Python crawler - JS reverse engineering: cracking the eval(function(p, a, c, k, e, d)) JS obfuscation function


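Preface

If you want the target URL, send me a private message (a cnblogs private message is enough; no need to add me on WeChat, follow an official account, repost to your Moments, collect likes or any of that pointless routine; none of those tricks here).

Analysis

This time it is again a foreign proxy site. Open it and take a look:

Yes, it also obfuscates the port. The rf034 here actually stands for the real port, but the port is not shown directly; it is filled in by a piece of JS.

So where is that JS? Just do a full-text search:

Open the JS file named c8ae6, click the pretty-print button, and look at it:

Source code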

eval(function(p, a, c, k, e, d) { e = function(c) { return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36)) } ; if (!''.replace(/^/, String)) { while (c--) { d[e(c)] = k[c] || e(c) } k = [function(e) { return d[e] } ]; e = function() { return '\\w+' } ; c = 1 } ;while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b','g'), k[c]) } } return p }('$(1b).1a(19(){$(\'.17\').0(18);$(\'.1c\').0(1d);$(\'.1h\').0(1g);$(\'.1f\').0(1e);$(\'.16\').0(15);$(\'.X\').0(W);$(\'.V\').0(T);$(\'.U\').0(Y);$(\'.Z\').0(14);$(\'.13\').0(12);$(\'.10\').0(11);$(\'.1i\').0(1j);$(\'.1B\').0(1A);$(\'.1z\').0(1x);$(\'.1y\').0(1C);$(\'.1D\').0(1H);$(\'.1G\').0(1F);$(\'.1E\').0(1w);$(\'.1v\').0(1o);$(\'.1n\').0(1m);$(\'.1k\').0(1l);$(\'.1p\').0(1q);$(\'.1u\').0(1t);$(\'.1s\').0(1r);$(\'.S\').0(K);$(\'.j\').0(i);$(\'.h\').0(f);$(\'.g\').0(k);$(\'.l\').0(p);$(\'.o\').0(n);$(\'.m\').0(e);$(\'.c\').0(5);$(\'.4\').0(3);$(\'.1\').0(2);$(\'.6\').0(d);$(\'.7\').0(b);$(\'.a\').0(8);$(\'.9\').0(q);$(\'.R\').0(r);$(\'.J\').0(I);$(\'.G\').0(H);$(\'.L\').0(M);$(\'.Q\').0(P);$(\'.O\').0(N);$(\'.F\').0(E);$(\'.w\').0(v);$(\'.u\').0(s);$(\'.t\').0(x);$(\'.y\').0(D);$(\'.C\').0(B);$(\'.z\').0(A);$(\'.1I\').0(3r);$(\'.1J\').0(2T);$(\'.2S\').0(2Q);$(\'.2R\').0(2V);$(\'.2W\').0(30);$(\'.2Z\').0(2Y);$(\'.2X\').0(2P);$(\'.2O\').0(2G);$(\'.2F\').0(2E);$(\'.2C\').0(2D);$(\'.2H\').0(2I);$(\'.2N\').0(2M);$(\'.2L\').0(2J);$(\'.2K\').0(31);$(\'.32\').0(3k);$(\'.3j\').0(3i);$(\'.3g\').0(3h);$(\'.3l\').0(3m);$(\'.3q\').0(3p);$(\'.3o\').0(3n);$(\'.3f\').0(3e);$(\'.37\').0(36);$(\'.35\').0(33);$(\'.34\').0(38);$(\'.39\').0(3d);$(\'.3c\').0(3b);$(\'.3a\').0(2B);$(\'.2A\').0(22);$(\'.21\').0(20);$(\'.1Y\').0(1Z);$(\'.23\').0(24);$(\'.28\').0(27);$(\'.26\').0(25);$(\'.1X\').0(1W);$(\'.1O\').0(1N);$(\'.1M\').0(1K);$(\'.1L\').0(1P);$(\'.1Q\').0(1V);$(\'.1U\').0(1T);$(\'.1R\').0(1S);$(\'.29\').0(2a);$(\'.2t\').0(2s);$(\'.2r\').0(2p);$(\'.2q\').0(2u);$(\'.2v\').0(2z);$(\'.2y\').0(2x);$(\'.2w\').0(2o);$(\'.2n\').0(2f);$(\'.2e\').0(2d);$(\'.2b\').0(2c);$(\'.2g\').0(2h);$(\'.2m\').0(2l);$(\'.2k\').0(2i);$(\'.2j\').0(2U)});', 62, 214, 'html|r1cad|53959|34273|r382f|36681|r16ec|r5f55|44612|r0799|r91df|34560|r4732|60530|59144|8004|r6d76|rfbab|3256|r5288|9991|r27a0|r5349|39371|r1907|34403|38525|3888|8380|rb67c|r82c8|48678|ra4dc|8197|rc1ac|r4403|31475|49602|r58e6|83|2222|r0484|rc90e|1081|1080|r961e|46385|r6572|8118|42119|r1dc7|48146|r11c6|r6c92|rd155|80|rbf49|r1dfd|999|r3872|8081|rf034|r6689|60604|37699|r25ee|3128|8090|r371e|r91de|8080|function|ready|document|r0e8d|38009|55443|rbfa3|8088|rd420|ra882|32231|rba5d|63141|45521|rfc3a|41878|rc6c6|51680|443|r9a25|31932|r1b07|r11b4|60731|808|r281f|r2329|53281|r99d5|59152|rf640|r7ec7|9999|re54b|65205|rf04b|r3629|32439|rab5c|rfec2|32161|rc143|55693|r2e4b|r34a8|33326|53438|r0938|8889|58893|r9bcd|r7f6f|50330|45729|r96d2|45730|r87fc|35953|45381|r183f|37444|r5b53|rbe71|61657|r148b|1993|32916|r0e0a|41621|rd26e|40282|42967|r79d3|re62d|8085|r8b97|rf3b1|54256|33855|r6cbb|r85ac|56315|r63b2|31280|r6b29|r8f7e|45295|r8bce|48241|rc9e2|48687|r411f|3150|60792|r1274|47385|r62f2|56644|45282|rf56a|r6953|47615|r8166|rae36|30716|39589|r0e11|r9760|8686|54675|58888|r22cd|rd8eb|45944|ra76c|47247|42928|r75b5|47744|rd2c9|r1f65|47548|rcb82|30640|rddf2|ra051|48995|ra854|48625|61954|rac92|r1c73|4645|52271|r69ad|54018|rccd3|43631|23500|r34e5|9001|rb9b6|61743'.split('|'), 0, {}))

 

 

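Honestly, this code is hard to read at first glance. I searched for material on the function(p, a, c, k, e, d) obfuscation:

There is quite a lot, but after opening the results one by one, most of the articles seemed very similar, and they all say you can change the final return to:

In fact this eval(function(p,a,c,k,e,d){})) comes with its own decoding function e(). while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p Each p produced by the while loop is the decoded function code. We delete the return p from the source so the result is not returned, and instead write it straight into a text area, e.g. document.getElementById("textareaID").innerText=p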

 

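I tried that change and saved the result as an HTML file

Opened in the browser, these are indeed the real ports

Searching for the rf034 from earlier, it does match port 3128 in the source:

There is another way, using the browser's built-in de-obfuscation tool:

Then tick the option I circled below and refresh the page

The methods above are for cases where the code itself has been obfuscated, such as the one in this blog: click here. The example there also uses this function to obfuscate code, and the methods above do recover the actual JS.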

 

 

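But, yes, here comes the annoying "but"

In our case the code itself is not actually obfuscated. Why do I say that? I opened a new tab and pasted this code into the console:

Press Enter and, damn, an error. No problem: the message means the browser will not execute eval here, to prevent XSS attacks and the like

Remove the eval and look again:

Press Enter and the result appears directly, so the code itself is not obfuscated

The obfuscation here is applied to the data. I noticed that each time I refresh the page, whenever the proxies on this proxy site have been updated, the arguments passed at the end change accordingly. This pile of arguments: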

$(1b).1a(19(){$(\'.17\').0(18);$(\'.1c\').0(1d);$(\'.1h\').0(1g);$(\'.1f\').0(1e);$(\'.16\').0(15);$(\'.X\').0(W);$(\'.V\').0(T);$(\'.U\').0(Y);$(\'.Z\').0(14);$(\'.13\').0(12);$(\'.10\').0(11);$(\'.1i\').0(1j);$(\'.1B\').0(1A);$(\'.1z\').0(1x);$(\'.1y\').0(1C);$(\'.1D\').0(1H);$(\'.1G\').0(1F);$(\'.1E\').0(1w);$(\'.1v\').0(1o);$(\'.1n\').0(1m);$(\'.1k\').0(1l);$(\'.1p\').0(1q);$(\'.1u\').0(1t);$(\'.1s\').0(1r);$(\'.S\').0(K);$(\'.j\').0(i);$(\'.h\').0(f);$(\'.g\').0(k);$(\'.l\').0(p);$(\'.o\').0(n);$(\'.m\').0(e);$(\'.c\').0(5);$(\'.4\').0(3);$(\'.1\').0(2);$(\'.6\').0(d);$(\'.7\').0(b);$(\'.a\').0(8);$(\'.9\').0(q);$(\'.R\').0(r);$(\'.J\').0(I);$(\'.G\').0(H);$(\'.L\').0(M);$(\'.Q\').0(P);$(\'.O\').0(N);$(\'.F\').0(E);$(\'.w\').0(v);$(\'.u\').0(s);$(\'.t\').0(x);$(\'.y\').0(D);$(\'.C\').0(B);$(\'.z\').0(A);$(\'.1I\').0(3r);$(\'.1J\').0(2T);$(\'.2S\').0(2Q);$(\'.2R\').0(2V);$(\'.2W\').0(30);$(\'.2Z\').0(2Y);$(\'.2X\').0(2P);$(\'.2O\').0(2G);$(\'.2F\').0(2E);$(\'.2C\').0(2D);$(\'.2H\').0(2I);$(\'.2N\').0(2M);$(\'.2L\').0(2J);$(\'.2K\').0(31);$(\'.32\').0(3k);$(\'.3j\').0(3i);$(\'.3g\').0(3h);$(\'.3l\').0(3m);$(\'.3q\').0(3p);$(\'.3o\').0(3n);$(\'.3f\').0(3e);$(\'.37\').0(36);$(\'.35\').0(33);$(\'.34\').0(38);$(\'.39\').0(3d);$(\'.3c\').0(3b);$(\'.3a\').0(2B);$(\'.2A\').0(22);$(\'.21\').0(20);$(\'.1Y\').0(1Z);$(\'.23\').0(24);$(\'.28\').0(27);$(\'.26\').0(25);$(\'.1X\').0(1W);$(\'.1O\').0(1N);$(\'.1M\').0(1K);$(\'.1L\').0(1P);$(\'.1Q\').0(1V);$(\'.1U\').0(1T);$(\'.1R\').0(1S);$(\'.29\').0(2a);$(\'.2t\').0(2s);$(\'.2r\').0(2p);$(\'.2q\').0(2u);$(\'.2v\').0(2z);$(\'.2y\').0(2x);$(\'.2w\').0(2o);$(\'.2n\').0(2f);$(\'.2e\').0(2d);$(\'.2b\').0(2c);$(\'.2g\').0(2h);$(\'.2m\').0(2l);$(\'.2k\').0(2i);$(\'.2j\').0(2U)});', 62, 214, 
'html|r1cad|53959|34273|r382f|36681|r16ec|r5f55|44612|r0799|r91df|34560|r4732|60530|59144|8004|r6d76|rfbab|3256|r5288|9991|r27a0|r5349|39371|r1907|34403|38525|3888|8380|rb67c|r82c8|48678|ra4dc|8197|rc1ac|r4403|31475|49602|r58e6|83|2222|r0484|rc90e|1081|1080|r961e|46385|r6572|8118|42119|r1dc7|48146|r11c6|r6c92|rd155|80|rbf49|r1dfd|999|r3872|8081|rf034|r6689|60604|37699|r25ee|3128|8090|r371e|r91de|8080|function|ready|document|r0e8d|38009|55443|rbfa3|8088|rd420|ra882|32231|rba5d|63141|45521|rfc3a|41878|rc6c6|51680|443|r9a25|31932|r1b07|r11b4|60731|808|r281f|r2329|53281|r99d5|59152|rf640|r7ec7|9999|re54b|65205|rf04b|r3629|32439|rab5c|rfec2|32161|rc143|55693|r2e4b|r34a8|33326|53438|r0938|8889|58893|r9bcd|r7f6f|50330|45729|r96d2|45730|r87fc|35953|45381|r183f|37444|r5b53|rbe71|61657|r148b|1993|32916|r0e0a|41621|rd26e|40282|42967|r79d3|re62d|8085|r8b97|rf3b1|54256|33855|r6cbb|r85ac|56315|r63b2|31280|r6b29|r8f7e|45295|r8bce|48241|rc9e2|48687|r411f|3150|60792|r1274|47385|r62f2|56644|45282|rf56a|r6953|47615|r8166|rae36|30716|39589|r0e11|r9760|8686|54675|58888|r22cd|rd8eb|45944|ra76c|47247|42928|r75b5|47744|rd2c9|r1f65|47548|rcb82|30640|rddf2|ra051|48995|ra854|48625|61954|rac92|r1c73|4645|52271|r69ad|54018|rccd3|43631|23500|r34e5|9001|rb9b6|61743'.split('|'), 0, {} 

 

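So at this point we still have to start from the code logic and analyse it bit by bit:

First look at this, this e

What is it actually doing? This function is the core of the obfuscation,

What is a? Look back at function(p, a, c, k, e, d) and then at the arguments we pass: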

'$(1b).1a(19(){$(\'.17\').0(18);$(\'.1c\').0(1d);$(\'.1h\').0(1g);$(\'.1f\').0(1e);$(\'.16\').0(15);$(\'.X\').0(W);$(\'.V\').0(T);$(\'.U\').0(Y);$(\'.Z\').0(14);$(\'.13\').0(12);$(\'.10\').0(11);$(\'.1i\').0(1j);$(\'.1B\').0(1A);$(\'.1z\').0(1x);$(\'.1y\').0(1C);$(\'.1D\').0(1H);$(\'.1G\').0(1F);$(\'.1E\').0(1w);$(\'.1v\').0(1o);$(\'.1n\').0(1m);$(\'.1k\').0(1l);$(\'.1p\').0(1q);$(\'.1u\').0(1t);$(\'.1s\').0(1r);$(\'.S\').0(K);$(\'.j\').0(i);$(\'.h\').0(f);$(\'.g\').0(k);$(\'.l\').0(p);$(\'.o\').0(n);$(\'.m\').0(e);$(\'.c\').0(5);$(\'.4\').0(3);$(\'.1\').0(2);$(\'.6\').0(d);$(\'.7\').0(b);$(\'.a\').0(8);$(\'.9\').0(q);$(\'.R\').0(r);$(\'.J\').0(I);$(\'.G\').0(H);$(\'.L\').0(M);$(\'.Q\').0(P);$(\'.O\').0(N);$(\'.F\').0(E);$(\'.w\').0(v);$(\'.u\').0(s);$(\'.t\').0(x);$(\'.y\').0(D);$(\'.C\').0(B);$(\'.z\').0(A);$(\'.1I\').0(3r);$(\'.1J\').0(2T);$(\'.2S\').0(2Q);$(\'.2R\').0(2V);$(\'.2W\').0(30);$(\'.2Z\').0(2Y);$(\'.2X\').0(2P);$(\'.2O\').0(2G);$(\'.2F\').0(2E);$(\'.2C\').0(2D);$(\'.2H\').0(2I);$(\'.2N\').0(2M);$(\'.2L\').0(2J);$(\'.2K\').0(31);$(\'.32\').0(3k);$(\'.3j\').0(3i);$(\'.3g\').0(3h);$(\'.3l\').0(3m);$(\'.3q\').0(3p);$(\'.3o\').0(3n);$(\'.3f\').0(3e);$(\'.37\').0(36);$(\'.35\').0(33);$(\'.34\').0(38);$(\'.39\').0(3d);$(\'.3c\').0(3b);$(\'.3a\').0(2B);$(\'.2A\').0(22);$(\'.21\').0(20);$(\'.1Y\').0(1Z);$(\'.23\').0(24);$(\'.28\').0(27);$(\'.26\').0(25);$(\'.1X\').0(1W);$(\'.1O\').0(1N);$(\'.1M\').0(1K);$(\'.1L\').0(1P);$(\'.1Q\').0(1V);$(\'.1U\').0(1T);$(\'.1R\').0(1S);$(\'.29\').0(2a);$(\'.2t\').0(2s);$(\'.2r\').0(2p);$(\'.2q\').0(2u);$(\'.2v\').0(2z);$(\'.2y\').0(2x);$(\'.2w\').0(2o);$(\'.2n\').0(2f);$(\'.2e\').0(2d);$(\'.2b\').0(2c);$(\'.2g\').0(2h);$(\'.2m\').0(2l);$(\'.2k\').0(2i);$(\'.2j\').0(2U)});', 62, 214, 
'html|r1cad|53959|34273|r382f|36681|r16ec|r5f55|44612|r0799|r91df|34560|r4732|60530|59144|8004|r6d76|rfbab|3256|r5288|9991|r27a0|r5349|39371|r1907|34403|38525|3888|8380|rb67c|r82c8|48678|ra4dc|8197|rc1ac|r4403|31475|49602|r58e6|83|2222|r0484|rc90e|1081|1080|r961e|46385|r6572|8118|42119|r1dc7|48146|r11c6|r6c92|rd155|80|rbf49|r1dfd|999|r3872|8081|rf034|r6689|60604|37699|r25ee|3128|8090|r371e|r91de|8080|function|ready|document|r0e8d|38009|55443|rbfa3|8088|rd420|ra882|32231|rba5d|63141|45521|rfc3a|41878|rc6c6|51680|443|r9a25|31932|r1b07|r11b4|60731|808|r281f|r2329|53281|r99d5|59152|rf640|r7ec7|9999|re54b|65205|rf04b|r3629|32439|rab5c|rfec2|32161|rc143|55693|r2e4b|r34a8|33326|53438|r0938|8889|58893|r9bcd|r7f6f|50330|45729|r96d2|45730|r87fc|35953|45381|r183f|37444|r5b53|rbe71|61657|r148b|1993|32916|r0e0a|41621|rd26e|40282|42967|r79d3|re62d|8085|r8b97|rf3b1|54256|33855|r6cbb|r85ac|56315|r63b2|31280|r6b29|r8f7e|45295|r8bce|48241|rc9e2|48687|r411f|3150|60792|r1274|47385|r62f2|56644|45282|rf56a|r6953|47615|r8166|rae36|30716|39589|r0e11|r9760|8686|54675|58888|r22cd|rd8eb|45944|ra76c|47247|42928|r75b5|47744|rd2c9|r1f65|47548|rcb82|30640|rddf2|ra051|48995|ra854|48625|61954|rac92|r1c73|4645|52271|r69ad|54018|rccd3|43631|23500|r34e5|9001|rb9b6|61743'.split('|'), 0, {}

So p is:

'$(1b).1a(19(){$(\'.17\').0(18);$(\'.1c\').0(1d);$(\'.1h\').0(1g);$(\'.1f\').0(1e);$(\'.16\').0(15);$(\'.X\').0(W);$(\'.V\').0(T);$(\'.U\').0(Y);$(\'.Z\').0(14);$(\'.13\').0(12);$(\'.10\').0(11);$(\'.1i\').0(1j);$(\'.1B\').0(1A);$(\'.1z\').0(1x);$(\'.1y\').0(1C);$(\'.1D\').0(1H);$(\'.1G\').0(1F);$(\'.1E\').0(1w);$(\'.1v\').0(1o);$(\'.1n\').0(1m);$(\'.1k\').0(1l);$(\'.1p\').0(1q);$(\'.1u\').0(1t);$(\'.1s\').0(1r);$(\'.S\').0(K);$(\'.j\').0(i);$(\'.h\').0(f);$(\'.g\').0(k);$(\'.l\').0(p);$(\'.o\').0(n);$(\'.m\').0(e);$(\'.c\').0(5);$(\'.4\').0(3);$(\'.1\').0(2);$(\'.6\').0(d);$(\'.7\').0(b);$(\'.a\').0(8);$(\'.9\').0(q);$(\'.R\').0(r);$(\'.J\').0(I);$(\'.G\').0(H);$(\'.L\').0(M);$(\'.Q\').0(P);$(\'.O\').0(N);$(\'.F\').0(E);$(\'.w\').0(v);$(\'.u\').0(s);$(\'.t\').0(x);$(\'.y\').0(D);$(\'.C\').0(B);$(\'.z\').0(A);$(\'.1I\').0(3r);$(\'.1J\').0(2T);$(\'.2S\').0(2Q);$(\'.2R\').0(2V);$(\'.2W\').0(30);$(\'.2Z\').0(2Y);$(\'.2X\').0(2P);$(\'.2O\').0(2G);$(\'.2F\').0(2E);$(\'.2C\').0(2D);$(\'.2H\').0(2I);$(\'.2N\').0(2M);$(\'.2L\').0(2J);$(\'.2K\').0(31);$(\'.32\').0(3k);$(\'.3j\').0(3i);$(\'.3g\').0(3h);$(\'.3l\').0(3m);$(\'.3q\').0(3p);$(\'.3o\').0(3n);$(\'.3f\').0(3e);$(\'.37\').0(36);$(\'.35\').0(33);$(\'.34\').0(38);$(\'.39\').0(3d);$(\'.3c\').0(3b);$(\'.3a\').0(2B);$(\'.2A\').0(22);$(\'.21\').0(20);$(\'.1Y\').0(1Z);$(\'.23\').0(24);$(\'.28\').0(27);$(\'.26\').0(25);$(\'.1X\').0(1W);$(\'.1O\').0(1N);$(\'.1M\').0(1K);$(\'.1L\').0(1P);$(\'.1Q\').0(1V);$(\'.1U\').0(1T);$(\'.1R\').0(1S);$(\'.29\').0(2a);$(\'.2t\').0(2s);$(\'.2r\').0(2p);$(\'.2q\').0(2u);$(\'.2v\').0(2z);$(\'.2y\').0(2x);$(\'.2w\').0(2o);$(\'.2n\').0(2f);$(\'.2e\').0(2d);$(\'.2b\').0(2c);$(\'.2g\').0(2h);$(\'.2m\').0(2l);$(\'.2k\').0(2i);$(\'.2j\').0(2U)});'

a is 62

c is 214,

k is:

'html|r1cad|53959|34273|r382f|36681|r16ec|r5f55|44612|r0799|r91df|34560|r4732|60530|59144|8004|r6d76|rfbab|3256|r5288|9991|r27a0|r5349|39371|r1907|34403|38525|3888|8380|rb67c|r82c8|48678|ra4dc|8197|rc1ac|r4403|31475|49602|r58e6|83|2222|r0484|rc90e|1081|1080|r961e|46385|r6572|8118|42119|r1dc7|48146|r11c6|r6c92|rd155|80|rbf49|r1dfd|999|r3872|8081|rf034|r6689|60604|37699|r25ee|3128|8090|r371e|r91de|8080|function|ready|document|r0e8d|38009|55443|rbfa3|8088|rd420|ra882|32231|rba5d|63141|45521|rfc3a|41878|rc6c6|51680|443|r9a25|31932|r1b07|r11b4|60731|808|r281f|r2329|53281|r99d5|59152|rf640|r7ec7|9999|re54b|65205|rf04b|r3629|32439|rab5c|rfec2|32161|rc143|55693|r2e4b|r34a8|33326|53438|r0938|8889|58893|r9bcd|r7f6f|50330|45729|r96d2|45730|r87fc|35953|45381|r183f|37444|r5b53|rbe71|61657|r148b|1993|32916|r0e0a|41621|rd26e|40282|42967|r79d3|re62d|8085|r8b97|rf3b1|54256|33855|r6cbb|r85ac|56315|r63b2|31280|r6b29|r8f7e|45295|r8bce|48241|rc9e2|48687|r411f|3150|60792|r1274|47385|r62f2|56644|45282|rf56a|r6953|47615|r8166|rae36|30716|39589|r0e11|r9760|8686|54675|58888|r22cd|rd8eb|45944|ra76c|47247|42928|r75b5|47744|rd2c9|r1f65|47548|rcb82|30640|rddf2|ra051|48995|ra854|48625|61954|rac92|r1c73|4645|52271|r69ad|54018|rccd3|43631|23500|r34e5|9001|rb9b6|61743'.split('|')

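e is 0,

d is {}

A side note: when I said earlier that refreshing the page changes the arguments whenever the proxies are updated, I meant these values

OK, carry on. Fill in the missing parameters:

e is still undefined. Looking closely at the code, it calls itself recursively, so define e separately:

The result for 120 is 1W, so I think it maps these numbers to fields

Continue with the code below:

In fact this if always holds, so the code inside always runs. See for yourself:

The while that follows generates values repeatedly and stores them in the d that was passed in, i.e. {}. What d ends up containing we will leave for later. Now look at the next piece of code:

No need to say much: even if you cannot read it, you can guess that the values from the mapping built above are substituted back in, matched with a regular expression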

 

 

OK, let's set a breakpoint and look:

After I clicked refresh I found that the JS file name had changed, so the breakpoint was wasted. It comes down to speed: set the breakpoint and test immediately, hitting it before the site updates:

This time the breakpoint hit. Step through one by one:

On the right there is the Scope panel, where you can watch the values change as you go:

Before long d has been built; it is just a set of field mappings:

At the same time, open another new tab, take the function part out, and name it test:

Then pass in the current values and see:

Result:

"$(document).ready(function(){$('.r807f').html(8080);$('.rb109').html(38009);$('.rd750').html(47464);$('.r8c9f').html(3128);$('.r66cd').html(999);$('.r714b').html(8081);$('.r6998').html(80);$('.r3317').html(37699);$('.r88ff').html(8889);$('.r0e7c').html(35709);$('.r381f').html(44938);$('.r7b20').html(55830);$('.r9210').html(33630);$('.rc328').html(59152);$('.r748f').html(53281);$('.r80a1').html(65205);$('.r0980').html(39553);$('.ra38b').html(40098);$('.r3d23').html(45521);$('.r8954').html(55443);$('.rbb9f').html(60684);$('.ra699').html(3256);$('.r4003').html(8027);$('.re4a5').html(8013);$('.r6a12').html(42648);$('.r208f').html(34403);$('.r663d').html(39371);$('.r77b9').html(59144);$('.ra35a').html(36681);$('.rf763').html(34273);$('.rbb68').html(53959);$('.r49a9').html(55472);$('.rc520').html(52479);$('.rf4dc').html(65238);$('.r6843').html(34560);$('.r16c4').html(44612);$('.r1236').html(38525);$('.r8b75').html(3888);$('.re9c8').html(8118);$('.r55a5').html(1081);$('.rcb1e').html(8888);$('.rd8ca').html(42119);$('.r46a3').html(48146);$('.rce32').html(42134);$('.r6293').html(48678);$('.r17e7').html(51489);$('.r58c3').html(8380);$('.r63c2').html(8197);$('.red22').html(8082);$('.r7c86').html(54621);$('.reb81').html(53879);$('.re6f2').html(55033);$('.rdc1a').html(83);$('.rf90c').html(8181);$('.r4ba9').html(58689);$('.rf248').html(31475);$('.rd097').html(8686);$('.rdf85').html(41258);$('.r21d4').html(61743);$('.r64b3').html(58888);$('.r6214').html(3129);$('.rfb6a').html(37717);$('.raad6').html(31409);$('.redc6').html(30716);$('.rd7d1').html(9999);$('.r7191').html(47385);$('.r9071').html(60792);$('.r76d5').html(8090);$('.r04e3').html(56644);$('.rd4da').html(3150);$('.r0d33').html(47045);$('.r70b3').html(42580);$('.raaec').html(45282);$('.r5275').html(54018);$('.reea3').html(42928);$('.rbee8').html(43631);$('.r5ce3').html(52271);$('.r4a5f').html(9001);$('.r7eed').html(54555);$('.re614').html(23500);$('.rfb5f').html(42033);$('.r4b68').html(47548);$('.r4629').html(47744);$('.r8fef').html(48687);$('.r0f3b').html(49044);$('.rc7b8').html(49086);$('.r0804').html(50330);$('.rec04').html(43947);$('.r4ec6').html(56218);$('.r6789').html(51008);$('.r691e').html(35659);$('.r3dc1').html(37979);$('.rd20a').html(35953);$('.rc192').html(30032);$('.rf209').html(48017);$('.r5eaf').html(32439);$('.rb991').html(44887);$('.r17b7').html(55693);$('.ra22d').html(61124);$('.r5a9d').html(36506);$('.r6f4a').html(3142);$('.r0fea').html(3141);$('.ra083').html(3162);$('.r8e28').html(33855);$('.r25e4').html(33128);$('.r5a26').html(43326);$('.r0a26').html(38554);$('.rcc76').html(46877);$('.rf834').html(44530);$('.rbb88').html(54675)});"

Now for comparison, the arguments passed in at the start were:

'$(1d).1c(1b(){$(\'.19\').0(1a);$(\'.1e\').0(1f);$(\'.1k\').0(1j);$(\'.1i\').0(1g);$(\'.1h\').0(18);$(\'.17\').0(Z);$(\'.Y\').0(X);$(\'.V\').0(W);$(\'.10\').0(11);$(\'.16\').0(15);$(\'.14\').0(12);$(\'.13\').0(1l);$(\'.1m\').0(1F);$(\'.1E\').0(1D);$(\'.1B\').0(1C);$(\'.1G\').0(1H);$(\'.1M\').0(1L);$(\'.1K\').0(1I);$(\'.1J\').0(1A);$(\'.1z\').0(1r);$(\'.1q\').0(1p);$(\'.1n\').0(1o);$(\'.1s\').0(1t);$(\'.1y\').0(1x);$(\'.1w\').0(1u);$(\'.U\').0(1N);$(\'.L\').0(j);$(\'.i\').0(h);$(\'.f\').0(g);$(\'.k\').0(l);$(\'.q\').0(p);$(\'.o\').0(m);$(\'.e\').0(r);$(\'.c\').0(5);$(\'.4\').0(3);$(\'.1\').0(2);$(\'.6\').0(d);$(\'.7\').0(b);$(\'.a\').0(8);$(\'.9\').0(n);$(\'.T\').0(s);$(\'.K\').0(J);$(\'.H\').0(I);$(\'.M\').0(N);$(\'.S\').0(R);$(\'.Q\').0(O);$(\'.P\').0(G);$(\'.F\').0(x);$(\'.w\').0(v);$(\'.t\').0(u);$(\'.y\').0(z);$(\'.E\').0(D);$(\'.C\').0(A);$(\'.B\').0(1v);$(\'.3B\').0(1O);$(\'.30\').0(2Z);$(\'.2X\').0(2Y);$(\'.32\').0(33);$(\'.38\').0(37);$(\'.36\').0(34);$(\'.35\').0(2W);$(\'.2V\').0(2N);$(\'.2M\').0(2L);$(\'.2J\').0(2K);$(\'.2O\').0(2P);$(\'.2U\').0(2T);$(\'.2S\').0(2Q);$(\'.2R\').0(39);$(\'.3a\').0(3t);$(\'.3s\').0(3r);$(\'.3p\').0(3q);$(\'.3u\').0(3v);$(\'.3A\').0(3z);$(\'.3y\').0(3w);$(\'.3x\').0(3o);$(\'.3n\').0(3f);$(\'.3e\').0(3d);$(\'.3b\').0(3c);$(\'.3g\').0(3h);$(\'.3m\').0(3l);$(\'.3k\').0(3i);$(\'.3j\').0(2I);$(\'.2H\').0(27);$(\'.26\').0(25);$(\'.23\').0(24);$(\'.28\').0(29);$(\'.2e\').0(2d);$(\'.2c\').0(2a);$(\'.2b\').0(22);$(\'.21\').0(1T);$(\'.1S\').0(1R);$(\'.1P\').0(1Q);$(\'.1U\').0(1V);$(\'.20\').0(1Z);$(\'.1Y\').0(1W);$(\'.1X\').0(2f);$(\'.2g\').0(2z);$(\'.2y\').0(2x);$(\'.2v\').0(2w);$(\'.2A\').0(2B);$(\'.2G\').0(2F);$(\'.2E\').0(2C);$(\'.2D\').0(2u);$(\'.2t\').0(2l);$(\'.2k\').0(2j);$(\'.2h\').0(2i);$(\'.2m\').0(2n);$(\'.2s\').0(2r);$(\'.2q\').0(2o);$(\'.2p\').0(31)});', 62, 224, 
'html|r16c4|44612|34560|r6843|65238|r1236|r8b75|8118|r55a5|re9c8|3888|rf4dc|38525|rc520|ra35a|36681|59144|r77b9|39371|rf763|34273|55472|1081|r49a9|53959|rbb68|52479|8888|r7c86|54621|8082|red22|8197|reb81|53879|83|rf90c|rdc1a|55033|re6f2|r63c2|8380|r46a3|48146|42119|rd8ca|r663d|rce32|42134|51489|r58c3|r17e7|48678|r6293|rcb1e|r208f|r3317|37699|80|r6998|8081|r88ff|8889|44938|r7b20|r381f|35709|r0e7c|r714b|999|r807f|8080|function|ready|document|rb109|38009|3128|r66cd|r8c9f|47464|rd750|55830|r9210|ra699|3256|60684|rbb9f|55443|r4003|8027|42648|8181|r6a12|8013|re4a5|r8954|45521|r748f|53281|59152|rc328|33630|r80a1|65205|40098|r3d23|ra38b|39553|r0980|34403|58689|r3dc1|37979|35659|r691e|51008|rd20a|35953|48017|r5eaf|rf209|30032|rc192|r6789|56218|r0f3b|49044|48687|r8fef|47744|rc7b8|49086|43947|r4ec6|rec04|50330|r0804|32439|rb991|r5a26|43326|33128|r25e4|33855|r0a26|38554|44530|rbb88|rf834|46877|rcc76|r8e28|3162|ra22d|61124|55693|r17b7|44887|r5a9d|36506|3141|ra083|r0fea|3142|r6f4a|r4629|47548|redc6|30716|31409|raad6|37717|rd7d1|9999|60792|r76d5|r9071|47385|r7191|rfb6a|3129|rd097|8686|31475|rf248|54675|rdf85|41258|58888|r6214|r64b3|61743|r21d4|8090|r04e3|r4a5f|9001|52271|r5ce3|43631|r7eed|54555|42033|r4b68|rfb5f|23500|re614|rbee8|42928|r0d33|47045|3150|rd4da|56644|r70b3|42580|54018|reea3|r5275|45282|raaec|r4ba9'.split('|'), 0, {}

 

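Key point

Comparing the two, apart from some symbols, brackets and quotes, everything else has been replaced to form jQuery statements. Running them through eval then sets each value to the real port number by class name. Neat, right? By the way, this technique is several years old, but plenty of sites still use it.

So the 1d above equals document, 1c equals ready, and 1b is function. Take these for comparison and look for them in the d variable, the one under Scope on the right at the breakpoint:

Sure enough, they match. So that is all there is to the so-called encryption.

Implementing it in code

Now we want to handle this in Python code. How? This is actually the focus and the key part of this article; experienced readers could probably get through everything above in a matter of minutes.

OK, let's run it with execjs: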

import execjs

js = """eval(function(p, a, c, k, e, d) { e = function(c) { return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36)) } ; if (!''.replace(/^/, String)) { while (c--) { d[e(c)] = k[c] || e(c) } k = [function(e) { return d[e] } ]; e = function() { return '\\w+' } ; c = 1 } ;while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b','g'), k[c]) } } return p }('$(1d).1c(1b(){$(\'.19\').0(1a);$(\'.1e\').0(1f);$(\'.1k\').0(1j);$(\'.1i\').0(1g);$(\'.1h\').0(18);$(\'.17\').0(Z);$(\'.Y\').0(X);$(\'.V\').0(W);$(\'.10\').0(11);$(\'.16\').0(15);$(\'.14\').0(12);$(\'.13\').0(1l);$(\'.1m\').0(1F);$(\'.1E\').0(1D);$(\'.1B\').0(1C);$(\'.1G\').0(1H);$(\'.1M\').0(1L);$(\'.1K\').0(1I);$(\'.1J\').0(1A);$(\'.1z\').0(1r);$(\'.1q\').0(1p);$(\'.1n\').0(1o);$(\'.1s\').0(1t);$(\'.1y\').0(1x);$(\'.1w\').0(1u);$(\'.U\').0(1N);$(\'.L\').0(j);$(\'.i\').0(h);$(\'.f\').0(g);$(\'.k\').0(l);$(\'.q\').0(p);$(\'.o\').0(m);$(\'.e\').0(r);$(\'.c\').0(5);$(\'.4\').0(3);$(\'.1\').0(2);$(\'.6\').0(d);$(\'.7\').0(b);$(\'.a\').0(8);$(\'.9\').0(n);$(\'.T\').0(s);$(\'.K\').0(J);$(\'.H\').0(I);$(\'.M\').0(N);$(\'.S\').0(R);$(\'.Q\').0(O);$(\'.P\').0(G);$(\'.F\').0(x);$(\'.w\').0(v);$(\'.t\').0(u);$(\'.y\').0(z);$(\'.E\').0(D);$(\'.C\').0(A);$(\'.B\').0(1v);$(\'.3B\').0(1O);$(\'.30\').0(2Z);$(\'.2X\').0(2Y);$(\'.32\').0(33);$(\'.38\').0(37);$(\'.36\').0(34);$(\'.35\').0(2W);$(\'.2V\').0(2N);$(\'.2M\').0(2L);$(\'.2J\').0(2K);$(\'.2O\').0(2P);$(\'.2U\').0(2T);$(\'.2S\').0(2Q);$(\'.2R\').0(39);$(\'.3a\').0(3t);$(\'.3s\').0(3r);$(\'.3p\').0(3q);$(\'.3u\').0(3v);$(\'.3A\').0(3z);$(\'.3y\').0(3w);$(\'.3x\').0(3o);$(\'.3n\').0(3f);$(\'.3e\').0(3d);$(\'.3b\').0(3c);$(\'.3g\').0(3h);$(\'.3m\').0(3l);$(\'.3k\').0(3i);$(\'.3j\').0(2I);$(\'.2H\').0(27);$(\'.26\').0(25);$(\'.23\').0(24);$(\'.28\').0(29);$(\'.2e\').0(2d);$(\'.2c\').0(2a);$(\'.2b\').0(22);$(\'.21\').0(1T);$(\'.1S\').0(1R);$(\'.1P\').0(1Q);$(\'.1U\').0(1V);$(\'.20\').0(1Z);$(\'.1Y\').0(1W);$(\'.1X\').0(2f);$(\'.2g\').0(2z);$(\'.2y\').0(2x);$(\'.2v\').0(2w);$(\'.2A\').0(2B);$(\'.2G\').0(2F);$(\'.2E\').0(2C);$(\'.2D\').0(2u);$(\'.2t\').0(2l);$(\'.2k\').0(2j);$(\'.2h\').0(2i);$(\'.2m\').0(2n);$(\'.2s\').0(2r);$(\'.2q\').0(2o);$(\'.2p\').0(31)});', 62, 224, 'html|r16c4|44612|34560|r6843|65238|r1236|r8b75|8118|r55a5|re9c8|3888|rf4dc|38525|rc520|ra35a|36681|59144|r77b9|39371|rf763|34273|55472|1081|r49a9|53959|rbb68|52479|8888|r7c86|54621|8082|red22|8197|reb81|53879|83|rf90c|rdc1a|55033|re6f2|r63c2|8380|r46a3|48146|42119|rd8ca|r663d|rce32|42134|51489|r58c3|r17e7|48678|r6293|rcb1e|r208f|r3317|37699|80|r6998|8081|r88ff|8889|44938|r7b20|r381f|35709|r0e7c|r714b|999|r807f|8080|function|ready|document|rb109|38009|3128|r66cd|r8c9f|47464|rd750|55830|r9210|ra699|3256|60684|rbb9f|55443|r4003|8027|42648|8181|r6a12|8013|re4a5|r8954|45521|r748f|53281|59152|rc328|33630|r80a1|65205|40098|r3d23|ra38b|39553|r0980|34403|58689|r3dc1|37979|35659|r691e|51008|rd20a|35953|48017|r5eaf|rf209|30032|rc192|r6789|56218|r0f3b|49044|48687|r8fef|47744|rc7b8|49086|43947|r4ec6|rec04|50330|r0804|32439|rb991|r5a26|43326|33128|r25e4|33855|r0a26|38554|44530|rbb88|rf834|46877|rcc76|r8e28|3162|ra22d|61124|55693|r17b7|44887|r5a9d|36506|3141|ra083|r0fea|3142|r6f4a|r4629|47548|redc6|30716|31409|raad6|37717|rd7d1|9999|60792|r76d5|r9071|47385|r7191|rfb6a|3129|rd097|8686|31475|rf248|54675|rdf85|41258|58888|r6214|r64b3|61743|r21d4|8090|r04e3|r4a5f|9001|52271|r5ce3|43631|r7eed|54555|42033|r4b68|rfb5f|23500|re614|rbee8|42928|r0d33|47045|3150|rd4da|56644|r70b3|42580|54018|reea3|r5275|45282|raaec|r4ba9'.split('|'), 0, {})) """
com = execjs.eval(js)
print(com)

 

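Ran it and, damn, an error:

I am quite sure I did not change the code; it was straight Ctrl+C, Ctrl+V. Fine, what about js2py? Still an error:

What about the Node environment? Node is definitely installed:

Still no luck

So let me tweak it a little: remove the eval and turn it into an immediately invoked function. Still no good:

OK, another change: define it as a function, then call the function with the values passed in: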

import execjs
import js2py

js = """function test(p, a, c, k, e, d) { e = function(c) { return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36)) } ; if (!''.replace(/^/, String)) { while (c--) { d[e(c)] = k[c] || e(c) } k = [function(e) { return d[e] } ]; e = function() { return '\\w+' } ; c = 1 } ;while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b','g'), k[c]) } } return p } """
# import os
# os.environ["EXECJS_RUNTIME"] = "node"
# com = execjs.eval(js)
com = js2py.eval_js(js)
print(com('$(1d).1c(1b(){$(\'.19\').0(1a);$(\'.1e\').0(1f);$(\'.1k\').0(1j);$(\'.1i\').0(1g);$(\'.1h\').0(18);$(\'.17\').0(Z);$(\'.Y\').0(X);$(\'.V\').0(W);$(\'.10\').0(11);$(\'.16\').0(15);$(\'.14\').0(12);$(\'.13\').0(1l);$(\'.1m\').0(1F);$(\'.1E\').0(1D);$(\'.1B\').0(1C);$(\'.1G\').0(1H);$(\'.1M\').0(1L);$(\'.1K\').0(1I);$(\'.1J\').0(1A);$(\'.1z\').0(1r);$(\'.1q\').0(1p);$(\'.1n\').0(1o);$(\'.1s\').0(1t);$(\'.1y\').0(1x);$(\'.1w\').0(1u);$(\'.U\').0(1N);$(\'.L\').0(j);$(\'.i\').0(h);$(\'.f\').0(g);$(\'.k\').0(l);$(\'.q\').0(p);$(\'.o\').0(m);$(\'.e\').0(r);$(\'.c\').0(5);$(\'.4\').0(3);$(\'.1\').0(2);$(\'.6\').0(d);$(\'.7\').0(b);$(\'.a\').0(8);$(\'.9\').0(n);$(\'.T\').0(s);$(\'.K\').0(J);$(\'.H\').0(I);$(\'.M\').0(N);$(\'.S\').0(R);$(\'.Q\').0(O);$(\'.P\').0(G);$(\'.F\').0(x);$(\'.w\').0(v);$(\'.t\').0(u);$(\'.y\').0(z);$(\'.E\').0(D);$(\'.C\').0(A);$(\'.B\').0(1v);$(\'.3B\').0(1O);$(\'.30\').0(2Z);$(\'.2X\').0(2Y);$(\'.32\').0(33);$(\'.38\').0(37);$(\'.36\').0(34);$(\'.35\').0(2W);$(\'.2V\').0(2N);$(\'.2M\').0(2L);$(\'.2J\').0(2K);$(\'.2O\').0(2P);$(\'.2U\').0(2T);$(\'.2S\').0(2Q);$(\'.2R\').0(39);$(\'.3a\').0(3t);$(\'.3s\').0(3r);$(\'.3p\').0(3q);$(\'.3u\').0(3v);$(\'.3A\').0(3z);$(\'.3y\').0(3w);$(\'.3x\').0(3o);$(\'.3n\').0(3f);$(\'.3e\').0(3d);$(\'.3b\').0(3c);$(\'.3g\').0(3h);$(\'.3m\').0(3l);$(\'.3k\').0(3i);$(\'.3j\').0(2I);$(\'.2H\').0(27);$(\'.26\').0(25);$(\'.23\').0(24);$(\'.28\').0(29);$(\'.2e\').0(2d);$(\'.2c\').0(2a);$(\'.2b\').0(22);$(\'.21\').0(1T);$(\'.1S\').0(1R);$(\'.1P\').0(1Q);$(\'.1U\').0(1V);$(\'.20\').0(1Z);$(\'.1Y\').0(1W);$(\'.1X\').0(2f);$(\'.2g\').0(2z);$(\'.2y\').0(2x);$(\'.2v\').0(2w);$(\'.2A\').0(2B);$(\'.2G\').0(2F);$(\'.2E\').0(2C);$(\'.2D\').0(2u);$(\'.2t\').0(2l);$(\'.2k\').0(2j);$(\'.2h\').0(2i);$(\'.2m\').0(2n);$(\'.2s\').0(2r);$(\'.2q\').0(2o);$(\'.2p\').0(31)});', 62, 224,
'html|r16c4|44612|34560|r6843|65238|r1236|r8b75|8118|r55a5|re9c8|3888|rf4dc|38525|rc520|ra35a|36681|59144|r77b9|39371|rf763|34273|55472|1081|r49a9|53959|rbb68|52479|8888|r7c86|54621|8082|red22|8197|reb81|53879|83|rf90c|rdc1a|55033|re6f2|r63c2|8380|r46a3|48146|42119|rd8ca|r663d|rce32|42134|51489|r58c3|r17e7|48678|r6293|rcb1e|r208f|r3317|37699|80|r6998|8081|r88ff|8889|44938|r7b20|r381f|35709|r0e7c|r714b|999|r807f|8080|function|ready|document|rb109|38009|3128|r66cd|r8c9f|47464|rd750|55830|r9210|ra699|3256|60684|rbb9f|55443|r4003|8027|42648|8181|r6a12|8013|re4a5|r8954|45521|r748f|53281|59152|rc328|33630|r80a1|65205|40098|r3d23|ra38b|39553|r0980|34403|58689|r3dc1|37979|35659|r691e|51008|rd20a|35953|48017|r5eaf|rf209|30032|rc192|r6789|56218|r0f3b|49044|48687|r8fef|47744|rc7b8|49086|43947|r4ec6|rec04|50330|r0804|32439|rb991|r5a26|43326|33128|r25e4|33855|r0a26|38554|44530|rbb88|rf834|46877|rcc76|r8e28|3162|ra22d|61124|55693|r17b7|44887|r5a9d|36506|3141|ra083|r0fea|3142|r6f4a|r4629|47548|redc6|30716|31409|raad6|37717|rd7d1|9999|60792|r76d5|r9071|47385|r7191|rfb6a|3129|rd097|8686|31475|rf248|54675|rdf85|41258|58888|r6214|r64b3|61743|r21d4|8090|r04e3|r4a5f|9001|52271|r5ce3|43631|r7eed|54555|42033|r4b68|rfb5f|23500|re614|rbee8|42928|r0d33|47045|3150|rd4da|56644|r70b3|42580|54018|reea3|r5275|45282|raaec|r4ba9'.split('|'), 0, {}))

 

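Wrong result

Execution result:

This result is not right; it is not what we expected. Switching to execjs gives the same:

This is really strange. Judging by the result, put plainly, the replacement did not succeed, as if d had not been built. I added a print inside and found that d is in fact there, so some branch must not be entered properly:

I removed some of the conditions outright and it was still the same:

Finding the cause

I analysed it for a long time and finally found the key point: neither execjs nor js2py recognises the [RegExp] object. Test to verify:

In the browser console it does run normally:

I will skip the intermediate steps of tracking this down, since showing them here would take a lot of space. Change the regular-expression match at the end: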

p = p.replace(new RegExp('\\b' + e(c) + '\\b','g'), k[c])

to:

p = p.replace(/\w+/g, k[c])

 

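The e(c) above, as breakpoint debugging shows, is really just this part:

In other words, e(c) at this point is \\w+, so enough said. After the change, run it and look at the result: success!!!!

Compare with the debugger's result: just looking at the first few, r807f and rb109, it is indeed correct, no problem

Both execjs and js2py work:

Of course, if you understand the logic of this JS, you can also rewrite it in Python and call that instead; I won't show that here

If you insist on asking how I found it: that was blood, sweat and tears. Do you know how long I spent debugging this, line by line, one piece at a time? Never mind. The process is tedious and draining; the result is worth it.

The next step is to request the proxy site and find that JS file; refresh and it changes again

So locate it from the page source, using an XPath sibling-element selector

Then download the source, run the decoding, and substitute the data we need back into the page source. You certainly cannot use the exec and eval functions here. Never mind that other people's code has eval: things like $('.r807f').html(8080) above are jQuery-specific JS syntax. So in Python this is a data-processing job: either regex replacement or simple string operations. I won't show the rest; it is only a matter of time.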
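The Python rewrite mentioned above, combined with the regex-based extraction described in the last step, as an added example that is not code from the original post. It decodes the packed call statically, without handing the script to a JS engine; SAMPLE is a constructed script in the same format, and the function names (parse_packed, unpack, port_map) are this example's own.

```python
import re

_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

# Matches the packed call: }('<p>', <a>, <c>, '<words joined by |>'.split('|')
_PACKED_RE = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,"
    r"\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.S,
)
_PORT_RE = re.compile(r"\$\('\.(\w+)'\)\.html\((\d+)\)")


def encode(c: int, a: int) -> str:
    """Port of the packer's e(c): dictionary index -> base-a token."""
    prefix = "" if c < a else encode(c // a, a)
    c %= a
    return prefix + (chr(c + 29) if c > 35 else _DIGITS[c])


def _js_unescape(s: str) -> str:
    # Handles only the two escapes this format uses inside '...': \' and \\
    return re.sub(r"\\(['\\])", r"\1", s)


def parse_packed(js: str):
    """Extract (p, a, c, k) from the script text without executing it."""
    m = _PACKED_RE.search(js)
    if m is None:
        raise ValueError("no packed call found")
    p, a, c, k = m.groups()
    return _js_unescape(p), int(a), int(c), _js_unescape(k).split("|")


def unpack(p: str, a: int, c: int, k: list) -> str:
    """Rebuild the d lookup table, then map every word token in p through it."""
    table = {}
    for i in range(c):
        token = encode(i, a)
        word = k[i] if i < len(k) else ""
        table[token] = word or token  # same rule as d[e(c)] = k[c] || e(c)
    # Tokens missing from the table are left unchanged.
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)),
                  p, flags=re.ASCII)


def port_map(unpacked: str) -> dict:
    """Read class -> port pairs from the $('.cls').html(port) statements."""
    return {cls: int(port) for cls, port in _PORT_RE.findall(unpacked)}


# Constructed sample (not the site's script). It is a raw string so that the
# \' escapes reach the parser exactly as they appear in the JS source.
SAMPLE = r"""eval(function(p,a,c,k,e,d){/* decoder body omitted */return p}('$(3).2(1(){$(\'.4\').0(5);$(\'.6\').0(7)});',62,8,'html|function|ready|document|rf034|3128|r807f|8080'.split('|'),0,{}))"""

if __name__ == "__main__":
    code = unpack(*parse_packed(SAMPLE))
    print(code)
    print(port_map(code))
```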

 

 

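Conclusion

Once it is solved it seems simple; before that it always feels hard and frustrating. Who knew that execjs and js2py cannot handle regex objects? Based on this, when similar object-based operations come up in future, you can swap them out.

By the way, if the JS code itself has been encrypted, that is just one more step: decrypt the code first, then analyse it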
