关注微信公众号:K 哥爬虫,继续分享爬虫进阶、JS/ 安卓逆向等技术干货!
申明
本文章中所有内容仅供学习交换,抓包内容、敏感网址、数据接口均已做脱敏解决,严禁用于商业用途和非法用处,否则由此产生的所有结果均与作者无关,若有侵权,请分割我立刻删除!
逆向指标
- 指标:网洛者反反爬虫练习平台第四题:JSFuck 加密
- 链接:http://spider.wangluozhe.com/…
- 简介:本题依然是要求采集 100 页的全副数字,并计算所有数据加和,须要抠出源码进行计算,次要应用了 JSFuck 加密
JSFuck 简介
JSFuck、AAEncode、JJEncode 都是同一个作者,JSFuck 由日本的 Yosuke HASEGAWA 在 2010 发明,它能够将任意 JavaScript 编码为仅应用 6 个符号的混同模式 []()!+,2012 年,Martin Kleppe 在 GitHub 上创立了一个 jsfuck 我的项目和一个 JSFuck.com 网站,其中蕴含应用该编码器实现的 Web 应用程序。JSFuck 可用于绕过对网站上提交的恶意代码的检测,例如跨站点脚本(XSS)攻打。JSFuck 的另一个潜在用处在于代码混同,目前的 jQuery 就曾经有通过 JSFuck 混同后的功能齐全的版本。
在线体验地址:https://utf-8.jp/public/jsfuc… http://www.jsfuck.com/
失常的一段 JS 代码:
alert(1)通过 JSFuck 混同之后的代码相似于:
[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])JSFuck 中常见的元素、数字、符号转换如下表,更多元素可参考 JSFuck 官网 GitHub 或 JSFuck 维基百科:
| Value | JSFuck |
|---|---|
| false | ![] |
| true | !![] or !+[] |
| NaN | +[![]] |
| undefined | [][[]] |
| Infinity | +(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]+[+[]]) |
| Array | [] |
| Number | +[] |
| String | []+[] |
| Boolean | ![] |
| Function | []["filter"] |
| eval | []["filter"]["constructor"](CODE)() |
| window | []["filter"]["constructor"]("return this")() |
| + | (+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]])+[])[!+[]+!+[]] |
| . | (+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]] |
| 0 | +[] |
| 1 | +!![] or +!+[] |
| 2 | !![]+!![] or !+[]+!+[] |
| 3 | !![]+!![]+!![] or !+[]+!+[]+!+[] |
| a | (![]+[])[+!+[]] |
| d | ([][[]]+[])[!+[]+!+[]] |
| e | (!![]+[])[!+[]+!+[]+!+[]] |
| f | (![]+[])[+[]] |
咱们以字母 a 为例,来演示一遍其混同的流程:
"false"[1]:字母 a 取自字符串 false,在 false 中,a 的索引值是 1;(false+[])[1]:false 能够写成 false+[],即布尔常量 false 加上一个空数组;(![]+[])[1]:false 又能够写成 ![],即否定利用于空数组;(![]+[])[+true]:1 是一个数字,咱们能够把它写成 +true;(![]+[])[+!![]]:因为 false 是 ![],所以 true 就是 !![],生成最终混同代码。
JSFuck 解混同办法
JSFuck 在调用办法时通常都是通过 Function(xxx)() 和 eval(xxx) 的模式来执行,因而 JSFuck 常见解混同的形式如下:
- 应用在线工具间接解密,比方:https://lelinhtinh.github.io/…;
- 针对 Function 的状况,复制代码最外层倒数第二个括号内的内容,放到浏览器外面去间接执行就能够看到源码;
- 针对 eval 的状况,复制代码最外层最初一个括号内的内容,放到浏览器外面去间接执行就能够看到源码;
- 应用 Hook 的形式,别离 Hook Function 和 eval,打印输出源码;
- 应用 AST 进行解混同,AST 的教程 K 哥后续也会写,本文不具体介绍。
如后面 alert(1) 的混同代码,复制最外层最初一个括号内的内容到浏览器,就能够看到源代码:
逆向参数
逆向的指标次要是翻页接口 _signature 参数,调用的加密办法依然是 window.get_sign(),和后面几题是一样的,本文不再赘述,不分明的能够去看 K 哥上期的文章。
持续跟进,会发现是一个 JSFuck 混同:
咱们将这段代码复制进去,放到编辑器外面,这里以 PyCharm 为例,因为咱们要选中匹配括号里的内容,所以咱们能够设置一下 PyCharm 括号匹配高亮为红色,便于咱们查找,顺次点击 File – Settings – Editor – Color Scheme – General – Code – Matched brace,设置 Background 为显眼的色彩:
此时咱们选中最初一个括号,往上找,就能够非常明显地看到与之匹配的另一个括号,如下图所示:
咱们将括号外面的内容复制进去(能够蕴含括号,也能够不蕴含),放到浏览器控制台运行一下,就能够看到源码了:
除了这种办法以外,咱们还能够应用 Hook 的形式,间接捕捉源码而后打印输出,留神到这段混同代码最初没有 () 括号,那就是 eval 的形式执行的,咱们编写 Hook eval 代码如下:
eval_ = eval;
eval = function (a){
debugger;
return eval_()}
// 另外提供一个 Hook Function 的代码
// Function.prototype.constructor_ = Function.prototype.constructor;
// Function.prototype.constructor = function (a) {
// debugger;
// return Function.prototype.constructor_(a);
// };刷新网页,间接断下,此时 a 的值就是源码:
将源码复制下来,本地剖析一下:
(function () {let time_tmp = Date.now();
let date = Date.parse(new Date());
window = {};
let click = window.document.onclick;
let key_tmp;
let iv_tmp;
if (!click) {key_tmp = date * 1234;} else {key_tmp = date * 1244;}
if (time_tmp - window.time < 1000) {iv_tmp = date * 4321;} else {iv_tmp = date * 4311;}
const key = CryptoJS.enc.Utf8.parse(key_tmp);
var iv = CryptoJS.enc.Utf8.parse(iv_tmp);
(function tmp(date, key, iv) {function Encrypt(word) {let srcs = CryptoJS.enc.Utf8.parse(word);
let encrypted = CryptoJS.AES.encrypt(srcs, key, {
iv: iv,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7
});
return encrypted.ciphertext.toString().toUpperCase();
}
window.sign = Encrypt(date);
})(date, key, iv);
})(); 能够看到就是一个 AES 加密,这里次要留神有两个 if-else 语句,第一个判断是否存在 window.document.onclick,第二个是时间差的判断,咱们能够在控制台去尝试取一下 window.document.onclick 和 window.time,看一下到底走的是 if 还是 else,在本地把这两个值也补全即可,实际上通过 K 哥测试 window.document.onclick 为 null,而后不论是走 if 还是 else 都是能够拿到后果的,所以对于本题来说,两个 window 对象都无所谓,间接去掉,key_tmp 和 iv_tmp 任意取值都能够。
自此本题剖析结束,本地改写之后,配合 Python 代码携带 _signature 挨个计算每一页的数据,最终提交胜利:
残缺代码
GitHub 关注 K 哥爬虫,继续分享爬虫相干代码!欢送 star!https://github.com/kgepachong/
以下只演示局部要害代码,不能间接运行! 残缺代码仓库地址:https://github.com/kgepachong…
JavaScript 加密代码
/* ==================================
# @Time : 2021-12-13
# @Author : 微信公众号:K 哥爬虫
# @FileName: challenge_4.js
# @Software: PyCharm
# ================================== */
var CryptoJS = require('crypto-js')
let date = Date.parse(new Date());
window = {};
let key_tmp = date * 1234;
// let key_tmp = date * 1244;
let iv_tmp = date * 4321;
// let iv_tmp = date * 4311;
const key = CryptoJS.enc.Utf8.parse(key_tmp);
var iv = CryptoJS.enc.Utf8.parse(iv_tmp);
(function tmp(date, key, iv) {function Encrypt(word) {let srcs = CryptoJS.enc.Utf8.parse(word);
let encrypted = CryptoJS.AES.encrypt(srcs, key, {
iv: iv,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7
});
return encrypted.ciphertext.toString().toUpperCase();
}
window.sign = Encrypt(date);
})(date, key, iv);
function getSign() {return window.sign}
// 测试输入
// console.log(getSign())Python 计算要害代码
# ==================================
# --*-- coding: utf-8 --*--
# @Time : 2021-12-13
# @Author : 微信公众号:K 哥爬虫
# @FileName: challenge_4.py
# @Software: PyCharm
# ==================================
import execjs
import requests
challenge_api = "http://spider.wangluozhe.com/challenge/api/4"
headers = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Cookie": "将 cookie 值改为你本人的!",
"Host": "spider.wangluozhe.com",
"Origin": "http://spider.wangluozhe.com",
"Referer": "http://spider.wangluozhe.com/challenge/4",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
"X-Requested-With": "XMLHttpRequest"
}
def get_signature():
with open('challenge_4.js', 'r', encoding='utf-8') as f:
ppdai_js = execjs.compile(f.read())
signature = ppdai_js.call("getSign")
print("signature:", signature)
return signature
def main():
result = 0
for page in range(1, 101):
data = {
"page": page,
"count": 10,
"_signature": get_signature()}
response = requests.post(url=challenge_api, headers=headers, data=data).json()
for d in response["data"]:
result += d["value"]
print("后果为:", result)
if __name__ == '__main__':
main()