最近在学习 JS 逆向,俗话说好记性不如烂笔头,看视频不练习也是白扯。恰好在某论坛看到有人说访问某站需要带上一个特定的 cookie,而且这个 cookie 还是动态生成的,那就来分析一下。PS:我之前没搞过,边搞边写文章,可能写到最后也没搞出来哈哈
站点(URL 已做 base64 编码):aHR0cHM6Ly93d3cuY2R0LWVjLmNvbS9ob21lL21vcmUtenlnZy5odG1s
第一步开始调试
打开 F12 访问网站,发现进入无限 debugger。看一下调用栈里的引用,把前面那几段加密字符串解出来,拼起来是 constructor 和 debugger(字符串被拆成了几段,看起来就是常见的 Function.prototype.constructor('debugger')() 反调试写法)。所以可以通过 hook constructor 跳过这个 debugger,或者在 debugger 所在行右键“永远不在此处暂停”(Never pause here),解决反调试。
第二步找到设置Cookie的位置
我的第一反应是 hook cookie:直接用 hook 工具注入代码,之后就会在设置 cookie 的地方断下;当然这里直接搜索 cookie 名 acw_sc__v2 也可以(原文的下划线被页面渲染吃掉了)。果然是 reload 调用了 setcookie,再往上看是定时器调用了 reload。那么第一感觉是直接把这段逻辑抠出来就行了,是不是?抠一下。
第三步抠JS代码
我们先把用到的都抠出来试试。注意:下面贴出的代码里,字符串中 \x 转义的反斜杠被博客吞掉了(例如 'x61x74x6fx62' 实际上是 '\x61\x74\x6f\x62',即 "atob"),照抄是跑不起来的,要先把反斜杠补回去。
// Sample challenge value captured by the author (40 hex chars). The cookie is
// regenerated per visit (see the intro), so this literal only reproduces the
// author's session; presumably arg1 comes from the served challenge page -- verify.
var arg1 = 'F5552FD53D7DEE57A54020812B92605A1D2314C4';
// Obfuscator string decoder: `_0x55f3(indexHex, key)` returns the plaintext for
// entry `indexHex` of the string table `_0x4818` (not part of this listing),
// RC4-decrypting it with `key` and memoising the result in `_0x55f3.data`.
// Every call with the same (index, key) therefore yields the same literal, which
// is why each call can be replaced by its decoded string (done further below).
//
// NOTE(review): the blog rendering stripped the backslashes from the `\x..`
// escapes, so e.g. 'x61x74x6fx62' should read '\x61\x74\x6f\x62' ("atob"); the
// listing does not run as pasted. Decoded names are given in the comments below.
var _0x55f3 = function(_0x4c97f0, _0x1742fd) {
// table index is passed as a hex string ('0x3', '0x19', ...)
var _0x4c97f0 = parseInt(_0x4c97f0, 0x10);
var _0x48181e = _0x4818[_0x4c97f0];
// 'atobPolyfillAppended': install a base64 decoder on the global object once
if (!_0x55f3['x61x74x6fx62x50x6fx6cx79x66x69x6cx6cx41x70x70x65x6ex64x65x64']) {
(function() {
// Function('return (function () {}.constructor("return this")());') -- fetches
// the global object without naming `window`, so it also works outside a browser
var _0xdf49c6 = Function('x72x65x74x75x72x6ex20x28x66x75x6ex63x74x69x6fx6ex20x28x29x20' + 'x7bx7dx2ex63x6fx6ex73x74x72x75x63x74x6fx72x28x22x72x65x74x75x72x6ex20x74x68x69x73x22x29x28x29' + 'x29x3b');
var _0xb8360b = _0xdf49c6();
// standard base64 alphabet "A-Za-z0-9+/="
var _0x389f44 = 'x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50x51x52x53x54x55x56x57x58x59x5ax61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70x71x72x73x74x75x76x77x78x79x7ax30x31x32x33x34x35x36x37x38x39x2bx2fx3d';
// global.atob = global.atob || <polyfill>; only installed when the host lacks one
_0xb8360b['x61x74x6fx62'] || (_0xb8360b['x61x74x6fx62'] = function(_0xba82f0) {
// strip trailing '=' padding, then decode 4 chars -> 3 bytes in one packed loop
var _0xec6bb4 = String(_0xba82f0)['x72x65x70x6cx61x63x65'](/=+$/, '');
for (var _0x1a0f04 = 0x0, _0x18c94e, _0x41b2ff, _0xd79219 = 0x0, _0x5792f7 = ''; _0x41b2ff = _0xec6bb4['x63x68x61x72x41x74'](_0xd79219++); ~_0x41b2ff && (_0x18c94e = _0x1a0f04 % 0x4 ? _0x18c94e * 0x40 + _0x41b2ff : _0x41b2ff,
_0x1a0f04++ % 0x4) ? _0x5792f7 += String['x66x72x6fx6dx43x68x61x72x43x6fx64x65'](0xff & _0x18c94e >> (-0x2 * _0x1a0f04 & 0x6)) : 0x0) {
// 'indexOf': map the character to its 6-bit value (-1 for unknown chars)
_0x41b2ff = _0x389f44['x69x6ex64x65x78x4fx66'](_0x41b2ff);
}
return _0x5792f7;
}
);
}());
_0x55f3['x61x74x6fx62x50x6fx6cx79x66x69x6cx6cx41x70x70x65x6ex64x65x64'] = !![];
}
// 'rc4': textbook RC4, defined once. Input is the base64 ciphertext; output is
// the decrypted plaintext string.
if (!_0x55f3['x72x63x34']) {
var _0x232678 = function(_0x401af1, _0x532ac0) {
var _0x45079a = [], _0x52d57c = 0x0, _0x105f59, _0x3fd789 = '', _0x4a2aed = '';
_0x401af1 = atob(_0x401af1);
// percent-encode every byte ('%' + two hex digits) and decodeURIComponent it,
// i.e. treat the decoded bytes as UTF-8
for (var _0x124d17 = 0x0, _0x1b9115 = _0x401af1['x6cx65x6ex67x74x68']; _0x124d17 < _0x1b9115; _0x124d17++) {
_0x4a2aed += 'x25' + ('x30x30' + _0x401af1['x63x68x61x72x43x6fx64x65x41x74'](_0x124d17)['x74x6fx53x74x72x69x6ex67'](0x10))['x73x6cx69x63x65'](-0x2);
}
_0x401af1 = decodeURIComponent(_0x4a2aed);
// KSA: identity permutation, then key-dependent swaps over 256 entries
for (var _0x2d67ec = 0x0; _0x2d67ec < 0x100; _0x2d67ec++) {
_0x45079a[_0x2d67ec] = _0x2d67ec;
}
for (_0x2d67ec = 0x0; _0x2d67ec < 0x100; _0x2d67ec++) {
_0x52d57c = (_0x52d57c + _0x45079a[_0x2d67ec] + _0x532ac0['x63x68x61x72x43x6fx64x65x41x74'](_0x2d67ec % _0x532ac0['x6cx65x6ex67x74x68'])) % 0x100;
_0x105f59 = _0x45079a[_0x2d67ec];
_0x45079a[_0x2d67ec] = _0x45079a[_0x52d57c];
_0x45079a[_0x52d57c] = _0x105f59;
}
_0x2d67ec = 0x0;
_0x52d57c = 0x0;
// PRGA: XOR each input char code with the next keystream byte
for (var _0x4e5ce2 = 0x0; _0x4e5ce2 < _0x401af1['x6cx65x6ex67x74x68']; _0x4e5ce2++) {
_0x2d67ec = (_0x2d67ec + 0x1) % 0x100;
_0x52d57c = (_0x52d57c + _0x45079a[_0x2d67ec]) % 0x100;
_0x105f59 = _0x45079a[_0x2d67ec];
_0x45079a[_0x2d67ec] = _0x45079a[_0x52d57c];
_0x45079a[_0x52d57c] = _0x105f59;
_0x3fd789 += String['x66x72x6fx6dx43x68x61x72x43x6fx64x65'](_0x401af1['x63x68x61x72x43x6fx64x65x41x74'](_0x4e5ce2) ^ _0x45079a[(_0x45079a[_0x2d67ec] + _0x45079a[_0x52d57c]) % 0x100]);
}
return _0x3fd789;
};
_0x55f3['x72x63x34'] = _0x232678;
}
// 'data': per-index memo of decoded strings (keyed by index only, not by key)
if (!_0x55f3['x64x61x74x61']) {
_0x55f3['x64x61x74x61'] = {};
}
if (_0x55f3['x64x61x74x61'][_0x4c97f0] === undefined) {
// 'once': on the very first decode, run the self-check below exactly once.
// This is what hangs when the script is run after being beautified (see
// checkState/getState): it looks like an anti-formatting guard.
if (!_0x55f3['x6fx6ex63x65']) {
var _0x5f325c = function(_0x23a392) {
// 'rc4Bytes' is actually the decoder function itself (passed in below)
this['x72x63x34x42x79x74x65x73'] = _0x23a392;
this['x73x74x61x74x65x73'] = [0x1, 0x0, 0x0];
// 'newState': a probe function whose source text is inspected by checkState
this['x6ex65x77x53x74x61x74x65'] = function() {
return 'x6ex65x77x53x74x61x74x65';
}
;
// 'firstState' + 'secondState' form the regex  \w+ *\(\) *{\w+ *['|"].+['|"];? *}
// which only matches the probe's toString() while it is still on ONE line
this['x66x69x72x73x74x53x74x61x74x65'] = 'x5cx77x2bx20x2ax5cx28x5cx29x20x2ax7bx5cx77x2bx20x2a';
this['x73x65x63x6fx6ex64x53x74x61x74x65'] = 'x5bx27x7cx22x5dx2ex2bx5bx27x7cx22x5dx3bx3fx20x2ax7d';
};
// 'checkState': regex matches (unformatted) -> states[1] becomes -1;
// no match (code was beautified, newlines inside the probe) -> states[0] becomes 0
_0x5f325c['x70x72x6fx74x6fx74x79x70x65']['x63x68x65x63x6bx53x74x61x74x65'] = function() {
var _0x19f809 = new RegExp(this['x66x69x72x73x74x53x74x61x74x65'] + this['x73x65x63x6fx6ex64x53x74x61x74x65']);
return this['x72x75x6ex53x74x61x74x65'](_0x19f809['x74x65x73x74'](this['x6ex65x77x53x74x61x74x65']['x74x6fx53x74x72x69x6ex67']()) ? --this['x73x74x61x74x65x73'][0x1] : --this['x73x74x61x74x65x73'][0x0]);
}
;
// 'runState': ~(-1) is 0, so -1 returns harmlessly; ~0 is -1 (truthy), so a 0
// falls through into getState
_0x5f325c['x70x72x6fx74x6fx74x79x70x65']['x72x75x6ex53x74x61x74x65'] = function(_0x4380bd) {
if (!Boolean(~_0x4380bd)) {
return _0x4380bd;
}
return this['x67x65x74x53x74x61x74x65'](this['x72x63x34x42x79x74x65x73']);
}
;
// 'getState': the loop bound is re-read after every push, so i < length always
// holds and this never terminates -- the "hang" the author observed. The return
// is effectively unreachable.
_0x5f325c['x70x72x6fx74x6fx74x79x70x65']['x67x65x74x53x74x61x74x65'] = function(_0x58d85e) {
for (var _0x1c9f5b = 0x0, _0x1ce9e0 = this['x73x74x61x74x65x73']['x6cx65x6ex67x74x68']; _0x1c9f5b < _0x1ce9e0; _0x1c9f5b++) {
this['x73x74x61x74x65x73']['x70x75x73x68'](Math['x72x6fx75x6ex64'](Math['x72x61x6ex64x6fx6d']()));
_0x1ce9e0 = this['x73x74x61x74x65x73']['x6cx65x6ex67x74x68'];
}
return _0x58d85e(this['x73x74x61x74x65x73'][0x0]);
}
;
new _0x5f325c(_0x55f3)['x63x68x65x63x6bx53x74x61x74x65']();
_0x55f3['x6fx6ex63x65'] = !![];
}
// decrypt this entry with the per-call key and cache it
_0x48181e = _0x55f3['x72x63x34'](_0x48181e, _0x1742fd);
_0x55f3['x64x61x74x61'][_0x4c97f0] = _0x48181e;
} else {
_0x48181e = _0x55f3['x64x61x74x61'][_0x4c97f0];
}
return _0x48181e;
};
// Three calls into the decoder, each resolving to a fixed literal (the decoded
// listing further down shows them): index 0x3 -> the 40-hex-char XOR key,
// 0x19 -> "unsbox", 0x1b -> "hexXor". The second argument is that entry's RC4 key
// (again with its `\x` backslashes stripped by the blog). Net effect:
//   arg2 = arg1.unsbox().hexXor(key)
var _0x5e8b26 = _0x55f3('0x3', 'x6ax53x31x59');
var _0x23a392 = arg1[_0x55f3('0x19', 'x50x67x35x34')]();
var arg2 = _0x23a392[_0x55f3('0x1b', 'x7ax35x4fx26')](_0x5e8b26);
运行一下,有个 _0x4818 未定义,一看是个大数组,填进去以后运行就卡死了……原因在上面 checkState/getState 那段:它用 firstState+secondState 拼出的正则去匹配 newState 函数的 toString(),判断代码是否还是没格式化的一行;代码一旦被美化,正则不匹配,states[0] 减到 0,runState 就会进入 getState,而 getState 的循环每次 push 之后又重新读取 length,永远退不出来。要么用未格式化的原始代码,要么把这段检测 patch 掉。然后看看它都用了什么吧:对比发现每次通过 _0x55f3 算出来的值都是固定的,替换后如下:
// Second attempt: the same pipeline with every _0x55f3(...) call swapped for the
// literal it decodes to. Run on its own this throws, because `unsbox` and
// `hexXor` are methods the site script hangs on String.prototype (extracted
// further below) -- they are not built-ins.
var arg1 = 'F5552FD53D7DEE57A54020812B92605A1D2314C4';
var _0x5e8b26 = "3000176000856006061501533003690027800375";
var _0x23a392 = arg1.unsbox();
// `arg2` is assigned without `var`, so it leaks into the global scope
arg2 = _0x23a392.hexXor(_0x5e8b26);
运行一看直接报错:String 上并没有 unsbox 和 hexXor 这两个方法——它们是站点脚本自己挂到 String.prototype 上的,不是内置方法。
看来还是不行。在 arg2 处下断点,发现这两个方法最终都指向匿名函数,于是直接把 arg2 用到的匿名函数抠出来,把里面的解密函数手动找出来:
String["prototype"]["hexXor"] = function(_0x4e08d8) {
var _0x5a5d3b = '';
for (var _0xe89588 = 0x0; _0xe89588 < this["length"] && _0xe89588 < _0x4e08d8["length"]; _0xe89588 += 0x2) {
var _0x401af1 = parseInt(this["slice"](_0xe89588, _0xe89588 + 0x2), 0x10);
var _0x105f59 = parseInt(_0x4e08d8["slice"](_0xe89588, _0xe89588 + 0x2), 0x10);
var _0x189e2c = (_0x401af1 ^ _0x105f59)["toString"](0x10);
if (_0x189e2c["length"] == 0x1) {
_0x189e2c = 'x30' + _0x189e2c;
}
_0x5a5d3b += _0x189e2c;
}
return _0x5a5d3b;
}
String["prototype"]["unsbox"] = function() {
var _0x4b082b = [0xf, 0x23, 0x1d, 0x18, 0x21, 0x10, 0x1, 0x26, 0xa, 0x9, 0x13, 0x1f, 0x28, 0x1b, 0x16, 0x17, 0x19, 0xd, 0x6, 0xb, 0x27, 0x12, 0x14, 0x8, 0xe, 0x15, 0x20, 0x1a, 0x2, 0x1e, 0x7, 0x4, 0x11, 0x5, 0x3, 0x1c, 0x22, 0x25, 0xc, 0x24];
var _0x4da0dc = [];
var _0x12605e = '';
for (var _0x20a7bf = 0x0; _0x20a7bf < this["length"]; _0x20a7bf++) {
var _0x385ee3 = this[_0x20a7bf];
for (var _0x217721 = 0x0; _0x217721 < _0x4b082b["length"]; _0x217721++) {
if (_0x4b082b[_0x217721] == _0x20a7bf + 0x1) {
_0x4da0dc[_0x217721] = _0x385ee3;
}
}
}
_0x12605e = _0x4da0dc["join"]('');
return _0x12605e;
}
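// Reproduces the cookie value: arg2 = hexXor(unsbox(arg1), key).
//
// Both inputs default to the sample values captured by the author, so the
// original zero-argument `main()` still works; pass the `arg1` from a fresh page
// load (and a re-decoded key, should the script change it) to compute the value
// for a new session. Requires String.prototype.unsbox / hexXor to be installed.
function main(arg1, key) {
var challenge = arg1 === undefined ? 'F5552FD53D7DEE57A54020812B92605A1D2314C4' : arg1;
var xorKey = key === undefined ? "3000176000856006061501533003690027800375" : key;
var shuffled = challenge.unsbox();
// kept local: the original assigned `arg2` without `var` and leaked a global
var arg2 = shuffled.hexXor(xorKey);
return arg2;
}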
这样就弄出来了。但是如果解密函数非常多怎么办?我们不可能一个一个去找吧。(一个常见思路:既然 _0x55f3(index, key) 的返回值是固定的,可以把字符串表和解密函数放到 Node 里跑起来,再用 AST 工具遍历所有调用点,批量替换成解出来的字面量。)求大佬指点