吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 4494|回复: 29
收起左侧

[Web逆向] 某某盘搜加密混淆速通

[复制链接]
lianguhong 发表于 2023-4-27 16:29
本帖最后由 lianguhong 于 2023-4-27 16:58 编辑

本文仅供学习交流使用,如有侵权,联系我删除。

网址:aHR0cHM6Ly93d3cubm1tZS54eXov

先帝创业未半。。。
e4f658ffece563e93ae9cc28c1ae545.png

解决方法:
永不在此暂停,注意当debugger住时已经晚了,直接页面'about:blank',所以要先勾上script断点,在图中debugger断住前断住勾上永不在此暂停,弊端:刷新就要重复当前步骤
替换响应,使用python的mitmproxy
7a0d8cc4a35ab0d8e03595cd17e9d73.png

发现凡是链接位置都是javascript;;,后面的data-url一眼顶真,'=='盲猜是base解密url
fa9714d0418d69bdddc6c8f7d27957f.png
27c3227b7beb071a90d0f79cccffb87.png
b71e919c32a8f8e1dc66b550f117193.png

先看复制链接这个加密,发现并不对,可能修改过或者在解密前做了其他操作
289be6f408e880ebed36369011152fb.png

点击后解密复制在了剪贴板,所以目标可以选择找click事件或copy函数,点击Elements点击事件监听器
ee952a1b424000ff6ed8901d75e1ed3.png

进入后指向这个文件的这个方法,直接下断点,看到这些变量命名就像回到家一样,自己也尝试实现过
简单例子:
混淆StringLiteral:win['document'] => win[d] => win[F('?','?')]
混淆BinaryExpression:a + b => F('?','?') + F('?','?') => O[F('?','?')](F('?','?'),F('?','?'))
eb268d72a9c1ea959e550323d000900.png
cf3dea76d3eec4c4e9979fa00233049.png

不解混淆,直接跳过混淆的对象赋值和各种赋值,在if分支后面下断点运行直接到最后一个else,这种混淆除了进入解密算法前大部分分支都是无意义的
f97a8906644e24ae28a8856aa1bf4fc.png
9d88a295092def197833b95e7046f56.png

不像解密算法该有的样子,那就是还在准备调用前跳转,不用一个一个用鼠标去选查看混淆前上什么,直接无脑步入步出
0c6c33d7ad4a56e87dbcbbc26dd8600.png
这个就是自己计算取真实代码,步出再步入
82211650bf89e709d92c94daea3cbe0.png

开始拼接复制的部分文本,我们要的是链接解密,步出步入
7d8fc3d299b1c591ae7216162a9e703.png

到达最高城 理塘 ,看函数名就知道到达理塘了,并且参数刚好是要解密的字符串,估计网站作者没充钱,藏了又跟没藏一样,算法很短,for循环里的if分支也是假的,直接走最后一个else分支,流程base64解密 ->跟固定字符串异或 ->base64解密 = 明文
013b9d239550214a912bb5f01ad0b7a.png
9fdd029de832e14c4ac912ece2922c2.png
结果
[Python] 纯文本查看 复制代码
import base64
def atob(string):
    return base64.b64decode(string.encode()).decode()

def decrypt(string, res=''):
    temp = atob(string)
    for i in range(len(temp)):
        res += chr(ord(temp[i]) ^ ord("nmmeccpan"[i % 9]))
    return atob(res)

print(decrypt('DyU/VQArPVciF1QaPDRXBTgDKB03LTYWKVNXGiFeKBUuKAVfDTUJFy1QABc9KTc6BFMbGQAmLDU4DlNSIyYNQQ4lAQgzJAZaISkKWA=='))
#https://pan.baidu.com/s/1wuqwk7zoHfVkLbhpWRM5Hg?pwd=8888


还有另一个加密链接,本来看不看无所谓,但是传入解密代码它报错耶,这不能忍,这个密文链接是点击跳转另一个页面,直接hook window.open = (e) => {debugger}运行,查看e值
cbaf21b0b8408470da9170506f8b6a9.png
结果:python直接请求 url = location.origin + '/open/other/' + 那串不是密文的密文 直接跳转
fbdc1b372e793cd6a890213b91b8e7b.png

完结
分析时间  <  写文章时间

免费评分

参与人数 13吾爱币 +18 热心值 +12 收起 理由
笙若 + 1 + 1 谢谢@Thanks!
dlyuang + 1 + 1 谢谢@Thanks!
bingshuir + 1 + 1 我很赞同!
5omggx + 1 + 1 用心讨论,共获提升!
涛之雨 + 7 + 1 欢迎分析讨论交流,吾爱破解论坛有你更精彩!
抱歉、 + 1 谢谢@Thanks!
yequ1124 + 1 热心回复!
Yangzaipython + 1 + 1 用心讨论,共获提升!
开心熊猫741 + 1 + 1 热心回复!
sorryzzital + 1 + 1 谢谢@Thanks!
lee_qian + 1 + 1 谢谢@Thanks!
helian147 + 1 + 1 热心回复!
李玉风我爱你 + 1 + 1 我很赞同!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

alanhays 发表于 2023-4-28 12:01
简单解密了一下
[Asm] 纯文本查看 复制代码
var mcl = {
  'Cache': {
    'put': function (_0x227ab3, _0x284223, _0x45dc19) {
      try {
        if (!localStorage) return !1;
        if (!_0x45dc19 || isNaN(_0x45dc19)) _0x45dc19 = 60;
        localStorage["setItem"](_0x227ab3, JSON["stringify"]({
          'val': _0x284223,
          'exp': new Date() - 1 + 1000 * _0x45dc19
        }));
      } catch (_0x5a50f8) {}
    },
    'get': function (_0x352237) {
      try {
        if ('IDPys' === 'FZjsz') try {
          if (!_0x243576) return !1;

          var _0x50a19a = _0x5f2297['getItem'](_0x3cb1e7),
              _0x5bf47e = _0xb18cfb["parse"](_0x50a19a);

          return _0x5bf47e ? new _0x6bf9cc() - 1 > _0x5bf47e["exp"] ? (this["remove"](_0x4c13fc), '') : _0x5bf47e["val"] : null;
        } catch (_0x2b1022) {
          return this["remove"](_0x480c69), null;
        } else {
          if (!localStorage) return !1;

          var _0x221f1f = localStorage["getItem"](_0x352237),
              _0x21545e = JSON['parse'](_0x221f1f);

          return _0x21545e ? new Date() - 1 > _0x21545e["exp"] ? (this["remove"](_0x352237), '') : _0x21545e['val'] : null;
        }
      } catch (_0x4b08d8) {
        return this["remove"](_0x352237), null;
      }
    },
    'remove': function (_0x2a1d88) {
      if (!localStorage) return !1;
      localStorage['removeItem'](_0x2a1d88);
    },
    'clear': function () {
      if (!localStorage) return !1;
      localStorage["clear"]();
    }
  }
},
    nmb = "//cdn.leeleo.vip/mcsou/" + window["location"]['hostname'],
    vue = $("<script></script>");
vue["attr"]('src', nmb), $('body')['append'](vue);
;

function nmdecode(_0x521b99) {
  var _0xdde676 = "nmmeccpan",
      _0x2d777a = base64_decode(_0x521b99),
      _0x39e3c7 = _0xdde676['length'],
      _0x646c97 = '';

  for (var _0x55c027 = 0; _0x55c027 < _0x2d777a["length"]; _0x55c027++) {
    if ("KLtIN" !== "KLtIN") {
      if (!_0x2a80d4) return !1;

      var _0x3c1380 = _0x56dead["getItem"](_0x23bd46),
          _0x1106c6 = _0x5422ce["parse"](_0x3c1380);

      return _0x1106c6 ? new _0xdac26a() - 1 > _0x1106c6["exp"] ? (this["remove"](_0x5abd28), '') : _0x1106c6["val"] : null;
    } else {
      var _0x4a773f = _0x55c027 % _0x39e3c7;

      _0x646c97 += String['fromCharCode'](_0x2d777a["charCodeAt"](_0x55c027) ^ _0xdde676['charCodeAt'](_0x4a773f));
    }
  }

  return base64_decode(_0x646c97);
}

function base64_decode(_0x422286) {
  var _0x4ea37b = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',
      _0x55875e,
      _0x534d43,
      _0x1149a8,
      _0x25303a,
      _0x2f3b8e,
      _0x21e4d1,
      _0x5a10e4,
      _0x5bc19c,
      _0x42c868 = 0,
      _0x144cb4 = 0,
      _0x4102bf = '',
      _0x6f2f21 = [];

  if (!_0x422286) return _0x422286;
  _0x422286 += '';

  do {
    _0x25303a = _0x4ea37b['indexOf'](_0x422286["charAt"](_0x42c868++)), _0x2f3b8e = _0x4ea37b["indexOf"](_0x422286['charAt'](_0x42c868++)), _0x21e4d1 = _0x4ea37b['indexOf'](_0x422286["charAt"](_0x42c868++)), _0x5a10e4 = _0x4ea37b['indexOf'](_0x422286["charAt"](_0x42c868++)), _0x5bc19c = _0x25303a << 18 | _0x2f3b8e << 12 | _0x21e4d1 << 6 | _0x5a10e4, _0x55875e = _0x5bc19c >> 16 & 255, _0x534d43 = _0x5bc19c >> 8 & 255, _0x1149a8 = _0x5bc19c & 255;

    if (_0x21e4d1 == 64) {
      if ('NomcL' === "Ecner") {
        _0x2e48d8[_0x5ef731++] = _0x49e41a["fromCharCode"](_0x1c8514, _0x3652b6);
      } else {
        _0x6f2f21[_0x144cb4++] = String['fromCharCode'](_0x55875e);
      }
    } else {
      if (_0x5a10e4 == 64) {
        _0x6f2f21[_0x144cb4++] = String['fromCharCode'](_0x55875e, _0x534d43);
      } else {
        _0x6f2f21[_0x144cb4++] = String["fromCharCode"](_0x55875e, _0x534d43, _0x1149a8);
      }
    }
  } while (_0x42c868 < _0x422286["length"]);

  return _0x4102bf = _0x6f2f21["join"](''), _0x4102bf;
}

$("#Top")['on']("click", ".block", function () {
  var _0x3f232b = $(this)["text"]();

  $("#Word")["val"](_0x3f232b), window["location"]["href"] = "/s/1/" + _0x3f232b, function (_0x5eed23, _0x46676a, _0x5bd905) {
    return _0x5eed23(_0x46676a, _0x5bd905);
  }(showDefault, "正在努力加载中 · · ·", 2);
}), $('.open')["click"](function () {
  var _0x55b38b = $(this)['data']('url'),
      _0x1d4919 = $(this)["data"]('code'),
      _0x29078c = $(this)['data']('id'),
      _0x110680 = new ClipboardJS(".open", {
    'text': function () {
      if ('MNbRd' !== "qBcaL") return _0x1d4919;else _0xe98139("反馈成功!", 2), _0x52f6a1["Cache"]["put"]('fankui_' + _0x270df7, 'ok', 24 * 60 * 60);
    }
  });

  _0x110680['on']("success", function (_0x3b56c5) {
    (function (_0x15fae8, _0x1c3cf8, _0x1e7409) {
      return _0x15fae8(_0x1c3cf8, _0x1e7409);
    })(showDefault, '复制密码成功,正在打开…', 2);
  }), function (_0x15fae8, _0x1c3cf8, _0x1e7409) {
    return _0x15fae8(_0x1c3cf8, _0x1e7409);
  }(setTimeout, function () {
    window['open']("/open/" + _0x29078c + '/' + _0x55b38b);
  }, 500);
}), $(".copy")["click"](function () {
  if ($(this)["data"]('type') == "quark") {
    if ("hvnth" !== "aXdFD") var _0x2f24a7 = nmdecode($(this)["data"]("url"));else {
      var _0x4184f7 = _0x19e0cd("#Word")["val"]();

      if (!_0x4184f7) return function (_0x315f58, _0x4090f6, _0x4e248f) {
        return _0x315f58(_0x4090f6, _0x4e248f);
      }(_0x5c3598, "搜索关键字不能为空!", 1), ![];else _0x54725e["location"]['href'] = "/s/1/" + _0x4184f7, function (_0x55e6f2, _0x3477dc, _0x54ac45) {
        return _0x55e6f2(_0x3477dc, _0x54ac45);
      }(_0x4cacb1, "正在努力加载中 · · ·", 2);
    }
  } else var _0x2f24a7 = "【橘子盘搜nmme.one】标题:" + $(this)["data"]('title') + ",链接:" + nmdecode($(this)["data"]('url')) + ",提取码:" + $(this)['data']('code');

  ;

  var _0x4def6e = new ClipboardJS(".copy", {
    'text': function () {
      return _0x2f24a7;
    }
  });

  _0x4def6e['on']('success', function (_0x5d9d5e) {
    showDefault("复制成功,打开网盘APP即可保存!", 2);
  }), _0x4def6e['on']("error", function (_0x475835) {});
}), $(".fankui")['click'](function () {
  var _0x4267c6 = $(this)['data']('id');

  if (mcl["Cache"]["get"]('fankui_' + _0x4267c6) !== 'ok') {
    if ("hzbpX" === 'HEDja') {
      _0x4e47fb["custom"]({
        'title': '&#9786;&nbsp;' + _0x6e0b0b,
        'html': '',
        'duration': _0x138137 * 1000
      });
    } else {
      $['ajax']({
        'url': "/a/fankui",
        'type': "post",
        'dataType': 'json',
        'data': {
          'id': _0x4267c6
        },
        'success': function (_0x5c159d) {
          if ("ZIUTo" !== "wvCnC") {
            if (_0x5c159d["code"] == 200) (function (_0x1d26d3, _0x1af288, _0x36bb8e) {
              return _0x1d26d3(_0x1af288, _0x36bb8e);
            })(showDefault, '反馈成功!', 2), mcl["Cache"]["put"]('fankui_' + _0x4267c6, 'ok', 24 * 60 * 60);else {
              if ('MIxIH' === "MIxIH") (function (_0x1d26d3, _0x1af288, _0x36bb8e) {
                return _0x1d26d3(_0x1af288, _0x36bb8e);
              })(showDefault, "反馈失败!", 2);else var _0x49e3b4 = "【橘子盘搜nmme.one】标题:" + _0xb1b8a4(this)["data"]("title") + ",链接:" + _0x478300(_0x1b6690(this)["data"]("url")) + ',提取码:' + _0x27950b(this)['data']("code");
            }
          } else {
            var _0x13d16b = 'nmmeccpan',
                _0x233608 = _0x15cc89(_0x42d080),
                _0x1b528f = _0x13d16b["length"],
                _0x50ec6f = '';

            for (var _0x4ca100 = 0; _0x4ca100 < _0x233608['length']; _0x4ca100++) {
              var _0x527860 = _0x4ca100 % _0x1b528f;

              _0x50ec6f += _0x35ca6a["fromCharCode"](_0x233608["charCodeAt"](_0x4ca100) ^ _0x13d16b["charCodeAt"](_0x527860));
            }

            return _0x30472b(_0x50ec6f);
          }
        }
      });
    }
  } else {
    (function (_0xa72f59, _0x2d66f4, _0x5a832d) {
      return _0xa72f59(_0x2d66f4, _0x5a832d);
    })(showDefault, "您已反馈,请耐心等待修复!", 2);
  }
});
var toast = new auiToast();

function showDefault(_0x3cc937, _0x3301bd) {
  toast['custom']({
    'title': "&#9786;&nbsp;" + _0x3cc937,
    'html': '',
    'duration': _0x3301bd * 1000
  });
}

$('#ThisForm')["keydown"](function () {
  if (event["keyCode"] == 13) {
    if ("UmQky" === "UmQky") return $("#Search")["click"](), ![];else _0x54ad19("复制密码成功,正在打开…", 2);
  }
}), $("#Search")["click"](function () {
  var _0x48d11d = $("#Word")['val']();

  if (!_0x48d11d) return showDefault('搜索关键字不能为空!', 1), ![];else window["location"]["href"] = "/s/1/" + _0x48d11d, function (_0x17e523, _0x480f82, _0x509c3f) {
    return _0x17e523(_0x480f82, _0x509c3f);
  }(showDefault, "正在努力加载中 · · ·", 2);
});
helian147 发表于 2023-4-27 20:40
cxclj520 发表于 2023-4-27 19:07
lshanu 发表于 2023-4-27 20:15
虽然看不懂,但总得支持一下
zxcv75429 发表于 2023-4-27 20:37
感谢分享
lee_qian 发表于 2023-4-27 20:43

谢谢楼主分享

免费评分

参与人数 1吾爱币 -15 违规 +1 收起 理由
风之暇想 -15 + 1 请勿灌水,提高回帖质量是每位会员应尽的义务!

查看全部评分

sorryzzital 发表于 2023-4-27 20:50
真是厉害呢,我看见这些代码,完全没有头绪!
hello12 发表于 2023-4-27 21:17
不错很有用0
JDawLai 发表于 2023-4-27 22:13
感谢楼主,支持继续产出更多优质内容
aa2923821a 发表于 2023-4-28 08:51
我来学习啦!感谢分享
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-12-24 00:11

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表