spider/js_reverse
1
0
Fork 0
mirror of https://github.com/luzhisheng/js_reverse.git synced 2025-04-21 00:25:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

猿人学第5题-js 混淆-乱码增强-补环境-atob

Browse Source
This commit is contained in:
luzhisheng 2023-03-09 11:36:43 +08:00
parent 155d772906
commit ac0d00d79b
17 changed files with 92 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
猿人学第5题-js 混淆-乱码增强/RM4hZBv0dDon443M.js → 猿人学第5题-js 混淆-乱码增强-补环境-atob/RM4hZBv0dDon443M.js
View File

@ -3,20 +3,17 @@ window = global;
_0x4e96b4 = window;
global.Buffer = global.Buffer || require('buffer').Buffer;
if (typeof btoa === 'undefined') {
global.btoa = function (str) {
return new Buffer.from(str).toString('base64');
};
}
if (typeof atob === 'undefined') {
global.atob = function (b64Encoded) {
return new Buffer.from(b64Encoded, 'base64').toString();
};
}
function RM4hZBv0dDon443M(pr, dada_time){
_$Ww = CryptoJS['enc']['Utf8']['parse'](pr['toString']());
_0x4e96b4['_$qF'] = CryptoJS['enc']['Utf8']['parse'](_0x4e96b4['btoa'](dada_time)['slice'](0, 16));
@ -27,28 +24,12 @@ function RM4hZBv0dDon443M(pr, dada_time){
return _0x29dd83['toString']()
}
// pr = [
// "b2148c31fb09c98f90ce78424d6cdd58",
// "3be88c860ec6fc7e4e33fe7a167d02dd",
// "0be14faf5221bbdefdede418b077ca60",
// "9c2b5781ba44e92f5e4b3f4d7951b899",
// "08aca52cf82f1e26cc1f4dd35db9795e"
// ];
// dada_time = "1678253268764";
// console.log(RM4hZBv0dDon443M(pr, dada_time));
function RM4hZBv0dDon443M_f(pr_list, dada_time) {
return{
"cookie_m": pr_list[4],
"cookie_RM4": RM4hZBv0dDon443M(pr_list, dada_time),
"m": _$yw,
"f": _$Wa
}
}
module.exports =
{
RM4hZBv0dDon443M_f
};
pr = [
"b2148c31fb09c98f90ce78424d6cdd58",
"3be88c860ec6fc7e4e33fe7a167d02dd",
"0be14faf5221bbdefdede418b077ca60",
"9c2b5781ba44e92f5e4b3f4d7951b899",
"08aca52cf82f1e26cc1f4dd35db9795e"
];
dada_time = "1678253268764";
console.log(RM4hZBv0dDon443M(pr, dada_time));

BIN
猿人学第5题-js 混淆-乱码增强-补环境-atob/img/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 67 KiB

BIN
猿人学第5题-js 混淆-乱码增强-补环境-atob/img/10.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 69 KiB

BIN
猿人学第5题-js 混淆-乱码增强-补环境-atob/img/11.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 35 KiB

BIN
猿人学第5题-js 混淆-乱码增强-补环境-atob/img/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 73 KiB

BIN
猿人学第5题-js 混淆-乱码增强-补环境-atob/img/3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 88 KiB

BIN
猿人学第5题-js 混淆-乱码增强-补环境-atob/img/4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 41 KiB

BIN
猿人学第5题-js 混淆-乱码增强-补环境-atob/img/5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

BIN
猿人学第5题-js 混淆-乱码增强-补环境-atob/img/6.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
猿人学第5题-js 混淆-乱码增强-补环境-atob/img/7.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 92 KiB

BIN
猿人学第5题-js 混淆-乱码增强-补环境-atob/img/8.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
猿人学第5题-js 混淆-乱码增强-补环境-atob/img/9.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

13
猿人学第5题-js 混淆-乱码增强/main.py → 猿人学第5题-js 混淆-乱码增强-补环境-atob/main.py
View File

@ -13,6 +13,8 @@ def sign():
def challenge5(encrypt_params, page_num):
print(encrypt_params)
print(page_num)
url = "https://match.yuanrenxue.com/api/match/5?page=%s" % page_num
params = {
"m": encrypt_params['m'],
@ -22,10 +24,10 @@ def challenge5(encrypt_params, page_num):
RM4hZBv0dDon443M = encrypt_params['cookie_RM4']
session = requests.session()
headers = {
"user-agent": "yuanrenxue.project",
'content-type': 'application/x-www-form-urlencoded; charset=UTF-8',
'cookie': f'sessionid=lrdqq6irmhyoy2ingpso9l3uzschqw1s; m={cookie_m}; RM4hZBv0dDon443M={RM4hZBv0dDon443M}'
'cookie': f'sessionid=3axwe2ne7zbkyzija9wcf7b8yha0sy6o; m={cookie_m}; RM4hZBv0dDon443M={RM4hZBv0dDon443M}'
}
print(headers)
session.headers = headers
response = requests.get(url, headers=headers, params=params)
return response.json()
@ -33,14 +35,17 @@ def challenge5(encrypt_params, page_num):
def run():
data_num = 0
data_num_list = []
for page in range(1, 6):
res = sign()
response_json = challenge5(res, page)
data_list = response_json.get('data')
print(data_list)
for data in data_list:
data_num += int(data.get('value'))
print(data_num)
data_num_list.append(int(data.get('value')))
data_num_list.sort()
print(data_num_list)
print(sum(data_num_list[-5:]))
if __name__ == '__main__':

6
猿人学第5题-js 混淆-乱码增强/pr.js → 猿人学第5题-js 混淆-乱码增强-补环境-atob/pr.js
View File

@ -1501,7 +1501,6 @@ window.$_zw.push([]);
window.$_zw.push(1678268345000);
window.$_zw.push(1678268345000);
window.$_zw.push(setInterval);
console.log(window.$_zw.length);
_0x4e96b4 = window;
_0x4e96b4['_$tT'] = -172015004;
@ -1683,7 +1682,7 @@ function _0x474032(_0x233f82, _0xe2ed33, _0x3229f9) {
return _0xe2ed33 ? _0x3229f9 ? v(_0xe2ed33, _0x233f82) : y(_0xe2ed33, _0x233f82) : _0x3229f9 ? _0x41873d(_0x233f82) : _0x37614a(_0x233f82);
}
// _$Wa = 1678290902000;
// _$Wa = 1;
// console.log(_0x474032(_$Wa));
function RM4hZBv0dDon443M(pr, dada_time){
@ -1704,6 +1703,9 @@ function getCookie() {
pr['push'](_0x474032(_$Wa))
}
_$yw = new Date()['valueOf']().toString();
_0x4e96b4['_$tT'] = -660478335;
_0x4e96b4['_$Jy'] = -405537848;
_0x4e96b4['_$6_'] = -389564586;
pr['push'](_0x474032(_$yw));
cookie_m = pr[4];
cookie_RM4 = RM4hZBv0dDon443M(pr, _$yw);

70
猿人学第5题-js 混淆-乱码增强-补环境-atob/readme.md Normal file
View File

@ -0,0 +1,70 @@
## 知识点 atob魔改的md5环境指纹crypto-jshook cookie
### 解题
网上有2篇介绍的文章但最最关键的点都没有写出来
直接说明了主要破解cookie中的`m=``RM4hZBv0dDon443M=`
![图片](../img/1.png)
油猴插件`hook cookie`
![图片](../img/2.png)
很容易就找到`RM4hZBv0dDon443M=`加密点
![图片](../img/3.png)
调试内存栈,就会发现`_0x4e96b4['_$ss']`是加密位置
![图片](../img/4.png)
全局搜索`_0x4e96b4['_$`找到赋值位置
![图片](../img/5.png)
仔细观察这断代码是不是`crypto-js`加密mode是`ECB`padding是`Pkcs7`
_$Ww = _$Tk[_$UH[0x2db]][_$UH[0x2dc]][_$UH[0xff]](_0x4e96b4['_$pr'][_$UH[0x1f]]()),
_0x29dd83 = _$Tk['A' + _$UH[0x32d]][_$UH[0x337] + _$UH[0x336]](_$Ww, _0x4e96b4[_0xc77418('0x6', 'OCbs')], {
'mode': _$Tk[_$UH[0x339] + _$UH[0x33a]][_$UH[0x2e5]],
'padding': _$Tk[_$UH[0x33b]][_$UH[0x33c] + _$UH[0x33d]]
}),
_0x4e96b4['_$' + _$UH[0x348][0x1] + _$UH[0x353][0x1]] = _0x29dd83[_$UH[0x1f]]();
![图片](../img/6.png)
通过上面的代码就需要找到`_0x4e96b4['_$pr']``_0x4e96b4[_0xc77418('0x6', 'OCbs')]`
这里的`_0x4e96b4[_0xc77418('0x6', 'OCbs')]`改写成`_0x4e96b4["_$qF"]`
![图片](../img/9.png)
全局搜索找到`_0x4e96b4['_$qF']`这样能确定的是CryptoJS加密密钥是时间戳
![图片](../img/10.png)
在看看`_0x4e96b4['_$pr']`加密值,是数组
![图片](../img/11.png)
尝试写死2个参数一点点扣代码改写
![图片](../img/7.png)
其中`btoa``atob`是需要自己补的node中没有`btoa``atob`函数
结果输出
![图片](../img/8.png)
pr = [
"b2148c31fb09c98f90ce78424d6cdd58",
"3be88c860ec6fc7e4e33fe7a167d02dd",
"0be14faf5221bbdefdede418b077ca60",
"9c2b5781ba44e92f5e4b3f4d7951b899",
"08aca52cf82f1e26cc1f4dd35db9795e"
];
dada_time = "1678253268764";

0
猿人学第5题-js 混淆-乱码增强/server.js → 猿人学第5题-js 混淆-乱码增强-补环境-atob/server.js
View File

4
猿人学第5题-js 混淆-乱码增强/readme.md
View File

@ -1,4 +0,0 @@
## 知识点