bouml 逆向分析c++_JS逆向之漫画柜
這次文章是補之前文章提到的eval加密
之前簡單介紹了常見的JS混淆:JS逆向常見混淆總結
里面提到的第一種混淆就是這次要分析的主角,這里分析的網站是「漫畫柜」
查看請求
打開控制臺,隨意點擊一本漫畫,進入到正文頁面,查看請求:
可以很容易看到這里有個md5的參數值是加密的。
定位加密位置
這里有兩種定位方法:
第一種面向老手,先翻一遍請求,網頁源碼可以迅速定位。
第二種就是按照之前的文章提到的分析流程,我們分析一遍,雖然麻煩點會走彎路但是適合新手:
沒有看過的朋友可以點擊下面的文章鏈接回顧一下:實戰案例淺析JS加密 - 基礎總結篇
先搜索一下關鍵字,這里加密的參數是md5,所以試試下面這幾種搜索關鍵詞:
1md5:2md5?:
3md5=
4md5?=
5md5
搜索結果如下:
通過關鍵字搜索沒有得到想要的結果,按照之前文章提到的流程到這里就卡住了。
不過我們看到上面請求里還有另一參數cid,既然都是請求參數,那么md5這個參數可能是和他一起提交的,我們可以試試搜索cid關鍵詞試試。
搜索cid這個參數結果如下:
果然有點東西,我們點進第一個文件,搜索下有多少和cid這個參數相關搜索項,檢索之后有18項相關,通過分析代碼,很快我們定位到下圖的代碼,打上斷點重新加載看看是否能進入我們的斷點位置:
果然成功進入斷點了,但是好像并沒有我們想要得md5參數,這個時候好像又卡住了。
不過很快我們通過查看右側堆棧信息找到了md5參數的位置:
這里vm的代碼又是通過下面這段代碼生成的:
這開頭,不就是熟悉的eval加密嗎。
到這里就定位到解密的地方了,但是這段eval代碼又是在哪呢?
發現左側有.html的標識,搜索是搜不到了,我們就看看這個頁面的源代碼吧,發現右鍵是進入下一頁漫畫,所以通過控制臺的Doc選項卡看看,通過格式化代碼我們找到了上面的eval代碼。
1window["\x65\x76\x61\x6c"](function(p,?a,?c,?k,?e,?d)?{2????????????????e?=?function(c)?{
3????????????????????return?(c?""?:?e(parseInt(c?/?a)))?+?((c?=?c?%?a)?>?35???String.fromCharCode(c?+?29)?:?c.toString(36))
4????????????????}
5????????????????;
6????????????????if?(!''.replace(/^/,?String))?{
7????????????????????while?(c--)
8????????????????????????d[e(c)]?=?k[c]?||?e(c);
9????????????????????k?=?[function(e)?{
10????????????????????????return?d[e]
11????????????????????}
12????????????????????];
13????????????????????e?=?function()?{
14????????????????????????return?'\\w+'
15????????????????????}
16????????????????????;
17????????????????????c?=?1;
18????????????????}
19????????????????;while?(c--)
20????????????????????if?(k[c])
21????????????????????????p?=?p.replace(new?RegExp('\\b'?+?e(c)?+?'\\b','g'),?k[c]);
22????????????????return?p;
23????????????}('I.H({"G":4,"J":"M","L":"4.2","K":B,"A":"z","C":["F.2.3","E.2.3","D.2.3","N.2.3","X.2.3","W.2.3","V.2.3","Y.2.3","11.2.3","10.2.3","Z.2.3","Q.2.3","P.2.3","O.2.3","R.2.3","U.2.3","T.2.3","S.2.3","d.2.3","c.2.3","b.2.3","e.2.3","h.2.3","g.2.3","f.2.3","a.2.3","5.2.3","6.2.3","8.2.3","7.2.3","9.2.3","i.2.3","u.2.3","t.2.3","s.2.3","v.2.3","y.2.3","x.2.3","w.2.3","r.2.3","m.2.3","k.2.3","j.2.3","n.2.3","q.2.3","p.2.3","o.2.3","12.2.3","1E.2.3","1D.2.3","1C.2.3","1F.2.3","1I.2.3","1H.2.3","1G.2.3","1x.2.3","1w.2.3","1v.2.3","1y.2.3","1B.2.3","1A.2.3","1z.2.3","1V.2.3","1S.2.3","1T.2.3","1R.2.3","1W.2.3","1U.2.3","1L.2.3","1M.2.3","1J.2.3","1K.2.3","1P.2.3","1Q.2.3","1N.2.3","1O.2.3","1c.2.3","1b.2.3","1a.2.3","1d.2.3","1g.2.3","1f.2.3","1e.2.3","15.2.3","14.2.3","13.2.3","16.2.3"],"19":18,"17":1q,"1p":"/1o/l/1r/1u/","1t":1,"1s":"","1j":1i,"1h":0,"1k":{"1n":"1m"}}).1l();',?62,?121,?'D7BWAcHNgdwUwEbmARgJwHYAcwAMAmANgIz3wwJwLVwGZcytq966UyBWAws3A93OgINBTdGRQF8ZACwEOZevhll8BWi0m1puGWpkbdkvSF18ZAg7pW7iM0rq4ye1xyxpyWc2grr1aNtp+LFy0LrRMtGgsFBEsxLSkgDTegoDuysAAxgB2AIYAtnCohBgyCgBmAJYANnAAznjCdA2SBA18gsAIFQAmwBV5kAAiOQAuOcAAygCyABKduQWZPZ3gFRnAgOr+gJGqgATyDaw2KPQoh2pHeCiSKDongr4oFChUKMQPF1wvDcS4DrhcuC4zH8GhRcM8+JcGjRJA0mLhoroKDIqFguFgXFg5Ki8Fh6JiccQsKQallgCMAE4AV0KlSyFVqAAs4L0fkwMAiMBRsHgMMROTyaEwcWpcTjJFgdHCsOxwOS4AA3ACSvReJR4WTgAA8RsrgLUqsBZXBFXSRsAspSAII5S0AYRm3QAYgANDJYABagwmAHkYOSKuTupbgHlugpwLUZaMGcAicAqgyAF6dKoAewyAGsAPoZda1MYjSn1Dp/CgcKgcYgcBwcLiVvDlv4IwiSQg6b4ths0YgNvgcSw0Lh4ZG6BH9v46DhyWsN+hThtqDiGUEYASrn7tpiEZs0Cg8uQYXyHn4uDBqDDL+glPCELiEFyEeiEGzPgG+YoAqhtgGGe8AjBAA=='['\x73\x70\x6c\x69\x63']('\x7c'),?0,?{}))
解密過程
我們來捋一捋整個過程,首先網站加載頁面,執行了這段eval,解密了參數里的一堆密文,之后根據參數請求具體內容,那我們逆向只要拿到頁面的代碼,用execjs執行這段代碼不就能拿到md5值直接請求了嗎。
但是把這段代碼直接復制到eval解密里好像并沒有用,我感覺應該和末尾的加密參數有關,經過測試這段參數雖然長得和Base64很像但并不是base64加密,我又卡住了,所以我求助了大佬。
經過 @ 悅來客棧的老板 的提點我嘗試了下果然是這段代碼有問題:
經過解密替換,運行的結果就是我們在vm中看到的結果了:
到這里就簡單了,請求網頁的代碼,使用正則替換代碼里的密文,使用execjs執行這段代碼就可以得到md5值,再使用這個md5值就可以請求了。
總結
這次的解密文章寫的比較啰嗦,雖然整個加密比較簡單,但是自己在這整個過程也踩了不少坑,走了不少彎路。
JS逆向是細致活,需要大膽假設,小心求證,耐心調試,同時在逆向過程中卡住了需要求助的時候也不要不好意思。把自己思考的結果、遇到的問題描述清楚附上小小的紅包和大佬聊聊,會有意想不到的驚喜。
共勉~
總結
以上是生活随笔為你收集整理的bouml 逆向分析c++_JS逆向之漫画柜的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: rf中resourceid_解决VC++
- 下一篇: s3c2440移植MQTT