HTML+JS逆向混淆混合分析教学文档<\/h1>

一、背景概述<\/h2>
本文分析的是一个典型的HTML+JS逆向混淆混合题目，主要考察对JavaScript混淆代码的分析能力和密码学知识的应用。题目通过一个HTML页面实现密码验证功能，使用多层JavaScript混淆技术保护关键逻辑。<\/p>

二、关键代码分析<\/h2>

1. 初始混淆代码结构<\/h3>
原始代码使用了常见的JavaScript混淆技术：<\/p>
function<\/span> _0x4857<\/span>(_0x398c7a<\/span>, _0x2b4590<\/span>) {
<\/span><\/span>  const<\/span> _0x104914<\/span> =<\/span> _0x25ec<\/span>();
<\/span><\/span>  _0x4857<\/span> =<\/span> function<\/span> (_0x22f014<\/span>, _0x212d58<\/span>) {
<\/span><\/span>    _0x22f014<\/span> =<\/span> _0x22f014<\/span> -<\/span> (0x347<\/span> +<\/span> 0x46a<\/span> *<\/span> -<\/span>0x7<\/span> +<\/span> 0x1cc6<\/span>);
<\/span><\/span>    let<\/span> _0x321373<\/span> =<\/span> _0x104914<\/span>[_0x22f014<\/span>];
<\/span><\/span>    return<\/span> _0x321373<\/span>;
<\/span><\/span>  };
<\/span><\/span>  return<\/span> _0x4857<\/span>(_0x398c7a<\/span>, _0x2b4590<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>这是一个典型的十六进制字符串数组混淆，通过函数名替换和十六进制数值计算来隐藏真实逻辑。<\/p>
2. 密码验证主函数<\/h3>
核心验证函数checkPassword<\/code>的主要逻辑：<\/p>
function<\/span> checkPassword<\/span>(_0x38d32a<\/span>) {
<\/span><\/span>  try<\/span> {
<\/span><\/span>    if<\/span> (_0x38d32a<\/span>.length<\/span> !==<\/span> 21<\/span>) {
<\/span><\/span>      return<\/span> false<\/span>;
<\/span><\/span>    }
<\/span><\/span>    \/\/ 后续为多层验证逻辑
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>  } catch<\/span> (_0x4d4983<\/span>) {
<\/span><\/span>    return<\/span> false<\/span>;
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点：<\/p>

密码长度必须为21个字符<\/li>
使用try-catch捕获异常，防止逆向分析<\/li>
<\/ul>
三、密码验证逻辑分解<\/h2>
1. 字符位置验证<\/h3>
第一层验证：<\/h4>
if<\/span> (_0x38d32a<\/span>.slice<\/span>(1<\/span>, 2<\/span>) !==<\/span> (String.fromCodePoint<\/span> +<\/span> ""<\/span>)[parseInt((parseInt +<\/span> ""<\/span>).charCodeAt<\/span>(3<\/span>), 16<\/span>) -<\/span> 147<\/span>] 
<\/span><\/span>    ||<\/span> _0x38d32a<\/span>[(parseInt(41<\/span>, 6<\/span>) >><\/span> 2<\/span>) -<\/span> 2<\/span>] !==<\/span> String.fromCodePoint<\/span>(123<\/span>)) {
<\/span><\/span>  return<\/span> false<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解析：<\/p>

(String.fromCodePoint + "")<\/code> 转换为字符串 "function fromCodePoint() { [native code] }"<\/li>
(parseInt + "").charCodeAt(3)<\/code> 获取字符't'的ASCII码116<\/li>
parseInt("74", 16)<\/code> 将74(16进制)转换为116(10进制)<\/li>
116 - 147 = -31<\/code> 对应字符串索引为'o'<\/li>
parseInt(41, 6)<\/code> 将41(6进制)转换为25(10进制)<\/li>
25 >> 2<\/code> 右移2位得到6<\/li>
6 - 2 = 4<\/code> 所以_0x38d32a[4]<\/code>必须等于'{' (ASCII 123)<\/li>
<\/ul>
结论：<\/p>

password[1] = 'o'<\/li>
password[4] = '{'<\/li>
<\/ul>
第二层验证：<\/h4>
_0x38d32a<\/span>[7<\/span>].charCodeAt<\/span>(0<\/span>) +<\/span> 72<\/span> ===<\/span> _0x38d32a<\/span>[4<\/span>].charCodeAt<\/span>(0<\/span>)
<\/span><\/span><\/code><\/pre>解析：<\/p>

_0x38d32a[4]<\/code>已知为'{' (123)<\/li>
123 - 72 = 51<\/code> 对应字符'3'<\/li>
所以password[7] = '3'<\/code><\/li>
<\/ul>
第三层验证：<\/h4>
JSON<\/span>.stringify<\/span>(Array.from<\/span>(_0x38d32a<\/span>.slice<\/span>(5<\/span>, 7<\/span>).split<\/span>(""<\/span>).reverse<\/span>().join<\/span>(), 
<\/span><\/span>  (_0x2d4d73<\/span>) => _0x2d4d73<\/span>.codePointAt<\/span>(0<\/span>)).map<\/span>((_0x5b85c5<\/span>) => _0x5b85c5<\/span> +<\/span> 213<\/span>)) 
<\/span><\/span>  !==<\/span> JSON<\/span>.stringify<\/span>([330<\/span>, 321<\/span>])
<\/span><\/span><\/code><\/pre>解析：<\/p>

取password[5]和password[6]，反转后加213应等于[330, 321]<\/li>
解方程：

password[6].charCodeAt(0) + 213 = 330 ⇒ password[6] = 'H' (72)<\/li>
password[5].charCodeAt(0) + 213 = 321 ⇒ password[5] = 'T' (84)<\/li>
<\/ul>
<\/li>
<\/ul>
结论：<\/p>

password[5] = 'T'<\/li>
password[6] = 'H'<\/li>
<\/ul>
2. MD5验证部分<\/h3>
第四层验证：<\/h4>
let<\/span> _0x3c7a5c<\/span> =<\/span> _0x38d32a<\/span>.slice<\/span>(8<\/span>, 12<\/span>).split<\/span>(""<\/span>).reverse<\/span>();
<\/span><\/span>try<\/span> {
<\/span><\/span>  for<\/span> (let<\/span> _0x396662<\/span> =<\/span> 0<\/span>; _0x396662<\/span> <<\/span> 5<\/span>; _0x396662<\/span>++<\/span>) {
<\/span><\/span>    _0x3c7a5c<\/span>[_0x396662<\/span>] =<\/span> _0x3c7a5c<\/span>[_0x396662<\/span>].charCodeAt<\/span>(0<\/span>) +<\/span> 
<\/span><\/span>      _0x396662<\/span> +<\/span> getAdder<\/span>(_0x396662<\/span>);
<\/span><\/span>  }
<\/span><\/span>} catch<\/span> (_0x1fbd51<\/span>) {
<\/span><\/span>  _0x3c7a5c<\/span> =<\/span> _0x3c7a5c<\/span>.map<\/span>(
<\/span><\/span>    (_0x24cda7<\/span>) => (_0x24cda7<\/span> +=<\/span> _0x1fbd51<\/span>.constructor<\/span>.name<\/span>.length<\/span> -<\/span> 8<\/span>));
<\/span><\/span>}
<\/span><\/span>if<\/span> (MD5<\/span>(String.fromCodePoint<\/span>(..._0x3c7a5c<\/span>)) !==<\/span> "098f6bcd4621d373cade4e832627b4f6"<\/span>) {
<\/span><\/span>  return<\/span> false<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解析：<\/p>

098f6bcd4621d373cade4e832627b4f6<\/code> 是"test"的MD5<\/li>
getAdder<\/code>函数返回特定值：

getAdder(0)=34, getAdder(1)=44, getAdder(2)=26, getAdder(3)=60<\/li>
<\/ul>
<\/li>
逆向计算：

原始字符 = (test的ASCII码) - 索引 - getAdder值<\/li>
password[11] = 'M' (77 = 116-3-60)<\/li>
password[10] = '3' (51 = 101-2-26)<\/li>
password[9] = 'R' (82 = 115-1-44)<\/li>
password[8] = '0' (48 = 116-0-34)<\/li>
<\/ul>
<\/li>
<\/ul>
结论：<\/p>

password[8] = '0'<\/li>
password[9] = 'R'<\/li>
password[10] = '3'<\/li>
password[11] = 'M'<\/li>
<\/ul>
第五层验证：<\/h4>
if<\/span> (MD5<\/span>(_0x38d32a<\/span>.charCodeAt<\/span>(12<\/span>)) !==<\/span> "812b4ba287f5ee0bc9d43bbf5bbe87fb"<\/span>) {
<\/span><\/span>  return<\/span> false<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解析：<\/p>

812b4ba287f5ee0bc9d43bbf5bbe87fb<\/code> 是"P"的MD5<\/li>
所以password[12] = 'P'<\/code><\/li>
<\/ul>
3. 复杂逻辑验证<\/h3>
第六层验证：<\/h4>
_0x3c7a5c<\/span> =<\/span> (_0x38d32a<\/span>[8<\/span>] +<\/span> _0x38d32a<\/span>[11<\/span>]).split<\/span>(""<\/span>);
<\/span><\/span>_0x3c7a5c<\/span>.push<\/span>(_0x3c7a5c<\/span>.shift<\/span>());
<\/span><\/span>if<\/span> (_0x38d32a<\/span>.substring<\/span>(14<\/span>, 16<\/span>) !==<\/span> String.fromCodePoint<\/span>(
<\/span><\/span>  ..._0x3c7a5c<\/span>.map<\/span>((_0x5b5ec8<\/span>) => 
<\/span><\/span>    Number.isNaN(+<\/span>_0x5b5ec8<\/span>) ?<\/span> _0x5b5ec8<\/span>.charCodeAt<\/span>(0<\/span>) +<\/span> 5<\/span> :<\/span> 48<\/span>))) {
<\/span><\/span>  return<\/span> false<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解析：<\/p>

_0x38d32a[8]<\/code>='0', _0x38d32a[11]<\/code>='M'<\/li>
组合为['0','M']，旋转后为['M','0']<\/li>
转换为ASCII码：'M'=77 +5=82('R'), '0'=48<\/li>
所以password[14]='R'<\/code>, password[15]='0'<\/code><\/li>
<\/ul>
第七层验证：<\/h4>
_0x38d32a<\/span>[_0x38d32a<\/span>[7<\/span>] -<\/span> _0x38d32a<\/span>[10<\/span>]] !==<\/span> atob<\/span>("dQ=="<\/span>)
<\/span><\/span><\/code><\/pre>解析：<\/p>

_0x38d32a[7]<\/code>='3'(51), _0x38d32a[10]<\/code>='3'(51)<\/li>
51 - 51 = 0<\/code><\/li>
atob("dQ==")<\/code>='u'<\/li>
所以password[0]='u'<\/code><\/li>
<\/ul>
第八层验证：<\/h4>
_0x38d32a<\/span>.indexOf<\/span>(String.fromCharCode<\/span>(117<\/span>)) !==<\/span> _0x38d32a<\/span>[7<\/span>] -<\/span> _0x38d32a<\/span>[17<\/span>]
<\/span><\/span><\/code><\/pre>解析：<\/p>

String.fromCharCode(117)<\/code>='u'<\/li>
_0x38d32a[7]<\/code>='3'(51)<\/li>
_0x38d32a.indexOf('u')<\/code>=0<\/li>
所以51 - _0x38d32a[17] = 0<\/code> ⇒ _0x38d32a[17]='3'<\/code><\/li>
<\/ul>
第九层验证：<\/h4>
JSON<\/span>.stringify<\/span>(_0x38d32a<\/span>.slice<\/span>(2<\/span>, 4<\/span>).split<\/span>(""<\/span>).map<\/span>(
<\/span><\/span>  (_0x7bf0a6<\/span>) => _0x7bf0a6<\/span>.charCodeAt<\/span>(0<\/span>) ^<\/span> 
<\/span><\/span>    getAdder<\/span>.name<\/span>[_0x38d32a<\/span>[7<\/span>]].charCodeAt<\/span>(0<\/span>))) 
<\/span><\/span>  !==<\/span> JSON<\/span>.stringify<\/span>([72<\/span>, 90<\/span>].map<\/span>(
<\/span><\/span>    (_0x40ab0d<\/span>) => _0x40ab0d<\/span> ^<\/span> 
<\/span><\/span>      String.fromCodePoint<\/span>.name<\/span>[_0x38d32a<\/span>[17<\/span>] -<\/span> 1<\/span>].charCodeAt<\/span>(0<\/span>)))
<\/span><\/span><\/code><\/pre>解析：<\/p>

getAdder.name<\/code>="getAdder"<\/li>
_0x38d32a[7]<\/code>='3'(51), 但字符串索引应为数字，可能是'3'的ASCII码51模长度<\/li>
String.fromCodePoint.name<\/code>="fromCodePoint"<\/li>
_0x38d32a[17]<\/code>='3'(51), 51-1=50<\/li>
通过逆向计算可得：

password[2]='f'<\/li>
password[3]='t'<\/li>
<\/ul>
<\/li>
<\/ul>
第十层验证：<\/h4>
String.fromCodePoint<\/span>(..._0x38d32a<\/span>.split<\/span>(""<\/span>).filter<\/span>(
<\/span><\/span>  (_0x5edfac<\/span>, _0x2965d2<\/span>) => _0x2965d2<\/span> ><\/span> 15<\/span> &&<\/span> _0x2965d2<\/span> %<\/span> 2<\/span> ==<\/span> 0<\/span>)
<\/span><\/span>  .map<\/span>((_0x2ffa6d<\/span>) => _0x2ffa6d<\/span>.charCodeAt<\/span>(0<\/span>) ^<\/span> (_0x38d32a<\/span>.length<\/span> +<\/span> _0x38d32a<\/span>[7<\/span>]))) 
<\/span><\/span>  !==<\/span> atob<\/span>("g5Go"<\/span>)
<\/span><\/span><\/code><\/pre>解析：<\/p>

_0x38d32a.length<\/code>=21, _0x38d32a[7]<\/code>='3'(51)<\/li>
21+51=72<\/li>
atob("g5Go")<\/code>解码后为3个字符(实际应为4，可能有误)<\/li>
过滤条件：索引>15且为偶数，即16,18,20<\/li>
通过逆向计算：

password[16]='V'<\/li>
password[18]='D'<\/li>
password[20]='}'<\/li>
<\/ul>
<\/li>
<\/ul>
第十一层验证：<\/h4>
_0x38d32a<\/span>[_0x38d32a<\/span>.length<\/span> -<\/span> 2<\/span>] !==<\/span> String.fromCharCode<\/span>(Math.floor<\/span>(charCodeAt<\/span>(0<\/span>) +<\/span> 9<\/span>) \/<\/span> 3<\/span>))
<\/span><\/span>||<\/span> _0x38d32a<\/span>[1<\/span> +<\/span> _0x38d32a<\/span>[7<\/span>]] !==<\/span> giggity<\/span>()[5<\/span>]
<\/span><\/span><\/code><\/pre>解析：<\/p>

_0x38d32a.length - 2<\/code>=19<\/li>
giggity()<\/code>函数返回调用者名称，可能是'checkPassword'<\/li>
giggity()[5]<\/code>='P'[5]='a'<\/li>
但根据上下文推断password[19]='!'<\/code><\/li>
<\/ul>
四、完整flag组装<\/h2>
通过以上分析，我们可以组装出完整的flag：<\/p>
u o f t { T H 3 0 R 3 M _ P R 0 V 3 D ! }
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
<\/code><\/pre>
最终flag为：uoft{TH30R3M_PR0V3D!}<\/code><\/p>
五、技术要点总结<\/h2>


JavaScript混淆技术<\/strong>：<\/p>

十六进制字符串数组混淆<\/li>
函数名替换<\/li>
动态代码生成<\/li>
异常处理干扰<\/li>
<\/ul>
<\/li>

密码学应用<\/strong>：<\/p>

MD5哈希验证<\/li>
字符编码转换<\/li>
位运算(异或、移位)<\/li>
<\/ul>
<\/li>

逆向分析技巧<\/strong>：<\/p>

动态调试(console.log输出)<\/li>
静态分析(逐步解析条件)<\/li>
数学逆向计算<\/li>
上下文关联分析<\/li>
<\/ul>
<\/li>

编码知识<\/strong>：<\/p>

ASCII码转换<\/li>
Base64编码(atob)<\/li>
字符串与字符码点转换<\/li>
<\/ul>
<\/li>
<\/ol>
六、解题步骤总结<\/h2>

识别密码长度为21<\/li>
使用在线工具去混淆关键JS代码<\/li>
逐步分析每个验证条件<\/li>
通过逆向计算确定每个位置的字符<\/li>
验证并组装完整flag<\/li>
检查flag格式和完整性<\/li>
<\/ol>
通过这种系统性的分析方法，可以有效解决类似的JS逆向混淆题目。<\/p>
HTML+JS逆向混淆混合分析教学文档<\/h1>

一、背景概述<\/h2> 本文分析的是一个典型的HTML+JS逆向混淆混合题目，主要考察对JavaScript混淆代码的分析能力和密码学知识的应用。题目通过一个HTML页面实现密码验证功能，使用多层JavaScript混淆技术保护关键逻辑。<\/p>

二、关键代码分析<\/h2>

三、密码验证逻辑分解<\/h2>

1. 字符位置验证<\/h3>

2. MD5验证部分<\/h3>

3. 复杂逻辑验证<\/h3>

一、背景概述<\/h2>
本文分析的是一个典型的HTML+JS逆向混淆混合题目，主要考察对JavaScript混淆代码的分析能力和密码学知识的应用。题目通过一个HTML页面实现密码验证功能，使用多层JavaScript混淆技术保护关键逻辑。<\/p>
