34js加密js加课例题1-补环境

猿人学练习/34js加密js加课例题1-补环境/1.js

@@ -333,17 +333,20 @@ function binl2b64(_0x1b98x38) {
 }
 
 
-// rnns = 'tu2qmX';
-// rind = 12;
-// hex_1_str = hex_1('YCBR1vPi7L');
-// d31c713f16b0tu2qmXe008fa1c157ced
+// rnns = '98TN6w';
+// rind = 49;
+// hex_1_str = hex_1('VX7nWYuMh5');
 // console.log(hex_1_str);
 
 
-function hex_1_str(rnns, rind, sct){
-    rnns = rnns;
-    rind = rind;
-    return hex_1(sct);
+var rnns;
+var rind;
+
+function hex_1_str(s, r, c){
+    // rnns, rind, sct
+    rnns = s;
+    rind = parseInt(r);
+    return hex_1(c);
 }
 
 

猿人学练习/34js加密js加课例题1-补环境/2.js

@@ -229,8 +229,7 @@ function binb2b64(_0x6a8ax39) {
     return _0x6a8ax34;
 }
 
-//37e4aa5f2e8fe43d0f6b061eb3383763eed96394
-// hex_2_str = escape(hex_2('d31c713f16b0tu2qmXe008fa1c157ced'));
+// hex_2_str = escape(hex_2('7adc214242f0ed39a8550b42bfa684cc98TN6w'));
 // console.log(hex_2_str);
 
 function hex_2_str(hex_1_str){

猿人学练习/34js加密js加课例题1-补环境/main.py

@@ -0,0 +1,49 @@
+from parsel import Selector
+import requests
+import re
+
+
+def get_hex_2_str(rnns, rind, sct):
+    data = {"rind": rind, "rnns": rnns, "sct": sct}
+    url = f"http://127.0.0.1:3005/sign_34"
+    session = requests.session()
+    headers = {
+        'content-type': 'application/x-www-form-urlencoded; charset=UTF-8'
+    }
+    session.headers = headers
+    response = session.request("POST", url, data=data)
+    return response.text
+
+
+def challenge34(iloveu=''):
+    url = "https://www.python-spider.com/challenge/34"
+    session = requests.session()
+    headers = {
+        'cookie': f'sessionid=7da5y8hmpxhsazb024bdr0trejrnifey; iloveu={iloveu}'
+    }
+    session.headers = headers
+    response = session.request("GET", url, headers=headers)
+    return response.text, response.cookies
+
+
+def run():
+    response_text, response_cookies = challenge34()
+    sct = requests.utils.dict_from_cookiejar(response_cookies).get('yuanrenxue34')
+    response_text = response_text.replace(" ", "").replace("\n", "")
+    rnns = re.findall(r'In2s(.*)//ashjgfg', response_text)[0]
+    rind = re.findall(r'CZRvoWKAU(.*)//FDi5u', response_text)[0]
+    rnns = rnns.replace('\\"=""*/="', "").replace('";', "")
+    rind = rind.replace("*//**//**/", "")
+    print(rnns, rind, sct)
+    hex_2_str = get_hex_2_str(rnns, rind, sct)
+    res_text, res_cookie = challenge34(hex_2_str)
+    res = Selector(res_text)
+    trS = res.xpath('//tr[@class="odd"]//td/text()').getall()
+    Count = 0
+    for tr in trS:
+        Count += int(tr.strip())
+    print('Count -->>', Count)
+
+
+if __name__ == '__main__':
+    run()

猿人学练习/34js加密js加课例题1-补环境/readme.md

@@ -0,0 +1,63 @@
+# 知识点： 补环境，事件断点，轻度混淆
+
+## 解题思路
+
+打开控制台,请求发现返回一串js代码
+
+![请求](./img/1.png)
+
+再观察控制台请求顺序
+
+![请求](./img/2.png)
+
+查看2个请求地址有何区别，多了个`iloveu`
+
+![请求](./img/3.png)
+
+这时需要用到，事件脚本断点
+
+![请求](./img/4.png)
+
+断点下一步，下一步，下一步直到h1停下来，继续打上断点
+
+![请求](./img/5.png)
+
+在点进入下一个断点
+
+![请求](./img/6.png)
+
+这时候就进入了h2函数里面
+
+![请求](./img/7.png)
+
+可以看到代码
+
+    var _0x6a8ax2f = __Oxbb794[0x8] + escape(hex_2(hex_1(sct)));
+
+尝试控制台打印函数结果值
+
+![请求](./img/8.png)
+
+到这里基本上就搞定了`iloveu`值的来源，接下来的事情就是扣代码补环境了
+
+以下就是`h1.js`需要补的环境
+
+    navigator = {
+        'userAgent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36',
+        'plugins': {
+            'length': 5
+        }
+    };
+    
+    window = global;
+    document = {
+        'execCommand': function () {
+            return true
+        },
+        'createElement': function () {
+            return true
+        }
+    };
+
+`h2.js`的话，直接运行就可以了，没有设置多余门槛。
+

猿人学练习/34js加密js加课例题1-补环境/server.js

@@ -7,12 +7,12 @@ app.use(bodyParser());
 
 
 app.post('/sign_34', function (req, res) {
+    // rnns, rind, sct
     let result = '';
     let rnns = req.body.rnns;
     let rind = req.body.rind;
     let sct = req.body.sct;
     let result_hex_1 = code_1.hex_1_str(rnns, rind, sct);
-    console.log(result_hex_1);
     result = code_2.hex_2_str(result_hex_1);
     res.send(result.toString());
 });

猿人学练习/34js加密js加课例题1-补环境/test.js

@@ -23,5 +23,8 @@ rind=/*
 /*rind=
 242;*/
 
-console.log(rind);
-console.log(rnns);
+function rind_rnns() {
+    return [rind, rnns]
+}
+
+console.log(rind_rnns());