JS Reverse Engineering: 漫画柜 (Manhuagui)
This post fills in the eval packing that an earlier article only mentioned.
Earlier I gave a brief introduction to common JS obfuscation: JS逆向常見混淆總結 (A Summary of Common Obfuscation in JS Reverse Engineering).
The first kind of obfuscation listed there is the subject of this analysis; the site analysed here is 漫畫柜 (Manhuagui).
Inspecting the request
Open the console, click any comic to get to a chapter page, and look at the requests:
It is easy to see that there is an md5 parameter whose value is encrypted.
Locating the encryption
There are two ways to locate it:
The first is for experienced people: go through the requests and the page source once, and you can pin it down quickly.
The second follows the analysis workflow described in the earlier article. It is more tedious and takes some detours, but it suits beginners:
If you have not read that article, you can review it via this link: 實戰案例淺析JS加密 - 基礎總結篇 (Hands-on Cases in JS Encryption: Basics Summary).
First, search for keywords. The encrypted parameter here is md5, so try the following search terms:
md5:
md5 :
md5=
md5 =
md5
The search results are as follows:
The keyword search did not return what we wanted, so by the workflow from the earlier article we are stuck at this point.
However, the request above carries another parameter, cid. Since both are request parameters, md5 is probably submitted together with it, so we can try searching for the keyword cid instead.
Searching for the cid parameter gives the following results:
Sure enough, there is something. Open the first file and search for cid inside it: 18 related matches. By reading through the code we quickly locate the code in the figure below; set a breakpoint there and reload to see whether it is hit:
The breakpoint is hit, but the md5 parameter we want does not seem to be here, and it looks like we are stuck again.
But by looking at the call stack on the right we quickly find where the md5 parameter is produced:
The VM code here is in turn generated by the following code:
That opening is the familiar eval packing, isn't it.
So we have located the decryption point, but where is this eval code itself?
The panel on the left carries a .html marker, so searching will not find it; let's look at the page source instead. Right-clicking goes to the next comic page, so use the Doc tab in the console; after pretty-printing the code we find the eval code seen above:
window["\x65\x76\x61\x6c"](function(p, a, c, k, e, d) {
    // "\x65\x76\x61\x6c" spells eval; this is the standard p,a,c,k,e,d loader
    e = function(c) {
        return (c < a ? "" : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    };
    if (!''.replace(/^/, String)) {
        while (c--)
            d[e(c)] = k[c] || e(c);
        k = [function(e) {
            return d[e]
        }];
        e = function() {
            return '\\w+'
        };
        c = 1;
    }
    while (c--)
        if (k[c])
            p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
    return p;
    // the last argument is the '|'-separated dictionary (elided in this copy of the page),
    // accessed through a hex-escaped method name: '\x73\x70\x6c\x69\x63' spells "splic"
}('I.H({"G":4,"J":"M","L":"4.2","K":B,"A":"z","C":["F.2.3","E.2.3","D.2.3","N.2.3","X.2.3","W.2.3","V.2.3","Y.2.3","11.2.3","10.2.3","Z.2.3","Q.2.3","P.2.3","O.2.3","R.2.3","U.2.3","T.2.3","S.2.3","d.2.3","c.2.3","b.2.3","e.2.3","h.2.3","g.2.3","f.2.3","a.2.3","5.2.3","6.2.3","8.2.3","7.2.3","9.2.3","i.2.3","u.2.3","t.2.3","s.2.3","v.2.3","y.2.3","x.2.3","w.2.3","r.2.3","m.2.3","k.2.3","j.2.3","n.2.3","q.2.3","p.2.3","o.2.3","12.2.3","1E.2.3","1D.2.3","1C.2.3","1F.2.3","1I.2.3","1H.2.3","1G.2.3","1x.2.3","1w.2.3","1v.2.3","1y.2.3","1B.2.3","1A.2.3","1z.2.3","1V.2.3","1S.2.3","1T.2.3","1R.2.3","1W.2.3","1U.2.3","1L.2.3","1M.2.3","1J.2.3","1K.2.3","1P.2.3","1Q.2.3","1N.2.3","1O.2.3","1c.2.3","1b.2.3","1a.2.3","1d.2.3","1g.2.3","1f.2.3","1e.2.3","15.2.3","14.2.3","13.2.3","16.2.3"],"19":18,"17":1q,"1p":"/1o/l/1r/1u/","1t":1,"1s":"","1j":1i,"1h":0,"1k":{"1n":"1m"}}).1l();', 62, 121, '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'['\x73\x70\x6c\x69\x63']('\x7c'), 0, {}))
The decryption process
Let's go through the whole flow. First the site loads the page and runs this eval, which decodes the pile of ciphertext in its arguments; then it requests the actual content based on those parameters. So for our reverse engineering we only need to grab the page's code, execute this snippet with execjs to obtain the md5 value, and make the request directly.
But pasting this code straight into an eval decoder does not seem to work. I felt it had to do with the encrypted argument at the end; testing showed that although it looks like Base64 it is not Base64, and I was stuck again, so I asked an expert for help.
With a hint from @悅來客棧的老板 I tried again, and sure enough this piece of code is the problem:
After decoding and replacing it, running the code produces the result we saw in the VM:
From here it is simple: request the page's code, use a regex to replace the ciphertext in the code, execute the code with execjs to get the md5 value, and then use that md5 value to make the request.
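As an added example (not code from the original post or the site), here is a static unpacker for the p,a,c,k,e,d loader above that reproduces the "decode and replace" step without running eval at all: it parses the packer's arguments out of the script text, tolerates the hex-escaped and tampered method name, and checks the dictionary size before substituting. The packed sample it runs on is constructed, not taken from the site.

```javascript
// Added example (not code from the original post): a static unpacker for the Dean
// Edwards "p,a,c,k,e,d" packer shown above. It never calls eval: it parses the packer's
// arguments out of the script text and re-applies the dictionary substitution itself, so a
// tampered method name (hex-escaped "splic" instead of "split") does not stop it.

// Decode the escapes that can appear inside a single-quoted JS string literal.
function unescapeJs(s) {
  return s.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)/g, (m, e) => {
    if (e[0] === 'x' || e[0] === 'u') return String.fromCharCode(parseInt(e.slice(1), 16));
    return { n: '\n', r: '\r', t: '\t', '0': '\0' }[e] ?? e; // \' and \\ map to themselves
  });
}

// The packer's symbol encoder: dictionary index -> base-`radix` token (0-9, a-z, A-Z, 10, 11, ...).
function encodeSymbol(c, radix) {
  const head = c < radix ? '' : encodeSymbol(Math.floor(c / radix), radix);
  const rem = c % radix;
  return head + (rem > 35 ? String.fromCharCode(rem + 29) : rem.toString(36));
}

// Extract (payload, radix, count, dictionary, method) from the trailing call, which looks like
// }('payload', 62, 121, 'a|b|c'.split('|'), 0, {})  or  'a|b|c'['split']('|') with escapes.
function parsePacked(script) {
  const re = /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\s*(?:\.\s*(\w+)|\[\s*'((?:[^'\\]|\\.)*)'\s*\])\s*\(\s*'((?:[^'\\]|\\.)*)'\s*\)/;
  const m = re.exec(script);
  if (!m) throw new Error('no packer call found');
  const method = m[5] !== undefined ? m[5] : unescapeJs(m[6]); // "split" on an untampered page
  const words = unescapeJs(m[4]).split(unescapeJs(m[7]));
  const count = parseInt(m[3], 10);
  if (words.length !== count) throw new Error(`dictionary has ${words.length} entries, expected ${count}`);
  return { payload: unescapeJs(m[1]), radix: parseInt(m[2], 10), count, words, method };
}

// Undo the substitution in one pass, like the packer's loader does (d[e(c)] = k[c] || e(c)).
function unpack(script) {
  const { payload, radix, count, words } = parsePacked(script);
  const dict = new Map(); // a Map, so a token spelled like an Object.prototype member cannot collide
  for (let c = 0; c < count; c++) {
    const tok = encodeSymbol(c, radix);
    dict.set(tok, words[c] || tok); // an empty dictionary slot means the token stands for itself
  }
  return payload.replace(/\b\w+\b/g, (t) => (dict.has(t) ? dict.get(t) : t));
}

// Constructed sample in the same shape as the page's script: eval reached through a hex-escaped
// property name, and the split method spelled "splic" in hex so that online decoders choke on it.
const SAMPLE = 'window["\\x65\\x76\\x61\\x6c"](function(p,a,c,k,e,d){/* loader omitted */}' +
  "('0 1=4;0 2=3(1);',62,5,'var|cid|md5|sign|1234'['\\x73\\x70\\x6c\\x69\\x63']('\\x7c'),0,{}))";

console.log(unpack(SAMPLE)); // var cid=1234;var md5=sign(cid);
```

Because the substitution is done by the unpacker rather than by the page's own loader, the mangled method name is only reported, never executed.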
Summary
This writeup is rather long-winded. Although the encryption itself is quite simple, I stepped on plenty of pitfalls and took quite a few detours along the way.
JS reverse engineering is meticulous work: make bold hypotheses, verify them carefully, and debug patiently. When you get stuck and need help, don't be shy about asking. Describe clearly what you have worked out and the problems you hit, attach a small red packet, and chat with an expert; you may be pleasantly surprised.
Onward together~