }
    // Dispatch table: trivial operators and decoded strings are routed through
    // properties so that the body of `i` shows no literal operator or text.
    // `r` is used here before its declaration; function declarations are hoisted.
    const n = {
        TSDQL: function(s, a) {
            return s === a
        },
        RaLsF: o(-590, "tUXV", -588),
        lSMKS: t(956, 987),
        KRUgA: function(s, a) {
            return s + a
        },
        abZzh: function(s, a) {
            return s / a
        },
        ICsdM: r(-163, -198),
        xJSpc: function(s, a) {
            return s % a
        },
        WNhGb: t(947, 905),
        dOoGE: r(-197, -177),
        RKuSh: function(s, a) {
            return s(a)
        }
    };
    function r(s, a, c) {
        return oi(a - -1402, a - 471, s)
    }
    // Recursive worker. Property names are decoded on each access through the
    // local wrappers a/c/l/u declared further down (hoisted).
    function i(s) {
        if (n[a(948, 959, 928)](typeof s, n[u(289, 235, 192)]))
            return (function(d) {}
            )[c(1278, "B!BO")](u(316, 219, 147))[u(207, 296, 307)](n[c(1120, "uz8n")]);
        n[a(829, 860, 826)]("", n[l(605, "IPHE")](s, s))[n[a(865, 720, 781)]] !== 1 || n[u(282, 311, 216)](s, 20) === 0 ? (function() {
                return !0
            }
        )[a(876, 831, 793)](n[c(1129, "Qv()")](c(1217, "c!PF"), n[u(178, 229, 226)]))[c(1184, "toz2")](l(644, "3bpU")) : (function() {
                return !1
            }
        )[u(248, 183, 132)](n[l(534, "FRXx")](n[u(162, 197, 269)], c(1216, "q]io")))[c(1223, "Qv()")](c(1242, "[oj7"));
        function a(d, f, x) {
            return r(d, x - 1080)
        }
        function c(d, f, x) {
            return o(d - 355, f, d - 1759)
        }
        function l(d, f, x) {
            return o(d - 436, f, d - 1136)
        }
        function u(d, f, x) {
            return t(f - -790, x)
        }
        // Unconditional self-call with the incremented counter.
        i(++s)
    }
    // Any exception raised while running `i` is swallowed by the empty catch.
    try {
        if (e)
            return i;
        n[t(929, 901, 968)](i, 0)
    } catch (s) {}
}

反调试

  1. 通过拼接字符串得到 debugger 语句并动态执行,实现反调试
  2. 通过检测函数源码是否被格式化(与原始格式不同),实现反调试

debugger 命令反调试

/**
 * Anti-debugging routine after constant substitution (the article's
 * de-obfuscated output).
 *
 * It assembles the text "debugger" from the fragments "debu" and "gger",
 * turns it into a function through the Function constructor (reached as
 * `function(){}["constructor"]`) and invokes it, then recurses with an
 * incremented counter. With developer tools attached, each invocation
 * pauses execution.
 *
 * @param e when truthy, the worker `i` is returned instead of being started
 * @returns `i` when `e` is truthy, otherwise undefined
 */
function Qf(e) {
    // Leftover dispatch table from the obfuscator: string fragments plus
    // wrappers for !==, /, + and a plain call.
    const o = {
        cwQIV: "gger",
        QqhRz: "counter",
        VBvFS: function (a, c) {
            return a !== c;
        },
        oTtWp: "vJwit",
        qqYds: function (a, c) {
            return a / c;
        },
        MdVIU: function (a, c) {
            return a + c;
        },
        CqWLA: "debu",
        CISUq: "stateObject",
        iGoXi: function (a, c) {
            return a(c);
        }
    };
    function i(a) {
        // `l` is only read in the first ternary branch below, which is dead code.
        const l = {
            RLBNg: o["cwQIV"]
        };
        // String argument: build and run a function whose body is an endless loop.
        if (typeof a === "string") return function (x) {}["constructor"]("while (true) {}")["apply"](o["QqhRz"]);
        // "vJwit" !== "vJwit" is always false, so the first branch never runs.
        // Both remaining branches build and call a function whose body is
        // `debugger`; the test (("" + a / a).length !== 1 || a % 20 === 0) only
        // selects which of the two is used. The comma operator then recurses
        // with ++a unconditionally.
        o["VBvFS"]("vJwit", o["oTtWp"]) ? function () {
            return !1;
        }["constructor"]("debu" + l["RLBNg"])["apply"]("stateObject") : o["VBvFS"](("" + o["qqYds"](a, a))["length"], 1) || a % 20 === 0 ? function () {
            return !0;
        }["constructor"](o["MdVIU"](o["CqWLA"], "gger"))["call"]("action") : function () {
            return !1;
        }["constructor"](o["CqWLA"] + "gger")["apply"](o["CISUq"]), i(++a);
    }
    // The recursion has no base case; presumably it ends when the call stack
    // overflows and the empty catch swallows that error - confirm at run time.
    try {
        if (e) return i;
        o["iGoXi"](i, 0);
    } catch (a) {}
}

通过常量替换,我们能够看到反调试做的操作:主要是拼接出 debugger 语句,再通过 Function 构造器(function () {}["constructor"])生成函数并执行它。babel 脚本见文章结尾;我们只需注释掉 o["iGoXi"](i, 0); 这一行即可

检测格式反调试

主要有三个地方

  1. 读取 s 这个函数的字符串(s.toString()),作为解码的一部分实现反调试

    如下图 h.charCodeAt(O + 10)(上文 oo 的代码清单中对应的写法是 m.charCodeAt(C + 10)):解码时会判断函数源码中该位置的字符是否为换行符(charCode 为 10),源码被格式化后解码结果就会出错。手动初始化 h 的值即可

  2. 读取 Jf[o(1163, 1148, 1102)] 函数(具体函数需要动态获取)字符串,使用正则进行检验,

    直接 return 0 即可

  3. 原理同上,使用常量替换即可


放过我联机兄弟吧
2025-7-18 00:16