从JS加密的HTML文件中提取PDF文件
本帖最后由 看门猫 于 2021-7-20 14:47 编辑今天帮别人下载个文件,跟我说是个PDF文件,结果下载完发现是个这样的文件
然后我用微软的新版edge浏览器可以直接打开。发过去后,跟我说打不开,我知道对方电脑知识比较差,所以试着还原出PDF给她看,但是在浏览器里右键没有菜单,Ctrl+P打印也没有内容,直接后缀改为.pdf,不行,直接拖到PDF阅读器和Word里面打开都不行,显示是下面这样不知什么乱七八糟的
然后来论坛搜了一下,发现也有人有类似的问题,是去年的事情了
好像也没有解决,于是还是自己试试吧
用文本编辑器打开这个html文件,发现里面是把Ctrl+s,Ctrl+p,F12都屏蔽了,不过发现了下面的数据
看了下 PDFData 里这个字符串有41865288个字符,应该就是原始的PDF文件了,别的地方就是类似阅读器一样的东西,控制加密的,将这个字符串存到一个新的文件中,进行Base64解码,Linux下面直接有base64这个命令,然而我是Windows,百度了一下发现也有类似的命令,是CertUtil,在powershell环境下可以用,格式如下
certutil -decode infile outfile
然后得到一个29.9 MB的PDF文件,打开一看,还需要密码。。。PDF也是加密过的,淦
这里我真搞不定了,然后网上搜了一下发现有人碰到同样的问题,上图中那个encode_version那一行就是存的加密信息,然而悲催的是,网上那个大神碰到的是sojson.v5加密,他直接找到个在线js解密网站就解出了密码,我这个是jsjiami.com.v5,解出来的信息还是不行,看不出密码,看来这些加密的人也在进步啊,找到jsjiami这个网站,号称是最牛js加密,我这个小白实在是没法了。抱着最后一丝希望,我把网上那个大神解出来的密码填进去试了一下,竟然是对的,哈哈哈,看来他们只是升级了加密方法,却没有改密码,这是我没想到的。
最后把这段加密过的代码放上来,有厉害的大神能解密的,可以试试
var encode_version = 'jsjiami.com.v5', hipig = '__0xac064',__0xac064=['wpXDuHHCpsOjLQ==','w6fDvMKLJ8O4w4F8HQU=','w53Dv3HCp8Olc8ODWQ==','GG4EesO+OTxAwoglw6wnw4zCicKfwo5Vw7Vgw44cwpfCpCQowpXCi8K4','wpXDqsOywp7Dpw==','wq3DssKpwqXDuQ==','CsOQwrI9YRRY','ejopw4/DtsKfR2LDlRc=','QXR1wp9NMg==','w6lHMsKI','wpTDuGDCuMOhJsKS','FBPDmQ==','w53DuMO/woTDtsKNOkw=','wpPDs3TCscOmLMKZEBU=','dMOIw7I=','54ml5py95Y+s77+0Uynkv67lr63mnoblvY7nqJTvvbvovIPorIbmlJTmjZ/miLnkuLrnmLzltbTkv5U=','5YuW6Zuv54ml5p6B5Y+i7723YxvkvanlrZ/mnY/lv5vnq5M=','VVI7IBI=','w6xSKcKLwqgkasK+WMOqYx/CjsOiFsKBMcORNsKNwpQgWDXClBDDjMKR','G8OcwoDCkm0=','czZlJmM=','wrbCunAnwog=','aicqw47DgcKCSmnDsw==','bsKvwoZJPH8m','Mi5ew7pMw5I=','esONw6RBw5k=','w6HDgGLDmWHCigU=','EGoefMKwMA==','wpQTw6Q=','M8K4wprCsSk=','wqXDtMKwwpvDoi0Bwr3CnynDncKkwrho','WTbDmMKGwrc=','wpgPw7Rrw7h+w4Q=','bCNnKGN/','BXNjwqpYTw==','wr7DvcKSwqjDgA==','wpHDilfDkcOkw7LCv8OIRsKM','SsKZw4N7CQ==','w6XDv3PDjEM=','eMK3wq5Uw7g=','w4DDnsKBEw==','woDDh0XDk8OIw7PCqMOITcKrw58s','CMKgwpE=','SEbCqsKZ','FjHDvMOgwoErwoYs','wqRZw7k=','6L635Zux5L6U5oOh77+/','bClu','5Yqi5L6Q5q+i5pex77+B','5oGZ5Y6O5Lm15q2t5bq46Zi06K2Z77yB','w43Dm8KDCsKhCytk'];(function(_0x189fe7,_0x321225){var _0x1e7814=function(_0x586cec){while(--_0x586cec){_0x189fe7['push'](_0x189fe7['shift']());}};_0x1e7814(++_0x321225);}(__0xac064,0xc1));var _0x4146=function(_0x356db0,_0x19e83c){_0x356db0=_0x356db0-0x0;var _0xfcb912=__0xac064;if(_0x4146['initialized']===undefined){(function(){var _0x25c818=typeof window!=='undefined'?window:typeof process==='object'&&typeof require==='function'&&typeof global==='object'?global:this;var _0x2db4fe='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';_0x25c818['atob']||(_0x25c818['atob']=function(_0x4f007e){var _0x13f62b=String(_0x4f007e)['replace'](/=+$/,'');for(var _0xef15ef=0x0,_0x1d6e04,_0x511588,_0x588e62=0x0,_0x1aceaa='';_0x511588=_0x13f62b['charAt'](_0x588e62++);~_0x511588&&(_0x1d6e04=_0xef15ef%0x4?_0x1d6e04*0x40+_0x511588:_0x511588,_0xef15ef++%0x4)?_0x1aceaa+=String['fromCharCode'](0xff&_0x1d6e04>>(-0x2*_0xef15ef&0x6)):0x0){_0x511588=_0x2db4fe['indexOf'](_0x511588);}return _0x1aceaa;});}());var _0x4d53f6=function(_0x32dee5,_0x36d12b){var _0xa9b695=[],_0x56d6bc=0x0,_0x3dae33,_0x266bd5='',_0x3a3f36='';_0x32dee5=atob(_0x32dee5);for(var _0x557d69=0x0,_0xcd99aa=_0x32dee5['length'];_0x557d69<_0xcd99aa;_0x557d69++){_0x3a3f36+='%'+('00'+_0x32dee5['charCodeAt'](_0x557d69)['toString'](0x10))['slice'](-0x2);}_0x32dee5=decodeURIComponent(_0x3a3f36);for(var _0x25856d=0x0;_0x25856d<0x100;_0x25856d++){_0xa9b695=_0x25856d;}for(_0x25856d=0x0;_0x25856d<0x100;_0x25856d++){_0x56d6bc=(_0x56d6bc+_0xa9b695+_0x36d12b['charCodeAt'](_0x25856d%_0x36d12b['length']))%0x100;_0x3dae33=_0xa9b695;_0xa9b695=_0xa9b695;_0xa9b695=_0x3dae33;}_0x25856d=0x0;_0x56d6bc=0x0;for(var _0x41643a=0x0;_0x41643a<_0x32dee5['length'];_0x41643a++){_0x25856d=(_0x25856d+0x1)%0x100;_0x56d6bc=(_0x56d6bc+_0xa9b695)%0x100;_0x3dae33=_0xa9b695;_0xa9b695=_0xa9b695;_0xa9b695=_0x3dae33;_0x266bd5+=String['fromCharCode'](_0x32dee5['charCodeAt'](_0x41643a)^_0xa9b695[(_0xa9b695+_0xa9b695)%0x100]);}return _0x266bd5;};_0x4146['rc4']=_0x4d53f6;_0x4146['data']={};_0x4146['initialized']=!![];}var _0x16cb50=_0x4146['data'];if(_0x16cb50===undefined){if(_0x4146['once']===undefined){_0x4146['once']=!![];}_0xfcb912=_0x4146['rc4'](_0xfcb912,_0x19e83c);_0x4146['data']=_0xfcb912;}else{_0xfcb912=_0x16cb50;}return _0xfcb912;};var htmlobj=$({'url':'http://39.104.67.211:8002/api/retrieve/chinese_read?read_token='+read_token,'async':![]});var data=htmlobj;var msg=data;var num=data;console(_0x4146('0x6','*5dB'),msg);console(_0x4146('0x8','hL3U'),num);if(msg=='查询成功'){alert(_0x4146('0x9','Zr4M'));var DEFAULT_URL='';var pdfUrl=document(0x1);if(null==pdfUrl||''==pdfUrl){var BASE64_MARKER=_0x4146('0xd','qPv5');var preFileId='';var pdfAsDataUri=_0x4146('0xe','z*sM')+PDFData;var pdfAsArray=convertDataURIToBinary(pdfAsDataUri);DEFAULT_URL=pdfAsArray;function convertDataURIToBinary(_0x199de2){var _0x23ce75={'busWz':function _0x12bb0c(_0x150639,_0x34f7a6){return _0x150639+_0x34f7a6;}};var _0x242bff='0|4|3|2|6|1|5'('|'),_0x200204=0x0;while(!![]){switch(_0x242bff){case'0':var _0x4d8629=_0x23ce75(_0x199de2(BASE64_MARKER),BASE64_MARKER['length']);continue;case'1':for(i=0x0;i<_0x5bdad4;i++){_0x5314ee=_0x4fbb5d(i)&0xff;}continue;case'2':var _0x5bdad4=_0x4fbb5d;continue;case'3':var _0x4fbb5d=window(_0x4afd6d);continue;case'4':var _0x4afd6d=_0x199de2['substring'](_0x4d8629)(/[\n\r]/g,'');continue;case'5':return _0x5314ee;case'6':var _0x5314ee=new Uint8Array(new ArrayBuffer(_0x5bdad4));continue;}break;}}}}else{alert('您阅读的时间已经到期,如果想继续观看,请使用阅读码联系管理员!阅读码�'+read_token);};(function(_0x37d3e0,_0xeb5847,_0x126c12){var _0x463375={'ftwOU':function _0x44e7ac(_0x4a718e,_0x4667ba){return _0x4a718e!==_0x4667ba;},'oXBiz':_0x4146('0x16','eB*$'),'OTFgr':_0x4146('0x17','reoE'),'TbKrA':function _0x57e90a(_0x1c600b,_0x51858a){return _0x1c600b+_0x51858a;},'KojaT':_0x4146('0x18','qPv5'),'VklwI':function _0x202761(_0x480c74,_0x500c0c){return _0x480c74===_0x500c0c;},'xKisK':_0x4146('0x19','EkKt'),'qzHZC':function _0x34f705(_0x25b99c,_0x174de6){return _0x25b99c<_0x174de6;},'yJUUP':function _0x425d01(_0x1be7fb,_0x48fbdd){return _0x1be7fb&_0x48fbdd;},'UEbaB':function _0x4c7c07(_0x45b648,_0x14be40){return _0x45b648+_0x14be40;},'mQupZ':_0x4146('0x1a','7k%*'),'gtKOZ':_0x4146('0x1b','Llzb')};_0x126c12='al';try{if(_0x463375['ftwOU'](_0x463375,_0x463375['oXBiz'])){var _0x866f47=_0x463375['OTFgr'];var _0x28bda5='';var _0x787dab=_0x463375['TbKrA'](_0x4146('0x1d','T$TS'),PDFData);var _0x243553=_0x338e58(_0x787dab);DEFAULT_URL=_0x243553;function _0x338e58(_0x3dd78e){var _0x21dc7c={'vMkBj':'6|4|3|5|2|1|0','dkbDI':function _0xc6e3a6(_0x5608ce,_0x5d5ac1){return _0x5608ce<_0x5d5ac1;},'deOpg':function _0x38164e(_0x300369,_0x3c9c5a){return _0x300369&_0x3c9c5a;},'FFdAZ':function _0x294700(_0xcb0dc2,_0x215eb3){return _0xcb0dc2+_0x215eb3;}};var _0x1a3f6b=_0x21dc7c('|'),_0x383437=0x0;while(!![]){switch(_0x1a3f6b){case'0':return _0xb0b3aa;case'1':for(i=0x0;_0x21dc7c['dkbDI'](i,_0x2cee80);i++){_0xb0b3aa=_0x21dc7c(_0x3addb1['charCodeAt'](i),0xff);}continue;case'2':var _0xb0b3aa=new Uint8Array(new ArrayBuffer(_0x2cee80));continue;case'3':var _0x3addb1=window['atob'](_0x4504fc);continue;case'4':var _0x4504fc=_0x3dd78e(_0x592b62)(/[\n\r]/g,'');continue;case'5':var _0x2cee80=_0x3addb1;continue;case'6':var _0x592b62=_0x21dc7c(_0x3dd78e(_0x866f47),_0x866f47);continue;}break;}}}else{_0x126c12+=_0x4146('0x27','Zr4M');_0xeb5847=encode_version;if(!(typeof _0xeb5847!==_0x463375['KojaT']&&_0x463375(_0xeb5847,_0x4146('0x29','*91K')))){if(_0x463375['VklwI']('lFb',_0x463375)){var _0x47f933=dataURI(BASE64_MARKER)+BASE64_MARKER;var _0x343c1f=dataURI['substring'](_0x47f933)(/[\n\r]/g,'');var _0x13ddf2=window['atob'](_0x343c1f);var _0x534d1f=_0x13ddf2')];var _0x2e92d5=new Uint8Array(new ArrayBuffer(_0x534d1f));for(i=0x0;_0x463375(i,_0x534d1f);i++){_0x2e92d5=_0x463375['yJUUP'](_0x13ddf2(i),0xff);}return _0x2e92d5;}else{_0x37d3e0(_0x463375('删除',_0x463375));}}}}catch(_0x2dd699){_0x37d3e0(_0x463375);}}(window));;encode_version = 'jsjiami.com.v5';
上面这段就是附件里的代码
更新文件链接: https://pan.baidu.com/s/1T3ekSFio8w22KBOvRVe04w 提取码: n8c5 nullable 发表于 2021-7-21 08:35
之前有一个论坛里面求解密pdf网页的帖子,那会儿我也没细看,大概记得这种通过js加密的html好像也就是通过 ...
我整个了PDF转码后自己套进去他那个HTML文件中,发现用edge打开后就是正常文字,虽然右键没有菜单,但是文字确实是可以选中Ctrl+C复制出来的,并没有被转成图片 wss0823 发表于 2021-7-22 09:22
感觉这个js的主要作用是混淆网页,PDF文件并没有收到复写,还是原来的文件。
正解,我整个了PDF转码后自己套进去他那个HTML文件中,发现用edge打开后就是正常文字,虽然右键没有菜单,但是文字确实是可以选中Ctrl+C复制出来的,并没有被转成图片 还要CB币???:'(weeqw lj5366477 发表于 2021-7-19 19:44
还要CB币???
不好意思,新手第一次发帖,不知道怎么设置附件免费,我又重新编辑了一下,把附件中的代码贴出来了了{:1_896:} 膜拜大神,好厉害 为啥不把html的源文件发出来。。。。 感谢楼主分享! HTML文件呢?
强势围观 之前有一个论坛里面求解密pdf网页的帖子,那会儿我也没细看,大概记得这种通过js加密的html好像也就是通过把每一页pdf转成了图片,然后限制浏览器打开图片之类的办法来控制可否访问和密码访问的 多谢分享,学习一下~