自去年10月起,先知平台公开了文章发表时的 ip 归属地;迫于工作不饱和,抓点数据来看看师傅们最近在干啥
直接发起 requests 请求,大概一分钟后开始返回 js 代码;由于脚本不具备 js 执行环境,无法计算出对应结果——网站存在 js 反爬
随后花了亿点点时间梳理逻辑,整个js流程大致分三个块:
首先是一个自执行函数,对大数组 _0x4818 做"头出尾进"(shift 后 push)操作348次:
// One rotation step: take the first element off the front and append it at
// the back. Repeated k times this is a left-rotation of the array by k.
array.push(array.shift());
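// Obfuscator prologue (looks like javascript-obfuscator's "string array
// rotation"): the IIFE receives the string table _0x4818 and a seed (347) and
// rotates the table in place, so the literal order in the source no longer
// matches the indices the decoder _0x55f3 uses at runtime.
// `/* ... */` marks parts the writeup elided. Note that the excerpt never shows
// _0x3cd6c6() or getCookie() being invoked, so the actual trigger of the
// rotation lies in the elided code.
(function (_0x4c97f0, _0x1742fd) {
  var _0x4db1c = function (_0x48181e) {
    while (--_0x48181e) {
      _0x4c97f0["push"](_0x4c97f0["shift"]()); // head out, tail in (left-rotate by one)
    }
  };
  var _0x3cd6c6 = function () {
    var _0xb8360b = {
      /* ... */
      "getCookie": function (_0x4a11fe, _0x189946) {
        /* ... */
        var _0x52d57c = function (_0x105f59, _0x3fd789) {
          // _0x4db1c(348): `while (--n)` with n = 348 executes the body 347
          // times; the table has 56 entries, so the net effect is a left
          // rotation by 347 mod 56 = 11 (the rotated table indeed starts at
          // the original index 11, 'wqImMT0tw6RNw5k=').
          _0x105f59(++_0x3fd789);
        };
        _0x52d57c(_0x4db1c, _0x1742fd);
      }
    };
  };
})(_0x4818, 347);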
得到还原乱序后的数组
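// Encrypted string table as it appears in the delivered script (56 entries,
// before un-rotation). Each entry is base64 text that still needs the RC4
// step in _0x55f3 before it becomes readable.
var _0x4818 = ["csKHwqMI", "ZsKJwr8VeAsy", "UcKiN8O/wplwMA==", "JR8CTg==", "YsOnbSEQw7ozwqZKesKUw7kwX8ORIQ==", "w7oVS8OSwoPCl3jChMKhw6HDlsKXw4s/YsOG", "fwVmI1AtwplaY8Otw5cNfSgpw6M=", "OcONwrjCqsKxTGTChsOjEWE8PcOcJ8K6", "U8K5LcOtwpV0EMOkw47DrMOX", "HMO2woHCiMK9SlXClcOoC1k=", "asKIwqMDdgMuPsOKBMKcwrrCtkLDrMKBw64d", "wqImMT0tw6RNw5k=", "DMKcU0JmUwUv", "VjHDlMOHVcONX3fDicKJHQ==", "wqhBH8Knw4TDhSDDgMOdwrjCncOWwphhN8KCGcKqw6dHAU5+wrg2JcKaw4IEJcOcwrRJwoZ0wqF9YgAV", "dzd2w5bDm3jDpsK3wpY=", "w4PDgcKXwo3CkcKLwr5qwrY=", "wrJOTcOQWMOg", "wqTDvcOjw447wr4=", "w5XDqsKhMF1/", "wrAyHsOfwppc", "J3dVPcOxLg==", "wrdHw7p9Zw==", "w4rDo8KmNEw=", "IMKAUkBt", "w6bDrcKQwpVHwpNQwqU=", "d8OsWhAUw7YzwrU=", "wqnCksOeezrDhw==", "UsKnIMKWV8K/", "w4zDocK8NUZv", "c8OxZhAJw6skwqJj", "PcKIw4nCkkVb", "KHgodMO2VQ==", "wpsmwqvDnGFq", "wqLDt8Okw4c=", "w7w1w4PCpsO4wqA=", "wq9FRsOqWMOq", "byBhw7rDm34=", "LHg+S8OtTw==", "wqhOw715dsOH", "U8O7VsO0wqvDvcKuKsOqX8Kr", "Yittw5DDnWnDrA==", "YMKIwqUUfgIk", "aB7DlMODTQ==", "wpfDh8Orw6kk", "w7vCqMOrY8KAVk5OwpnCu8OaXsKZP3DClcKyw6HDrQ==", "wow+w6vDmHpsw7Rtwo98LC7CiG7CksORT8KlW8O5wr3Di8OTHsODeHjDmcKlJsKqVA==", "NwV+", "w7HDrcKtwpJawpZb", "wpQswqvDiHpuw6I=", "YMKUwqMJZQ==", "KH1VKcOqKsK1", "fQ5sFUkkwpI=", "wrvCrcOBR8Kk", "M3w0fQ==", "w6xXwqPDvMOFwo5d"];

// The same table after the prologue's 347 shift/push steps. 347 mod 56 = 11,
// so this is the original list left-rotated by 11: it begins at what was
// index 11 ('wqImMT0tw6RNw5k=') and the first eleven original entries now
// sit at the end. The decoder _0x55f3 indexes *this* ordering.
var _0x4818 = ['wqImMT0tw6RNw5k=', 'DMKcU0JmUwUv', 'VjHDlMOHVcONX3fDicKJHQ==', 'wqhBH8Knw4TDhSDDgMOdwrjCncOWwphhN8KCGcKqw6dHAU5+wrg2JcKaw4IEJcOcwrRJwoZ0wqF9YgAV', 'dzd2w5bDm3jDpsK3wpY=', 'w4PDgcKXwo3CkcKLwr5qwrY=', 'wrJOTcOQWMOg', 'wqTDvcOjw447wr4=', 'w5XDqsKhMF1/', 'wrAyHsOfwppc', 'J3dVPcOxLg==', 'wrdHw7p9Zw==', 'w4rDo8KmNEw=', 'IMKAUkBt', 'w6bDrcKQwpVHwpNQwqU=', 'd8OsWhAUw7YzwrU=', 'wqnCksOeezrDhw==', 'UsKnIMKWV8K/', 'w4zDocK8NUZv', 'c8OxZhAJw6skwqJj', 'PcKIw4nCkkVb', 'KHgodMO2VQ==', 'wpsmwqvDnGFq', 'wqLDt8Okw4c=', 'w7w1w4PCpsO4wqA=', 'wq9FRsOqWMOq', 'byBhw7rDm34=', 'LHg+S8OtTw==', 'wqhOw715dsOH', 'U8O7VsO0wqvDvcKuKsOqX8Kr', 'Yittw5DDnWnDrA==', 'YMKIwqUUfgIk', 'aB7DlMODTQ==', 'wpfDh8Orw6kk', 'w7vCqMOrY8KAVk5OwpnCu8OaXsKZP3DClcKyw6HDrQ==', 'wow+w6vDmHpsw7Rtwo98LC7CiG7CksORT8KlW8O5wr3Di8OTHsODeHjDmcKlJsKqVA==', 'NwV+', 'w7HDrcKtwpJawpZb', 'wpQswqvDiHpuw6I=', 'YMKUwqMJZQ==', 'KH1VKcOqKsK1', 'fQ5sFUkkwpI=', 'wrvCrcOBR8Kk', 'M3w0fQ==', 'w6xXwqPDvMOFwo5d', 'csKHwqMI', 'ZsKJwr8VeAsy', 'UcKiN8O/wplwMA==', 'JR8CTg==', 'YsOnbSEQw7ozwqZKesKUw7kwX8ORIQ==', 'w7oVS8OSwoPCl3jChMKhw6HDlsKXw4s/YsOG', 'fwVmI1AtwplaY8Otw5cNfSgpw6M=', 'OcONwrjCqsKxTGTChsOjEWE8PcOcJ8K6', 'U8K5LcOtwpV0EMOkw47DrMOX', 'HMO2woHCiMK9SlXClcOoC1k=', 'asKIwqMDdgMuPsOKBMKcwrrCtkLDrMKBw64d'];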
此时 _0x4818 数组内容依旧不可读,还要再经过 _0x55f3 做 rc4 解密处理:
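// String-table decoder. The first argument is a hex index ("0x22") into the
// rotated table _0x4818, the second an RC4 key. Decoded values are memoized in
// _0x55f3["data"] under the *decimal* index, which is why the dump of that
// object below is keyed "34" for the call _0x55f3("0x22", ...).
// `/* ... */` marks code the writeup elided (the rc4 routine itself included).
var _0x55f3 = function (_0x4c97f0, _0x1742fd) {
  var _0x4c97f0 = parseInt(_0x4c97f0, 16);
  var _0x48181e = _0x4818[_0x4c97f0];
  /* ... */
  if (_0x55f3["data"][_0x4c97f0] === undefined) {
    /* ... */
    _0x48181e = _0x55f3["rc4"](_0x48181e, _0x1742fd); // rc4 decrypt
    _0x55f3["data"][_0x4c97f0] = _0x48181e; // memoize in _0x55f3["data"]
  } else {
    _0x48181e = _0x55f3["data"][_0x4c97f0];
  }
  return _0x48181e;
};

// Anti-debugging guard. With the decoded table, 0x22 + 0x23 concatenate to
// `return (function() {}.constructor("return this")( ));`, so _0x46cbaa()
// returns the global object; the four assignments then replace console.log,
// console.error, console.warn and console.info (0x26..0x30) with a no-op
// before any of the cookie logic runs. _0x3a394d is not shown in the excerpt.
if (function () {
  /* ... */
  var _0x5b6351 = _0x3a394d(this, function () {
    var _0x46cbaa = Function(_0x55f3("0x22", "&hZY") + _0x55f3("0x23", "aH*N") + ");");
    var _0x1766ff = function () {};
    var _0x9b5e29 = _0x46cbaa();
    _0x9b5e29[_0x55f3("0x26", "aH*N")]["log"] = _0x1766ff;
    _0x9b5e29[_0x55f3("0x29", "V%YR")][_0x55f3("0x2a", "P^Eq")] = _0x1766ff;
    _0x9b5e29[_0x55f3("0x2c", "lgM0")][_0x55f3("0x2d", "L$(D")] = _0x1766ff;
    _0x9b5e29[_0x55f3("0x2f", "CZc8")][_0x55f3("0x30", "Wu6%")] = _0x1766ff;
  });
  _0x5b6351();
  /* ... */
}()) {
  // 0x33 / 0x34 decode to addEventListener / DOMContentLoaded: run l() once
  // the DOM is ready.
  document[_0x55f3("0x33", "V%YR")](_0x55f3("0x34", "yApz"), l, false);
} else {
  // 0x36 / 0x37 are absent from the dumped table; presumably the legacy
  // attachEvent / onreadystatechange fallback — confirm against the full script.
  document[_0x55f3("0x36", "yApz")](_0x55f3("0x37", "L$(D"), l);
}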
得到真正的数组_0x55f3["data"]
// Decoded string table (memoized output of _0x55f3), keyed by the decimal
// index that parseInt(hexIndex, 16) yields. The hex form each call site uses
// in this writeup is noted per entry.
_0x55f3.data = {
  1: "_phantom",                                  // 0x1  — headless marker polled in l()
  3: "3000176000856006061501533003690027800375",  // 0x3  — 40-hex-digit XOR key for hexXor
  5: "prototype",                                 // 0x5  — String[...] install target
  6: "hexXor",                                    // 0x6
  20: "unsbox",                                   // 0x14
  25: "unsbox",                                   // 0x19 — arg1.unsbox() call
  33: "apply",                                    // 0x21
  34: "return (function() ",                      // 0x22 — first half of the global-object getter
  35: "{}.constructor(\"return this\")( )",       // 0x23 — second half
  38: "console",                                  // 0x26
  41: "console",                                  // 0x29
  42: "error",                                    // 0x2a
  44: "console",                                  // 0x2c
  45: "warn",                                     // 0x2d
  47: "console",                                  // 0x2f
  48: "info",                                     // 0x30
  51: "addEventListener",                         // 0x33
  52: "DOMContentLoaded",                         // 0x34
};
最后调用 unsbox() 和 hexXor() 生成 arg2,并写入 cookie 中:
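// Summary of what l() computes: arg1 is permuted by unsbox(), then XORed
// byte-pair-wise with the fixed 40-hex-digit key (entry 3 of the decoded
// string table).
arg2 = arg1.unsbox().hexXor("3000176000856006061501533003690027800375");
// The cookie name is a string literal: the previous form `acw_sc__v2 + "="`
// read it as an undeclared variable (ReferenceError). reload() passes
// "acw_sc__v2" to setCookie(), which additionally appends
// expires / max-age=3600 / path=/ — omitted in this summary.
document.cookie = "acw_sc__v2=" + arg2;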
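// Challenge input handed to the page by the server (40 hex digits).
var arg1 = '2F526E76D908955D2065FE39FACBFD626530F9B0';

// Challenge solver, registered on DOMContentLoaded by the guard above.
// Indices 0x8, 0xa, 0xb, 0xd, 0xf, 0x11, 0x16 and 0x1b are not present in the
// _0x55f3["data"] dump above; the property names mentioned in the comments
// below are inferred from how each result is used.
var l = function () {
  // 0x1 decodes to "_phantom": if either PhantomJS marker is present the page
  // spins forever — a headless-browser check, not part of the computation.
  while (window[_0x55f3("0x1", "XMW^")] || window["__phantomas"]) {};

  // 0x3 decodes to the 40-hex-digit key "3000176000856006061501533003690027800375".
  var _0x5e8b26 = _0x55f3("0x3", "jS1Y");

  // String.prototype.hexXor (0x5 / 0x6): walk both hex strings two characters
  // at a time, XOR the byte values and re-emit lowercase hex, left-padding a
  // single digit with "0". Stops at the shorter of the two inputs.
  String[_0x55f3("0x5", "n]fR")][_0x55f3("0x6", "Pg54")] = function (_0x4e08d8) {
    var _0x5a5d3b = "";
    // 0x8 / 0xa presumably "length"; 0xb / 0xd presumably "substr" or "slice";
    // 0xf presumably "toString"; 0x11 presumably "length".
    for (var _0xe89588 = 0; _0xe89588 < this[_0x55f3("0x8", ")hRc")] && _0xe89588 < _0x4e08d8[_0x55f3("0xa", "jE&^")]; _0xe89588 += 2) {
      var _0x401af1 = parseInt(this[_0x55f3("0xb", "V2KE")](_0xe89588, _0xe89588 + 2), 16);
      var _0x105f59 = parseInt(_0x4e08d8[_0x55f3("0xd", "XMW^")](_0xe89588, _0xe89588 + 2), 16);
      var _0x189e2c = (_0x401af1 ^ _0x105f59)[_0x55f3("0xf", "W1FE")](16);
      if (_0x189e2c[_0x55f3("0x11", "MGrv")] == 1) {
        _0x189e2c = "0" + _0x189e2c;
      }
      _0x5a5d3b += _0x189e2c;
    }
    return _0x5a5d3b;
  };

  // String.prototype.unsbox (0x14): a fixed permutation of a 40-character
  // string. Output position j receives the input character at index
  // _0x4b082b[j] - 1 (the table is 1-based). The nested loop is an O(n*m)
  // way of expressing that single indexed lookup.
  String["prototype"][_0x55f3("0x14", "Z*DM")] = function () {
    var _0x4b082b = [15, 35, 29, 24, 33, 16, 1, 38, 10, 9, 19, 31, 40, 27, 22, 23, 25, 13, 6, 11, 39, 18, 20, 8, 14, 21, 32, 26, 2, 30, 7, 4, 17, 5, 3, 28, 34, 37, 12, 36];
    var _0x4da0dc = [];
    var _0x12605e = "";
    for (var _0x20a7bf = 0; _0x20a7bf < this["length"]; _0x20a7bf++) {
      var _0x385ee3 = this[_0x20a7bf];
      // 0x16 presumably "length".
      for (var _0x217721 = 0; _0x217721 < _0x4b082b[_0x55f3("0x16", "aH*N")]; _0x217721++) {
        if (_0x4b082b[_0x217721] == _0x20a7bf + 1) {
          _0x4da0dc[_0x217721] = _0x385ee3;
        }
      }
    }
    _0x12605e = _0x4da0dc["join"]("");
    return _0x12605e;
  };

  var _0x23a392 = arg1[_0x55f3("0x19", "Pg54")](); // arg1.unsbox()  (0x19 -> "unsbox")
  // 0x1b presumably "hexXor": arg2 = _0x23a392.hexXor(_0x5e8b26).
  // arg2 is assigned without a declaration, i.e. as a global — required because
  // the string form of setTimeout below evaluates "reload(arg2)" in global scope.
  arg2 = _0x23a392[_0x55f3("0x1b", "z5O&")](_0x5e8b26);
  setTimeout("reload(arg2)", 2); // -> reload() -> setCookie()
};

// Writes `name=value` with a one-hour lifetime (both expires and max-age)
// scoped to the whole site.
function setCookie(name, value) {
  var expiredate = new Date();
  expiredate.setTime(expiredate.getTime() + 3600000);
  document.cookie = name + "=" + value + ";expires=" + expiredate.toGMTString() + ";max-age=3600;path=/";
}

// Stores the computed token under the cookie name acw_sc__v2 and reloads so
// the next request carries it.
function reload(x) {
  setCookie("acw_sc__v2", x);
  document.location.reload();
}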
2022年10月13日-2023年2月23日,收集到技术文章共162条数据
师傅们浑身都是肝,LeeH 师傅平均10天干完一篇文章
什么?我也是四川的,那没事了
安全研究终究是大趋势,java安全和漏洞分析霸榜