Rui number 5 decryption
First look at the request, the request returns 202 with a high probability (Rui number 3,4). Returning 412 is the Rui number 5
You can also look at the suffix value MmEwMD=4xxxxx
, which is the 4th generation Swiss number bX3Xf9nD=5xxxxx
and the 5th generation Swiss number
The difference is that there are 1-2 infinite debuggers on the 4 belt, just pass this directly, and there will be a fake cookie, 5 belt does not
1. The meta content will change dynamically for each request (it will be used when eval is executed to the second layer of js code)
2. The external link js, the content is fixed, and the self-executing function will decrypt the file content to generate the JS source code required for eval execution
3. Self-executing function, the logic will not change, but the name will change, mainly to decrypt the external chain JS content, add some attributes to the window such as $_ts, which will be used in vm;
As shown in the figure below, the JS source is displayed in VM+数字
the form of , which means that these JS codes are loaded into the engine later.
1. First find the regular entry called by the vm entry call: \S{4} = \S{4}[\S{4}[\d{2}]](\S{4}, \S{4})
2. Go into hookcooki and find the initial location of the cookie
Regular entry of cookie initial position: return \S{4}[.+] + \S{4} + \S{4}(\S{4}(\S{4}, \S{4}))
3. Find the entry to generate cookie function
Create a breakpoint, and then analyze the generation logic of the 4 parameters in the log break
The first parameter represents the Swiss number version, no need to analyze
The second parameter, the next log break, generate location
Find the logic of generating parameters, which is to generate 4 parameters from true and false timestamps, generate a 16-bit array, perform XOR operation, and convert it into a string
16-bit array generation logic, regular entry; \S{4} = \S{4}([\S{4}, \S{4}, \S{4}, \S{4}])
The third parameter generates a positional regular entry; return \S{4}[\S{4}[\d+]][\S{4}[\d+]][\S{4}[\d+]]([ ], \S{4});
Split the 128-bit large array into a large array after removing null values (core key)
The parameter position of the third parameter, regular entry \S{4}[\S{4}[\d+]](\S{4}, \S{4}.length - \S{4});
Here is to remove the null value of the 128 array
After a few more analyzes here, it is found that 0, 1, 6, and 7 need to find out the logic. If other parameters are fixed, just deduct them.
Create a 128-bit empty array, the following indicates the starting position 0
The generation logic of 128[0], _ 5 x is the window. 5x is the window.5 x is win in d o w . _ts, the assignment layer code will be given later, this is the parameter of window.$_ts to generate a 16-bit array, which is part of the 128[0]20-bit array
Here is to take out the four values of window.$_ts to generate a 4-bit array, which is part of 128[0]
[External link image transfer failed, the source site may have an anti-leeching mechanism, it is recommended to save the image and upload it directly (img-HhbtoCpl-1679590866003) (Ruishu 5 decryption.assets/image-20230323232152704.png)]
Here, 16-bit arrays are spliced with 4-bit arrays to generate 20-bit arrays of 128[0]. The difficulty lies in the 4-bit arrays. The order of the 4-bit arrays and the mapping of values are very important, and the mapping relationship needs to be analyzed. When you deduct the code, you will find that the 4 values of window.$_ts are 4 parameters. At this time, you need to analyze the 20-bit parameters with the stack to find the corresponding relationship. Personally, this is the most difficult and troublesome
128[1] array, where _$gM is the previous timestamp difference (note here, the interpolation here is the same as the second parameter, and the parameter assignment needs to be fixed)
128[6] bits, find the entry
Follow up in the next log section for analysis, and share the skills in the next section
First, a 16-bit array is generated, just deduct it
Intercept the first 4 digits of the 16-bit array to generate 128[6]
128[7] bits, it needs to be followed several times, there is no skill, I will give it directly, the process I followed,
Find it in the log section here, analyze and find where the value is assigned, set a breakpoint, follow up with a single step, and enter the branch loop to follow
It’s very messy here, big and small branches, just follow here a few more times, look at the output below, the function can be simply deducted, this string needs to find the generation logic is actually! []https://img-blog.csdnimg. cn/42600e1a343c4c9ba09d0188988a56ea.png)
The value assigned here can be deducted
The parameters are found
The last parameter below is a splicing of two 16-bit arrays.
Breakpoint in and follow
Generate a 32-bit array
Extract a 16-bit array from the 32-bit array, which is the first 16-bit array in the fourth parameter
second 16-bit array
Generate a 32-bit array, the parameters are complete, a bit messy, let's analyze it in detail below
The following is the analysis of the assignment layer
Define two arrays. The following is to assign values to the arrays. The key is to be commonly used in the future.
Assign value to window.$_ts and clear it. When deducting the code, just delete it
When reading the content and deducting the code, just fill in it directly
The mapping relationship of the 20-bit key function, the last four bits of 128[0] will be used
KaTeX parse error: Expected group after '_' at position 4: 5x._̲ hT = $dY[ KaTeX parse error: Expected group after '_' at position 4: 5x._̲ hT]( KaTeX parse error: Expected group after ' _' at position 5: p2, _̲ gM); here is the generation logic of 4 parameters, just understand it, and it will be used in the supplementary environment
I can't use this pure deduction algorithm, just understand it
This branch generates a 4-bit array, acting as the 6th bit is 128[6]
The true and false time stamp generated by this branch, I am too lazy to show the picture,
The assignment layer analysis is completed
Reverse analysis, the following are the key points
_window.ts initial value, and window.js initial value through index.js, and _window through index.js.ts initial value ,and after in d e x . j swin d o w ._ts value
content reading, calculation, vm entry
The two large arrays above
A padded 20-bit function (generates a 4-bit array key in 128[0])
A branch that generates the 6th digit array, just replace the deducted code after the branch
The branch of the timestamp (involving the second parameter, and 128[1] array)
128-bit array
32 bit array
The following is part of the key code of the buckle
need to replace
It needs to be replaced when the button is used to operate the content
These are the previously assigned window. $_ts need to be replaced, the 20th place may be pitted, the function needs to be loaded twice before it can be released, or it will display empty
last point to share
The premise of the instrumentation output is that before each target value is generated, log down, and then wait for the execution to output the log results and then analyze
The first parameter in this figure is the main branch, the second is the branch, and the latter two are the parameters that need to be analyzed. The advantage of this is that sometimes it follows
You will not be able to find yourself in that position and it will be easy to get lost, so that it will not be messy, so it is best for you to learn to use Watch in the next paragraph
'Index 1_ KaTeX parse error: Expected group after '_' at position 5: ZX',_̲ ZX,'Index 2 _ KaTeX parse error: Expected group after '_' at position 6: qQ', _̲ qQ,'Target 1 KaTeX parse error: Expected group after '_' at position 6: lI', _̲ lI,'reference', $lE()
The log is broken, don't try to save trouble, write it clearly so that it will not be messy, it is best to get a reference value, it can be a timestamp or something, so that you can know whether you are in the main branch, so you won't lose track of it
It is recommended that in the incognito mode, the script and the logic in the VM remain unchanged, but the name will change. At this time, it is best to fix a set for local analysis, which is convenient for deducting codes.