From 1edfbdf7d3b6ed21e2262e357ba968b109f10375 Mon Sep 17 00:00:00 2001 From: luzhisheng Date: Tue, 7 Mar 2023 01:12:46 +0800 Subject: [PATCH] =?UTF-8?q?34js=E5=8A=A0=E5=AF=86js=E5=8A=A0=E8=AF=BE?= =?UTF-8?q?=E4=BE=8B=E9=A2=981-=E8=A1=A5=E7=8E=AF=E5=A2=83?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../1.js | 19 +++--- .../2.js | 3 +- 猿人学练习/34js加密js加课例题1-补环境/main.py | 49 +++++++++++++++ .../34js加密js加课例题1-补环境/readme.md | 63 +++++++++++++++++++ .../server.js | 2 +- .../test.js | 7 ++- 6 files changed, 130 insertions(+), 13 deletions(-) rename 猿人学练习/{34js加密js加课例题1-补环境-py执行js => 34js加密js加课例题1-补环境}/1.js (98%) rename 猿人学练习/{34js加密js加课例题1-补环境-py执行js => 34js加密js加课例题1-补环境}/2.js (98%) create mode 100644 猿人学练习/34js加密js加课例题1-补环境/main.py create mode 100644 猿人学练习/34js加密js加课例题1-补环境/readme.md rename 猿人学练习/{34js加密js加课例题1-补环境-py执行js => 34js加密js加课例题1-补环境}/server.js (94%) rename 猿人学练习/{34js加密js加课例题1-补环境-py执行js => 34js加密js加课例题1-补环境}/test.js (84%) diff --git a/猿人学练习/34js加密js加课例题1-补环境-py执行js/1.js b/猿人学练习/34js加密js加课例题1-补环境/1.js similarity index 98% rename from 猿人学练习/34js加密js加课例题1-补环境-py执行js/1.js rename to 猿人学练习/34js加密js加课例题1-补环境/1.js index df02668..97f803e 100644 --- a/猿人学练习/34js加密js加课例题1-补环境-py执行js/1.js +++ b/猿人学练习/34js加密js加课例题1-补环境/1.js @@ -333,17 +333,20 @@ function binl2b64(_0x1b98x38) { } -// rnns = 'tu2qmX'; -// rind = 12; -// hex_1_str = hex_1('YCBR1vPi7L'); -// d31c713f16b0tu2qmXe008fa1c157ced +// rnns = '98TN6w'; +// rind = 49; +// hex_1_str = hex_1('VX7nWYuMh5'); // console.log(hex_1_str); -function hex_1_str(rnns, rind, sct){ - rnns = rnns; - rind = rind; - return hex_1(sct); +var rnns; +var rind; + +function hex_1_str(s, r, c){ + // rnns, rind, sct + rnns = s; + rind = parseInt(r); + return hex_1(c); } diff --git a/猿人学练习/34js加密js加课例题1-补环境-py执行js/2.js b/猿人学练习/34js加密js加课例题1-补环境/2.js similarity index 98% rename from 猿人学练习/34js加密js加课例题1-补环境-py执行js/2.js rename to 猿人学练习/34js加密js加课例题1-补环境/2.js index 232f6b9..4cd9181 100644 
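Review bot: In the new `hex_1_str`, `rind = parseInt(r);` has no radix and no check on the result, so a non-numeric or empty `r` leaves the module-level `rind` as NaN and `hex_1(c)` still runs with it; `rind = parseInt(r, 10); if (!Number.isInteger(rind)) throw new RangeError('rind must be an integer');` would fail fast instead. The parameters were renamed to `s`, `r`, `c` and the only documentation is the comment `// rnns, rind, sct`, which just lists the old names — either keep descriptive parameter names or add a one-line comment such as `// sets the module-level rnns/rind that hex_1 reads, then hashes c`. The fact that `hex_1` reads these two module-level variables is inferred from the commented example above and from this function's body; `hex_1` itself is outside the hunk.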
--- a/猿人学练习/34js加密js加课例题1-补环境-py执行js/2.js +++ b/猿人学练习/34js加密js加课例题1-补环境/2.js @@ -229,8 +229,7 @@ function binb2b64(_0x6a8ax39) { return _0x6a8ax34; } -//37e4aa5f2e8fe43d0f6b061eb3383763eed96394 -// hex_2_str = escape(hex_2('d31c713f16b0tu2qmXe008fa1c157ced')); +// hex_2_str = escape(hex_2('7adc214242f0ed39a8550b42bfa684cc98TN6w')); // console.log(hex_2_str); function hex_2_str(hex_1_str){ diff --git a/猿人学练习/34js加密js加课例题1-补环境/main.py b/猿人学练习/34js加密js加课例题1-补环境/main.py new file mode 100644 index 0000000..4ae1d63 --- /dev/null +++ b/猿人学练习/34js加密js加课例题1-补环境/main.py 
@@ -0,0 +1,49 @@ +from parsel import Selector +import requests +import re + + +def get_hex_2_str(rnns, rind, sct): + data = {"rind": rind, "rnns": rnns, "sct": sct} + url = f"http://127.0.0.1:3005/sign_34" + session = requests.session() + headers = { + 'content-type': 'application/x-www-form-urlencoded; charset=UTF-8' + } + session.headers = headers + response = session.request("POST", url, data=data) + return response.text + + +def challenge34(iloveu=''): + url = "https://www.python-spider.com/challenge/34" + session = requests.session() + headers = { + 'cookie': f'sessionid=7da5y8hmpxhsazb024bdr0trejrnifey; iloveu={iloveu}' + } + session.headers = headers + response = session.request("GET", url, headers=headers) + return response.text, response.cookies + + +def run(): + response_text, response_cookies = challenge34() + sct = requests.utils.dict_from_cookiejar(response_cookies).get('yuanrenxue34') + response_text = response_text.replace(" ", "").replace("\n", "") + rnns = re.findall(r'In2s(.*)//ashjgfg', response_text)[0] + rind = re.findall(r'CZRvoWKAU(.*)//FDi5u', response_text)[0] + rnns = rnns.replace('\\"=""*/="', "").replace('";', "") + rind = rind.replace("*//**//**/", "") + print(rnns, rind, sct) + hex_2_str = get_hex_2_str(rnns, rind, sct) + res_text, res_cookie = challenge34(hex_2_str) + res = Selector(res_text) + trS = res.xpath('//tr[@class="odd"]//td/text()').getall() + Count = 0 + for tr in trS: + Count += int(tr.strip()) + print('Count -->>', Count) + + +if __name__ == '__main__': + run() diff --git a/猿人学练习/34js加密js加课例题1-补环境/readme.md b/猿人学练习/34js加密js加课例题1-补环境/readme.md new file mode 100644 index 0000000..b5e2958 --- /dev/null +++ b/猿人学练习/34js加密js加课例题1-补环境/readme.md 
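Review bot: The `cookie` header built in `challenge34` embeds a literal `sessionid` value in source, so this commit checks a live session credential into the repository; read it from the environment instead and treat the committed value as exposed, e.g. `import os` at the top and `'cookie': f"sessionid={os.environ['CHALLENGE34_SESSIONID']}; iloveu={iloveu}"`. In `run`, `re.findall(r'In2s(.*)//ashjgfg', response_text)[0]` and the `rind` lookup raise a bare `IndexError` when the page markup changes; a match check with an explicit error message would make that failure mode clear. Minor style points: `url` in `get_hex_2_str` is an f-string with no placeholders, `challenge34` sets `headers` both on the session and on the request, and `Count`/`trS` are not snake_case.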
@@ -0,0 +1,63 @@ +# 知识点: 补环境,事件断点,轻度混淆 + +## 解题思路 + +打开控制台,请求发现返回一串js代码 + +![请求](./img/1.png) + +再观察控制台请求顺序 + +![请求](./img/2.png) + +查看2个请求地址有何区别,多了个`iloveu` + +![请求](./img/3.png) + +这时需要用到,事件脚本断点 + +![请求](./img/4.png) + +断点下一步,下一步,下一步直到h1停下来,继续打上断点 + +![请求](./img/5.png) + +在点进入下一个断点 + +![请求](./img/6.png) + +这时候就进入了h2函数里面 + +![请求](./img/7.png) + +可以看到代码 + + var _0x6a8ax2f = __Oxbb794[0x8] + escape(hex_2(hex_1(sct))); + +尝试控制台打印函数结果值 + +![请求](./img/8.png) + +到这里基本上就搞定了`iloveu`值的来源,接下来的事情就是扣代码补环境了 + +以下就是`h1.js`需要补的环境 + + navigator = { + 'userAgent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36', + 'plugins': { + 'length': 5 + } + }; + + window = global; + document = { + 'execCommand': function () { + return true + }, + 'createElement': function () { + return true + } + }; + +`h2.js`的话,直接运行就可以了,没有设置多余门槛。 + diff --git a/猿人学练习/34js加密js加课例题1-补环境-py执行js/server.js b/猿人学练习/34js加密js加课例题1-补环境/server.js similarity index 94% rename from 猿人学练习/34js加密js加课例题1-补环境-py执行js/server.js rename to 猿人学练习/34js加密js加课例题1-补环境/server.js index c60f61a..935293b 100644 --- a/猿人学练习/34js加密js加课例题1-补环境-py执行js/server.js +++ b/猿人学练习/34js加密js加课例题1-补环境/server.js @@ -7,12 +7,12 @@ app.use(bodyParser()); app.post('/sign_34', function (req, res) { + // rnns, rind, sct let result = ''; let rnns = req.body.rnns; let rind = req.body.rind; let sct = req.body.sct; let result_hex_1 = code_1.hex_1_str(rnns, rind, sct); - console.log(result_hex_1); result = code_2.hex_2_str(result_hex_1); res.send(result.toString()); }); diff --git a/猿人学练习/34js加密js加课例题1-补环境-py执行js/test.js b/猿人学练习/34js加密js加课例题1-补环境/test.js similarity index 84% rename from 猿人学练习/34js加密js加课例题1-补环境-py执行js/test.js rename to 猿人学练习/34js加密js加课例题1-补环境/test.js index f70ef20..0b5448f 100644 --- a/猿人学练习/34js加密js加课例题1-补环境-py执行js/test.js +++ b/猿人学练习/34js加密js加课例题1-补环境/test.js 
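Review bot: In the `/sign_34` handler, `req.body.rnns`, `req.body.rind` and `req.body.sct` are passed to `code_1.hex_1_str` without checking that they are present or of the expected type, so a missing or malformed field reaches the hashing code (and the `parseInt` inside `hex_1_str`) instead of being rejected; a guard before the call such as `if (typeof rnns !== 'string' || typeof sct !== 'string' || !/^\d+$/.test(String(rind))) return res.status(400).send('bad request');` would make the endpoint fail fast. The added comment `// rnns, rind, sct` only repeats the field names; a sentence stating what the handler returns — the result of `code_2.hex_2_str` applied to `code_1.hex_1_str`'s output, per the two calls below — would be more useful to a reader. Removing the `console.log(result_hex_1)` line is fine, but note that nothing now reports an error if either helper throws, so the default Express error response is what a client sees.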
@@ -23,5 +23,8 @@ rind=/* /*rind= 242;*/ -console.log(rind); -console.log(rnns); \ No newline at end of file +function rind_rnns() { + return [rind, rnns] +} + +console.log(rind_rnns()); \ No newline at end of file