某某盘搜加密混淆速通
本帖最后由 lianguhong 于 2023-4-27 16:58 编辑。本文仅供学习交流使用,如有侵权,联系我删除。
网址:aHR0cHM6Ly93d3cubm1tZS54eXov
先帝创业未半。。。
解决方法:
1. 使用"永不在此暂停"(Never pause here)。注意:等到被debugger断住时已经晚了,页面会直接跳到'about:blank',所以要先勾上script断点,在图中debugger断住之前先断住,再勾上"永不在此暂停"。弊端:每次刷新都要重复以上步骤
2. 替换响应,使用python的mitmproxy
发现凡是链接位置都是javascript:;,后面的data-url一眼顶真,结尾的'=='盲猜是base64编码后的url
先看复制链接这个加密,发现并不对,可能修改过或者在解密前做了其他操作
点击后解密复制在了剪贴板,所以目标可以选择找click事件或copy函数,点击Elements点击事件监听器
进入后指向这个文件的这个方法,直接下断点,看到这些变量命名就像回到家一样,自己也尝试实现过
简单例子:
混淆StringLiteral:win['document'] => win => win
混淆BinaryExpression:a + b => F('?','?') + F('?','?') => O(F('?','?'),F('?','?'))
不解混淆,直接跳过混淆的对象赋值和各种赋值,在if分支后面下断点运行直接到最后一个else,这种混淆除了进入解密算法前大部分分支都是无意义的
不像解密算法该有的样子,那就是还在准备调用前的跳转,不用一个一个用鼠标去选中查看混淆前是什么,直接无脑步入步出
这个就是自己计算取真实代码,步出再步入
开始拼接复制的部分文本,我们要的是链接解密,步出步入
到达最高城 理塘 ,看函数名就知道到达理塘了,并且参数刚好是要解密的字符串,估计网站作者没充钱,藏了又跟没藏一样,算法很短,for循环里的if分支也是假的,直接走最后一个else分支,流程:base64解码 -> 跟固定字符串循环异或 -> base64解码 = 明文(base64只是编码,唯一的"密钥"就是写死在前端的那串固定字符串)
结果
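import base64


def atob(string):
    """Base64-decode ``string`` and return the decoded bytes as UTF-8 text."""
    return base64.b64decode(string.encode()).decode()


def decrypt(string, res=''):
    """Recover the plaintext link from a ``data-url`` value.

    Mirrors the site's client-side routine: base64-decode, XOR every
    character with the fixed key (repeated cyclically), then base64-decode
    the result once more.

    Args:
        string: the base64 text taken from the ``data-url`` attribute.
        res: prefix the XOR output is appended to (kept for compatibility;
            normally left empty).

    Returns:
        The decoded plaintext.
    """
    key = "nmmeccpan"
    temp = atob(string)
    # Index both the data and the key: calling ord() on a whole multi-character
    # string raises TypeError, and the key has to wrap around for inputs longer
    # than the key itself.
    res += ''.join(
        chr(ord(ch) ^ ord(key[i % len(key)])) for i, ch in enumerate(temp)
    )
    return atob(res)


print(decrypt('DyU/VQArPVciF1QaPDRXBTgDKB03LTYWKVNXGiFeKBUuKAVfDTUJFy1QABc9KTc6BFMbGQAmLDU4DlNSIyYNQQ4lAQgzJAZaISkKWA=='))
#https://pan.baidu.com/s/1wuqwk7zoHfVkLbhpWRM5Hg?pwd=8888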
还有另一个加密链接,本来看不看无所谓,但是传入解密代码它报错耶,这不能忍,这个密文链接是点击跳转另一个页面,直接hook window.open = (e) => {debugger}运行,查看e值
结果:python直接请求 url = location.origin + '/open/other/' + 那串不是密文的密文 直接跳转
完结
分析时间<写文章时间
简单解混淆了一下(字符串已还原,恒真/恒假的垃圾分支还留着,实际只会走到其中一个分支):
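/**
 * localStorage-backed cache with a per-entry expiry time, as recovered from
 * the site's bundle. The obfuscator's never-taken branch in `get` (a constant
 * string comparison guarding code full of undeclared identifiers) has been
 * dropped; only the live path remains.
 */
var mcl = {
  'Cache': {
    /**
     * Store `value` under `key` together with an expiry timestamp.
     * @param {string} key - localStorage key.
     * @param {*} value - any JSON-serialisable value.
     * @param {number} ttlSeconds - lifetime in seconds; falls back to 60 when
     *   missing, zero or not numeric.
     * @returns {boolean|undefined} false when localStorage is falsy, otherwise
     *   undefined.
     */
    'put': function (key, value, ttlSeconds) {
      try {
        if (!localStorage) return false;
        if (!ttlSeconds || isNaN(ttlSeconds)) ttlSeconds = 60;
        localStorage.setItem(key, JSON.stringify({
          'val': value,
          // `new Date() - 1` coerces the date to epoch milliseconds.
          'exp': new Date() - 1 + 1000 * ttlSeconds
        }));
      } catch (err) {
        // Best-effort write: any storage or serialisation error is ignored.
      }
    },

    /**
     * Read the value stored under `key`.
     * @param {string} key - localStorage key.
     * @returns {*} the stored value; '' when the entry has expired (the entry
     *   is removed); null when nothing is stored or the stored text cannot be
     *   parsed (the entry is removed); false when localStorage is falsy.
     */
    'get': function (key) {
      try {
        if (!localStorage) return false;
        var raw = localStorage.getItem(key);
        var entry = JSON.parse(raw);
        if (!entry) return null;
        if (new Date() - 1 > entry.exp) {
          this.remove(key);
          return '';
        }
        return entry.val;
      } catch (err) {
        this.remove(key);
        return null;
      }
    },

    /** Delete one entry; returns false when localStorage is falsy. */
    'remove': function (key) {
      if (!localStorage) return false;
      localStorage.removeItem(key);
    },

    /** Delete every localStorage entry for this origin, not only cache entries. */
    'clear': function () {
      if (!localStorage) return false;
      localStorage.clear();
    }
  }
};

// A second script is pulled from a third-party host, with the current page's
// hostname appended to the path, and injected into <body>. It runs with the
// page's full privileges and is not part of this listing, so an analysis of
// the page is incomplete until that response has been inspected as well.
// NOTE(review): the per-hostname path looks like a domain check or per-site
// payload; confirm against the actual response.
var nmb = "//cdn.leeleo.vip/mcsou/" + window.location.hostname;
var vue = $("<script></script>");
vue.attr('src', nmb);
$('body').append(vue);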
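/**
 * Decode a `data-url` attribute value into the plaintext link.
 *
 * Steps: base64-decode the input, XOR each character with the fixed key
 * (repeated cyclically), then base64-decode the result again. The key is a
 * constant shipped to every visitor, so this layer is obfuscation and gives
 * the links no confidentiality.
 *
 * The obfuscator's never-taken branch inside the loop (a constant string
 * compared with itself using `!==`) has been removed.
 *
 * @param {string} encoded - value of the element's `data-url` attribute.
 * @returns {string} the decoded link.
 */
function nmdecode(encoded) {
  var key = "nmmeccpan";
  var xored = base64_decode(encoded);
  var keyLength = key.length;
  var inner = '';
  for (var i = 0; i < xored.length; i++) {
    // The key index wraps around, so inputs longer than the key reuse it.
    inner += String.fromCharCode(xored.charCodeAt(i) ^ key.charCodeAt(i % keyLength));
  }
  return base64_decode(inner);
}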
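/**
 * Hand-rolled base64 decoder.
 *
 * Reads the input four characters at a time, rebuilds the 24-bit group and
 * emits one, two or three characters depending on where the `=` padding
 * (index 64 in the alphabet) appears. Each output character carries one
 * decoded byte value (0-255).
 *
 * Fix over the listing: every decoded group is now appended to the chunk
 * array. The listing overwrote the array with a string on each pass and then
 * called `.join` on that string, which throws a TypeError.
 *
 * Characters outside the alphabet are not rejected; `indexOf` yields -1 for
 * them and the output for that group is garbage.
 *
 * @param {string} data - base64 text.
 * @returns {string} decoded characters; a falsy input is returned unchanged.
 */
function base64_decode(data) {
  var alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
  var pos = 0;
  var chunks = [];

  if (!data) return data;
  data += '';

  do {
    // Four 6-bit indices make one 24-bit group.
    var h1 = alphabet.indexOf(data.charAt(pos++));
    var h2 = alphabet.indexOf(data.charAt(pos++));
    var h3 = alphabet.indexOf(data.charAt(pos++));
    var h4 = alphabet.indexOf(data.charAt(pos++));
    var bits = h1 << 18 | h2 << 12 | h3 << 6 | h4;

    var o1 = bits >> 16 & 255;
    var o2 = bits >> 8 & 255;
    var o3 = bits & 255;

    if (h3 == 64) {
      // "xx==": only the first byte is real.
      chunks.push(String.fromCharCode(o1));
    } else if (h4 == 64) {
      // "xxx=": the first two bytes are real.
      chunks.push(String.fromCharCode(o1, o2));
    } else {
      chunks.push(String.fromCharCode(o1, o2, o3));
    }
  } while (pos < data.length);

  return chunks.join('');
}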
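// Click handlers for the result list, with the obfuscator's noise removed:
// branches guarded by constant string comparisons never run (and reference
// undeclared identifiers), and the `function (f, a, b) { return f(a, b); }`
// wrappers only forward a call, so they are written as direct calls here.

// Trending keyword: copy it into the search box and navigate to its result page.
$("#Top").on("click", ".block", function () {
  var keyword = $(this).text();
  $("#Word").val(keyword);
  // The keyword is concatenated into the path without URL-encoding.
  window.location.href = "/s/1/" + keyword;
  showDefault("正在努力加载中 · · ·", 2);
});

// "Open" button: put the extraction code on the clipboard, then open the
// server-side redirect for this entry. The `data-url` value goes to the
// server as-is; it is not run through nmdecode() in the browser.
$('.open').click(function () {
  var url = $(this).data('url');
  var code = $(this).data('code');
  var id = $(this).data('id');
  // NOTE(review): a new ClipboardJS instance bound to every ".open" element is
  // created on each click and never destroyed; presumably the listeners
  // accumulate. Confirm against ClipboardJS behaviour.
  var clipboard = new ClipboardJS(".open", {
    'text': function () {
      return code;
    }
  });
  clipboard.on("success", function (evt) {
    showDefault('复制密码成功,正在打开…', 2);
  });
  setTimeout(function () {
    window.open("/open/" + id + '/' + url);
  }, 500);
});

// "Copy" button: decode the link in the browser with nmdecode() and copy it.
// Entries whose data-type is "quark" copy the bare link, all others copy a
// formatted line with title, link and extraction code.
$(".copy").click(function () {
  var text;
  // Loose equality kept from the original.
  if ($(this).data('type') == "quark") {
    text = nmdecode($(this).data("url"));
  } else {
    text = "【橘子盘搜nmme.one】标题:" + $(this).data('title') + ",链接:" + nmdecode($(this).data('url')) + ",提取码:" + $(this).data('code');
  }
  var clipboard = new ClipboardJS(".copy", {
    'text': function () {
      return text;
    }
  });
  clipboard.on('success', function (evt) {
    showDefault("复制成功,打开网盘APP即可保存!", 2);
  });
  // Copy failures are ignored.
  clipboard.on("error", function (evt) {});
});

// "Report" button: POST the entry id once, then remember the report in
// mcl.Cache for 24 hours so that the same browser does not submit it again.
// The limit lives in localStorage only, so it is a UI convenience and not a
// server-side control.
$(".fankui").click(function () {
  var id = $(this).data('id');
  if (mcl.Cache.get('fankui_' + id) === 'ok') {
    showDefault("您已反馈,请耐心等待修复!", 2);
    return;
  }
  $.ajax({
    'url': "/a/fankui",
    'type': "post",
    'dataType': 'json',
    'data': {
      'id': id
    },
    'success': function (response) {
      // Loose equality kept from the original: 200 and "200" both count.
      if (response.code == 200) {
        showDefault('反馈成功!', 2);
        mcl.Cache.put('fankui_' + id, 'ok', 24 * 60 * 60);
      } else {
        showDefault("反馈失败!", 2);
      }
    }
  });
});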
// Shared toast widget used by showDefault(); auiToast is not defined in this listing.
var toast = new auiToast();
/**
 * Show a toast through the shared `toast` widget.
 * @param {string} message - text shown after the "☺ " prefix.
 * @param {number} seconds - display time in seconds; passed on in milliseconds.
 */
function showDefault(message, seconds) {
  var options = {};
  options.title = "☺ " + message;
  options.html = '';
  options.duration = seconds * 1000;
  toast.custom(options);
}
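// Search form wiring, with the obfuscator's never-taken branch removed (the
// live branch was guarded by a constant string compared with itself).

// Enter inside the form triggers the search button instead of a form submit.
$('#ThisForm').keydown(function () {
  // NOTE(review): the handler declares no parameter and reads the implicit
  // global `event` (window.event), as the original does.
  if (event.keyCode == 13) {
    $("#Search").click();
    return false;
  }
});

// Search button: reject an empty keyword, otherwise go to the result page.
$("#Search").click(function () {
  var keyword = $("#Word").val();
  if (!keyword) {
    showDefault('搜索关键字不能为空!', 1);
    return false;
  }
  // The keyword is concatenated into the path without URL-encoding.
  window.location.href = "/s/1/" + keyword;
  showDefault("正在努力加载中 · · ·", 2);
});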