一次简单的先知社区js逆向记录


一、简述

自去年10月起,先知平台公开了文章发表时ip归属地,迫于工作不饱和,抓点数据来看看师傅们最近在干啥

一次简单的先知社区js逆向记录

二、处理反爬

直接发起requests请求,大概一分钟后开始返回js代码,脚本不具备执行环境无法计算出对应结果,网站存在js反爬

一次简单的先知社区js逆向记录

随后花了亿点点时间梳理逻辑,整个js流程大致分三个块:

  1. 数组还原

  2. 数组解密

  3. cookie生成

3.1 数组还原

首先一个自执行函数,对大数组_0x4818做头出尾进操作348次

  • array["push"](array["shift"]());

// Self-invoking "un-shuffle" step: rotates the string table _0x4818 in place so the
// decoder (_0x55f3) later reads it in its original order. Excerpt only (elided lines
// are marked "...").
(function (_0x4c97f0, _0x1742fd) {
var _0x4db1c = function (_0x48181e) {
while (--_0x48181e) { // pre-decrement: the body runs (_0x48181e - 1) times
_0x4c97f0["push"](_0x4c97f0["shift"]()); // rotate left by one: remove the head, append it at the tail
}
};
var _0x3cd6c6 = function () {
var _0xb8360b = {
...
"getCookie": function (_0x4a11fe, _0x189946) {
...
var _0x52d57c = function (_0x105f59, _0x3fd789) {
_0x105f59(++_0x3fd789); // _0x4db1c(348): 347 pre-incremented, so the loop above rotates 347 times
};
_0x52d57c(_0x4db1c, _0x1742fd); // reached via the elided getCookie path, per the author — TODO confirm
}
};
};
})(_0x4818, 347); // 347 rotations of the 56-entry table == rotate left by 347 mod 56 = 11, which matches the "after" listing below

一次简单的先知社区js逆向记录

得到还原乱序后的数组

// 还原前
// Before restoration: the 56-entry string table in its shuffled order, still encoded.
var _0x4818 = ["csKHwqMI", "ZsKJwr8VeAsy", "UcKiN8O/wplwMA==", "JR8CTg==", "YsOnbSEQw7ozwqZKesKUw7kwX8ORIQ==",
"w7oVS8OSwoPCl3jChMKhw6HDlsKXw4s/YsOG", "fwVmI1AtwplaY8Otw5cNfSgpw6M=", "OcONwrjCqsKxTGTChsOjEWE8PcOcJ8K6",
"U8K5LcOtwpV0EMOkw47DrMOX", "HMO2woHCiMK9SlXClcOoC1k=", "asKIwqMDdgMuPsOKBMKcwrrCtkLDrMKBw64d",
"wqImMT0tw6RNw5k=", "DMKcU0JmUwUv", "VjHDlMOHVcONX3fDicKJHQ==",
"wqhBH8Knw4TDhSDDgMOdwrjCncOWwphhN8KCGcKqw6dHAU5+wrg2JcKaw4IEJcOcwrRJwoZ0wqF9YgAV", "dzd2w5bDm3jDpsK3wpY=",
"w4PDgcKXwo3CkcKLwr5qwrY=", "wrJOTcOQWMOg", "wqTDvcOjw447wr4=", "w5XDqsKhMF1/", "wrAyHsOfwppc", "J3dVPcOxLg==",
"wrdHw7p9Zw==", "w4rDo8KmNEw=", "IMKAUkBt", "w6bDrcKQwpVHwpNQwqU=", "d8OsWhAUw7YzwrU=", "wqnCksOeezrDhw==",
"UsKnIMKWV8K/", "w4zDocK8NUZv", "c8OxZhAJw6skwqJj", "PcKIw4nCkkVb", "KHgodMO2VQ==", "wpsmwqvDnGFq",
"wqLDt8Okw4c=", "w7w1w4PCpsO4wqA=", "wq9FRsOqWMOq", "byBhw7rDm34=", "LHg+S8OtTw==", "wqhOw715dsOH",
"U8O7VsO0wqvDvcKuKsOqX8Kr", "Yittw5DDnWnDrA==", "YMKIwqUUfgIk", "aB7DlMODTQ==", "wpfDh8Orw6kk",
"w7vCqMOrY8KAVk5OwpnCu8OaXsKZP3DClcKyw6HDrQ==",
"wow+w6vDmHpsw7Rtwo98LC7CiG7CksORT8KlW8O5wr3Di8OTHsODeHjDmcKlJsKqVA==", "NwV+", "w7HDrcKtwpJawpZb",
"wpQswqvDiHpuw6I=", "YMKUwqMJZQ==", "KH1VKcOqKsK1", "fQ5sFUkkwpI=", "wrvCrcOBR8Kk", "M3w0fQ==",
"w6xXwqPDvMOFwo5d"];

// After restoration (rotated left by 347 mod 56 = 11 positions): same 56 entries, now in
// the order the hex indices of _0x55f3 refer to. Still encoded until _0x55f3's rc4 step.
var _0x4818 = ['wqImMT0tw6RNw5k=', 'DMKcU0JmUwUv', 'VjHDlMOHVcONX3fDicKJHQ==',
'wqhBH8Knw4TDhSDDgMOdwrjCncOWwphhN8KCGcKqw6dHAU5+wrg2JcKaw4IEJcOcwrRJwoZ0wqF9YgAV', 'dzd2w5bDm3jDpsK3wpY=',
'w4PDgcKXwo3CkcKLwr5qwrY=', 'wrJOTcOQWMOg', 'wqTDvcOjw447wr4=', 'w5XDqsKhMF1/', 'wrAyHsOfwppc', 'J3dVPcOxLg==',
'wrdHw7p9Zw==', 'w4rDo8KmNEw=', 'IMKAUkBt', 'w6bDrcKQwpVHwpNQwqU=', 'd8OsWhAUw7YzwrU=', 'wqnCksOeezrDhw==',
'UsKnIMKWV8K/', 'w4zDocK8NUZv', 'c8OxZhAJw6skwqJj', 'PcKIw4nCkkVb', 'KHgodMO2VQ==', 'wpsmwqvDnGFq',
'wqLDt8Okw4c=', 'w7w1w4PCpsO4wqA=', 'wq9FRsOqWMOq', 'byBhw7rDm34=', 'LHg+S8OtTw==', 'wqhOw715dsOH',
'U8O7VsO0wqvDvcKuKsOqX8Kr', 'Yittw5DDnWnDrA==', 'YMKIwqUUfgIk', 'aB7DlMODTQ==', 'wpfDh8Orw6kk',
'w7vCqMOrY8KAVk5OwpnCu8OaXsKZP3DClcKyw6HDrQ==',
'wow+w6vDmHpsw7Rtwo98LC7CiG7CksORT8KlW8O5wr3Di8OTHsODeHjDmcKlJsKqVA==', 'NwV+', 'w7HDrcKtwpJawpZb',
'wpQswqvDiHpuw6I=', 'YMKUwqMJZQ==', 'KH1VKcOqKsK1', 'fQ5sFUkkwpI=', 'wrvCrcOBR8Kk', 'M3w0fQ==',
'w6xXwqPDvMOFwo5d', 'csKHwqMI', 'ZsKJwr8VeAsy', 'UcKiN8O/wplwMA==', 'JR8CTg==',
'YsOnbSEQw7ozwqZKesKUw7kwX8ORIQ==', 'w7oVS8OSwoPCl3jChMKhw6HDlsKXw4s/YsOG', 'fwVmI1AtwplaY8Otw5cNfSgpw6M=',
'OcONwrjCqsKxTGTChsOjEWE8PcOcJ8K6', 'U8K5LcOtwpV0EMOkw47DrMOX', 'HMO2woHCiMK9SlXClcOoC1k=',
'asKIwqMDdgMuPsOKBMKcwrrCtkLDrMKBw64d'];

一次简单的先知社区js逆向记录

3.2 数组解密

此时 _0x4818 数组内容依旧不可读,还要再经过 _0x55f3 的 rc4 解密处理

// String decoder: maps a hex index string (e.g. "0x22") to the entry _0x4818[index],
// rc4-decrypts it with the key given as the second argument, and memoizes the plaintext
// in _0x55f3["data"] under the integer index. Excerpt only ("..." marks elided lines).
var _0x55f3 = function (_0x4c97f0, _0x1742fd) {
var _0x4c97f0 = parseInt(_0x4c97f0, 16); // hex index -> integer (re-declares/shadows the parameter)
var _0x48181e = _0x4818[_0x4c97f0]; // encoded entry from the restored table
...
if (_0x55f3["data"][_0x4c97f0] === undefined) { // cache miss: decrypt once
...
_0x48181e = _0x55f3["rc4"](_0x48181e, _0x1742fd); // rc4 decrypt with the per-call key
_0x55f3["data"][_0x4c97f0] = _0x48181e; // memoize the plaintext in _0x55f3["data"]
} else {
_0x48181e = _0x55f3["data"][_0x4c97f0]; // cache hit
}
return _0x48181e;
};

// Anti-debugging guard. Using the dumped table: 0x22 + 0x23 build the string
// `return (function() {}.constructor("return this")( )`, i.e. a Function that returns the
// global object; 0x26/0x29/0x2c/0x2f decode to "console" and 0x2a/0x2d/0x30 to
// "error"/"warn"/"info", so console.log/error/warn/info are replaced with a no-op.
// The value the IIFE finally returns is elided ("...") — whether the if or else branch
// runs cannot be read from this excerpt.
if (function () {
...
var _0x5b6351 = _0x3a394d(this, function () { // _0x3a394d is an elided helper; presumably wraps the callback — TODO confirm
var _0x46cbaa = Function(_0x55f3("0x22", "&hZY") + _0x55f3("0x23", "aH*N") + ");"); // global-object getter built from strings
var _0x1766ff = function () {}; // no-op used to silence console output
var _0x9b5e29 = _0x46cbaa(); // the global object (window in a browser)
_0x9b5e29[_0x55f3("0x26", "aH*N")]["log"] = _0x1766ff; // console.log = noop
_0x9b5e29[_0x55f3("0x29", "V%YR")][_0x55f3("0x2a", "P^Eq")] = _0x1766ff; // console.error = noop
_0x9b5e29[_0x55f3("0x2c", "lgM0")][_0x55f3("0x2d", "L$(D")] = _0x1766ff; // console.warn = noop
_0x9b5e29[_0x55f3("0x2f", "CZc8")][_0x55f3("0x30", "Wu6%")] = _0x1766ff; // console.info = noop
});
_0x5b6351();
...
}()) {
document[_0x55f3("0x33", "V%YR")](_0x55f3("0x34", "yApz"), l, false); // document.addEventListener("DOMContentLoaded", l, false)
} else {
document[_0x55f3("0x36", "yApz")](_0x55f3("0x37", "L$(D"), l); // 0x36/0x37 are not in the dumped table; presumably a legacy event-registration fallback — TODO confirm
}

一次简单的先知社区js逆向记录

一次简单的先知社区js逆向记录

得到真正的数组_0x55f3["data"]

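// Decrypted string table as dumped by the author, keyed by the decimal form of the hex
// index passed to _0x55f3 (e.g. _0x55f3("0x26", ...) -> data["38"] -> "console").
// Only the entries shown on the page are listed; indices 0x8, 0xa, 0xb, 0xd, 0xf, 0x11,
// 0x16, 0x1b, 0x36 and 0x37 are used by the script but not dumped here.
// Fix vs. the raw dump: the inner quotes in entry "35" are escaped so the literal parses.
_0x55f3["data"] = {
  "1": "_phantom", // window["_phantom"], polled by l() — presumably a headless-browser marker
  "3": "3000176000856006061501533003690027800375", // 40 hex chars: the hexXor key
  "5": "prototype",
  "6": "hexXor",
  "20": "unsbox",
  "25": "unsbox",
  "33": "apply",
  "34": "return (function() ",
  "35": "{}.constructor(\"return this\")( )", // "34" + "35": body of the global-object getter
  "38": "console",
  "41": "console",
  "42": "error",
  "44": "console",
  "45": "warn",
  "47": "console",
  "48": "info",
  "51": "addEventListener",
  "52": "DOMContentLoaded",
};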

3.3 cookie生成

最后依次调用 unsbox() 和 hexXor(),生成 arg2 写入 cookie

  • arg2 = arg1.unsbox().hexXor("3000176000856006061501533003690027800375");

  • document.cookie = acw_sc__v2 + "=" + arg2;

// Challenge body (the site's script as captured by the author). Computes the cookie value
// arg2 = arg1.unsbox().hexXor(<40-hex-char key>) and hands it to reload() below.
var arg1 = '2F526E76D908955D2065FE39FACBFD626530F9B0'; // 40 hex chars (20 bytes); presumably varies per response — TODO confirm
var l = function () {
// Stalls forever (busy loop, no error) if window["_phantom"] (index 0x1) or
// window["__phantomas"] exists: a headless-browser check.
while (window[_0x55f3("0x1", "XMW^")] || window["__phantomas"]) {};
var _0x5e8b26 = _0x55f3("0x3", "jS1Y"); // index 3 -> the 40-digit hex XOR key
// String.prototype.hexXor (0x5 -> "prototype", 0x6 -> "hexXor"): XORs `this` with the
// argument two hex chars (one byte) at a time and returns the result as lowercase hex.
String[_0x55f3("0x5", "n]fR")][_0x55f3("0x6", "Pg54")] = function (_0x4e08d8) { // hexXor function
var _0x5a5d3b = "";
// 0x8/0xa bound the loop by both strings; 0xb/0xd take (start, start + 2); 0xf is called
// with 16; 0x11 is compared with 1. None are in the dumped table — presumably "length",
// a substring method, "toString" and "length" respectively — TODO confirm.
for (var _0xe89588 = 0; _0xe89588 < this[_0x55f3("0x8", ")hRc")] && _0xe89588 < _0x4e08d8[_0x55f3("0xa",
"jE&^")]; _0xe89588 += 2) {
var _0x401af1 = parseInt(this[_0x55f3("0xb", "V2KE")](_0xe89588, _0xe89588 + 2), 16); // one byte of this
var _0x105f59 = parseInt(_0x4e08d8[_0x55f3("0xd", "XMW^")](_0xe89588, _0xe89588 + 2), 16); // one byte of the key
var _0x189e2c = (_0x401af1 ^ _0x105f59)[_0x55f3("0xf", "W1FE")](16); // XOR, back to hex
if (_0x189e2c[_0x55f3("0x11", "MGrv")] == 1) { // left-pad a single hex digit to two
_0x189e2c = "0" + _0x189e2c;
}
_0x5a5d3b += _0x189e2c;
}
return _0x5a5d3b;
};
// String.prototype.unsbox (0x14 -> "unsbox"): fixed 40-entry permutation of `this`,
// out[j] = this[_0x4b082b[j] - 1]. Characters at positions not named in the table are
// dropped and unfilled slots join as "", so it is only meaningful for 40-char input.
String["prototype"][_0x55f3("0x14", "Z*DM")] = function () { // unsbox function
var _0x4b082b = [15, 35, 29, 24, 33, 16, 1, 38, 10, 9, 19, 31, 40, 27, 22, 23, 25, 13, 6, 11, 39, 18,
20, 8, 14, 21, 32, 26, 2, 30, 7, 4, 17, 5, 3, 28, 34, 37, 12, 36];
var _0x4da0dc = [];
var _0x12605e = "";
for (var _0x20a7bf = 0; _0x20a7bf < this["length"]; _0x20a7bf++) {
var _0x385ee3 = this[_0x20a7bf];
for (var _0x217721 = 0; _0x217721 < _0x4b082b[_0x55f3("0x16", "aH*N")]; _0x217721++) { // 0x16: presumably "length" — TODO confirm
if (_0x4b082b[_0x217721] == _0x20a7bf + 1) { // 1-based source position for slot _0x217721
_0x4da0dc[_0x217721] = _0x385ee3;
}
}
}
_0x12605e = _0x4da0dc["join"]("");
return _0x12605e;
};
var _0x23a392 = arg1[_0x55f3("0x19", "Pg54")](); // arg1.unsbox()  (0x19 -> "unsbox")
arg2 = _0x23a392[_0x55f3("0x1b", "z5O&")](_0x5e8b26); // _0x23a392.hexXor(_0x5e8b26); no `var` in this excerpt, so arg2 is global unless declared elsewhere
setTimeout("reload(arg2)", 2); // string-form setTimeout (evaluated as code) -> reload() -> setCookie()
};

/**
 * Writes a cookie that expires one hour from now.
 *
 * The attribute set is exactly what the site's script uses: expires, max-age=3600 and
 * path=/. No Secure or SameSite attribute is written, and the value goes in verbatim
 * (no encoding).
 *
 * @param {string} name  cookie name
 * @param {string} value cookie value
 */
function setCookie(name, value) {
  const ONE_HOUR_MS = 3600000;
  const expiresAt = new Date(Date.now() + ONE_HOUR_MS);
  // toUTCString() produces the same RFC 7231 date as the legacy toGMTString() alias.
  document.cookie = `${name}=${value};expires=${expiresAt.toUTCString()};max-age=3600;path=/`;
}

/**
 * Stores the computed challenge token as the acw_sc__v2 cookie, then reloads the page
 * so the next request carries it.
 *
 * @param {string} x the cookie value (arg2 computed in l())
 */
function reload(x) {
  const cookieName = "acw_sc__v2";
  setCookie(cookieName, x);
  document.location.reload();
}

一次简单的先知社区js逆向记录

3.4 脚本实现

一次简单的先知社区js逆向记录

三、师傅们的动态

2022年10月13日-2023年2月23日,收集到技术文章共162条数据

一次简单的先知社区js逆向记录

3.1 作者

师傅们混身都是肝,LeeH师傅平均10天干完一篇文章

top10作者


一次简单的先知社区js逆向记录

top3作者 - 月度发文

一次简单的先知社区js逆向记录

3.2 地区

什么?我也是四川的,那没事了

各地区 - 总发文

一次简单的先知社区js逆向记录

top3地区 - 月度发文

一次简单的先知社区js逆向记录

3.3 内容

安全研究终究是大趋势,java安全和漏洞分析霸榜

一次简单的先知社区js逆向记录

top20 - 高频词

一次简单的先知社区js逆向记录

top20内容 - 四川

一次简单的先知社区js逆向记录

top20内容 - 广东

一次简单的先知社区js逆向记录

top20内容 - 北京

一次简单的先知社区js逆向记录

四、总结

一次简单的先知社区js逆向记录


五、参考

原文于:https://xz.aliyun.com/t/12238#toc-4 原文作者:Ainrm


原文始发于微信公众号(猪猪谈安全):一次简单的先知社区js逆向记录

  • 本文由 发表于 2023年3月12日20:51:37
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   一次简单的先知社区js逆向记录http://cn-sec.com/archives/1597941.html
