至去年10月起,先知平台公开了文章发表时ip归属地,迫于工作不饱和,抓点数据来看看师傅们最近在干啥
直接发起requests
请求,大概一分钟后开始返回js代码,脚本不具备执行环境无法计算出对应结果,网站存在js反爬
随后花了亿点点时间梳理逻辑,整个js流程大致分三个块:
数组还原
数组解密
cookie生成
首先一个自执行函数,对大数组_0x4818
做头出尾进操作348次
array["push"](array["shift"]());
(function (_0x4c97f0, _0x1742fd) {
var _0x4db1c = function (_0x48181e) {
while (--_0x48181e) {
_0x4c97f0["push"](_0x4c97f0["shift"]()); // 头出尾进
}
};
var _0x3cd6c6 = function () {
var _0xb8360b = {
...
"getCookie": function (_0x4a11fe, _0x189946) {
...
var _0x52d57c = function (_0x105f59, _0x3fd789) {
_0x105f59(++_0x3fd789); // _0x4db1c(++347)
};
_0x52d57c(_0x4db1c, _0x1742fd);
}
};
};
})(_0x4818, 347);
得到还原乱序后的数组
// 还原前
var _0x4818 = ["csKHwqMI", "ZsKJwr8VeAsy", "UcKiN8O/wplwMA==", "JR8CTg==", "YsOnbSEQw7ozwqZKesKUw7kwX8ORIQ==",
"w7oVS8OSwoPCl3jChMKhw6HDlsKXw4s/YsOG", "fwVmI1AtwplaY8Otw5cNfSgpw6M=", "OcONwrjCqsKxTGTChsOjEWE8PcOcJ8K6",
"U8K5LcOtwpV0EMOkw47DrMOX", "HMO2woHCiMK9SlXClcOoC1k=", "asKIwqMDdgMuPsOKBMKcwrrCtkLDrMKBw64d",
"wqImMT0tw6RNw5k=", "DMKcU0JmUwUv", "VjHDlMOHVcONX3fDicKJHQ==",
"wqhBH8Knw4TDhSDDgMOdwrjCncOWwphhN8KCGcKqw6dHAU5+wrg2JcKaw4IEJcOcwrRJwoZ0wqF9YgAV", "dzd2w5bDm3jDpsK3wpY=",
"w4PDgcKXwo3CkcKLwr5qwrY=", "wrJOTcOQWMOg", "wqTDvcOjw447wr4=", "w5XDqsKhMF1/", "wrAyHsOfwppc", "J3dVPcOxLg==",
"wrdHw7p9Zw==", "w4rDo8KmNEw=", "IMKAUkBt", "w6bDrcKQwpVHwpNQwqU=", "d8OsWhAUw7YzwrU=", "wqnCksOeezrDhw==",
"UsKnIMKWV8K/", "w4zDocK8NUZv", "c8OxZhAJw6skwqJj", "PcKIw4nCkkVb", "KHgodMO2VQ==", "wpsmwqvDnGFq",
"wqLDt8Okw4c=", "w7w1w4PCpsO4wqA=", "wq9FRsOqWMOq", "byBhw7rDm34=", "LHg+S8OtTw==", "wqhOw715dsOH",
"U8O7VsO0wqvDvcKuKsOqX8Kr", "Yittw5DDnWnDrA==", "YMKIwqUUfgIk", "aB7DlMODTQ==", "wpfDh8Orw6kk",
"w7vCqMOrY8KAVk5OwpnCu8OaXsKZP3DClcKyw6HDrQ==",
"wow+w6vDmHpsw7Rtwo98LC7CiG7CksORT8KlW8O5wr3Di8OTHsODeHjDmcKlJsKqVA==", "NwV+", "w7HDrcKtwpJawpZb",
"wpQswqvDiHpuw6I=", "YMKUwqMJZQ==", "KH1VKcOqKsK1", "fQ5sFUkkwpI=", "wrvCrcOBR8Kk", "M3w0fQ==",
"w6xXwqPDvMOFwo5d"];// 还原后
var _0x4818 = ['wqImMT0tw6RNw5k=', 'DMKcU0JmUwUv', 'VjHDlMOHVcONX3fDicKJHQ==',
'wqhBH8Knw4TDhSDDgMOdwrjCncOWwphhN8KCGcKqw6dHAU5+wrg2JcKaw4IEJcOcwrRJwoZ0wqF9YgAV', 'dzd2w5bDm3jDpsK3wpY=',
'w4PDgcKXwo3CkcKLwr5qwrY=', 'wrJOTcOQWMOg', 'wqTDvcOjw447wr4=', 'w5XDqsKhMF1/', 'wrAyHsOfwppc', 'J3dVPcOxLg==',
'wrdHw7p9Zw==', 'w4rDo8KmNEw=', 'IMKAUkBt', 'w6bDrcKQwpVHwpNQwqU=', 'd8OsWhAUw7YzwrU=', 'wqnCksOeezrDhw==',
'UsKnIMKWV8K/', 'w4zDocK8NUZv', 'c8OxZhAJw6skwqJj', 'PcKIw4nCkkVb', 'KHgodMO2VQ==', 'wpsmwqvDnGFq',
'wqLDt8Okw4c=', 'w7w1w4PCpsO4wqA=', 'wq9FRsOqWMOq', 'byBhw7rDm34=', 'LHg+S8OtTw==', 'wqhOw715dsOH',
'U8O7VsO0wqvDvcKuKsOqX8Kr', 'Yittw5DDnWnDrA==', 'YMKIwqUUfgIk', 'aB7DlMODTQ==', 'wpfDh8Orw6kk',
'w7vCqMOrY8KAVk5OwpnCu8OaXsKZP3DClcKyw6HDrQ==',
'wow+w6vDmHpsw7Rtwo98LC7CiG7CksORT8KlW8O5wr3Di8OTHsODeHjDmcKlJsKqVA==', 'NwV+', 'w7HDrcKtwpJawpZb',
'wpQswqvDiHpuw6I=', 'YMKUwqMJZQ==', 'KH1VKcOqKsK1', 'fQ5sFUkkwpI=', 'wrvCrcOBR8Kk', 'M3w0fQ==',
'w6xXwqPDvMOFwo5d', 'csKHwqMI', 'ZsKJwr8VeAsy', 'UcKiN8O/wplwMA==', 'JR8CTg==',
'YsOnbSEQw7ozwqZKesKUw7kwX8ORIQ==', 'w7oVS8OSwoPCl3jChMKhw6HDlsKXw4s/YsOG', 'fwVmI1AtwplaY8Otw5cNfSgpw6M=',
'OcONwrjCqsKxTGTChsOjEWE8PcOcJ8K6', 'U8K5LcOtwpV0EMOkw47DrMOX', 'HMO2woHCiMK9SlXClcOoC1k=',
'asKIwqMDdgMuPsOKBMKcwrrCtkLDrMKBw64d'];
3.2 数组解密
此时_0x4818
数组内容依旧不可读,还要再经过_0x55f3
做rc4
解密处理
var _0x55f3 = function (_0x4c97f0, _0x1742fd) {
var _0x4c97f0 = parseInt(_0x4c97f0, 16);
var _0x48181e = _0x4818[_0x4c97f0];
...
if (_0x55f3["data"][_0x4c97f0] === undefined) {
...
_0x48181e = _0x55f3["rc4"](_0x48181e, _0x1742fd); // rc4解密
_0x55f3["data"][_0x4c97f0] = _0x48181e; // _0x55f3["data"]数组赋值
} else {
_0x48181e = _0x55f3["data"][_0x4c97f0];
}
return _0x48181e;
};if (function () {
...
var _0x5b6351 = _0x3a394d(this, function () {
var _0x46cbaa = Function(_0x55f3("0x22", "&hZY") + _0x55f3("0x23", "aH*N") + ");");
var _0x1766ff = function () {};
var _0x9b5e29 = _0x46cbaa();
_0x9b5e29[_0x55f3("0x26", "aH*N")]["log"] = _0x1766ff;
_0x9b5e29[_0x55f3("0x29", "V%YR")][_0x55f3("0x2a", "P^Eq")] = _0x1766ff;
_0x9b5e29[_0x55f3("0x2c", "lgM0")][_0x55f3("0x2d", "L$(D")] = _0x1766ff;
_0x9b5e29[_0x55f3("0x2f", "CZc8")][_0x55f3("0x30", "Wu6%")] = _0x1766ff;
});
_0x5b6351();
...
}()) {
document[_0x55f3("0x33", "V%YR")](_0x55f3("0x34", "yApz"), l, false);
} else {
document[_0x55f3("0x36", "yApz")](_0x55f3("0x37", "L$(D"), l);
}
得到真正的数组_0x55f3["data"]
_0x55f3["data"] = {
"1": "_phantom",
"3": "3000176000856006061501533003690027800375",
"5": "prototype",
"6": "hexXor",
"20": "unsbox",
"25": "unsbox",
"33": "apply",
"34": "return (function() ",
"35": "{}.constructor(\"return this\")( )",
"38": "console",
"41": "console",
"42": "error",
"44": "console",
"45": "warn",
"47": "console",
"48": "info",
"51": "addEventListener",
"52": "DOMContentLoaded"
}
最后调用unsbox()
和hexXor()
,生成arg2
写入cookie
中
arg2 = arg1.unsbox().hexXor("3000176000856006061501533003690027800375");
document.cookie = acw_sc__v2 + "=" + arg2;
var arg1 = '2F526E76D908955D2065FE39FACBFD626530F9B0';
var l = function () {
while (window[_0x55f3("0x1", "XMW^")] || window["__phantomas"]) {};
var _0x5e8b26 = _0x55f3("0x3", "jS1Y");
String[_0x55f3("0x5", "n]fR")][_0x55f3("0x6", "Pg54")] = function (_0x4e08d8) { //hexXor函数
var _0x5a5d3b = "";
for (var _0xe89588 = 0; _0xe89588 < this[_0x55f3("0x8", ")hRc")] && _0xe89588 < _0x4e08d8[_0x55f3("0xa",
"jE&^")]; _0xe89588 += 2) {
var _0x401af1 = parseInt(this[_0x55f3("0xb", "V2KE")](_0xe89588, _0xe89588 + 2), 16);
var _0x105f59 = parseInt(_0x4e08d8[_0x55f3("0xd", "XMW^")](_0xe89588, _0xe89588 + 2), 16);
var _0x189e2c = (_0x401af1 ^ _0x105f59)[_0x55f3("0xf", "W1FE")](16);
if (_0x189e2c[_0x55f3("0x11", "MGrv")] == 1) {
_0x189e2c = "0" + _0x189e2c;
}
_0x5a5d3b += _0x189e2c;
}
return _0x5a5d3b;
};
String["prototype"][_0x55f3("0x14", "Z*DM")] = function () { //unsbox函数
var _0x4b082b = [15, 35, 29, 24, 33, 16, 1, 38, 10, 9, 19, 31, 40, 27, 22, 23, 25, 13, 6, 11, 39, 18,
20, 8, 14, 21, 32, 26, 2, 30, 7, 4, 17, 5, 3, 28, 34, 37, 12, 36];
var _0x4da0dc = [];
var _0x12605e = "";
for (var _0x20a7bf = 0; _0x20a7bf < this["length"]; _0x20a7bf++) {
var _0x385ee3 = this[_0x20a7bf];
for (var _0x217721 = 0; _0x217721 < _0x4b082b[_0x55f3("0x16", "aH*N")]; _0x217721++) {
if (_0x4b082b[_0x217721] == _0x20a7bf + 1) {
_0x4da0dc[_0x217721] = _0x385ee3;
}
}
}
_0x12605e = _0x4da0dc["join"]("");
return _0x12605e;
};
var _0x23a392 = arg1[_0x55f3("0x19", "Pg54")](); // arg1.unsbox()
arg2 = _0x23a392[_0x55f3("0x1b", "z5O&")](_0x5e8b26); // _0x23a392.hexXor(_0x5e8b26)
setTimeout("reload(arg2)", 2); // setCookie
};function setCookie(name, value) {
var expiredate = new Date();
expiredate.setTime(expiredate.getTime() + 3600000);
document.cookie = name + "=" + value + ";expires=" + expiredate.toGMTString() + ";max-age=3600;path=/";
}function reload(x) {
setCookie("acw_sc__v2", x);
document.location.reload();
}
3.4 脚本实现
三、师傅们的动态
2022年10月13日-2023年2月23日,收集到技术文章共162条数据
3.1 作者
师傅们混身都是肝,LeeH
师傅平均10天干完一篇文章
top10作者
top3作者 - 月度发文
3.2 地区
什么?我也是四川的,那没事了
各地区 - 总发文
top3地区 - 月度发文
3.3 内容
安全研究终究是大趋势,java安全和漏洞分析霸榜
top20 - 高频词
top20内容 - 四川
top20内容 - 广东
top20内容 - 北京
四、总结
五、参考
https://xz.aliyun.com/t/10869
原文于:https://xz.aliyun.com/t/12238#toc-4
原文作者:Ainrm
点击下方小卡片或扫描下方二维码观看更多技术文章
师傅们点赞、转发、在看就是最大的支持