【JavaScript 逆向】猿人学 web 第五题:乱码增强

最新推荐文章于 2024-09-29 10:06:23 发布
最新推荐文章于 2024-09-29 10:06:23 发布
阅读量2.9k 收藏 4
点赞数 1
分类专栏: JavaScript 逆向 文章标签: JavaScript 逆向
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/yy_rose/article/details/126622701
版权

案例目标        

网址:第五题 js 混淆 乱码增强 - 猿人学

本题目标:抓取全部 5 页直播间热度,计算前 5 名直播间热度的加和

常规 JavaScript 逆向思路

一般情况下,JavaScript 逆向分为三步:

  • 寻找入口:逆向在大部分情况下就是找一些加密参数到底是怎么来的,关键逻辑可能写在某个关键的方法或者隐藏在某个关键的变量里,一个网站可能加载了很多 JavaScript 文件,如何从这么多的 JavaScript 文件的代码行中找到关键的位置,很重要;
  • 调试分析:找到入口后,我们定位到某个参数可能是在某个方法中执行的了,那么里面的逻辑是怎么样的,调用了多少加密算法,经过了多少赋值变换,需要把整体思路整理清楚,以便于断点或反混淆工具等进行调试分析;
  • 模拟执行:经过调试分析后,差不多弄清了逻辑,就需要对加密过程进行逻辑复现,以拿到最后我们想要的数据

接下来开始正式进行案例分析:

寻找入口

F12 打开开发者人员工具,刷新网页进行抓包,在 Network 中可以看到数据接口为 5?m=xxx,响应预览中可以看到当前页面各视频的热度数据:

响应负载中有两个请求参数 m 和 f,值皆为一串数字,现在还不知道其具体含义:

本题提示:本页 cookie 有效期仅有 50 秒钟,所以 cookie 是动态变化的,其中肯定有加密变化的参数,查看 cookie 内容:

cookies = {
    "Hm_lvt_c99546cf032aaa5a679230de9a95c7db": "1661925145",
    "tk": "32908618934039056",
    "sessionid": "XXXXXXXXXX",
    "Hm_lvt_9bcbda9cbf86757998a2339a0437208e": "1661925158",
    "Hm_lpvt_9bcbda9cbf86757998a2339a0437208e": "1661925158",
    "Hm_lpvt_c99546cf032aaa5a679230de9a95c7db": "1661926425",
    "m": "ccf558ed48325553e5722eda1a6396a6",
    "RM4hZBv0dDon443M": "ZgkOG30tdlJwtFEATbMdoGlnULtE4JYL5Z/yt6IiNO141Ts+Awkzavph6S1BvG6Qx1L/AOBjNbcRht65iEvusilk0J5jNyY/YGewrhLXophJ2dkIvf4hEbv1iaCXv/bhq0NAJzeH8x3vmVVZklcPNuOjCbnm1C3A1hzn2M0aIUsQ3P0NROyB5l/iMcz271DCPiQeHcUkxQwn342efQU4OGNAe+SUNlFMOhUBlKC94tk="
}

经过观察对比,m 和 RM4hZBv0dDon443M 参数的值是在动态变化的,接下来就需要找到这两个参数的具体加密位置。

调试分析

接口处点击 Initiator, 跟栈进入 send:

点击 { } 格式化,send 处位于 jquery.min.js:formatted 文件的第 3801 行,在该行打断点调试分析,刷新网页会在该处断住: 

向下跟栈到虚拟机 VMXXXXX 中,格式化后跳转到了第 1976 行,文件内容经过 OB 混淆: 

在该行打下断点调试,_$UH[0x1a] 值为 setInterval,则此处即为定时器,0x1f4 值为 500,与本题提示中 50 s 变换一次 cookie 匹配:

ctrl + f 局部搜索加密参数,RM4hZBv0dDon443M 搜索不到被混淆了,搜索 m 的值会发现有几百个结果,这里参数都是被加密赋值的,所以直接搜索 m=,缩减到了只有六个结果:

在第 978 行我可看到以下代码,前面一连串字符串拼起来就是 RM4hZBv0dDon443M,所以此处即为该参数赋值加密的位置:

  • _$Fe:cookie,
  • _0x3d0f3f[_$Fe]:cookie 的值 
_0x3d0f3f[_$Fe] = 'R' + 'M' + '4' + 'h' + 'Z' + 'B' + 'v' + '0' + 'd' + 'D' + 'o' + 'n' + '4' + '4' + '3' + 'M=' + _0x4e96b4['_$ss'] + ';\x20path=/';

在该行打下断点调试分析,_0x3d0f3f[_$Fe] 即 cookie 的值,这里是将 RM4hZBv0dDon443M 参数加密后赋值给 cookie,_0x4e96b4['_$ss'] 即加密值,所以想要知道关键的加密方法,需要进一步跟进到 _0x4e96b4 的定义位置,ctrl + f 局部搜索 _0x4e96b4,在第 221 行找到了其加密位置:

var _0x4e96b4 = window,即 _0x4e96b4 为 window 对象,那么只能搜索 ‘_$’ 看看怎么生成的,有一个结果,在第 1229 行:

'_$' + _$UH[0x348][0x1] + _$UH[0x353][0x1] 对应的 '_$ss' ,同时我们在上面能看到 mode、padding,这段代码部分如下:

_$Ww = _$Tk[_$UH[0x2db]][_$UH[0x2dc]][_$UH[0xff]](_0x4e96b4['_$pr'][_$UH[0x1f]]()),
_0x29dd83 = _$Tk['A' + _$UH[0x32d]][_$UH[0x337] + _$UH[0x336]](_$Ww, _0x4e96b4[_0xc77418('0x6', 'OCbs')], {
    'mode': _$Tk[_$UH[0x339] + _$UH[0x33a]][_$UH[0x2e5]],
    'padding': _$Tk[_$UH[0x33b]][_$UH[0x33c] + _$UH[0x33d]]
}),
_0x4e96b4['_$' + _$UH[0x348][0x1] + _$UH[0x353][0x1]] = _0x29dd83[_$UH[0x1f]]();

经过调试可以改写为:

_$Ww = _$Tk['enc']['utf-8']['parse'](_0x4e96b4['_$pr']['toString']()),
_0x29dd83 = _$Tk['AES'](_$Ww, _0x4e96b4['_$qF'], {
    'mode': _$Tk['mode']['ECB'],
    'padding': _$Tk['pad']['pkcs7']
}),
_0x4e96b4['_$ss'] = _0x29dd83['toString']();

从优化后的代码中可以看到,这里值是通过 AES 加密的,加密模块为 ECB,填充方式为 pkcs7,_0x4e96b4['_$qF'] 为秘钥,_0x4e96b4['_$pr'] 即 window['_$pr'] 为明文数组数据:

先来分析秘钥,ctrl + f 搜索 '_$qF',搜索到了两个结果,在第 1444 行:

_0x4e96b4['_$qF'] = CryptoJS['enc']['Utf8'][_$UH[0xff]](_0x4e96b4['btoa'](_0x4e96b4['_$is'])['slice'](0x0, 0x10));

打断点调试优化:

_0x4e96b4['_$qF'] = CryptoJS['enc']['Utf8']['parse'](_0x4e96b4['btoa'](_0x4e96b4['_$is'])['slice'](0x0, 0x10));

(0x0, 0x10) 值为 16,秘钥为将 _0x4e96b4['_$is'] 的值经过 base64 编码后取前 16 位的结果:

一开始请求参数 m 和 f,定义在 5 文件中:

  • m: window._$is
  • f: window.$_zw[23]

所以 _0x4e96b4['_$is'] 的值及 m 的值,通过 node 改写:

var srcs = '1661936832793';
var value = Buffer.from(srcs).toString('base64').slice(0, 16);

 RM4hZBv0dDon443M 参数整段加密改写如下:

var CryptoJS = require('crypto-js');
var pr = [
    "fcc46223494363e55ecdcf6089b315bb"
    ,"8cad38560777d3294ec95b097e48e047"
    ,"cdd3058695571a4fe8018423b006f260"
    ,"c1a21cb2a6cda710a74395973ad4e98b"
    ,"06301ae5a05fbaf499e6aec8ea042d46"
];
var params = '1661936832793';
var value = Buffer.from(params).toString('base64').slice(0, 16);
function RM4(){
    var srcs = CryptoJS.enc.Utf8.parse(pr.toString());
    var key = CryptoJS.enc.Utf8.parse(value);
    var encrypted = CryptoJS.AES.encrypt(srcs, key, {
        mode: CryptoJS.mode.ECB,
        padding: CryptoJS.pad.Pkcs7
    });
    return encrypted.toString();
}

console.log(RM4());

运行效果:

以上将值固定了,只能说是梳理出了大致逻辑,我们还需要知道 pr 数组具体是怎么生成的,局部搜索 _0x4e96b4['_$pr'] 跟进到数组生成位置,pr 总共有五个值,前四个值生成逻辑是在第 1717 行的 _0x474032(_$Wa) 这:

断点调试,生成第五个值时就会跳转到第 868 行_0x474032(_$yw) 这里:

第五个值的时间戳 _$yw 不仅是 pr 的元素,也是请求参数 m,同时还是 AES 加密的 key 参数,f 即 _$Wa,需跟进 _0x474032 定义位置找到加密方式,后文会讲,现在先找到另一个 cookie 加密参数 m,通过搜索 m= 同样可以找到 cookie 参数 m 的传值位置,在 VM 虚拟机的第 1716 行打断点调试分析:

0x3d0f3f[_$Fe] = 'm=' + _0x474032(_$Wa) + ';\x20path=/';
  • _$Fe:cookie,
  • _0x3d0f3f[_$Fe]:cookie 的值 
  • _$Wa:1661928127000,可能为时间戳
  • _0x474032(_$Wa):将 _$Wa 加密后的结果

_$Wa 第 1715 行定义,跟进到 _0x12eaf3 函数中,在第 275 行定义,根据控制台打印出来的结果可以确定 _$Wa 的值为时间戳:

  •  _$Wa = Date['parse'](new Date())

ctrl + f 搜索 _$yw,定义在第 672 行,_$yw = _0x2d5f5b()[_$UH[0x1f]](),跟进 _0x2d5f5b,跳转到第 278 行,返回值为 _0x35bb1d[_$UH[0xff]](new _0x35bb1d()),断点调试后优化:

  • _$yw = new Date()['valueOf']().toString()

_$Wa 跟 _$yw 一样同样经过 _0x474032 加密的,进一步跟进 _0x474032 的定义位置,看是什么加密方式,鼠标悬停其上,点击进入:

定义在该文件的第 455 行,返回值嵌套了几个三元表达式: 

function _0x474032(_0x233f82, _0xe2ed33, _0x3229f9) {
    return _0xe2ed33 ? _0x3229f9 ? v(_0xe2ed33, _0x233f82) : y(_0xe2ed33, _0x233f82) : _0x3229f9 ? _0x41873d(_0x233f82) : _0x37614a(_0x233f82);
}

在第 456 行 return 处打断点调试, _0xe2ed33 和 _0x3229f9 皆为 undefined,_0x37614a(_0x233f82) 即为加密后的结果:

这里可以将代码简化:

function _0x474032(_0x233f82, _0xe2ed33, _0x3229f9) {
    return _0x37614a(_0x233f82);
}

_0x233f82 为传入的时间戳,所以进一步跟进到 _0x37614a 中,其定义在第 452 行,在第 453 行打断点调试,控制台中打印结果如下:

所以这里时间戳经过 _0x41873d 加密后再由 _0x499969 方法加密后得到了最后的加密结果,然后跟进到 _0x41873d 中,思路是这样的,就不接着往后面一个个描述了,这里边扣边对方法补全调用就行了,把需要的函数都加上,_$UH[ ] 中混淆的也改成对应的字符串,扣了挺久的,改写后的 JavaScript 文件如下:

JavaScript 代码

var _0x4e96b4 = window = {};
var _0x1171c8 = 0x67452301;
var _0x4dae05 = -0x10325477;
var _0x183a1d = -0x67452302;
var _0xcfa373 = 0x10325476;
var _0x30bc70 = String;

function _0x48d4b5(_0xabcf4d) {
    var _0x10430a = _0xabcf4d['length'];
    var _0x4c73dc, _0x324511 = new Array(_0x10430a - 0x1), _0x4a9df7 = _0xabcf4d['charCodeAt'](0x0) - 0x61;
    for (var _0x399f28 = 0x0, _0x3a7b53 = 0x1; _0x3a7b53 < _0x10430a; ++_0x3a7b53) {
        _0x4c73dc = _0xabcf4d['charCodeAt'](_0x3a7b53);
        if (_0x4c73dc >= 0x28 && _0x4c73dc < 0x5c) {
            _0x4c73dc += _0x4a9df7;
            if (_0x4c73dc >= 0x5c)
                _0x4c73dc = _0x4c73dc - 0x34;
        } else if (_0x4c73dc >= 0x61 && _0x4c73dc < 0x7f) {
            _0x4c73dc += _0x4a9df7;
            if (_0x4c73dc >= 0x7f)
                _0x4c73dc = _0x4c73dc - 0x1e;
        }
        _0x324511[_0x399f28++] = _0x4c73dc;
    }
    return _0x2b11f1['apply'](null, _0x324511);
}

function _0x48d200(_0x4b706e, _0x3c3a85, _0x111154, _0x311f9f, _0x5439cf, _0x38cac7, _0x26bd2e) {
    return _0xaaef84(_0x3c3a85 & _0x111154 | ~_0x3c3a85 & _0x311f9f, _0x4b706e, _0x3c3a85, _0x5439cf, _0x38cac7, _0x26bd2e);
}

function _0x12e4a8(_0x7542c8, _0x5eada0) {
    var _0x41f81f = (0xffff & _0x7542c8) + (0xffff & _0x5eada0);
    return (_0x7542c8 >> 0x10) + (_0x5eada0 >> 0x10) + (_0x41f81f >> 0x10) << 0x10 | 0xffff & _0x41f81f;
}

function _0x3634fc(_0x5803ba, _0x1ce5b2) {
    return _0x5803ba << _0x1ce5b2 | _0x5803ba >>> 0x20 - _0x1ce5b2;
}

function _0x3180ec(_0x401705, _0x240e6a, _0x56b131, _0x5a5c20, _0x1f2a72, _0x2bfc1, _0x19741a) {
    return _0xaaef84(_0x240e6a & _0x5a5c20 | _0x56b131 & ~_0x5a5c20, _0x401705, _0x240e6a, _0x1f2a72, _0x2bfc1, _0x19741a);
}

function _0x32032f(_0x520fdf, _0x13921d, _0x1af9d5, _0x4a2311, _0xb6d40a, _0x1d58da, _0x361df0) {
    return _0xaaef84(_0x13921d ^ _0x1af9d5 ^ _0x4a2311, _0x520fdf, _0x13921d, _0xb6d40a, _0x1d58da, _0x361df0);
}

function _0x4b459d(_0x8d8f2a, _0x406d34, _0x53e7d7, _0x26c827, _0xec41ea, _0x52dead, _0x3f66e7) {
    return _0xaaef84(_0x53e7d7 ^ (_0x406d34 | ~_0x26c827), _0x8d8f2a, _0x406d34, _0xec41ea, _0x52dead, _0x3f66e7);
}

function _0xaaef84(_0xaf3112, _0x2a165a, _0x532fb4, _0x10aa40, _0x41c4e7, _0x1cb4da) {
    return _0x12e4a8(_0x3634fc(_0x12e4a8(_0x12e4a8(_0x2a165a, _0xaf3112), _0x12e4a8(_0x10aa40, _0x1cb4da)), _0x41c4e7), _0x532fb4);
}

function _0x11a7a2(_0x193f00, _0x1cfe89) {
    _0x193f00[_0x1cfe89 >> 0x5] |= 0x80 << _0x1cfe89 % 0x20,
    _0x193f00[0xe + (_0x1cfe89 + 0x40 >>> 0x9 << 0x4)] = _0x1cfe89;
    // try {
    //     var _0x42fb36 = _0x4e96b4[_$UH[0x260]][_$UH[0x8]]['DONE'] * 0x4;
    // } catch (_0x1b1b35) {
    //     var _0x42fb36 = 0x1;
    // }
    var _0x42fb36 = 4 * 0x4;
    op = 26;
    b64pad = 1;
    // try {
    //     _0x4e96b4['$_z2'][0x0] = 'Q';
    // } catch (_0x4c574d) {
    //     try {
    //         op = _0x4e96b4['$_zw'][_$UH[0x6c]];
    //     } catch (_0x58af26) {
    //         var _0x3b7935 = 0x0;
    //         for (var _0x1badc3 = 0x0; _0x1badc3 < 0xf4240; _0x1badc3++) {
    //             _0x3b7935 = _0x3b7935 + _0x1badc3[_$UH[0x1f]]();
    //             history['pushState'](0x0, 0x0, _0x3b7935);
    //         }
    //     }
    //     if (op > 0x14) {
    //         eval('b64pad = _0x4e96b4[\'$_zw\'][9][\'length\'];');
    //     } else if (op < 0xa) {
    //         _0x4e96b4['$_zw'] = [0x1, 0x8, 0x2, 0x4, 0x17, 0x2d, 0x8, 0xf, 0x51, 0x44, 0xd, 0x48, 0x46];
    //     }
    // }
    var _0x1badc3, _0x38ca59, _0x431764, _0x43f1b4, _0x5722c0, _0x3e0c38 = _0x1171c8, _0xdb4d2c = _0x4dae05, _0x1724c5 = _0x183a1d, _0x257ec6 = _0xcfa373;
    // try {
    //     if (_0x4e96b4['_$6_']) {} else {
    //         _0x4e96b4['_$6_'] = 0x20dc5d57f;
    //     }
    // } catch (_0x15bf3f) {
    //     _0x4e96b4['_$6_'] = 0x2421603;
    // }
    window['_$6_'] = -389564586;
    window['_$tT'] = -660478335;
    window['_$Jy'] = -405537848;
    for (_0x1badc3 = 0x0; _0x1badc3 < _0x193f00['length']; _0x1badc3 += _0x42fb36)
        _0x38ca59 = _0x3e0c38,
            _0x431764 = _0xdb4d2c,
            _0x43f1b4 = _0x1724c5,
            _0x5722c0 = _0x257ec6,
            _0x3e0c38 = _0x48d200(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3], 0x7, 0x7d60c),
            _0x257ec6 = _0x48d200(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0x1], 0xc, _0x4e96b4['_$6_']),
            _0x1724c5 = _0x48d200(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0x2], 0x11, 0x242070db),
            _0xdb4d2c = _0x48d200(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0x3], 0x16, -0x3e423112),
            _0x3e0c38 = _0x48d200(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3 + 0x4], 0x7, -0xa83f051),
            _0x257ec6 = _0x48d200(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0x5], 0xc, 0x4787c62a),
            _0x1724c5 = _0x48d200(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0x6], 0x11, -0x57cfb9ed),
            _0xdb4d2c = _0x48d200(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0x7], 0x16, -0x2b96aff),
            _0x3e0c38 = _0x48d200(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3 + 0x8], 0x7, 0x698098d8),
            _0x257ec6 = _0x48d200(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0x9], 0xc, -0x74bb0851),
            _0x1724c5 = _0x48d200(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0xa], 0x11, -0xa44f),
            _0xdb4d2c = _0x48d200(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0xb], 0x16, -0x76a32842),
            _0x3e0c38 = _0x48d200(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3 + 0xc], 0x7, 0x6b901122),
            _0x257ec6 = _0x48d200(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0xd], 0xc, -0x2678e6d),
            _0x1724c5 = _0x48d200(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0xe], 0x11, -0x5986bc72),
            _0xdb4d2c = _0x48d200(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0xf], 0x16, 0x49b40821),
            _0x3e0c38 = _0x3180ec(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3 + 0x1], 0x5, -0x9e1da9e),
            _0x257ec6 = _0x3180ec(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0x6], 0x9, -0x3fbf4cc0),
            _0x1724c5 = _0x3180ec(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0xb], 0xe, 0x265e5a51),
            _0xdb4d2c = _0x3180ec(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3], 0x14, -0x16493856),
            _0x3e0c38 = _0x3180ec(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3 + 0x5], 0x5, -0x29d0efa3),
            _0x257ec6 = _0x3180ec(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0xa], 0x9, 0x2441453),
            _0x1724c5 = _0x3180ec(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0xf], 0xe, _0x4e96b4['_$tT']),
            _0xdb4d2c = _0x3180ec(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0x4], 0x14, _0x4e96b4['_$Jy']),
            _0x3e0c38 = _0x3180ec(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3 + 0x9], 0x5, 0x21e1cde6),
            _0x257ec6 = _0x3180ec(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0xe], 0x9, -0x3cc8aa0a),
            _0x1724c5 = _0x3180ec(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0x3], 0xe, -0xb2af279),
            _0xdb4d2c = _0x3180ec(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0x8], 0x14, 0x455a14ed),
            _0x3e0c38 = _0x3180ec(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3 + 0xd], 0x5, -0x5caa8e7b),
            _0x257ec6 = _0x3180ec(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0x2], 0x9, -0x3105c08),
            _0x1724c5 = _0x3180ec(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0x7], 0xe, 0x676f02d9),
            _0xdb4d2c = _0x3180ec(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0xc], 0x14, -0x72d5b376),
            _0x3e0c38 = _0x32032f(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3 + 0x5], 0x4, -0x241282e),
            _0x257ec6 = _0x32032f(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0x8], 0xb, -0x788e097f),
            _0x1724c5 = _0x32032f(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0xb], 0x10, 0x6d9d6122),
            _0xdb4d2c = _0x32032f(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0xe], 0x17, -0x21ac7f4),
            _0x3e0c38 = _0x32032f(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3 + 0x1], 0x4, -0x5b4115bc * b64pad),
            _0x257ec6 = _0x32032f(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0x4], 0xb, 0x4bdecfa9),
            _0x1724c5 = _0x32032f(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0x7], 0x10, -0x944b4a0),
            _0xdb4d2c = _0x32032f(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0xa], 0x17, -0x41404390),
            _0x3e0c38 = _0x32032f(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3 + 0xd], 0x4, 0x289b7ec6),
            _0x257ec6 = _0x32032f(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3], 0xb, -0x155ed806),
            _0x1724c5 = _0x32032f(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0x3], 0x10, -0x2b10cf7b),
            _0xdb4d2c = _0x32032f(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0x6], 0x17, 0x2d511fd9),
            _0x3e0c38 = _0x32032f(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3 + 0x9], 0x4, -0x3d12017),
            _0x257ec6 = _0x32032f(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0xc], 0xb, -0x1924661b),
            _0x1724c5 = _0x32032f(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0xf], 0x10, 0x1fa27cf8),
            _0xdb4d2c = _0x32032f(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0x2], 0x17, -0x3b53a99b),
            _0x3e0c38 = _0x4b459d(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3], 0x6, -0xbd6ddbc),
            _0x257ec6 = _0x4b459d(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0x7], 0xa, 0x432aff97),
            _0x1724c5 = _0x4b459d(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0xe], 0xf, -0x546bdc59),
            _0xdb4d2c = _0x4b459d(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0x5], 0x15, -0x36c5fc7),
            _0x3e0c38 = _0x4b459d(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3 + 0xc], 0x6, 0x655b59c3),
            _0x257ec6 = _0x4b459d(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0x3], 0xa, -0x70ef89ee),
            _0x1724c5 = _0x4b459d(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0xa], 0xf, -0x644f153),
            _0xdb4d2c = _0x4b459d(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0x1], 0x15, -0x7a7ba22f),
            _0x3e0c38 = _0x4b459d(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3 + 0x8], 0x6, 0x6fa87e4f),
            _0x257ec6 = _0x4b459d(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0xf], 0xa, -0x1d31920),
            _0x1724c5 = _0x4b459d(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0x6], 0xf, -0x5cfebcec),
            _0xdb4d2c = _0x4b459d(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0xd], 0x15, 0x4e0811a1),
            _0x3e0c38 = _0x4b459d(_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6, _0x193f00[_0x1badc3 + 0x4], 0x6, -0x8ac817e),
            _0x257ec6 = _0x4b459d(_0x257ec6, _0x3e0c38, _0xdb4d2c, _0x1724c5, _0x193f00[_0x1badc3 + 0xb], 0xa, -1120211379),
            _0x1724c5 = _0x4b459d(_0x1724c5, _0x257ec6, _0x3e0c38, _0xdb4d2c, _0x193f00[_0x1badc3 + 0x2], 0xf, 0x2ad7d2bb),
            _0xdb4d2c = _0x4b459d(_0xdb4d2c, _0x1724c5, _0x257ec6, _0x3e0c38, _0x193f00[_0x1badc3 + 0x9], 0x15, -0x14792c01),
            _0x3e0c38 = _0x12e4a8(_0x3e0c38, _0x38ca59),
            _0xdb4d2c = _0x12e4a8(_0xdb4d2c, _0x431764),
            _0x1724c5 = _0x12e4a8(_0x1724c5, _0x43f1b4),
            _0x257ec6 = _0x12e4a8(_0x257ec6, _0x5722c0);
    return [_0x3e0c38, _0xdb4d2c, _0x1724c5, _0x257ec6];
}

function _0x12b47d(_0x149183) {
    var _0xabbcb3, _0x1145c3 = '', _0x4fce58 = 0x20 * _0x149183['length'];
    for (_0xabbcb3 = 0x0; _0xabbcb3 < _0x4fce58; _0xabbcb3 += 0x8)
        _0x1145c3 += _0x30bc70['fromCharCode'](_0x149183[_0xabbcb3 >> 0x5] >>> _0xabbcb3 % 0x20 & 0xff);
    return _0x1145c3;
}

function _0x35f5f2(_0x243853) {
    var _0x139b8b, _0xa791a1 = [];
        for (_0xa791a1[(_0x243853['length'] >> 0x2) - 0x1] = void 0x0,
        _0x139b8b = 0x0; _0x139b8b < _0xa791a1['length']; _0x139b8b += 0x1)
            _0xa791a1[_0x139b8b] = 0x0;
        var _0x41a533 = 0x8 * _0x243853['length'];
        for (_0x139b8b = 0x0; _0x139b8b < _0x41a533; _0x139b8b += 0x8)
            _0xa791a1[_0x139b8b >> 0x5] |= (0xff & _0x243853['charCodeAt'](_0x139b8b / 0x8)) << _0x139b8b % 0x20;
        return _0xa791a1;
    }

function _0x2b8a17(_0x36f847) {
    return unescape(encodeURIComponent(_0x36f847));
}

function _0x1ee7ec(_0x206333) {
    return _0x12b47d(_0x11a7a2(_0x35f5f2(_0x206333), 8 * 13));
}

function _0x499969(_0x82fe7e) {
    var _0x5bdda4, _0x322a73, _0xd0b5cd = '0123456789abcdef', _0x21f411 = '';
    for (_0x322a73 = 0x0; _0x322a73 < _0x82fe7e['length']; _0x322a73 += 0x1)
        _0x5bdda4 = _0x82fe7e['charCodeAt'](_0x322a73),
            _0x21f411 += _0xd0b5cd['charAt'](_0x5bdda4 >>> 0x4 & 0xf) + _0xd0b5cd['charAt'](0xf & _0x5bdda4);
    return _0x21f411;
}

function _0x41873d(_0x5a6962) {
    return _0x1ee7ec(_0x2b8a17(_0x5a6962));
}

function _0x37614a(_0x32e7c1) {
    return _0x499969(_0x41873d(_0x32e7c1));
}

function _0x474032(_0x233f82, _0xe2ed33, _0x3229f9) {
    return _0xe2ed33 ? _0x3229f9 ? v(_0xe2ed33, _0x233f82) : y(_0xe2ed33, _0x233f82) : _0x3229f9 ? _0x41873d(_0x233f82) : _0x37614a(_0x233f82);
}

var CryptoJS = require('crypto-js');

function RM4(_$yw, pr){
    var value = Buffer.from(_$yw).toString('base64').slice(0, 16);
    var srcs = CryptoJS.enc.Utf8.parse(pr);
    var key = CryptoJS.enc.Utf8.parse(value);
    var encrypted = CryptoJS.AES.encrypt(srcs, key, {
        mode: CryptoJS.mode.ECB,
        padding: CryptoJS.pad.Pkcs7
    });
    return encrypted.toString();
}

function getCookie() {
    pr = [];
    for (i = 1; i < 5; i++) {
        var _$Wa = Date['parse'](new Date()).toString();
        pr['push'](_0x474032(_$Wa))
    }
    _$yw = new Date()['valueOf']().toString();
    pr['push'](_0x474032(_$yw));
    cookie_m = pr[4];
    cookie_RM4 = RM4(_$yw, pr['toString']());
    return{
        "cookie_m": cookie_m,
        "cookie_RM4": cookie_RM4,
        "m": _$yw,
        "f": _$Wa
    }
}

// console.log(getCookie());

运行结果:

python 代码 

sessionid 要改为自己的: 

import execjs
import requests
import re

headers = {
    "user-agent": "yuanrenxue,project",
}


def main():
    heat_value_total = []
    for page_num in range(1, 6):

        with open('yrx5.js', 'r', encoding='utf-8') as f:
            encrypt = f.read()
            encrypt_params = execjs.compile(encrypt).call('getCookie')

        cookies = {
            "sessionid": " your sessionid ",
            "m": encrypt_params['cookie_m'],
            "RM4hZBv0dDon443M": encrypt_params['cookie_RM4']
        }

        params = {
            "m": encrypt_params['m'],
            "f": encrypt_params['f']
        }
        url = "https://match.yuanrenxue.com/api/match/5?page=%s" % page_num

        response = requests.get(url, headers=headers, cookies=cookies, params=params)

        for i in range(10):
            value = response.json()['data'][i]
            heat_value = re.findall(r"'value': (.*?)}", str(value))[0]
            heat_value_total.append(heat_value)

    heat_value_total.sort(reverse=True)

    top_three_sum = 0
    for i in range(5):
        top_three_sum += int(heat_value_total[i])

    print(top_three_sum)


if __name__ == '__main__':
    main()
Yy_Rose
关注
专栏目录
猿人第五JS逆向 流程图.emmx
11-16
猿人第五JS逆向 流程图,可以根据这个流程图来 分析 第五,在配合我写的博客,可以适合小白入门习分析逆向思路
猿人第五(js逆向
screamn的博客
12-30 1255
直接搜索,当你试一下搜索的内容的时候,你是无法直接搜索到的,因为这段加密他的键名是通过字符累加产生的,这边我是直接一步一步分析js代码,最后定位到了这个位置。继续hook,找到第二个cookie加密,这边等我后续分析,明天必须拿下。分析网络请求,我们可以确定,该部分加密是加密的cookie。所以我们开始寻找加密的位置。我们可以找到第一个加密参数m。打上断点,开始hook。
猿人第二届第五
最新发布
py_tiro的博客
09-29 412
webpack 扣取 + sha1 加密 + ras 加密
猿人第五
m0_62945506的博客
07-31 1014
然后又来了一次的_0x4e96b4['_$pr']['push'](_0x474032(_$yw));现在定位_0x4e96b4['_$qF'],直接搜索发现他在1444行和146行都有,那么下断点看走的那个最终发现他走的是1444行的赋值操作。然后再来定位_0x4e96b4['_$pr']找他的生成来源,像这样直接搜索_0x4e96b4['_$pr'],然后都打上断点。经过尝试后发现他是调用了4次的_0x4e96b4['_$pr']['push'](_0x474032(_$Wa));
猿人第五--混淆乱码增强
zhuangjoo的博客
04-18 1233
服务器校验的方法就是data.m作为参数生成cookie.m,用cookie.m作为cookie.rm的明文的第五个数据,data.m作为秘钥进行aes加密生成cookie.rm。
猿人WEB目专解】猿人第5
热门推荐
user_from_future的博客
04-17 1万+
第五 js 混淆 乱码增强 - 猿人
Javascript逆向+猿人第二+动态cookie+逆向
02-28
一般情况下,JavaScript 逆向分为三步: 寻找入口:逆向在大部分情况下就是找一些加密参数到底是怎么来的,关键逻辑可能写在某个关键的方法或者隐藏在某个关键的变量里,一个网站可能加载了很多 JavaScript 文件,...
javascript逆向 猿人 js混淆 回溯 逆向
03-12
猿人JS混淆是一种常见的JavaScript混淆技术,通过对代码进行重构、变量名替换、函数调用转换等手段,使得代码难以直观理解,增加了阅读和分析的难度。 在进行JavaScript逆向习时,首先需要通过反混淆技术将混淆...
Javascript逆向分析 猿人 第四 雪碧图 样式干扰
02-29
本文涉及Javascript逆向分析,针对猿人第四中雪碧图样式干扰进行探讨。所有内容仅供习交流使用,严禁用于非法用途和商业目的。我们将不断优化内容,提供更丰富的解析和讨论,帮助大家更好地理解逆向分析技术。...
javascript逆向 js混淆 乱码增强 js逆向
03-08
JavaScript 逆向工程和混淆技术旨在加强对代码安全性的认识和保护。了解如何混淆 JavaScript 代码、增强其安全性,以及防止逆向工程是开发人员重要的技能之一。通过逆向工程,可以更好地理解代码运行原理,...
YuanRenXue:猿人Web端爬虫攻防赛第一季 习练习
05-07
"YuanRenXue:猿人Web端爬虫攻防赛第一季 习练习"是一个专门针对这一主习资源,旨在帮助开发者提升在JavaScript环境下的爬虫编写和防护技巧。 一、JavaScript基础 在深入爬虫攻防之前,我们需要理解...
js代码-猿人第一js
07-14
js代码-猿人第一js
猿人第5
a1980054932的博客
03-16 1269
猿人第5分析请求加密参数分析cookie里的两个加密参数分析密钥分析url里的两个加密参数扣代码 本文仅供大家习 1 分析请求 2 加密参数 3 扣代码 分析请求 这是目,要求是热度最高的前五名的和。按F12,看看请求的包 我请求了两页,请求参数只有两个,m和f 从这里看不出啥东西,目提示cookie只保存50s,那肯定是cookie里加密了 ,多次请求发现cookie里有两个值加密了,一个是m值,还有一个 是RM4hZBv0dDon443M 把两次的url和cookie拿
猿人2022安卓逆向对抗比赛第五分析
Steven的杂货铺
07-09 1364
双向认证,那么就需要有证书了,打开APP后看看 在assets 文件夹中 是否有证书 确实可以看到有一个客户端的证书,是.bks 的那么r0ysue大佬的 r0capture 依旧可以排上用场,直接可以dump 下来.p12的证书 到手机的 SDcard/Download 目录下,密码为r0ysue然后发现竟然卡住了。。。。。证书也没有dump下来。。。。那就换一种思路呗。。。。。 密钥获取成功 = > : MZ4cozY8Qu32UzGe 然后通过Charles 进行 导入证书然后我又开始怀疑人生
猿人第5,hook任意cookie被设置的瞬间
小玉的小本本
03-23 2135
直接hook任意cookie被设置的瞬间, 定位到cookie设置的接口新的hook方式,捕获任意一个cookie被设置的瞬间其实经过修改,可以捕获任意对象的指定属性执行指定方法时的瞬间直接在搜索引擎搜索(hook cookie)也可以查到以下代码(这是一个油猴的脚本)// ==UserScript== // @name        Hook Cookie // @namespace&n
[007]爬虫系列 | 猿人爬虫攻防大赛 | 第五: js混淆 乱码增强(中)
GC怪兽的Blog
10-29 1207
一、备注 在阅读此文章前,请先阅读前一篇《[007]爬虫系列 | 猿人爬虫攻防大赛 | 第五: js混淆 乱码增强(上)》 二、找参数来源(二) 在前一篇文章中,我们找出了Cookie里面m生成函数,并且封装出来了一个脚本!!!本篇文章我们就来找cookie另外一个属性: RM4hZBv0dDon443M 不知道大家还记不记得,我们前一篇中有找到一段代码: 由这一段代码生成的: $_ow = ""; for (var h = 0; h < w..
猿人-第五-逆向案例
qq_67590525的博客
06-10 953
最后我插一嘴,这种代码是可以全扣的,扣完补环境就可以啦。当然,出人可能是想让我们通扣代码了解混淆的思路。我们发现是_0x4e96b4['_$ss']这里传来的,而_0x4e96b4是window。然后发现就在上面,通过观察,发现是AES加密。因此,我们可以使用脚本hookwindow._$ss,看是哪里加密的。先使用脚本对RM4hZBv0dDon443M进行hook,脚本如下。然后发现是_0x29dd83这个函数进行生成的。这里提供思路,就是搜m=,然后断点。根据脚本找到加密位置后,继续跟栈。
JS逆向系列之猿人爬虫第5
自成背后的博客
05-05 3587
猿人爬虫攻防赛web第5乱码增强
【JS逆向习】猿人 第五 js混淆 乱码
学海无涯
03-08 930
后面还有有一些函数和变量需要补,这里就不一一补了,全部补完整之后执行有结果了,但是和同样的时间戳参数和浏览器生成的结果不一致,我们只能继续分析扣下来的代码哪里和浏览器不一致,最有可能的就是刚才我们改写的那段有反调试的函数,我们继续分析那个函数的下半部分,发现有两个地方很有可能会有问,浏览器调试后我们发现和本地走的分支不一致,可以判定代码是做了检测的,我们直接按照浏览器的代码逻辑来改写我们的本地逻辑。功底够硬,代码还原后就很好分析了,可惜我功力不够,只能跟栈分析喽,向上一层就看到了具体的加密逻辑了。
评论 3
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值