Dou音滑块日志分析

news2024/11/16 5:54:07

记得加入我们的学习群:961566389

点击链接加入群聊:[https://h5.qun.qq.com/s/62P0xwrCNO](https://h5.qun.qq.com/s/62P0xwrCNO)

1.插桩-打印日志

image-20240526170308690

获取背景和滑块的图片的接口一看没啥参数需要逆向的


image-20240526170717122

验证的接口body参数需要进行逆向,直接看启动器,找到合适的位置插桩,最终定位到产生body参数的vmp位置:

image-20240526171033626

其次在下面的apply调用的地方都加上日志输出:

image-20240526171140262

直接拖动一下,保留日志到本地进行分析


2.分析日志

这次我是直接从头往后分析,没有逆推,具体情况具体分析。

func:  ƒ (e){var t=n,a=e[t(228)+"h"];s[t(243)+"geLen"+t(204)]+=a,a=[a/4294967296>>>0,a>>>0];for(var f=r.codYh(s["fullM"+t(219)+t(216)+"th"][t(228)+"h"],1);f>=0;--f){s["fullMessag"+t(216)+"th"][f]+=a[1],a[1]=a… 
caleed,two args-> {"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":2716,"fullMessageLength":[0,0,0,2716],"messageLengthSize":16,"messageLength128":[0,0,0,2716]} 
["{\"modified_img_width\":340,\"id\":\"e5e6bb223a3eafcfff268cf2b4fdc84475b09731\",\"mode\":\"slide\",\"KSQ\":[{\"x\":0,\"y\":86,\"relative_time\":125},{\"x\":11,\"y\":86,\"relative_time\":160},{\"x\":22,\"y\":86,\"relative_time\":196},{\"x\":31,\"y\":86,\"relative_time\":233},{\"x\":35,\"y\":86,\"relative_time\":271},{\"x\":36,\"y\":86,\"relative_time\":310},{\"x\":37,\"y\":86,\"relative_time\":346},{\"x\":37,\"y\":86,\"relative_time\":384}],\"jg2KgnF\":{\"AJeQfbTvl\":{\"x\":369,\"y\":351,\"time\":1716706984604},\"Ovx9sZrnP\":{\"x\":59,\"y\":327,\"time\":1716707288030},\"tUZ1hw\":[{\"x\":363,\"y\":355,\"time\":1716707287607},{\"x\":192,\"y\":366,\"time\":1716707287643},{\"x\":143,\"y\":369,\"time\":1716707287678},{\"x\":141,\"y\":369,\"time\":1716707287863},{\"x\":127,\"y\":367,\"time\":1716707287900},{\"x\":91,\"y\":355,\"time\":1716707287939},{\"x\":66,\"y\":337,\"time\":1716707287977},{\"x\":59,\"y\":328,\"time\":1716707288015},{\"x\":58,\"y\":326,\"time\":1716707288057},{\"x\":58,\"y\":325,\"time\":1716707288092},{\"x\":57,\"y\":319,\"time\":1716707288138},{\"x\":56,\"y\":314,\"time\":1716707288175},{\"x\":56,\"y\":312,\"time\":1716707288209},{\"x\":56,\"y\":312,\"time\":1716707288399},{\"x\":67,\"y\":312,\"time\":1716707288435},{\"x\":78,\"y\":312,\"time\":1716707288471},{\"x\":87,\"y\":312,\"time\":1716707288507},{\"x\":91,\"y\":312,\"time\":1716707288543},{\"x\":92,\"y\":312,\"time\":1716707288584},{\"x\":93,\"y\":312,\"time\":1716707288620},{\"x\":93,\"y\":312,\"time\":1716707288658}],\"jiLYUQ\":[],\"ugl\":[{\"x\":56,\"y\":312,\"time\":1716707288289,\"t\":0},{\"x\":56,\"y\":312,\"time\":1716707288414,\"t\":0},{\"x\":78,\"y\":312,\"time\":1716707288485,\"t\":0},{\"x\":91,\"y\":312,\"time\":1716707288560,\"t\":0},{\"x\":93,\"y\":312,\"time\":1716707288635,\"t\":0}]},\"env\":{\"canvas_hash\":\"f93ed480ebf91e8b3db9a\\",\"webgl_hash\":\"1f429dbe59a0c1370378ef\",\"font_hash\":\"1ba6bb535aebaf57631321298f5bf6e215d4347f75e15d394f0e3cdcb803ffe445cd942923787a306e3e2d07392e43853b43ad797cb8ab46\",\"audio_hash\":124.047657808103,\"time_offset\":-480,\"time_zone\":\"Asia/Shanghai\",\"languages\":[\"zh-CN\"],\"plugins\":[\"PDF Viewer\",\"Chrome PDF Viewer\",\"Chromium PDF Viewer\",\"Microsoft Edge PDF Viewer\",\"WebKit built-in PDF\"],\"platform\":\"MacIntel\",\"max_touch_points\":0,\"webdriver\":false,\"touch_actions\":[],\"mouse_actions\":[\"1,1\",\"1,1\",\"1,1\",\"1,1\",\"1,1\",\"1,1\",\"1,1\",\"1,1\",\"1,1\",\"1,1\"],\"device\":{\"model\":\"Macintosh\",\"vendor\":\"Apple\"},\"os\":{\"name\":\"Mac OS\",\"version\":\"10.15.7\"},\"browser\":{\"name\":\"Chrome\",\"version\":\"125.0.0.0\"},\"engine\":{\"name\":\"Blink\",\"version\":\"125.0.0.0\"},\"gpu\":{\"vendor\":\"Google Inc. (ATI Technologies Inc.)\",\"renderer\":\"ANGLE (ATI Technologies Inc., AMD Radeon Pro 560X OpenGL Engine, OpenGL 4.1)\"},\"resolution\":\"1680,1050\",\"browser_size\":\"1680,1050\",\"page_size\":\"1680,963\",\"captcha_origin\":\"0,0\",\"captcha_size\":\"380, 384\",\"mask_time\":171669208153662,\"loading_time\":1716692082536,\"ready_time\":1716692083010},\"a\":41}"] 
res-> {"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":2716,"fullMessageLength":[0,0,0,2716],"messageLengthSize":16,"messageLength128":[0,0,0,2716]}

定位到js源码处:

image-20240526172251237

是sha512的update函数,传入参数见上日志,包含了轨迹、env信息。

接着:

func:  

ƒ (){var t=n,r=new em;r.putBytes(c.bytes());var a=s["fullM"+t(219)+t(216)+"th"][s[t(245)+"essageLength"].length-1]+s["messa"+t(212)+"gthSize"]&s["block"+t(203)+"h"]-1;r.putBytes(eI.substr(0,s[t(195)+t(… caleed,

two args-> 

{"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":2716,"fullMessageLength":[0,0,0,2716],"messageLengthSize":16,"messageLength128":[0,0,0,2716]} 

[] 

res-> 
{"data":"‡žPŽ\n\u001bªò
òvŒ\u001elÇ!nÅ·ˆ\u0005z\u0017ÿ¦Lf¥\u001580—îvÎ\u0019±õÛ\u0005ç@Ä6±\u0007<&Rô­ë=z\u0016|CD(U€\u001d€.","read":0,"_constructedStringLength":64}

定位到js是digest函数,就是将刚才的数据进行digest操作。

接着:

func:  

ƒ (){for(var e=Hg,t="",n=this.read;n<this[e(205)].length;++n){var r=this.data["charC"+e(224)](n);r<16&&(t+="0"),t+=r.toString(16)} return t} caleed,

two args-> 

{"data":"‡žPŽ\n\u001bªò
òvŒ\u001elÇ!nÅ·ˆ\u0005z\u0017ÿ¦Lf¥\u001580—îvÎ\u0019±õÛ\u0005ç@Ä6±\u0007<&Rô­ë=z\u0016|CD(U€\u001d€.","read":0,"_constructedStringLength":64} 

[] 

res-> "879e508e0a1baaf285f2768c1e6cc7216ec5b788057a17ffa64c66a515383097ee76ce19b1f5db05e740c436b1073c2652f4adeb3d7a167c43442855801d802e"

定位到原js是tohex().

接着:

func:  
ƒ Wg(e){for(var t=Jg,n="",r=0;r<e[t(494)+"h"];r++){n+=e[t(481)+t(457)](r)["toStr"+t(458)](16)}return n} caleed,

two args-> 

null 

["{\"modified_img_width\":340,\"id\":\"e5e6bb223a3eafcfff268cf2b4fdc84475b09731\",\"mode\":\"slide\",\"KSQ\":[{\"x\":0,\"y\":86,\"relative_time\":125},{\"x\":11,\"y\":86,\"relative_time\":160},{\"x\":22,\"y\":86,\"relative_time\":196}.....省略一些] 

res-> "7b226d6f6469666965645f696d675f7769647468223a3334302c226964223a2265356536626232323361336561666366666632363863663262346664633834343735623039373331222c226d6f6465223a22736c696465222c224b5351223a5b7b2278223a302c2279223a38362c2272656c61746976655f74696d65223a3132357d2c7b2278223a31312c2279223a38362c2272656c61746976655f74696d65223a3136307......省略一些"

定位到js处是将字符串的charcode转成16进制字符串。

image-20240526173306214

接着:

captcha.js:1 func:  ƒ random() { [native code] } caleed,two args-> {} [] res-> 0.11919045665764205
captcha.js:1 t-> 99 p-> 3 m-> [] b-> [null,null,0,0.11919045665764205,null]
captcha.js:1 t-> 102 p-> 4 m-> [] b-> [null,null,0,0.11919045665764205,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"]]
captcha.js:1 t-> 105 p-> 4 m-> [] b-> [null,null,0,0.11919045665764205,62]
captcha.js:1 t-> 106 p-> 3 m-> [] b-> [null,null,0,7.389808312773807,62]
captcha.js:1 t-> 107 p-> 2 m-> [] b-> [null,null,7,7.389808312773807,62]
captcha.js:1 t-> 110 p-> 1 m-> [] b-> [null,null,7,7.389808312773807,62]
captcha.js:1 t-> 113 p-> 2 m-> [] b-> [null,null,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"],7.389808312773807,62]
captcha.js:1 t-> 116 p-> 3 m-> [] b-> [null,null,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"],7,62]
captcha.js:1 t-> 117 p-> 2 m-> [] b-> [null,null,"7",7,62]
captcha.js:1 t-> 120 p-> 3 m-> [] b-> [null,null,"7",["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4"],62]
captcha.js:1 t-> 123 p-> 4 m-> [] b-> [null,null,"7",["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4"],30]
captcha.js:1 t-> 124 p-> 1 m-> [] b-> [null,null,"7",["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7"],30]
captcha.js:1 t-> 127 p-> 3 m-> [] b-> [null,null,[[true],true,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"],["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7"],30,7],4,30]
captcha.js:1 t-> 128 p-> 2 m-> [] b-> [null,null,30,4,30]
captcha.js:1 t-> 129 p-> 1 m-> [] b-> [null,null,30,4,30]
captcha.js:1 t-> 79 p-> 1 m-> [] b-> [null,null,30,4,30]
captcha.js:1 t-> 82 p-> 2 m-> [] b-> [null,null,31,4,30]
captcha.js:1 t-> 84 p-> 3 m-> [] b-> [null,null,31,32,30]
captcha.js:1 t-> 85 p-> 2 m-> [] b-> [null,null,true,32,30]
captcha.js:1 t-> 88 p-> 1 m-> [] b-> [null,null,true,32,30]
captcha.js:1 t-> 90 p-> 2 m-> [] b-> [null,null,0,32,30]
captcha.js:1 t-> 93 p-> 3 m-> [] b-> [null,null,0,{},30]
captcha.js:1 t-> 94 p-> 4 m-> [] b-> [null,null,0,{},{}]
captcha.js:1 t-> 97 p-> 4 m-> [] b-> [null,null,0,{},null]
captcha.js:1 func function slice() { [native code] } called,args-> 5 5 res-> []
captcha.js:1 func:  ƒ random() { [native code] } caleed,two args-> {} [] res-> 0.4641664592050647
captcha.js:1 t-> 99 p-> 3 m-> [] b-> [null,null,0,0.4641664592050647,null]
captcha.js:1 t-> 102 p-> 4 m-> [] b-> [null,null,0,0.4641664592050647,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"]]
captcha.js:1 t-> 105 p-> 4 m-> [] b-> [null,null,0,0.4641664592050647,62]
captcha.js:1 t-> 106 p-> 3 m-> [] b-> [null,null,0,28.778320470714014,62]
captcha.js:1 t-> 107 p-> 2 m-> [] b-> [null,null,28,28.778320470714014,62]
captcha.js:1 t-> 110 p-> 1 m-> [] b-> [null,null,28,28.778320470714014,62]
captcha.js:1 t-> 113 p-> 2 m-> [] b-> [null,null,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"],28.778320470714014,62]
captcha.js:1 t-> 116 p-> 3 m-> [] b-> [null,null,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"],28,62]
captcha.js:1 t-> 117 p-> 2 m-> [] b-> [null,null,"S",28,62]
captcha.js:1 t-> 120 p-> 3 m-> [] b-> [null,null,"S",["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7"],62]
captcha.js:1 t-> 123 p-> 4 m-> [] b-> [null,null,"S",["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7"],31]
captcha.js:1 t-> 124 p-> 1 m-> [] b-> [null,null,"S",["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"],31]
captcha.js:1 t-> 127 p-> 3 m-> [] b-> [null,null,[[true],true,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"],["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"],31,28],4,31]
captcha.js:1 t-> 128 p-> 2 m-> [] b-> [null,null,31,4,31]
captcha.js:1 t-> 129 p-> 1 m-> [] b-> [null,null,31,4,31]
captcha.js:1 t-> 79 p-> 1 m-> [] b-> [null,null,31,4,31]
captcha.js:1 t-> 82 p-> 2 m-> [] b-> [null,null,32,4,31]
captcha.js:1 t-> 84 p-> 3 m-> [] b-> [null,null,32,32,31]
captcha.js:1 t-> 85 p-> 2 m-> [] b-> [null,null,false,32,31]
captcha.js:1 t-> 132 p-> 1 m-> [] b-> [null,null,false,32,31]
captcha.js:1 t-> 135 p-> 2 m-> [] b-> [null,null,["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"],32,31]
captcha.js:1 t-> 136 p-> 3 m-> [] b-> [null,null,["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"],["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"],31]
captcha.js:1 t-> 139 p-> 3 m-> [] b-> [null,null,["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"],null,31]
captcha.js:1 t-> 142 p-> 4 m-> [] b-> [null,null,["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"],null,""]
captcha.js:1 func function slice() { [native code] } called,args-> 4 5 res-> [""]
captcha.js:1 func:  ƒ join() { [native code] } caleed,two args-> ["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"] [""] res-> "L2t0seFqOwKdi2gLBom5UzfV4b3m247S"
captcha.js:1 t-> 144 p-> 2 m-> [] b-> [null,null,"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",null,""]
captcha.js:1 t-> 147 p-> 4 m-> [] b-> [null,null,"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",[[],"5BXnjhnQRpCcczSq4xKfN5kGCOU1CgQs",null,null,null,null],1]
captcha.js:1 t-> 148 p-> 2 m-> [] b-> [null,null,"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",[[],"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",null,null,null,null],1]
captcha.js:1 t-> 149 p-> 1 m-> [] b-> [null,null,"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",[[],"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",null,null,null,null],1]
captcha.js:1 t-> 152 p-> 2 m-> [] b-> [null,null,"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",[[],"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",null,null,null,null],1]
captcha.js:1 t-> 309 p-> 2 m-> [] b-> [null,null,"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",[[],"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",null,null,null,null],1]

产生32位长度的包含大小写数字的字符串。

接着:

func:  
ƒ (e){var t=n,a=e[t(228)+"h"];s[t(243)+"geLen"+t(204)]+=a,a=[a/4294967296>>>0,a>>>0];for(var f=r.codYh(s["fullM"+t(219)+t(216)+"th"][t(228)+"h"],1);f>=0;--f){s["fullMessag"+t(216)+"th"][f]+=a[1],a[1]=a… 
caleed,

two args-> 

{"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":32,"fullMessageLength":[0,0,0,32],"messageLengthSize":16,"messageLength128":[0,0,0,32]} 

["L2t0seFqOwKdi2gLBom5UzfV4b3m247S"] 

res-> {"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":32,"fullMessageLength":[0,0,0,32],"messageLengthSize":16,"messageLength128":[0,0,0,32]}

这个也是传入32位字符串sha512进行update。

接着也一样进行digest、tohex 操作,的到:

824b10a5e1bc0d5d96d029fc91890ab86e4fa2bc4f6aa8dd89ddd3b1c7e3122facf061db6deb876fe5f224c5c2f8b31e09bb3c88910eba3deda162b5db0387f6

captcha.js:1 t-> 224 p-> 1 m-> [] b-> ["824b10a5e1bc0d5d96d029fc91890ab86e4fa2bc4f6aa8dd89ddd3b1c7e3122facf061db6deb876fe5f224c5c2f8b31e09bb3c88910eba3deda162b5db0387f6","8f5711634f21ac9aa819d1cd6ba7b114e8e12a328280af677364c20e1489df3b972a53b13a24c7897ce426b40856756cbe754f768462a4e...","L2t0seFqOwKdi2gLBom5UzfV4b3m247S",[[],"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",null,null,null,null],1]
captcha.js:1 t-> 225 p-> 0 m-> [] b-> ["824b10a5e1bc0d5d96d029fc91890ab86e4fa2bc4f6aa8dd89ddd3b1c7e3122facf061db6deb876fe5f224c5c2f8b31e09bb3c88910eba3deda162b5db0387f68f5711634f21ac9aa819d1cd6ba7b114e8e12a328280af677364c20e1489df3b972a53b13a24c7897ce426b40856756cbe754f768462a4eec4be6dcdcbfd86e5","8f5711634f21ac9aa819d1cd6ba7b114e8e12a328280af677364c20e1489df3b972a53b13a24c7897ce426b40856756cbe754f768462a4e...","L2t0seFqOwKdi2gLBom5UzfV4b3m247S",[[],"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",null,null,null,null],1]

一看,突然出现了个8f5711634f21ac9aa819d1cd6ba7b114e8e12a328280af677364c20e1489df3b972a53b13a24c7897ce426b40856756cbe754f768462a4eec4be6dcdc...字符串和我们上面产生的824b10....进行了拼接。

这个可能是固定的salt哦,毕竟他是和随机产上的salt进行拼接。

接着:

func:  
ƒ Ug(e){var t=Jg,n="";return e[t(482)](/[\da-f]{2}/gi)[t(471)+"ch"]((function(e){var r=t;if("ZpPAZ"!==r(490)){return _0x1066c5[r(484)+"ing"]()[r(476)+"h"]("(((.+"+r(465)+"+$")[r(484)+"ing"]()[r(448)+r(… 
caleed,
two args-> 

null 

["824b10a5e1bc0d5d96d029fc91890ab86e4fa2bc4f6aa8dd89ddd3b1c7e3122facf061db6deb876fe5f224c5c2f8b31e09bb3c88910eba3deda162b5db0387f68f5711634f21ac9aa819d1cd6ba7b114e8e12a328280af677364c20e1489df3b972a53b13a24c7897ce426b40856756cbe754f768462a4eec4be6dc..."] 


res-> "‚K\u0010¥á¼\r]–Ð)ü‘‰\n¸nO¢¼Oj¨Ý‰ÝÓ±Çã\u0012/¬ðaÛmë‡oåò$ÅÂø³\u001e\t»<ˆ‘\u000eº=í¡bµÛ\u0003‡öW\u0011cO!¬š¨\u0019ÑÍk§±\u0014èá*2‚€¯gsdÂ\u000e\u0014‰ß;—*S±:$lj|ä&´\bVul¾uOv„b¤îľmÍËý†å"

定位到原文:

    function Ug(e) {
        var t = Jg
          , n = "";
        return e[t(482)](/[\da-f]{2}/gi)[t(471) + "ch"]((function(e) {
            var r = t;
            if ("ZpPAZ" !== r(490)) {
                return _0x1066c5[r(484) + "ing"]()[r(476) + "h"]("(((.+" + r(465) + "+$")[r(484) + "ing"]()[r(448) + r(463) + "r"](_0x59eefd).search("(((.+" + r(465) + "+$")
            }
            n += String["fromC" + r(460) + "de"](parseInt(e, 16))
        }
        )),
        n
    }

一看关键的一行:

n += String["fromCode"](parseInt(e, 16))

明显做了hex转string。

接着:

func:  ƒ (e){var t=n,a=e[t(228)+"h"];s[t(243)+"geLen"+t(204)]+=a,a=[a/4294967296>>>0,a>>>0];for(var f=r.codYh(s["fullM"+t(219)+t(216)+"th"][t(228)+"h"],1);f>=0;--f){s["fullMessag"+t(216)+"th"][f]+=a[1],a[1]=a… 

caleed,two args-> 

{"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":128,"fullMessageLength":[0,0,0,128],"messageLengthSize":16,"messageLength128":[0,0,0,128]} 

["‚K\u0010¥á¼\r]–Ð)ü‘‰\n¸nO¢¼Oj¨Ý‰ÝÓ±Çã\u0012/¬ðaÛmë‡oåò$ÅÂø³\u001e\t»<ˆ‘\u000eº=í¡bµÛ\u0003‡öW\u0011cO!¬š¨\u0019ÑÍk§±\u0014èá*2‚€¯gsdÂ\u000e\u0014‰ß;—*S±:$lj|ä&´\bVul¾uOv„b¤îľmÍËý†å"] 

res-> {"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":128,"fullMessageLength":[0,0,0,128],"messageLengthSize":16,"messageLength128":[0,0,0,128]}

这是update。

接着:

func:  ƒ (){var t=n,r=new em;r.putBytes(c.bytes());var a=s["fullM"+t(219)+t(216)+"th"][s[t(245)+"essageLength"].length-1]+s["messa"+t(212)+"gthSize"]&s["block"+t(203)+"h"]-1;r.putBytes(eI.substr(0,s[t(195)+t(… caleed,

two args-> 

{"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":128,"fullMessageLength":[0,0,0,128],"messageLengthSize":16,"messageLength128":[0,0,0,128]} 

[] 


res-> {"data":"“þ°Œm÷\u0006G\f\u000b»í7ó7́ô\u001a@ƺP:0¡So
_Ǻd›qÎÂ\u0006?\u0015\nÚ¶àù^¤\\£Ž‘©Nµð\u00164¦
Êp","read":0,"_constructedStringLength":64}

这是digest操作

func:  ƒ (){for(var e=Hg,t="",n=this.read;n<this[e(205)].length;++n){var r=this.data["charC"+e(224)](n);r<16&&(t+="0"),t+=r.toString(16)}return t} caleed,two args-> {"data":"“þ°Œm÷\u0006G\f\u000b»í7ó7́ô\u001a@ƺP:0¡So
_Ǻd›qÎÂ\u0006?\u0015\nÚ¶àù^¤\\£Ž‘©Nµð\u00164¦
Êp","read":0,"_constructedStringLength":64} [] res-> "93feb08c6df706470c0bbb7fed37f337cd81f41a40c6ba503a30a1536f855fc7ba649b7f8f71cec2063f150adab6e0f95ea45ca38e91a94eb5f01634a685ca70"

这是tohex操作

接着:

captcha.js:1 func:  ƒ substring() { [native code] } caleed,two args-> "93feb08c6df706470c0bbb7fed37f337cd81f41a40c6ba503a30a1536f855fc7ba649b7f8f71cec2063f150adab6e0f95ea45ca38e91a94eb5f01634a685ca70" [0,64] res-> "93feb08c6df706470c0bbb7fed37f337cd81f41a40c6ba503a30a1536f855fc7"

取[0,64]子串操作。

接着:

captcha.js:1 func:  ƒ substring() { [native code] } caleed,two args-> "93feb08c6df706470c0bbb7fed37f337cd81f41a40c6ba503a30a1536f855fc7ba649b7f8f71cec2063f150adab6e0f95ea45ca38e91a94eb5f01634a685ca70" [64,88] res-> "ba649b7f8f71cec2063f150a"

也是一样的,取[64,68]

接着:

[{"aesKey":"93feb08c6df706470c0bbb7fed37f337cd81f41a40c6ba503a30a1536f855fc7","iv":"ba649b7f8f71cec2063f150a"},"ba649b7f8f71cec2063f150a",64,88,1]

发现得到了重要信息:AES KEY IV

ƒ Yg(e){var t=Jg;return new Uint8Array(e.match(/[\da-f]{2}/gi)[t(468)]((function(e){return parseInt(e,16)})))} caleed,

two args->

null 

["879e508e0a1baaf285f2768c1e6cc7216ec5b788057a17ffa64c66a515383097ee76ce19b1f5db05e740c436b1073c2652f4adeb3d7a167c43442855801d802e7b226d6f6469666965645f696d675f7769647468223a3334302c226964223a2265356536626232323361336561666366666632363863663262346664633834343735623039373331222c226d6f6465223a22736c696465222c224b5351223a5b7b2278223a302c2279223a38362c2272656c61746976655f74696d65223a3132357d2c7b2278223a31312c2279223a38362c2272656c61746976655f74696d65223a3136307d2c7b2278223a32322c2279223a38362c2272656c61746976655f74696d65223a3139367d2c7b2278223a33312c2279223a38362c2272656c61746976655f74696d65223a3233337d2c7b2278223a33352c2279223a38362c2272656c61746976655f74696d65223a3237317d2c7b2278223a33362c2279223a38362c2272656c61746976655f74696d65223a3331307d2c7b2278223a33372c2279223a38362c2272656c61746976655f74696d65223a3334367d2c7b2278..."] 


res-> {"0":135,"1":158,"2":80,"3":142,"4":10,"5":27,"6":170,"7":242,"8":133,"9":242,"10":118,"11":140,"12":30,"13":108,"14":199,"15":33,"16":110,"17":197,"18":183,"19":136,"20":5,"21":122,"22":23,"23":255,"24":166,"25":76,"26":102,"27":165,"28":21,"29":56,"30":48,"31":151,"32":238,"33":118,"34":206,"35":25,"36":177,"37":245,"38":219,"39":5,"40":231,"41":64,"42":196,"43":54,"44":177,"45":7,"46":60,"47":38,"48":82,"49":244,"50":173,"51":235,"52":61,"53":122,"54":22,"55":124,"56":67,"57":68,"58":40,"59...

定位到原文:

    function Yg(e) {
        var t = Jg;
        return new Uint8Array(e.match(/[\da-f]{2}/gi)[t(468)]((function(e) {
            return parseInt(e, 16)
        }
        )))
    }

16进制字符串转整数列表。这里为什么说是列表,是因为,我这里日志用的json.stringify打印出来的,所以看起来像字典,其实不是,是列表。

接着:

captcha.js:1 func function slice() { [native code] } called,args-> 5 6 res-> ["93feb08c6df706470c0bbb7fed37f337cd81f41a40c6ba503a30a1536f855fc7"]

captcha.js:1 

func:  ƒ Yg(e){var t=Jg;return new Uint8Array(e.match(/[\da-f]{2}/gi)[t(468)]((function(e){return parseInt(e,16)})))} caleed,

two args-> 

null 

["93feb08c6df706470c0bbb7fed37f337cd81f41a40c6ba503a30a1536f855fc7"] 


res-> {"0":147,"1":254,"2":176,"3":140,"4":109,"5":247,"6":6,"7":71,"8":12,"9":11,"10":187,"11":127,"12":237,"13":55,"14":243,"15":55,"16":205,"17":129,"18":244,"19":26,"20":64,"21":198,"22":186,"23":80,"24":58,"25":48,"26":161,"27":83,"28":111,"29":133,"30":95,"31":199}

把我们上面的AES的key转成了int列表。

接着:

captcha.js:1 func function slice() { [native code] } called,args-> 6 7 res-> ["ba649b7f8f71cec2063f150a"]


captcha.js:1 

func:  ƒ Yg(e){var t=Jg;return new Uint8Array(e.match(/[\da-f]{2}/gi)[t(468)]((function(e){return parseInt(e,16)})))} caleed,

two args-> 

null 

["ba649b7f8f71cec2063f150a"] 

res-> {"0":186,"1":100,"2":155,"3":127,"4":143,"5":113,"6":206,"7":194,"8":6,"9":63,"10":21,"11":10}

这个iv一样

接下来其实离我们最终解密已经不远了,下一篇中继续!!

记得加入我们的学习群:

记得加入我们的学习群:961566389

点击链接加入群聊:https://h5.qun.qq.com/s/62P0xwrCNO

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1698169.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

Qt 界面上控件自适应窗体大小 - 随窗体缩放

Qt 界面上控件自适应窗体大小 - 随窗体缩放 引言一、在Qt Designer上设置二、参数详解三、参考链接 引言 添加布局&#xff0c;设置控件的minimumSize、maximumSize和sizePolicy可以使其跟随窗体进行自适应缩放 - 如上图所示。 一、在Qt Designer上设置 在代码中设置效果一致…

Slash后台管理系统代码阅读笔记 如何实现环形统计图表卡片?

目前&#xff0c;工作台界面的上半部分已经基本梳理完毕了。 接下来&#xff0c;我们看看这个环形图卡片是怎么实现的&#xff1f; 具体代码如下&#xff1a; {/*图表卡片*/} <Row gutter{[16, 16]} className"mt-4" justify"center">{/*环形图表…

Android BACK键和HOME键应用差异详解

文章目录 1、应用层分析1.1 BACK键功能实现 1.2 HOME键功能实现 1.3 BACK键与HOME键的区别 2、系统层分析2.1 BACK键的处理2.2 HOME键的处理2.3 代码分析BACK键HOME键BACK键的系统代码分析HOME键的系统代码分析BACK键HOME键 3、优缺点分析3.1 BACK键3.2 HOME键 4、项目中的使用…

ISCC2024个人挑战赛WP-迷失之门

&#xff08;非官方解&#xff0c;以下内容均互联网收集的信息和个人思路&#xff0c;仅供学习参考&#xff09; 迷失之门 方法一&#xff1a; IDA看一下 check函数逻辑 进入到check2函数 R键将ascii码转字符&#xff0c;写出逆向脚本 #include <stdio.h> #include &l…

【CCIE | 网络模拟器】部署 EVE-NG

目录 1. 环境准备2. 下载 EVE-NG 镜像3. 安装 EVE-NG 虚拟机3.1 创建 eve-ng 虚拟机3.2 选择存储3.3 定义虚拟机计算资源&#xff08;1&#xff09;开启CPU虚拟化功能&#xff08;2&#xff09;精简置备磁盘 3.4 检查虚拟机设置 4. 安装系统4.1 选择系统语言4.2 选择系统键盘类…

dubbo复习:(9)配置中心的大坑,并不能像spring cloud那样直接从配置中心读取自定义的配置

配置中心只是为 Dubbo 配置提供管理使用的&#xff08;比如配置服务超时时间等)。不要尝试通过Value类似的方式从dubbo 配置中心(比如nacos、zookeeper、Apollo)来获取数据 https://github.com/apache/dubbo/issues/11200可以在application.yml中主要写注册中心的配置&#xf…

OpenStack平台Glance管理

1. 规划节点 使用OpenStack平台节点规划。 IP主机名节点192.168.100.10controller控制节点192.168.100.20compute计算节点 2. 基础准备 使用实战案例-部署的OpenStack平台。 IP 主机名 节点 192.168.100.10 controller 控制节点 192.168.100.20 copute 计算节点 02 案例分…

卡特兰数-

是组合数学中一种常出现于各种计数问题中的数列。 一、简单介绍 卡特兰数是一个数列&#xff0c;其前几项为&#xff08;从第零项开始&#xff09; : 1, 1, 2, 5, 14, 42, 132, 429, 1430, 4862, 16796, 58786, 208012, 742900, 2674440, 9694845, 35357670, 129644790, 47763…

2024/5/26周报

文章目录 摘要Abstract文献阅读题目创新点方法网络架构LSTM 实验过程Data acquisitionData preprocessingAlgorithm parameter settingsModels evaluation 实验结果 深度学习ARIMA一、ARIMA模型的基本思想二、ARIMA模型的数学表达式三、差分过程 总结 摘要 本周阅读了一篇基于…

多线程(C++11)

多线程&#xff08;C&#xff09; 文章目录 多线程&#xff08;C&#xff09;前言一、std::thread类1.线程的创建1.1构造函数1.2代码演示 2.公共成员函数2.1 get_id()2.2 join()2.3 detach()2.4 joinable()2.5 operator 3.静态函数4.类的成员函数作为子线程的任务函数 二、call…

牛客网刷题 | BC98 线段图案

目前主要分为三个专栏&#xff0c;后续还会添加&#xff1a; 专栏如下&#xff1a; C语言刷题解析 C语言系列文章 我的成长经历 感谢阅读&#xff01; 初来乍到&#xff0c;如有错误请指出&#xff0c;感谢&#xff01; 描述 KiKi学习了循环&am…

网络应用层之(1)DHCPv6协议

网络应用层之(1)DHCPv6协议 Author: Once Day Date: 2024年5月26日 一位热衷于Linux学习和开发的菜鸟&#xff0c;试图谱写一场冒险之旅&#xff0c;也许终点只是一场白日梦… 漫漫长路&#xff0c;有人对你微笑过嘛… 全系列文章可参考专栏: 通信网络技术_Once-Day的博客-C…

20240526怎样将windows的屏幕复制到第二屏

百度&#xff1a;WIN10 第二显示器 COPY https://zhidao.baidu.com/question/761454546683111004.html 20240526怎样将windows的屏幕复制到第二屏  我来答 分享 举报 2个回答#热议# 海关有哪些禁运商品&#xff1f;查到后怎么办&#xff1f; 华硕服务 2022-07-05 百度认证:…

【找出第 K 大的异或坐标值】python

4层循环暴力超时 class Solution:def kthLargestValue(self, matrix: List[List[int]], k: int) -> int:nums[]for a in range(len(matrix)):for b in range(len(matrix[0])):num0for i in range(a1):for j in range(b1):num^matrix[i][j]nums.append(num)nums.sort()retu…

python web自动化(分布式测试Grid)

Grid介绍 Selenium Grid 是 Selenium 提供的⼀个⼯具&#xff0c;⽤于⽀持在多台计算机上并⾏运⾏测试。 它允许将测试分发到不同的机器和浏览器组合上&#xff0c;同时收集结果。 1.并⾏执⾏测试⽤例&#xff1a;在不同的机器上并⾏执⾏测试⽤例&#xff0c;从⽽加速整个测试过…

安卓自定义控件(视图、改造控件、通知Notification、界面绘制)

视图的构建过程 此节介绍一个视图的构建过程&#xff0c;包括&#xff1a;如何编写视图的构造方法&#xff0c;4个构造方法之间有什么区别&#xff1b;如何测量实体的实际尺寸&#xff0c;包含文本、图像、线性视图的测量方法&#xff1b;如何利用画笔绘制视图的界面&#xff…

千帆【API接入】自定义组件简明教程

千帆【API接入】自定义组件简明教程 大家好&#xff0c;我是 JavaRoom&#xff0c;今天来给大家做一个自定义API接入来是心啊遣返组件创建案例简明教学。 1.准备工作 1.1 一个不欠费的千帆账号 财务总览地址&#xff1a;https://console.bce.baidu.com/billing/#/account/i…

ionic关于@angular版本报错解决方案(有效)

最近学校要求使用ionicangular学习&#xff0c;但是出现下面问题&#xff0c;这里我就分享一个我亲测有效的解决方案&#xff0c;提供学习&#xff08;在VScode中&#xff09; npm error code ERESOLVE npm error ERESOLVE could not resolve npm error npm error While resol…

【调试笔记-20240526-Linux-在 OpenWrt-23.05 发行版上安装 cpolar】

调试笔记-系列文章目录 调试笔记-20240526-Linux-在 OpenWrt-23.05 发行版上安装 cpolar 文章目录 调试笔记-系列文章目录调试笔记-20240526-Linux-在 OpenWrt-23.05 发行版上安装 cpolar 前言一、调试环境操作系统&#xff1a;Windows 10 专业版调试环境调试目标 二、调试步骤…

1107 老鼠爱大米

solution 记录每组的最大值&#xff0c;并比较组间的最大值胖胖鼠~ #include<iostream> using namespace std; int main(){int n, m, ans, fat -1, x;scanf("%d%d", &n, &m);for(int i 0; i < n; i){ans -1;for(int j 0; j < m; j){scanf(…