JS 逆向 | 源码乱码、参数动态加密

关键词

JS 混淆、源码乱码、参数动态加密

逆向目标

题目1:抓取所有(5页)机票的价格,并计算所有机票价格的平均值,填入答案。

逆向过程

解决无限debug

打开 F12 刷新页面,傻眼了。页面无法继续下翻...

陷入了无限debug!!

解决Never pause here 不在此处下断

debugger位置,点击行号,右键Never pause here,永远不在此处断下,然后重新刷新就可以过这第一个小坑。

抓包分析

接着我们需要找到目标url

上下翻页,我们很快能够找到具体数据响应的接口。

请求详情:

响应:

参数page无需多言,关键是有个不知道哪里冒出来的参数m

curl命令转换为PythonJavaScript等: curlconverter.com/

此时,如果我们构造requests请求,并不带上m查询参数,执行会发现响应结果为:

shell 复制代码
{'error': 'token failed'}

接下来就是要分析下这个m是怎么带上的?

调用堆栈

很容易猜想后半部分大概率是一个时间戳,前半部分是被加密的字符串,中间用中文的|连接。

由于params参数是封装到请求体中发到服务器的,所以,参数m的生成必然是在请求前,因此可以直接来到请求时的这个栈中进行查看调试。

在点进去显示的那一行打断点刷新调试一下,会发现在_0xb89747已经是加密完成的参数,肯定加密过程是在这之前完成的。

所以往回找,先根据_0xb89747看看是从哪里来的,发现是:

js 复制代码
var _0xb89747 = _0x5d83a3;

同理再往回找_0x5d83a3从哪里来,发现_0x5d83a3是定义的对象,然后往里面塞了什么东西进去组成的:

js 复制代码
const _0x5d83a3 = {};
_0x5d83a3['\x70\x61\x67\x65'] = window['\x70\x61\x67\x65'],
_0x5d83a3['\x6d'] = _0x57feae + '\u4e28' + _0x2268f9 / (-1 * 3483 + -9059 + 13542);

根据_0xb89747{"page": 4, "m": "8d596e76013033e75c3e23015c553c55丨1715257368"}能够得出参数里面m的组成:

  • _0x57feae就是前半部分被加密完成的东西。
  • _0x2268f9就是后半部分。

是不是真相快被找到了,再往回找这两个是哪里来的:

js 复制代码
var _0x2268f9 = Date['\x70\x61\x72\x73\x65'](new Date()) + (16798545 + -72936737 + 156138192)
, _0x57feae = oo0O0(_0x2268f9['\x74\x6f\x53\x74\x72' + '\x69\x6e\x67']()) + window['\x66'];

在线网站解混淆

通过堆栈跟踪,我们已经找到m参数加密入口,但是代码是混淆的,看起来并不那么清晰。

找在线网站,稍微解一下混淆: https://deobfuscator.kuizuo.cn/

js 复制代码
function a() {
  var _0x2268f9 = Date.parse(new Date()) + 100000000;
  var _0x57feae = oo0O0(_0x2268f9.toString()) + window.f;
  const _0x5d83a3 = {
    page: window.page,
    m: _0x57feae + "丨" + _0x2268f9 / 1000
  };
  var _0xb89747 = _0x5d83a3;
  $.ajax({
    url: window.url,
    dataType: "json",
    async: false,
    data: _0xb89747,
    type: "GET",
    beforeSend: function (_0x4c488e) {},
    success: function (_0x131e59) {
      _0x131e59 = _0x131e59.data;
      let _0x354583 = "";
      let _0x1b89ba = "<div class=\"b-airfly\"><div class=\"e-airfly\"data-reactid=\".1.3.3.2.0.$KN5911.0\"><div class=\"col-trip\"data-reactid=\".1.3.3.2.0.$KN5911.0.0\"><div class=\"s-trip\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0\"><div class=\"col-airline\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.0\"><div class=\"d-air\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.0.0:$0\"><div class=\"air\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.0.0:$0.0\"><span data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.0.0:$0.0.1\">中国联合航空</span></div><div class=\"num\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.0.0:$0.1\"><span class=\"n\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.0.0:$0.1.0\">KN5911</span><span class=\"n\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.0.0:$0.1.1\">波音737(中)</span><noscript data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.0.0:$0.1.2\"></noscript></div></div><noscript data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.0.1\"></noscript></div><div class=\"col-time\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1\"><div class=\"sep-lf\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1.0\"><h2 data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1.0.0\">13:50</h2><p class=\"airport\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1.0.1\"><span data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1.0.1.0\">大兴国际机场</span><span data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1.0.1.1\"></span></p></div><div class=\"sep-ct\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1.1\"><div class=\"range\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1.1.0\">3小时40分钟</div><div class=\"line\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1.1.1\"></div></div><div class=\"sep-rt\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1.2\"><noscript data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1.2.0\"></noscript><h2 data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1.2.1\">17:30</h2><p class=\"airport\"data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1.2.2\"><span data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1.2.2.0\">宝安机场</span></p></div><noscript data-reactid=\".1.3.3.2.0.$KN5911.0.0.0.1.3\"></noscript></div></div></div><div class=\"col-price\"data-reactid=\".1.3.3.2.0.$KN5911.0.1\"><p class=\"prc\"data-reactid=\".1.3.3.2.0.$KN5911.0.1.0\"><span data-reactid=\".1.3.3.2.0.$KN5911.0.1.0.0\"><i class=\"rmb\"data-reactid=\".1.3.3.2.0.$KN5911.0.1.0.0.0\">&yen;</i><span class=\"fix_price\"data-reactid=\".1.3.3.2.0.$KN5911.0.1.0.0.1\"><span class=\"prc_wp\"style=\"width:48px\">price_sole</span></span></span></p><div class=\"vim\"data-reactid=\".1.3.3.2.0.$KN5911.0.1.1\"><span class=\"v dis\"data-reactid=\".1.3.3.2.0.$KN5911.0.1.1.$0\"></span></div></div><div class=\"col-fold\"data-reactid=\".1.3.3.2.0.$KN5911.0.2\"><p class=\"fd\"data-reactid=\".1.3.3.2.0.$KN5911.0.2.0\">收起</p></div></div><noscript data-reactid=\".1.3.3.2.0.$KN5911.1\"></noscript></div>";
      let _0x548377 = ["中国南方航空", "吉祥航空", "奥凯航空", "九元航空", "长龙航空", "东方航空", "中国国际航空", "深圳航空", "海南航空", "春秋航空", "上海航空", "西部航空", "重庆航空", "西藏航空", "中国联合航空", "云南祥鹏航空", "云南英安航空", "厦门航空", "天津航空", "山东航空", "四川航空", "华夏航空", "长城航空", "成都航空有", "北京首都航空", "中华航空", "意大利国家航空公司", "印度百捷航空", "越南航空", "远东航空", "印度航空公司", "印度捷特航空有限公司", "以色列航空公司", "意大利航空", "伊朗航空公司", "印度尼西亚鹰航空公司", "英国航空公司", "西方天空航空", "西捷航空", "西班牙欧洲航空公司", "西班牙航空公司", "中国南方航空", "吉祥航空", "奥凯航空", "九元航空", "长龙航空", "东方航空", "中国国际航空", "深圳航空", "海南航空", "春秋航空", "上海航空", "西部航空", "重庆航空", "西藏航空", "中国联合航空", "云南祥鹏航空", "云南英安航空", "厦门航空", "天津航空", "山东航空", "四川航空", "华夏航空", "长城航空", "成都航空有", "北京首都航空", "中华航空", "意大利国家航空公司", "印度百捷航空", "越南航空", "远东航空", "印度航空公司", "印度捷特航空有限公司", "以色列航空公司", "意大利航空", "伊朗航空公司", "印度尼西亚鹰航空公司", "英国航空公司", "西方天空航空", "西捷航空", "西班牙欧洲航空公司", "西班牙航空公司"];
      let _0x5286d2 = 1;
      let _0xa24ff9 = ["北京首都国际机场", "上海虹桥国际机场", "上海浦东国际机场", "天津滨海国际机场", "太原武宿机场", "呼和浩特白塔机场", "沈阳桃仙国际机场", "大连周水子国际机场", "长春大房身机场", "哈尔滨阎家岗国际机场", "齐齐哈尔三家子机场", "佳木斯东郊机场", "厦门高崎国际机场", "福州长乐国际机场", "杭州萧山国际机场", "合肥骆岗机场", "宁波栎社机场", "南京禄口国际机场", "广州白云国际机场", "深圳宝安国际机场", "长沙黄花机场", "海口美亚机场", "武汉天河机场", "济南遥墙机场", "青岛流亭机场", "南宁吴墟机场", "三亚凤凰国际机场", "重庆江北国际机场", "成都双流国际机场", "昆明巫家坝国际机场", "昆明长水国际机场", "桂林两江国际机场", "西安咸阳国际机场", "兰州中川机场", "贵阳龙洞堡机场", "拉萨贡嘎机场", "乌鲁木齐地窝堡机场", "南昌向塘机场", "郑州新郑机场", "北京首都国际机场", "上海虹桥国际机场", "上海浦东国际机场", "天津滨海国际机场", "太原武宿机场", "呼和浩特白塔机场", "沈阳桃仙国际机场", "大连周水子国际机场", "长春大房身机场", "哈尔滨阎家岗国际机场", "齐齐哈尔三家子机场", "佳木斯东郊机场", "厦门高崎国际机场", "福州长乐国际机场", "杭州萧山国际机场", "合肥骆岗机场", "宁波栎社机场", "南京禄口国际机场", "广州白云国际机场", "深圳宝安国际机场", "长沙黄花机场", "海口美亚机场", "武汉天河机场", "济南遥墙机场", "青岛流亭机场", "南宁吴墟机场", "三亚凤凰国际机场", "重庆江北国际机场", "成都双流国际机场", "昆明巫家坝国际机场", "昆明长水国际机场", "桂林两江国际机场", "西安咸阳国际机场", "兰州中川机场", "贵阳龙洞堡机场", "拉萨贡嘎机场", "乌鲁木齐地窝堡机场", "南昌向塘机场", "郑州新郑机场"];
      if (window.page) {} else {
        window.page = 1;
      }
      $.each(_0x131e59, function (_0x282f1d, _0x4e0853) {
        _0x354583 += _0x1b89ba.replace("price_sole", _0x4e0853.value).replace("中国联合航空", _0x548377[_0x5286d2 * window.page]).replace("大兴国际", _0xa24ff9[parseInt(_0x5286d2 * window.page / 2) + 1]).replace("宝安机场", _0xa24ff9[_0xa24ff9.length - parseInt(_0x5286d2 * window.page / 2) - 1]);
        _0x5286d2 += 1;
      });
      $(".m-airfly-lst").text("").append(_0x354583);
    },
    complete: function () {},
    error: function () {
      alert("数据拉取失败。可能是触发了风控系统,若您是正常访问,请使用谷歌浏览器无痕模式,并且校准电脑的系统时间重新尝试");
      alert("生而为虫,我很抱歉,请刷新页面,查看问题是否存在");
      $(".page-message").eq(0).addClass("active");
      $(".page-message").removeClass("active");
    }
  });
}

通过解混淆后的 JS 代码也是进一步验证了我们跟踪堆栈的正确性。

我们可以看到m字符串是通过oo0O0()函数 + window.f + '|' + 时间处理构成的,接下来我们来找oo0O0()这个函数。

跟栈找到oo0O0()函数的定义:

抠出function oo0O0(mw)函数,使用在线 HTML 美化工具美化。

HTML 美化代码工具分析: beautifier.io/

js 复制代码
function oo0O0(mw)
{
    window.b = '';
    for (var i = 0, len = window.a.length; i < len; i++)
    {
        console.log(window.a[i]);
        window.b += String[document.e + document.g](window.a[i][document.f +
            document.h
        ]() - i - window.c)
    }
    var U = ['W5r5W6VdIHZcT8kU', 'WQ8CWRaxWQirAW=='];
    var J = function (o, E)
    {
        o = o - 0x0;
        var N = U[o];
        if (J['bSSGte'] === undefined)
        {
            var Y = function (w)
            {
                var m =
                    'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=',
                    T = String(w)['replace'](/=+$/, '');
                var A = '';
                for (var C = 0x0, b, W, l = 0x0; W = T['charAt'](l++); ~
                    W && (b = C % 0x4 ? b * 0x40 + W : W, C++ % 0x4) ?
                    A += String['fromCharCode'](0xff & b >> (-0x2 * C &
                        0x6)) : 0x0)
                {
                    W = m['indexOf'](W)
                }
                return A
            };
            var t = function (w, m)
            {
                var T = [],
                    A = 0x0,
                    C, b = '',
                    W = '';
                w = Y(w);
                for (var R = 0x0, v = w['length']; R < v; R++)
                {
                    W += '%' + ('00' + w['charCodeAt'](R)['toString'](
                        0x10))['slice'](-0x2)
                }
                w = decodeURIComponent(W);
                var l;
                for (l = 0x0; l < 0x100; l++)
                {
                    T[l] = l
                }
                for (l = 0x0; l < 0x100; l++)
                {
                    A = (A + T[l] + m['charCodeAt'](l % m['length'])) %
                        0x100, C = T[l], T[l] = T[A], T[A] = C
                }
                l = 0x0, A = 0x0;
                for (var L = 0x0; L < w['length']; L++)
                {
                    l = (l + 0x1) % 0x100, A = (A + T[l]) % 0x100, C =
                        T[l], T[l] = T[A], T[A] = C, b += String[
                            'fromCharCode'](w['charCodeAt'](L) ^ T[(T[
                            l] + T[A]) % 0x100])
                }
                return b
            };
            J['luAabU'] = t, J['qlVPZg'] = {}, J['bSSGte'] = !![]
        }
        var H = J['qlVPZg'][o];
        return H === undefined ? (J['TUDBIJ'] === undefined && (J[
                'TUDBIJ'] = !![]), N = J['luAabU'](N, E), J['qlVPZg'][
            o] = N) : N = H, N
    };
    eval(atob(window['b'])[J('0x0', ']dQW')](J('0x1', 'GTu!'), '\x27' + mw +
        '\x27'));
    return ''
}

这里我们会发现,oo0O0()这个函数只是执行了eval,而函数本身返回空值""

优秀啊,年轻人真是会玩!


接下来分析这条代码:

shell 复制代码
> atob(window['b'])
> 'var hexcase=0;var b64pad="";var chrsz=16;function hex_md5(a){return binl2hex(core_md5(str2binl(a),a.length*chrsz))}function b64_md5(a){return binl2b64(core_md5(str2binl(a),a.length*chrsz))}function str_md5(a){return binl2str(core_md5(str2binl(a),a.length*chrsz))}function hex_hmac_md5(a,b){return binl2hex(core_hmac_md5(a,b))}function b64_hmac_md5(a,b){return binl2b64(core_hmac_md5(a,b))}function str_hmac_md5(a,b){return binl2str(core_hmac_md5(a,b))}function md5_vm_test(){return hex_md5("abc")=="900150983cd24fb0d6963f7d28e17f72"}function core_md5(p,k){p[k>>5]|=128<<((k)%32);p[(((k+64)>>>9)<<4)+14]=k;var o=1732584193;var n=-271733879;var m=-1732584194;var l=271733878;for(var g=0;g<p.length;g+=16){var j=o;var h=n;var f=m;var e=l;o=md5_ff(o,n,m,l,p[g+0],7,-680976936);l=md5_ff(l,o,n,m,p[g+1],12,-389564586);m=md5_ff(m,l,o,n,p[g+2],17,606105819);n=md5_ff(n,m,l,o,p[g+3],22,-1044525330);o=md5_ff(o,n,m,l,p[g+4],7,-176418897);l=md5_ff(l,o,n,m,p[g+5],12,1200080426);m=md5_ff(m,l,o,n,p[g+6],17,-1473231341);n=md5_ff(n,m,l,o,p[g+7],22,-45705983);o=md5_ff(o,n,m,l,p[g+8],7,1770035416);l=md5_ff(l,o,n,m,p[g+9],12,-1958414417);m=md5_ff(m,l,o,n,p[g+10],17,-42063);n=md5_ff(n,m,l,o,p[g+11],22,-1990404162);o=md5_ff(o,n,m,l,p[g+12],7,1804660682);l=md5_ff(l,o,n,m,p[g+13],12,-40341101);m=md5_ff(m,l,o,n,p[g+14],17,-1502002290);n=md5_ff(n,m,l,o,p[g+15],22,1236535329);o=md5_gg(o,n,m,l,p[g+1],5,-165796510);l=md5_gg(l,o,n,m,p[g+6],9,-1069501632);m=md5_gg(m,l,o,n,p[g+11],14,643717713);n=md5_gg(n,m,l,o,p[g+0],20,-373897302);o=md5_gg(o,n,m,l,p[g+5],5,-701558691);l=md5_gg(l,o,n,m,p[g+10],9,38016083);m=md5_gg(m,l,o,n,p[g+15],14,-660478335);n=md5_gg(n,m,l,o,p[g+4],20,-405537848);o=md5_gg(o,n,m,l,p[g+9],5,568446438);l=md5_gg(l,o,n,m,p[g+14],9,-1019803690);m=md5_gg(m,l,o,n,p[g+3],14,-187363961);n=md5_gg(n,m,l,o,p[g+8],20,1163531501);o=md5_gg(o,n,m,l,p[g+13],5,-1444681467);l=md5_gg(l,o,n,m,p[g+2],9,-51403784);m=md5_gg(m,l,o,n,p[g+7],14,1735328473);n=md5_gg(n,m,l,o,p[g+12],20,-1921207734);o=md5_hh(o,n,m,l,p[g+5],4,-378558);l=md5_hh(l,o,n,m,p[g+8],11,-2022574463);m=md5_hh(m,l,o,n,p[g+11],16,1839030562);n=md5_hh(n,m,l,o,p[g+14],23,-35309556);o=md5_hh(o,n,m,l,p[g+1],4,-1530992060);l=md5_hh(l,o,n,m,p[g+4],11,1272893353);m=md5_hh(m,l,o,n,p[g+7],16,-155497632);n=md5_hh(n,m,l,o,p[g+10],23,-1094730640);o=md5_hh(o,n,m,l,p[g+13],4,681279174);l=md5_hh(l,o,n,m,p[g+0],11,-358537222);m=md5_hh(m,l,o,n,p[g+3],16,-722881979);n=md5_hh(n,m,l,o,p[g+6],23,76029189);o=md5_hh(o,n,m,l,p[g+9],4,-640364487);l=md5_hh(l,o,n,m,p[g+12],11,-421815835);m=md5_hh(m,l,o,n,p[g+15],16,530742520);n=md5_hh(n,m,l,o,p[g+2],23,-995338651);o=md5_ii(o,n,m,l,p[g+0],6,-198630844);l=md5_ii(l,o,n,m,p[g+7],10,11261161415);m=md5_ii(m,l,o,n,p[g+14],15,-1416354905);n=md5_ii(n,m,l,o,p[g+5],21,-57434055);o=md5_ii(o,n,m,l,p[g+12],6,1700485571);l=md5_ii(l,o,n,m,p[g+3],10,-1894446606);m=md5_ii(m,l,o,n,p[g+10],15,-1051523);n=md5_ii(n,m,l,o,p[g+1],21,-2054922799);o=md5_ii(o,n,m,l,p[g+8],6,1873313359);l=md5_ii(l,o,n,m,p[g+15],10,-30611744);m=md5_ii(m,l,o,n,p[g+6],15,-1560198380);n=md5_ii(n,m,l,o,p[g+13],21,1309151649);o=md5_ii(o,n,m,l,p[g+4],6,-145523070);l=md5_ii(l,o,n,m,p[g+11],10,-1120210379);m=md5_ii(m,l,o,n,p[g+2],15,718787259);n=md5_ii(n,m,l,o,p[g+9],21,-343485551);o=safe_add(o,j);n=safe_add(n,h);m=safe_add(m,f);l=safe_add(l,e)}return Array(o,n,m,l)}function md5_cmn(h,e,d,c,g,f){return safe_add(bit_rol(safe_add(safe_add(e,h),safe_add(c,f)),g),d)}function md5_ff(g,f,k,j,e,i,h){return md5_cmn((f&k)|((~f)&j),g,f,e,i,h)}function md5_gg(g,f,k,j,e,i,h){return md5_cmn((f&j)|(k&(~j)),g,f,e,i,h)}function md5_hh(g,f,k,j,e,i,h){return md5_cmn(f^k^j,g,f,e,i,h)}function md5_ii(g,f,k,j,e,i,h){return md5_cmn(k^(f|(~j)),g,f,e,i,h)}function core_hmac_md5(c,f){var e=str2binl(c);if(e.length>16){e=core_md5(e,c.length*chrsz)}var a=Array(16),d=Array(16);for(var b=0;b<16;b++){a[b]=e[b]^909522486;d[b]=e[b]^1549556828}var g=core_md5(a.concat(str2binl(f)),512+f.length*chrsz);return core_md5(d.concat(g),512+128)}function safe_add(a,d){var c=(a&65535)+(d&65535);var b=(a>>16)+(d>>16)+(c>>16);return(b<<16)|(c&65535)}function bit_rol(a,b){return(a<<b)|(a>>>(32-b))}function str2binl(d){var c=Array();var a=(1<<chrsz)-1;for(var b=0;b<d.length*chrsz;b+=chrsz){c[b>>5]|=(d.charCodeAt(b/chrsz)&a)<<(b%32)}return c}function binl2str(c){var d="";var a=(1<<chrsz)-1;for(var b=0;b<c.length*32;b+=chrsz){d+=String.fromCharCode((c[b>>5]>>>(b%32))&a)}return d}function binl2hex(c){var b=hexcase?"0123456789ABCDEF":"0123456789abcdef";var d="";for(var a=0;a<c.length*4;a++){d+=b.charAt((c[a>>2]>>((a%4)*8+4))&15)+b.charAt((c[a>>2]>>((a%4)*8))&15)}return d}function binl2b64(d){var c="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";var f="";for(var b=0;b<d.length*4;b+=3){var e=(((d[b>>2]>>8*(b%4))&255)<<16)|(((d[b+1>>2]>>8*((b+1)%4))&255)<<8)|((d[b+2>>2]>>8*((b+2)%4))&255);for(var a=0;a<4;a++){if(b*8+a*6>d.length*32){f+=b64pad}else{f+=c.charAt((e>>6*(3-a))&63)}}}return f};window.f = hex_md5(mwqqppz)'

atob()函数是JavaScript中的一个内置函数,用于将base64编码的字符串解码为原始字符串。

使用美化工具(**beautifier.io/**)美化得到下面可读...%25E7%25BE%258E%25E5%258C%2596%25E5%25BE%2597%25E5%2588%25B0%25E4%25B8%258B%25E9%259D%25A2%25E5%258F%25AF%25E8%25AF%25BB%25E7%259A%2584%2560JavaScript%2560%25E4%25BB%25A3%25E7%25A0%2581%25EF%25BC%259A "https://beautifier.io/**)%E7%BE%8E%E5%8C%96%E5%BE%97%E5%88%B0%E4%B8%8B%E9%9D%A2%E5%8F%AF%E8%AF%BB%E7%9A%84%60JavaScript%60%E4%BB%A3%E7%A0%81%EF%BC%9A")

js 复制代码
var hexcase = 0;
var b64pad = "";
var chrsz = 16;

function hex_md5(a)
{
    return binl2hex(core_md5(str2binl(a), a.length * chrsz))
}

function b64_md5(a)
{
    return binl2b64(core_md5(str2binl(a), a.length * chrsz))
}

function str_md5(a)
{
    return binl2str(core_md5(str2binl(a), a.length * chrsz))
}

function hex_hmac_md5(a, b)
{
    return binl2hex(core_hmac_md5(a, b))
}

function b64_hmac_md5(a, b)
{
    return binl2b64(core_hmac_md5(a, b))
}

function str_hmac_md5(a, b)
{
    return binl2str(core_hmac_md5(a, b))
}

function md5_vm_test()
{
    return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72"
}

function core_md5(p, k)
{
    p[k >> 5] |= 128 << ((k) % 32);
    p[(((k + 64) >>> 9) << 4) + 14] = k;
    var o = 1732584193;
    var n = -271733879;
    var m = -1732584194;
    var l = 271733878;
    for (var g = 0; g < p.length; g += 16)
    {
        var j = o;
        var h = n;
        var f = m;
        var e = l;
        o = md5_ff(o, n, m, l, p[g + 0], 7, -680976936);
        l = md5_ff(l, o, n, m, p[g + 1], 12, -389564586);
        m = md5_ff(m, l, o, n, p[g + 2], 17, 606105819);
        n = md5_ff(n, m, l, o, p[g + 3], 22, -1044525330);
        o = md5_ff(o, n, m, l, p[g + 4], 7, -176418897);
        l = md5_ff(l, o, n, m, p[g + 5], 12, 1200080426);
        m = md5_ff(m, l, o, n, p[g + 6], 17, -1473231341);
        n = md5_ff(n, m, l, o, p[g + 7], 22, -45705983);
        o = md5_ff(o, n, m, l, p[g + 8], 7, 1770035416);
        l = md5_ff(l, o, n, m, p[g + 9], 12, -1958414417);
        m = md5_ff(m, l, o, n, p[g + 10], 17, -42063);
        n = md5_ff(n, m, l, o, p[g + 11], 22, -1990404162);
        o = md5_ff(o, n, m, l, p[g + 12], 7, 1804660682);
        l = md5_ff(l, o, n, m, p[g + 13], 12, -40341101);
        m = md5_ff(m, l, o, n, p[g + 14], 17, -1502002290);
        n = md5_ff(n, m, l, o, p[g + 15], 22, 1236535329);
        o = md5_gg(o, n, m, l, p[g + 1], 5, -165796510);
        l = md5_gg(l, o, n, m, p[g + 6], 9, -1069501632);
        m = md5_gg(m, l, o, n, p[g + 11], 14, 643717713);
        n = md5_gg(n, m, l, o, p[g + 0], 20, -373897302);
        o = md5_gg(o, n, m, l, p[g + 5], 5, -701558691);
        l = md5_gg(l, o, n, m, p[g + 10], 9, 38016083);
        m = md5_gg(m, l, o, n, p[g + 15], 14, -660478335);
        n = md5_gg(n, m, l, o, p[g + 4], 20, -405537848);
        o = md5_gg(o, n, m, l, p[g + 9], 5, 568446438);
        l = md5_gg(l, o, n, m, p[g + 14], 9, -1019803690);
        m = md5_gg(m, l, o, n, p[g + 3], 14, -187363961);
        n = md5_gg(n, m, l, o, p[g + 8], 20, 1163531501);
        o = md5_gg(o, n, m, l, p[g + 13], 5, -1444681467);
        l = md5_gg(l, o, n, m, p[g + 2], 9, -51403784);
        m = md5_gg(m, l, o, n, p[g + 7], 14, 1735328473);
        n = md5_gg(n, m, l, o, p[g + 12], 20, -1921207734);
        o = md5_hh(o, n, m, l, p[g + 5], 4, -378558);
        l = md5_hh(l, o, n, m, p[g + 8], 11, -2022574463);
        m = md5_hh(m, l, o, n, p[g + 11], 16, 1839030562);
        n = md5_hh(n, m, l, o, p[g + 14], 23, -35309556);
        o = md5_hh(o, n, m, l, p[g + 1], 4, -1530992060);
        l = md5_hh(l, o, n, m, p[g + 4], 11, 1272893353);
        m = md5_hh(m, l, o, n, p[g + 7], 16, -155497632);
        n = md5_hh(n, m, l, o, p[g + 10], 23, -1094730640);
        o = md5_hh(o, n, m, l, p[g + 13], 4, 681279174);
        l = md5_hh(l, o, n, m, p[g + 0], 11, -358537222);
        m = md5_hh(m, l, o, n, p[g + 3], 16, -722881979);
        n = md5_hh(n, m, l, o, p[g + 6], 23, 76029189);
        o = md5_hh(o, n, m, l, p[g + 9], 4, -640364487);
        l = md5_hh(l, o, n, m, p[g + 12], 11, -421815835);
        m = md5_hh(m, l, o, n, p[g + 15], 16, 530742520);
        n = md5_hh(n, m, l, o, p[g + 2], 23, -995338651);
        o = md5_ii(o, n, m, l, p[g + 0], 6, -198630844);
        l = md5_ii(l, o, n, m, p[g + 7], 10, 11261161415);
        m = md5_ii(m, l, o, n, p[g + 14], 15, -1416354905);
        n = md5_ii(n, m, l, o, p[g + 5], 21, -57434055);
        o = md5_ii(o, n, m, l, p[g + 12], 6, 1700485571);
        l = md5_ii(l, o, n, m, p[g + 3], 10, -1894446606);
        m = md5_ii(m, l, o, n, p[g + 10], 15, -1051523);
        n = md5_ii(n, m, l, o, p[g + 1], 21, -2054922799);
        o = md5_ii(o, n, m, l, p[g + 8], 6, 1873313359);
        l = md5_ii(l, o, n, m, p[g + 15], 10, -30611744);
        m = md5_ii(m, l, o, n, p[g + 6], 15, -1560198380);
        n = md5_ii(n, m, l, o, p[g + 13], 21, 1309151649);
        o = md5_ii(o, n, m, l, p[g + 4], 6, -145523070);
        l = md5_ii(l, o, n, m, p[g + 11], 10, -1120210379);
        m = md5_ii(m, l, o, n, p[g + 2], 15, 718787259);
        n = md5_ii(n, m, l, o, p[g + 9], 21, -343485551);
        o = safe_add(o, j);
        n = safe_add(n, h);
        m = safe_add(m, f);
        l = safe_add(l, e)
    }
    return Array(o, n, m, l)
}

function md5_cmn(h, e, d, c, g, f)
{
    return safe_add(bit_rol(safe_add(safe_add(e, h), safe_add(c, f)), g), d)
}

function md5_ff(g, f, k, j, e, i, h)
{
    return md5_cmn((f & k) | ((~f) & j), g, f, e, i, h)
}

function md5_gg(g, f, k, j, e, i, h)
{
    return md5_cmn((f & j) | (k & (~j)), g, f, e, i, h)
}

function md5_hh(g, f, k, j, e, i, h)
{
    return md5_cmn(f ^ k ^ j, g, f, e, i, h)
}

function md5_ii(g, f, k, j, e, i, h)
{
    return md5_cmn(k ^ (f | (~j)), g, f, e, i, h)
}

function core_hmac_md5(c, f)
{
    var e = str2binl(c);
    if (e.length > 16)
    {
        e = core_md5(e, c.length * chrsz)
    }
    var a = Array(16),
        d = Array(16);
    for (var b = 0; b < 16; b++)
    {
        a[b] = e[b] ^ 909522486;
        d[b] = e[b] ^ 1549556828
    }
    var g = core_md5(a.concat(str2binl(f)), 512 + f.length * chrsz);
    return core_md5(d.concat(g), 512 + 128)
}

function safe_add(a, d)
{
    var c = (a & 65535) + (d & 65535);
    var b = (a >> 16) + (d >> 16) + (c >> 16);
    return (b << 16) | (c & 65535)
}

function bit_rol(a, b)
{
    return (a << b) | (a >>> (32 - b))
}

function str2binl(d)
{
    var c = Array();
    var a = (1 << chrsz) - 1;
    for (var b = 0; b < d.length * chrsz; b += chrsz)
    {
        c[b >> 5] |= (d.charCodeAt(b / chrsz) & a) << (b % 32)
    }
    return c
}

function binl2str(c)
{
    var d = "";
    var a = (1 << chrsz) - 1;
    for (var b = 0; b < c.length * 32; b += chrsz)
    {
        d += String.fromCharCode((c[b >> 5] >>> (b % 32)) & a)
    }
    return d
}

function binl2hex(c)
{
    var b = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
    var d = "";
    for (var a = 0; a < c.length * 4; a++)
    {
        d += b.charAt((c[a >> 2] >> ((a % 4) * 8 + 4)) & 15) + b.charAt((c[a >>
            2] >> ((a % 4) * 8)) & 15)
    }
    return d
}

function binl2b64(d)
{
    var c = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    var f = "";
    for (var b = 0; b < d.length * 4; b += 3)
    {
        var e = (((d[b >> 2] >> 8 * (b % 4)) & 255) << 16) | (((d[b + 1 >> 2] >>
            8 * ((b + 1) % 4)) & 255) << 8) | ((d[b + 2 >> 2] >> 8 * ((b +
            2) % 4)) & 255);
        for (var a = 0; a < 4; a++)
        {
            if (b * 8 + a * 6 > d.length * 32)
            {
                f += b64pad
            }
            else
            {
                f += c.charAt((e >> 6 * (3 - a)) & 63)
            }
        }
    }
    return f
};
window.f = hex_md5(mwqqppz)

我们发现window.f = hex_md5(mwqqppz),是通过很多函数加密的,最重要的就是这最后一条,接下来我们来寻找mwqqppz参数。

回到调用oo0O0()函数的部分:

js 复制代码
  var _0x2268f9 = Date.parse(new Date()) + 100000000;
  var _0x57feae = oo0O0(_0x2268f9.toString()) + window.f;
  const _0x5d83a3 = {
    page: window.page,
    m: _0x57feae + "丨" + _0x2268f9 / 1000
  };

以及eval()那一条代码,分析传入的参数。

js 复制代码
eval(atob(window['b'])[J('0x0', ']dQW')](J('0x1', 'GTu!'), '\x27' + mw + '\x27'));

通过分析,我们发现J函数就在oo0O0函数内定义,我们将J函数抠出:

js 复制代码
var U = ['W5r5W6VdIHZcT8kU', 'WQ8CWRaxWQirAW=='];
var J = function (o, E) {
    o = o - 0x0;
    var N = U[o];
    if (J['bSSGte'] === undefined) {
        var Y = function (w) {
            var m =
                    'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=',
                T = String(w)['replace'](/=+$/, '');
            var A = '';
            for (var C = 0x0, b, W, l = 0x0; W = T['charAt'](l++); ~
                W && (b = C % 0x4 ? b * 0x40 + W : W, C++ % 0x4) ?
                A += String['fromCharCode'](0xff & b >> (-0x2 * C &
                    0x6)) : 0x0) {
                W = m['indexOf'](W)
            }
            return A
        };
        var t = function (w, m) {
            var T = [],
                A = 0x0,
                C, b = '',
                W = '';
            w = Y(w);
            for (var R = 0x0, v = w['length']; R < v; R++) {
                W += '%' + ('00' + w['charCodeAt'](R)['toString'](
                    0x10))['slice'](-0x2)
            }
            w = decodeURIComponent(W);
            var l;
            for (l = 0x0; l < 0x100; l++) {
                T[l] = l
            }
            for (l = 0x0; l < 0x100; l++) {
                A = (A + T[l] + m['charCodeAt'](l % m['length'])) %
                    0x100, C = T[l], T[l] = T[A], T[A] = C
            }
            l = 0x0, A = 0x0;
            for (var L = 0x0; L < w['length']; L++) {
                l = (l + 0x1) % 0x100, A = (A + T[l]) % 0x100, C =
                    T[l], T[l] = T[A], T[A] = C, b += String[
                    'fromCharCode'](w['charCodeAt'](L) ^ T[(T[
                    l] + T[A]) % 0x100])
            }
            return b
        };
        J['luAabU'] = t, J['qlVPZg'] = {}, J['bSSGte'] = !![]
    }
    var H = J['qlVPZg'][o];
    return H === undefined ? (J['TUDBIJ'] === undefined && (J[
        'TUDBIJ'] = !![]), N = J['luAabU'](N, E), J['qlVPZg'][
        o] = N) : N = H, N
};

console.log(J('0x0', ']dQW'))
console.log(J('0x1', 'GTu!'))

并在浏览器执行:

得到:

  • J('0x0', ']dQW')的值为:replace
  • J('0x1', 'GTu!')的值为:mwqqppz

'\x27' + mw + '\x27'的值为1715257368000,也就是说这里就是某一个字符串进行replace操作,将mwqqppz替换成了时间戳mw,最终这个字符串就是window['b']的值,是一个base64的编码。

eval()部分的代码即可替换为:

js 复制代码
eval(atob(window['b'])["replace"]("mwqqppz","1715257368000"));

通过以上分析,我们可以知道window.f = hex_md5(mwqqppz)mwqqppz就是时间戳mw,这个例子中时间戳mw的值为1715257368000

mwqqppz字符串本身只是用于标识需要被替换的占位字符串,无特殊含义,然后通过eval执行。

我们手动替换下oo0O0_eval.js中的window.f = hex_md5(mwqqppz)console.log(hex_md5("1715257368000"))后执行,得到8d596e76013033e75c3e23015c553c55,正是我们之前在控制台分析的_0x57feae的值。

另外,我们通过猴子脚本hook一下window.f也能得到加密算法。

hook脚本:


设置:

翻页调试:

查看第一个箭头所指的栈,清晰的看到加密算法运行时的代码:

js 复制代码
// ...
// 跟我们解混淆后的代码不能说是一样,只能说是完全相同。
// 此处省略。

function binl2b64(d) {
    var c = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    var f = "";
    for (var b = 0; b < d.length * 4; b += 3) {
        var e = (((d[b >> 2] >> 8 * (b % 4)) & 255) << 16) | (((d[b + 1 >> 2] >> 8 * ((b + 1) % 4)) & 255) << 8) | ((d[b + 2 >> 2] >> 8 * ((b + 2) % 4)) & 255);
        for (var a = 0; a < 4; a++) {
            if (b * 8 + a * 6 > d.length * 32) {
                f += b64pad
            } else {
                f += c.charAt((e >> 6 * (3 - a)) & 63)
            }
        }
    }
    return f
}
;window.f = hex_md5('1715257368000')

完整 JS 加密代码如下:

js 复制代码
var window =global

var hexcase = 0;
var b64pad = "";
var chrsz = 16;

function hex_md5(a) {
    return binl2hex(core_md5(str2binl(a), a.length * chrsz))
}

function b64_md5(a) {
    return binl2b64(core_md5(str2binl(a), a.length * chrsz))
}

function str_md5(a) {
    return binl2str(core_md5(str2binl(a), a.length * chrsz))
}

function hex_hmac_md5(a, b) {
    return binl2hex(core_hmac_md5(a, b))
}

function b64_hmac_md5(a, b) {
    return binl2b64(core_hmac_md5(a, b))
}

function str_hmac_md5(a, b) {
    return binl2str(core_hmac_md5(a, b))
}

function md5_vm_test() {
    return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72"
}

function core_md5(p, k) {
    p[k >> 5] |= 128 << ((k) % 32);
    p[(((k + 64) >>> 9) << 4) + 14] = k;
    var o = 1732584193;
    var n = -271733879;
    var m = -1732584194;
    var l = 271733878;
    for (var g = 0; g < p.length; g += 16) {
        var j = o;
        var h = n;
        var f = m;
        var e = l;
        o = md5_ff(o, n, m, l, p[g + 0], 7, -680976936);
        l = md5_ff(l, o, n, m, p[g + 1], 12, -389564586);
        m = md5_ff(m, l, o, n, p[g + 2], 17, 606105819);
        n = md5_ff(n, m, l, o, p[g + 3], 22, -1044525330);
        o = md5_ff(o, n, m, l, p[g + 4], 7, -176418897);
        l = md5_ff(l, o, n, m, p[g + 5], 12, 1200080426);
        m = md5_ff(m, l, o, n, p[g + 6], 17, -1473231341);
        n = md5_ff(n, m, l, o, p[g + 7], 22, -45705983);
        o = md5_ff(o, n, m, l, p[g + 8], 7, 1770035416);
        l = md5_ff(l, o, n, m, p[g + 9], 12, -1958414417);
        m = md5_ff(m, l, o, n, p[g + 10], 17, -42063);
        n = md5_ff(n, m, l, o, p[g + 11], 22, -1990404162);
        o = md5_ff(o, n, m, l, p[g + 12], 7, 1804660682);
        l = md5_ff(l, o, n, m, p[g + 13], 12, -40341101);
        m = md5_ff(m, l, o, n, p[g + 14], 17, -1502002290);
        n = md5_ff(n, m, l, o, p[g + 15], 22, 1236535329);
        o = md5_gg(o, n, m, l, p[g + 1], 5, -165796510);
        l = md5_gg(l, o, n, m, p[g + 6], 9, -1069501632);
        m = md5_gg(m, l, o, n, p[g + 11], 14, 643717713);
        n = md5_gg(n, m, l, o, p[g + 0], 20, -373897302);
        o = md5_gg(o, n, m, l, p[g + 5], 5, -701558691);
        l = md5_gg(l, o, n, m, p[g + 10], 9, 38016083);
        m = md5_gg(m, l, o, n, p[g + 15], 14, -660478335);
        n = md5_gg(n, m, l, o, p[g + 4], 20, -405537848);
        o = md5_gg(o, n, m, l, p[g + 9], 5, 568446438);
        l = md5_gg(l, o, n, m, p[g + 14], 9, -1019803690);
        m = md5_gg(m, l, o, n, p[g + 3], 14, -187363961);
        n = md5_gg(n, m, l, o, p[g + 8], 20, 1163531501);
        o = md5_gg(o, n, m, l, p[g + 13], 5, -1444681467);
        l = md5_gg(l, o, n, m, p[g + 2], 9, -51403784);
        m = md5_gg(m, l, o, n, p[g + 7], 14, 1735328473);
        n = md5_gg(n, m, l, o, p[g + 12], 20, -1921207734);
        o = md5_hh(o, n, m, l, p[g + 5], 4, -378558);
        l = md5_hh(l, o, n, m, p[g + 8], 11, -2022574463);
        m = md5_hh(m, l, o, n, p[g + 11], 16, 1839030562);
        n = md5_hh(n, m, l, o, p[g + 14], 23, -35309556);
        o = md5_hh(o, n, m, l, p[g + 1], 4, -1530992060);
        l = md5_hh(l, o, n, m, p[g + 4], 11, 1272893353);
        m = md5_hh(m, l, o, n, p[g + 7], 16, -155497632);
        n = md5_hh(n, m, l, o, p[g + 10], 23, -1094730640);
        o = md5_hh(o, n, m, l, p[g + 13], 4, 681279174);
        l = md5_hh(l, o, n, m, p[g + 0], 11, -358537222);
        m = md5_hh(m, l, o, n, p[g + 3], 16, -722881979);
        n = md5_hh(n, m, l, o, p[g + 6], 23, 76029189);
        o = md5_hh(o, n, m, l, p[g + 9], 4, -640364487);
        l = md5_hh(l, o, n, m, p[g + 12], 11, -421815835);
        m = md5_hh(m, l, o, n, p[g + 15], 16, 530742520);
        n = md5_hh(n, m, l, o, p[g + 2], 23, -995338651);
        o = md5_ii(o, n, m, l, p[g + 0], 6, -198630844);
        l = md5_ii(l, o, n, m, p[g + 7], 10, 11261161415);
        m = md5_ii(m, l, o, n, p[g + 14], 15, -1416354905);
        n = md5_ii(n, m, l, o, p[g + 5], 21, -57434055);
        o = md5_ii(o, n, m, l, p[g + 12], 6, 1700485571);
        l = md5_ii(l, o, n, m, p[g + 3], 10, -1894446606);
        m = md5_ii(m, l, o, n, p[g + 10], 15, -1051523);
        n = md5_ii(n, m, l, o, p[g + 1], 21, -2054922799);
        o = md5_ii(o, n, m, l, p[g + 8], 6, 1873313359);
        l = md5_ii(l, o, n, m, p[g + 15], 10, -30611744);
        m = md5_ii(m, l, o, n, p[g + 6], 15, -1560198380);
        n = md5_ii(n, m, l, o, p[g + 13], 21, 1309151649);
        o = md5_ii(o, n, m, l, p[g + 4], 6, -145523070);
        l = md5_ii(l, o, n, m, p[g + 11], 10, -1120210379);
        m = md5_ii(m, l, o, n, p[g + 2], 15, 718787259);
        n = md5_ii(n, m, l, o, p[g + 9], 21, -343485551);
        o = safe_add(o, j);
        n = safe_add(n, h);
        m = safe_add(m, f);
        l = safe_add(l, e)
    }
    return Array(o, n, m, l)
}

function md5_cmn(h, e, d, c, g, f) {
    return safe_add(bit_rol(safe_add(safe_add(e, h), safe_add(c, f)), g), d)
}

function md5_ff(g, f, k, j, e, i, h) {
    return md5_cmn((f & k) | ((~f) & j), g, f, e, i, h)
}

function md5_gg(g, f, k, j, e, i, h) {
    return md5_cmn((f & j) | (k & (~j)), g, f, e, i, h)
}

function md5_hh(g, f, k, j, e, i, h) {
    return md5_cmn(f ^ k ^ j, g, f, e, i, h)
}

function md5_ii(g, f, k, j, e, i, h) {
    return md5_cmn(k ^ (f | (~j)), g, f, e, i, h)
}

function core_hmac_md5(c, f) {
    var e = str2binl(c);
    if (e.length > 16) {
        e = core_md5(e, c.length * chrsz)
    }
    var a = Array(16),
        d = Array(16);
    for (var b = 0; b < 16; b++) {
        a[b] = e[b] ^ 909522486;
        d[b] = e[b] ^ 1549556828
    }
    var g = core_md5(a.concat(str2binl(f)), 512 + f.length * chrsz);
    return core_md5(d.concat(g), 512 + 128)
}

function safe_add(a, d) {
    var c = (a & 65535) + (d & 65535);
    var b = (a >> 16) + (d >> 16) + (c >> 16);
    return (b << 16) | (c & 65535)
}

function bit_rol(a, b) {
    return (a << b) | (a >>> (32 - b))
}

function str2binl(d) {
    var c = Array();
    var a = (1 << chrsz) - 1;
    for (var b = 0; b < d.length * chrsz; b += chrsz) {
        c[b >> 5] |= (d.charCodeAt(b / chrsz) & a) << (b % 32)
    }
    return c
}

function binl2str(c) {
    var d = "";
    var a = (1 << chrsz) - 1;
    for (var b = 0; b < c.length * 32; b += chrsz) {
        d += String.fromCharCode((c[b >> 5] >>> (b % 32)) & a)
    }
    return d
}

function binl2hex(c) {
    var b = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
    var d = "";
    for (var a = 0; a < c.length * 4; a++) {
        d += b.charAt((c[a >> 2] >> ((a % 4) * 8 + 4)) & 15) + b.charAt((c[a >>
        2] >> ((a % 4) * 8)) & 15)
    }
    return d
}

function binl2b64(d) {
    var c = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    var f = "";
    for (var b = 0; b < d.length * 4; b += 3) {
        var e = (((d[b >> 2] >> 8 * (b % 4)) & 255) << 16) | (((d[b + 1 >> 2] >>
            8 * ((b + 1) % 4)) & 255) << 8) | ((d[b + 2 >> 2] >> 8 * ((b +
            2) % 4)) & 255);
        for (var a = 0; a < 4; a++) {
            if (b * 8 + a * 6 > d.length * 32) {
                f += b64pad
            } else {
                f += c.charAt((e >> 6 * (3 - a)) & 63)
            }
        }
    }
    return f
};

// window.f = hex_md5(mwqqppz)

// console.log(hex_md5("1715257368000"))

// 整合hex_md5的参数
function get_m_value() {
    var _0x2268f9 = Date["parse"](new Date()) + 100000000;
    // var _0x2268f9 = 1715257368000
    var mwqqppz = _0x2268f9["toString"]();
  	var m = hex_md5(mwqqppz);
  	var m_value = m + '丨' + _0x2268f9 / 1000;
    return m_value;
};

console.log(get_m_value())

pycharm中运行结果如下:

和浏览器分析时的m值一致,JS逆向过程结束。

大功告成

逆向结束,剩下的编码就是模拟请求,解析结果了。

curl命令转换为PythonJavaScript等: curlconverter.com/

老规矩,借用curl命令转代码工具快速生成代码,略作修改即可,重点是逆向过程分析。

python 复制代码
#! -*-conding=: UTF-8 -*-

import execjs
import requests

cookies = {
    'tk': '改成自己的tk',
    'sessionid': '改成自己的sessionid',
}

headers = {
    'authority': 'match.yuanrenxue.cn',
    'accept': 'application/json, text/javascript, */*; q=0.01',
    'accept-language': 'zh-CN,zh;q=0.9',
    'cache-control': 'no-cache',
    # 'cookie': 'tk=7699535563564611254; sessionid=0qtsyidunti3daajuz7l2qkqy3m0knmd',
    'pragma': 'no-cache',
    'referer': 'https://match.yuanrenxue.cn/match/1',
    'sec-ch-ua': '"Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"',
    'sec-ch-ua-mobile': '?0',
    'sec-ch-ua-platform': '"Windows"',
    'sec-fetch-dest': 'empty',
    'sec-fetch-mode': 'cors',
    'sec-fetch-site': 'same-origin',
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36',
    'x-requested-with': 'XMLHttpRequest',
}

params = {
    'page': 1,
    'm': '',
}


def calculate_m_value():
    with open('_m.js', mode='r', encoding='utf-8') as f:
        JsData = f.read()
    m_value = execjs.compile(JsData).call('get_m_value')
    # m_value_process = m_value.replace("丨", "%E4%B8%A8")
    return m_value


def main() -> int:
    _sum = 0
    times = 0
    for page_number in range(1, 6):
        params["page"] = page_number
        params["m"] = calculate_m_value()
        print(params)
        response = requests.get('https://match.yuanrenxue.cn/api/match/1', params=params, cookies=cookies,
                                headers=headers).json()

        for data in response["data"]:
            _sum += data["value"]
            times += 1
    if not times:
        return 0

    return int(_sum / times)


if __name__ == "__main__":
    result = main()
    print(int(result))

结语

至此,这次逆向之旅终于结束了。

如果觉得不错,点赞在看关注安排起来吧。

相关推荐
小曲曲38 分钟前
接口上传视频和oss直传视频到阿里云组件
javascript·阿里云·音视频
学不会•2 小时前
css数据不固定情况下,循环加不同背景颜色
前端·javascript·html
EasyNTS3 小时前
H.264/H.265播放器EasyPlayer.js视频流媒体播放器关于websocket1006的异常断连
javascript·h.265·h.264
网易独家音乐人Mike Zhou3 小时前
【卡尔曼滤波】数据预测Prediction观测器的理论推导及应用 C语言、Python实现(Kalman Filter)
c语言·python·单片机·物联网·算法·嵌入式·iot
安静读书3 小时前
Python解析视频FPS(帧率)、分辨率信息
python·opencv·音视频
活宝小娜4 小时前
vue不刷新浏览器更新页面的方法
前端·javascript·vue.js
程序视点4 小时前
【Vue3新工具】Pinia.js:提升开发效率,更轻量、更高效的状态管理方案!
前端·javascript·vue.js·typescript·vue·ecmascript
coldriversnow4 小时前
在Vue中,vue document.onkeydown 无效
前端·javascript·vue.js
我开心就好o4 小时前
uniapp点左上角返回键, 重复来回跳转的问题 解决方案
前端·javascript·uni-app
小二·5 小时前
java基础面试题笔记(基础篇)
java·笔记·python