Problem Description
Ready to work
First, set your browser to prohibit js loaded mode:
Once again, we go to the site associated with the request when he can not see the content after the js dynamic loading.
Forward reasoning
For script code inside, the first paragraph is a call to eval function. The second line is the code of a large section, the first section of the code copied out first, the console can be replaced console.log as eval.
We'll run the results copied down:
var dynamicurl="/WZWSREL2dvdXRvbmdqaWFvbGl1LzExMzQ1Ni8xMTM0NjkvMTEwNDAvaW5kZXgxLmh0bWw=";
var wzwsquestion="{H0Od9evT@es_";
var wzwsfactor="5967";
var wzwsmethod="WZWS_METHOD";
var wzwsparams="WZWS_PARAMS";
It appears to be several variables defined in the js.
We did a second segment of code js landscaping,
to find what js landscaping site:
Just select another, copy the code into the second paragraph:
The code is stored in a new format js file:
look at where var _0x56ae ..., define a function, not difficult to find, this function has repeatedly been called a very experienced throughout the code.
In fact, this is a function of a reduction of the string. Regardless of the specific implementation first, we just know that you can call it achieve a certain function.
How do you verify it? Is to copy the function to the console, we define such a reduction in function js environment.
Try to call it:
being given that a variable is not defined. Global search this variable, all variables found to be a defined array:
we will also be placed in this array js environment:
execute got the string after the conversion again:
search throughout the js code and function converted to the corresponding results of character string.
Process more complicated, I am eleven search to replace.
替换完成后,整个的结构就清晰很多了。 然后我们从底部开始看最终被调用的一个函数:
该函数首先定义了一个映射,我们将其复制到控制台。 变量非常地不能见名知意,但是基本意思都很明确。 例如, 第一个键值对是将 传入的某个函数执行; 第二个是将第二个参数传入第一个函数参数中运行…
那么将 var _0xb14971 = _0x532424’hwQpj’;
翻译过来就是执行: _0x344cd4()
全局搜索找个这个函数定义:
没有输入参数,将其复制到控制台进行运行:
报了一个 wzwsquestion is not defined. 全局搜索 wzwsquestion
是我们运行第一段 js 代码得到的一个结果变量:
将其加入控制台 js 运行环境中再次执行:
还是少一个变量,继续加入:
执行成功:
那么我们就可以对相应的位置进行替换了:
接下来我们继续, var _0x10ace8 = _0x532424’lYfvS’ 翻译过来就是:
_0x412a72(“WZWS_CONFIRM_PREFIX_LABEL7014930”)
… (剩下的流程省略掉 )
最后,我们得到了:
然后我们回到最初,拿到初始请求之后的第二个重定向请求:
对比一下基本上是一致的,我们也可以就此推测 window[‘location’] 就是在做一个重定向。
接下来我们就可以反向去推导 js 了 。
更新时间: 2020-01-18
