一次简单的先知社区js逆向记录
2023-2-28 17:29:0 Author: xz.aliyun.com(查看原文)

一、简述

自去年10月起,先知平台公开了文章发表时的IP归属地;迫于工作不饱和,抓点数据来看看师傅们最近在干啥

二、处理反爬

直接发起requests请求,大概一分钟后开始返回js代码;脚本不具备js执行环境,无法计算出对应结果,说明网站存在js反爬

随后花了亿点点时间梳理逻辑,整个js流程大致分三个块:

  1. 数组还原
  2. 数组解密
  3. cookie生成

2.1 数组还原

首先一个自执行函数,对大数组_0x4818做头出尾进操作348次

  • array["push"](array["shift"]());
// Self-invoking array-rotation step. The second argument (347) is
// pre-incremented on the marked line below, so _0x4db1c is called with 348;
// `while (--n)` decrements before it tests, so the shift/push pair runs
// 347 times. _0x4818 has 56 entries and 347 mod 56 == 11, which is why the
// restored array further down begins at original index 11 ('wqImMT0tw6RNw5k=').
(function (_0x4c97f0, _0x1742fd) {
    var _0x4db1c = function (_0x48181e) {
        while (--_0x48181e) {
            _0x4c97f0["push"](_0x4c97f0["shift"]()); // take from the head, append at the tail: rotate left by one
        }
    };
    // NOTE(review): nothing in this excerpt invokes _0x3cd6c6; the elided
    // lines presumably do, since the rotation only happens through it — confirm.
    var _0x3cd6c6 = function () {
        var _0xb8360b = {
            ...
            "getCookie": function (_0x4a11fe, _0x189946) {
                ...
                var _0x52d57c = function (_0x105f59, _0x3fd789) {
                    _0x105f59(++_0x3fd789);  // _0x4db1c(++347), i.e. the rotation helper receives 348
                };
                _0x52d57c(_0x4db1c, _0x1742fd);
            }
        };
    };
})(_0x4818, 347);

得到还原顺序后的数组

// Before restoration: the 56-entry string table exactly as served by the page.
// Entries are still RC4-encrypted (and base64-looking) at this point; the
// rotation above moves entry index 11 ('wqImMT0tw6RNw5k=') to the front.
var _0x4818 = ["csKHwqMI", "ZsKJwr8VeAsy", "UcKiN8O/wplwMA==", "JR8CTg==", "YsOnbSEQw7ozwqZKesKUw7kwX8ORIQ==",
    "w7oVS8OSwoPCl3jChMKhw6HDlsKXw4s/YsOG", "fwVmI1AtwplaY8Otw5cNfSgpw6M=", "OcONwrjCqsKxTGTChsOjEWE8PcOcJ8K6",
    "U8K5LcOtwpV0EMOkw47DrMOX", "HMO2woHCiMK9SlXClcOoC1k=", "asKIwqMDdgMuPsOKBMKcwrrCtkLDrMKBw64d",
    "wqImMT0tw6RNw5k=", "DMKcU0JmUwUv", "VjHDlMOHVcONX3fDicKJHQ==",
    "wqhBH8Knw4TDhSDDgMOdwrjCncOWwphhN8KCGcKqw6dHAU5+wrg2JcKaw4IEJcOcwrRJwoZ0wqF9YgAV", "dzd2w5bDm3jDpsK3wpY=",
    "w4PDgcKXwo3CkcKLwr5qwrY=", "wrJOTcOQWMOg", "wqTDvcOjw447wr4=", "w5XDqsKhMF1/", "wrAyHsOfwppc", "J3dVPcOxLg==",
    "wrdHw7p9Zw==", "w4rDo8KmNEw=", "IMKAUkBt", "w6bDrcKQwpVHwpNQwqU=", "d8OsWhAUw7YzwrU=", "wqnCksOeezrDhw==",
    "UsKnIMKWV8K/", "w4zDocK8NUZv", "c8OxZhAJw6skwqJj", "PcKIw4nCkkVb", "KHgodMO2VQ==", "wpsmwqvDnGFq",
    "wqLDt8Okw4c=", "w7w1w4PCpsO4wqA=", "wq9FRsOqWMOq", "byBhw7rDm34=", "LHg+S8OtTw==", "wqhOw715dsOH",
    "U8O7VsO0wqvDvcKuKsOqX8Kr", "Yittw5DDnWnDrA==", "YMKIwqUUfgIk", "aB7DlMODTQ==", "wpfDh8Orw6kk",
    "w7vCqMOrY8KAVk5OwpnCu8OaXsKZP3DClcKyw6HDrQ==",
    "wow+w6vDmHpsw7Rtwo98LC7CiG7CksORT8KlW8O5wr3Di8OTHsODeHjDmcKlJsKqVA==", "NwV+", "w7HDrcKtwpJawpZb",
    "wpQswqvDiHpuw6I=", "YMKUwqMJZQ==", "KH1VKcOqKsK1", "fQ5sFUkkwpI=", "wrvCrcOBR8Kk", "M3w0fQ==",
    "w6xXwqPDvMOFwo5d"];

// After restoration: the served array rotated left by 11 positions
// (347 shift/push rounds mod 56 entries). The last 11 entries are the
// original indices 0-10. The numeric index passed to _0x55f3 below refers
// to positions in THIS order, not the served one.
var _0x4818 = ['wqImMT0tw6RNw5k=', 'DMKcU0JmUwUv', 'VjHDlMOHVcONX3fDicKJHQ==',
    'wqhBH8Knw4TDhSDDgMOdwrjCncOWwphhN8KCGcKqw6dHAU5+wrg2JcKaw4IEJcOcwrRJwoZ0wqF9YgAV', 'dzd2w5bDm3jDpsK3wpY=',
    'w4PDgcKXwo3CkcKLwr5qwrY=', 'wrJOTcOQWMOg', 'wqTDvcOjw447wr4=', 'w5XDqsKhMF1/', 'wrAyHsOfwppc', 'J3dVPcOxLg==',
    'wrdHw7p9Zw==', 'w4rDo8KmNEw=', 'IMKAUkBt', 'w6bDrcKQwpVHwpNQwqU=', 'd8OsWhAUw7YzwrU=', 'wqnCksOeezrDhw==',
    'UsKnIMKWV8K/', 'w4zDocK8NUZv', 'c8OxZhAJw6skwqJj', 'PcKIw4nCkkVb', 'KHgodMO2VQ==', 'wpsmwqvDnGFq',
    'wqLDt8Okw4c=', 'w7w1w4PCpsO4wqA=', 'wq9FRsOqWMOq', 'byBhw7rDm34=', 'LHg+S8OtTw==', 'wqhOw715dsOH',
    'U8O7VsO0wqvDvcKuKsOqX8Kr', 'Yittw5DDnWnDrA==', 'YMKIwqUUfgIk', 'aB7DlMODTQ==', 'wpfDh8Orw6kk',
    'w7vCqMOrY8KAVk5OwpnCu8OaXsKZP3DClcKyw6HDrQ==',
    'wow+w6vDmHpsw7Rtwo98LC7CiG7CksORT8KlW8O5wr3Di8OTHsODeHjDmcKlJsKqVA==', 'NwV+', 'w7HDrcKtwpJawpZb',
    'wpQswqvDiHpuw6I=', 'YMKUwqMJZQ==', 'KH1VKcOqKsK1', 'fQ5sFUkkwpI=', 'wrvCrcOBR8Kk', 'M3w0fQ==',
    'w6xXwqPDvMOFwo5d', 'csKHwqMI', 'ZsKJwr8VeAsy', 'UcKiN8O/wplwMA==', 'JR8CTg==',
    'YsOnbSEQw7ozwqZKesKUw7kwX8ORIQ==', 'w7oVS8OSwoPCl3jChMKhw6HDlsKXw4s/YsOG', 'fwVmI1AtwplaY8Otw5cNfSgpw6M=',
    'OcONwrjCqsKxTGTChsOjEWE8PcOcJ8K6', 'U8K5LcOtwpV0EMOkw47DrMOX', 'HMO2woHCiMK9SlXClcOoC1k=',
    'asKIwqMDdgMuPsOKBMKcwrrCtkLDrMKBw64d'];

2.2 数组解密

此时_0x4818数组内容依旧不可读,还要再经过_0x55f3中的rc4解密处理

// String-table accessor used by every obfuscated property access below.
// Takes a hex index into the rotated _0x4818 array plus a per-call key,
// decrypts the entry on first use and caches the plaintext in _0x55f3["data"].
// Because the cache is plain data, the decoded table can be read back out of
// it once the script has run (that is how the _0x55f3["data"] listing below
// was obtained).
var _0x55f3 = function (_0x4c97f0, _0x1742fd) {
    var _0x4c97f0 = parseInt(_0x4c97f0, 16);   // "0x22" -> 34; the parameter is shadowed by a var of the same name
    var _0x48181e = _0x4818[_0x4c97f0];
    ...
    if (_0x55f3["data"][_0x4c97f0] === undefined) {
        ...
        _0x48181e = _0x55f3["rc4"](_0x48181e, _0x1742fd); // rc4 decrypt; the second argument is presumably the key (rc4 body elided here)
        _0x55f3["data"][_0x4c97f0] = _0x48181e;  // memoise the plaintext under the numeric index
    } else {
        _0x48181e = _0x55f3["data"][_0x4c97f0];
    }
    return _0x48181e;
};

// Anti-debugging probe plus handler registration. With the decoded table
// below, _0x55f3("0x22") + _0x55f3("0x23") is
//   'return (function() {}.constructor("return this")( )'
// so _0x46cbaa() returns the global object, and the four assignments replace
// console.log / console.error / console.warn / console.info (indices 38..48)
// with an empty function, silencing anything logged afterwards. The truthiness
// of the wrapper decides whether the handler l is registered through
// addEventListener("DOMContentLoaded", ...) (indices 51/52) or through the
// else branch (indices 54/55, which are absent from the dumped table).
// NOTE(review): the wrapper's return value and _0x3a394d are both elided;
// all that is visible is that _0x3a394d(...) yields something callable.
if (function () {
        ...
        var _0x5b6351 = _0x3a394d(this, function () {
            var _0x46cbaa = Function(_0x55f3("0x22", "&hZY") + _0x55f3("0x23", "aH*N") + ");"); // source text assembled and compiled at runtime
            var _0x1766ff = function () {};  // no-op used to stub the console methods
            var _0x9b5e29 = _0x46cbaa();  // global object (works in strict mode too, hence the Function trick)
            _0x9b5e29[_0x55f3("0x26", "aH*N")]["log"] = _0x1766ff;                      // console.log
            _0x9b5e29[_0x55f3("0x29", "V%YR")][_0x55f3("0x2a", "P^Eq")] = _0x1766ff;    // console.error
            _0x9b5e29[_0x55f3("0x2c", "lgM0")][_0x55f3("0x2d", "L$(D")] = _0x1766ff;    // console.warn
            _0x9b5e29[_0x55f3("0x2f", "CZc8")][_0x55f3("0x30", "Wu6%")] = _0x1766ff;    // console.info
        });
        _0x5b6351();
        ...
    }()) {
    document[_0x55f3("0x33", "V%YR")](_0x55f3("0x34", "yApz"), l, false); // document.addEventListener("DOMContentLoaded", l, false)
} else {
    document[_0x55f3("0x36", "yApz")](_0x55f3("0x37", "L$(D"), l); // indices 54/55 not in the dump; presumably a legacy event API — confirm
}

得到真正的数组_0x55f3["data"]

// Decoded string table, dumped from the _0x55f3 cache. Keys are the decimal
// form of the hex indices passed to _0x55f3. Only entries touched by the code
// paths that had run at dump time are present; indices used inside l such as
// 8, 10, 11, 13, 15, 17, 22 and 27 are missing, presumably because l had not
// executed yet when the cache was read — confirm with a dump taken after reload.
_0x55f3["data"] = {
    "1": "_phantom",                                     // window["_phantom"] headless check in l
    "3": "3000176000856006061501533003690027800375",     // 40-digit operand for hexXor
    "5": "prototype",                                    // String["prototype"]
    "6": "hexXor",                                       // String.prototype.hexXor definition
    "20": "unsbox",                                      // String.prototype.unsbox definition
    "25": "unsbox",                                      // arg1.unsbox() call site (duplicate entry)
    "33": "apply",                                       // not referenced in the excerpts shown
    "34": "return (function() ",                         // first half of the Function() source
    "35": "{}.constructor(\"return this\")( )",          // second half: evaluates to the global object
    "38": "console",
    "41": "console",
    "42": "error",                                       // console.error stub
    "44": "console",
    "45": "warn",                                        // console.warn stub
    "47": "console",
    "48": "info",                                        // console.info stub
    "51": "addEventListener",
    "52": "DOMContentLoaded"                             // event on which l runs
}

2.3 cookie生成

最后依次调用unsbox()和hexXor(),生成arg2并写入cookie

  • arg2 = arg1.unsbox().hexXor("3000176000856006061501533003690027800375");
  • document.cookie = acw_sc__v2 + "=" + arg2;
// 40-hex-character challenge value embedded in the served page; this is the
// sample captured for the write-up. NOTE(review): presumably differs between
// responses — confirm before hard-coding anything on it.
var arg1 = '2F526E76D908955D2065FE39FACBFD626530F9B0';
// Handler registered by the if/else above. Computes the cookie value as
// arg2 = arg1.unsbox().hexXor(<40-digit constant at index 3>) and hands it to
// reload() through a string-form setTimeout. The whole computation is a fixed
// permutation followed by an XOR with a constant, so it depends only on arg1.
var l = function () {
    // Index 1 decodes to "_phantom": if window._phantom or window.__phantomas
    // (PhantomJS markers) is set, busy-loop forever instead of computing the cookie.
    while (window[_0x55f3("0x1", "XMW^")] || window["__phantomas"]) {};
    var _0x5e8b26 = _0x55f3("0x3", "jS1Y"); // "3000176000856006061501533003690027800375"
    // String.prototype.hexXor (indices 5/6): walk both strings two hex digits at
    // a time, XOR each byte pair, re-encode as two lowercase hex digits; stops at
    // the shorter of the two. Indices 8/10/11/13/15/17 are not in the dumped
    // table; from usage they look like length / a two-argument substring method /
    // toString — confirm against a fresh dump.
    String[_0x55f3("0x5", "n]fR")][_0x55f3("0x6", "Pg54")] = function (_0x4e08d8) { // hexXor
        var _0x5a5d3b = "";
        for (var _0xe89588 = 0; _0xe89588 < this[_0x55f3("0x8", ")hRc")] && _0xe89588 < _0x4e08d8[_0x55f3("0xa",
                "jE&^")]; _0xe89588 += 2) {
            var _0x401af1 = parseInt(this[_0x55f3("0xb", "V2KE")](_0xe89588, _0xe89588 + 2), 16);
            var _0x105f59 = parseInt(_0x4e08d8[_0x55f3("0xd", "XMW^")](_0xe89588, _0xe89588 + 2), 16);
            var _0x189e2c = (_0x401af1 ^ _0x105f59)[_0x55f3("0xf", "W1FE")](16);
            if (_0x189e2c[_0x55f3("0x11", "MGrv")] == 1) {
                _0x189e2c = "0" + _0x189e2c; // left-pad a single hex digit to two
            }
            _0x5a5d3b += _0x189e2c;
        }
        return _0x5a5d3b;
    };
    // String.prototype.unsbox (index 20): _0x4b082b is a permutation of 1..40.
    // Output slot j receives input character _0x4b082b[j] - 1, found by scanning
    // the whole table once per input position (O(n*40)). For a 40-character input
    // this is a pure reordering; shorter inputs leave holes that join as "".
    String["prototype"][_0x55f3("0x14", "Z*DM")] = function () {  // unsbox
        var _0x4b082b = [15, 35, 29, 24, 33, 16, 1, 38, 10, 9, 19, 31, 40, 27, 22, 23, 25, 13, 6, 11, 39, 18,
            20, 8, 14, 21, 32, 26, 2, 30, 7, 4, 17, 5, 3, 28, 34, 37, 12, 36];
        var _0x4da0dc = [];
        var _0x12605e = "";
        for (var _0x20a7bf = 0; _0x20a7bf < this["length"]; _0x20a7bf++) {
            var _0x385ee3 = this[_0x20a7bf];
            for (var _0x217721 = 0; _0x217721 < _0x4b082b[_0x55f3("0x16", "aH*N")]; _0x217721++) {
                if (_0x4b082b[_0x217721] == _0x20a7bf + 1) {
                    _0x4da0dc[_0x217721] = _0x385ee3;
                }
            }
        }
        _0x12605e = _0x4da0dc["join"]("");
        return _0x12605e;
    };
    var _0x23a392 = arg1[_0x55f3("0x19", "Pg54")](); // arg1.unsbox()  (index 25)
    // No `var arg2` appears anywhere in the excerpts, so this looks like an
    // implicit global — which is what the string evaluated by setTimeout relies on.
    arg2 = _0x23a392[_0x55f3("0x1b", "z5O&")](_0x5e8b26); // _0x23a392.hexXor(_0x5e8b26)
    setTimeout("reload(arg2)", 2);  // string-form setTimeout: the text is evaluated after 2 ms and calls reload(), which writes the cookie
};

/**
 * Writes a cookie that expires one hour from now.
 *
 * Both an absolute `expires` timestamp and `max-age=3600` are emitted, with
 * `path=/`. No `Secure` or `SameSite` attribute is set, and the value is
 * written verbatim (no encoding).
 *
 * @param {string} name - cookie name
 * @param {string} value - cookie value
 */
function setCookie(name, value) {
    const ONE_HOUR_MS = 3600000;
    const expiry = new Date(Date.now() + ONE_HOUR_MS);
    document.cookie = `${name}=${value};expires=${expiry.toUTCString()};max-age=3600;path=/`;
}

/**
 * Stores the computed challenge value in the `acw_sc__v2` cookie and reloads
 * the page so the next request carries it.
 *
 * @param {string} x - the value computed by l (arg2)
 */
function reload(x) {
    const COOKIE_NAME = "acw_sc__v2";
    setCookie(COOKIE_NAME, x);
    document.location.reload();
}

2.4 脚本实现

三、师傅们的动态

2022年10月13日-2023年2月23日,收集到技术文章共162条数据

3.1 作者

师傅们浑身都是肝,LeeH师傅平均10天干完一篇文章

  • top10作者

  • top3作者 - 月度发文

3.2 地区

什么?我也是四川的,那没事了

  • 各地区 - 总发文

  • top3地区 - 月度发文

3.3 内容

安全研究终究是大趋势,java安全和漏洞分析霸榜

  • top20 - 高频词

  • top20内容 - 四川

  • top20内容 - 广东

  • top20内容 - 北京

四、总结

五、参考


文章来源: https://xz.aliyun.com/t/12238