吾爱破解 - LCG - LSG | Android cracking | Virus analysis | www.52pojie.cn

[Web reverse engineering] A speedrun through the encryption and obfuscation of a certain cloud-drive search site

lianguhong posted on 2023-4-27 16:29
This post was last edited by lianguhong on 2023-4-27 16:58

This post is for learning and discussion only. If it infringes on any rights, contact me and I will delete it.

URL: aHR0cHM6Ly93d3cubm1tZS54eXov

The late Emperor's great undertaking was but half finished...
[screenshot]

Solution:
1. "Never pause here". Note that once the debugger statement has fired it is already too late, because the page goes straight to 'about:blank'. So first tick the Script breakpoint, break before the debugger shown in the screenshot fires, and then tick "Never pause here". Downside: every refresh means repeating these steps.
2. Replace the response, using Python's mitmproxy.
[screenshot]
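As an added example (not code from the original post or from the site), here is what the "replace the response" approach from option 2 looks like as a minimal mitmproxy addon: every JavaScript response is rewritten so that its `debugger` statements never pause the browser, which also defeats a stall check timed around them. The `response(flow)` hook is mitmproxy's real module-level addon interface (`mitmdump -s this_file.py`); the SAMPLE_JS trap and the FakeFlow stand-in are constructed here so the script can be run offline.

```python
import re
import types

# A bare `debugger` statement (plus its optional semicolon). \b keeps identifiers such
# as `debuggerFlag` intact. The word inside a string literal is matched too, which is
# harmless here: `Function('debugger')()` becomes `Function('/*debugger*/;')()`.
DEBUGGER_RE = re.compile(r"\bdebugger\b\s*;?")


def strip_debugger(js: str) -> tuple[str, int]:
    """Replace each debugger statement with a comment plus an empty statement.

    Returns (rewritten source, number of replacements). With no pause, a `Date.now()`
    stall check wrapped around the statement never observes a delay.
    """
    return DEBUGGER_RE.subn("/*debugger*/;", js)


def response(flow) -> None:
    """mitmproxy addon hook: rewrite script bodies on their way to the browser."""
    ctype = flow.response.headers.get("content-type", "")
    if "javascript" not in ctype and not flow.request.path.endswith(".js"):
        return  # HTML, images and API responses pass through untouched
    new_js, count = strip_debugger(flow.response.text)
    if count:
        flow.response.text = new_js


# --- offline demo with constructed stand-ins (not mitmproxy objects) ----------------

# Constructed sample in the shape of the trap above: a timed debugger plus a stall
# check that navigates to about:blank once the pause is noticed.
SAMPLE_JS = (
    "setInterval(function(){var t=Date.now();debugger;"
    "if(Date.now()-t>100){location.href='about:blank'}},1000);\n"
    "(function(){}).constructor('debugger')();\n"
    "var debuggerFlag = 1;\n"
)


class FakeFlow:
    """Constructed stand-in for mitmproxy's HTTPFlow: only the attributes the hook reads."""

    def __init__(self, path: str, ctype: str, body: str):
        self.request = types.SimpleNamespace(path=path)
        self.response = types.SimpleNamespace(headers={"content-type": ctype}, text=body)


def demo() -> FakeFlow:
    flow = FakeFlow("/static/app.js", "application/javascript", SAMPLE_JS)
    response(flow)
    return flow
```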

Noticed that every link slot is just javascript;;, while the data-url after it is obviously the real thing; from the trailing '==' I blindly guessed it was a base64-encrypted URL.
[screenshots]

First looked at the encryption behind "copy link" and found it didn't decode correctly, so it may have been modified, or something else is done before decryption.
[screenshot]

After clicking, the decrypted value is copied to the clipboard, so the target can be found either through the click event or the copy function. In Elements, open Event Listeners.
[screenshot]

Following it leads to this method in this file; set a breakpoint right there. Seeing these variable names feels like coming home, I've tried implementing this kind of thing myself.
Simple examples:
Obfuscating a StringLiteral: win['document'] => win[d] => win[F('?','?')]
Obfuscating a BinaryExpression: a + b => F('?','?') + F('?','?') => O[F('?','?')](F('?','?'),F('?','?'))
[screenshots]

Without deobfuscating, just skip past the obfuscated object assignments and the other assignments, set a breakpoint after the if branches and run straight to the last else. With this kind of obfuscation, nearly all the branches are meaningless except the one leading into the decryption algorithm.
[screenshots]

This doesn't look the way a decryption algorithm should, so it is still jumping around before the real call. No need to hover over each piece with the mouse to see what it was before obfuscation; just step in and step out mindlessly.
[screenshot]
This is where it computes and fetches the real code itself; step out, then step in again.
[screenshot]

It starts concatenating parts of the text to be copied; what we want is the link decryption, so step out and step in.
[screenshot]

We've arrived at Litang, the highest city: you can tell from the function name that we've reached our destination, and the parameter is exactly the string to be decrypted. The site author probably didn't pay for the premium obfuscation, so hiding it was as good as not hiding it. The algorithm is very short; the if branch inside the for loop is fake too, so just take the last else branch. Flow: base64 decode -> XOR with a fixed string -> base64 decode = plaintext.
[screenshots]
Result
[Python]
import base64

KEY = b"nmmeccpan"  # the fixed XOR key found in the site's decryption function


def atob(string):
    # Same as the JS atob()/base64_decode(): strip one base64 layer, return raw bytes
    return base64.b64decode(string)


def decrypt(string):
    temp = atob(string)  # first base64 layer
    # XOR every byte with the repeating key (the real branch of the for loop)
    res = bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(temp))
    return atob(res).decode()  # second base64 layer gives the plaintext


print(decrypt('DyU/VQArPVciF1QaPDRXBTgDKB03LTYWKVNXGiFeKBUuKAVfDTUJFy1QABc9KTc6BFMbGQAmLDU4DlNSIyYNQQ4lAQgzJAZaISkKWA=='))
# https://pan.baidu.com/s/1wuqwk7zoHfVkLbhpWRM5Hg?pwd=8888


There's another encrypted link, which I didn't really need to look at, but passing it to the decryption code throws an error, and that's not acceptable. This ciphertext link jumps to another page when clicked, so just hook window.open = (e) => {debugger}, run it, and inspect the value of e.
[screenshot]
Result: from Python, directly request url = location.origin + '/open/other/' + that not-really-ciphertext string, and it redirects straight away.
[screenshot]

Done
Time spent analyzing < time spent writing this post


alanhays posted on 2023-4-28 12:01
Did a quick deobfuscation
[JavaScript]
var mcl = {
  'Cache': {
    'put': function (_0x227ab3, _0x284223, _0x45dc19) {
      try {
        if (!localStorage) return !1;
        if (!_0x45dc19 || isNaN(_0x45dc19)) _0x45dc19 = 60;
        localStorage["setItem"](_0x227ab3, JSON["stringify"]({
          'val': _0x284223,
          'exp': new Date() - 1 + 1000 * _0x45dc19
        }));
      } catch (_0x5a50f8) {}
    },
    'get': function (_0x352237) {
      try {
        if ('IDPys' === 'FZjsz') try {
          if (!_0x243576) return !1;

          var _0x50a19a = _0x5f2297['getItem'](_0x3cb1e7),
              _0x5bf47e = _0xb18cfb["parse"](_0x50a19a);

          return _0x5bf47e ? new _0x6bf9cc() - 1 > _0x5bf47e["exp"] ? (this["remove"](_0x4c13fc), '') : _0x5bf47e["val"] : null;
        } catch (_0x2b1022) {
          return this["remove"](_0x480c69), null;
        } else {
          if (!localStorage) return !1;

          var _0x221f1f = localStorage["getItem"](_0x352237),
              _0x21545e = JSON['parse'](_0x221f1f);

          return _0x21545e ? new Date() - 1 > _0x21545e["exp"] ? (this["remove"](_0x352237), '') : _0x21545e['val'] : null;
        }
      } catch (_0x4b08d8) {
        return this["remove"](_0x352237), null;
      }
    },
    'remove': function (_0x2a1d88) {
      if (!localStorage) return !1;
      localStorage['removeItem'](_0x2a1d88);
    },
    'clear': function () {
      if (!localStorage) return !1;
      localStorage["clear"]();
    }
  }
},
    nmb = "//cdn.leeleo.vip/mcsou/" + window["location"]['hostname'],
    vue = $("<script></script>");
vue["attr"]('src', nmb), $('body')['append'](vue);
;

function nmdecode(_0x521b99) {
  var _0xdde676 = "nmmeccpan",
      _0x2d777a = base64_decode(_0x521b99),
      _0x39e3c7 = _0xdde676['length'],
      _0x646c97 = '';

  for (var _0x55c027 = 0; _0x55c027 < _0x2d777a["length"]; _0x55c027++) {
    if ("KLtIN" !== "KLtIN") {
      if (!_0x2a80d4) return !1;

      var _0x3c1380 = _0x56dead["getItem"](_0x23bd46),
          _0x1106c6 = _0x5422ce["parse"](_0x3c1380);

      return _0x1106c6 ? new _0xdac26a() - 1 > _0x1106c6["exp"] ? (this["remove"](_0x5abd28), '') : _0x1106c6["val"] : null;
    } else {
      var _0x4a773f = _0x55c027 % _0x39e3c7;

      _0x646c97 += String['fromCharCode'](_0x2d777a["charCodeAt"](_0x55c027) ^ _0xdde676['charCodeAt'](_0x4a773f));
    }
  }

  return base64_decode(_0x646c97);
}

function base64_decode(_0x422286) {
  var _0x4ea37b = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',
      _0x55875e,
      _0x534d43,
      _0x1149a8,
      _0x25303a,
      _0x2f3b8e,
      _0x21e4d1,
      _0x5a10e4,
      _0x5bc19c,
      _0x42c868 = 0,
      _0x144cb4 = 0,
      _0x4102bf = '',
      _0x6f2f21 = [];

  if (!_0x422286) return _0x422286;
  _0x422286 += '';

  do {
    _0x25303a = _0x4ea37b['indexOf'](_0x422286["charAt"](_0x42c868++)), _0x2f3b8e = _0x4ea37b["indexOf"](_0x422286['charAt'](_0x42c868++)), _0x21e4d1 = _0x4ea37b['indexOf'](_0x422286["charAt"](_0x42c868++)), _0x5a10e4 = _0x4ea37b['indexOf'](_0x422286["charAt"](_0x42c868++)), _0x5bc19c = _0x25303a << 18 | _0x2f3b8e << 12 | _0x21e4d1 << 6 | _0x5a10e4, _0x55875e = _0x5bc19c >> 16 & 255, _0x534d43 = _0x5bc19c >> 8 & 255, _0x1149a8 = _0x5bc19c & 255;

    if (_0x21e4d1 == 64) {
      if ('NomcL' === "Ecner") {
        _0x2e48d8[_0x5ef731++] = _0x49e41a["fromCharCode"](_0x1c8514, _0x3652b6);
      } else {
        _0x6f2f21[_0x144cb4++] = String['fromCharCode'](_0x55875e);
      }
    } else {
      if (_0x5a10e4 == 64) {
        _0x6f2f21[_0x144cb4++] = String['fromCharCode'](_0x55875e, _0x534d43);
      } else {
        _0x6f2f21[_0x144cb4++] = String["fromCharCode"](_0x55875e, _0x534d43, _0x1149a8);
      }
    }
  } while (_0x42c868 < _0x422286["length"]);

  return _0x4102bf = _0x6f2f21["join"](''), _0x4102bf;
}

$("#Top")['on']("click", ".block", function () {
  var _0x3f232b = $(this)["text"]();

  $("#Word")["val"](_0x3f232b), window["location"]["href"] = "/s/1/" + _0x3f232b, function (_0x5eed23, _0x46676a, _0x5bd905) {
    return _0x5eed23(_0x46676a, _0x5bd905);
  }(showDefault, "正在努力加载中 · · ·", 2);
}), $('.open')["click"](function () {
  var _0x55b38b = $(this)['data']('url'),
      _0x1d4919 = $(this)["data"]('code'),
      _0x29078c = $(this)['data']('id'),
      _0x110680 = new ClipboardJS(".open", {
    'text': function () {
      if ('MNbRd' !== "qBcaL") return _0x1d4919;else _0xe98139("反馈成功!", 2), _0x52f6a1["Cache"]["put"]('fankui_' + _0x270df7, 'ok', 24 * 60 * 60);
    }
  });

  _0x110680['on']("success", function (_0x3b56c5) {
    (function (_0x15fae8, _0x1c3cf8, _0x1e7409) {
      return _0x15fae8(_0x1c3cf8, _0x1e7409);
    })(showDefault, '复制密码成功,正在打开…', 2);
  }), function (_0x15fae8, _0x1c3cf8, _0x1e7409) {
    return _0x15fae8(_0x1c3cf8, _0x1e7409);
  }(setTimeout, function () {
    window['open']("/open/" + _0x29078c + '/' + _0x55b38b);
  }, 500);
}), $(".copy")["click"](function () {
  if ($(this)["data"]('type') == "quark") {
    if ("hvnth" !== "aXdFD") var _0x2f24a7 = nmdecode($(this)["data"]("url"));else {
      var _0x4184f7 = _0x19e0cd("#Word")["val"]();

      if (!_0x4184f7) return function (_0x315f58, _0x4090f6, _0x4e248f) {
        return _0x315f58(_0x4090f6, _0x4e248f);
      }(_0x5c3598, "搜索关键字不能为空!", 1), ![];else _0x54725e["location"]['href'] = "/s/1/" + _0x4184f7, function (_0x55e6f2, _0x3477dc, _0x54ac45) {
        return _0x55e6f2(_0x3477dc, _0x54ac45);
      }(_0x4cacb1, "正在努力加载中 · · ·", 2);
    }
  } else var _0x2f24a7 = "【橘子盘搜nmme.one】标题:" + $(this)["data"]('title') + ",链接:" + nmdecode($(this)["data"]('url')) + ",提取码:" + $(this)['data']('code');

  ;

  var _0x4def6e = new ClipboardJS(".copy", {
    'text': function () {
      return _0x2f24a7;
    }
  });

  _0x4def6e['on']('success', function (_0x5d9d5e) {
    showDefault("复制成功,打开网盘APP即可保存!", 2);
  }), _0x4def6e['on']("error", function (_0x475835) {});
}), $(".fankui")['click'](function () {
  var _0x4267c6 = $(this)['data']('id');

  if (mcl["Cache"]["get"]('fankui_' + _0x4267c6) !== 'ok') {
    if ("hzbpX" === 'HEDja') {
      _0x4e47fb["custom"]({
        'title': '&#9786;&nbsp;' + _0x6e0b0b,
        'html': '',
        'duration': _0x138137 * 1000
      });
    } else {
      $['ajax']({
        'url': "/a/fankui",
        'type': "post",
        'dataType': 'json',
        'data': {
          'id': _0x4267c6
        },
        'success': function (_0x5c159d) {
          if ("ZIUTo" !== "wvCnC") {
            if (_0x5c159d["code"] == 200) (function (_0x1d26d3, _0x1af288, _0x36bb8e) {
              return _0x1d26d3(_0x1af288, _0x36bb8e);
            })(showDefault, '反馈成功!', 2), mcl["Cache"]["put"]('fankui_' + _0x4267c6, 'ok', 24 * 60 * 60);else {
              if ('MIxIH' === "MIxIH") (function (_0x1d26d3, _0x1af288, _0x36bb8e) {
                return _0x1d26d3(_0x1af288, _0x36bb8e);
              })(showDefault, "反馈失败!", 2);else var _0x49e3b4 = "【橘子盘搜nmme.one】标题:" + _0xb1b8a4(this)["data"]("title") + ",链接:" + _0x478300(_0x1b6690(this)["data"]("url")) + ',提取码:' + _0x27950b(this)['data']("code");
            }
          } else {
            var _0x13d16b = 'nmmeccpan',
                _0x233608 = _0x15cc89(_0x42d080),
                _0x1b528f = _0x13d16b["length"],
                _0x50ec6f = '';

            for (var _0x4ca100 = 0; _0x4ca100 < _0x233608['length']; _0x4ca100++) {
              var _0x527860 = _0x4ca100 % _0x1b528f;

              _0x50ec6f += _0x35ca6a["fromCharCode"](_0x233608["charCodeAt"](_0x4ca100) ^ _0x13d16b["charCodeAt"](_0x527860));
            }

            return _0x30472b(_0x50ec6f);
          }
        }
      });
    }
  } else {
    (function (_0xa72f59, _0x2d66f4, _0x5a832d) {
      return _0xa72f59(_0x2d66f4, _0x5a832d);
    })(showDefault, "您已反馈,请耐心等待修复!", 2);
  }
});
var toast = new auiToast();

function showDefault(_0x3cc937, _0x3301bd) {
  toast['custom']({
    'title': "&#9786;&nbsp;" + _0x3cc937,
    'html': '',
    'duration': _0x3301bd * 1000
  });
}

$('#ThisForm')["keydown"](function () {
  if (event["keyCode"] == 13) {
    if ("UmQky" === "UmQky") return $("#Search")["click"](), ![];else _0x54ad19("复制密码成功,正在打开…", 2);
  }
}), $("#Search")["click"](function () {
  var _0x48d11d = $("#Word")['val']();

  if (!_0x48d11d) return showDefault('搜索关键字不能为空!', 1), ![];else window["location"]["href"] = "/s/1/" + _0x48d11d, function (_0x17e523, _0x480f82, _0x509c3f) {
    return _0x17e523(_0x480f82, _0x509c3f);
  }(showDefault, "正在努力加载中 · · ·", 2);
});
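As an added example (not alanhays's code and not the site's), the dump above is full of opaque predicates such as `if ('IDPys' === 'FZjsz')` and `if ("KLtIN" !== "KLtIN")`, whose outcome is fixed when the code is written. This Python helper folds constant string-literal comparisons to `true`/`false` so the dead branches become obvious at a glance. It is a regex heuristic rather than an AST pass: escaped quotes and literals that take part in arithmetic are deliberately left alone, and the SAMPLE input is constructed in the style of the dump.

```python
from __future__ import annotations
import re

# Two JS string literals (no escapes inside) joined by an equality operator. Both
# operands are constants, so the comparison evaluates the same way on every run.
OPAQUE_RE = re.compile(
    r"""(?P<q1>['"])(?P<lhs>[^'"\\]*)(?P=q1)"""   # left literal
    r"""\s*(?P<op>===|!==|==|!=)\s*"""             # comparison operator
    r"""(?P<q2>['"])(?P<rhs>[^'"\\]*)(?P=q2)"""   # right literal
)


def _fold(m: re.Match) -> str:
    before = m.string[:m.start()].rstrip()
    after = m.string[m.end():].lstrip()
    # Arithmetic binds tighter than ===, so `'a' + 'b' === 'ab'` is not a two-literal compare
    if (before and before[-1] in "+-*/%") or (after and after[0] in "+-*/%"):
        return m.group(0)
    equal = m.group("lhs") == m.group("rhs")  # string == string behaves like === in JS
    truthy = equal if m.group("op") in ("===", "==") else not equal
    return "true" if truthy else "false"


def fold_opaque_predicates(js: str) -> tuple[str, list[str]]:
    """Return the source with constant string comparisons folded, plus a log of each fold."""
    log: list[str] = []

    def repl(m: re.Match) -> str:
        out = _fold(m)
        if out != m.group(0):
            log.append(f"{m.group(0)} -> {out}")
        return out

    return OPAQUE_RE.sub(repl, js), log


# Constructed sample in the style of the dump above (not the site's actual code)
SAMPLE = """\
if ('IDPys' === 'FZjsz') { dead(); } else { live(); }
if ("KLtIN" !== "KLtIN") { dead(); } else { live(); }
if ('MNbRd' !== "qBcaL") return code; else fankui();
var s = 'a' + 'b' === 'ab';
"""

if __name__ == "__main__":
    folded, log = fold_opaque_predicates(SAMPLE)
    print(folded, "\n".join(log), sep="\n")
```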
helian147 posted on 2023-4-27 20:40
cxclj520 posted on 2023-4-27 19:07
lshanu posted on 2023-4-27 20:15
I can't follow it, but I have to show some support anyway
zxcv75429 posted on 2023-4-27 20:37
Thanks for sharing
lee_qian posted on 2023-4-27 20:43

Thanks for sharing, OP


sorryzzital posted on 2023-4-27 20:50
Really impressive. When I look at this code I have no clue at all!
hello12 posted on 2023-4-27 21:17
Nice, very useful
JDawLai posted on 2023-4-27 22:13
Thanks OP, keep producing more quality content
aa2923821a posted on 2023-4-28 08:51
Here to learn! Thanks for sharing