web控制流平坦化解混淆
- 此代码可以解决大部分 while / if else 形式的控制流平坦化
- 先上成果图看下
代码实现
npm install @babel/parser
npm install @babel/generator
npm install @babel/traverse
npm install @babel/types
- 将代码中的 if else 语句转为 switch 语句,方便接下来的操作,如:
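const fs = require('fs');
const {parse} = require("@babel/parser");
const traverse = require("@babel/traverse").default;
const generator = require("@babel/generator").default;
const types = require("@babel/types");
// The input is only parsed, transformed and re-printed; it is never executed.
const js_code = fs.readFileSync("./test.js", 'utf8');
const ast_code = parse(js_code);
// state-variable name -> SwitchCase nodes collected from its `if (name === <literal>)` chain
const switch_cases_dict = {};
// True for `if (<expr> === <expr>)` tests; any other test shape (e.g. `if (x)`) has no
// `.left`/`.operator` and must be skipped instead of dereferenced.
const isDispatchTest = (test) => test.type === "BinaryExpression" && test.operator === "===";
traverse(ast_code, {
  'IfStatement': {
    enter(path) {
      const {test, consequent, alternate} = path.node;
      // `consequent` is only a BlockStatement when the `if` has braces; otherwise it has no `.body`.
      if (!isDispatchTest(test) || consequent.type !== 'BlockStatement') {
        return;
      }
      const name = test.left.name;
      if (switch_cases_dict[name] === undefined) {
        switch_cases_dict[name] = [];
      }
      // One fresh break node per insertion: the same node object must not be placed at
      // several positions of the AST (the original pushed a single shared `break_node`,
      // which this listing never even defined).
      consequent.body.push(types.breakStatement());
      switch_cases_dict[name].push(types.switchCase(test.right, consequent.body));
      // `alternate` is null when there is no else; an `else if` is an IfStatement and is
      // visited on its own, so only a plain `else { ... }` block is handled here.
      if (alternate !== null && alternate.type === 'BlockStatement') {
        alternate.body.push(types.breakStatement());
        // Heuristic kept from the original: the else branch is assumed to be state value + 1.
        const num = test.right.value + 1;
        switch_cases_dict[name].push(types.switchCase(
          types.numericLiteral(num),
          alternate.body,
        ));
      }
    },
    exit(path) {
      const {test} = path.node;
      if (!isDispatchTest(test)) {
        return;
      }
      const name = test.left.name;
      const cases = switch_cases_dict[name];
      // Only the `if` sitting directly inside the `while` body becomes the switch.
      // `cases` is undefined when enter() skipped this node; the original indexed into it unguarded.
      if (path.parentPath.parentPath.type === "WhileStatement" && cases !== undefined && cases.length !== 0) {
        console.log(name, "if 已替换 switch");
        path.replaceWith(types.switchStatement(types.identifier(name), cases));
      }
    },
  },
});
fs.writeFileSync("./demo.js", generator(ast_code).code, 'utf8');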
其原理就是每个代码分支必有一个对控制流控制变量的赋值操作,如果没有则证明此分支已运行至末尾,如:
当然,合并代码之后,这个肯定不是我们需要的,所以还需要删除多余的 break 和赋值语句,并删除已经合并过的分支,以下是我们需要的效果:
// Expected result after merging: each surviving case ends with a single assignment to
// the state variable G and a single break; merged-away cases are gone.
G = 0;
// G is the control-flow state variable; the dispatch loop runs until a branch sets it to undefined.
while (G !== undefined){
switch (G){
case 0:
console.log('tt');
G = undefined; // terminal branch: leaves the dispatch loop
break;
case 1:
G = 25;
break;
case 4:
G = 666;
break;
}
}
完整解混淆代码:
/*
 * 控制流平坦化 if语句转 switch
 */
function del_code(name, consequent) {
  // After branches are merged, a case body carries one `<name> = ...; break;` pair per
  // merged branch. Only the last assignment to `name` and the last `break` are kept;
  // every other statement stays in place.
  // Mutates `consequent` in place (callers rely on that) and returns nothing.
  const isBreak = (stmt) => stmt.type === "BreakStatement";
  const isStateAssignment = (stmt) =>
    stmt.type === "ExpressionStatement" &&
    stmt.expression.type === "AssignmentExpression" &&
    stmt.expression.left.name === name;
  let keptBreak = false;
  let keptAssignment = false;
  const survivors = [];
  // Walk backwards so the *last* occurrence of each kind is the one retained.
  for (let idx = consequent.length - 1; idx >= 0; idx--) {
    const stmt = consequent[idx];
    if (isBreak(stmt)) {
      if (keptBreak) {
        continue;
      }
      keptBreak = true;
    } else if (isStateAssignment(stmt)) {
      if (keptAssignment) {
        continue;
      }
      keptAssignment = true;
    }
    survivors.push(stmt);
  }
  survivors.reverse();
  consequent.splice(0, consequent.length, ...survivors);
}
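function merge_branch(name, key, cases_dict, seen = new Set()) {
  // Recursively merge switch branches: starting at `cases_dict[key]`, follow the first
  // `name = <NumericLiteral>` assignment in its body to the case with that value and
  // append that case's (recursively merged) body.
  //
  // Side effect: every case reached from `key` is recorded in the global
  // `del_cases_dict` (created by the SwitchStatement visitor) so the caller can drop it.
  //
  // `seen` holds the case keys already on the current merge path. A case that jumps back
  // to an earlier one (a loop in the flattened code) would otherwise recurse forever.
  // Returns a new array when something was merged; `cases_dict[key].consequent` is not modified.
  const {consequent} = cases_dict[key];
  seen.add(String(key));
  const jump = consequent.find((stmt) =>
    stmt.type === "ExpressionStatement" &&
    stmt.expression.type === "AssignmentExpression" &&
    stmt.expression.left.name === name &&
    stmt.expression.right.type === "NumericLiteral");
  if (jump === undefined) {
    return consequent;
  }
  // Object keys are strings, so compare the target as a string (the original used -1 as a
  // "not found" sentinel, which would also have hidden a real case value of -1).
  const next = String(jump.expression.right.value);
  if (!Object.prototype.hasOwnProperty.call(cases_dict, next) || seen.has(next)) {
    return consequent;
  }
  del_cases_dict[next] = 1;
  return consequent.concat(merge_branch(name, next, cases_dict, seen)); // continue with the next branch
}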
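const fs = require('fs');
const {parse} = require("@babel/parser");
const traverse = require("@babel/traverse").default;
const generator = require("@babel/generator").default;
const types = require("@babel/types");
// The input is only parsed, transformed and re-printed; it is never executed.
const js_code = fs.readFileSync("./test.js", 'utf8');
const ast_code = parse(js_code);
// state-variable name -> SwitchCase nodes collected from its `if (name === <literal>)` chain
const switch_cases_dict = {};
// True for `if (<expr> === <expr>)` tests; any other test shape (e.g. `if (x)`) has no
// `.left`/`.operator` and must be skipped instead of dereferenced.
const isDispatchTest = (test) => test.type === "BinaryExpression" && test.operator === "===";
traverse(ast_code, {
  'IfStatement': {
    enter(path) {
      const {test, consequent, alternate} = path.node;
      // `consequent` is only a BlockStatement when the `if` has braces; otherwise it has no `.body`.
      if (!isDispatchTest(test) || consequent.type !== 'BlockStatement') {
        return;
      }
      const name = test.left.name;
      if (switch_cases_dict[name] === undefined) {
        switch_cases_dict[name] = [];
      }
      // One fresh break node per insertion: the same node object must not be placed at
      // several positions of the AST (the original pushed a single shared `break_node`).
      consequent.body.push(types.breakStatement());
      switch_cases_dict[name].push(types.switchCase(test.right, consequent.body));
      // `alternate` is null when there is no else; an `else if` is an IfStatement and is
      // visited on its own, so only a plain `else { ... }` block is handled here.
      if (alternate !== null && alternate.type === 'BlockStatement') {
        alternate.body.push(types.breakStatement());
        // Heuristic kept from the original: the else branch is assumed to be state value + 1.
        const num = test.right.value + 1;
        switch_cases_dict[name].push(types.switchCase(
          types.numericLiteral(num),
          alternate.body,
        ));
      }
    },
    exit(path) {
      const {test} = path.node;
      if (!isDispatchTest(test)) {
        return;
      }
      const name = test.left.name;
      const cases = switch_cases_dict[name];
      // Only the `if` sitting directly inside the `while` body becomes the switch.
      // `cases` is undefined when enter() skipped this node; the original indexed into it unguarded.
      if (path.parentPath.parentPath.type === "WhileStatement" && cases !== undefined && cases.length !== 0) {
        console.log(name, "if 已替换 switch");
        path.replaceWith(types.switchStatement(types.identifier(name), cases));
      }
    },
  },
  'SwitchStatement': {
    enter(path) {
      // `name` is undefined when the discriminant is not a plain identifier; such switches
      // never have an entry in switch_cases_dict and are left alone.
      const {name} = path.node.discriminant;
      if (!Object.prototype.hasOwnProperty.call(switch_cases_dict, name)) {
        return;
      }
      console.log(name, "switch 分支合并");
      // Keys of the cases that were merged into another one; merge_branch fills this global.
      globalThis.del_cases_dict = {};
      const cases_dict = {}; // state value -> SwitchCase
      const untagged_cases = []; // `default:` has no test value; it is kept as-is
      for (const switch_case of path.node.cases) {
        if (switch_case.test === null) {
          untagged_cases.push(switch_case);
        } else {
          cases_dict[switch_case.test.value] = switch_case;
        }
      }
      // merge_branch reads `cases_dict[key].consequent`. Hand it a snapshot of the original
      // bodies, so that a case already merged and trimmed earlier in the loop below is never
      // re-read (the original re-read the rewritten body, which can duplicate statements).
      const original_bodies = {};
      for (const key in cases_dict) {
        original_bodies[key] = {consequent: cases_dict[key].consequent.slice()};
      }
      for (const key in cases_dict) {
        // `.slice()` keeps the snapshot untouched when merge_branch returns it unchanged,
        // because del_code edits the array in place.
        cases_dict[key].consequent = merge_branch(name, key, original_bodies).slice();
        del_code(name, cases_dict[key].consequent); // drop the now-redundant assignments and breaks
      }
      for (const key in globalThis.del_cases_dict) {
        delete cases_dict[key]; // remove branches that were merged into their predecessor
      }
      path.node.cases = [...Object.values(cases_dict), ...untagged_cases];
    },
  },
});
fs.writeFileSync("./demo.js", generator(ast_code).code, 'utf8');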
注:以上 js 解出来的代码在某些分支会出现多次 return 语句,当然,并不影响运行。我暂时没找到出现这种问题的原因在哪里,如果您找到请务必和我说下;另外,您也可以在 del_code 函数中删除多余的 return 语句。