A brief analysis of the process and principles of "a certain number" encryption

After gnawing on it for so long, I have basically figured out the tricks of "a certain number" (the anti-crawler product discussed here). It really is a master of China's anti-crawling scene, and I feel I have learned a lot. Here is a brief record of the analysis results.
Note: different websites deploy different versions of "a certain number", and the process differs slightly. The process described here may not apply to other websites.

Tools and information

Front-end process

  1. Request a page and get the response; if a valid FSSBBIl1UgzbN7N80T cookie value was generated earlier, send it along with the request.
  2. The response HTML contains the following key data:

    • The content attribute of the <meta id="9DhefwqGPrzGxEp9hPaoag"> element: this is encrypted data containing the string mapping table, the global method mapping table, the keys of the encryption/decryption algorithm, etc. Note that the meta id differs on some websites.
    • The <script r="m"> elements: one is an external JS link, the other contains a bootstrap JS code segment, referred to below as bootstrap.js. This code is generated dynamically and differs on every request.
  3. If the response sets the FSSBBIl1UgzbN7N80T cookie, save it; it is needed later when this cookie is updated.
  4. The external JS link is actually static, so it can be fetched and saved in advance. The key code inside it is:
    $_ts.FxJzG50F = '......';

    • The value of FxJzG50F is the encrypted core JS code segment, referred to below as main.js.
    • The strange thing here is that although the encrypted content is fixed, the variable names, method names and method order in the decrypted JS are random!
  5. Executing bootstrap.js involves the following key steps:

    1. Assign common values and common methods to global variables to confuse hackers, e.g. _$wy = window; _$wG = undefined; _$a1 = String.prototype.charAt
    2. Read the meta content from the page and decrypt it in several steps. This adds a batch of global variables and global methods to window, including all constant string mappings.
    3. Take the value of window.$_ts.FxJzG50F and combine it with the data from meta to generate the core JS code, namely main.js.
  6. Execute main.js. There are too many steps here to cover; some key ones:

    • Continue decrypting some key data from meta
    • Hook the following events to record user behaviour:
      mouse events, touch-screen events, keyboard events, input events, scroll events, accelerometer events, screen orientation change events, battery charging events, window hide/show events
    • The hook functions for key presses, clicks, scrolling and similar events also update the FSSBBIl1UgzbN7N80T cookie value
    • Hook the following network-request objects or methods so that the MmEwMD parameter is added automatically when a request is initiated:
      ActiveXObject, XMLHttpRequest, Request, fetch, HTMLFormElement.submit
    • Key method detection: test whether several methods such as eval have been replaced with non-native versions
    • Add a frequently executed timer whose job is to detect whether the debugger statement takes effect; if it does, someone is debugging the page
    • Check for traces of automation frameworks such as selenium, webdriver, PhantomJS, HeadlessChrome, etc.
    • Check the browser type, collect browser characteristics, collect renderer characteristics
    • Run a WebGL 3D rendering test and a Canvas 2D rendering test. The results are not actually used at present, but it cannot be ruled out that other websites use this data to fingerprint browsers
    • Add a 50-second timer that updates the FSSBBIl1UgzbN7N80T cookie value
    • Perform the first update of the FSSBBIl1UgzbN7N80T cookie value
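
Two of the main.js checks listed above, the automation-framework check and the debugger-statement timer, written out as an added example. This is not code from the original post or from the product it analyses; inputs are passed in as navigator/window-like objects so it runs under Node, and the property names and thresholds it checks are this example's own assumptions.

```javascript
// Added example: not code from the original post or from the product it analyses.
// Two client-side checks of the kind main.js is described as running. Inputs are
// passed in as parameters so the code runs under Node with constructed objects;
// the property names and thresholds checked are this example's own assumptions.

// (1) Look for traces of automation frameworks on navigator/window-like objects.
function collectAutomationSignals(nav, win) {
  const signals = [];
  const ua = String(nav.userAgent || '');
  if (nav.webdriver === true) signals.push('navigator.webdriver');
  if (/HeadlessChrome/.test(ua)) signals.push('ua:HeadlessChrome');
  if (/PhantomJS/.test(ua)) signals.push('ua:PhantomJS');
  // PhantomJS exposes callPhantom/_phantom; Selenium/ChromeDriver setups leave
  // window/document properties containing "selenium", "webdriver" or "$cdc_".
  const suspicious = /^(callPhantom|_phantom)$|selenium|webdriver|\$cdc_/i;
  for (const key of Object.keys(win)) {
    if (suspicious.test(key)) signals.push('window.' + key);
  }
  for (const key of Object.keys(win.document || {})) {
    if (suspicious.test(key)) signals.push('document.' + key);
  }
  // Headless builds commonly report no plugins and an empty language list.
  if (nav.plugins && nav.plugins.length === 0) signals.push('plugins:0');
  if (Array.isArray(nav.languages) && nav.languages.length === 0) signals.push('languages:0');
  return signals;
}

// (2) A debugger-statement timer: if a debugger is attached and pauses on the
// statement, the elapsed time jumps past the threshold. `now` is injectable so
// the positive case can be exercised without an attached debugger.
function debuggerStall(now = Date.now, thresholdMs = 100) {
  const start = now();
  debugger; // a no-op when no debugger is attached
  return now() - start > thresholdMs;
}

// Constructed sample inputs (not captured from any real browser).
const SAMPLE_HUMAN = {
  nav: { userAgent: 'Mozilla/5.0 Chrome/80.0', webdriver: false, plugins: { length: 3 }, languages: ['zh-CN', 'en'] },
  win: { document: {} },
};
const SAMPLE_HEADLESS = {
  nav: { userAgent: 'Mozilla/5.0 HeadlessChrome/80.0', webdriver: true, plugins: { length: 0 }, languages: [] },
  win: { document: { $cdc_example_: {} } },
};

console.log(collectAutomationSignals(SAMPLE_HUMAN.nav, SAMPLE_HUMAN.win));       // []
console.log(collectAutomationSignals(SAMPLE_HEADLESS.nav, SAMPLE_HEADLESS.win)); // 5 signals
console.log(debuggerStall()); // false unless a debugger is attached
```

In a real page the product runs such checks repeatedly from a timer and folds the result into the FSSBBIl1UgzbN7N80T payload; here the functions just return their findings so the caller decides what to do with them.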

FSSBBIl1UgzbN7N80T cookie value content

  • This is the core of "a certain number"'s encryption. Every request, whether GET, POST or XHR, carries this cookie.
  • The value of this cookie is the encrypted form of a large amount of data. I won't go into the details here; at minimum it contains the browser characteristics and user-behaviour data collected earlier, so simply forging the User-Agent certainly cannot bypass it.
  • Before the update, the previous FSSBBIl1UgzbN7N80T value is verified and reused.
  • From its content, the backend of "a certain number" can tell which browser a request came from, what the user did before clicking the link, and so on, which lets it:

    • Verify whether a large number of requests originate from browsers with the same characteristics
    • Selectively block certain browsers
    • Poison the source of suspicious user behaviour
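
The first of those backend uses, spotting many requests that share one set of browser characteristics and carry no user behaviour, as an added example of what such a check looks like server-side. It is not the product's code: it assumes the backend has already decrypted each FSSBBIl1UgzbN7N80T value into a plain record, and the field names, the sliding window and the thresholds are this example's assumptions.

```javascript
// Added example: not the product's backend code. Assumes each FSSBBIl1UgzbN7N80T
// value has already been decrypted into a record with the fields used below
// (ua, renderer, screen, events, ts, ip); those field names, the sliding window
// and the thresholds are this example's assumptions.

// Browser characteristics that should be stable for one real browser.
function fingerprintKey(rec) {
  return [rec.ua, rec.renderer, rec.screen].join('|');
}

// Flags (a) fingerprints whose request count inside any window of windowMs
// exceeds maxPerFingerprint and (b) requests that carry no user-behaviour events.
function analyseRequests(records, opts = {}) {
  const windowMs = opts.windowMs !== undefined ? opts.windowMs : 60000;
  const maxPerFingerprint = opts.maxPerFingerprint !== undefined ? opts.maxPerFingerprint : 50;
  const byKey = new Map();
  const noBehaviour = [];
  for (const rec of records) {
    if (!rec.events || rec.events.length === 0) noBehaviour.push(rec.ip);
    const key = fingerprintKey(rec);
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(rec.ts);
  }
  const highVolume = [];
  for (const [key, times] of byKey) {
    times.sort((a, b) => a - b);
    let lo = 0;
    let peak = 0;
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > windowMs) lo++; // slide the window start forward
      peak = Math.max(peak, hi - lo + 1);            // most requests seen in one window
    }
    if (peak > maxPerFingerprint) highVolume.push({ key, peak });
  }
  return { highVolume, noBehaviour };
}

// Constructed sample: 60 requests in 30 s from one identical fingerprint with no
// recorded events, plus 5 ordinary-looking requests with mouse activity.
function sampleRecords() {
  const base = 1600000000000;
  const records = [];
  for (let i = 0; i < 60; i++) {
    records.push({ ip: '198.51.100.7', ua: 'UA-A', renderer: 'GPU-A', screen: '1920x1080', events: [], ts: base + i * 500 });
  }
  for (let i = 0; i < 5; i++) {
    records.push({ ip: '203.0.113.' + (10 + i), ua: 'UA-B', renderer: 'GPU-B', screen: (1280 + i) + 'x720', events: ['mousemove', 'click'], ts: base + i * 120000 });
  }
  return records;
}

console.log(analyseRequests(sampleRecords(), { windowMs: 60000, maxPerFingerprint: 20 }));
```

The fingerprint key deliberately excludes anything a client can change per request (IP, cookie value), so a crawler rotating proxies but reusing one browser profile still collapses into a single key; the behaviour check catches clients that never generated the events the hooks in main.js record.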

MmEwMD parameter content

  • This parameter is only used for XHR, form submissions and similar cases. It appears to serve the same function as FSSBBIl1UgzbN7N80T; I am not sure whether the backend of "a certain number" really verifies its content strictly.
  • The main part of its content is the same as FSSBBIl1UgzbN7N80T, with a digest of the URL prepended.
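
The request-hooking step described in the main.js list (wrapping fetch and XMLHttpRequest so the MmEwMD parameter is added on every request) together with the value layout just described (URL digest followed by the cookie payload), as one added example. This is not the product's code: it wraps only fetch and XMLHttpRequest.prototype.open on a target object, uses 32-bit FNV-1a as a stand-in for whatever digest the product really uses, and takes the payload from a caller-supplied function.

```javascript
// Added example: not the product's code. Wraps fetch and
// XMLHttpRequest.prototype.open on `target` so every request carries a MmEwMD
// parameter whose value is a URL digest followed by the same payload the cookie
// carries. FNV-1a (hex) and the getPayload callback are this example's
// assumptions, not the product's real digest or payload source.

function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

function buildToken(url, payload) {
  return fnv1a32(url) + payload; // digest of the URL in front, payload behind
}

// Appends name=value to a URL, keeping any fragment at the end.
function appendParam(url, name, value) {
  const hashAt = url.indexOf('#');
  const base = hashAt < 0 ? url : url.slice(0, hashAt);
  const fragment = hashAt < 0 ? '' : url.slice(hashAt);
  const sep = base.includes('?') ? '&' : '?';
  return base + sep + name + '=' + encodeURIComponent(value) + fragment;
}

function installRequestTagger(target, getPayload) {
  const origFetch = target.fetch;
  target.fetch = function (input, init) {
    const url = typeof input === 'string' ? input : input.url;
    return origFetch.call(this, appendParam(url, 'MmEwMD', buildToken(url, getPayload())), init);
  };
  const XHR = target.XMLHttpRequest;
  const origOpen = XHR.prototype.open;
  XHR.prototype.open = function (method, url, ...rest) {
    return origOpen.call(this, method, appendParam(url, 'MmEwMD', buildToken(url, getPayload())), ...rest);
  };
}

// Constructed stand-in for window: a fake fetch and XMLHttpRequest that only
// record the URL they were asked to open, so the example runs under Node.
function makeFakeEnvironment() {
  const seen = [];
  class FakeXHR {
    open(method, url) { seen.push(method + ' ' + url); }
  }
  return {
    seen,
    fetch(url) { seen.push('FETCH ' + url); return Promise.resolve('ok'); },
    XMLHttpRequest: FakeXHR,
  };
}

function demo() {
  const env = makeFakeEnvironment();
  installRequestTagger(env, () => 'PAYLOAD'); // 'PAYLOAD' stands in for the cookie body
  env.fetch('/api/list?page=2');
  new env.XMLHttpRequest().open('GET', '/api/item/7');
  return env.seen;
}

console.log(demo());
```

Because the token is recomputed inside the wrappers at call time, a payload that changes as user behaviour accumulates (as the cookie does) is reflected in each request without the page code having to know about the parameter.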


Source: blog.csdn.net/zhangge3663/article/details/108402637