可以发现,当点击的时候,执行了一个函数,visit(),接着目标就是寻找到这个函数。
在这里找到了这个函数。visit函数又执行了一个strdecode()的函数,下面目标转换,寻找strdecode()函数:
ctrl+F 全局搜索,
上面的函数,又缺少了一个Gword的变量,这个变量经过寻找,在标签中找到了,
接下来目标再次切换,对js函数加密进行重构:
var Gword = " [email protected]"
function visit(url) {
var newTab = window.open('about:blank'); //新建一个标签对象
if(Gword!='') url = strdecode(url); //如果Gword不等于空,则跳转的url等于strdecode函数的返回值
// var newTab = window.open(url);
newTab.location.href = url; //设置标签对象的地址为上面的url(不是参数)
//newTab.location.reload(true);
}
function strdecode(string) {
string = base64decode(string); //base64解码string参数,string参数的值就是上面代码中的那段base64编码后的内容
key = Gword; //key赋值为上面的邮箱[email protected]
len = key.length; //邮箱的长度
code = '';
for (i = 0; i < string.length; i++) {//循环{string变量长度}次
var k = i % len;//k = i 余 len
var n = string.charCodeAt(i) ^ key.charCodeAt(k);//string[i]的ascii数字 ^ key[k]的ascii数字
code += String.fromCharCode()//ascii数字到字母(num)
}
return base64decode(code)//最后将code进行base64解码,即为最终的地址
}
因为我们只用到strdecode()函数,所以一层一层剥出来,可以重构出这样一个新的js:
var Gword = " [email protected]"
// JavaScript Document
function strdecode(string) {
string = base64decode(string);
key = Gword+'ok ';
len = key.length;
code = '';
for (i = 0; i < string.length; i++) {
var k = i % len;
code += String.fromCharCode(string.charCodeAt(i) ^ key.charCodeAt(k))
}
return base64decode(code)
}
var base64DecodeChars = new Array(-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1);
function base64decode(str) {
var c1, c2, c3, c4;
var i, len, out;
len = str.length;
i = 0;
out = "";
while (i < len) {
do {
c1 = base64DecodeChars[str.charCodeAt(i++) & 0xff]
} while (i < len && c1 == -1);
if (c1 == -1) break;
do {
c2 = base64DecodeChars[str.charCodeAt(i++) & 0xff]
} while (i < len && c2 == -1);
if (c2 == -1) break;
out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
do {
c3 = str.charCodeAt(i++) & 0xff;
if (c3 == 61) return out;
c3 = base64DecodeChars[c3]
} while (i < len && c3 == -1);
if (c3 == -1) break;
out += String.fromCharCode(((c2 & 0XF) << 4) | ((c3 & 0x3C) >> 2));
do {
c4 = str.charCodeAt(i++) & 0xff;
if (c4 == 61) return out;
c4 = base64DecodeChars[c4]
} while (i < len && c4 == -1);
if (c4 == -1) break;
out += String.fromCharCode(((c3 & 0x03) << 6) | c4)
}
return out
}
然后进行execjs模拟调用即可:import execjs
def get_js():
f = open("./gg1.js", 'r', encoding='utf-8')
line = f.readline()
htmlstr = ''
while line:
htmlstr = htmlstr + line
line = f.readline()
return htmlstr
jsstr = get_js()
# print(jsstr)
ctx = execjs.compile(jsstr)
# 'QSQ7XggEHBUhXUdGBwZYAAp4ZhQlAyU2ETBYBRBHWl8JXABW' 这个参数为url的参数
url_visit = ['QSQ7XggEHBUhXUdGBwZYAAp4ZhQlAyU2ETBYBRBHWl8JXABW','QSQ7XggIPlUhFktBOlwkFiZabRkwNhtxEA47XCh5KRUMNzlMQxVcGzEYIhU','QSQ7XggIPlUhFktALgZYGg93TBYNLV5wEVAsGREcLQAPXRNIQwtUUw','QSQ7XggIPlUhFktALhZYHA93bhwwNgQ1ETQ4GREcLQAPXRNIQwZRFzsXPRkIJx5vLjskFQ','QSQ7XggEHBUhXUdGBwZYAAp4ZhQlAyU2ETBYBRBHWl8JXABW','QSQ7XggIPlUhFktBOlwkFiZabRkwNhtxEA47XCh5KRUMNzlMQxVcGzEYIhU','QSQ7XggIPlUhFktALgZYGg93TBYNLV5wEVAsGQ','QSQ7XggIPlUhFktALhZYHA93bhwwNgQ1ETQ4GQ','QSQ7XggEHBUhXRYfOV04GjJ4UF0KAz1zKTQnFRN2MQMOFl5VejQ4GA==']
for x in url_visit:
print(ctx.call('strdecode', x))参数为:
运行之后,结果为:
难点:关键参数的寻找,重构js的时候要把不用的参数删掉。