diff --git a/img/14.png b/img/14.png
new file mode 100644
index 0000000..94b0e28
Binary files /dev/null and b/img/14.png differ
diff --git a/img/15.png b/img/15.png
new file mode 100644
index 0000000..e6f9bb4
Binary files /dev/null and b/img/15.png differ
diff --git a/img/16.png b/img/16.png
new file mode 100644
index 0000000..5f47ccf
Binary files /dev/null and b/img/16.png differ
diff --git a/img/17.png b/img/17.png
new file mode 100644
index 0000000..556ed43
Binary files /dev/null and b/img/17.png differ
diff --git a/img/18.png b/img/18.png
new file mode 100644
index 0000000..b46cda9
Binary files /dev/null and b/img/18.png differ
diff --git a/img/19.png b/img/19.png
new file mode 100644
index 0000000..142b620
Binary files /dev/null and b/img/19.png differ
diff --git a/zy-极验滑快/3.极验滑块 跟W值2.md b/zy-极验滑快/3.极验滑块 跟W值2.md
index 1981e08..c9a3814 100644
--- a/zy-极验滑快/3.极验滑块 跟W值2.md
+++ b/zy-极验滑快/3.极验滑块 跟W值2.md
@@ -4,8 +4,136 @@ , l = V[$_CAGEe(342)](gt[$_CAGEe(209)](o), r[$_CAGEe(742)]()) , h = m[$_CAGEe(733)](l) -## 先调试 u 变量,给每行代码打上断点 +先调试 u 变量,给每行代码打上断点 + +先进入方法体,如果在 sources 点击不进去,那就在空值台进入 + + t[$_CFABz(1399)] + +![debugger](../img/14.png) + +进入后分析代码流程 ![debugger](../img/13.png) -这里有个知识点 256 ,我们的字节码 0-255, 一共就256个,一般256模值 \ No newline at end of file + "\u0024\u005f\u0043\u0043\u0047\u006a": function(e) { + var $_CHCBt = pfkKi.$_CD + , $_CHCAX = ['$_CHCEQ'].concat($_CHCBt) + , $_CHCCP = $_CHCAX[1]; + $_CHCAX.shift(); + var $_CHCDH = $_CHCAX[0]; + var t = new X()[$_CHCBt(56)](this[$_CHCBt(1374)](e)); + while (!t || 256 !== t[$_CHCCP(22)]) + t = new X()[$_CHCBt(56)](this[$_CHCBt(1374)](!0)); + return t; + } + +其中r = t[$_CFABz(1399)]()生成的是加密字符串 + + "404701c32cffcaa294a77f96555405374842631a60fc91d04133982d61a1fefb21bf5f409db4b1fbd741924b787244a8b8ab8e63ad7580dc7d6544c6fbe8f65cd103c39c60db6156dbdb6e16a3edaf0dc3f80b0ee7b636d0939218bc27edccaf36032302c69d25b4b400ec0658f34ce9b828852c5372eb1a7bd6e7398e3788e7" + +这里有个知识点 256 ,我们的字节码 0-255, 一共就256个,一般256模值 + +这个函数传入了1399 $_CFABz(1399),返回是字符串 + +![debugger](../img/15.png) + +更值技巧: + + 从头看不需要重复下断,要记住很多变量 + 从尾部看会重复下断操作,跟值比较轻松 + +下断点技巧 + + 初始值的位置,循环的位置,返回的位置,函数开头,函数结尾 + +一点点调试,发现 $_CHCBt(56) 是 "encrypt" 加密的意思 + +![debugger](../img/16.png) + + var t = new X()[$_CHCBt(56)](this[$_CHCBt(1374)](e)); + +查看 new X()看到一个__proto__中存在 setPublic + +![debugger](../img/17.png) + +这大概率就是 rsa 加密技术,setPublic 是设置公钥的意思 + +下面就能直接翻译成以下代码 + + var t = new X()[$_CHCBt(56)](this[$_CHCBt(1374)](e)) + ↓↓↓↓↓↓↓ + var t = new X()["encrypt"]("008b5622e6c6b640") + +那么字符串 008b5622e6c6b640 怎么来的 + +继续调试 this[$_CHCBt(1374),这里发现是 (Ot = rt(), 字符串是由 rt()生成 + +![debugger](../img/18.png) + +在 console中调试, 每次返回的结果都不相同 + + rt() + "b520110b6d094449" + rt() + "db73ac992a993749" + rt() + "cf0f49e78a33fad5" + rt() + "1be4252ed80313dc" + rt() + "2ab6c4dce8e1e4c9" + rt() + "8e7a75d5632b7b94" + +进入方法继续跟踪 + +![debugger](../img/19.png) + +开头下断点,结束下断点,return 位置有用到初始化变量的下断点。 + +但是这里调试发现 
rt() 方法不在断点中,测试初始化滑验证码是否进入断点。 + +在 console中调试, 每次返回的结果都不相同 + + t() + "5d92" + t() + "650e" + t() + "4803" + +这里发现返回的数据是由4个t()想加所得 + + return function() { + var $_BFBIl = lTloj.$_CX + , $_BFBHs = ['$_BFCBY'].concat($_BFBIl) + , $_BFBJq = $_BFBHs[1]; + $_BFBHs.shift(); + var $_BFCAQ = $_BFBHs[0]; + return t() + t() + t() + t(); + } + +进入到 t() 中 + + function t() { + var $_DBFAh = lTloj.$_DP()[0][4]; + for (; $_DBFAh !== lTloj.$_DP()[2][3]; ) { + switch ($_DBFAh) { + case lTloj.$_DP()[0][4]: + return (65536 * (1 + Math[$_BFBDL(75)]()) | 0)[$_BFBDL(396)](16)[$_BFBDL(476)](1); + break; + } + } + } + +在 console中调试代码, 每次返回的结果都不相同 + + (65536 * (1 + Math[$_BFBDL(75)]()) | 0)[$_BFBDL(396)](16)[$_BFBDL(476)](1) + "dfeb" + (65536 * (1 + Math[$_BFBDL(75)]()) | 0)[$_BFBDL(396)](16)[$_BFBDL(476)](1) + "1c6c" + (65536 * (1 + Math[$_BFBDL(75)]()) | 0)[$_BFBDL(396)](16)[$_BFBDL(476)](1) + "0764" + + \ No newline at end of file