Title URL: https://match.yuanrenxue.com/match/2
This article is relatively novice-oriented, and the boss may feel that it is more ink-stained. If there is any mistake, please point it out.
The full text is hand in hand with the code to supplement the environment, almost including most of the pits that may be stepped on.
Tuhao Channel:
https://download.csdn.net/download/weixin_45608294/85427606?spm=1001.2014.3001.5503 
https://download.csdn.net/download/weixin_45608294/85427606?spm=1001.2014.3001.5503 But the suggestion is still my own Buckle it with your hands, Below is the text
The title requirement of this question is to obtain the heat value of the first five pages and calculate the cumulative sum. First, capture the packet and look at the data request method
It can be seen that there is only one get request for requesting data. The topic of this question is dynamic cookie. From the actual request, it can also be seen that m is the encrypted parameter, so the key to completing this question is how to obtain m.
Clear the cache and reload the interface and encounter an infinite debugger, just right-click to disable the breakpoint. refresh page
You can see two identical requests, but one has no cookie, no response, and no setcookie in the response header, and the other has cookie m and it happens to be the content of several sides of the web page. It can be seen from this that the value of cookie m is generated by js after the first request.
Use postman to try to send the first get request
It can be seen that the js code is put into the html document in the form of a script tag, which further verifies the conjecture that the cookie is generated by js. Once you know the approximate location, you can start looking for specific codes.
Find the event monitoring breakpoint in the source code tab, check the script, so that it will automatically break when encountering js, clear the cookie saved in the browser, and refresh the interface
The page was successfully broken, but you can see that the code here is different from the one received by postman, click to continue running
Successfully came to the code verified by postman. After formatting, I tried to find the location where the cookie was generated. I found that the code was seriously confused and could only be debugged dynamically.
Now enter the hook cookie code in the console (here I am manually hooking in the console, if conditions permit, you can also use browser plug-ins such as oil monkey script or fiddler plug-ins to hook),
(function () {
Object.defineProperty(document, 'cookie', {
set: function (val) {
debugger;
return val;
},
});
})();
After hooking, let the webpage continue to run, and successfully break at the location where the cookie is generated
At this time, m has been generated, but the generated location can be found through the call stack.
After formatting the code, you can see that the location where the cookie is generated is in the super long code of line 4922
document[$dbsm_0x42c3(qqLQOq, iOiqII) + $dbsm_0x42c3(q1IoqQ, QQlLlq)] = _0x5500bb['\x4e\x74\x44' + '\x72\x43'](_0x5500bb[$dbsm_0x42c3(qqqQoq, oqQiiO) + '\x6d\x65'](_0x5500bb[$dbsm_0x42c3(Ioo0ql, olq0Oq) + '\x6d\x65'](_0x5500bb[$dbsm_0x42c3(qOIqQi, OOqIQi) + '\x72\x44'](_0x5500bb[$dbsm_0x42c3(Q1qoqQ, lILOOq) + '\x72\x44'](_0x5500bb[$dbsm_0x42c3(qOO1Q0, oiqlQQ) + '\x72\x44'](Ql1OO0, _0x5500bb['\x7a\x76\x67' + '\x6c\x77'](_0x3c9ca8)), Qoqq0I), _0x5500bb[$dbsm_0x42c3(iqOiQ0, QOiq0Q) + '\x47\x6b'](_0x313b78, _0x160e3a)), lOo0QQ), _0x160e3a), _0x5500bb[$dbsm_0x42c3(qiOOiO, liQIoQ) + '\x4e\x5a']),
Put a long string of codes on the right side of the equal sign into the console to check, and you can confirm that the long string of codes is where m is generated.
Taking a closer look at the structure of this large pair of codes, it can be seen that although it is very long, it is also spliced by parts.
Disassemble the code to get the following results
_0x5500bb['\x4e\x74\x44' + '\x72\x43'](_0x5500bb[$dbsm_0x42c3(qqqQoq, oqQiiO) + '\x6d\x65']
(_0x5500bb[$dbsm_0x42c3(Ioo0ql, olq0Oq) + '\x6d\x65']
(_0x5500bb[$dbsm_0x42c3(qOIqQi, OOqIQi) + '\x72\x44']
(_0x5500bb[$dbsm_0x42c3(Q1qoqQ, lILOOq) + '\x72\x44']
(_0x5500bb[$dbsm_0x42c3(qOO1Q0, oiqlQQ) + '\x72\x44']
(Ql1OO0, _0x5500bb['\x7a\x76\x67' + '\x6c\x77'](_0x3c9ca8)), Qoqq0I),
_0x5500bb[$dbsm_0x42c3(iqOiQ0, QOiq0Q) + '\x47\x6b']
(_0x313b78, _0x160e3a)), lOo0QQ), _0x160e3a),
_0x5500bb[$dbsm_0x42c3(qiOOiO, liQIoQ) + '\x4e\x5a'])As you can see, the thing that appears the most is _0x5500bb
Through the console verification, we can see that this _0x5500bb contains many strings and functions, which means that the above codes are all calling the functions in it.
Then you only need to verify what is inside, and you can find the generation position of m.
Use the console to simply restore the content to facilitate subsequent observation, and the following results are obtained
_0x5500bb['NtDrC'](_0x5500bb['KGBme']
=(_0x5500bb['KGBme']
(_0x5500bb['mQKrD']
(_0x5500bb['mQKrD']
(_0x5500bb['mQKrD']
(Ql1OO0, _0x5500bb['zvglw'](_0x3c9ca8)), Qoqq0I),
_0x5500bb['wWbGk']
(_0x313b78, _0x160e3a)), lOo0QQ), _0x160e3a),
_0x5500bb['TfZNZ'])It can be seen that this is a big nesting doll of functions, and then verify them one by one
It can be seen that the result of the last called function is the last part of the cookie, while _0x160e3a is a timestamp (_0x313b78, _0x160e3a) and the result is still a timestamp, while _0x5500bb['wWbGk'](_0x313b78, _0x160e3a ) is the first half of the cookie. Remember what kind of cookie you found earlier?
From the above, we can conclude that
Cookie = _0x5500bb['wWbGk'](_0x313b78,_0x160e3a)+lOo0QQ+_0x160e3aThen look at what this wWbGk is through the console
It turned out to be a function with two parameters, which is to use the first parameter to call the second parameter. Simplifying the above equation further
Cookie = _0x313b78(_0x160e3a)+"|"+_0x160e3a
// _0x160e3a为时间戳
//此时值为: 1653183600000After finding the generation logic, you can start to supplement the environment Dafa.
Here I use Pycharm with NodeJs plug-in installed for debugging. Of course, it is free to choose according to personal preference.
Here it is prompted that _0x313b78 is not found, let's go to the console to see how it is defined
You can see that this is a function, search to find its location in the source code, extract it completely, and debug js again.
It is also prompted that _0x5500bb is not defined, and then you only need to repeat the above steps, and if there is no definition, go to the source code to find it and buckle it.
There is another little trick that needs attention here, that is, when you put the deducted code into your own js file, pay attention to which line it prompts for not defined line, find it and put it in front of the function where that line is located That's it. Blindly putting it at the beginning of the file may sometimes make mistakes.
Here you can see that _0x5500bb is a large list, and its essence is the above _0x443ddb, so the line to be assigned here is deducted from the entire _0x443ddb above.
After the completion, it started to prompt that it was undefined. After confirming what it is through the console, continue to make up.
There is a garbled character here that is not defined. Go to the console to see what it is and find an error. But don’t panic, search the source code first
It can be seen that this thing is defined in a self-executing function. In order to prevent unnecessary variable pollution, I adhere to the principle of making up for what is missing. Here I only deduct this large string of garbled characters and make up for it, not the whole function. buckle. When buckling, I also found that this series of defined garbled codes happened to be connected to the previously added code headers, and the extracted codes were also spelled together with the original appearance. (This does not conflict with the previously mentioned putting the extracted code in front of the error line)
run debug again
There is a new undefined, and continue to start deducting and supplementing.
After completing a large array, I suddenly found that NodeJs reported an error and couldn't run? When encountering this problem, take out the entire code and put it in a real browser to debug it first.
Open a new tab to open the developer tools to avoid accidents in the previous tabs used to supplement the environment.
Find the code segment in the source code tab (if you can’t find it, you can click the >> to the right and then enter the code segment), create a new code segment and copy all the code you just extracted into it.
In order to facilitate debugging, we add a debugger to the front of all codes, that is, the first line, to manually execute the code.
Right-click on the code segment to run the code, successfully enter the debug state, and then click the button to execute one function at a time.
Before I clicked a few times, when I got to the garbled code, suddenly the whole tab page was stuck, and the developer tools could not be operated. I can basically confirm that the problem is here.
Refresh the newly created tab to return to the developer tools. Delete the debugger on the first line and re-add it in front of the garbled characters. Re-run the code segment, and after entering the debug state, click to enter the function call to further check the error.
Click and click and you will find that when the execution reaches this point, it enters an endless loop, and you can't get out no matter what. This is why NodeJs executes the error report.
Looking up the source code, you can see that as long as you come to this function, you will inevitably enter this infinite loop, so we must find a way to bypass it.
It can be seen from the code and the call stack that there is an if statement in the WjJIeN function. If !Boolean(~_0x4859ef) is true, it will return a _0x4859ef, and if it is false, this infinite loop function will be called.
So we need to make this Boolean value true, but this Boolean value is determined by judging the parameters. It can be seen from the calling relationship that this parameter is provided by the previous function.
It is already obvious from the analysis here that whether to enter this infinite loop is determined by _0x3fba94 in the vnuqco function. And it is determined by the following ternary expression
_0x2940ac['test'](this['XxpyjG']['toString']()) ? --this['yHmSUE'][0x1] : --this['yHmSUE'][0x0];Use the console to verify the expression of the judgment
It can be seen that the test method of _0x2940ac is called. If you look at the previous code carefully, you will find that this _0x2940ac is actually a defined regular expression, and the detected content happens to be the function definition above.
The content of the regular expression is as follows:
/\w+ *\(\) *{\w+ *['|"].+['|"];? *}/It is to use this regular expression to match the function code of XxpyjG defined above. If the match is successful, return true otherwise return false.
In fact, if you understand regular expressions after all, you should be able to see that this expression is to verify whether the code has been formatted. I am here to verify in the console
When debugging, it is false by default, but after deleting the spaces and line breaks generated by the formatting code, it becomes true after matching again.
After modifying the function definition, clear all debuggers and breakpoints. Try to run the script again, be sure to clean up all the newlines and extra spaces (the one after the return is not counted) in the function definition here, you can refer to my picture.
The system prompts that something is undefined, instead of being stuck directly, indicating that the formatting test just now has passed.
At this time, after modifying the js file in Pycharm correspondingly, debug it
It also prompts undefined, no problem. Continue to repeat the previous steps to prepare for the deduction code supplementary environment.
But if you take a closer look at this time, you will find that there is a defined _0x313b78 above the error line of code? How can it be prompted that there is no definition? In fact, here is because there is a comma at the end of the long string of codes added earlier, we change it to a semicolon at the end of the statement and debug it.
Passed successfully, but reported a new undefined. But why can't I seem to find the content of this error? In fact, it is caused by the above string being transcoded. You can find the specific content according to the line number of the error and the original code above the error prompt.
After finding it, check what it is in the console
It can be seen that this is the KNqZI function in _0x5500bb called.
Put the code in the browser for debugging using the previous method of formatting detection
You can see that the function is undefined, and the function called inside is also different from the original version.
It can be seen from the comparison that all parameters are consistent, so the problem can only be found in $dbsm_0x42c3
Here you can see that although this function has been supplemented, the parameter of the above self-executing function is this function.
In fact, this is a relatively common confusion routine. A large array stores the hexadecimal function name, and then there is a decryption function that appears very frequently in the code (here is $dbsm_0x42c3). In addition to the decryption function, there is another The shift function used to restore the hexadecimal string (that is, the above parameter is the self-executing function of the decryption function).
When the decryption function was supplemented last time, the shift function was not supplemented, so the content decrypted by the decryption function was wrong (garbled characters), and naturally the correct function could not be found, and the function would be reported as undefined.
The solution is very simple, just add the shift function.
Pass it successfully, and then continue to deduct the code to supplement the environment.
When complementing the shift function, you need to pay attention to the existence of formatting detection. If you are interested in knowing the specific reasons, you can refer to the method of formatting detection last time. If you are too lazy to debug, you can directly compress the shift function, and then add it.
After completing the shift function, there will be a lot of functions that need to be supplemented one by one. Be patient and refer to the previous method of supplementing the environment, which will not be explained in detail here.
When it is added to _0x1316f4, you may find that when debugging the js file, node will always execute it. In fact, this is because you added the last self-executing brackets when you deducted the code. In essence, this should be a function.
When supplementing the environment, pay attention to keeping it consistent with the original version. If you are unclear, you can check it in the console of the debugger.
On the way to make up the environment, you may encounter the following errors:
It is suggested that this is because the properties of the browser are used, and we do not have this environment when using NodeJs. We only need to add it at the beginning of the file. The environment code is as follows:
window = global;
window.navigator = {};At the end of the supplement, you will find that the program runs directly to the end
This shows that the environment has been filled almost. Take a look at the console.log below
Another undefined is reported, but this error is indeed console.log. It seems that the above environment code has changed the console.log to prevent debugging. We save the console.log at the very beginning of the file and then call the one we saved for debugging.
Successfully print out the value of m.
So far, the entire supplementary environment has been completed, and then you only need to call this js to get the value of m