猿人学第一题js混淆-源码乱码


前言

js 混淆 - 源码乱码

这是一道js 混淆的简单题,下面我们来看看如何进行逆向它,最后拿到数据

思路

拿到题目,查看数据请求携带参数

image-20210818114104881

直接搜索特殊关键字定位 m、| 发现都不行

那么定位到request请求跟踪参数来源

image-20210818114509021

进去发现混淆过,那么去混淆看下

image-20210818114645381

重要参数一览无余

image-20210818114859949

断点下,在控制台打印我们需要的参数

打印 window.f,发现值为

image-20210812181824024

这个值和发送请求的值一样。了解到window.f 就是我们需要去求的值

image-20210812181904614

但是我们搜索window.f却没有。那么我们知道肯定js 混淆后替换了或怎么样了

那么我们看下参数经过了哪些传递,到了哪里

image-20210818120100890

image-20210818120039114

原来是从这个地方来的,这里有个带<script>标签的js

这时候我们需要将源码全下载下来。放到webStorm分析。

查看eval()。发现有两处比较可疑

eval(atob(window['b'])[J('0x0',']dQW')](J('0x1','GTu!'),'\x27'+mw+'\x27'));return''}

image-20210812182702701

第一处使用了 atob() 函数,这个函数用于解码 base-64 编码的字符串。

控制台执行

atob(window['b'])

发现字符串代码

image-20210812183138839

J('0x0', ']dQW')

J('0x1', 'GTu!')

'\x27' + mw + '\x27'

image-20210812183902082

发现J 未定义

我们查找J 发现就在上一段代码。其实就是中

image-20210812184453606

image-20210812185536435

执行这段代码在控制台

之后发现

image-20210812185905910

image-20210812190125840

那么还原这段代码就是

eval(atob(window['b'])["replace"]("mwqqppz", 'mw'));

再简化

eval(atob(window['b']).replace("mwqqppz", 'mw'));

懂了就是将

atob(window['b']) 解码出的字符串中的 'mwqqppz' 替换为 'mw'(原始代码里第二个参数是 '\x27'+mw+'\x27',即两边加上单引号的 mw 的值,上面写成 'mw' 只是简写)

那么尝试解密下内容

atob(window['b'])

image-20210812190738381

IDE 里面美化分析一波

image-20210812190903338

发现 window.f 内容是hex_md5(mwqqppz);

mwqqppz是不是特别熟悉。就是上面会替换 mw的那个地方

但是mwqqppz到底是什么值呢,这个不得而知。

我们回过去在看

image-20210812191516024

mw 就是 oo0O0(mw) 的形参

先看下 mw 是什么吧,先弄清楚 oo0O0 函数在哪被调用了不就清楚了

image-20210812192300596

发现里面调用了。解密下

image-20210812192410317

image-20210812192508825

发现参数是

Date.parse(new Date()) + 100000000   的字符串

那么回到原来这段代码就能知道含义了

eval(atob(window['b']).replace("mwqqppz", 'mw'));

就是将 window['b'] 解码后的代码中的 mwqqppz 替换为 mw 的值,也就是 Date.parse(new Date()) + 100000000 的字符串。那么 mwqqppz 也就是那个 mw 的时间戳字符串

好了。所有的谜题都解决了

我们知道之前

c67463479cac28f59ab163b50006a46c丨1628864679

image-20210812194441057

我们执行下之前hex_md5(mwqqppz); 的函数看与结果是否一样

还是之前的时间戳

image-20210812193342848

image-20210812194615385

完全一致

最后解题

js 代码求解

'use strict';

/**
 * Digit case used by binl2hex: a falsy value selects lowercase hex digits,
 * a truthy value selects uppercase.
 * @type {number}
 */
var hexcase = 0;

/**
 * String that binl2b64 appends in place of base-64 characters that fall past
 * the end of the digest. Empty here, so no padding is emitted.
 * @type {string}
 */
var b64pad = "";

/**
 * Number of bits taken from each input character by str2binl / binl2str.
 * With 16, every UTF-16 code unit of the input contributes two bytes to the
 * hashed message, so digests differ from an MD5 computed over one byte per
 * character.
 * NOTE(review): the common md5.js this file resembles uses 8 here; 16 is
 * presumably what the page being reproduced uses, so confirm before changing.
 * @type {number}
 */
var chrsz = 16;
/**
 * Hash a string and return the digest as hexadecimal text.
 *
 * The string is packed into 32-bit words by str2binl (chrsz bits per
 * character), run through core_md5, and rendered by binl2hex.
 * NOTE(review): because of chrsz and the round constants used by core_md5 in
 * this file, the output should not be assumed to equal a standard MD5 digest.
 *
 * @param {string} s - text to hash
 * @return {string} hex digest as produced by binl2hex
 */
function hex_md5(s) {
  var words = str2binl(s);
  var bitLength = s.length * chrsz;
  return binl2hex(core_md5(words, bitLength));
}
/**
 * Hash a string and return the digest encoded with the base-64 alphabet.
 *
 * Same pipeline as the hex variant, but the four state words are rendered by
 * binl2b64 (padding controlled by b64pad).
 *
 * @param {string} s - text to hash
 * @return {string} base-64 text as produced by binl2b64
 */
function b64_md5(s) {
  var words = str2binl(s);
  var bitLength = s.length * chrsz;
  return binl2b64(core_md5(words, bitLength));
}
/**
 * Hash a string and return the digest as a raw string, one character per
 * chrsz bits of the digest (see binl2str).
 *
 * @param {string} s - text to hash
 * @return {string} digest characters as produced by binl2str
 */
function str_md5(s) {
  var words = str2binl(s);
  var bitLength = s.length * chrsz;
  return binl2str(core_md5(words, bitLength));
}
/**
 * Compute the keyed digest from core_hmac_md5 and return it as hex text.
 *
 * @param {string} key - secret key text
 * @param {string} data - message text
 * @return {string} hex digest as produced by binl2hex
 */
function hex_hmac_md5(key, data) {
  var mac = core_hmac_md5(key, data);
  return binl2hex(mac);
}
/**
 * Compute the keyed digest from core_hmac_md5 and return it encoded with the
 * base-64 alphabet.
 *
 * @param {string} key - secret key text
 * @param {string} data - message text
 * @return {string} base-64 text as produced by binl2b64
 */
function b64_hmac_md5(key, data) {
  var mac = core_hmac_md5(key, data);
  return binl2b64(mac);
}
/**
 * Compute the keyed digest from core_hmac_md5 and return it as a raw string
 * (see binl2str).
 *
 * @param {string} key - secret key text
 * @param {string} data - message text
 * @return {string} digest characters as produced by binl2str
 */
function str_hmac_md5(key, data) {
  var mac = core_hmac_md5(key, data);
  return binl2str(mac);
}
/**
 * Self-check: compare hex_md5("abc") with a fixed reference digest.
 *
 * NOTE(review): the reference string is the standard MD5 of ASCII "abc". With
 * chrsz set to 16 and the round constants used by core_md5 in this file, this
 * check presumably returns false; treat that as expected for this variant
 * rather than as a broken runtime. Confirm by running it.
 *
 * @return {boolean} true when the computed digest equals the reference
 */
function md5_vm_test() {
  var expected = "900150983cd24fb0d6963f7d28e17f72";
  var actual = hex_md5("abc");
  return actual == expected;
}
/**
 * Run the block-compression loop over an array of 32-bit words and return the
 * four state words.
 *
 * The input array is modified in place: a padding bit is OR-ed in at bit
 * offset `len` and the bit length is stored in word 14 of the last 16-word
 * block. Array slots that were never written are read as undefined; the
 * bitwise operations in safe_add treat those as 0.
 *
 * NOTE(review): one additive constant in the md5_ii rounds differs from the
 * RFC 1321 table (see the comment on that line), so the result should not be
 * assumed to be a standard MD5 digest.
 *
 * @param {!Array<number>} x - message as little-endian 32-bit words (mutated)
 * @param {number} len - message length in bits
 * @return {!Array<number>} the four state words [a, b, c, d]
 */
function core_md5(x, len) {
  // Padding: set the marker bit directly after the last message bit.
  x[len >> 5] |= 128 << len % 32;
  // Store the bit length in word 14 of the final 16-word block.
  /** @type {number} */
  x[(len + 64 >>> 9 << 4) + 14] = len;
  // Initial chaining values.
  /** @type {number} */
  var a = 1732584193;
  /** @type {number} */
  var b = -271733879;
  /** @type {number} */
  var c = -1732584194;
  /** @type {number} */
  var d = 271733878;
  /** @type {number} */
  var i = 0;
  // Process the message 16 words (512 bits) at a time.
  for (; i < x.length; i = i + 16) {
    // Remember the state entering this block; it is added back at the end.
    var olda = a;
    var oldb = b;
    var oldc = c;
    var oldd = d;
    // Round 1: sixteen md5_ff steps.
    a = md5_ff(a, b, c, d, x[i + 0], 7, -680976936);
    d = md5_ff(d, a, b, c, x[i + 1], 12, -389564586);
    c = md5_ff(c, d, a, b, x[i + 2], 17, 606105819);
    b = md5_ff(b, c, d, a, x[i + 3], 22, -1044525330);
    a = md5_ff(a, b, c, d, x[i + 4], 7, -176418897);
    d = md5_ff(d, a, b, c, x[i + 5], 12, 1200080426);
    c = md5_ff(c, d, a, b, x[i + 6], 17, -1473231341);
    b = md5_ff(b, c, d, a, x[i + 7], 22, -45705983);
    a = md5_ff(a, b, c, d, x[i + 8], 7, 1770035416);
    d = md5_ff(d, a, b, c, x[i + 9], 12, -1958414417);
    c = md5_ff(c, d, a, b, x[i + 10], 17, -42063);
    b = md5_ff(b, c, d, a, x[i + 11], 22, -1990404162);
    a = md5_ff(a, b, c, d, x[i + 12], 7, 1804660682);
    d = md5_ff(d, a, b, c, x[i + 13], 12, -40341101);
    c = md5_ff(c, d, a, b, x[i + 14], 17, -1502002290);
    b = md5_ff(b, c, d, a, x[i + 15], 22, 1236535329);
    // Round 2: sixteen md5_gg steps.
    a = md5_gg(a, b, c, d, x[i + 1], 5, -165796510);
    d = md5_gg(d, a, b, c, x[i + 6], 9, -1069501632);
    c = md5_gg(c, d, a, b, x[i + 11], 14, 643717713);
    b = md5_gg(b, c, d, a, x[i + 0], 20, -373897302);
    a = md5_gg(a, b, c, d, x[i + 5], 5, -701558691);
    d = md5_gg(d, a, b, c, x[i + 10], 9, 38016083);
    c = md5_gg(c, d, a, b, x[i + 15], 14, -660478335);
    b = md5_gg(b, c, d, a, x[i + 4], 20, -405537848);
    a = md5_gg(a, b, c, d, x[i + 9], 5, 568446438);
    d = md5_gg(d, a, b, c, x[i + 14], 9, -1019803690);
    c = md5_gg(c, d, a, b, x[i + 3], 14, -187363961);
    b = md5_gg(b, c, d, a, x[i + 8], 20, 1163531501);
    a = md5_gg(a, b, c, d, x[i + 13], 5, -1444681467);
    d = md5_gg(d, a, b, c, x[i + 2], 9, -51403784);
    c = md5_gg(c, d, a, b, x[i + 7], 14, 1735328473);
    b = md5_gg(b, c, d, a, x[i + 12], 20, -1921207734);
    // Round 3: sixteen md5_hh steps.
    a = md5_hh(a, b, c, d, x[i + 5], 4, -378558);
    d = md5_hh(d, a, b, c, x[i + 8], 11, -2022574463);
    c = md5_hh(c, d, a, b, x[i + 11], 16, 1839030562);
    b = md5_hh(b, c, d, a, x[i + 14], 23, -35309556);
    a = md5_hh(a, b, c, d, x[i + 1], 4, -1530992060);
    d = md5_hh(d, a, b, c, x[i + 4], 11, 1272893353);
    c = md5_hh(c, d, a, b, x[i + 7], 16, -155497632);
    b = md5_hh(b, c, d, a, x[i + 10], 23, -1094730640);
    a = md5_hh(a, b, c, d, x[i + 13], 4, 681279174);
    d = md5_hh(d, a, b, c, x[i + 0], 11, -358537222);
    c = md5_hh(c, d, a, b, x[i + 3], 16, -722881979);
    b = md5_hh(b, c, d, a, x[i + 6], 23, 76029189);
    a = md5_hh(a, b, c, d, x[i + 9], 4, -640364487);
    d = md5_hh(d, a, b, c, x[i + 12], 11, -421815835);
    c = md5_hh(c, d, a, b, x[i + 15], 16, 530742520);
    b = md5_hh(b, c, d, a, x[i + 2], 23, -995338651);
    // Round 4: sixteen md5_ii steps.
    a = md5_ii(a, b, c, d, x[i + 0], 6, -198630844);
    // NOTE(review): RFC 1321 lists 1126891415 (0x432aff97) for this step. The
    // value below is larger than 32 bits and is reduced by the bitwise
    // operations in safe_add. Presumably this mirrors the page's altered
    // script; confirm against the page before "correcting" it.
    d = md5_ii(d, a, b, c, x[i + 7], 10, 11261161415);
    c = md5_ii(c, d, a, b, x[i + 14], 15, -1416354905);
    b = md5_ii(b, c, d, a, x[i + 5], 21, -57434055);
    a = md5_ii(a, b, c, d, x[i + 12], 6, 1700485571);
    d = md5_ii(d, a, b, c, x[i + 3], 10, -1894446606);
    c = md5_ii(c, d, a, b, x[i + 10], 15, -1051523);
    b = md5_ii(b, c, d, a, x[i + 1], 21, -2054922799);
    a = md5_ii(a, b, c, d, x[i + 8], 6, 1873313359);
    d = md5_ii(d, a, b, c, x[i + 15], 10, -30611744);
    c = md5_ii(c, d, a, b, x[i + 6], 15, -1560198380);
    b = md5_ii(b, c, d, a, x[i + 13], 21, 1309151649);
    a = md5_ii(a, b, c, d, x[i + 4], 6, -145523070);
    d = md5_ii(d, a, b, c, x[i + 11], 10, -1120210379);
    c = md5_ii(c, d, a, b, x[i + 2], 15, 718787259);
    b = md5_ii(b, c, d, a, x[i + 9], 21, -343485551);
    // Feed-forward: add the state that entered this block.
    a = safe_add(a, olda);
    b = safe_add(b, oldb);
    c = safe_add(c, oldc);
    d = safe_add(d, oldd);
  }
  return Array(a, b, c, d);
}
/**
 * Shared step used by md5_ff / md5_gg / md5_hh / md5_ii: add the mixed value,
 * the state word, the message word and the constant, rotate left, then add b.
 * All additions go through safe_add.
 *
 * @param {number} q - output of the round's boolean function
 * @param {number} a - state word being updated
 * @param {number} b - state word added after the rotation
 * @param {number} x - message word (may be undefined for unwritten slots)
 * @param {number} s - left-rotation amount in bits
 * @param {number} t - additive constant for this step
 * @return {number} new value for the state word
 */
function md5_cmn(q, a, b, x, s, t) {
  var stateTerm = safe_add(a, q);
  var messageTerm = safe_add(x, t);
  var rotated = bit_rol(safe_add(stateTerm, messageTerm), s);
  return safe_add(rotated, b);
}
/**
 * Round-1 step: mixes b, c, d with (b AND c) OR (NOT b AND d), then delegates
 * to md5_cmn.
 *
 * @param {number} a - state word being updated
 * @param {number} b - state word
 * @param {number} c - state word
 * @param {number} d - state word
 * @param {number} x - message word
 * @param {number} s - left-rotation amount
 * @param {number} t - additive constant
 * @return {number} new value for a
 */
function md5_ff(a, b, c, d, x, s, t) {
  var mixed = (b & c) | (~b & d);
  return md5_cmn(mixed, a, b, x, s, t);
}
/**
 * Round-2 step: mixes b, c, d with (b AND d) OR (c AND NOT d), then delegates
 * to md5_cmn.
 *
 * @param {number} a - state word being updated
 * @param {number} b - state word
 * @param {number} c - state word
 * @param {number} d - state word
 * @param {number} x - message word
 * @param {number} s - left-rotation amount
 * @param {number} t - additive constant
 * @return {number} new value for a
 */
function md5_gg(a, b, c, d, x, s, t) {
  var mixed = (b & d) | (c & ~d);
  return md5_cmn(mixed, a, b, x, s, t);
}
/**
 * Round-3 step: mixes b, c, d with b XOR c XOR d, then delegates to md5_cmn.
 *
 * @param {number} a - state word being updated
 * @param {number} b - state word
 * @param {number} c - state word
 * @param {number} d - state word
 * @param {number} x - message word
 * @param {number} s - left-rotation amount
 * @param {number} t - additive constant
 * @return {number} new value for a
 */
function md5_hh(a, b, c, d, x, s, t) {
  var mixed = b ^ c ^ d;
  return md5_cmn(mixed, a, b, x, s, t);
}
/**
 * Round-4 step: mixes b, c, d with c XOR (b OR NOT d), then delegates to
 * md5_cmn.
 *
 * @param {number} a - state word being updated
 * @param {number} b - state word
 * @param {number} c - state word
 * @param {number} d - state word
 * @param {number} x - message word
 * @param {number} s - left-rotation amount
 * @param {number} t - additive constant
 * @return {number} new value for a
 */
function md5_ii(a, b, c, d, x, s, t) {
  var mixed = c ^ (b | ~d);
  return md5_cmn(mixed, a, b, x, s, t);
}
/**
 * Keyed digest built from two core_md5 passes over XOR-padded copies of the
 * key (inner pad 0x36 bytes, outer pad 0x5c bytes).
 *
 * A key that packs to more than 16 words is first reduced with core_md5.
 * Missing key words are undefined and XOR as 0, leaving the bare pad value.
 *
 * @param {string} key - secret key text
 * @param {string} data - message text
 * @return {!Array<number>} four state words from the outer core_md5 pass
 */
function core_hmac_md5(key, data) {
  var keyWords = str2binl(key);
  if (keyWords.length > 16) {
    keyWords = core_md5(keyWords, key.length * chrsz);
  }

  var innerPad = Array(16);
  var outerPad = Array(16);
  for (var k = 0; k < 16; k++) {
    innerPad[k] = keyWords[k] ^ 0x36363636;
    outerPad[k] = keyWords[k] ^ 0x5c5c5c5c;
  }

  // Inner pass covers the 512-bit pad plus the message bits.
  var innerDigest = core_md5(innerPad.concat(str2binl(data)), 512 + data.length * chrsz);
  // Outer pass covers the 512-bit pad plus the 128-bit inner digest.
  return core_md5(outerPad.concat(innerDigest), 640);
}
/**
 * Add two numbers as 32-bit integers with wrap-around, working on 16-bit
 * halves so the intermediate sums stay exact.
 *
 * Operands are coerced by the bitwise operators, so values outside the 32-bit
 * range (and undefined) are reduced before the addition.
 *
 * @param {number} x - first operand
 * @param {number} y - second operand
 * @return {number} signed 32-bit sum
 */
function safe_add(x, y) {
  var lowSum = (x & 0xffff) + (y & 0xffff);
  var highSum = (x >> 16) + (y >> 16) + (lowSum >> 16);
  return (highSum << 16) | (lowSum & 0xffff);
}
/**
 * Rotate a 32-bit integer left by cnt bits.
 *
 * @param {number} num - value to rotate
 * @param {number} cnt - number of bit positions
 * @return {number} rotated value as a signed 32-bit integer
 */
function bit_rol(num, cnt) {
  var shiftedOut = num >>> (32 - cnt);
  var shiftedUp = num << cnt;
  return shiftedUp | shiftedOut;
}
/**
 * Pack a string into an array of little-endian 32-bit words, taking the low
 * chrsz bits of each character code.
 *
 * @param {string} str - text to pack
 * @return {!Array<number>} packed words (empty array for an empty string)
 */
function str2binl(str) {
  var words = [];
  var charMask = (1 << chrsz) - 1;
  var totalBits = str.length * chrsz;
  var bit = 0;
  while (bit < totalBits) {
    var code = str.charCodeAt(bit / chrsz) & charMask;
    // First touch of a word ORs into undefined, which yields the number.
    words[bit >> 5] |= code << (bit % 32);
    bit += chrsz;
  }
  return words;
}
/**
 * Unpack an array of little-endian 32-bit words into a string, emitting one
 * character per chrsz bits.
 *
 * @param {!Array<number>} bin - words to unpack
 * @return {string} one character per chrsz-bit group
 */
function binl2str(bin) {
  var charMask = (1 << chrsz) - 1;
  var totalBits = bin.length * 32;
  var pieces = [];
  for (var bit = 0; bit < totalBits; bit += chrsz) {
    var code = (bin[bit >> 5] >>> (bit % 32)) & charMask;
    pieces.push(String.fromCharCode(code));
  }
  return pieces.join("");
}
/**
 * Render an array of little-endian 32-bit words as hex text, two digits per
 * byte, lowest byte of each word first. Digit case follows hexcase.
 *
 * @param {!Array<number>} binarray - words to render
 * @return {string} hex text, eight digits per word
 */
function binl2hex(binarray) {
  var digits = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
  var byteCount = binarray.length * 4;
  var out = "";
  for (var n = 0; n < byteCount; n++) {
    var word = binarray[n >> 2];
    var shift = (n % 4) * 8;
    var highNibble = (word >> (shift + 4)) & 15;
    var lowNibble = (word >> shift) & 15;
    out += digits.charAt(highNibble) + digits.charAt(lowNibble);
  }
  return out;
}
/**
 * Render an array of little-endian 32-bit words with the base-64 alphabet.
 *
 * Bytes are consumed three at a time and emitted as four 6-bit symbols;
 * symbols that start past the end of the data are replaced by b64pad.
 *
 * @param {!Array<number>} binarray - words to render
 * @return {string} base-64 text
 */
function binl2b64(binarray) {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  var totalBytes = binarray.length * 4;
  var totalBits = binarray.length * 32;
  var out = "";

  // Byte n of the word array; bytes beyond the array read as 0.
  var byteAt = function (n) {
    return (binarray[n >> 2] >> (8 * (n % 4))) & 255;
  };

  for (var i = 0; i < totalBytes; i += 3) {
    var triplet = (byteAt(i) << 16) | (byteAt(i + 1) << 8) | byteAt(i + 2);
    for (var j = 0; j < 4; j++) {
      var pastEnd = i * 8 + j * 6 > totalBits;
      out += pastEnd ? b64pad : alphabet.charAt((triplet >> (6 * (3 - j))) & 63);
    }
  }
  return out;
}

/**
 * Build the two values that make up the request's `m` parameter.
 *
 * The timestamp is Date.parse(new Date()) plus 100000000 ms. Date.parse goes
 * through the date's string form, so the value is a whole number of seconds
 * expressed in milliseconds. res1 is hex_md5 of that timestamp as a decimal
 * string; res2 is the same timestamp divided by 1000, as a string. Both
 * inputs are derived only from the local clock, so the token carries no
 * server-side secret.
 *
 * Logs the timestamp and the digest to the console.
 *
 * @return {{res1: string, res2: string}} digest and timestamp-in-seconds
 */
function get_windos_f() {
  var timestamp = Date.parse(new Date()) + 100000000;
  var digest = hex_md5(timestamp.toString());

  console.log(timestamp);
  console.log(digest);

  return {
    res1: digest,
    res2: (timestamp / 1000).toString()
  };
}

// var timestamp = Date.parse(new Date()) + 100000000;
// console.log(timestamp);
//
//
// // var res = 1628863165000;
// // console.log(res);
// console.log(hex_md5(timestamp.toString()));

python 求解

import requests
import execjs
import time

# Request headers copied from a captured browser request to the exercise site.
#
# NOTE(review): the "cookie" entry is a literal copy of one browser session
# (analytics cookies plus an `m=` value). Hard-coding session cookies in
# published code exposes them to every reader and they go stale; prefer
# loading them from local configuration or an environment variable. The `m`
# cookie here is separate from the `m` query parameter that get_result()
# computes at run time.
headers = {
    "authority": "match.yuanrenxue.com",
    "sec-ch-ua": '"Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"',
    "accept": "application/json, text/javascript, */*; q=0.01",
    "dnt": "1",
    "x-requested-with": "XMLHttpRequest",
    "sec-ch-ua-mobile": "?0",
    "User-Agent": "yuanrenxue.project",
    "sec-fetch-site": "same-origin",
    "sec-fetch-mode": "cors",
    "sec-fetch-dest": "empty",
    "referer": "https://match.yuanrenxue.com/match/1",
    "accept-language": "zh-CN,zh;q=0.9,en;q=0.8",
    # Adjacent literals are joined by the parser into one header value.
    "cookie": (
        "Hm_lvt_c99546cf032aaa5a679230de9a95c7db=1628664095; "
        "no-alert3=true; "
        "Hm_lvt_0362c7a08a9a04ccf3a8463c590e1e2f=1628664332; "
        "m=bff0873b5164fa7c64b08d88344343b7|1628669372000; "
        "Hm_lvt_9bcbda9cbf86757998a2339a0437208e=1628670722; "
        "Hm_lpvt_9bcbda9cbf86757998a2339a0437208e=1628677301; "
        "Hm_lpvt_0362c7a08a9a04ccf3a8463c590e1e2f=1628763084; "
        "Hm_lpvt_c99546cf032aaa5a679230de9a95c7db=1628821487"
    ),
}

# Path of the JavaScript file that defines get_windos_f (the listing above).
file = "./windows_f结果.js"


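def get_result():
    """Fetch pages 1-5 of the exercise API and return the mean of all values.

    The `m` query parameter is built once from the object returned by the
    JavaScript function get_windos_f: "<res1>\u4E28<res2>", i.e. the digest,
    the U+4E28 separator, and the timestamp in seconds.

    Prints the running total after every row and sleeps one second between
    pages.

    Returns:
        float: sum of every row's "value" divided by the number of rows.

    Raises:
        requests.HTTPError: if a page responds with an error status.
        requests.Timeout: if a page does not answer within the timeout.
        RuntimeError: if no rows were returned at all.
    """
    # Close the file handle deterministically instead of leaking it.
    with open(file) as js_source:
        ctx = execjs.compile(js_source.read())
    res = ctx.call('get_windos_f')
    token = '{0}\u4E28{1}'.format(res['res1'], res['res2'])

    # Local names avoid shadowing the built-in sum().
    total = 0
    count = 0

    for page in range(1, 6):
        params = (
            ('m', token),
            ('page', page),
        )
        # A timeout keeps a stalled connection from hanging the script, and
        # the status check surfaces a rejected token as an HTTP error rather
        # than as a JSON decoding failure.
        response = requests.get(
            'https://match.yuanrenxue.com/api/match/1',
            headers=headers,
            params=params,
            timeout=10,
        )
        response.raise_for_status()
        payload = response.json()

        # A response without "data" contributes no rows instead of raising
        # TypeError while iterating None.
        for row in payload.get('data') or []:
            count += 1
            total += row["value"]

            print(total)

        time.sleep(1)

    if count == 0:
        raise RuntimeError("no rows returned; the m token or cookie may have been rejected")

    return total / count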


# Run the five-page query once and print the mean with its label.
res = get_result()
print("结果:" + str(res))

# 4700.0

参考链接

http://jsnice.org/

http://tool.yuanrenxue.com/deobfuscator


文章作者: jusk9527
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 jusk9527 !