Dou音滑块日志分析

记得加入我们的学习群：961566389

点击链接加入群聊：[https://h5.qun.qq.com/s/62P0xwrCNO](https://h5.qun.qq.com/s/62P0xwrCNO)

1.插桩-打印日志

获取背景和滑块的图片的接口一看没啥参数需要逆向的

验证的接口body参数需要进行逆向，直接看启动器，找到合适的位置插桩，最终定位到产生body参数的vmp位置：

其次在下面的apply调用的地方都加上日志输出：

直接拖动一下，保留日志到本地进行分析

2.分析日志

这次我是直接从头往后分析，没有逆推，具体情况具体分析。

func:  ƒ (e){var t=n,a=e[t(228)+"h"];s[t(243)+"geLen"+t(204)]+=a,a=[a/4294967296>>>0,a>>>0];for(var f=r.codYh(s["fullM"+t(219)+t(216)+"th"][t(228)+"h"],1);f>=0;--f){s["fullMessag"+t(216)+"th"][f]+=a[1],a[1]=a… 
caleed,two args-> {"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":2716,"fullMessageLength":[0,0,0,2716],"messageLengthSize":16,"messageLength128":[0,0,0,2716]} 
["{\"modified_img_width\":340,\"id\":\"e5e6bb223a3eafcfff268cf2b4fdc84475b09731\",\"mode\":\"slide\",\"KSQ\":[{\"x\":0,\"y\":86,\"relative_time\":125},{\"x\":11,\"y\":86,\"relative_time\":160},{\"x\":22,\"y\":86,\"relative_time\":196},{\"x\":31,\"y\":86,\"relative_time\":233},{\"x\":35,\"y\":86,\"relative_time\":271},{\"x\":36,\"y\":86,\"relative_time\":310},{\"x\":37,\"y\":86,\"relative_time\":346},{\"x\":37,\"y\":86,\"relative_time\":384}],\"jg2KgnF\":{\"AJeQfbTvl\":{\"x\":369,\"y\":351,\"time\":1716706984604},\"Ovx9sZrnP\":{\"x\":59,\"y\":327,\"time\":1716707288030},\"tUZ1hw\":[{\"x\":363,\"y\":355,\"time\":1716707287607},{\"x\":192,\"y\":366,\"time\":1716707287643},{\"x\":143,\"y\":369,\"time\":1716707287678},{\"x\":141,\"y\":369,\"time\":1716707287863},{\"x\":127,\"y\":367,\"time\":1716707287900},{\"x\":91,\"y\":355,\"time\":1716707287939},{\"x\":66,\"y\":337,\"time\":1716707287977},{\"x\":59,\"y\":328,\"time\":1716707288015},{\"x\":58,\"y\":326,\"time\":1716707288057},{\"x\":58,\"y\":325,\"time\":1716707288092},{\"x\":57,\"y\":319,\"time\":1716707288138},{\"x\":56,\"y\":314,\"time\":1716707288175},{\"x\":56,\"y\":312,\"time\":1716707288209},{\"x\":56,\"y\":312,\"time\":1716707288399},{\"x\":67,\"y\":312,\"time\":1716707288435},{\"x\":78,\"y\":312,\"time\":1716707288471},{\"x\":87,\"y\":312,\"time\":1716707288507},{\"x\":91,\"y\":312,\"time\":1716707288543},{\"x\":92,\"y\":312,\"time\":1716707288584},{\"x\":93,\"y\":312,\"time\":1716707288620},{\"x\":93,\"y\":312,\"time\":1716707288658}],\"jiLYUQ\":[],\"ugl\":[{\"x\":56,\"y\":312,\"time\":1716707288289,\"t\":0},{\"x\":56,\"y\":312,\"time\":1716707288414,\"t\":0},{\"x\":78,\"y\":312,\"time\":1716707288485,\"t\":0},{\"x\":91,\"y\":312,\"time\":1716707288560,\"t\":0},{\"x\":93,\"y\":312,\"time\":1716707288635,\"t\":0}]},\"env\":{\"canvas_hash\":\"f93ed480ebf91e8b3db9a\\",\"webgl_hash\":\"1f429dbe59a0c1370378ef\",\"font_hash\":\"1ba6bb535aebaf57631321298f5bf6e215d4347f75e15d394f0e3cdcb803ffe445cd942923787a306e3e2d07392e43853b43ad797cb8ab46\",\"audio_hash\":124.047657808103,\"time_offset\":-480,\"time_zone\":\"Asia/Shanghai\",\"languages\":[\"zh-CN\"],\"plugins\":[\"PDF Viewer\",\"Chrome PDF Viewer\",\"Chromium PDF Viewer\",\"Microsoft Edge PDF Viewer\",\"WebKit built-in PDF\"],\"platform\":\"MacIntel\",\"max_touch_points\":0,\"webdriver\":false,\"touch_actions\":[],\"mouse_actions\":[\"1,1\",\"1,1\",\"1,1\",\"1,1\",\"1,1\",\"1,1\",\"1,1\",\"1,1\",\"1,1\",\"1,1\"],\"device\":{\"model\":\"Macintosh\",\"vendor\":\"Apple\"},\"os\":{\"name\":\"Mac OS\",\"version\":\"10.15.7\"},\"browser\":{\"name\":\"Chrome\",\"version\":\"125.0.0.0\"},\"engine\":{\"name\":\"Blink\",\"version\":\"125.0.0.0\"},\"gpu\":{\"vendor\":\"Google Inc. (ATI Technologies Inc.)\",\"renderer\":\"ANGLE (ATI Technologies Inc., AMD Radeon Pro 560X OpenGL Engine, OpenGL 4.1)\"},\"resolution\":\"1680,1050\",\"browser_size\":\"1680,1050\",\"page_size\":\"1680,963\",\"captcha_origin\":\"0,0\",\"captcha_size\":\"380, 384\",\"mask_time\":171669208153662,\"loading_time\":1716692082536,\"ready_time\":1716692083010},\"a\":41}"] 
res-> {"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":2716,"fullMessageLength":[0,0,0,2716],"messageLengthSize":16,"messageLength128":[0,0,0,2716]}

定位到js源码处：

是sha512的update函数，传入参数见上日志，包含了轨迹、env信息。

接着：

func:  

ƒ (){var t=n,r=new em;r.putBytes(c.bytes());var a=s["fullM"+t(219)+t(216)+"th"][s[t(245)+"essageLength"].length-1]+s["messa"+t(212)+"gthSize"]&s["block"+t(203)+"h"]-1;r.putBytes(eI.substr(0,s[t(195)+t(… caleed,

two args-> 

{"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":2716,"fullMessageLength":[0,0,0,2716],"messageLengthSize":16,"messageLength128":[0,0,0,2716]} 

[] 

res-> 
{"data":"‡žPŽ\n\u001bªò
òvŒ\u001elÇ!nÅ·ˆ\u0005z\u0017ÿ¦Lf¥\u001580—îvÎ\u0019±õÛ\u0005ç@Ä6±\u0007<&Rôë=z\u0016|CD(U€\u001d€.","read":0,"_constructedStringLength":64}

定位到js是digest函数，就是将刚才的数据进行digest操作。

接着：

func:  

ƒ (){for(var e=Hg,t="",n=this.read;n<this[e(205)].length;++n){var r=this.data["charC"+e(224)](n);r<16&&(t+="0"),t+=r.toString(16)} return t} caleed,

two args-> 

{"data":"‡žPŽ\n\u001bªò
òvŒ\u001elÇ!nÅ·ˆ\u0005z\u0017ÿ¦Lf¥\u001580—îvÎ\u0019±õÛ\u0005ç@Ä6±\u0007<&Rôë=z\u0016|CD(U€\u001d€.","read":0,"_constructedStringLength":64} 

[] 

res-> "879e508e0a1baaf285f2768c1e6cc7216ec5b788057a17ffa64c66a515383097ee76ce19b1f5db05e740c436b1073c2652f4adeb3d7a167c43442855801d802e"

定位到原js是tohex().

接着：

func:  
ƒ Wg(e){for(var t=Jg,n="",r=0;r<e[t(494)+"h"];r++){n+=e[t(481)+t(457)](r)["toStr"+t(458)](16)}return n} caleed,

two args-> 

null 

["{\"modified_img_width\":340,\"id\":\"e5e6bb223a3eafcfff268cf2b4fdc84475b09731\",\"mode\":\"slide\",\"KSQ\":[{\"x\":0,\"y\":86,\"relative_time\":125},{\"x\":11,\"y\":86,\"relative_time\":160},{\"x\":22,\"y\":86,\"relative_time\":196}.....省略一些] 

res-> "7b226d6f6469666965645f696d675f7769647468223a3334302c226964223a2265356536626232323361336561666366666632363863663262346664633834343735623039373331222c226d6f6465223a22736c696465222c224b5351223a5b7b2278223a302c2279223a38362c2272656c61746976655f74696d65223a3132357d2c7b2278223a31312c2279223a38362c2272656c61746976655f74696d65223a3136307......省略一些"

定位到js处是将字符串的charcode转成16进制字符串。

接着：

captcha.js:1 func:  ƒ random() { [native code] } caleed,two args-> {} [] res-> 0.11919045665764205
captcha.js:1 t-> 99 p-> 3 m-> [] b-> [null,null,0,0.11919045665764205,null]
captcha.js:1 t-> 102 p-> 4 m-> [] b-> [null,null,0,0.11919045665764205,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"]]
captcha.js:1 t-> 105 p-> 4 m-> [] b-> [null,null,0,0.11919045665764205,62]
captcha.js:1 t-> 106 p-> 3 m-> [] b-> [null,null,0,7.389808312773807,62]
captcha.js:1 t-> 107 p-> 2 m-> [] b-> [null,null,7,7.389808312773807,62]
captcha.js:1 t-> 110 p-> 1 m-> [] b-> [null,null,7,7.389808312773807,62]
captcha.js:1 t-> 113 p-> 2 m-> [] b-> [null,null,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"],7.389808312773807,62]
captcha.js:1 t-> 116 p-> 3 m-> [] b-> [null,null,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"],7,62]
captcha.js:1 t-> 117 p-> 2 m-> [] b-> [null,null,"7",7,62]
captcha.js:1 t-> 120 p-> 3 m-> [] b-> [null,null,"7",["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4"],62]
captcha.js:1 t-> 123 p-> 4 m-> [] b-> [null,null,"7",["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4"],30]
captcha.js:1 t-> 124 p-> 1 m-> [] b-> [null,null,"7",["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7"],30]
captcha.js:1 t-> 127 p-> 3 m-> [] b-> [null,null,[[true],true,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"],["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7"],30,7],4,30]
captcha.js:1 t-> 128 p-> 2 m-> [] b-> [null,null,30,4,30]
captcha.js:1 t-> 129 p-> 1 m-> [] b-> [null,null,30,4,30]
captcha.js:1 t-> 79 p-> 1 m-> [] b-> [null,null,30,4,30]
captcha.js:1 t-> 82 p-> 2 m-> [] b-> [null,null,31,4,30]
captcha.js:1 t-> 84 p-> 3 m-> [] b-> [null,null,31,32,30]
captcha.js:1 t-> 85 p-> 2 m-> [] b-> [null,null,true,32,30]
captcha.js:1 t-> 88 p-> 1 m-> [] b-> [null,null,true,32,30]
captcha.js:1 t-> 90 p-> 2 m-> [] b-> [null,null,0,32,30]
captcha.js:1 t-> 93 p-> 3 m-> [] b-> [null,null,0,{},30]
captcha.js:1 t-> 94 p-> 4 m-> [] b-> [null,null,0,{},{}]
captcha.js:1 t-> 97 p-> 4 m-> [] b-> [null,null,0,{},null]
captcha.js:1 func function slice() { [native code] } called,args-> 5 5 res-> []
captcha.js:1 func:  ƒ random() { [native code] } caleed,two args-> {} [] res-> 0.4641664592050647
captcha.js:1 t-> 99 p-> 3 m-> [] b-> [null,null,0,0.4641664592050647,null]
captcha.js:1 t-> 102 p-> 4 m-> [] b-> [null,null,0,0.4641664592050647,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"]]
captcha.js:1 t-> 105 p-> 4 m-> [] b-> [null,null,0,0.4641664592050647,62]
captcha.js:1 t-> 106 p-> 3 m-> [] b-> [null,null,0,28.778320470714014,62]
captcha.js:1 t-> 107 p-> 2 m-> [] b-> [null,null,28,28.778320470714014,62]
captcha.js:1 t-> 110 p-> 1 m-> [] b-> [null,null,28,28.778320470714014,62]
captcha.js:1 t-> 113 p-> 2 m-> [] b-> [null,null,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"],28.778320470714014,62]
captcha.js:1 t-> 116 p-> 3 m-> [] b-> [null,null,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"],28,62]
captcha.js:1 t-> 117 p-> 2 m-> [] b-> [null,null,"S",28,62]
captcha.js:1 t-> 120 p-> 3 m-> [] b-> [null,null,"S",["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7"],62]
captcha.js:1 t-> 123 p-> 4 m-> [] b-> [null,null,"S",["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7"],31]
captcha.js:1 t-> 124 p-> 1 m-> [] b-> [null,null,"S",["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"],31]
captcha.js:1 t-> 127 p-> 3 m-> [] b-> [null,null,[[true],true,["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"],["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"],31,28],4,31]
captcha.js:1 t-> 128 p-> 2 m-> [] b-> [null,null,31,4,31]
captcha.js:1 t-> 129 p-> 1 m-> [] b-> [null,null,31,4,31]
captcha.js:1 t-> 79 p-> 1 m-> [] b-> [null,null,31,4,31]
captcha.js:1 t-> 82 p-> 2 m-> [] b-> [null,null,32,4,31]
captcha.js:1 t-> 84 p-> 3 m-> [] b-> [null,null,32,32,31]
captcha.js:1 t-> 85 p-> 2 m-> [] b-> [null,null,false,32,31]
captcha.js:1 t-> 132 p-> 1 m-> [] b-> [null,null,false,32,31]
captcha.js:1 t-> 135 p-> 2 m-> [] b-> [null,null,["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"],32,31]
captcha.js:1 t-> 136 p-> 3 m-> [] b-> [null,null,["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"],["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"],31]
captcha.js:1 t-> 139 p-> 3 m-> [] b-> [null,null,["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"],null,31]
captcha.js:1 t-> 142 p-> 4 m-> [] b-> [null,null,["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"],null,""]
captcha.js:1 func function slice() { [native code] } called,args-> 4 5 res-> [""]
captcha.js:1 func:  ƒ join() { [native code] } caleed,two args-> ["L","2","t","0","s","e","F","q","O","w","K","d","i","2","g","L","B","o","m","5","U","z","f","V","4","b","3","m","2","4","7","S"] [""] res-> "L2t0seFqOwKdi2gLBom5UzfV4b3m247S"
captcha.js:1 t-> 144 p-> 2 m-> [] b-> [null,null,"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",null,""]
captcha.js:1 t-> 147 p-> 4 m-> [] b-> [null,null,"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",[[],"5BXnjhnQRpCcczSq4xKfN5kGCOU1CgQs",null,null,null,null],1]
captcha.js:1 t-> 148 p-> 2 m-> [] b-> [null,null,"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",[[],"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",null,null,null,null],1]
captcha.js:1 t-> 149 p-> 1 m-> [] b-> [null,null,"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",[[],"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",null,null,null,null],1]
captcha.js:1 t-> 152 p-> 2 m-> [] b-> [null,null,"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",[[],"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",null,null,null,null],1]
captcha.js:1 t-> 309 p-> 2 m-> [] b-> [null,null,"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",[[],"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",null,null,null,null],1]

产生32位长度的包含大小写数字的字符串。

接着：

func:  
ƒ (e){var t=n,a=e[t(228)+"h"];s[t(243)+"geLen"+t(204)]+=a,a=[a/4294967296>>>0,a>>>0];for(var f=r.codYh(s["fullM"+t(219)+t(216)+"th"][t(228)+"h"],1);f>=0;--f){s["fullMessag"+t(216)+"th"][f]+=a[1],a[1]=a… 
caleed,

two args-> 

{"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":32,"fullMessageLength":[0,0,0,32],"messageLengthSize":16,"messageLength128":[0,0,0,32]} 

["L2t0seFqOwKdi2gLBom5UzfV4b3m247S"] 

res-> {"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":32,"fullMessageLength":[0,0,0,32],"messageLengthSize":16,"messageLength128":[0,0,0,32]}

这个也是传入32位字符串sha512进行update。

接着也一样进行digest、tohex 操作,的到：

824b10a5e1bc0d5d96d029fc91890ab86e4fa2bc4f6aa8dd89ddd3b1c7e3122facf061db6deb876fe5f224c5c2f8b31e09bb3c88910eba3deda162b5db0387f6

captcha.js:1 t-> 224 p-> 1 m-> [] b-> ["824b10a5e1bc0d5d96d029fc91890ab86e4fa2bc4f6aa8dd89ddd3b1c7e3122facf061db6deb876fe5f224c5c2f8b31e09bb3c88910eba3deda162b5db0387f6","8f5711634f21ac9aa819d1cd6ba7b114e8e12a328280af677364c20e1489df3b972a53b13a24c7897ce426b40856756cbe754f768462a4e...","L2t0seFqOwKdi2gLBom5UzfV4b3m247S",[[],"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",null,null,null,null],1]
captcha.js:1 t-> 225 p-> 0 m-> [] b-> ["824b10a5e1bc0d5d96d029fc91890ab86e4fa2bc4f6aa8dd89ddd3b1c7e3122facf061db6deb876fe5f224c5c2f8b31e09bb3c88910eba3deda162b5db0387f68f5711634f21ac9aa819d1cd6ba7b114e8e12a328280af677364c20e1489df3b972a53b13a24c7897ce426b40856756cbe754f768462a4eec4be6dcdcbfd86e5","8f5711634f21ac9aa819d1cd6ba7b114e8e12a328280af677364c20e1489df3b972a53b13a24c7897ce426b40856756cbe754f768462a4e...","L2t0seFqOwKdi2gLBom5UzfV4b3m247S",[[],"L2t0seFqOwKdi2gLBom5UzfV4b3m247S",null,null,null,null],1]

一看，突然出现了个8f5711634f21ac9aa819d1cd6ba7b114e8e12a328280af677364c20e1489df3b972a53b13a24c7897ce426b40856756cbe754f768462a4eec4be6dcdc...字符串和我们上面产生的824b10....进行了拼接。

这个可能是固定的salt哦，毕竟他是和随机产上的salt进行拼接。

接着：

func:  
ƒ Ug(e){var t=Jg,n="";return e[t(482)](/[\da-f]{2}/gi)[t(471)+"ch"]((function(e){var r=t;if("ZpPAZ"!==r(490)){return _0x1066c5[r(484)+"ing"]()[r(476)+"h"]("(((.+"+r(465)+"+$")[r(484)+"ing"]()[r(448)+r(… 
caleed,
two args-> 

null 

["824b10a5e1bc0d5d96d029fc91890ab86e4fa2bc4f6aa8dd89ddd3b1c7e3122facf061db6deb876fe5f224c5c2f8b31e09bb3c88910eba3deda162b5db0387f68f5711634f21ac9aa819d1cd6ba7b114e8e12a328280af677364c20e1489df3b972a53b13a24c7897ce426b40856756cbe754f768462a4eec4be6dc..."] 


res-> "‚K\u0010¥á¼\r]–Ð)ü‘‰\n¸nO¢¼Oj¨Ý‰ÝÓ±Çã\u0012/¬ðaÛmë‡oåò$ÅÂø³\u001e\t»<ˆ‘\u000eº=í¡bµÛ\u0003‡öW\u0011cO!¬š¨\u0019ÑÍk§±\u0014èá*2‚€¯gsdÂ\u000e\u0014‰ß;—*S±:$Ç‰|ä&´\bVul¾uOv„b¤îÄ¾mÍËý†å"

定位到原文：

    function Ug(e) {
        var t = Jg
          , n = "";
        return e[t(482)](/[\da-f]{2}/gi)[t(471) + "ch"]((function(e) {
            var r = t;
            if ("ZpPAZ" !== r(490)) {
                return _0x1066c5[r(484) + "ing"]()[r(476) + "h"]("(((.+" + r(465) + "+$")[r(484) + "ing"]()[r(448) + r(463) + "r"](_0x59eefd).search("(((.+" + r(465) + "+$")
            }
            n += String["fromC" + r(460) + "de"](parseInt(e, 16))
        }
        )),
        n
    }

一看关键的一行:

n += String["fromCode"](parseInt(e, 16))

明显做了hex转string。

接着：

func:  ƒ (e){var t=n,a=e[t(228)+"h"];s[t(243)+"geLen"+t(204)]+=a,a=[a/4294967296>>>0,a>>>0];for(var f=r.codYh(s["fullM"+t(219)+t(216)+"th"][t(228)+"h"],1);f>=0;--f){s["fullMessag"+t(216)+"th"][f]+=a[1],a[1]=a… 

caleed,two args-> 

{"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":128,"fullMessageLength":[0,0,0,128],"messageLengthSize":16,"messageLength128":[0,0,0,128]} 

["‚K\u0010¥á¼\r]–Ð)ü‘‰\n¸nO¢¼Oj¨Ý‰ÝÓ±Çã\u0012/¬ðaÛmë‡oåò$ÅÂø³\u001e\t»<ˆ‘\u000eº=í¡bµÛ\u0003‡öW\u0011cO!¬š¨\u0019ÑÍk§±\u0014èá*2‚€¯gsdÂ\u000e\u0014‰ß;—*S±:$Ç‰|ä&´\bVul¾uOv„b¤îÄ¾mÍËý†å"] 

res-> {"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":128,"fullMessageLength":[0,0,0,128],"messageLengthSize":16,"messageLength128":[0,0,0,128]}

这是update。

接着：

func:  ƒ (){var t=n,r=new em;r.putBytes(c.bytes());var a=s["fullM"+t(219)+t(216)+"th"][s[t(245)+"essageLength"].length-1]+s["messa"+t(212)+"gthSize"]&s["block"+t(203)+"h"]-1;r.putBytes(eI.substr(0,s[t(195)+t(… caleed,

two args-> 

{"algorithm":"sha512","blockLength":128,"digestLength":64,"messageLength":128,"fullMessageLength":[0,0,0,128],"messageLengthSize":16,"messageLength128":[0,0,0,128]} 

[] 


res-> {"data":"“þ°Œm÷\u0006G\f\u000b»í7ó7Íô\u001a@ÆºP:0¡So
_Çºd›qÎÂ\u0006?\u0015\nÚ¶àù^¤\\£Ž‘©Nµð\u00164¦
Êp","read":0,"_constructedStringLength":64}

这是digest操作

func:  ƒ (){for(var e=Hg,t="",n=this.read;n<this[e(205)].length;++n){var r=this.data["charC"+e(224)](n);r<16&&(t+="0"),t+=r.toString(16)}return t} caleed,two args-> {"data":"“þ°Œm÷\u0006G\f\u000b»í7ó7Íô\u001a@ÆºP:0¡So
_Çºd›qÎÂ\u0006?\u0015\nÚ¶àù^¤\\£Ž‘©Nµð\u00164¦
Êp","read":0,"_constructedStringLength":64} [] res-> "93feb08c6df706470c0bbb7fed37f337cd81f41a40c6ba503a30a1536f855fc7ba649b7f8f71cec2063f150adab6e0f95ea45ca38e91a94eb5f01634a685ca70"

这是tohex操作

接着：

captcha.js:1 func:  ƒ substring() { [native code] } caleed,two args-> "93feb08c6df706470c0bbb7fed37f337cd81f41a40c6ba503a30a1536f855fc7ba649b7f8f71cec2063f150adab6e0f95ea45ca38e91a94eb5f01634a685ca70" [0,64] res-> "93feb08c6df706470c0bbb7fed37f337cd81f41a40c6ba503a30a1536f855fc7"

取[0,64]子串操作。

接着：

captcha.js:1 func:  ƒ substring() { [native code] } caleed,two args-> "93feb08c6df706470c0bbb7fed37f337cd81f41a40c6ba503a30a1536f855fc7ba649b7f8f71cec2063f150adab6e0f95ea45ca38e91a94eb5f01634a685ca70" [64,88] res-> "ba649b7f8f71cec2063f150a"

也是一样的,取[64,68]

接着：

[{"aesKey":"93feb08c6df706470c0bbb7fed37f337cd81f41a40c6ba503a30a1536f855fc7","iv":"ba649b7f8f71cec2063f150a"},"ba649b7f8f71cec2063f150a",64,88,1]

发现得到了重要信息：AES KEY IV

ƒ Yg(e){var t=Jg;return new Uint8Array(e.match(/[\da-f]{2}/gi)[t(468)]((function(e){return parseInt(e,16)})))} caleed,

two args->

null 

["879e508e0a1baaf285f2768c1e6cc7216ec5b788057a17ffa64c66a515383097ee76ce19b1f5db05e740c436b1073c2652f4adeb3d7a167c43442855801d802e7b226d6f6469666965645f696d675f7769647468223a3334302c226964223a2265356536626232323361336561666366666632363863663262346664633834343735623039373331222c226d6f6465223a22736c696465222c224b5351223a5b7b2278223a302c2279223a38362c2272656c61746976655f74696d65223a3132357d2c7b2278223a31312c2279223a38362c2272656c61746976655f74696d65223a3136307d2c7b2278223a32322c2279223a38362c2272656c61746976655f74696d65223a3139367d2c7b2278223a33312c2279223a38362c2272656c61746976655f74696d65223a3233337d2c7b2278223a33352c2279223a38362c2272656c61746976655f74696d65223a3237317d2c7b2278223a33362c2279223a38362c2272656c61746976655f74696d65223a3331307d2c7b2278223a33372c2279223a38362c2272656c61746976655f74696d65223a3334367d2c7b2278..."] 


res-> {"0":135,"1":158,"2":80,"3":142,"4":10,"5":27,"6":170,"7":242,"8":133,"9":242,"10":118,"11":140,"12":30,"13":108,"14":199,"15":33,"16":110,"17":197,"18":183,"19":136,"20":5,"21":122,"22":23,"23":255,"24":166,"25":76,"26":102,"27":165,"28":21,"29":56,"30":48,"31":151,"32":238,"33":118,"34":206,"35":25,"36":177,"37":245,"38":219,"39":5,"40":231,"41":64,"42":196,"43":54,"44":177,"45":7,"46":60,"47":38,"48":82,"49":244,"50":173,"51":235,"52":61,"53":122,"54":22,"55":124,"56":67,"57":68,"58":40,"59...

定位到原文：

    function Yg(e) {
        var t = Jg;
        return new Uint8Array(e.match(/[\da-f]{2}/gi)[t(468)]((function(e) {
            return parseInt(e, 16)
        }
        )))
    }

16进制字符串转整数列表。这里为什么说是列表，是因为，我这里日志用的json.stringify打印出来的，所以看起来像字典，其实不是，是列表。

接着：

captcha.js:1 func function slice() { [native code] } called,args-> 5 6 res-> ["93feb08c6df706470c0bbb7fed37f337cd81f41a40c6ba503a30a1536f855fc7"]

captcha.js:1 

func:  ƒ Yg(e){var t=Jg;return new Uint8Array(e.match(/[\da-f]{2}/gi)[t(468)]((function(e){return parseInt(e,16)})))} caleed,

two args-> 

null 

["93feb08c6df706470c0bbb7fed37f337cd81f41a40c6ba503a30a1536f855fc7"] 


res-> {"0":147,"1":254,"2":176,"3":140,"4":109,"5":247,"6":6,"7":71,"8":12,"9":11,"10":187,"11":127,"12":237,"13":55,"14":243,"15":55,"16":205,"17":129,"18":244,"19":26,"20":64,"21":198,"22":186,"23":80,"24":58,"25":48,"26":161,"27":83,"28":111,"29":133,"30":95,"31":199}

把我们上面的AES的key转成了int列表。

接着：

captcha.js:1 func function slice() { [native code] } called,args-> 6 7 res-> ["ba649b7f8f71cec2063f150a"]


captcha.js:1 

func:  ƒ Yg(e){var t=Jg;return new Uint8Array(e.match(/[\da-f]{2}/gi)[t(468)]((function(e){return parseInt(e,16)})))} caleed,

two args-> 

null 

["ba649b7f8f71cec2063f150a"] 

res-> {"0":186,"1":100,"2":155,"3":127,"4":143,"5":113,"6":206,"7":194,"8":6,"9":63,"10":21,"11":10}

这个iv一样

接下来其实离我们最终解密已经不远了，下一篇中继续！！

记得加入我们的学习群：

记得加入我们的学习群：961566389

点击链接加入群聊：https://h5.qun.qq.com/s/62P0xwrCNO