@TOC
js分析
在滑动完成后,会请求【cap_union_new_verify】接口,其中有5个比较长的参数,看起来可能会有加密的,分别如下。
参数名 |
来源 |
ua |
|
sess |
|
collect |
|
eks |
|
vData |
|
那现在js看看这些参数是怎么来的,ua看名字很有可能是User-Agent的简写,把值直接放到base64解码,可以发现就是与请求的User-Agent一模一样。
sess 从【cap_union_prehandle】的请求返回的,而这个请求并没有其他的加密请求参数,那么sess就可以理解为是由服务器返回的。
接着直接搜索【collect】
发现只有两处,实际就是下面的js中
【collect】就是由【C()】得到,同时也带出了下面的【eks】参数由【R()】得到·,非常好。一次找到两个。
最后是vData,发现在下面的函数出现到,那么接下来动态调试看看。
可以看到C函数绑定的是getData函数,继续往里面走
里面调用的是g的函数,而这个已经是vmp的函数了,就不往下走了,接着很容易发现R函数绑定的是getEks函数,并且也会走到vmp内部
接着再往下,去到send下断点
发现send的时候,还没有vData参数,但是实际发出去的时候却有了,那么很有可能和某音一样重写了XMLHttpRequest的原型,那么查看一下是否被修改
发现确实被重写,同时也是指向了vmp的内部,那么现在总结一下参数的来源
参数名 |
来源 |
ua |
User-Agent的base64编码 |
sess |
前面请求返回 |
collect |
getData (jsvmp-tdc) |
eks |
getEks (jsvmp-tdc) |
vData |
XMLHttpRequest.prototype.send (jsvmp-slide) |
初步分析vmp结构
把tdc的js下载到本地,然后格式化阅读一下。
里面有一大段base64编码的字符串,以及一个大数组,这两个最终会解码成一个大数组,这个大数组就是包含字节码的数组,并传入【__TENCENT_CHAOS_VM】运行
经过一段分析,发现主要用到的是前四个参数
配合上面的一个子函数创建的指令,大概可以猜测到各个参数含义
参数 |
作用 |
1 |
pc寄存器 |
2 |
字节码数组 |
3 |
函数调用者 |
4 |
调用堆栈 |
这里我暂时写了小小的解释器,可以看到微量的函数逻辑
(function () {
function _0x7(_0x7_0) {
function _0x14(_0x14_0) {}
let tx_1 = new window["Object"]();
_0x14["m"] = _0x7_0;
_0x14["c"] = tx_1;
function _0x131(_0x131_0, _0x131_1, _0x131_2) {}
_0x14["d"] = _0x131;
function _0x1d2(_0x1d2_0) {}
_0x14["r"] = _0x1d2;
function _0x32f(_0x32f_0, _0x32f_1) {}
_0x14["t"] = _0x32f;
function _0x4e5(_0x4e5_0) {}
_0x14["n"] = _0x4e5;
function _0x571(_0x571_0, _0x571_1) {
let tx_2 = window["Object"]["prototype"]["hasOwnProperty"]["call"](_0x571_0, _0x571_1);
return tx_2;
}
_0x14["o"] = _0x571;
_0x14["p"] = "";
_0x14["s"] = 0;
let tx_3 = _0x14(0);
return tx_3;
}
let tx_4 = new window["Array"]();
function _0x608(_0x608_0, _0x608_1, _0x608_2) {
let tx_5 = new window["Object"]();
tx_5["info"] = window["window"]["QQVkQHQWOfMFNTXSYXlimJVnCGHWjNnK"];
let tx_6 = new window["Object"]();
try {
window["window"]["TDC"] = tx_6;
function _0x761() {
let tx_7 = _0x608_2(1);
let tx_8 = tx_7["getGuid"]();
tx_5["tokenid"] = tx_8;
return tx_5;
}
tx_6["getInfo"] = _0x761;
let tx_9 = _0x608_2(3);
tx_6["setData"] = tx_9["mSet"];
tx_6["clearTc"] = tx_9["mClear"];
tx_6["getData"] = tx_9["mGetData"];
let tx_10 = tx_9["mInit"]();
} catch (tx_11) {
try {
let tx_12 = _0x608_2(60);
let tx_13 = tx_12(tx_11);
function _0x6e6() {}
tx_6["getData"] = _0x6e6;
} catch (e) {
return undefined;
}
return undefined;
}
return undefined;
}
tx_4[0] = _0x608;
function _0x84c(_0x84c_0, _0x84c_1, _0x84c_2) {}
tx_4[1] = _0x84c;
function _0xb89(_0xb89_0, _0xb89_1, _0xb89_2) {}
tx_4[2] = _0xb89;
function _0x1022(_0x1022_0, _0x1022_1, _0x1022_2) {}
tx_4[3] = _0x1022;
function _0x19fd(_0x19fd_0, _0x19fd_1, _0x19fd_2) {}
tx_4[4] = _0x19fd;
function _0x1b81(_0x1b81_0, _0x1b81_1, _0x1b81_2) {}
tx_4[5] = _0x1b81;
function _0x1bb9(_0x1bb9_0, _0x1bb9_1) {}
tx_4[6] = _0x1bb9;
function _0x2758(_0x2758_0, _0x2758_1, _0x2758_2) {}
tx_4[7] = _0x2758;
function _0x2bd2(_0x2bd2_0, _0x2bd2_1, _0x2bd2_2) {}
tx_4[8] = _0x2bd2;
function _0x2c52(_0x2c52_0, _0x2c52_1, _0x2c52_2) {}
tx_4[9] = _0x2c52;
function _0x2d52(_0x2d52_0, _0x2d52_1, _0x2d52_2) {}
tx_4[10] = _0x2d52;
function _0x2dd4(_0x2dd4_0, _0x2dd4_1, _0x2dd4_2) {}
tx_4[11] = _0x2dd4;
function _0x2e46(_0x2e46_0, _0x2e46_1, _0x2e46_2) {}
tx_4[12] = _0x2e46;
function _0x309b(_0x309b_0, _0x309b_1, _0x309b_2) {}
tx_4[13] = _0x309b;
function _0x33d2(_0x33d2_0, _0x33d2_1, _0x33d2_2) {}
tx_4[14] = _0x33d2;
function _0x35f0(_0x35f0_0, _0x35f0_1, _0x35f0_2) {}
tx_4[15] = _0x35f0;
function _0x36b9(_0x36b9_0, _0x36b9_1, _0x36b9_2) {}
tx_4[16] = _0x36b9;
function _0x36ed(_0x36ed_0, _0x36ed_1, _0x36ed_2) {}
tx_4[17] = _0x36ed;
function _0x376f(_0x376f_0, _0x376f_1, _0x376f_2) {}
tx_4[18] = _0x376f;
function _0x3d18(_0x3d18_0, _0x3d18_1, _0x3d18_2) {}
tx_4[19] = _0x3d18;
function _0x3e8f(_0x3e8f_0, _0x3e8f_1, _0x3e8f_2) {}
tx_4[20] = _0x3e8f;
function _0x3f25(_0x3f25_0, _0x3f25_1, _0x3f25_2) {}
tx_4[21] = _0x3f25;
function _0x408b(_0x408b_0, _0x408b_1, _0x408b_2) {}
tx_4[22] = _0x408b;
function _0x40fb(_0x40fb_0, _0x40fb_1, _0x40fb_2) {}
tx_4[23] = _0x40fb;
function _0x41cc(_0x41cc_0, _0x41cc_1, _0x41cc_2) {}
tx_4[24] = _0x41cc;
function _0x4414(_0x4414_0, _0x4414_1, _0x4414_2) {}
tx_4[25] = _0x4414;
function _0x4812(_0x4812_0, _0x4812_1, _0x4812_2) {}
tx_4[26] = _0x4812;
function _0x49ff(_0x49ff_0, _0x49ff_1, _0x49ff_2) {}
tx_4[27] = _0x49ff;
function _0x5243(_0x5243_0, _0x5243_1, _0x5243_2) {}
tx_4[28] = _0x5243;
function _0x5364(_0x5364_0, _0x5364_1, _0x5364_2) {}
tx_4[29] = _0x5364;
function _0x555f(_0x555f_0, _0x555f_1, _0x555f_2) {}
tx_4[30] = _0x555f;
function _0x58fa(_0x58fa_0, _0x58fa_1, _0x58fa_2) {}
tx_4[31] = _0x58fa;
function _0x60f6(_0x60f6_0, _0x60f6_1, _0x60f6_2) {}
tx_4[32] = _0x60f6;
function _0x6487(_0x6487_0, _0x6487_1, _0x6487_2) {}
tx_4[33] = _0x6487;
function _0x6698(_0x6698_0, _0x6698_1, _0x6698_2) {}
tx_4[34] = _0x6698;
function _0x6a36(_0x6a36_0, _0x6a36_1, _0x6a36_2) {}
tx_4[35] = _0x6a36;
function _0x6dc0(_0x6dc0_0, _0x6dc0_1, _0x6dc0_2) {}
tx_4[36] = _0x6dc0;
function _0x8a18(_0x8a18_0, _0x8a18_1, _0x8a18_2) {}
tx_4[37] = _0x8a18;
function _0x8b72(_0x8b72_0, _0x8b72_1, _0x8b72_2) {}
tx_4[38] = _0x8b72;
function _0x8c13(_0x8c13_0, _0x8c13_1, _0x8c13_2) {}
tx_4[39] = _0x8c13;
function _0x8d47(_0x8d47_0, _0x8d47_1, _0x8d47_2) {}
tx_4[40] = _0x8d47;
function _0x8e28(_0x8e28_0, _0x8e28_1, _0x8e28_2) {}
tx_4[41] = _0x8e28;
function _0x8ec7(_0x8ec7_0, _0x8ec7_1, _0x8ec7_2) {}
tx_4[42] = _0x8ec7;
function _0x8f3d(_0x8f3d_0, _0x8f3d_1, _0x8f3d_2) {}
tx_4[43] = _0x8f3d;
function _0x90f3(_0x90f3_0, _0x90f3_1, _0x90f3_2) {}
tx_4[44] = _0x90f3;
function _0x928a(_0x928a_0, _0x928a_1, _0x928a_2) {}
tx_4[45] = _0x928a;
function _0x934a(_0x934a_0, _0x934a_1, _0x934a_2) {}
tx_4[46] = _0x934a;
function _0x94e0(_0x94e0_0, _0x94e0_1, _0x94e0_2) {}
tx_4[47] = _0x94e0;
function _0x9573(_0x9573_0, _0x9573_1, _0x9573_2) {}
tx_4[48] = _0x9573;
function _0x964a(_0x964a_0, _0x964a_1, _0x964a_2) {}
tx_4[49] = _0x964a;
function _0x9da5(_0x9da5_0, _0x9da5_1, _0x9da5_2) {}
tx_4[50] = _0x9da5;
function _0xa203(_0xa203_0, _0xa203_1, _0xa203_2) {}
tx_4[51] = _0xa203;
function _0xa38f(_0xa38f_0, _0xa38f_1, _0xa38f_2) {}
tx_4[52] = _0xa38f;
function _0xa41f(_0xa41f_0, _0xa41f_1, _0xa41f_2) {}
tx_4[53] = _0xa41f;
function _0xa4b4(_0xa4b4_0, _0xa4b4_1, _0xa4b4_2) {}
tx_4[54] = _0xa4b4;
function _0xa627(_0xa627_0, _0xa627_1, _0xa627_2) {}
tx_4[55] = _0xa627;
function _0xa698(_0xa698_0, _0xa698_1, _0xa698_2) {}
tx_4[56] = _0xa698;
function _0xa852(_0xa852_0, _0xa852_1, _0xa852_2) {}
tx_4[57] = _0xa852;
function _0xa902(_0xa902_0, _0xa902_1, _0xa902_2) {}
tx_4[58] = _0xa902;
function _0xa9d5(_0xa9d5_0, _0xa9d5_1, _0xa9d5_2) {}
tx_4[59] = _0xa9d5;
function _0xab51(_0xab51_0, _0xab51_1, _0xab51_2) {}
tx_4[60] = _0xab51;
function _0xacd5(_0xacd5_0, _0xacd5_1, _0xacd5_2) {}
tx_4[61] = _0xacd5;
let tx_14 = _0x7(tx_4);
return undefined;
})();
此代码因为没有完整验证,仅供参考。
接着我还没发现原来解释器的指令数组是会变的,好家伙,这使得我需要重构部分逻辑才能继续往下走