akamai 混淆解密

akamai 混淆是怎么运行的

以 '\x34': wp()[CS(KW)](SQ, zk) 为例子,这里 CS(KW) 的值为 'rt',SQ 值为 25,zk 值为 1409

wp()[CS(KW)](SQ, zk) => wp()['rt'](25,1409)

这里LTI有个 vt 属性,后面会用到

// Excerpt from the obfuscated script. The helpers qW, hD, hc, jr and the constants
// Rw, xW, FK, M9 are defined outside this excerpt.
xrI -= Rw;
// For every name in wrI, install an accessor function on the object returned by wp().
for (var TsI = xW; qW(TsI, wrI.length); ++TsI) {
// hD(hc(TsI, FK)) selects between two accessor shapes: one forwards to jr, the other decodes through LTI.
wp()[wrI[TsI]] = hD(hc(TsI, FK)) ? function() {
return jr.apply(this, [M9, arguments]);
}
: function() {
// Capture the property name now; TsI is a `var` shared by all loop iterations.
var NBI = wrI[TsI];
return function(zBI, PLI) {
// First call: compute the value through LTI with the two arguments.
var lsI = LTI.call(null, zBI, PLI);
// Then overwrite the accessor so later calls return the cached value without arguments.
wp()[NBI] = function() {
return lsI;
}
;
return lsI;
}
;
}();
}

上面可以看到 LTI.call(null, zBI, PLI); 返回了结果之后赋值给了 lsI,wp['rt'] 这个函数又被重新赋值成了 返回lsI 值的函数,也就是wp['rt']() 运行的时候可以直接返回这个函数本来要返回值的,不用再传入实参。

往下跟栈,可以看到 mKI 这个函数,这里的 xI 是一个控制数。

这里 S7I 是 mKI 的第二个参数,也就是上面函数的 arguments 参数

往下面跟栈,可以看到这个参数值和这个最终运算出来的数据

再往下跟栈可以看到返回了 kTI 这个值

到这里整理下这个运行逻辑

wp()['rt'](25,1409) => 
LTI.call(null, zBI, PLI) =>
LTI = function(vKI, S3I) {
return mKI.apply(this, [xI, arguments]);
} =>
function mKI (){
case xI:
计算出kTI 的值
case jp:
return kTI
}

计算kTI 的值,最后用到了jp 函数

函数jp 控制数w1 的函数逻辑为以下代码

/**
 * Simplified form of the obfuscated jp helper: turns one UTF-16 code unit into a character.
 *
 * @param {number[]} x - Array whose first element is the code unit to convert.
 * @returns {string} The one-character string for x[0].
 */
function jp(x) {
  const codeUnit = x[0];
  return String.fromCharCode(codeUnit);
}

以下为整个加密代码的整理:var rs = function mKI(xrI, S7I) {},第一个参数 xrI 为 switch 控制数,不同的 xrI 值会进入不同的分支;S7I 为实际传入的参数。

// Reconstructed core of the string decoder. xrI is the switch control value and S7I holds
// the forwarded arguments (the caller shown on this page is mKI.apply(this, [xI, arguments])).
// NOTE(review): the excerpt shows no enclosing loop, so the `break` after the first case would
// not reach `case jg` as written; presumably the original re-enters the switch — confirm.
var rs = function mKI(xrI, S7I) {
switch (xrI) {
case xI: {
// The simplified decoder on this page reads these two values as S7I[0] and S7I[1].
var TDI = S7I[Dg];
var ASI = S7I[C1];
// Pick the next state before doing the work.
xrI = jg;
// Accumulator for the decoded text; the simplified decoder starts it as ''.
var kTI = vs([], []);
// Starting offset into the key LTI.vt; the simplified decoder writes it as (ASI - 992) % 21.
var GcI = MT(hc(ASI, Sp[hc(Sp.length, nK)]), xv);
// Encoded string selected from the table rCI.
var UcI = rCI[TDI];
for (var bTI = xW; qW(bTI, UcI.length); bTI++) {
// One code unit of the encoded string and one code unit of the key.
var LLI = BcI(UcI, bTI);
var VsI = BcI(LTI.vt, GcI++);
// The page reduces this expression to (~LLI | ~VsI) & (LLI | VsI), which equals LLI ^ VsI.
kTI += jp(w1, [xL(VrI(LXI(LLI), LXI(VsI)), VrI(LLI, VsI))]);
}
}
break;
case jg: {
// Terminal state: hand back the accumulated string.
xrI = E;
return kTI;
}
break;

}

}

精简 运算

xL(VrI(LXI(LLI), LXI(VsI)), VrI(LLI, VsI)) => (~LLI| ~VsI)&(LLI| VsI),也就是按位异或 LLI ^ VsI:每个密文字符与 LTI.vt 中对应位置的密钥字符做异或。


/**
 * Converts the first element of `x` from a UTF-16 code unit to a character.
 * dec() calls it with a one-element array holding the XOR result.
 *
 * @param {number[]} x - Array whose first element is the code unit.
 * @returns {string} The one-character string for x[0].
 */
function jp(x) {
  const codeUnit = x[0];
  return String.fromCharCode(codeUnit);
}

// Encoded string table copied from the analysed script. dec() selects one entry by index and
// XORs it code unit by code unit with LTI.vt, so the entries are ciphertext, not readable text.
var DcI = function() {
return ["< \n\'", ",68_E+&=^82.XR/\b =\r", "[M\x3f!7A\x07!9", "><61,>;[}/$3\x406(", "-7&k\t:9\vPE/", "R.7", "O\f4UN\r 2\r:$6y\x00R,1\b`4:nq.\":\r1", ")*74\x07\n2/Fq#(7", ";+XE>:", "=B8)\bTT,", ";", "\'66:S", "EN\f&> +!+", "\"X", ",tc-7670DG$67^\r%_G3", "1#<_L-;4U", "K\r#TL", "AM)&=\r\'9)BJ", "\rCQ>=\x3fi%3\tpG(=\v:!#\'YL\t3>\x40", "TU!\',6", "1!Dg+1:", "SU3\x00", "!7X", "$.", ":=_9=T", "r", " =1;\">", "A%<<I\v#", "\x40a", "=", "E~9", "Y", "u#67Z99[rN2*=\nt2-D[:&;CwUT0", "Q:3<", ":e4", "\n;)\t", ":Yn%%7^+6/", "G,", "B623p", "nQ4\x00!\'9", ")2%/[G>7A\r9(", "u", "x1et", "!\v.6=Bu+&;^+82XS1", "6PU4", "<>\'4:r&\'5E\n", "$-> BG8\'\"", "_;5", "\x3f/R", "\x00;!<9WT/r\x40\t$4", "X\x07(\tXO;5.4", "EN)\'0:!2\"", "Y\x40.\" 7", "i},*6^!9\tnD*\x00#& \'", "I22", "\'04*YA", "\r5", "!X\t%(/B", ")$!8*S", "", "$,_O920+#\'YL+>\rF\b0PE9", "(\';\x40\f\x073\bEe=.", "\x3f\x00#0\v8##+pr", "_6.eH1<\'92", "%\br\n", " 5", "iuX1", "$#", "AB", "\bXF2\x00# ", " /wzKq=sBy>l$bu ", "39\raH$# +8", "\x40,#*=/2<", "G2", "N+!&m%EN,<\'*\x07", "=\rPH0)*:<6", "8]U=;", "> 4%", "AV", "R#04t", "\'\'9*", ":3BD88=", "O93B\')PU5!15$\vXC(>7H", "=RD0=2\n=-9", ".=3x\x00%3EM97.\x3f", "mG", "8WN\x3f7", "R8=&C.,", "050:", ">=tP+$7", "~\'2 -:/E", "H:", "33", "/CH,", "f~", "!_\x00", "F/$>", "\v\b!7#1wSF#3r|6%C\f\r:4S=,w\nOL+\x3f;OH5Z\b-!&;", "\r%I\n3.GD.\':=3\'5", "%606:S", "^", "3,\x3f7)", "o])o##|N8)5%Pj=t[t-G\x40L5)[%5/", "\'!%+SL", "51#+", "z\x00\x07", "$)\\H(", "K.", "J\x07%1$BT>\f&\'", "\vPF98", "E:2/E", "Z\t;)~G", "\v2\n1", " 1", "\x3f7FM>", "<:", ".VH/*!.&-#!UM&3B\f;9\t", "\x3f3T", ";\n 2m~e", "!\'+X", "h", "6(PB4$96 ", " \x07:6\x3f+EK9\"I\r443PR4", "\vb$\v", " 9", "\x0060"];
};
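// String table and XOR key consumed by dec(). Both are declared explicitly: a bare
// `rCI = DcI()` creates an implicit global and throws a ReferenceError in strict mode
// and in ES modules.
const rCI = DcI();
const LTI = {
  // Key material: a 21-character sequence repeated four times. dec() starts reading it
  // at (ASI - 992) % 21 and advances one position per decoded character.
  vt: '!\\aOS~TBWN6"JRR,hW\\{1!\\aOS~TBWN6"JRR,hW\\{1!\\aOS~TBWN6"JRR,hW\\{1!\\aOS~TBWN6"JRR,hW\\{1',
};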
/**
 * Reads one UTF-16 code unit from a string.
 *
 * @param {string} KVI - String to read from.
 * @param {number} hVI - Zero-based position.
 * @returns {number} The code unit at that position, or NaN when the position is out of range.
 */
var BcI = function (KVI, hVI) {
  const codeUnit = KVI.charCodeAt(hVI);
  return codeUnit;
};


/**
 * Decodes one entry of the string table rCI with the repeating key in LTI.vt.
 *
 * @param {Array<number>} S7I - [table index, key seed], e.g. [25, 1409].
 * @returns {string} The decoded string.
 */
function dec(S7I) {
  const tableIndex = S7I[0];
  const keySeed = S7I[1];
  // Offset of the first key character; the constants 992 and 21 are specific to this sample.
  const keyStart = (keySeed - 992) % 21;
  const encoded = rCI[tableIndex];
  let decoded = '';
  for (let pos = 0; pos < encoded.length; pos += 1) {
    const cipherUnit = BcI(encoded, pos);
    const keyUnit = BcI(LTI.vt, keyStart + pos);
    // (~a | ~b) & (a | b) from the obfuscated code is bitwise XOR.
    decoded += jp([cipherUnit ^ keyUnit]);
  }
  return decoded;
}


// Decode table entry 25 with key seed 1409, the arguments of wp()['rt'](25, 1409).
const decodedSample = dec([25, 1409]);
console.log(decodedSample); // the page reports the output "."

只要带入 参数的实际值,就可以计算出所有wp() 开头的混淆,

以下两个调用 wp()[CS(KW)](25, 1409) 和 LTI.call(null, 25, 1409) 的实际值相等。

其他如 Yr() 等函数的解密类似,不过会有点不一样:除了列表和解密的 key 之外,类似 var GcI = (ASI - 992) % 21 这种结构里 % 之后的数字可能不一样,或者是 jp 函数传入参数前的运算逻辑不一样。

以下是一个函数的解密

// Key string for meth(): it is read through vCI.U7, starting at (WVI[1] - 379) % 18 and
// advancing one position per decoded character.
let vCI = {U7: "3YTotqYT{ |C6G3$JC3YTotqYT{ |C6G3$JC3YTotqYT{ |C6G3$JC3YTotqYT{ |C6G3$JC3YTotqYT{ |C6G3$JC3YTotqYT{ |C6G3$JC3YTotqYT{ |C6G3$JC3YTotqYT{ |C6G3$JC3YTotqYT{ |C6G3$JC3YTotqYT{ |C6G3$JC3YTotqYT{ |C6G3$JC3YTotqYT{ |C6G3$JC3YTotqYT{ |C6G3$JC3YTotqYT{ |C6G3$JC3YTotqYT{ |C6G3$JC"};

/**
 * Reads one UTF-16 code unit from a string.
 *
 * @param {string} KVI - String to read from.
 * @param {number} hVI - Zero-based position.
 * @returns {number} The code unit at that position, or NaN when the position is out of range.
 */
function BcI(KVI, hVI) {
  const codeUnit = KVI.charCodeAt(hVI);
  return codeUnit;
}

/**
 * Converts a UTF-16 code unit to a one-character string.
 * Unlike the array-taking jp in the earlier listing, this variant takes the number directly.
 *
 * @param {number} x - Code unit to convert.
 * @returns {string} The corresponding character.
 */
function jp(x) {
  const character = String.fromCharCode(x);
  return character;
}

// Encoded string table for meth(): WVI[2] selects the entry, which is then XORed code unit
// by code unit with vCI.U7. Entries are ciphertext, not readable text.
let RCI = ["\t&\x00*1", "8A*X ", "7VV,,A45", ",%\x40", "P6:\x00,7O", "O\b", "G*0", "4GV#3c+;\r7+;e1Y5\x40", "8\"=T", "0S)Wi/0\x4083\n", ")b>CA\b*G45", "", "lxWYZGKSJ~uAv>,o>3SeXH&u58]", "* ", "\fE(_3gA\'3\\+5\r\"-;\tA&", "tK%$_<t*-<[p6QjZJ", "V88\x3f 1\t\x00*&D4ZK$cc5!\b", ".&QKT", "\x3fE\"C+G\b1\\.\'\nQ1P1", "|\"G1\n\x075 ", "\"C)8277", "K$Z71", "\x3fV", "D&", "d", ")B", "PH#&]-1", "/1T0*[.Gf#,^< !O\f,E3", "5>!E7E", "zJ<\"_00O-1P\bcB(\x40/0G+!\f\x00+1[N-.GA8\"Q51O* N&MzJj,A=1T6tE\\*B\"AE(/Vutt5\tR:(QN/ G*t-tA\n&&:^;;Z-1\tA\b,D\rj.V-<\x00_", "41\v1\rI&E", ",R\"cK#-G ", "C&W3V", "\x40#0C55", "\bE0_(]w>,A83\n", "xW-\f", "\'<B+*R\"gV+ X0:\b1\t:1\vT,X", "C i&WK3\\8\'nb\vFz*PB&r+&\r", ":!7 (C*F3", "A5W4", "-B(FG\"0G8&", ".V/8", "\f=1T\"Z4", ")5\bS", ")N1`\"AW#,]", "\tA", "\r/1", "$\"C", "H1R0RV/\x00\\77<:Y", "5h%", "&Q=Y7 G*S5GAjw", "W>\"A-\x002=G", "X\f,D3\x40", "W8 ", "hlF\'lT< 0+5SC7O7V", "7Y2PL\',E<", "-N7_(]W", "+.*1E*C*lQ$4A8$", "XA30", "/_$V", "$RB3A", "", "<:<0+L\t$_)", "", "41-;+R._3ZR/c^,\'T< RcWgCV#.Z-=Q/5Um", "k", "&_+", "L ]", "p%6P1-", "8$=I\'", "D<6B-;", ".", "#VB+6_-", "U\b,U(^T&&G<", "*\\Q9&~6\"\n0-5", "03T", "*=E", "FJ)7Z6:", "\'\vE(S5", "&%E\x00Y)]A)7Z6:", "^*<:", "4VG8&G", "u;\vCF", "+L", "G7t&GP/1J", "6X$GM%-q3\n\x00QpkO7S)Gs#-W6#G(Y}R\x00 8]1pNpkO(*75I\n&$\\\x40/n\bT,)", "3T,\"D&^A>&A", " -", "+E8", ")7", "e4Q\r", "%_+Vt+7[", "$7=Y\\Z&JA8", "B\t7B(]", "W8!", "_8:\b>1", "%-^6!6#", "4", "5h$", "w", "6]", "9753t3S", "^W\x07\"K\r;\t;N\b0", "Z", "F&D", "\x40", "\x07aE\"]W%1l=5Sc", "\"EAM<\"G<\x00\x007", "3T#7S+VI/7A ", "r/jC\vgg(E$\v2/", " Y)GA$7d0:\v", "\b9p\t"];


/**
 * Decodes one entry of the string table RCI with the repeating key in vCI.U7.
 *
 * @param {Array<number>} WVI - [unused, key seed, table index]; WVI[0] is never read.
 * @returns {string} The decoded string.
 */
function meth(WVI) {
  const keySeed = WVI[1];
  const tableIndex = WVI[2];
  // Offset of the first key character; the constants 379 and 18 are specific to this sample.
  const keyStart = (keySeed - 379) % 18;
  const encoded = RCI[tableIndex];
  let decoded = '';
  for (let pos = 0; pos < encoded.length; pos += 1) {
    const cipherUnit = BcI(encoded, pos);
    const keyUnit = BcI(vCI.U7, keyStart + pos);
    // ~(a & b) & (a | b) from the obfuscated code is bitwise XOR.
    decoded += jp(cipherUnit ^ keyUnit);
  }
  return decoded;
}

// Sample calls; the trailing comments are the outputs reported on the page.
// The last two rows differ only in WVI[0], which meth() never reads, so they print the same string.
const sampleArgs = [
  [53, 990, 100], // un
  [53, 637, 43], // pass
  [53, 680, 81], // secret
  [0, 680, 81], // secret
];
for (const args of sampleArgs) {
  console.log(meth(args));
}


akamai 混淆解密
https://kingjem.github.io/2025/01/08/逆向/akamai 混淆解密/
作者
Ruhai
发布于
2025年1月8日
许可协议