JS逆向:破解国家某部官网某速乐加密策略
2021-06-25 本文已影响0人
dex0423
本文我们以某安部的官网为例,破解某速乐的加密策略。本站的加密技术比较简单,适合小白进行练手。
1. 抓包分析
打开调试面板,分析请求,发现成功请求的 cookie 中有 __jsl_s=...
,同时前三个请求返回了 521,这是某速乐的典型特征。前面的三个请求其实是 状态码欺骗,服务器返回的东西被浏览器请掉了。
我们想要进行逆向分析,要借助于 Fiddler 抓包工具,使用抓包工具不会出现请求返回内容被清掉的情况。如果不想使用抓包工具,也可以直接打 script 断点,然后进行断点调试,也能找到函数加密的入口,但是会比较麻烦。
我们使用 Fiddler 进行抓包,通过分析多次请求的变化,发现在成功请求之前,浏览器向服务器发送了两次,
第一次请求:
返回 cookie 中的 __jsluid_s
,同时在返回的 script 中隐藏返回了 __jsl_clearance_s
。
执行返回的 JS 代码,可以直接得到结果,如果不嫌麻烦也可以正则替换。
1640352969(1).png
第二次请求:
前面的得到的 cookie 中的 __jsluid_s
和 __jsl_clearance_s
都被请求作为参数携带,之后服务器返回了一段新的代码。
第三次请求:
分析发现,第三次请求的 cookie 中,__jsl_clearance_s
被修改了,这个修改应该是在第二次请求返回后完成的,我们继续分析第二次请求的返回内容。
通过分析发现返回的 HTML 中有一段 script, 分析后发现这是一段 JS代码。
1640353453(1).png
返回的 JS 代码为:
var _0x44e4=['R8KjGX4=','wrlRWTI=','bsOAGhI=','FsOHwrQ=','w40ja8Ow','wphYRcKF','wpHDgz3CsA==','w7YAZMOi','wrwqw5bClA==','w6gbIFA=','w5LDhCXCkg==','bX1hVw==','wpPCicOBFg==','w5zCvkdN','UcOwdcK6','w4QxNUY=','w400c2g=','woHCp3U5','wpp5w6/Cjw==','w4IYazg=','wpwLw4Y=','ZMOZPA==','w5cZY8OR','dW4Yw7o=','ZcOHNzs=','PcKow5A8','HhHDhcKk','wpbCnVzChg==','w7UIfkA=','T0ZWw4c=','wqzCrsO0','w4wtwpc8','CMKCNgg=','w7MbYcOz','wqJ7w6nCrQ==','w6rDgEDDlw==','BcKHJQc=','OD9Swq0=','wpZXVcKP','LcOiKEk=','GMKUwqQf','woTDiXvDsg==','wqzCrUs4','w7DDuCHCrg==','w6jCmEJN','Em8Zwrg=','w6s0RMOL','wr/CtsOIHA==','V8OcwozCow==','GsKLasOz','flBCUg==','w7M7R8O2','wqfDimPDuA==','aMKgfwg=','w7rCpUzDvQ==','K8KjUcOx','GsKvwrdM','M2czwpA=','W1lXWQ==','GcKUV8O8','O1g1woE=','VsOjGxI=','w58gUgo=','HsKmwqJR','wpAew5gK','OcKGNgA=','w4s8SsOE','VMKRw7LDuQ==','wodTU8K/','w7UfQnI=','wpc/TyE=','L8Kvwo8m','bU5ww7U=','w707wrcm','wrrDoWPDtg==','FcONwrsq','w5EnMGU=','AQrDp8K5','w69Fw6sm','YMOha8Ky','QnYOwpA=','wp9CTsKN','FcKGIRM=','D8Oawo02','wpYodT4=','w7UMdhk=','w4ogWTI=','woF5bAw=','McK5LDE=','w47CsWJe','wp5BWw==','wr0Zw5PCrA==','IDLDlMKb','L8OqYsOn','w5goasOE','KH8Kwqw=','woVhUis=','w5Fjw4Iy','wrhFw6vCsw==','HVcKwpA=','YMOpwqDCrA==','w4obVVc=','WsKQw4bDhw==','wrTCpMO3Nw==','wprCq03Ckg==','wp7CgMOgPg==','acOPNDk=','wotzw4XCvA==','wqN1bMKD','esOvcA==','LXgTwos=','wqMvXhY=','w685wqc1','wo59aDA=','w5I6QXQ=','Y09sw7s=','wrNUd8Kv','wrNJw4XCig==','wr3ClEM=','aMOqDBU=','wq3CqHDCgw==','IWQJwqY=','asKhEnc=','w4TCkXhx','CMORwq8p','F1oZwoE=','wpMNw6EX','w7EBwoYK','acOhacK0','wr/CpMO9FA==','E8KeYBw=','wpV3w6LCtA==','w4E8X0M=','Zkpqw70=','eMOENCs=','w63CnURL','wonDqnTDog==','woPDtHDDog==','w7wITMOr','w70pwrUU','fsOXJyQ=','CMKew5c/','wq55XhY=','w6DDuMO4Mg==','wq1+SxI=','w7HDgFHDgA==','wrQ2w4cp','w4LCoH/Dqg==','wqjCoMOtOA==','RlQBw7g=','UUN/w7w=','w7vDqFU+','bHAWw7E=','w7Rkw7A5','w5wlb8Oy','wrM2w5TCtA==','w5DDncOtVA==','P8OwOVQ=','N8KFS8Ox','w68GYh4=','w47ClX3DlQ==','w4nCk1RB','QcKgLn0=','LcKTNjM=','Q3YBw7o=','OsK1K8Os','wo8+fis=','w4fClX/Dkw==','HMKdwrEC','DMOcwrYj','wrHDjk3Djg==','w6YOQ8OQ','wr/CkEYa','wrXCtnPCgg==','w5wsYsOs','A8Kcw6cH','w5fDhcO9Rw==','w6HDoD7ClQ==','EsOFwo8/','CcOVKH8=','6K6M5rGT6au26Kyi','M8OFO2s=','w4/DksOtVQ==','wrU3w60p','w4XDjW/DpA==','bVU9w7I=','JiwdYw==','KcKcwolg','w73DkcOtUA==','w6XDtgPCtQ==','LMO/dcOR','w5bDrXrDtQ==','P8KgJhY=','Tkx9w74=','wqtDUsKl','wqdpWC4=','w5Nww4ca','w5w4MEs=','w6k+WGs=','w7bDsVTDow=='];(function(_0x4576a7,_0x44e404){var _0x401b38=function(_0x4a4191){while(--_0x4a4191){_0x4576a7['push'](_0x4576a7['shift']());}};_0x401b38(++_0x44e404);}(_0x44e4,0x188));var _0x401b=function(_0x4576a7,_0x44e404){_0x4576a7=_0x4576a7-0x0;var _0x401b38=_0x44e4[_0x4576a7];if(_0x401b['OTSYjC']===undefined){(function(){var _0x45325a;try{var _0x24593f=Function('return\x20(function()\x20'+'{}.constructor(\x22return\x20this\x22)(\x20)'+');');_0x45325a=_0x24593f();}catch(_0x19ea10){_0x45325a=window;}var _0x4d2b89='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';_0x45325a['atob']||(_0x45325a['atob']=function(_0x39b179){var _0x22945a=String(_0x39b179)['replace'](/=+$/,'');var _0x5b972c='';for(var _0x33b518=0x0,_0x306ddd,_0x5235c4,_0xf3fccd=0x0;_0x5235c4=_0x22945a['charAt'](_0xf3fccd++);~_0x5235c4&&(_0x306ddd=_0x33b518%0x4?_0x306ddd*0x40+_0x5235c4:_0x5235c4,_0x33b518++%0x4)?_0x5b972c+=String['fromCharCode'](0xff&_0x306ddd>>(-0x2*_0x33b518&0x6)):0x0){_0x5235c4=_0x4d2b89['indexOf'](_0x5235c4);}return _0x5b972c;});}());var _0x196aa6=function(_0xf6982,_0x2224e7){var _0x5bf124=[],_0x4ca4f6=0x0,_0x34c181,_0x5e3618='',_0x38fc61='';_0xf6982=atob(_0xf6982);for(var _0x3f6d4b=0x0,_0x3cd74e=_0xf6982['length'];_0x3f6d4b<_0x3cd74e;_0x3f6d4b++){_0x38fc61+='%'+('00'+_0xf6982['charCodeAt'](_0x3f6d4b)['toString'](0x10))['slice'](-0x2);}_0xf6982=decodeURIComponent(_0x38fc61);var _0x37b560;for(_0x37b560=0x0;_0x37b560<0x100;_0x37b560++){_0x5bf124[_0x37b560]=_0x37b560;}for(_0x37b560=0x0;_0x37b560<0x100;_0x37b560++){_0x4ca4f6=(_0x4ca4f6+_0x5bf124[_0x37b560]+_0x2224e7['charCodeAt'](_0x37b560%_0x2224e7['length']))%0x100;_0x34c181=_0x5bf124[_0x37b560];_0x5bf124[_0x37b560]=_0x5bf124[_0x4ca4f6];_0x5bf124[_0x4ca4f6]=_0x34c181;}_0x37b560=0x0;_0x4ca4f6=0x0;for(var _0xdb9f26=0x0;_0xdb9f26<_0xf6982['length'];_0xdb9f26++){_0x37b560=(_0x37b560+0x1)%0x100;_0x4ca4f6=(_0x4ca4f6+_0x5bf124[_0x37b560])%0x100;_0x34c181=_0x5bf124[_0x37b560];_0x5bf124[_0x37b560]=_0x5bf124[_0x4ca4f6];_0x5bf124[_0x4ca4f6]=_0x34c181;_0x5e3618+=String['fromCharCode'](_0xf6982['charCodeAt'](_0xdb9f26)^_0x5bf124[(_0x5bf124[_0x37b560]+_0x5bf124[_0x4ca4f6])%0x100]);}return _0x5e3618;};_0x401b['eKkzWd']=_0x196aa6;_0x401b['UWlWwl']={};_0x401b['OTSYjC']=!![];}var _0x4a4191=_0x401b['UWlWwl'][_0x4576a7];if(_0x4a4191===undefined){if(_0x401b['OUtcIL']===undefined){_0x401b['OUtcIL']=!![];}_0x401b38=_0x401b['eKkzWd'](_0x401b38,_0x44e404);_0x401b['UWlWwl'][_0x4576a7]=_0x401b38;}else{_0x401b38=_0x4a4191;}return _0x401b38;};function hash(_0x2d6f49){var _0x23943a={};_0x23943a[_0x401b('0xa1','CCc&')+'J']=function(_0x48678e,_0x208f8f){return _0x48678e+_0x208f8f;};_0x23943a[_0x401b('0x24','R73i')+'n']=function(_0x546f8b,_0x176ca1){return _0x546f8b&_0x176ca1;};_0x23943a[_0x401b('0x54','O6@t')+'L']=_0x401b('0x3d','i[he')+_0x401b('0xad','f]NG')+_0x401b('0x97','uZ3e')+_0x401b('0x2c','DFKj');_0x23943a[_0x401b('0x78','$5p*')+'C']=function(_0x4304cb,_0x4244d0){return _0x4304cb>>_0x4244d0;};_0x23943a[_0x401b('0xc7','aTiX')+'n']=function(_0x48f640,_0x368d5f){return _0x48f640*_0x368d5f;};_0x23943a[_0x401b('0x10','[@8c')+'E']=function(_0x18d799,_0x411000){return _0x18d799*_0x411000;};_0x23943a[_0x401b('0x3b','REkM')+'O']=function(_0x127030,_0x94cc1c){return _0x127030>>_0x94cc1c;};_0x23943a[_0x401b('0x63','[@8c')+'D']=function(_0x262640,_0x4e1fd4){return _0x262640&_0x4e1fd4;};_0x23943a[_0x401b('0xba','b7ZU')+'s']=function(_0x29bb6a,_0x26fdbe){return _0x29bb6a-_0x26fdbe;};_0x23943a[_0x401b('0x21','m]7y')+'X']=function(_0x13a082,_0x3ec0ee){return _0x13a082*_0x3ec0ee;};_0x23943a[_0x401b('0xc1','G2qO')+'W']=function(_0xb7af84,_0x31f46c){return _0xb7af84*_0x31f46c;};_0x23943a[_0x401b('0x65','U$wh')+'k']=function(_0xc13949,_0xf5c8dc){return _0xc13949|_0xf5c8dc;};_0x23943a[_0x401b('0x18','$[h*')+'P']=function(_0x1ff6d2,_0x4e47a0){return _0x1ff6d2-_0x4e47a0;};_0x23943a[_0x401b('0x61','6I7g')+'Y']=function(_0x527f7e,_0x32567d){return _0x527f7e<_0x32567d;};_0x23943a[_0x401b('0x4a','K56X')+'n']=function(_0x49b82d,_0x985bc0){return _0x49b82d&_0x985bc0;};_0x23943a[_0x401b('0x4e','BXge')+'N']=function(_0x23567d,_0x503524){return _0x23567d^_0x503524;};_0x23943a[_0x401b('0x1','qZ*J')+'g']=function(_0x12985f,_0x388fe5){return _0x12985f&_0x388fe5;};_0x23943a[_0x401b('0x51','$5p*')+'R']=function(_0x44b66a,_0xfeb37e){return _0x44b66a<_0xfeb37e;};_0x23943a[_0x401b('0x27','$5p*')+'m']=function(_0x456daa,_0xed8d37){return _0x456daa<_0xed8d37;};_0x23943a[_0x401b('0x33','jfD(')+'B']=_0x401b('0x3a','0o5]')+_0x401b('0xb','b7ZU');_0x23943a[_0x401b('0x1b','6*F9')+'Q']=function(_0x4ebf50,_0x5758e2){return _0x4ebf50<_0x5758e2;};_0x23943a[_0x401b('0x71','uZ3e')+'g']=function(_0x518f1f,_0x32d4a0){return _0x518f1f!==_0x32d4a0;};_0x23943a[_0x401b('0x39','#ulG')+'N']=_0x401b('0xb3','REkM')+'g';_0x23943a[_0x401b('0x43','#ulG')+'g']=function(_0x25ca1c,_0x3cee16,_0x2d520b){return _0x25ca1c(_0x3cee16,_0x2d520b);};_0x23943a[_0x401b('0xbb','i[he')+'A']=function(_0x26644a,_0x230625){return _0x26644a^_0x230625;};_0x23943a[_0x401b('0xbe','N3U2')+'l']=function(_0xefb59a,_0x58a7d7){return _0xefb59a-_0x58a7d7;};_0x23943a[_0x401b('0x83','6I7g')+'f']=function(_0x112912,_0x4c88c3){return _0x112912-_0x4c88c3;};_0x23943a[_0x401b('0x5f','cYgH')+'N']=function(_0x408461,_0x1fa261,_0x342874){return _0x408461(_0x1fa261,_0x342874);};_0x23943a[_0x401b('0x66','REkM')+'B']=function(_0x211d89,_0x2be022){return _0x211d89(_0x2be022);};_0x23943a[_0x401b('0x20','@mcJ')+'D']=function(_0x4ebe5d,_0x348e53,_0x53b4ff){return _0x4ebe5d(_0x348e53,_0x53b4ff);};_0x23943a[_0x401b('0xac','G2qO')+'Z']=function(_0x491eb4,_0x42f16a){return _0x491eb4+_0x42f16a;};_0x23943a[_0x401b('0x4d','R73i')+'E']=function(_0x10ae28,_0x2ea3c5){return _0x10ae28+_0x2ea3c5;};var _0x4c9fc4=_0x23943a;function _0x823cc5(_0x4e066a,_0x2ab238){return _0x4c9fc4[_0x401b('0x7c','T3D4')+'J'](_0x4e066a&0x7fffffff,_0x4c9fc4[_0x401b('0x64','IpfQ')+'n'](_0x2ab238,0x7fffffff))^_0x4c9fc4[_0x401b('0x24','R73i')+'n'](_0x4e066a,0x80000000)^_0x2ab238&0x80000000;}function _0x108d92(_0x4348f4){var _0x2cff27=_0x4c9fc4[_0x401b('0x9a','[JgK')+'L'];var _0x1c8ce8='';for(var _0x343cb4=0x7;_0x343cb4>=0x0;_0x343cb4--){_0x1c8ce8+=_0x2cff27[_0x401b('0x47','M%y&')+'At'](_0x4c9fc4[_0x401b('0x3e','[ueK')+'n'](_0x4c9fc4[_0x401b('0x81','KObJ')+'C'](_0x4348f4,_0x4c9fc4[_0x401b('0x14','uZ3e')+'n'](_0x343cb4,0x4)),0xf));}return _0x1c8ce8;}function _0x1c669f(_0x145107){var _0x18fbe3=_0x4c9fc4[_0x401b('0x2','T3D4')+'C'](_0x145107[_0x401b('0xe','KGNL')+'th']+0x8,0x6)+0x1,_0x46045c=new Array(_0x4c9fc4[_0x401b('0xbf','[JgK')+'n'](_0x18fbe3,0x10));for(var _0x257f0c=0x0;_0x257f0c<_0x4c9fc4[_0x401b('0x76','KObJ')+'E'](_0x18fbe3,0x10);_0x257f0c++){_0x46045c[_0x257f0c]=0x0;}for(_0x257f0c=0x0;_0x257f0c<_0x145107[_0x401b('0x6f','uZ3e')+'th'];_0x257f0c++){_0x46045c[_0x4c9fc4[_0x401b('0x44','iJrI')+'O'](_0x257f0c,0x2)]|=_0x145107[_0x401b('0x30','MuIU')+_0x401b('0xa9','6I7g')+'At'](_0x257f0c)<<0x18-_0x4c9fc4[_0x401b('0x8a','HDl4')+'E'](_0x4c9fc4[_0x401b('0xb4','0d&0')+'n'](_0x257f0c,0x3),0x8);}_0x46045c[_0x257f0c>>0x2]|=0x80<<0x18-_0x4c9fc4[_0x401b('0x60','DFKj')+'D'](_0x257f0c,0x3)*0x8;_0x46045c[_0x4c9fc4[_0x401b('0xb5','XUXo')+'s'](_0x4c9fc4[_0x401b('0x0','DFKj')+'X'](_0x18fbe3,0x10),0x1)]=_0x4c9fc4[_0x401b('0xaa','KlHD')+'W'](_0x145107[_0x401b('0x5c','BXge')+'th'],0x8);return _0x46045c;}function _0x139bf6(_0x2d7286,_0x119b5b){return _0x4c9fc4[_0x401b('0xab','DFKj')+'k'](_0x2d7286<<_0x119b5b,_0x2d7286>>>_0x4c9fc4[_0x401b('0x36','K56X')+'P'](0x20,_0x119b5b));}function _0x1be9d8(_0x146cfb,_0x368fc4,_0x2c0adb,_0x33ca55){if(_0x4c9fc4[_0x401b('0x46','6*F9')+'Y'](_0x146cfb,0x14))return _0x368fc4&_0x2c0adb|_0x4c9fc4[_0x401b('0xc3','M%y&')+'n'](~_0x368fc4,_0x33ca55);if(_0x4c9fc4[_0x401b('0x87','$5p*')+'Y'](_0x146cfb,0x28))return _0x4c9fc4[_0x401b('0x5b','b7ZU')+'N'](_0x4c9fc4[_0x401b('0x22','IpfQ')+'N'](_0x368fc4,_0x2c0adb),_0x33ca55);if(_0x146cfb<0x3c)return _0x4c9fc4[_0x401b('0x98','cYgH')+'k'](_0x368fc4&_0x2c0adb,_0x4c9fc4[_0x401b('0x6','R73i')+'g'](_0x368fc4,_0x33ca55))|_0x2c0adb&_0x33ca55;return _0x368fc4^_0x2c0adb^_0x33ca55;}function _0xd86c62(_0x16001e){return _0x4c9fc4[_0x401b('0x1e','K56X')+'R'](_0x16001e,0x14)?0x5a827999:_0x4c9fc4[_0x401b('0x96','cYgH')+'R'](_0x16001e,0x28)?0x6ed9eba1:_0x4c9fc4[_0x401b('0x8b','o13F')+'m'](_0x16001e,0x3c)?-0x70e44324:-0x359d3e2a;}var _0x23fff8=_0x1c669f(_0x2d6f49);var _0x6017f0=new Array(0x50);var _0x3ecb42=0x67452301;var _0x212bba=-0x10325477;var _0x46c23e=-0x67452302;var _0x29c94c=0x10325476;var _0x162bfb=-0x3c2d1e10;for(var _0xdf787a=0x0;_0xdf787a<_0x23fff8[_0x401b('0x9f','8atC')+'th'];_0xdf787a+=0x10){var _0x4b219b=_0x3ecb42;var _0x274b5a=_0x212bba;var _0x1eff1d=_0x46c23e;var _0x2f1c66=_0x29c94c;var _0x3a19c6=_0x162bfb;for(var _0xfc52a8=0x0;_0xfc52a8<0x50;_0xfc52a8++){if(_0x4c9fc4[_0x401b('0xa3','[@8c')+'Q'](_0xfc52a8,0x10)){_0x6017f0[_0xfc52a8]=_0x23fff8[_0xdf787a+_0xfc52a8];}else{if(_0x4c9fc4[_0x401b('0xa0','G2qO')+'g'](_0x401b('0x56','CCc&')+'g',_0x4c9fc4[_0x401b('0x41','iJrI')+'N'])){var _0x3d56a5=window[_0x401b('0x2d','n8g5')+_0x401b('0x2e','T3D4')+'r'][_0x401b('0xae','BXge')+_0x401b('0x3','cYgH')+'t'],_0x20cf0c=[_0x4c9fc4[_0x401b('0x1a','o13F')+'B']];for(var _0x5e1d72=0x0;_0x5e1d72<_0x20cf0c[_0x401b('0x50','qZ*J')+'th'];_0x5e1d72++){if(_0x3d56a5[_0x401b('0xd','T3D4')+_0x401b('0x7e','XUXo')](_0x20cf0c[_0x5e1d72])!=-0x1){return!![];}}if(window[_0x401b('0xb6','REkM')+_0x401b('0x9e','qZ*J')+_0x401b('0x1d','@mcJ')]||window[_0x401b('0x70','XUXo')+_0x401b('0x59','T3D4')]||window[_0x401b('0x93','$5p*')+_0x401b('0x31','!7Hr')]||window[_0x401b('0x57','f]NG')+_0x401b('0x88','f]NG')+'r'][_0x401b('0x2b','aTiX')+_0x401b('0xa4','N3U2')+'r']||window[_0x401b('0x28','DFKj')+_0x401b('0x40','M%y&')+'r'][_0x401b('0x9','cYgH')+_0x401b('0x90','QEj2')+_0x401b('0x49','DFKj')+_0x401b('0x29','K56X')+'e']||window[_0x401b('0xaf','[ueK')+_0x401b('0x8d','qZ*J')+'r'][_0x401b('0x17','O6@t')+_0x401b('0x7b','qZ*J')+_0x401b('0x4c','T3D4')+_0x401b('0x4','CCc&')+_0x401b('0x42','0o5]')]){return!![];}}else{_0x6017f0[_0xfc52a8]=_0x4c9fc4[_0x401b('0x3c','QEj2')+'g'](_0x139bf6,_0x4c9fc4[_0x401b('0x86','[JgK')+'N'](_0x4c9fc4[_0x401b('0x67','dxjJ')+'A'](_0x6017f0[_0x4c9fc4[_0x401b('0x19','0d&0')+'l'](_0xfc52a8,0x3)],_0x6017f0[_0x4c9fc4[_0x401b('0x2a','o13F')+'f'](_0xfc52a8,0x8)]),_0x6017f0[_0xfc52a8-0xe])^_0x6017f0[_0x4c9fc4[_0x401b('0x25','qZ*J')+'f'](_0xfc52a8,0x10)],0x1);}}t=_0x823cc5(_0x823cc5(_0x4c9fc4[_0x401b('0x5','O6@t')+'g'](_0x139bf6,_0x3ecb42,0x5),_0x1be9d8(_0xfc52a8,_0x212bba,_0x46c23e,_0x29c94c)),_0x823cc5(_0x4c9fc4[_0x401b('0x37','uZ3e')+'N'](_0x823cc5,_0x162bfb,_0x6017f0[_0xfc52a8]),_0x4c9fc4[_0x401b('0x69','CCc&')+'B'](_0xd86c62,_0xfc52a8)));_0x162bfb=_0x29c94c;_0x29c94c=_0x46c23e;_0x46c23e=_0x4c9fc4[_0x401b('0xb9','jfD(')+'N'](_0x139bf6,_0x212bba,0x1e);_0x212bba=_0x3ecb42;_0x3ecb42=t;}_0x3ecb42=_0x4c9fc4[_0x401b('0x4b','UHd8')+'N'](_0x823cc5,_0x3ecb42,_0x4b219b);_0x212bba=_0x4c9fc4[_0x401b('0xb7','m]7y')+'N'](_0x823cc5,_0x212bba,_0x274b5a);_0x46c23e=_0x823cc5(_0x46c23e,_0x1eff1d);_0x29c94c=_0x823cc5(_0x29c94c,_0x2f1c66);_0x162bfb=_0x4c9fc4[_0x401b('0xb8','N3U2')+'D'](_0x823cc5,_0x162bfb,_0x3a19c6);}return _0x4c9fc4[_0x401b('0xa6','#ulG')+'Z'](_0x4c9fc4[_0x401b('0x23','XUXo')+'E'](_0x4c9fc4[_0x401b('0x8c','R73i')+'B'](_0x108d92,_0x3ecb42),_0x108d92(_0x212bba))+_0x4c9fc4[_0x401b('0x89','uZ3e')+'B'](_0x108d92,_0x46c23e)+_0x4c9fc4[_0x401b('0x73','o13F')+'B'](_0x108d92,_0x29c94c),_0x108d92(_0x162bfb));}function go(_0x5048ef){var _0x15516d={};_0x15516d[_0x401b('0x72','HkAk')+'K']=_0x401b('0x9e','qZ*J')+_0x401b('0x26','uZ3e');_0x15516d[_0x401b('0xc','K56X')+'X']=function(_0x5057a9,_0x367059){return _0x5057a9!=_0x367059;};_0x15516d[_0x401b('0x84','b7ZU')+'n']=function(_0x4da8d9,_0x4f0417){return _0x4da8d9<_0x4f0417;};_0x15516d[_0x401b('0x9b','[ueK')+'N']=function(_0x3fb843,_0x1acc8b){return _0x3fb843+_0x1acc8b;};_0x15516d[_0x401b('0x92','REkM')+'q']=function(_0x56cc2b,_0x5cb583){return _0x56cc2b(_0x5cb583);};_0x15516d[_0x401b('0x15','6I7g')+'e']=_0x401b('0x58','dxjJ')+_0x401b('0xc0','!7Hr')+'=';_0x15516d[_0x401b('0x4f','MuIU')+'S']=function(_0x28e7e5,_0x1303a3,_0x1164dd){return _0x28e7e5(_0x1303a3,_0x1164dd);};_0x15516d[_0x401b('0x79','cYgH')+'i']=function(_0x30f796,_0x1163c2){return _0x30f796>_0x1163c2;};_0x15516d[_0x401b('0xb2','!7Hr')+'M']=function(_0x46612f,_0x524547){return _0x46612f-_0x524547;};_0x15516d[_0x401b('0x6c','o1mN')+'t']=_0x401b('0xbc','KObJ')+'失败';var _0xc404ee=_0x15516d;function _0x47329e(){var _0x481558=window[_0x401b('0x94','@mcJ')+_0x401b('0xa5','i[he')+'r'][_0x401b('0x2f','i[he')+_0x401b('0x8','KlHD')+'t'],_0x34b55a=[_0xc404ee[_0x401b('0x5e','6*F9')+'K']];for(var _0x2f5b7a=0x0;_0x2f5b7a<_0x34b55a[_0x401b('0x82','KlHD')+'th'];_0x2f5b7a++){if(_0xc404ee[_0x401b('0x52','!7Hr')+'X'](_0x481558[_0x401b('0xf','K56X')+_0x401b('0x62','cYgH')](_0x34b55a[_0x2f5b7a]),-0x1)){return!![];}}if(window[_0x401b('0xc5','jfD(')+_0x401b('0x7f','HkAk')+_0x401b('0x75','f]NG')]||window[_0x401b('0x16','f]NG')+_0x401b('0xb1','b7ZU')]||window[_0x401b('0xc6','U$wh')+_0x401b('0x99','aTiX')]||window[_0x401b('0x45','HkAk')+_0x401b('0xa8','[ueK')+'r'][_0x401b('0x53','b7ZU')+_0x401b('0x55','IpfQ')+'r']||window[_0x401b('0x5d','6*F9')+_0x401b('0xb0','MuIU')+'r'][_0x401b('0x7d','o13F')+_0x401b('0x6e','UHd8')+_0x401b('0xc4','N3U2')+_0x401b('0x95','m]7y')+'e']||window[_0x401b('0x85','dxjJ')+_0x401b('0x8f','6I7g')+'r'][_0x401b('0x1f','G2qO')+_0x401b('0x34','6I7g')+_0x401b('0xc2','D]Y!')+_0x401b('0x38','o1mN')+_0x401b('0x3f','#ulG')]){return!![];}};if(_0x47329e()){return;}var _0x4fc19c=new Date();function _0x3f7a6d(_0x175568,_0xfe0b72){var _0x3b19c1=_0x5048ef[_0x401b('0x91','QEj2')+'s'][_0x401b('0x9d','G2qO')+'th'];for(var _0x5a84af=0x0;_0x5a84af<_0x3b19c1;_0x5a84af++){for(var _0x4c66d9=0x0;_0xc404ee[_0x401b('0x6b','iJrI')+'n'](_0x4c66d9,_0x3b19c1);_0x4c66d9++){var _0x28a628=_0xc404ee[_0x401b('0x7a','$[h*')+'N'](_0xc404ee[_0x401b('0xbd','i[he')+'N'](_0xfe0b72[0x0]+_0x5048ef[_0x401b('0xa2','REkM')+'s'][_0x401b('0x6d','$[h*')+'tr'](_0x5a84af,0x1),_0x5048ef[_0x401b('0xa2','REkM')+'s'][_0x401b('0x11','O6@t')+'tr'](_0x4c66d9,0x1)),_0xfe0b72[0x1]);if(_0xc404ee[_0x401b('0x13','0o5]')+'q'](hash,_0x28a628)==_0x175568){return[_0x28a628,new Date()-_0x4fc19c];}}}};var _0x39fec4=_0xc404ee[_0x401b('0x12','jfD(')+'S'](_0x3f7a6d,_0x5048ef['ct'],_0x5048ef[_0x401b('0x1c','[JgK')]);if(_0x39fec4){var _0x1dc236;if(_0x5048ef['wt']){_0x1dc236=_0xc404ee[_0x401b('0x80','XUXo')+'i'](parseInt(_0x5048ef['wt']),_0x39fec4[0x1])?_0xc404ee[_0x401b('0x77','BXge')+'M'](parseInt(_0x5048ef['wt']),_0x39fec4[0x1]):0x1f4;}else{_0x1dc236=0x5dc;}_0xc404ee[_0x401b('0x6a','o13F')+'S'](setTimeout,function(){document[_0x401b('0x68','cYgH')+'ie']=_0xc404ee[_0x401b('0x35','dxjJ')+'N'](_0xc404ee[_0x401b('0x7','aTiX')+'N'](_0x5048ef['tn']+'='+_0x39fec4[0x0],_0xc404ee[_0x401b('0xa','HkAk')+'e']),_0x5048ef['vt'])+(_0x401b('0x32','8atC')+_0x401b('0xa7','O6@t')+'\x20/');location[_0x401b('0x8e','@mcJ')]=location[_0x401b('0x9c','uZ3e')+_0x401b('0x48','[JgK')]+location[_0x401b('0x5a','DFKj')+'ch'];},_0x1dc236);}else{alert(_0xc404ee[_0x401b('0x74','T3D4')+'t']);}};go({"bts":["1640352135.056|0|09R","YO0nUDN4n9GAdr1E0z1QbI%3D"],"chars":"BlfYQTtCkItHcOOLSaFyqB","ct":"b6d22860a990b7757d364de7228e04e4bfc18429","ha":"sha1","tn":"__jsl_clearance_s","vt":"3600","wt":"1500"})
2. 逆向分析
格式美化后复制到 Notepad 并折叠展示。
1640359762(1).png
观察发现代码都已经被做了混淆,根据经验判断是 ob 混淆,我们用反混淆工具 http://www.jsnice.org/ 进行反混淆操作。
打开乐易调试工具,将反混淆后的 JS 代码复制进去。根据报错,我们依次添加
var targetLocale = UA值
、document={};
、注释掉 if (window["callPhantom"] || window["_phantom"]
、注释 location["href"]=...
、注释 setTimeout(function() {...
、导出 document["cookie"]
、赋值 arg={"bts" : ["16403 ...
、执行 go(arg)
。最后得到返回值:
__jsl_clearance_s=1640352135.056|0|09RqBYO0nUDN4n9GAdr1E0z1QbI%3D;Max-age=3600; path = /
。1640360347(1).png