python爬虫 - js逆向解密之破解js混淆函数eval加密函数function(p, a, c, k, e, d)

Eeyhan

前言

想要目标网址的朋友私信哈(博客园私信即可,不用加微信、关注公众号、转发朋友圈、朋友圈集赞满等等的无聊操作,没有那些套路哈)。

 

分析

这次也是一个国外的代理网站,打开查看:

 

 

 

 

 

 

 

是的,它也是对端口做了加密,这里的rf034其实就是实际的端口,但是并没有直接显示出来,而是通过一段js实现的

 

 

 

 那么这段js在哪呢?直接全文检索:

 

 

 点开这个c8ae6的js,点击格式化后查看:

 

 

 

源码

eval(function(p, a, c, k, e, d) {
    e = function(c) {
        return (c < a ? \'\' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    }
    ;
    if (!\'\'.replace(/^/, String)) {
        while (c--) {
            d[e(c)] = k[c] || e(c)
        }
        k = [function(e) {
            return d[e]
        }
        ];
        e = function() {
            return \'\\w+\'
        }
        ;
        c = 1
    }
    ;while (c--) {
        if (k[c]) {
            p = p.replace(new RegExp(\'\\b\' + e(c) + \'\\b\',\'g\'), k[c])
        }
    }
    return p
}(\'$(1b).1a(19(){$(\\'.17\\').0(18);$(\\'.1c\\').0(1d);$(\\'.1h\\').0(1g);$(\\'.1f\\').0(1e);$(\\'.16\\').0(15);$(\\'.X\\').0(W);$(\\'.V\\').0(T);$(\\'.U\\').0(Y);$(\\'.Z\\').0(14);$(\\'.13\\').0(12);$(\\'.10\\').0(11);$(\\'.1i\\').0(1j);$(\\'.1B\\').0(1A);$(\\'.1z\\').0(1x);$(\\'.1y\\').0(1C);$(\\'.1D\\').0(1H);$(\\'.1G\\').0(1F);$(\\'.1E\\').0(1w);$(\\'.1v\\').0(1o);$(\\'.1n\\').0(1m);$(\\'.1k\\').0(1l);$(\\'.1p\\').0(1q);$(\\'.1u\\').0(1t);$(\\'.1s\\').0(1r);$(\\'.S\\').0(K);$(\\'.j\\').0(i);$(\\'.h\\').0(f);$(\\'.g\\').0(k);$(\\'.l\\').0(p);$(\\'.o\\').0(n);$(\\'.m\\').0(e);$(\\'.c\\').0(5);$(\\'.4\\').0(3);$(\\'.1\\').0(2);$(\\'.6\\').0(d);$(\\'.7\\').0(b);$(\\'.a\\').0(8);$(\\'.9\\').0(q);$(\\'.R\\').0(r);$(\\'.J\\').0(I);$(\\'.G\\').0(H);$(\\'.L\\').0(M);$(\\'.Q\\').0(P);$(\\'.O\\').0(N);$(\\'.F\\').0(E);$(\\'.w\\').0(v);$(\\'.u\\').0(s);$(\\'.t\\').0(x);$(\\'.y\\').0(D);$(\\'.C\\').0(B);$(\\'.z\\').0(A);$(\\'.1I\\').0(3r);$(\\'.1J\\').0(2T);$(\\'.2S\\').0(2Q);$(\\'.2R\\').0(2V);$(\\'.2W\\').0(30);$(\\'.2Z\\').0(2Y);$(\\'.2X\\').0(2P);$(\\'.2O\\').0(2G);$(\\'.2F\\').0(2E);$(\\'.2C\\').0(2D);$(\\'.2H\\').0(2I);$(\\'.2N\\').0(2M);$(\\'.2L\\').0(2J);$(\\'.2K\\').0(31);$(\\'.32\\').0(3k);$(\\'.3j\\').0(3i);$(\\'.3g\\').0(3h);$(\\'.3l\\').0(3m);$(\\'.3q\\').0(3p);$(\\'.3o\\').0(3n);$(\\'.3f\\').0(3e);$(\\'.37\\').0(36);$(\\'.35\\').0(33);$(\\'.34\\').0(38);$(\\'.39\\').0(3d);$(\\'.3c\\').0(3b);$(\\'.3a\\').0(2B);$(\\'.2A\\').0(22);$(\\'.21\\').0(20);$(\\'.1Y\\').0(1Z);$(\\'.23\\').0(24);$(\\'.28\\').0(27);$(\\'.26\\').0(25);$(\\'.1X\\').0(1W);$(\\'.1O\\').0(1N);$(\\'.1M\\').0(1K);$(\\'.1L\\').0(1P);$(\\'.1Q\\').0(1V);$(\\'.1U\\').0(1T);$(\\'.1R\\').0(1S);$(\\'.29\\').0(2a);$(\\'.2t\\').0(2s);$(\\'.2r\\').0(2p);$(\\'.2q\\').0(2u);$(\\'.2v\\').0(2z);$(\\'.2y\\').0(2x);$(\\'.2w\\').0(2o);$(\\'.2n\\').0(2f);$(\\'.2e\\').0(2d);$(\\'.2b\\').0(2c);$(\\'.2g\\').0(2h);$(\\'.2m\\').0(2l);$(\\'.2k\\').0(2i);$(\\'.2j\\').0(2U)});\', 62, 214, \'html|r1cad|53959|34273|r382f|36681|r16ec|r5f55|44612|r0799|r91df|34560|r4732|60530|59144|8004|r6d76|rfbab|3256|r5288|9991|r27a0|r5349|39371|r1907|34403|38525|3888|8380|rb67c|r82c8|48678|ra4dc|8197|rc1ac|r4403|31475|49602|r58e6|83|2222|r0484|rc90e|1081|1080|r961e|46385|r6572|8118|42119|r1dc7|48146|r11c6|r6c92|rd155|80|rbf49|r1dfd|999|r3872|8081|rf034|r6689|60604|37699|r25ee|3128|8090|r371e|r91de|8080|function|ready|document|r0e8d|38009|55443|rbfa3|8088|rd420|ra882|32231|rba5d|63141|45521|rfc3a|41878|rc6c6|51680|443|r9a25|31932|r1b07|r11b4|60731|808|r281f|r2329|53281|r99d5|59152|rf640|r7ec7|9999|re54b|65205|rf04b|r3629|32439|rab5c|rfec2|32161|rc143|55693|r2e4b|r34a8|33326|53438|r0938|8889|58893|r9bcd|r7f6f|50330|45729|r96d2|45730|r87fc|35953|45381|r183f|37444|r5b53|rbe71|61657|r148b|1993|32916|r0e0a|41621|rd26e|40282|42967|r79d3|re62d|8085|r8b97|rf3b1|54256|33855|r6cbb|r85ac|56315|r63b2|31280|r6b29|r8f7e|45295|r8bce|48241|rc9e2|48687|r411f|3150|60792|r1274|47385|r62f2|56644|45282|rf56a|r6953|47615|r8166|rae36|30716|39589|r0e11|r9760|8686|54675|58888|r22cd|rd8eb|45944|ra76c|47247|42928|r75b5|47744|rd2c9|r1f65|47548|rcb82|30640|rddf2|ra051|48995|ra854|48625|61954|rac92|r1c73|4645|52271|r69ad|54018|rccd3|43631|23500|r34e5|9001|rb9b6|61743\'.split(\'|\'), 0, {}))

 

 

这段代码,说实话乍一看确实费劲,我搜了下有关function(p, a, c, k, e, d) 加密的:

 

 

 

还挺多的,但是我点进去一个一个看,大部分的文章感觉内容都很类似,然后,都在说可以把最后的return改成:

其实这个eval(function(p,a,c,k,e,d){}))中自带解码函数e(). while(c--){if(k[c]){p=p.replace(new RegExp(\'\\b\'+e(c)+\'\\b\',\'g\'),k[c])}}return p while循环产生的每个p就是解码后的函数代码,我们删掉源码中的return p,不用将结果返回, 而是直接输出在一个文本区域中,如document.getElementById(”textareaID”).innerText=p

 

我尝试着改了,保存成一个html文件

 

 

 

用浏览器打开,这些也确实就是实际的端口

 

 

 

用刚才的搜rf034也确实是源码上的3128端口对上:

 

 

还有种方法,用浏览器自带的解混淆工具:

 

 

 

 

然后把我下面圈住的地方,勾选上,再刷新页面即可

 

 

 

 

以上的方法是针对某些在代码本身有加密混淆的代码,比如这个博客里的:点我,这里面的案例也是用的这个函数来加密代码,用以上方法确实能把实际的js转义出来。

 

 

但是,是的,讨厌的“但是”出现了

 

我们这里的,其实代码本身并没有加密,为什么这么说,我新开一个标签页,在console里粘贴这段代码:

 

 

 回车,卧槽,报错了,没事,它提示的意思是浏览器不能执行eval的,因为方式一些xss攻击之类

 

 

 

把eval删了再看:

 

 

 

回车,结果也直接就出现了,所以,代码本身是没有做加密的

 

 

 

这里的加密是对数据的加密,因为我发现,我刷新一次页面,只要这个代理网站上的代理有更新,它后面传的参数就会做相应的改变:这一堆参数

$(1b).1a(19(){$(\\'.17\\').0(18);$(\\'.1c\\').0(1d);$(\\'.1h\\').0(1g);$(\\'.1f\\').0(1e);$(\\'.16\\').0(15);$(\\'.X\\').0(W);$(\\'.V\\').0(T);$(\\'.U\\').0(Y);$(\\'.Z\\').0(14);$(\\'.13\\').0(12);$(\\'.10\\').0(11);$(\\'.1i\\').0(1j);$(\\'.1B\\').0(1A);$(\\'.1z\\').0(1x);$(\\'.1y\\').0(1C);$(\\'.1D\\').0(1H);$(\\'.1G\\').0(1F);$(\\'.1E\\').0(1w);$(\\'.1v\\').0(1o);$(\\'.1n\\').0(1m);$(\\'.1k\\').0(1l);$(\\'.1p\\').0(1q);$(\\'.1u\\').0(1t);$(\\'.1s\\').0(1r);$(\\'.S\\').0(K);$(\\'.j\\').0(i);$(\\'.h\\').0(f);$(\\'.g\\').0(k);$(\\'.l\\').0(p);$(\\'.o\\').0(n);$(\\'.m\\').0(e);$(\\'.c\\').0(5);$(\\'.4\\').0(3);$(\\'.1\\').0(2);$(\\'.6\\').0(d);$(\\'.7\\').0(b);$(\\'.a\\').0(8);$(\\'.9\\').0(q);$(\\'.R\\').0(r);$(\\'.J\\').0(I);$(\\'.G\\').0(H);$(\\'.L\\').0(M);$(\\'.Q\\').0(P);$(\\'.O\\').0(N);$(\\'.F\\').0(E);$(\\'.w\\').0(v);$(\\'.u\\').0(s);$(\\'.t\\').0(x);$(\\'.y\\').0(D);$(\\'.C\\').0(B);$(\\'.z\\').0(A);$(\\'.1I\\').0(3r);$(\\'.1J\\').0(2T);$(\\'.2S\\').0(2Q);$(\\'.2R\\').0(2V);$(\\'.2W\\').0(30);$(\\'.2Z\\').0(2Y);$(\\'.2X\\').0(2P);$(\\'.2O\\').0(2G);$(\\'.2F\\').0(2E);$(\\'.2C\\').0(2D);$(\\'.2H\\').0(2I);$(\\'.2N\\').0(2M);$(\\'.2L\\').0(2J);$(\\'.2K\\').0(31);$(\\'.32\\').0(3k);$(\\'.3j\\').0(3i);$(\\'.3g\\').0(3h);$(\\'.3l\\').0(3m);$(\\'.3q\\').0(3p);$(\\'.3o\\').0(3n);$(\\'.3f\\').0(3e);$(\\'.37\\').0(36);$(\\'.35\\').0(33);$(\\'.34\\').0(38);$(\\'.39\\').0(3d);$(\\'.3c\\').0(3b);$(\\'.3a\\').0(2B);$(\\'.2A\\').0(22);$(\\'.21\\').0(20);$(\\'.1Y\\').0(1Z);$(\\'.23\\').0(24);$(\\'.28\\').0(27);$(\\'.26\\').0(25);$(\\'.1X\\').0(1W);$(\\'.1O\\').0(1N);$(\\'.1M\\').0(1K);$(\\'.1L\\').0(1P);$(\\'.1Q\\').0(1V);$(\\'.1U\\').0(1T);$(\\'.1R\\').0(1S);$(\\'.29\\').0(2a);$(\\'.2t\\').0(2s);$(\\'.2r\\').0(2p);$(\\'.2q\\').0(2u);$(\\'.2v\\').0(2z);$(\\'.2y\\').0(2x);$(\\'.2w\\').0(2o);$(\\'.2n\\').0(2f);$(\\'.2e\\').0(2d);$(\\'.2b\\').0(2c);$(\\'.2g\\').0(2h);$(\\'.2m\\').0(2l);$(\\'.2k\\').0(2i);$(\\'.2j\\').0(2U)});\', 62, 214, \'html|r1cad|53959|34273|r382f|36681|r16ec|r5f55|44612|r0799|r91df|34560|r4732|60530|59144|8004|r6d76|rfbab|3256|r5288|9991|r27a0|r5349|39371|r1907|34403|38525|3888|8380|rb67c|r82c8|48678|ra4dc|8197|rc1ac|r4403|31475|49602|r58e6|83|2222|r0484|rc90e|1081|1080|r961e|46385|r6572|8118|42119|r1dc7|48146|r11c6|r6c92|rd155|80|rbf49|r1dfd|999|r3872|8081|rf034|r6689|60604|37699|r25ee|3128|8090|r371e|r91de|8080|function|ready|document|r0e8d|38009|55443|rbfa3|8088|rd420|ra882|32231|rba5d|63141|45521|rfc3a|41878|rc6c6|51680|443|r9a25|31932|r1b07|r11b4|60731|808|r281f|r2329|53281|r99d5|59152|rf640|r7ec7|9999|re54b|65205|rf04b|r3629|32439|rab5c|rfec2|32161|rc143|55693|r2e4b|r34a8|33326|53438|r0938|8889|58893|r9bcd|r7f6f|50330|45729|r96d2|45730|r87fc|35953|45381|r183f|37444|r5b53|rbe71|61657|r148b|1993|32916|r0e0a|41621|rd26e|40282|42967|r79d3|re62d|8085|r8b97|rf3b1|54256|33855|r6cbb|r85ac|56315|r63b2|31280|r6b29|r8f7e|45295|r8bce|48241|rc9e2|48687|r411f|3150|60792|r1274|47385|r62f2|56644|45282|rf56a|r6953|47615|r8166|rae36|30716|39589|r0e11|r9760|8686|54675|58888|r22cd|rd8eb|45944|ra76c|47247|42928|r75b5|47744|rd2c9|r1f65|47548|rcb82|30640|rddf2|ra051|48995|ra854|48625|61954|rac92|r1c73|4645|52271|r69ad|54018|rccd3|43631|23500|r34e5|9001|rb9b6|61743\'.split(\'|\'), 0, {}

 

所以,此时,我们还是得从代码逻辑上下手,一点点的分析:

先看这个,这个e

 

 

 

它实际在干嘛呢,其实这个函数才是核心的加密,

 

 

 

a是啥,再回看下函数function(p, a, c, k, e, d),然后我们传的参数:

\'$(1b).1a(19(){$(\\'.17\\').0(18);$(\\'.1c\\').0(1d);$(\\'.1h\\').0(1g);$(\\'.1f\\').0(1e);$(\\'.16\\').0(15);$(\\'.X\\').0(W);$(\\'.V\\').0(T);$(\\'.U\\').0(Y);$(\\'.Z\\').0(14);$(\\'.13\\').0(12);$(\\'.10\\').0(11);$(\\'.1i\\').0(1j);$(\\'.1B\\').0(1A);$(\\'.1z\\').0(1x);$(\\'.1y\\').0(1C);$(\\'.1D\\').0(1H);$(\\'.1G\\').0(1F);$(\\'.1E\\').0(1w);$(\\'.1v\\').0(1o);$(\\'.1n\\').0(1m);$(\\'.1k\\').0(1l);$(\\'.1p\\').0(1q);$(\\'.1u\\').0(1t);$(\\'.1s\\').0(1r);$(\\'.S\\').0(K);$(\\'.j\\').0(i);$(\\'.h\\').0(f);$(\\'.g\\').0(k);$(\\'.l\\').0(p);$(\\'.o\\').0(n);$(\\'.m\\').0(e);$(\\'.c\\').0(5);$(\\'.4\\').0(3);$(\\'.1\\').0(2);$(\\'.6\\').0(d);$(\\'.7\\').0(b);$(\\'.a\\').0(8);$(\\'.9\\').0(q);$(\\'.R\\').0(r);$(\\'.J\\').0(I);$(\\'.G\\').0(H);$(\\'.L\\').0(M);$(\\'.Q\\').0(P);$(\\'.O\\').0(N);$(\\'.F\\').0(E);$(\\'.w\\').0(v);$(\\'.u\\').0(s);$(\\'.t\\').0(x);$(\\'.y\\').0(D);$(\\'.C\\').0(B);$(\\'.z\\').0(A);$(\\'.1I\\').0(3r);$(\\'.1J\\').0(2T);$(\\'.2S\\').0(2Q);$(\\'.2R\\').0(2V);$(\\'.2W\\').0(30);$(\\'.2Z\\').0(2Y);$(\\'.2X\\').0(2P);$(\\'.2O\\').0(2G);$(\\'.2F\\').0(2E);$(\\'.2C\\').0(2D);$(\\'.2H\\').0(2I);$(\\'.2N\\').0(2M);$(\\'.2L\\').0(2J);$(\\'.2K\\').0(31);$(\\'.32\\').0(3k);$(\\'.3j\\').0(3i);$(\\'.3g\\').0(3h);$(\\'.3l\\').0(3m);$(\\'.3q\\').0(3p);$(\\'.3o\\').0(3n);$(\\'.3f\\').0(3e);$(\\'.37\\').0(36);$(\\'.35\\').0(33);$(\\'.34\\').0(38);$(\\'.39\\').0(3d);$(\\'.3c\\').0(3b);$(\\'.3a\\').0(2B);$(\\'.2A\\').0(22);$(\\'.21\\').0(20);$(\\'.1Y\\').0(1Z);$(\\'.23\\').0(24);$(\\'.28\\').0(27);$(\\'.26\\').0(25);$(\\'.1X\\').0(1W);$(\\'.1O\\').0(1N);$(\\'.1M\\').0(1K);$(\\'.1L\\').0(1P);$(\\'.1Q\\').0(1V);$(\\'.1U\\').0(1T);$(\\'.1R\\').0(1S);$(\\'.29\\').0(2a);$(\\'.2t\\').0(2s);$(\\'.2r\\').0(2p);$(\\'.2q\\').0(2u);$(\\'.2v\\').0(2z);$(\\'.2y\\').0(2x);$(\\'.2w\\').0(2o);$(\\'.2n\\').0(2f);$(\\'.2e\\').0(2d);$(\\'.2b\\').0(2c);$(\\'.2g\\').0(2h);$(\\'.2m\\').0(2l);$(\\'.2k\\').0(2i);$(\\'.2j\\').0(2U)});\',
 62, 
 214, 
 \'html|r1cad|53959|34273|r382f|36681|r16ec|r5f55|44612|r0799|r91df|34560|r4732|60530|59144|8004|r6d76|rfbab|3256|r5288|9991|r27a0|r5349|39371|r1907|34403|38525|3888|8380|rb67c|r82c8|48678|ra4dc|8197|rc1ac|r4403|31475|49602|r58e6|83|2222|r0484|rc90e|1081|1080|r961e|46385|r6572|8118|42119|r1dc7|48146|r11c6|r6c92|rd155|80|rbf49|r1dfd|999|r3872|8081|rf034|r6689|60604|37699|r25ee|3128|8090|r371e|r91de|8080|function|ready|document|r0e8d|38009|55443|rbfa3|8088|rd420|ra882|32231|rba5d|63141|45521|rfc3a|41878|rc6c6|51680|443|r9a25|31932|r1b07|r11b4|60731|808|r281f|r2329|53281|r99d5|59152|rf640|r7ec7|9999|re54b|65205|rf04b|r3629|32439|rab5c|rfec2|32161|rc143|55693|r2e4b|r34a8|33326|53438|r0938|8889|58893|r9bcd|r7f6f|50330|45729|r96d2|45730|r87fc|35953|45381|r183f|37444|r5b53|rbe71|61657|r148b|1993|32916|r0e0a|41621|rd26e|40282|42967|r79d3|re62d|8085|r8b97|rf3b1|54256|33855|r6cbb|r85ac|56315|r63b2|31280|r6b29|r8f7e|45295|r8bce|48241|rc9e2|48687|r411f|3150|60792|r1274|47385|r62f2|56644|45282|rf56a|r6953|47615|r8166|rae36|30716|39589|r0e11|r9760|8686|54675|58888|r22cd|rd8eb|45944|ra76c|47247|42928|r75b5|47744|rd2c9|r1f65|47548|rcb82|30640|rddf2|ra051|48995|ra854|48625|61954|rac92|r1c73|4645|52271|r69ad|54018|rccd3|43631|23500|r34e5|9001|rb9b6|61743\'.split(\'|\'), 
 0, 
 {}

那么,p就是:

\'$(1b).1a(19(){$(\\'.17\\').0(18);$(\\'.1c\\').0(1d);$(\\'.1h\\').0(1g);$(\\'.1f\\').0(1e);$(\\'.16\\').0(15);$(\\'.X\\').0(W);$(\\'.V\\').0(T);$(\\'.U\\').0(Y);$(\\'.Z\\').0(14);$(\\'.13\\').0(12);$(\\'.10\\').0(11);$(\\'.1i\\').0(1j);$(\\'.1B\\').0(1A);$(\\'.1z\\').0(1x);$(\\'.1y\\').0(1C);$(\\'.1D\\').0(1H);$(\\'.1G\\').0(1F);$(\\'.1E\\').0(1w);$(\\'.1v\\').0(1o);$(\\'.1n\\').0(1m);$(\\'.1k\\').0(1l);$(\\'.1p\\').0(1q);$(\\'.1u\\').0(1t);$(\\'.1s\\').0(1r);$(\\'.S\\').0(K);$(\\'.j\\').0(i);$(\\'.h\\').0(f);$(\\'.g\\').0(k);$(\\'.l\\').0(p);$(\\'.o\\').0(n);$(\\'.m\\').0(e);$(\\'.c\\').0(5);$(\\'.4\\').0(3);$(\\'.1\\').0(2);$(\\'.6\\').0(d);$(\\'.7\\').0(b);$(\\'.a\\').0(8);$(\\'.9\\').0(q);$(\\'.R\\').0(r);$(\\'.J\\').0(I);$(\\'.G\\').0(H);$(\\'.L\\').0(M);$(\\'.Q\\').0(P);$(\\'.O\\').0(N);$(\\'.F\\').0(E);$(\\'.w\\').0(v);$(\\'.u\\').0(s);$(\\'.t\\').0(x);$(\\'.y\\').0(D);$(\\'.C\\').0(B);$(\\'.z\\').0(A);$(\\'.1I\\').0(3r);$(\\'.1J\\').0(2T);$(\\'.2S\\').0(2Q);$(\\'.2R\\').0(2V);$(\\'.2W\\').0(30);$(\\'.2Z\\').0(2Y);$(\\'.2X\\').0(2P);$(\\'.2O\\').0(2G);$(\\'.2F\\').0(2E);$(\\'.2C\\').0(2D);$(\\'.2H\\').0(2I);$(\\'.2N\\').0(2M);$(\\'.2L\\').0(2J);$(\\'.2K\\').0(31);$(\\'.32\\').0(3k);$(\\'.3j\\').0(3i);$(\\'.3g\\').0(3h);$(\\'.3l\\').0(3m);$(\\'.3q\\').0(3p);$(\\'.3o\\').0(3n);$(\\'.3f\\').0(3e);$(\\'.37\\').0(36);$(\\'.35\\').0(33);$(\\'.34\\').0(38);$(\\'.39\\').0(3d);$(\\'.3c\\').0(3b);$(\\'.3a\\').0(2B);$(\\'.2A\\').0(22);$(\\'.21\\').0(20);$(\\'.1Y\\').0(1Z);$(\\'.23\\').0(24);$(\\'.28\\').0(27);$(\\'.26\\').0(25);$(\\'.1X\\').0(1W);$(\\'.1O\\').0(1N);$(\\'.1M\\').0(1K);$(\\'.1L\\').0(1P);$(\\'.1Q\\').0(1V);$(\\'.1U\\').0(1T);$(\\'.1R\\').0(1S);$(\\'.29\\').0(2a);$(\\'.2t\\').0(2s);$(\\'.2r\\').0(2p);$(\\'.2q\\').0(2u);$(\\'.2v\\').0(2z);$(\\'.2y\\').0(2x);$(\\'.2w\\').0(2o);$(\\'.2n\\').0(2f);$(\\'.2e\\').0(2d);$(\\'.2b\\').0(2c);$(\\'.2g\\').0(2h);$(\\'.2m\\').0(2l);$(\\'.2k\\').0(2i);$(\\'.2j\\').0(2U)});\'

a就是62

c就是214,

k就是:

\'html|r1cad|53959|34273|r382f|36681|r16ec|r5f55|44612|r0799|r91df|34560|r4732|60530|59144|8004|r6d76|rfbab|3256|r5288|9991|r27a0|r5349|39371|r1907|34403|38525|3888|8380|rb67c|r82c8|48678|ra4dc|8197|rc1ac|r4403|31475|49602|r58e6|83|2222|r0484|rc90e|1081|1080|r961e|46385|r6572|8118|42119|r1dc7|48146|r11c6|r6c92|rd155|80|rbf49|r1dfd|999|r3872|8081|rf034|r6689|60604|37699|r25ee|3128|8090|r371e|r91de|8080|function|ready|document|r0e8d|38009|55443|rbfa3|8088|rd420|ra882|32231|rba5d|63141|45521|rfc3a|41878|rc6c6|51680|443|r9a25|31932|r1b07|r11b4|60731|808|r281f|r2329|53281|r99d5|59152|rf640|r7ec7|9999|re54b|65205|rf04b|r3629|32439|rab5c|rfec2|32161|rc143|55693|r2e4b|r34a8|33326|53438|r0938|8889|58893|r9bcd|r7f6f|50330|45729|r96d2|45730|r87fc|35953|45381|r183f|37444|r5b53|rbe71|61657|r148b|1993|32916|r0e0a|41621|rd26e|40282|42967|r79d3|re62d|8085|r8b97|rf3b1|54256|33855|r6cbb|r85ac|56315|r63b2|31280|r6b29|r8f7e|45295|r8bce|48241|rc9e2|48687|r411f|3150|60792|r1274|47385|r62f2|56644|45282|rf56a|r6953|47615|r8166|rae36|30716|39589|r0e11|r9760|8686|54675|58888|r22cd|rd8eb|45944|ra76c|47247|42928|r75b5|47744|rd2c9|r1f65|47548|rcb82|30640|rddf2|ra051|48995|ra854|48625|61954|rac92|r1c73|4645|52271|r69ad|54018|rccd3|43631|23500|r34e5|9001|rb9b6|61743\'.split(\'|\')

e就是0,

d就是{}

补充下,我刚才说刷新下页面,它代理有更新传的参数就会变,指的就是传的这几个值

 

好继续,把没有的参数补齐:

 

 

 

 

e还是没定义,仔细看代码,它作了递归调用,那就单独定义下e吧:

 

 

 

120的结果是1W,那么我觉得,它就是对这些数字作了字段映射

继续看下面的代码:

 

 

 其实,这个if会永远成立的,所以里面的代码一定会执行的,不信看:

 

 

 

后面的while就把多次生成值然后给传入的d,也就是{},最后的d会生成什么暂时放一放,后面会说,再看下面一段代码:

 

 

 

不用多说吧,就算看不懂,猜也能猜到,最后肯定是上面做的字段映射出来的值替换会去,用正则表达式匹配

 

 

好,下面我们打断点看下:

 

我点完刷新,返现js文件名都变了,白打断点了,那就只能拼手速了,打上断点立即测,等它网站没更新时及时断点上:

 

 

 这次断上了,来一个一个看:

 

 

 

同时右边有个scope,可以看到此时此刻出现的值的变化:

 

 

 

没过一会儿,就看到d已经生成好了,就是一些字段映射关系:

 

 

 

 

同时我们这边另外开一个新标签,然后把函数部分取出来,命名为test:

 

 

 

然后,把现在最新的值传入看看:

 

 

 结果:

"$(document).ready(function(){$(\'.r807f\').html(8080);$(\'.rb109\').html(38009);$(\'.rd750\').html(47464);$(\'.r8c9f\').html(3128);$(\'.r66cd\').html(999);$(\'.r714b\').html(8081);$(\'.r6998\').html(80);$(\'.r3317\').html(37699);$(\'.r88ff\').html(8889);$(\'.r0e7c\').html(35709);$(\'.r381f\').html(44938);$(\'.r7b20\').html(55830);$(\'.r9210\').html(33630);$(\'.rc328\').html(59152);$(\'.r748f\').html(53281);$(\'.r80a1\').html(65205);$(\'.r0980\').html(39553);$(\'.ra38b\').html(40098);$(\'.r3d23\').html(45521);$(\'.r8954\').html(55443);$(\'.rbb9f\').html(60684);$(\'.ra699\').html(3256);$(\'.r4003\').html(8027);$(\'.re4a5\').html(8013);$(\'.r6a12\').html(42648);$(\'.r208f\').html(34403);$(\'.r663d\').html(39371);$(\'.r77b9\').html(59144);$(\'.ra35a\').html(36681);$(\'.rf763\').html(34273);$(\'.rbb68\').html(53959);$(\'.r49a9\').html(55472);$(\'.rc520\').html(52479);$(\'.rf4dc\').html(65238);$(\'.r6843\').html(34560);$(\'.r16c4\').html(44612);$(\'.r1236\').html(38525);$(\'.r8b75\').html(3888);$(\'.re9c8\').html(8118);$(\'.r55a5\').html(1081);$(\'.rcb1e\').html(8888);$(\'.rd8ca\').html(42119);$(\'.r46a3\').html(48146);$(\'.rce32\').html(42134);$(\'.r6293\').html(48678);$(\'.r17e7\').html(51489);$(\'.r58c3\').html(8380);$(\'.r63c2\').html(8197);$(\'.red22\').html(8082);$(\'.r7c86\').html(54621);$(\'.reb81\').html(53879);$(\'.re6f2\').html(55033);$(\'.rdc1a\').html(83);$(\'.rf90c\').html(8181);$(\'.r4ba9\').html(58689);$(\'.rf248\').html(31475);$(\'.rd097\').html(8686);$(\'.rdf85\').html(41258);$(\'.r21d4\').html(61743);$(\'.r64b3\').html(58888);$(\'.r6214\').html(3129);$(\'.rfb6a\').html(37717);$(\'.raad6\').html(31409);$(\'.redc6\').html(30716);$(\'.rd7d1\').html(9999);$(\'.r7191\').html(47385);$(\'.r9071\').html(60792);$(\'.r76d5\').html(8090);$(\'.r04e3\').html(56644);$(\'.rd4da\').html(3150);$(\'.r0d33\').html(47045);$(\'.r70b3\').html(42580);$(\'.raaec\').html(45282);$(\'.r5275\').html(54018);$(\'.reea3\').html(42928);$(\'.rbee8\').html(43631);$(\'.r5ce3\').html(52271);$(\'.r4a5f\').html(9001);$(\'.r7eed\').html(54555);$(\'.re614\').html(23500);$(\'.rfb5f\').html(42033);$(\'.r4b68\').html(47548);$(\'.r4629\').html(47744);$(\'.r8fef\').html(48687);$(\'.r0f3b\').html(49044);$(\'.rc7b8\').html(49086);$(\'.r0804\').html(50330);$(\'.rec04\').html(43947);$(\'.r4ec6\').html(56218);$(\'.r6789\').html(51008);$(\'.r691e\').html(35659);$(\'.r3dc1\').html(37979);$(\'.rd20a\').html(35953);$(\'.rc192\').html(30032);$(\'.rf209\').html(48017);$(\'.r5eaf\').html(32439);$(\'.rb991\').html(44887);$(\'.r17b7\').html(55693);$(\'.ra22d\').html(61124);$(\'.r5a9d\').html(36506);$(\'.r6f4a\').html(3142);$(\'.r0fea\').html(3141);$(\'.ra083\').html(3162);$(\'.r8e28\').html(33855);$(\'.r25e4\').html(33128);$(\'.r5a26\').html(43326);$(\'.r0a26\').html(38554);$(\'.rcc76\').html(46877);$(\'.rf834\').html(44530);$(\'.rbb88\').html(54675)});"

此时,我们用来对比下,最开始传入的参数是:

 

\'$(1d).1c(1b(){$(\\'.19\\').0(1a);$(\\'.1e\\').0(1f);$(\\'.1k\\').0(1j);$(\\'.1i\\').0(1g);$(\\'.1h\\').0(18);$(\\'.17\\').0(Z);$(\\'.Y\\').0(X);$(\\'.V\\').0(W);$(\\'.10\\').0(11);$(\\'.16\\').0(15);$(\\'.14\\').0(12);$(\\'.13\\').0(1l);$(\\'.1m\\').0(1F);$(\\'.1E\\').0(1D);$(\\'.1B\\').0(1C);$(\\'.1G\\').0(1H);$(\\'.1M\\').0(1L);$(\\'.1K\\').0(1I);$(\\'.1J\\').0(1A);$(\\'.1z\\').0(1r);$(\\'.1q\\').0(1p);$(\\'.1n\\').0(1o);$(\\'.1s\\').0(1t);$(\\'.1y\\').0(1x);$(\\'.1w\\').0(1u);$(\\'.U\\').0(1N);$(\\'.L\\').0(j);$(\\'.i\\').0(h);$(\\'.f\\').0(g);$(\\'.k\\').0(l);$(\\'.q\\').0(p);$(\\'.o\\').0(m);$(\\'.e\\').0(r);$(\\'.c\\').0(5);$(\\'.4\\').0(3);$(\\'.1\\').0(2);$(\\'.6\\').0(d);$(\\'.7\\').0(b);$(\\'.a\\').0(8);$(\\'.9\\').0(n);$(\\'.T\\').0(s);$(\\'.K\\').0(J);$(\\'.H\\').0(I);$(\\'.M\\').0(N);$(\\'.S\\').0(R);$(\\'.Q\\').0(O);$(\\'.P\\').0(G);$(\\'.F\\').0(x);$(\\'.w\\').0(v);$(\\'.t\\').0(u);$(\\'.y\\').0(z);$(\\'.E\\').0(D);$(\\'.C\\').0(A);$(\\'.B\\').0(1v);$(\\'.3B\\').0(1O);$(\\'.30\\').0(2Z);$(\\'.2X\\').0(2Y);$(\\'.32\\').0(33);$(\\'.38\\').0(37);$(\\'.36\\').0(34);$(\\'.35\\').0(2W);$(\\'.2V\\').0(2N);$(\\'.2M\\').0(2L);$(\\'.2J\\').0(2K);$(\\'.2O\\').0(2P);$(\\'.2U\\').0(2T);$(\\'.2S\\').0(2Q);$(\\'.2R\\').0(39);$(\\'.3a\\').0(3t);$(\\'.3s\\').0(3r);$(\\'.3p\\').0(3q);$(\\'.3u\\').0(3v);$(\\'.3A\\').0(3z);$(\\'.3y\\').0(3w);$(\\'.3x\\').0(3o);$(\\'.3n\\').0(3f);$(\\'.3e\\').0(3d);$(\\'.3b\\').0(3c);$(\\'.3g\\').0(3h);$(\\'.3m\\').0(3l);$(\\'.3k\\').0(3i);$(\\'.3j\\').0(2I);$(\\'.2H\\').0(27);$(\\'.26\\').0(25);$(\\'.23\\').0(24);$(\\'.28\\').0(29);$(\\'.2e\\').0(2d);$(\\'.2c\\').0(2a);$(\\'.2b\\').0(22);$(\\'.21\\').0(1T);$(\\'.1S\\').0(1R);$(\\'.1P\\').0(1Q);$(\\'.1U\\').0(1V);$(\\'.20\\').0(1Z);$(\\'.1Y\\').0(1W);$(\\'.1X\\').0(2f);$(\\'.2g\\').0(2z);$(\\'.2y\\').0(2x);$(\\'.2v\\').0(2w);$(\\'.2A\\').0(2B);$(\\'.2G\\').0(2F);$(\\'.2E\\').0(2C);$(\\'.2D\\').0(2u);$(\\'.2t\\').0(2l);$(\\'.2k\\').0(2j);$(\\'.2h\\').0(2i);$(\\'.2m\\').0(2n);$(\\'.2s\\').0(2r);$(\\'.2q\\').0(2o);$(\\'.2p\\').0(31)});\', 62, 224, \'html|r16c4|44612|34560|r6843|65238|r1236|r8b75|8118|r55a5|re9c8|3888|rf4dc|38525|rc520|ra35a|36681|59144|r77b9|39371|rf763|34273|55472|1081|r49a9|53959|rbb68|52479|8888|r7c86|54621|8082|red22|8197|reb81|53879|83|rf90c|rdc1a|55033|re6f2|r63c2|8380|r46a3|48146|42119|rd8ca|r663d|rce32|42134|51489|r58c3|r17e7|48678|r6293|rcb1e|r208f|r3317|37699|80|r6998|8081|r88ff|8889|44938|r7b20|r381f|35709|r0e7c|r714b|999|r807f|8080|function|ready|document|rb109|38009|3128|r66cd|r8c9f|47464|rd750|55830|r9210|ra699|3256|60684|rbb9f|55443|r4003|8027|42648|8181|r6a12|8013|re4a5|r8954|45521|r748f|53281|59152|rc328|33630|r80a1|65205|40098|r3d23|ra38b|39553|r0980|34403|58689|r3dc1|37979|35659|r691e|51008|rd20a|35953|48017|r5eaf|rf209|30032|rc192|r6789|56218|r0f3b|49044|48687|r8fef|47744|rc7b8|49086|43947|r4ec6|rec04|50330|r0804|32439|rb991|r5a26|43326|33128|r25e4|33855|r0a26|38554|44530|rbb88|rf834|46877|rcc76|r8e28|3162|ra22d|61124|55693|r17b7|44887|r5a9d|36506|3141|ra083|r0fea|3142|r6f4a|r4629|47548|redc6|30716|31409|raad6|37717|rd7d1|9999|60792|r76d5|r9071|47385|r7191|rfb6a|3129|rd097|8686|31475|rf248|54675|rdf85|41258|58888|r6214|r64b3|61743|r21d4|8090|r04e3|r4a5f|9001|52271|r5ce3|43631|r7eed|54555|42033|r4b68|rfb5f|23500|re614|rbee8|42928|r0d33|47045|3150|rd4da|56644|r70b3|42580|54018|reea3|r5275|45282|raaec|r4ba9\'.split(\'|\'), 0, {}

 

关键点

 

上面两个,对比,发现除了一些符号啊,括号,引号,其他的都被替换成了jquery语句,然后,利用eval,执行就可以通过类名去把值给改成实际的端口号,很妙对吧,顺便一说,这种方式都是好几年前的了,不过现在还是有很多在用。

 

那么也就是说上面的1d就等于document,1c等于ready,1b就是function了,就用这两个作为对比看下,去d变量里去找找,就刚才的打断点的右边scope下的d变量:

 

 

 果然对上了,也就是说,所谓的加密也就这么回事了。

 

 

用代码实现

 

现在我们要用python代码来处理,怎么处理呢,其实这里才是本篇文章的重点也是关键部分,其实,有经验的朋友,可能也就分分钟就能走到以上的部分了。

 

 

好,我们用execjs执行看看:

import execjs

js = """eval(function(p, a, c, k, e, d) {
    e = function(c) {
        return (c < a ? \'\' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    }
    ;
    if (!\'\'.replace(/^/, String)) {
        while (c--) {
            d[e(c)] = k[c] || e(c)
        }
        k = [function(e) {
            return d[e]
        }
        ];
        e = function() {
            return \'\\w+\'
        }
        ;
        c = 1
    }
    ;while (c--) {
        if (k[c]) {
            p = p.replace(new RegExp(\'\\b\' + e(c) + \'\\b\',\'g\'), k[c])
        }
    }
    return p
}(\'$(1d).1c(1b(){$(\\'.19\\').0(1a);$(\\'.1e\\').0(1f);$(\\'.1k\\').0(1j);$(\\'.1i\\').0(1g);$(\\'.1h\\').0(18);$(\\'.17\\').0(Z);$(\\'.Y\\').0(X);$(\\'.V\\').0(W);$(\\'.10\\').0(11);$(\\'.16\\').0(15);$(\\'.14\\').0(12);$(\\'.13\\').0(1l);$(\\'.1m\\').0(1F);$(\\'.1E\\').0(1D);$(\\'.1B\\').0(1C);$(\\'.1G\\').0(1H);$(\\'.1M\\').0(1L);$(\\'.1K\\').0(1I);$(\\'.1J\\').0(1A);$(\\'.1z\\').0(1r);$(\\'.1q\\').0(1p);$(\\'.1n\\').0(1o);$(\\'.1s\\').0(1t);$(\\'.1y\\').0(1x);$(\\'.1w\\').0(1u);$(\\'.U\\').0(1N);$(\\'.L\\').0(j);$(\\'.i\\').0(h);$(\\'.f\\').0(g);$(\\'.k\\').0(l);$(\\'.q\\').0(p);$(\\'.o\\').0(m);$(\\'.e\\').0(r);$(\\'.c\\').0(5);$(\\'.4\\').0(3);$(\\'.1\\').0(2);$(\\'.6\\').0(d);$(\\'.7\\').0(b);$(\\'.a\\').0(8);$(\\'.9\\').0(n);$(\\'.T\\').0(s);$(\\'.K\\').0(J);$(\\'.H\\').0(I);$(\\'.M\\').0(N);$(\\'.S\\').0(R);$(\\'.Q\\').0(O);$(\\'.P\\').0(G);$(\\'.F\\').0(x);$(\\'.w\\').0(v);$(\\'.t\\').0(u);$(\\'.y\\').0(z);$(\\'.E\\').0(D);$(\\'.C\\').0(A);$(\\'.B\\').0(1v);$(\\'.3B\\').0(1O);$(\\'.30\\').0(2Z);$(\\'.2X\\').0(2Y);$(\\'.32\\').0(33);$(\\'.38\\').0(37);$(\\'.36\\').0(34);$(\\'.35\\').0(2W);$(\\'.2V\\').0(2N);$(\\'.2M\\').0(2L);$(\\'.2J\\').0(2K);$(\\'.2O\\').0(2P);$(\\'.2U\\').0(2T);$(\\'.2S\\').0(2Q);$(\\'.2R\\').0(39);$(\\'.3a\\').0(3t);$(\\'.3s\\').0(3r);$(\\'.3p\\').0(3q);$(\\'.3u\\').0(3v);$(\\'.3A\\').0(3z);$(\\'.3y\\').0(3w);$(\\'.3x\\').0(3o);$(\\'.3n\\').0(3f);$(\\'.3e\\').0(3d);$(\\'.3b\\').0(3c);$(\\'.3g\\').0(3h);$(\\'.3m\\').0(3l);$(\\'.3k\\').0(3i);$(\\'.3j\\').0(2I);$(\\'.2H\\').0(27);$(\\'.26\\').0(25);$(\\'.23\\').0(24);$(\\'.28\\').0(29);$(\\'.2e\\').0(2d);$(\\'.2c\\').0(2a);$(\\'.2b\\').0(22);$(\\'.21\\').0(1T);$(\\'.1S\\').0(1R);$(\\'.1P\\').0(1Q);$(\\'.1U\\').0(1V);$(\\'.20\\').0(1Z);$(\\'.1Y\\').0(1W);$(\\'.1X\\').0(2f);$(\\'.2g\\').0(2z);$(\\'.2y\\').0(2x);$(\\'.2v\\').0(2w);$(\\'.2A\\').0(2B);$(\\'.2G\\').0(2F);$(\\'.2E\\').0(2C);$(\\'.2D\\').0(2u);$(\\'.2t\\').0(2l);$(\\'.2k\\').0(2j);$(\\'.2h\\').0(2i);$(\\'.2m\\').0(2n);$(\\'.2s\\').0(2r);$(\\'.2q\\').0(2o);$(\\'.2p\\').0(31)});\', 62, 224, \'html|r16c4|44612|34560|r6843|65238|r1236|r8b75|8118|r55a5|re9c8|3888|rf4dc|38525|rc520|ra35a|36681|59144|r77b9|39371|rf763|34273|55472|1081|r49a9|53959|rbb68|52479|8888|r7c86|54621|8082|red22|8197|reb81|53879|83|rf90c|rdc1a|55033|re6f2|r63c2|8380|r46a3|48146|42119|rd8ca|r663d|rce32|42134|51489|r58c3|r17e7|48678|r6293|rcb1e|r208f|r3317|37699|80|r6998|8081|r88ff|8889|44938|r7b20|r381f|35709|r0e7c|r714b|999|r807f|8080|function|ready|document|rb109|38009|3128|r66cd|r8c9f|47464|rd750|55830|r9210|ra699|3256|60684|rbb9f|55443|r4003|8027|42648|8181|r6a12|8013|re4a5|r8954|45521|r748f|53281|59152|rc328|33630|r80a1|65205|40098|r3d23|ra38b|39553|r0980|34403|58689|r3dc1|37979|35659|r691e|51008|rd20a|35953|48017|r5eaf|rf209|30032|rc192|r6789|56218|r0f3b|49044|48687|r8fef|47744|rc7b8|49086|43947|r4ec6|rec04|50330|r0804|32439|rb991|r5a26|43326|33128|r25e4|33855|r0a26|38554|44530|rbb88|rf834|46877|rcc76|r8e28|3162|ra22d|61124|55693|r17b7|44887|r5a9d|36506|3141|ra083|r0fea|3142|r6f4a|r4629|47548|redc6|30716|31409|raad6|37717|rd7d1|9999|60792|r76d5|r9071|47385|r7191|rfb6a|3129|rd097|8686|31475|rf248|54675|rdf85|41258|58888|r6214|r64b3|61743|r21d4|8090|r04e3|r4a5f|9001|52271|r5ce3|43631|r7eed|54555|42033|r4b68|rfb5f|23500|re614|rbee8|42928|r0d33|47045|3150|rd4da|56644|r70b3|42580|54018|reea3|r5275|45282|raaec|r4ba9\'.split(\'|\'), 0, {}))

"""

com = execjs.eval(js)
print(com)

 

一执行,报错了,卧槽:

 

 

 

我非常确定我没有改代码,ctrl+c,ctrl+v的,好,那我用js2py呢,还是报错:

 

 

 

 

我用node环境呢,首先确实是有安装node的:

 

 

 

还是没戏

 

 

 

 

那我稍微改下吧,把eval删了,改成立即执行函数,还是不行:

 

 

 

 

 

 

 

好,那我再改下,改成定义函数,之后再传入值调用函数吧:

import execjs
import js2py

js = """function test(p, a, c, k, e, d) {
    e = function(c) {
        return (c < a ? \'\' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    }
    ;
    if (!\'\'.replace(/^/, String)) {
        while (c--) {
            d[e(c)] = k[c] || e(c)
        }
        k = [function(e) {
            return d[e]
        }
        ];
        e = function() {
            return \'\\w+\'
        }
        ;
        c = 1
    }
    ;while (c--) {
        if (k[c]) {
            p = p.replace(new RegExp(\'\\b\' + e(c) + \'\\b\',\'g\'), k[c])
        }
    }
    return p
}
"""
# import os
# os.environ["EXECJS_RUNTIME"] = "node"
# com = execjs.eval(js)
com = js2py.eval_js(js)
print(com(\'$(1d).1c(1b(){$(\\'.19\\').0(1a);$(\\'.1e\\').0(1f);$(\\'.1k\\').0(1j);$(\\'.1i\\').0(1g);$(\\'.1h\\').0(18);$(\\'.17\\').0(Z);$(\\'.Y\\').0(X);$(\\'.V\\').0(W);$(\\'.10\\').0(11);$(\\'.16\\').0(15);$(\\'.14\\').0(12);$(\\'.13\\').0(1l);$(\\'.1m\\').0(1F);$(\\'.1E\\').0(1D);$(\\'.1B\\').0(1C);$(\\'.1G\\').0(1H);$(\\'.1M\\').0(1L);$(\\'.1K\\').0(1I);$(\\'.1J\\').0(1A);$(\\'.1z\\').0(1r);$(\\'.1q\\').0(1p);$(\\'.1n\\').0(1o);$(\\'.1s\\').0(1t);$(\\'.1y\\').0(1x);$(\\'.1w\\').0(1u);$(\\'.U\\').0(1N);$(\\'.L\\').0(j);$(\\'.i\\').0(h);$(\\'.f\\').0(g);$(\\'.k\\').0(l);$(\\'.q\\').0(p);$(\\'.o\\').0(m);$(\\'.e\\').0(r);$(\\'.c\\').0(5);$(\\'.4\\').0(3);$(\\'.1\\').0(2);$(\\'.6\\').0(d);$(\\'.7\\').0(b);$(\\'.a\\').0(8);$(\\'.9\\').0(n);$(\\'.T\\').0(s);$(\\'.K\\').0(J);$(\\'.H\\').0(I);$(\\'.M\\').0(N);$(\\'.S\\').0(R);$(\\'.Q\\').0(O);$(\\'.P\\').0(G);$(\\'.F\\').0(x);$(\\'.w\\').0(v);$(\\'.t\\').0(u);$(\\'.y\\').0(z);$(\\'.E\\').0(D);$(\\'.C\\').0(A);$(\\'.B\\').0(1v);$(\\'.3B\\').0(1O);$(\\'.30\\').0(2Z);$(\\'.2X\\').0(2Y);$(\\'.32\\').0(33);$(\\'.38\\').0(37);$(\\'.36\\').0(34);$(\\'.35\\').0(2W);$(\\'.2V\\').0(2N);$(\\'.2M\\').0(2L);$(\\'.2J\\').0(2K);$(\\'.2O\\').0(2P);$(\\'.2U\\').0(2T);$(\\'.2S\\').0(2Q);$(\\'.2R\\').0(39);$(\\'.3a\\').0(3t);$(\\'.3s\\').0(3r);$(\\'.3p\\').0(3q);$(\\'.3u\\').0(3v);$(\\'.3A\\').0(3z);$(\\'.3y\\').0(3w);$(\\'.3x\\').0(3o);$(\\'.3n\\').0(3f);$(\\'.3e\\').0(3d);$(\\'.3b\\').0(3c);$(\\'.3g\\').0(3h);$(\\'.3m\\').0(3l);$(\\'.3k\\').0(3i);$(\\'.3j\\').0(2I);$(\\'.2H\\').0(27);$(\\'.26\\').0(25);$(\\'.23\\').0(24);$(\\'.28\\').0(29);$(\\'.2e\\').0(2d);$(\\'.2c\\').0(2a);$(\\'.2b\\').0(22);$(\\'.21\\').0(1T);$(\\'.1S\\').0(1R);$(\\'.1P\\').0(1Q);$(\\'.1U\\').0(1V);$(\\'.20\\').0(1Z);$(\\'.1Y\\').0(1W);$(\\'.1X\\').0(2f);$(\\'.2g\\').0(2z);$(\\'.2y\\').0(2x);$(\\'.2v\\').0(2w);$(\\'.2A\\').0(2B);$(\\'.2G\\').0(2F);$(\\'.2E\\').0(2C);$(\\'.2D\\').0(2u);$(\\'.2t\\').0(2l);$(\\'.2k\\').0(2j);$(\\'.2h\\').0(2i);$(\\'.2m\\').0(2n);$(\\'.2s\\').0(2r);$(\\'.2q\\').0(2o);$(\\'.2p\\').0(31)});\', 62, 224, \'html|r16c4|44612|34560|r6843|65238|r1236|r8b75|8118|r55a5|re9c8|3888|rf4dc|38525|rc520|ra35a|36681|59144|r77b9|39371|rf763|34273|55472|1081|r49a9|53959|rbb68|52479|8888|r7c86|54621|8082|red22|8197|reb81|53879|83|rf90c|rdc1a|55033|re6f2|r63c2|8380|r46a3|48146|42119|rd8ca|r663d|rce32|42134|51489|r58c3|r17e7|48678|r6293|rcb1e|r208f|r3317|37699|80|r6998|8081|r88ff|8889|44938|r7b20|r381f|35709|r0e7c|r714b|999|r807f|8080|function|ready|document|rb109|38009|3128|r66cd|r8c9f|47464|rd750|55830|r9210|ra699|3256|60684|rbb9f|55443|r4003|8027|42648|8181|r6a12|8013|re4a5|r8954|45521|r748f|53281|59152|rc328|33630|r80a1|65205|40098|r3d23|ra38b|39553|r0980|34403|58689|r3dc1|37979|35659|r691e|51008|rd20a|35953|48017|r5eaf|rf209|30032|rc192|r6789|56218|r0f3b|49044|48687|r8fef|47744|rc7b8|49086|43947|r4ec6|rec04|50330|r0804|32439|rb991|r5a26|43326|33128|r25e4|33855|r0a26|38554|44530|rbb88|rf834|46877|rcc76|r8e28|3162|ra22d|61124|55693|r17b7|44887|r5a9d|36506|3141|ra083|r0fea|3142|r6f4a|r4629|47548|redc6|30716|31409|raad6|37717|rd7d1|9999|60792|r76d5|r9071|47385|r7191|rfb6a|3129|rd097|8686|31475|rf248|54675|rdf85|41258|58888|r6214|r64b3|61743|r21d4|8090|r04e3|r4a5f|9001|52271|r5ce3|43631|r7eed|54555|42033|r4b68|rfb5f|23500|re614|rbee8|42928|r0d33|47045|3150|rd4da|56644|r70b3|42580|54018|reea3|r5275|45282|raaec|r4ba9\'.split(\'|\'), 0, {}))

 

结果有误

 

执行结果:

 

 

 

 

 

这结果有点不对啊,跟我们预期的不一样,我换成execjs也一样:

 

 

 

这里就很邪门,看这结果,说白了,就没替换成功,d没生成,我在这里面加了一行打印,发现d其实是有的,那一定在某个地方没有正常进入:

 

 

 

 

我把一些判断条件直接去掉看看,发现还是如此:

 

 

 

 

 

找到原因 

 

 

我分析了很久,最后找到关键点了,execjs和js2py都不识别【RegExp】对象,测试验证:

 

 

 

 

 

在浏览器的终端里,确实是正常执行的:

 

 

 

 

 

 

找出这个原因的中间过程就省略了,在这里展示篇幅就很长了,把后面的正则表达式匹配的改下:

p = p.replace(new RegExp(\'\\b\' + e(c) + \'\\b\',\'g\'), k[c])

改成:

 

p = p.replace(/\w+/g, k[c])

 

上面的e(c),经打断点调试,发现其实就是这段:

 

 

 换句话,此时的e(c)就是\\w+,所以就不多说了,改了之后执行看看,这结果,成功了!!!!

 

跟调试工具的结果对比,就看前面几个,r807f和rb109就知道,确实是对的,没毛病

 

 

 

 

 

用execj和js2py都是可以的:

 

当然,你如果看懂了这段js的逻辑,你用python改写下逻辑,然后调用执行也是可以的,这里就不展示了

 

  

如果你硬要问了是怎么发现的吗? 那可是一把辛酸一把泪啊,你知道我调试这个,我一行行代码一个一个去调试,测了多久吗,不说了哈,这个过程是枯燥费神的,结果是美好的。

 

那么后续就是去请求这个代理网站,找到那个js文件,刷新一下它又变了

 

 

 

 

那就从源码里定位,用xpath的兄弟元素定位

 

 

 

 

 

 

然后把源码搞下来,然后执行完去源码里把我们需要的数据跳转和替换即可,然后这里肯定是没法用exec和eval函数的,别看别人的有eval,像上面这些$(\'.r807f\').html(8080),这可是js里的jquery特有的写法,所以,要用python写就是一个数据处理了,要嘛用正则替换,要嘛就简单的字符串操作了,后续的过程就不展示了,无非就是一个时间问题了。 

 

 

结语

搞定之后你就发现挺简单的,没搞定的时候就总觉得很难,急躁,谁知道execjs和js2py不能处理正则对象啊,那么根据这个,以后遇到类似的有用对象操作的,就可以替换一下了。

顺便说一句,如果有那种对js的代码做了加密的,那无非也就多个步骤,去把代码解密了再分析

 

分类:

技术点:

相关文章:

猜你喜欢
相关资源
相似解决方案
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode