js破解之Incapsula cdn
网址: https://booking.volotea.com
上抓包,3次请求才返回正常的数据。本文的目的是分析图中这个参数值。
从上一条数据看到js代码
简单分析下eval函数 拿到混淆的代码
代码量不大,1000多行,没有通过AST反混淆,直接调试。中间会有死循环代码导致浏览器崩溃,直接删掉即可。
慢慢跟即可找到生成的函数 rc4
最后整理下思路:
首先数组重组
// String-table rotation: the array passed in (_0x4f01, defined elsewhere in
// the script) is rotated left in place, so indices seen later in the script
// only resolve correctly after this has run.
// The hex-escaped property names in the original decode to 'push' and 'shift'.
(function(_0x37d3b6, _0x103c9e) {
  // Moves the head element to the tail `steps - 1` times; the pre-decrement
  // in the original `while (--n)` loop gives the same count.
  const rotateLeft = (steps) => {
    for (let left = steps - 1; left !== 0; left -= 1) {
      _0x37d3b6.push(_0x37d3b6.shift());
    }
  };
  // 0xe5 + 1 = 230, i.e. 229 (0xe5) rotations. The second argument
  // (_0x103c9e) is accepted but not read in this excerpt.
  rotateLeft(0xe5 + 1);
}(_0x4f01, 0xe5));
解密代码
/**
 * String decoder: Base64-decodes the input, reinterprets the resulting bytes
 * as UTF-8 text, then runs RC4 over that text with the supplied key.
 *
 * RC4 is symmetric, so the same routine both encrypts and decrypts. It is
 * used here only to hide string literals; the key is passed in as a plain
 * argument, so this gives obfuscation rather than confidentiality.
 *
 * @param {string} _0x56cad0 Base64 text whose decoded bytes are valid UTF-8.
 * @param {string} _0x426eb3 RC4 key (must be a non-empty string).
 * @returns {string} The RC4 output, one character per input character.
 * @throws {URIError} If the decoded bytes are not valid UTF-8.
 */
var _0xdfe4f5 = function(_0x56cad0, _0x426eb3) {
  // Base64 -> binary string -> "%xx" escapes -> UTF-8 decoded text.
  const rawBytes = atob(_0x56cad0);
  const rawLength = rawBytes.length;
  let percentEncoded = '';
  for (let pos = 0; pos < rawLength; pos++) {
    const hex = rawBytes.charCodeAt(pos).toString(16);
    percentEncoded += '%' + ('00' + hex).slice(-2);
  }
  const cipherText = decodeURIComponent(percentEncoded);

  // RC4 key scheduling: start from the identity permutation of 0..255 and
  // shuffle it under control of the key bytes.
  const state = [];
  for (let k = 0; k < 256; k++) {
    state[k] = k;
  }
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + state[i] + _0x426eb3.charCodeAt(i % _0x426eb3.length)) % 256;
    [state[i], state[j]] = [state[j], state[i]];
  }

  // RC4 keystream generation: XOR each character code with the next
  // keystream byte.
  let i = 0;
  j = 0;
  let output = '';
  for (let pos = 0; pos < cipherText.length; pos++) {
    i = (i + 1) % 256;
    j = (j + state[i]) % 256;
    [state[i], state[j]] = [state[j], state[i]];
    const keystreamByte = state[(state[i] + state[j]) % 256];
    output += String.fromCharCode(cipherText.charCodeAt(pos) ^ keystreamByte);
  }
  return output;
};
js是动态的,所以通过自己的开发语言正则出代码中的数组下标和第二个参数 处理下atob即可用调试工具计算出正确的值
本文仅作为技术讨论与分享,严禁用于非法用途 Q:321481996