Analysis of a number of second elastic

Today we continue from where the last post stopped. Last time we said that the code produced by the dynamic eval could be dumped onto the main page so it is easy to debug, but we see that this stretch of code is obfuscated:

Recursive "++" plus simple flattening obfuscation

There are obfuscation tools that produce exactly this effect; I also wrote an AST-based deobfuscation tool. Setting that aside, we see that this code reads its strings out of an array. Searching for the source of that array,

we found where it is initialized.

Because the array is built dynamically, we just need to dump its members at run time.

Frankly this part puzzles me: the strings are not even encrypted, they sit there in plain text.

Then we copy the string array by hand into the JS restore tool I wrote and take a look.

No trouble at all: it restores instantly, computes the scopes automatically and does the replacements. We then paste the result into Notepad to look at it.

Now basically all of its strings are visible. Everything is ready, so we debug: we substitute the restored JS back in. How? Yesterday's analysis found the ret = eval(...) call; we simply paste the restored code directly in its place, which also makes debugging easier. We forgot to deal with the debugger statement; after refreshing, skip over it. Then we see this:
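As an added illustration (not the author's AST tool, and not code from the post), here is a small JavaScript inliner for the string-array pattern described above: it finds the array declaration, decodes the members, replaces every NAME[index] reference (decimal or hex index) with the literal, and then folds obj["name"] into obj.name. The sample snippet is constructed for the demo; the names escapeRegExp, extractStringArray and inlineStringArray are mine.

```javascript
// Added example: inline an obfuscator's string array so the code reads
// normally again. Assumed shape: `var NAME = ["...", "..."];` followed by
// NAME[index] reads (decimal or hex index), with strings in double quotes.

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Decode one double-quoted literal body; \xHH is mapped to \u00HH so the
// JSON parser can handle it alongside \n, \", \\ and \uHHHH.
function decodeLiteral(raw) {
  return JSON.parse('"' + raw.replace(/\\x([0-9a-fA-F]{2})/g, '\\u00$1') + '"');
}

// Locate the first string-array declaration and return its name, members
// and full declaration text (null if the pattern is absent).
function extractStringArray(source) {
  const decl = source.match(/var\s+([A-Za-z_$][\w$]*)\s*=\s*\[([\s\S]*?)\];/);
  if (!decl) return null;
  const values = [];
  const lit = /"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = lit.exec(decl[2])) !== null) values.push(decodeLiteral(m[1]));
  return { name: decl[1], values, declaration: decl[0] };
}

// Replace NAME[idx] with the string literal and drop the declaration;
// out-of-range indexes are left untouched so nothing is silently lost.
function inlineStringArray(source) {
  const arr = extractStringArray(source);
  if (!arr) return source;
  const ref = new RegExp(escapeRegExp(arr.name) + '\\[(0x[0-9a-fA-F]+|\\d+)\\]', 'g');
  const inlined = source.replace(arr.declaration, '').replace(ref, (whole, idx) => {
    const i = Number(idx);
    return i < arr.values.length ? JSON.stringify(arr.values[i]) : whole;
  });
  // obj["name"] -> obj.name when the string is a valid identifier
  return inlined.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1').trim();
}

// Constructed sample in the style the post describes: plain, unencrypted
// strings pulled out of the code into one array (the "\x2f" member shows
// that hex escapes are decoded as well).
const SAMPLE = [
  'var _0xab12 = ["log", "tmrpToken", "/api/", "GET", "\\x2f"];',
  'function req(x) {',
  '  console[_0xab12[0x0]](_0xab12[0x2] + x + _0xab12[4]);',
  '  return _0xab12[3] + " " + _0xab12[1];',
  '}',
].join('\n');

console.log(inlineStringArray(SAMPLE));
```

Unlike the scope-aware tool the post mentions, this inliner is regex based: a function that shadows the array name, or a string literal that happens to contain NAME[0], would be rewritten wrongly, which is exactly why a real restore tool works on the AST and resolves each reference by scope.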

Then, to test it, I ran it seven or eight times and found a problem:

If I do not pull the latest page from the server, the page I saved with its JS still works properly, because there are two of them. Next we try

hard-coding this JS directly: it throws an error. Without the fix the value is not encrypted properly, which is a headache, because this is an encrypted string. Whatever it turns out to be, there has to be a decryption routine, so we go after that first.

So far we can debug the fixed JS and decrypt its first layer. We know its URLs are hooked as well, that is, the anti-crawler logic and the business logic are separate, so we do not need to refresh the page to reach the breakpoints; we can

simulate one of its API calls in the console and press Enter.

The request succeeds, and we look at the part it submitted.

To explain: the URL here is arbitrary, because the code hooks the AJAX API and cannot restrict which URL is used. So we can use XHR breakpoints:

Click the plus sign and set it so that any request whose URL contains the specified string breaks.

$.get("/tmrpToken.token")

Enter this in the console.

It breaks at the local place where the real URL is submitted; we see that it is this.send.

We see that its this is the XMLHttpRequest object, and that its URL has already been fully computed.

Following the call stack, we look at send first. Click into it and set the breakpoint here, because its variables are computed by scope; when things are complex it is better to compute from the beginning, since variables in the upper layers may overlap.

With the breakpoint set, we submit once more.

The second submission looks very clean; we press F10 to single-step.

Stepping to this line, we find the URL has appeared.

It is clearly in this object, 231; we look further up.

It exists once this function finishes executing, so we go into this function and set a breakpoint to look.

Stepping with F10 we find it jumps straight to the end; we go into the function _$7e and continue.

Three arguments are passed in.

Continue stepping.

Another one, _$p5; continue.

Still the same three arguments, and then there is a Function constructor; we pull it out to look.

It creates a new function and passes in three arguments, the same three as before.

It takes argument 1, calls the method named by argument 2 on it, and passes in argument 3. Let's look at these three arguments.

We can simply do this:

Print out the location and double-click into it.

Once the breakpoint hits, we look:

There is nothing tricky about this function; keep going.

this._$oM = arguments[1] = _$ok(arguments[1])[0];

That is hidden very deep.

We step into this function.

Then, stepping through, we find that the result is already there once it reaches this point; let's look at the arguments it passes in.

For now assume argument 2 is the useful one; let's see where argument 2 comes from.

For argument 2, look at its arguments:

var _$s2 = _$HW(_$59(_$qt("/tmrpToken.token")));

Let's look at _$qt.

It does the URL encoding (encodeURIComponent). Whatever the remaining functions are internally, we do not care; when the time comes we simply pull them out and call them. We only analyze what we need.

So far we have seen _$HW, _$59 and _$6p; these three do the encryption. As for their internal logic, set it aside for now and first test whether we can produce the encrypted value.

Pull them out separately and write an encryption function:

// Wrapper around the site's own routines; hm is the object they live on
function url_encry(_$di){
  // _$qt turned out to be encodeURIComponent; _$59 and _$HW transform the encoded path
  var _$s2 = hm._$HW(hm._$59(encodeURIComponent("/tmrpToken.token")));
  // _$6p combines the two fixed arguments, the transformed path and the caller's _$di
  return hm._$6p(769, 0, _$s2, _$di);
}

It now looks like our approach was right: both the analysis and the encryption logic work. Good.

Space is limited, so the decryption analysis is left for the next post. Take your time digesting this one.



Origin blog.csdn.net/sergiojune/article/details/104438468