一次简单的先知社区js逆向记录
2023-3-11 19:59:29 Author: 猪猪谈安全(查看原文) 阅读量:28 收藏

一、简述

自去年10月起,先知平台公开了文章发表时的IP归属地,迫于工作不饱和,抓点数据来看看师傅们最近在干啥

二、处理反爬

直接用 requests 发起请求,大概一分钟后服务端开始返回一段 js 代码而不是文章内容:这是一段需要在浏览器里执行、算出校验 cookie(acw_sc__v2)后才放行的挑战脚本,纯 requests 脚本没有 js 执行环境,算不出对应结果,即网站存在 js 反爬

随后花了亿点点时间梳理逻辑,整个js流程大致分三个块:

  1. 数组还原

  2. 数组解密

  3. cookie生成

3.1 数组还原

首先是一个自执行函数,对大数组_0x4818做头出尾进(左旋)操作。传入 347 经 ++ 后为 348,但 while (--n) 是先减再判断,实际只旋转 347 次;数组共 56 项,347 mod 56 = 11,所以净效果是整体左移 11 位——还原后的首项正是原数组下标 11 的 'wqImMT0tw6RNw5k='

  • array["push"](array["shift"]());

// Self-invoking function that "un-shuffles" the big string table _0x4818.
// Obfuscators rotate the table at build time; this restores the original order
// so that every later _0x55f3("0x..") index lines up with the right entry.
(function (_0x4c97f0, _0x1742fd) {
// Rotate the array left `_0x48181e - 1` times: `while (--n)` pre-decrements,
// so a call with 348 performs 347 shift/push pairs. The table has 56 entries
// and 347 mod 56 = 11, i.e. a net left rotation by 11 positions.
var _0x4db1c = function (_0x48181e) {
while (--_0x48181e) {
_0x4c97f0["push"](_0x4c97f0["shift"]()); // remove head, append to tail: left rotation by one
}
};
// The rotation is only reached through "getCookie" below; the excerpt elides
// the rest of the object and the call chain that actually invokes it.
var _0x3cd6c6 = function () {
var _0xb8360b = {
...
"getCookie": function (_0x4a11fe, _0x189946) {
...
// Calls _0x4db1c(347 + 1): the ++ is why the rotation count is 348 on entry.
var _0x52d57c = function (_0x105f59, _0x3fd789) {
_0x105f59(++_0x3fd789); // _0x4db1c(++347)
};
_0x52d57c(_0x4db1c, _0x1742fd);
}
};
};
})(_0x4818, 347);

得到还原乱序后的数组

// 还原前
// Obfuscated string table exactly as shipped, before the rotation above.
// 56 entries, each a base64-looking RC4 ciphertext; none is readable until
// _0x55f3 decrypts it with the per-call key.
var _0x4818 = ["csKHwqMI", "ZsKJwr8VeAsy", "UcKiN8O/wplwMA==", "JR8CTg==", "YsOnbSEQw7ozwqZKesKUw7kwX8ORIQ==",
"w7oVS8OSwoPCl3jChMKhw6HDlsKXw4s/YsOG", "fwVmI1AtwplaY8Otw5cNfSgpw6M=", "OcONwrjCqsKxTGTChsOjEWE8PcOcJ8K6",
"U8K5LcOtwpV0EMOkw47DrMOX", "HMO2woHCiMK9SlXClcOoC1k=", "asKIwqMDdgMuPsOKBMKcwrrCtkLDrMKBw64d",
"wqImMT0tw6RNw5k=", "DMKcU0JmUwUv", "VjHDlMOHVcONX3fDicKJHQ==",
"wqhBH8Knw4TDhSDDgMOdwrjCncOWwphhN8KCGcKqw6dHAU5+wrg2JcKaw4IEJcOcwrRJwoZ0wqF9YgAV", "dzd2w5bDm3jDpsK3wpY=",
"w4PDgcKXwo3CkcKLwr5qwrY=", "wrJOTcOQWMOg", "wqTDvcOjw447wr4=", "w5XDqsKhMF1/", "wrAyHsOfwppc", "J3dVPcOxLg==",
"wrdHw7p9Zw==", "w4rDo8KmNEw=", "IMKAUkBt", "w6bDrcKQwpVHwpNQwqU=", "d8OsWhAUw7YzwrU=", "wqnCksOeezrDhw==",
"UsKnIMKWV8K/", "w4zDocK8NUZv", "c8OxZhAJw6skwqJj", "PcKIw4nCkkVb", "KHgodMO2VQ==", "wpsmwqvDnGFq",
"wqLDt8Okw4c=", "w7w1w4PCpsO4wqA=", "wq9FRsOqWMOq", "byBhw7rDm34=", "LHg+S8OtTw==", "wqhOw715dsOH",
"U8O7VsO0wqvDvcKuKsOqX8Kr", "Yittw5DDnWnDrA==", "YMKIwqUUfgIk", "aB7DlMODTQ==", "wpfDh8Orw6kk",
"w7vCqMOrY8KAVk5OwpnCu8OaXsKZP3DClcKyw6HDrQ==",
"wow+w6vDmHpsw7Rtwo98LC7CiG7CksORT8KlW8O5wr3Di8OTHsODeHjDmcKlJsKqVA==", "NwV+", "w7HDrcKtwpJawpZb",
"wpQswqvDiHpuw6I=", "YMKUwqMJZQ==", "KH1VKcOqKsK1", "fQ5sFUkkwpI=", "wrvCrcOBR8Kk", "M3w0fQ==",
"w6xXwqPDvMOFwo5d"];

// 还原后
// The same table after the 347 shift/push rotations (347 mod 56 = 11): every
// entry moved 11 positions to the left, so the old index 11 ('wqImMT0tw6RNw5k=')
// is now index 0 and the old indices 0..10 wrap around to the tail.
// Still ciphertext at this point; only the ordering has changed.
var _0x4818 = ['wqImMT0tw6RNw5k=', 'DMKcU0JmUwUv', 'VjHDlMOHVcONX3fDicKJHQ==',
'wqhBH8Knw4TDhSDDgMOdwrjCncOWwphhN8KCGcKqw6dHAU5+wrg2JcKaw4IEJcOcwrRJwoZ0wqF9YgAV', 'dzd2w5bDm3jDpsK3wpY=',
'w4PDgcKXwo3CkcKLwr5qwrY=', 'wrJOTcOQWMOg', 'wqTDvcOjw447wr4=', 'w5XDqsKhMF1/', 'wrAyHsOfwppc', 'J3dVPcOxLg==',
'wrdHw7p9Zw==', 'w4rDo8KmNEw=', 'IMKAUkBt', 'w6bDrcKQwpVHwpNQwqU=', 'd8OsWhAUw7YzwrU=', 'wqnCksOeezrDhw==',
'UsKnIMKWV8K/', 'w4zDocK8NUZv', 'c8OxZhAJw6skwqJj', 'PcKIw4nCkkVb', 'KHgodMO2VQ==', 'wpsmwqvDnGFq',
'wqLDt8Okw4c=', 'w7w1w4PCpsO4wqA=', 'wq9FRsOqWMOq', 'byBhw7rDm34=', 'LHg+S8OtTw==', 'wqhOw715dsOH',
'U8O7VsO0wqvDvcKuKsOqX8Kr', 'Yittw5DDnWnDrA==', 'YMKIwqUUfgIk', 'aB7DlMODTQ==', 'wpfDh8Orw6kk',
'w7vCqMOrY8KAVk5OwpnCu8OaXsKZP3DClcKyw6HDrQ==',
'wow+w6vDmHpsw7Rtwo98LC7CiG7CksORT8KlW8O5wr3Di8OTHsODeHjDmcKlJsKqVA==', 'NwV+', 'w7HDrcKtwpJawpZb',
'wpQswqvDiHpuw6I=', 'YMKUwqMJZQ==', 'KH1VKcOqKsK1', 'fQ5sFUkkwpI=', 'wrvCrcOBR8Kk', 'M3w0fQ==',
'w6xXwqPDvMOFwo5d', 'csKHwqMI', 'ZsKJwr8VeAsy', 'UcKiN8O/wplwMA==', 'JR8CTg==',
'YsOnbSEQw7ozwqZKesKUw7kwX8ORIQ==', 'w7oVS8OSwoPCl3jChMKhw6HDlsKXw4s/YsOG', 'fwVmI1AtwplaY8Otw5cNfSgpw6M=',
'OcONwrjCqsKxTGTChsOjEWE8PcOcJ8K6', 'U8K5LcOtwpV0EMOkw47DrMOX', 'HMO2woHCiMK9SlXClcOoC1k=',
'asKIwqMDdgMuPsOKBMKcwrrCtkLDrMKBw64d'];

3.2 数组解密

此时 _0x4818 数组里仍是 base64 形态的密文,不可读;真正的取值由 _0x55f3(index, key) 完成:index 是十六进制字符串,parseInt(index, 16) 后作为 _0x4818 的下标取出密文,再用调用处传入的 key 做 rc4 解密,结果缓存进 _0x55f3["data"],后续同一下标直接取缓存

// String-table accessor behind every obfuscated property lookup below.
// _0x4c97f0: table index as a hex string (e.g. "0x22"); _0x1742fd: the RC4 key
// for that entry (each call site carries its own key).
var _0x55f3 = function (_0x4c97f0, _0x1742fd) {
var _0x4c97f0 = parseInt(_0x4c97f0, 16); // hex index -> decimal index into _0x4818
var _0x48181e = _0x4818[_0x4c97f0];
...
// Memoised: each entry is decrypted once and cached in _0x55f3["data"] under
// its decimal index, which is why the dumped "data" object further down is
// keyed "1", "3", "34", ... rather than by the hex strings seen at call sites.
if (_0x55f3["data"][_0x4c97f0] === undefined) {
...
// RC4-decrypt the table entry (the rc4 helper and the base64 step it presumably
// performs are elided from this excerpt).
_0x48181e = _0x55f3["rc4"](_0x48181e, _0x1742fd); // rc4 decrypt
_0x55f3["data"][_0x4c97f0] = _0x48181e; // populate the cache
} else {
_0x48181e = _0x55f3["data"][_0x4c97f0];
}
return _0x48181e;
};

// Anti-debugging prologue: silences console output, then hooks the real
// cookie routine `l` to DOMContentLoaded. The decrypted table entries
// (decimal keys 34, 35, 38, 41/42, 44/45, 47/48, 51/52 in the dump further
// down) spell out what each obfuscated lookup resolves to.
if (function () {
...
// _0x3a394d(this, fn) is elided; it appears to wrap fn so that calling
// _0x5b6351() runs the body below — TODO confirm against the full script.
var _0x5b6351 = _0x3a394d(this, function () {
// "0x22" + "0x23" => `return (function() {}.constructor("return this")( ));`
// — a Function() trick that yields the global object even under strict mode.
var _0x46cbaa = Function(_0x55f3("0x22", "&hZY") + _0x55f3("0x23", "aH*N") + ");");
var _0x1766ff = function () {}; // no-op that replaces the console methods
var _0x9b5e29 = _0x46cbaa(); // the global object (window)
_0x9b5e29[_0x55f3("0x26", "aH*N")]["log"] = _0x1766ff; // console.log   = noop
_0x9b5e29[_0x55f3("0x29", "V%YR")][_0x55f3("0x2a", "P^Eq")] = _0x1766ff; // console.error = noop
_0x9b5e29[_0x55f3("0x2c", "lgM0")][_0x55f3("0x2d", "L$(D")] = _0x1766ff; // console.warn  = noop
_0x9b5e29[_0x55f3("0x2f", "CZc8")][_0x55f3("0x30", "Wu6%")] = _0x1766ff; // console.info  = noop
});
_0x5b6351();
...
}()) {
// "0x33"/"0x34" => document.addEventListener("DOMContentLoaded", l, false)
document[_0x55f3("0x33", "V%YR")](_0x55f3("0x34", "yApz"), l, false);
} else {
// Fallback registration for user agents without addEventListener; "0x36"/"0x37"
// are not in the dump, so the exact method/event name is unverified here.
document[_0x55f3("0x36", "yApz")](_0x55f3("0x37", "L$(D"), l);
}

得到真正的查表结果 _0x55f3["data"](它是一个对象,键是上面十六进制下标对应的十进制,例如 _0x55f3("0x22", ...) 对应 "34");下面只列出了本文用到的条目,运行时对象里还有更多

// Decrypted string table, as dumped from the running page. _0x55f3 fills this
// lazily and keys it by the *decimal* table index (parseInt(hexIndex, 16)), so
// _0x55f3("0x22", ...) lands in entry 34. Only the entries referenced by the
// excerpts in this write-up are listed; the live object holds more.
_0x55f3.data = {
  1: "_phantom", // headless-browser marker polled in l()
  3: "3000176000856006061501533003690027800375", // fixed 40-hex-char hexXor key
  5: "prototype",
  6: "hexXor",
  20: "unsbox",
  25: "unsbox",
  33: "apply",
  34: "return (function() ", // 34 + 35 => Function() source that returns the global object
  35: "{}.constructor(\"return this\")( )",
  38: "console",
  41: "console",
  42: "error",
  44: "console",
  45: "warn",
  47: "console",
  48: "info",
  51: "addEventListener",
  52: "DOMContentLoaded",
};

3.3 cookie生成

最后依次调用 unsbox() 和 hexXor():随挑战页面下发的 40 位十六进制串 arg1 先按固定置换表重排,再与 _0x55f3["data"]["3"] 里的 40 位密钥逐字节异或,得到 arg2 写入 cookie,随后刷新页面。整个计算都在客户端、没有服务端秘密,所以可以离线复现;arg1 每次由服务端给出,置换表和密钥是否随版本变化本文未验证

  • arg2 = arg1.unsbox().hexXor("3000176000856006061501533003690027800375");

  • document.cookie = acw_sc__v2 + "=" + arg2;

// arg1 is the per-challenge nonce embedded in the returned page: 40 hex chars
// (20 bytes). It is served in the clear and the transform below uses a fixed
// key, so the cookie can be computed offline by anyone who reproduces
// unsbox/hexXor — there is no server-side secret involved.
var arg1 = '2F526E76D908955D2065FE39FACBFD626530F9B0';
// Runs on DOMContentLoaded (registered in the prologue above).
var l = function () {
// "0x1" => "_phantom": if PhantomJS/phantomas globals exist, spin forever —
// a tarpit for headless browsers rather than a real validity check.
while (window[_0x55f3("0x1", "XMW^")] || window["__phantomas"]) {};
// "0x3" => the fixed 40-hex-char XOR key "3000176000856006061501533003690027800375".
var _0x5e8b26 = _0x55f3("0x3", "jS1Y");
// "0x5"/"0x6" => String.prototype.hexXor: byte-wise XOR of two hex strings,
// returning lowercase hex. Monkey-patches a native prototype.
String[_0x55f3("0x5", "n]fR")][_0x55f3("0x6", "Pg54")] = function (_0x4e08d8) { // hexXor
var _0x5a5d3b = "";
// Walk both strings two hex digits at a time, stopping at the shorter one.
// "0x8"/"0xa" are not in the dump; from their use here they must be "length".
for (var _0xe89588 = 0; _0xe89588 < this[_0x55f3("0x8", ")hRc")] && _0xe89588 < _0x4e08d8[_0x55f3("0xa",
"jE&^")]; _0xe89588 += 2) {
// "0xb"/"0xd": a two-argument substring method (slice/substring; not in the dump).
var _0x401af1 = parseInt(this[_0x55f3("0xb", "V2KE")](_0xe89588, _0xe89588 + 2), 16);
var _0x105f59 = parseInt(_0x4e08d8[_0x55f3("0xd", "XMW^")](_0xe89588, _0xe89588 + 2), 16);
var _0x189e2c = (_0x401af1 ^ _0x105f59)[_0x55f3("0xf", "W1FE")](16); // presumably toString(16)
if (_0x189e2c[_0x55f3("0x11", "MGrv")] == 1) { // left-pad a single hex digit to two
_0x189e2c = "0" + _0x189e2c;
}
_0x5a5d3b += _0x189e2c;
}
return _0x5a5d3b;
};
// "0x14" => String.prototype.unsbox: a fixed permutation of 40 positions,
// out[j] = in[perm[j] - 1] (perm is 1-based). Characters past index 39 are
// dropped; for shorter inputs the unfilled slots join() as empty strings.
String["prototype"][_0x55f3("0x14", "Z*DM")] = function () { // unsbox
var _0x4b082b = [15, 35, 29, 24, 33, 16, 1, 38, 10, 9, 19, 31, 40, 27, 22, 23, 25, 13, 6, 11, 39, 18,
20, 8, 14, 21, 32, 26, 2, 30, 7, 4, 17, 5, 3, 28, 34, 37, 12, 36];
var _0x4da0dc = [];
var _0x12605e = "";
// Linear search of the table per input char (obfuscator noise); "0x16" is
// used as the table's length and is not in the dump.
for (var _0x20a7bf = 0; _0x20a7bf < this["length"]; _0x20a7bf++) {
var _0x385ee3 = this[_0x20a7bf];
for (var _0x217721 = 0; _0x217721 < _0x4b082b[_0x55f3("0x16", "aH*N")]; _0x217721++) {
if (_0x4b082b[_0x217721] == _0x20a7bf + 1) {
_0x4da0dc[_0x217721] = _0x385ee3;
}
}
}
_0x12605e = _0x4da0dc["join"]("");
return _0x12605e;
};
var _0x23a392 = arg1[_0x55f3("0x19", "Pg54")](); // arg1.unsbox()  ("0x19" => "unsbox")
// arg2 is assigned without var/let and so becomes an implicit global; the
// string form of setTimeout below relies on resolving it by name.
arg2 = _0x23a392[_0x55f3("0x1b", "z5O&")](_0x5e8b26); // _0x23a392.hexXor(_0x5e8b26) ("0x1b" not in dump)
// setTimeout with a string argument is an implicit eval of "reload(arg2)",
// which stores the acw_sc__v2 cookie and reloads the page.
setTimeout("reload(arg2)", 2); // -> reload(arg2) -> setCookie
};

/**
 * Persists the challenge answer as a first-party cookie.
 * The cookie lives for one hour, expressed both as an absolute `expires`
 * date (for legacy user agents) and as `max-age=3600`, scoped to `path=/`.
 * No `Secure`/`SameSite` attributes are set — this is the WAF's own challenge
 * script reproduced verbatim, not something the article author controls.
 *
 * @param {string} name  cookie name (the caller in this script passes "acw_sc__v2")
 * @param {string} value cookie value; written as-is, no encoding is applied
 */
function setCookie(name, value) {
  const oneHourMs = 3600000;
  const expires = new Date(Date.now() + oneHourMs);
  // toUTCString() is the same function object as the legacy toGMTString().
  document.cookie = `${name}=${value};expires=${expires.toUTCString()};max-age=3600;path=/`;
}

/**
 * Stores the computed challenge answer under the WAF's cookie name and
 * reloads so the next request carries it. Reached from `l` through
 * `setTimeout("reload(arg2)", 2)`, i.e. looked up by name in global scope.
 *
 * @param {string} x the hexXor output (arg2)
 */
function reload(x) {
  const cookieName = "acw_sc__v2";
  setCookie(cookieName, x);
  document.location.reload();
}

3.4 脚本实现

原文此处未附脚本正文。按上面梳理的逻辑,复现思路大致是:从返回的 js 中提取 arg1,用 Python 重写 unsbox 的置换和 hexXor 的逐字节异或得到 arg2,再把 acw_sc__v2=arg2 作为 cookie 带上重新请求即可。

三、师傅们的动态

2022年10月13日-2023年2月23日,收集到技术文章共162条数据

3.1 作者

师傅们浑身都是肝,LeeH师傅平均10天干完一篇文章

top10作者

top3作者 - 月度发文

3.2 地区

什么?我也是四川的,那没事了

各地区 - 总发文

top3地区 - 月度发文

3.3 内容

安全研究终究是大趋势,java安全和漏洞分析霸榜

top20 - 高频词

top20内容 - 四川

top20内容 - 广东

top20内容 - 北京

四、总结


五、参考

原文链接:https://xz.aliyun.com/t/12238#toc-4 ;原文作者:Ainrm




文章来源: http://mp.weixin.qq.com/s?__biz=MzIyMDAwMjkzNg==&mid=2247508207&idx=1&sn=21d39c7770b124a3bfe68b4650d3cb47&chksm=97d04ff8a0a7c6ee4ff9affe19087d323f637b73f35d80124718807b4294c1ea3f43b7780c0a#rd