猿人学之js混淆动态cookie


题目

http://match.yuanrenxue.com/match/2

提取全部5页发布日热度的值,计算所有值的加和,并提交答案

抓包

chrome无痕模式通过抓包获取所有请求

Charles 抓包

第一个match/2不携带cookie并返回一串js代码

第二个 match/2 请求最先携带了 cookie 并返回 html 页面,而此前的响应头中并没有 Set-Cookie,说明 cookie 是在本地由 js 生成,而不是服务器下发给前端的;因此第一个 match/2 响应返回的 js 很可能就是生成 cookie 的代码

Cookie m=dd5572e825610043a17c791d1eadc601|1607590427000

第三个api/match/2携带cookie返回页面请求json数据

对于动态 cookie,可以先在 Charles 中重放请求确认可复现,再用 AutoResponse 把这段 js 替换成静态(去掉反调试)的版本来处理。要定位生成 cookie 的位置,可以 hook document.cookie 的 setter 并在其中断下,再追踪调用堆栈:

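// Trace where document.cookie is written.  The original hook defined a setter
// only, so after resuming the page could no longer read its own cookie (reads
// returned undefined) and the value being written was dropped.  This version
// records every written value, breaks, and forwards the write to the native
// accessor so the page keeps working.
//
// It deliberately does NOT call console.log: the page's script evals a payload
// that replaces console.log with an endless history.pushState loop before the
// cookie is written (M() runs inside V() just ahead of the assignment), so
// logging from inside the setter would hang the tab.  Inspect
// hookCookieSetter.writes or the `val` local at the breakpoint instead.
function hookCookieSetter(target) {
  // The native accessor lives on a prototype (Document.prototype in Chrome),
  // so walk the chain instead of looking at the instance only.
  let native;
  for (let obj = target; obj !== null && !native; obj = Object.getPrototypeOf(obj)) {
    native = Object.getOwnPropertyDescriptor(obj, 'cookie');
  }
  if (!Array.isArray(hookCookieSetter.writes)) {
    hookCookieSetter.writes = [];
  }
  const writes = hookCookieSetter.writes;
  Object.defineProperty(target, 'cookie', {
    configurable: true,
    get() {
      return native && native.get ? native.get.call(target) : undefined;
    },
    set(val) {
      writes.push(val);
      debugger; // the call stack here shows the generating function (W in the deobfuscated listing)
      if (native && native.set) {
        native.set.call(target, val);
      }
    },
  });
  return writes;
}
// Install immediately when run in a browser (DevTools console / snippet);
// a no-op under Node so the file can still be loaded there.
if (typeof document !== 'undefined') {
  hookCookieSetter(document);
}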

分析

ob-decrypt

git clone https://github.com/DingZaiHub/ob-decrypt.git  原js在source.js,解密后的js在code.js
node ob-decrypt.js

如果报错 TypeError: Cannot read property 'split' of undefined,在 ob-decrypt.js 处理数组节点的位置加上非空判断:

if (arrName == id.name && init.callee.object.value != null) {
  // Array node: the obfuscator's string table is one '|'-joined literal.
  // Split it into the lookup array and drop the declaration.  The null
  // guard is what avoids "Cannot read property 'split' of undefined" when
  // the literal is missing.
  console.log(typeof init.callee.object.value);
  arr = init.callee.object.value.split('|');
  pre_path.remove();
}

当搜索document的时候,恰好找到了存cookie的位置

// Where the cookie is written.  Every _0x2c1923 helper in this expression is
// a two-argument wrapper around `+` (see the "leyWl"/"sJtXw"/"BwYuN"
// definitions below), so it is just
//   "m" + _0x10cbb5() + "=" + _0x40ee99(ts) + "|" + ts + "; path=/"
// with _0x10cbb5 / _0x40ee99 / _0x476429 bound through the same table.
document["coo" + "kie"] = _0x2c1923["ley" + "Wl"](_0x2c1923["sJt" + "Xw"](_0x2c1923["sJt" + "Xw"](_0x2c1923["sJt" + "Xw"](_0x2c1923["BwY" + "uN"](_0x2c1923["BwY" + "uN"]("m", _0x2c1923["UET" + "ZQ"](_0x10cbb5)), "="), _0x2c1923["zel" + "pz"](_0x40ee99, _0x476429)), "|"), _0x476429), _0x2c1923["GYP" + "En"]);
// Reload so the next match/2 request carries the cookie and gets the real page.
location["rel" + "oad"]();

类似以上的套娃混淆a(b(c(d,e),f),g(h,i)),从表达式中间的逗号开始处理对应的函数

// Obfuscator "operator wrapper" helpers: each one is plain `+` hidden behind
// an opaque key (the key strings are split so a search for "leyWl" fails).
// The three are interchangeable; the cookie expression nests them only to
// disguise ordinary string concatenation.
_0x2c1923["ley" + "Wl"] = (lhs, rhs) => lhs + rhs;
_0x2c1923["sJt" + "Xw"] = (lhs, rhs) => lhs + rhs;
_0x2c1923["BwY" + "uN"] = (lhs, rhs) => lhs + rhs;

比如_0x2c1923["BwY" + "uN"]("m", _0x2c1923["UET" + "ZQ"](_0x10cbb5))改成"m"+ _0x2c1923["UET" + "ZQ"](_0x10cbb5),以此类推,以上套娃混淆改成了

cookie = "m"+ _0x10cbb5()+ "="+ _0x40ee99(_0x59d742)+ "|"+ _0x59d742+ "; p" + "ath" + "=/"

与抓到的 cookie 对比,"m" 与 "=" 之间应该是空字符串;不过 _0x10cbb5() 内部还是有可能通过 eval 执行其他操作(例如修改全局变量),需要确认它没有影响 cookie 的副作用:

// Called from the cookie expression as _0x10cbb5() with no arguments, so
// _0x5f13ed and _0x478af7 are undefined throughout.  Everything in here is
// obfuscator-generated anti-debugging / self-defending code; the author's
// conclusion (consistent with the captured cookie "m=<hash>|<ts>", empty
// between "m" and "=") is that it contributes nothing to the cookie.  The one
// lasting side effect is the eval of the qz payload below, which hijacks
// console.log.
function _0x10cbb5(_0x5f13ed, _0x478af7) {
// Local alias table: every entry just forwards to a _0x2c1923 helper.  No
// computation happens until the `if` further down.
var _0x676db2 = {};
_0x676db2["zmh" + "zz"] = _0x2c1923["kBz" + "Ka"];
_0x676db2["Gbk" + "oY"] = function (_0x1081d2, _0x4d51d1) {
return _0x2c1923["Dkz" + "qh"](_0x1081d2, _0x4d51d1);
};
_0x676db2["pvW" + "KS"] = _0x2c1923["MNm" + "hh"];
_0x676db2["YYF" + "qH"] = _0x2c1923["Mty" + "HN"];
_0x676db2["Sfa" + "kl"] = _0x2c1923["ecZ" + "Qk"];
_0x676db2["gUm" + "VG"] = function (_0x3f6b12, _0x2d619d) {
return _0x2c1923["BhS" + "oX"](_0x3f6b12, _0x2d619d);
};
_0x676db2["OPB" + "pQ"] = function (_0x3ff6e7, _0x3bef5f) {
return _0x2c1923["JAx" + "OR"](_0x3ff6e7, _0x3bef5f);
};
_0x676db2["BjH" + "Sb"] = _0x2c1923["Klw" + "fb"];
_0x676db2["PTQ" + "Ui"] = function (_0x1b44b4) {
return _0x2c1923["fha" + "Jp"](_0x1b44b4);
};
_0x676db2["kTD" + "PO"] = function (_0xfb99e4, _0x40cf5b) {
return _0x2c1923["BhS" + "oX"](_0xfb99e4, _0x40cf5b);
};
_0x676db2["YEP" + "pq"] = function (_0x1bda72, _0x47daba) {
return _0x2c1923["qgy" + "zh"](_0x1bda72, _0x47daba);
};
_0x676db2["KLK" + "fL"] = function (_0x416106, _0x55357b) {
return _0x2c1923["JAx" + "OR"](_0x416106, _0x55357b);
};
_0x676db2["ISp" + "bk"] = _0x2c1923["mcW" + "Jc"];
_0x676db2["tWb" + "gg"] = _0x2c1923["OBQ" + "iX"];
_0x676db2["lKc" + "bf"] = _0x2c1923["puu" + "fA"];
_0x676db2["XMC" + "Ur"] = _0x2c1923["cte" + "DM"];
_0x676db2["dfK" + "OC"] = _0x2c1923["Jng" + "FV"];
_0x676db2["egT" + "Fi"] = function (_0x21631f, _0x4bfcdf) {
return _0x2c1923["mdY" + "ma"](_0x21631f, _0x4bfcdf);
};
_0x676db2["UpF" + "Fn"] = _0x2c1923["RoK" + "bA"];
_0x676db2["Xqa" + "uV"] = function (_0x51abee, _0x5ab76f) {
return _0x2c1923["UfH" + "Ee"](_0x51abee, _0x5ab76f);
};
_0x676db2["iiW" + "bz"] = _0x2c1923["wZN" + "LZ"];
_0x676db2["Teo" + "Zg"] = _0x2c1923["fND" + "Sz"];
_0x676db2["gZh" + "Wd"] = function (_0x10719b, _0x56e20a) {
return _0x2c1923["pkn" + "vA"](_0x10719b, _0x56e20a);
};
_0x676db2["YmC" + "AF"] = _0x2c1923["uLh" + "Sz"];
_0x676db2["NJQ" + "wb"] = function (_0x38e4cb) {
return _0x2c1923["fha" + "Jp"](_0x38e4cb);
};
_0x676db2["IxU" + "UW"] = _0x2c1923["xwp" + "cD"];
_0x676db2["VaY" + "Gr"] = function (_0x1b36ae, _0x3c24be, _0x3d336b) {
return _0x2c1923["XGh" + "hn"](_0x1b36ae, _0x3c24be, _0x3d336b);
};
_0x676db2["qKV" + "mx"] = _0x2c1923["DfB" + "tS"];
_0x676db2["smj" + "kw"] = _0x2c1923["JsK" + "bk"];
_0x676db2["cqw" + "Qh"] = function (_0x50db75) {
return _0x2c1923["fha" + "Jp"](_0x50db75);
};
_0x676db2["MRA" + "zw"] = function (_0x16b21f, _0x33fd9f, _0x4b394b) {
return _0x2c1923["Yxf" + "pg"](_0x16b21f, _0x33fd9f, _0x4b394b);
};
_0x676db2["VLC" + "OW"] = function (_0x5bcbd5, _0x2d0cee, _0x3e387d) {
return _0x2c1923["KWs" + "dR"](_0x5bcbd5, _0x2d0cee, _0x3e387d);
};
_0x676db2["SYr" + "hB"] = function (_0x3c4717, _0x496a53) {
return _0x2c1923["Gqh" + "Ur"](_0x3c4717, _0x496a53);
};
// Opaque predicate: a constant compared with itself.  Which arm runs depends
// on whether "JAxOR" is == or !=; the author's tracing shows the first arm
// is the one that executes.
if (_0x2c1923["JAx" + "OR"](_0x2c1923["COQ" + "Wa"], _0x2c1923["COQ" + "Wa"])) {
// _0x35cbe4(this, fn) is presumably the obfuscator's call-once wrapper (its
// shape appears in the dead `else` arm at the bottom of this function); the
// closure it returns is invoked once via "fhaJp" right after.
var _0x6ee9d8 = _0x2c1923["rfJ" + "MM"](_0x35cbe4, this, function () {
var _0x2f0878 = {};
_0x2f0878["nQU" + "fV"] = _0x676db2["zmh" + "zz"];
_0x2f0878["zPo" + "jC"] = function (_0x2f55d1, _0x100e5a) {
return _0x676db2["Gbk" + "oY"](_0x2f55d1, _0x100e5a);
};
_0x2f0878["jQt" + "lW"] = _0x676db2["pvW" + "KS"];
_0x2f0878["ZTr" + "YJ"] = _0x676db2["YYF" + "qH"];
_0x2f0878["ngu" + "BX"] = _0x676db2["Sfa" + "kl"];
_0x2f0878["zVE" + "nH"] = function (_0x52ff30, _0x37e1a1) {
return _0x676db2["gUm" + "VG"](_0x52ff30, _0x37e1a1);
};
if (_0x676db2["OPB" + "pQ"](_0x676db2["BjH" + "Sb"], _0x676db2["BjH" + "Sb"])) {
// Self-defending check.  One arm is an endless console.log + debugger
// trap; the other builds a function from a string (Function via
// .constructor), replaces a RegExp's pattern with .compile() and tests it
// against the wrapper's own source text.  Its result is discarded, so it
// has no effect on the cookie.
var _0x1cf61c = function () {
if (_0x2f0878["zPo" + "jC"](_0x2f0878["jQt" + "lW"], _0x2f0878["jQt" + "lW"])) {
while (1) {
console["log"](_0x2f0878["nQU" + "fV"]);
debugger;
}
} else {
var _0x27e4dc = _0x1cf61c["con" + "str" + "uct" + "or"](_0x2f0878["ZTr" + "YJ"])()["com" + "pil" + "e"](_0x2f0878["ngu" + "BX"]);
return !_0x27e4dc["tes" + "t"](_0x6ee9d8);
}
};
return _0x676db2["PTQ" + "Ui"](_0x1cf61c);
} else {
// Dead arm: tVQxMC and result are never defined in this scope.
tVQxMC["zVE" + "nH"](result, "0");
}
});
// Runs the closure once.  This is the call the author observed hanging
// (the debugger loop or the regex self-test, depending on the arm taken).
_0x2c1923["fha" + "Jp"](_0x6ee9d8);
// Second self-defending IIFE of the same shape.  Several names referenced
// below (QaQCGf, itNjFl, debuggerProtection, ret, $dbsm_0x598564, test) are
// never defined: those arms are obfuscator dead-code injection and would
// throw if reached.
(function () {
var _0x389680 = {};
_0x389680["AOX" + "GX"] = _0x676db2["YYF" + "qH"];
_0x389680["VzQ" + "tD"] = _0x676db2["Sfa" + "kl"];
_0x389680["Iet" + "SJ"] = function (_0x35b105, _0x49691e) {
return _0x676db2["kTD" + "PO"](_0x35b105, _0x49691e);
};
_0x389680["vne" + "Zn"] = function (_0x4645ab, _0x1fe59e) {
return _0x676db2["YEP" + "pq"](_0x4645ab, _0x1fe59e);
};
_0x389680["aAC" + "QE"] = function (_0x39bf1f, _0x1e7a33) {
return _0x676db2["KLK" + "fL"](_0x39bf1f, _0x1e7a33);
};
_0x389680["wIa" + "VK"] = _0x676db2["ISp" + "bk"];
_0x389680["cIl" + "vA"] = _0x676db2["tWb" + "gg"];
_0x389680["hJS" + "Up"] = _0x676db2["lKc" + "bf"];
_0x389680["Xie" + "LS"] = _0x676db2["XMC" + "Ur"];
_0x389680["fxT" + "ZL"] = function (_0x345d86, _0x51eceb) {
return _0x676db2["YEP" + "pq"](_0x345d86, _0x51eceb);
};
_0x389680["wtX" + "zc"] = _0x676db2["dfK" + "OC"];
_0x389680["zEr" + "ej"] = function (_0x210ca1, _0x5abe82) {
return _0x676db2["egT" + "Fi"](_0x210ca1, _0x5abe82);
};
_0x389680["HEu" + "mW"] = _0x676db2["UpF" + "Fn"];
_0x389680["Yma" + "PV"] = function (_0x4285c1, _0x268f50) {
return _0x676db2["Xqa" + "uV"](_0x4285c1, _0x268f50);
};
_0x389680["xhS" + "Ho"] = _0x676db2["iiW" + "bz"];
_0x389680["vWk" + "MG"] = _0x676db2["Teo" + "Zg"];
_0x389680["kmc" + "dm"] = function (_0x5ba947, _0x533ea6) {
return _0x676db2["YEP" + "pq"](_0x5ba947, _0x533ea6);
};
_0x389680["UUP" + "CN"] = function (_0x575e79, _0x497b6c) {
return _0x676db2["gZh" + "Wd"](_0x575e79, _0x497b6c);
};
_0x389680["tAf" + "jG"] = _0x676db2["YmC" + "AF"];
_0x389680["awM" + "Du"] = function (_0x12d63a) {
return _0x676db2["NJQ" + "wb"](_0x12d63a);
};
if (_0x676db2["gZh" + "Wd"](_0x676db2["IxU" + "UW"], _0x676db2["IxU" + "UW"])) {
var _0x46c9da = test["con" + "str" + "uct" + "or"](QaQCGf["AOX" + "GX"])()["com" + "pil" + "e"](QaQCGf["VzQ" + "tD"]);
return !_0x46c9da["tes" + "t"](_0xb4a243);
} else {
// Another wrapped closure (via "XGhhn"); the inner RegExp tests look like
// the obfuscator's "debugger protection" that checks its own source.
_0x676db2["VaY" + "Gr"](_0x3be8cd, this, function () {
var _0x3b4193 = {};
_0x3b4193["IzZ" + "kU"] = function (_0x35a2d1, _0x5103da) {
return _0x389680["Iet" + "SJ"](_0x35a2d1, _0x5103da);
};
_0x3b4193["pIC" + "da"] = function (_0x2041c6, _0x55cf4b) {
return _0x389680["Iet" + "SJ"](_0x2041c6, _0x55cf4b);
};
_0x3b4193["iAb" + "GP"] = function (_0x93c757, _0x5c5049) {
return _0x389680["vne" + "Zn"](_0x93c757, _0x5c5049);
};
if (_0x389680["aAC" + "QE"](_0x389680["wIa" + "VK"], _0x389680["cIl" + "vA"])) {
return _0x3b4193["IzZ" + "kU"](_0x539398, _0x3b4193["pIC" + "da"](_0x34aebb, _0x5f13ed));
} else {
var _0x372fe3 = new RegExp(_0x389680["hJS" + "Up"]);
var _0x21e399 = new RegExp(_0x389680["Xie" + "LS"], "i");
var _0x36d1ec = _0x389680["fxT" + "ZL"]($dbsm_0x598564, _0x389680["wtX" + "zc"]);
if (!_0x372fe3["tes" + "t"](_0x389680["zEr" + "ej"](_0x36d1ec, _0x389680["HEu" + "mW"])) || !_0x21e399["tes" + "t"](_0x389680["Yma" + "PV"](_0x36d1ec, _0x389680["xhS" + "Ho"]))) {
if (_0x389680["aAC" + "QE"](_0x389680["vWk" + "MG"], _0x389680["vWk" + "MG"])) {
_0x389680["kmc" + "dm"](_0x36d1ec, "0");
} else {
if (ret) {
return debuggerProtection;
} else {
itNjFl["iAb" + "GP"](debuggerProtection, 0);
}
}
} else {
if (_0x389680["UUP" + "CN"](_0x389680["tAf" + "jG"], _0x389680["tAf" + "jG"])) {
var _0x54f102,
_0x2d235e,
_0x4141b3,
_0x15cf75,
_0x3979a1,
_0x1b2486 = 0,
_0x32b74e = -0,
_0x13f848 = -0,
_0x117ded = 0;
} else {
_0x389680["awM" + "Du"]($dbsm_0x598564);
}
}
}
})();
}
})();
_0x2c1923["fha" + "Jp"](_0x2e765b);
// qz is a script stored as char codes (assigned without var, i.e. global).
// Decoded it reads:
//   console = new Object()
//   console.log = function (s) { while (1){ for(i=0;i<1100000;i++){ history.pushState(0,0,i) } } }
//   console.toString = '[object Object]'
//   console.log.toString = 'ƒ toString() { [native code] }'
// Any later console.log call then spins forever flooding the history stack,
// and the toString overrides make the replacement look native.  This is an
// anti-DevTools trap, not part of the cookie algorithm.
qz = [10, 99, 111, 110, 115, 111, 108, 101, 32, 61, 32, 110, 101, 119, 32, 79, 98, 106, 101, 99, 116, 40, 41, 10, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 32, 61, 32, 102, 117, 110, 99, 116, 105, 111, 110, 32, 40, 115, 41, 32, 123, 10, 32, 32, 32, 32, 119, 104, 105, 108, 101, 32, 40, 49, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 102, 111, 114, 40, 105, 61, 48, 59, 105, 60, 49, 49, 48, 48, 48, 48, 48, 59, 105, 43, 43, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 104, 105, 115, 116, 111, 114, 121, 46, 112, 117, 115, 104, 83, 116, 97, 116, 101, 40, 48, 44, 48, 44, 105, 41, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 125, 10, 32, 32, 32, 32, 125, 10, 10, 125, 10, 99, 111, 110, 115, 111, 108, 101, 46, 116, 111, 83, 116, 114, 105, 110, 103, 32, 61, 32, 39, 91, 111, 98, 106, 101, 99, 116, 32, 79, 98, 106, 101, 99, 116, 93, 39, 10, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 46, 116, 111, 83, 116, 114, 105, 110, 103, 32, 61, 32, 39, 402, 32, 116, 111, 83, 116, 114, 105, 110, 103, 40, 41, 32, 123, 32, 91, 110, 97, 116, 105, 118, 101, 32, 99, 111, 100, 101, 93, 32, 125, 39, 10];
// eval(_0x479444(qz)); _0x479444 is presumably the char-code-to-string
// decoder (the deobfuscated listing names it L).
_0x2c1923["Gqh" + "Ur"](eval, _0x2c1923["Gqh" + "Ur"](_0x479444, qz));
try {
if (_0x2c1923["pkn" + "vA"](_0x2c1923["vib" + "ZR"], _0x2c1923["vib" + "ZR"])) {
// Dead arm: qagLji is never defined here.
return function (_0x19e254) { }["con" + "str" + "uct" + "or"](qagLji["qKV" + "mx"])["app" + "ly"](qagLji["smj" + "kw"]);
} else {
// `global` is not defined in a browser, so this throws ReferenceError and
// control goes to the catch below.
if (global) {
if (_0x2c1923["sMz" + "OI"](_0x2c1923["Czp" + "mr"], _0x2c1923["jXI" + "QF"])) {
return _0x2c1923["ltM" + "vm"](_0x2c1923["Fut" + "Nn"](_0x5f13ed, _0x52cae0), _0x2c1923["ytp" + "Jc"](_0x5f13ed, _0x2c1923["cnC" + "ig"](32, _0x52cae0)));
} else {
console["log"](_0x2c1923["kBz" + "Ka"]);
}
} else {
if (_0x2c1923["osL" + "ze"](_0x2c1923["sPt" + "gu"], _0x2c1923["Zkz" + "LF"])) {
var _0x176277,
_0x1aa798 = "",
_0x14ae63 = _0x2c1923["tui" + "zA"](32, _0x5f13ed["len" + "gth"]);
for (_0x176277 = 0; _0x2c1923["fST" + "ws"](_0x176277, _0x14ae63); _0x176277 += 8) _0x1aa798 += String["fro" + "mCh" + "arC" + "ode"](_0x2c1923["mPE" + "nw"](_0x2c1923["YcE" + "yA"](_0x5f13ed[_0x2c1923["auH" + "KH"](_0x176277, 5)], _0x2c1923["uBC" + "tw"](_0x176277, 32)), 255));
return _0x1aa798;
} else {
while (1) {
if (_0x2c1923["xso" + "nc"](_0x2c1923["QAx" + "NH"], _0x2c1923["ZsR" + "Il"])) {
_0x676db2["cqw" + "Qh"](_0x10cbb5);
return _0x52cae0 ? _0x4d6ae5 ? _0x676db2["MRA" + "zw"](_0x1196c7, _0x52cae0, _0x5f13ed) : _0x676db2["VLC" + "OW"](y, _0x52cae0, _0x5f13ed) : _0x4d6ae5 ? _0x676db2["YEP" + "pq"](_0x5c4a33, _0x5f13ed) : _0x676db2["SYr" + "hB"](_0x1a412b, _0x5f13ed);
} else {
console["log"](_0x2c1923["kBz" + "Ka"]);
debugger;
}
}
}
}
}
} catch (_0x4cd00c) {
// Presumably returns navigator.vendorSub ("" in Chrome per the author's
// console check), which is why nothing appears between "m" and "=".
if (_0x2c1923["pkn" + "vA"](_0x2c1923["yKg" + "SK"], _0x2c1923["RJU" + "Xr"])) {
return navigator["ven" + "dor" + "Sub"];
} else {
PJTCmw["fha" + "Jp"]($dbsm_0x598564);
}
}
} else {
// Dead arm: the call-once wrapper template (fn, context and firstCall are
// not defined in this scope).
var _0x316c04 = firstCall ? function () {
if (fn) {
var _0xc8cc17 = fn["app" + "ly"](context, arguments);
fn = null;
return _0xc8cc17;
}
} : function () { };
firstCall = ![];
return _0x316c04;
}
}

通过分析 _0x10cbb5 函数逻辑:首先定义对象 _0x676db2,并在其中定义一组转发到 _0x2c1923 的函数。在函数开头加上 debugger 断点调试,发现进入 _0x2c1923["fha" + "Jp"](_0x6ee9d8) 时卡死,可能是触发了其中的 while(1){debugger} 死循环、自检正则的回溯,或者定时器循环调用。

// Opaque call helper: invokes its argument with no arguments and hands back
// the result.  _0x2c1923["fha"+"Jp"](f) is simply f().
_0x2c1923["fha" + "Jp"] = (callee) => callee();

所以是在调用 _0x6ee9d8() 时卡死。在该方法中加入 debugger 并重新调用 _0x10cbb5(),发现进入 return _0x676db2["PTQ" + "Ui"](_0x1cf61c) 后卡死;由于 _0x676db2["PTQ" + "Ui"](_0x1cf61c) 即 _0x2c1923["fha" + "Jp"](_0x1cf61c),也就是 _0x1cf61c(),于是在 _0x1cf61c 方法中加上 debugger 重新跟踪

image-20210906204936794

由于上面的 if 表达式返回 false,所以总是会进入 return !_0x27e4dc["tes" + "t"](_0x6ee9d8);_0x1cf61c 函数不接受参数,这段逻辑对 cookie 加密没有任何影响:未传参、未改变全局变量、无返回。同理分析 _0x2c1923["fha" + "Jp"](_0x2e765b); 也是未传参、未改变全局变量、无返回。唯一出现 eval 的位置是 _0x2c1923["Gqh" + "Ur"](eval, _0x2c1923["Gqh" + "Ur"](_0x479444, qz));,即 eval(_0x479444(qz)):qz 是一段脚本的字符码,解码后是把 console.log 替换成 history.pushState 死循环的反调试代码(见下文对 L(qz) 的分析),同样不影响 cookie。所以 _0x10cbb5() 即返回空。

接下来分析 cookie = "m"+ _0x10cbb5()+ "="+ _0x40ee99(_0x59d742)+ "|"+ _0x59d742+ "; p" + "ath" + "=/" 中的 _0x40ee99(_0x59d742) 与 _0x59d742。根据抓包结果 m=dd5572e825610043a17c791d1eadc601|1607590427000,_0x59d742 对应竖线后面的部分。_0x59d742 在 function _0x94ebae(_0x59d742, _0x426e6a) 中只是形参,没有找到定义,只能查找该方法的调用位置:_0x2c1923["duF" + "Bq"](_0x94ebae, _0x2c1923["gvf" + "Ex"](_0x4bd99c)),即 _0x94ebae(_0x4bd99c()),而 _0x4bd99c 函数中返回了 Date["par" + "se"](new Date()),所以 _0x59d742 为时间戳(注意 Date.parse(new Date()) 会先把日期转成字符串再解析,毫秒位被截成 000,与抓包结果一致)。

// First argument is the timestamp; the others are never passed (undefined).
// Produces the hash half of the cookie: it is called from the cookie
// expression as _0x40ee99(ts), so with _0x29817b and _0x399d9b both undefined
// the ternary below collapses to _0x2c1923["yqw"+"db"](_0x1a412b, _0x37e3fa),
// i.e. _0x1a412b(ts).  _0x2c1923["vry"+"dI"](_0x10cbb5) runs first purely for
// its anti-debug side effects; its result is discarded.
function _0x40ee99(_0x37e3fa, _0x29817b, _0x399d9b) {
// Opaque predicate; per the author's analysis the first arm is taken.
if (_0x2c1923["Xig" + "eA"](_0x2c1923["Ezx" + "AN"], _0x2c1923["nav" + "HD"])) {
_0x2c1923["vry" + "dI"](_0x10cbb5);
return _0x29817b ? _0x399d9b ? _0x2c1923["OXT" + "ft"](_0x1196c7, _0x29817b, _0x37e3fa) : _0x2c1923["wIK" + "US"](y, _0x29817b, _0x37e3fa) : _0x399d9b ? _0x2c1923["jJy" + "be"](_0x5c4a33, _0x37e3fa) : _0x2c1923["yqw" + "db"](_0x1a412b, _0x37e3fa);
} else {
// Debugger-trap arm: `global` is undefined in a browser (ReferenceError),
// and the fallback is an endless console.log + debugger loop.
if (global) {
console["log"](_0x2c1923["kBz" + "Ka"]);
} else {
while (1) {
console["log"](_0x2c1923["kBz" + "Ka"]);
debugger;
}
}
}
}

通过分析这个大三元表达式:调用时只传了第一个参数,_0x29817b 和 _0x399d9b 都是 undefined,所以结果是 _0x2c1923["yqw" + "db"](_0x1a412b, _0x37e3fa),即 _0x1a412b(_0x37e3fa)。继续分析扣取 _0x1a412b 函数(即 cookie 中 | 前面那段 32 位十六进制串的计算),过程省略。

// Current epoch time in milliseconds, truncated to whole seconds: Date.parse()
// stringifies the Date (which has no millisecond field) before parsing it
// back, hence the trailing "000" in the captured cookie.  Both parameters are
// unused.
function _0x59d742(_0x53a223, _0xc9f38e) {
  const now = new Date();
  return Date.parse(now.toString());
}
// Builds the cookie string "m<prefix>=<hash>|<ts>; path=/" where prefix is
// whatever _0x10cbb5() returns (empty in the captured cookie) and hash is
// _0x1a412b(ts).  _0x37e3fa is the timestamp; _0x281a82 is unused.
function _0x83032f(_0x37e3fa, _0x281a82) {
  const prefix = _0x10cbb5();
  const digest = _0x1a412b(_0x37e3fa);
  return `m${prefix}=${digest}|${_0x37e3fa}; path=/`;
}
// Entry point for execjs: generate a fresh timestamp and the matching cookie.
function get_m_value() {
  const timestamp = _0x59d742();
  return _0x83032f(timestamp);
}

ob混淆专解测试版V0.1

使用ob混淆专解测试版V0.1反混淆第一个match/2返回的js代码去掉script标签

ob反混淆

将解析完的js放到notepad++中进行js format,查找eval,setInterval,document等函数或者cookie等关键字符串。

// Y is the timestamp; Z and a0 are never passed by W, so this always falls
// through to U(Y).  M() is called first purely for its side effects
// (anti-debug / console hijack); its return value is ignored.
function V(Y, Z, a0) {
  M();
  if (Z) {
    return a0 ? H(Z, Y) : y(Z, Y);
  }
  return a0 ? T(Y) : U(Y);
}
// Y is the X() timestamp; Z is unused.  Writes the "m" cookie and reloads so
// the next match/2 request carries it (the server then returns the real page,
// whose XHR fetches the JSON).  Note M() is evaluated before V(Y) here, and
// V(Y) calls M() again.
function W(Y, Z) {
  const prefix = M();
  const digest = V(Y);
  document.cookie = `m${prefix}=${digest}|${Y}; path=/`;
  location.reload();
}
// Current epoch time in milliseconds truncated to whole seconds: Date.parse()
// stringifies the Date (no millisecond field) before parsing it back, hence
// the trailing "000" in the captured cookie.  Y and Z are unused.
function X(Y, Z) {
  const now = new Date();
  return Date.parse(now.toString());
}
// Entry point: runs as soon as the first match/2 response's script executes,
// generating the cookie and reloading the page.
W(X());

查看W和V中的M(),都没有传参数

// M() is called with no arguments from V() (and, per the author, from a
// setInterval(M(), 500) in the original); Y and Z are always undefined.  It
// contains only anti-debugging code: a self-defending regex check, the
// console.log hijack payload (qz) and a debugger trap.  Per the author's
// console check it returns navigator["vendorSub"] ("" in Chrome) through the
// catch, so the cookie gets an empty prefix.
function M(Y, Z) {
// Only defines a closure here; no value is updated.  B(this, fn) is
// presumably the obfuscator's call-once wrapper.
var a2 = B(this, function () {
// a5.JLTiy is used as the body of a generated function; a5.uynWF is a
// nested-quantifier regex that is run against this closure's own source text
// (the obfuscator's self-defending check).  On beautified / re-indented
// source that pattern can backtrack for a very long time.
var a5 = {
"JLTiy": "return /\" + this + \"/",
"uynWF": "^([^ ]+( +[^ ]+)+)+[^ ]}"
};

// a7.constructor is Function: the generated function returns a RegExp
// literal, whose pattern is then replaced via .compile() and tested against
// a2's source.  The boolean result is never used.
var a7 = function () {
var a8 = a7["constructor"](a5["JLTiy"])()["compile"](a5["uynWF"]);
return !a8["test"](a2);
};

return a7();
});
// No arguments, no globals changed, return value unused.
a2();
// Likewise: no arguments, no globals changed, return value unused.
K();
// qz is a script stored as char codes (assigned without var, i.e. global).
// Decoded via L(qz) it reads:
//   console = new Object()
//   console.log = function (s) { while (1){ for(i=0;i<1100000;i++){ history.pushState(0,0,i) } } }
//   console.toString = '[object Object]'
//   console.log.toString = 'ƒ toString() { [native code] }'
qz = [10, 99, 111, 110, 115, 111, 108, 101, 32, 61, 32, 110, 101, 119, 32, 79, 98, 106, 101, 99, 116, 40, 41, 10, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 32, 61, 32, 102, 117, 110, 99, 116, 105, 111, 110, 32, 40, 115, 41, 32, 123, 10, 32, 32, 32, 32, 119, 104, 105, 108, 101, 32, 40, 49, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 102, 111, 114, 40, 105, 61, 48, 59, 105, 60, 49, 49, 48, 48, 48, 48, 48, 59, 105, 43, 43, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 104, 105, 115, 116, 111, 114, 121, 46, 112, 117, 115, 104, 83, 116, 97, 116, 101, 40, 48, 44, 48, 44, 105, 41, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 125, 10, 32, 32, 32, 32, 125, 10, 10, 125, 10, 99, 111, 110, 115, 111, 108, 101, 46, 116, 111, 83, 116, 114, 105, 110, 103, 32, 61, 32, 39, 91, 111, 98, 106, 101, 99, 116, 32, 79, 98, 106, 101, 99, 116, 93, 39, 10, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 46, 116, 111, 83, 116, 114, 105, 110, 103, 32, 61, 32, 39, 402, 32, 116, 111, 83, 116, 114, 105, 110, 103, 40, 41, 32, 123, 32, 91, 110, 97, 116, 105, 118, 101, 32, 99, 111, 100, 101, 93, 32, 125, 39, 10];
// Evaluating it replaces console.log with an endless history.pushState loop
// (anti-DevTools trap) and fakes toString so it looks native.  No effect on
// the cookie.
eval(L(qz));

// `global` is undefined in a browser: the if throws ReferenceError and the
// catch returns navigator["vendorSub"].  Under Node `global` exists, so the
// hijacked console.log runs instead; its `history` reference is undefined
// there, which presumably ends in the same catch.  The logged string is
// "人生苦短,何必python?".
try {
if (global) {
console["log"]("\u4EBA\u751F\u82E6\u77ED\uFF0C\u4F55\u5FC5python\uFF1F");
} else {
while (1) {
console["log"]("\u4EBA\u751F\u82E6\u77ED\uFF0C\u4F55\u5FC5python\uFF1F");
debugger;
}
}
} catch (a5) {
return navigator["vendorSub"];
}
}

通过 WT-JS 查看 L(qz):L 只是把字符码数组还原成字符串,解码出来的是一段反调试脚本——把 console.log 替换成 history.pushState 的死循环,并伪装 console.toString / console.log.toString 让它看起来像原生函数——对 cookie 没有任何影响

// Decodes an array of UTF-16 code units into a string, one String.fromCharCode
// per element.  Used to turn the qz payload back into source for eval; Z is
// unused.
function L(Y, Z) {
  const chars = [];
  for (let i = 0; i < Y.length; i++) {
    chars.push(String.fromCharCode(Y[i]));
  }
  return chars.join("");
}

L函数

navigator["vendorSub"] 放到 console 中返回 "",得出结论:M() 不返回或者返回 "",也没有修改任何变量和参数。于是做如下精简:去除无用的首行 (function $c(k) { 和尾行 })();;去除最先执行的 W(X());;去除 W 内的 location["reload"]();,并将 document["cookie"] = 改为 return ;去除无用的 setInterval(M(), 500);;去除 W 的无用参数 Z;M() 结果为空,也可以一并去掉;删除下面这段无返回值的 js,否则在 node 里执行会报 test 未定义:

// Self-defending check, no return value used.  B(this, fn) is presumably the
// obfuscator's call-once wrapper.  This is the piece removed from 2.js
// because it fails outside the browser.
var a2 = B(this, function () {
// JLTiy becomes the body of a generated function; uynWF is a nested-quantifier
// regex that is tested against this closure's own source text.  Beautified /
// re-indented source can make that match backtrack for a very long time.
var a5 = {
"JLTiy": "return /\" + this + \"/",
"uynWF": "^([^ ]+( +[^ ]+)+)+[^ ]}"
};

// a7.constructor is Function: the generated function returns a RegExp
// literal, whose pattern is replaced via .compile() and then run on a2.
var a7 = function () {
var a8 = a7["constructor"](a5["JLTiy"])()["compile"](a5["uynWF"]);
return !a8["test"](a2);
};

return a7();
});
// No arguments, no globals changed, return value unused.
a2();

新增 var navigator = {};(M() 的 catch 分支会读取 navigator["vendorSub"],node 里没有 navigator 对象),然后用鬼鬼调试工具执行 W(X()),核心 js 如下,保存为 2.js

var navigator = {};
// Stripped-down M(): the self-defending regex closure has been removed (it
// fails under Node).  What is left is anti-debugging only: K(), the
// console.log hijack payload (qz) and a debugger trap.  Called from V() with
// no arguments; the return value is ignored there.
function M(Y, Z) {

// No arguments, no globals changed, return value unused.
K();
// qz is a script stored as char codes (assigned without var, i.e. global).
// Decoded via L(qz) it reads:
//   console = new Object()
//   console.log = function (s) { while (1){ for(i=0;i<1100000;i++){ history.pushState(0,0,i) } } }
//   console.toString = '[object Object]'
//   console.log.toString = 'ƒ toString() { [native code] }'
qz = [10, 99, 111, 110, 115, 111, 108, 101, 32, 61, 32, 110, 101, 119, 32, 79, 98, 106, 101, 99, 116, 40, 41, 10, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 32, 61, 32, 102, 117, 110, 99, 116, 105, 111, 110, 32, 40, 115, 41, 32, 123, 10, 32, 32, 32, 32, 119, 104, 105, 108, 101, 32, 40, 49, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 102, 111, 114, 40, 105, 61, 48, 59, 105, 60, 49, 49, 48, 48, 48, 48, 48, 59, 105, 43, 43, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 104, 105, 115, 116, 111, 114, 121, 46, 112, 117, 115, 104, 83, 116, 97, 116, 101, 40, 48, 44, 48, 44, 105, 41, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 125, 10, 32, 32, 32, 32, 125, 10, 10, 125, 10, 99, 111, 110, 115, 111, 108, 101, 46, 116, 111, 83, 116, 114, 105, 110, 103, 32, 61, 32, 39, 91, 111, 98, 106, 101, 99, 116, 32, 79, 98, 106, 101, 99, 116, 93, 39, 10, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 46, 116, 111, 83, 116, 114, 105, 110, 103, 32, 61, 32, 39, 402, 32, 116, 111, 83, 116, 114, 105, 110, 103, 40, 41, 32, 123, 32, 91, 110, 97, 116, 105, 118, 101, 32, 99, 111, 100, 101, 93, 32, 125, 39, 10];
// Evaluating it replaces console.log with an endless history.pushState loop
// (anti-DevTools trap).  Harmless to the cookie, but note it clobbers the
// global console for the rest of the execjs context.
eval(L(qz));

// `global` is undefined in a browser: the if throws ReferenceError and the
// catch returns navigator["vendorSub"].  Under Node `global` exists, so the
// hijacked console.log runs instead; its `history` reference is undefined
// there, which presumably ends in the same catch (undefined from the stub
// navigator above).  The logged string is "人生苦短,何必python?".
try {
if (global) {
console["log"]("\u4EBA\u751F\u82E6\u77ED\uFF0C\u4F55\u5FC5python\uFF1F");
} else {
while (1) {
console["log"]("\u4EBA\u751F\u82E6\u77ED\uFF0C\u4F55\u5FC5python\uFF1F");
debugger;
}
}
} catch (a5) {
return navigator["vendorSub"];
}
}
// Y is the timestamp; Z and a0 are never passed by W, so this always falls
// through to U(Y).  M() runs first purely for its side effects; its return
// value is ignored.
function V(Y, Z, a0) {
  M();
  if (Z) {
    return a0 ? H(Z, Y) : y(Z, Y);
  }
  return a0 ? T(Y) : U(Y);
}
// Y is the X() timestamp.  Returns the Cookie header value "m=<hash>|<ts>"
// (the M() prefix and the "; path=/" attribute of the browser version are
// dropped here; the scraper sends this string verbatim as the Cookie header).
function W(Y) {
  const digest = V(Y);
  return `m=${digest}|${Y}`;
}

// Current epoch time in milliseconds truncated to whole seconds (Date.parse
// round-trips through the Date's string form, which carries no milliseconds).
// Y and Z are unused.
function X(Y, Z) {
  const now = new Date();
  return Date.parse(now.toString());
}

// Entry point called from Python via execjs: fresh timestamp in, cookie
// value out.  A new value is produced on every call.
function request() {
  const timestamp = X();
  return W(timestamp);
}

爬虫

import functools
import time

import execjs
import requests

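def get_page(page_num, param):
    """Fetch one page of the challenge API and return its decoded JSON.

    page_num: 1-based page index (the challenge has 5 pages).
    param:    the full Cookie header value, i.e. "m=<hash>|<timestamp>" as
              produced by request() in the deobfuscated 2.js.

    Raises requests.HTTPError on a non-2xx status and requests.Timeout if the
    server stalls, instead of surfacing a confusing JSON decode error on an
    error page.
    """
    url = "http://match.yuanrenxue.com/api/match/2?page={}".format(page_num)
    headers = {
        'Host': 'match.yuanrenxue.com',
        # Reproduce the headers the browser's XHR carried in the capture.
        'Referer': 'http://match.yuanrenxue.com/match/2',
        'User-Agent': 'yuanrenxue.project',
        'X-Requested-With': 'XMLHttpRequest',
        'Cookie': param,
    }
    # Always set a timeout: without one a stalled connection (e.g. when the
    # server decides the cookie is invalid and never answers) hangs the run.
    response = requests.get(url=url, headers=headers, timeout=10)
    response.raise_for_status()
    return response.json()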
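@functools.lru_cache(maxsize=None)
def _load_cookie_js():
    """Read and compile 2.js once; every page reuses the same JS context."""
    with open(r'2.js', encoding='utf-8', mode='r') as f:
        return execjs.compile(f.read())


def calculate_m_value():
    """Return a fresh Cookie header value "m=<hash>|<timestamp>".

    Calls request() from the deobfuscated 2.js.  The value embeds the current
    time (second precision), and the original fetches a new one per page;
    whether the server rejects stale timestamps is not shown here, so keep
    regenerating it per request.

    The '丨' replacement is a leftover from a different challenge whose m value
    contains that CJK character; the separator here is ASCII '|' so it is a
    no-op, kept only so the output is unchanged.
    """
    psd = _load_cookie_js().call('request')
    psd = psd.replace('丨', '%E4%B8%A8')
    print('this request parameters is :', psd)
    return psd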

if __name__ == '__main__':
    # The answer is the sum of every item's value across the five pages; a
    # fresh cookie is generated for each page request, with a 1s pause between.
    total = 0
    for page_num in range(1, 6):
        res = get_page(page_num, calculate_m_value())
        values = [item['value'] for item in res['data']]
        print(values)
        total += sum(values)
        time.sleep(1)

    print('the answer is :', total)