js逆向求助

krystal

本帖最后由 krystal 于 2024-2-1 16:08 编辑

整不出来啊各位好哥哥帮忙看一下（金币奉上）🤡

网站地址：https://www.jsjiami.com/
触发条件：

逆向接口：https://www.jsjiami.com/auth_v_1_0/v7/js/js_obfuscator.json
干了一天没出来的参数：sojsonData

---

关键加密位置

李恒道

var _0x58b14a = (Math.random() * 100).toString(32);
    var _0x40fdd5 = so.trim(so("#source").val()); //代码
const result="js|" + _0x58b14a + "|" + _0x40fdd5.length

key在
            t.prototype.getKey = function (t) {
                if (!this.key) {
                    if (this.key = new it, t && "[object Function]" === {}.toString.call(t)) return void this.key.generateAsync(this.default_key_size, this.default_public_exponent, t);
                    this.key.generate(this.default_key_size, this.default_public_exponent)
                }
                return this.key
            }
size 1024
public 010001
取加密后算出
0bb81715e88746562c30593eab993e0937a97cb1748cec427d7cfefa06353dff9c86444cb28e972e5bfc10629327bbc7382ca86fe331b046acff12a65e02c37f4d0e03b7ddaff9b9bdc08e02ab8930783bb3db8cf0999d8af6a70cbe2dc9a1d386020d186e8b85538959fdd965c1e3abeece75d8a963ffc70c93bcbe5de217f7
走一层位运算
    function c(t) {
        var e, i, r = "";
        for (e = 0; e + 3 <= t.length; e += 3) i = parseInt(t.substring(e, e + 3), 16), r += h.charAt(i >> 6) + h.charAt(63 & i);
        for (e + 1 == t.length ? (i = parseInt(t.substring(e, e + 1), 16), r += h.charAt(i << 2)) : e + 2 == t.length && (i = parseInt(t.substring(e, e + 2), 16), r += h.charAt(i >> 2) + h.charAt((3 & i) << 4)); 0 < (3 & r.length);) r += "=";
        return r
    }

王一之

好像有通杀的，但是我不知道，等大佬来解答

李恒道

标准ob，先用babel走ast解掉混淆，剩下直接覆盖本地文件无脑调就行了
也不建议用这个
直接用ob官方库比这个更好

krystal

李恒道 发表于 2024-2-1 16:35
标准ob，先用babel走ast解掉混淆，剩下直接覆盖本地文件无脑调就行了
也不建议用这个
直接用ob官方库比这个 ...

gg真快 我哭死

李恒道

https://github.com/search?q=repo ... Async&type=code
库有点像这个

李恒道

krystal 发表于 2024-2-1 16:38
gg真快 我哭死

写太多了
感兴趣可以正经看一下ast解混淆的那本书
然后多看一些其他大佬的ast代码
熟悉了之后普通ob几乎秒开
-------------------------------------------------
我刚开始入门好像就是搞得他家ast

krystal

李恒道 发表于 2024-2-1 16:46
写太多了
感兴趣可以正经看一下ast解混淆的那本书
然后多看一些其他大佬的ast代码

好的好的

青龙

AST狗都不玩
但是我玩

krystal

李恒道 发表于 2024-2-1 16:35
标准ob，先用babel走ast解掉混淆，剩下直接覆盖本地文件无脑调就行了
也不建议用这个
直接用ob官方库比这个 ...

1. import axios from "axios";
   
2. import qs from "qs";
   
3. import querystring from "querystring";
   
4. import { JSEncrypt } from "./lib/JSEncrypt";
   
5. 
   
6. var encrypt = new JSEncrypt();
   
7. encrypt.setPublicKey(
   
8.   "-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCM2eQ5SNpL7Lbv9Uh6UPY/kk5Hpm1fwjPriMd2n3aACGQKus3L3xYnsd67BThXFh7+khiTZ0Ixm9HX03EbS8N6oggeoordvWN6oIS75RRhJFqHZhCdf18W27FmOoBp5tlQXPt0z7tdi3KG4D+4464tsbyybvESDCG3yWVeK0HB9wIDAQAB-----END PUBLIC KEY-----"
   
9. );
   
10. let urlParam = (Math.random() * 100).toString(32);
    
11. let source = 'console.log("Hello")'.replace(/(^\s*)|(\s*$)/g, "");
    
12. let result = "js|" + urlParam + "|" + source.length;
    
13. 
    
14. var sojsondata = encrypt.encrypt(result);
    
15. 
    
16. let sojsonhost = encrypt.encrypt("www.jsjiami.com" + "|" + +Date.now());
    
17. 
    
18. function request(urlParam, source, sojsondata, sojsonhost) {
    
19.   var data = querystring.stringify({
    
20.     source,
    
21.     rotateStringArrayEnabled: "true",
    
22.     compact: "true",
    
23.     controlFlowFlattening: "true",
    
24.     deadCodeInjection: "true",
    
25.     imark: "true",
    
26.     basic: "true",
    
27.     controlFlowFlatteningThreshold: "0.7",
    
28.     deadCodeInjectionThreshold: "0.5",
    
29.     stringArrayEncoding: "rc4",
    
30.     stringArrayThreshold: "0.7",
    
31.     allRename: "false",
    
32.     selfDefending: "false",
    
33.     platform: "0",
    
34.     stringArrayShuffle: "true",
    
35.     splitStrings: "true",
    
36.     stringArrayStorageItemNum: "3",
    
37.     stringArrayStorageItemNum: "3",
    
38.     simplify: "true",
    
39.     numbersToExpressions: "true",
    
40.     best: "true",
    
41.     niub: "false",
    
42.     autojs: "false",
    
43.     encodeVersion: "jsjiami.com.v7",
    
44.     basicName: "1",
    
45.     selenium: "0",
    
46.     unicodeEscapeSequence: "false",
    
47.     debugProtection: "false",
    
48.     disableConsoleOutput: "false",
    
49.     domains: "",
    
50.     reservedStrings: "",
    
51.     reservedNames: "",
    
52.   });
    
53. 
    
54.   let url =
    
55.     "https://www.jsjiami.com/auth_v_1_0/v7/js/js_obfuscator.json?v=" + urlParam;
    
56. 
    
57.   var config = {
    
58.     method: "POST",
    
59. 
    
60.     headers: {
    
61.       authority: "www.jsjiami.com",
    
62.       method: "POST",
    
63.       scheme: "https",
    
64.       Accept: "application/json, text/javascript, */*; q=0.01",
    
65.       path: "/auth_v_1_0/v7/js/js_obfuscator.json?v=" + urlParam,
    
66. 
    
67.       "accept-language": "zh-CN,zh;q=0.9",
    
68.       "cache-control": "max-age=0",
    
69.       origin: "https://www.jsjiami.com",
    
70.       pragma: "no-cache",
    
71.       referer: "https://www.jsjiami.com/",
    
72.       "sec-ch-ua":
    
73.         '"Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"',
    
74.       "sec-ch-ua-mobile": "?0",
    
75.       "sec-ch-ua-platform": '"Windows"',
    
76.       "sec-fetch-dest": "empty",
    
77.       "sec-fetch-mode": "cors",
    
78.       "sec-fetch-site": "same-origin",
    
79.       Cookie:
    
80.         "Hm_lvt_75b5ae4b288fcf7d181cec6859c9754f=1706764075,1706770756,1706779344,1706838286; Hm_lpvt_75b5ae4b288fcf7d181cec6859c9754f=1706838286",
    
81.       sojsondata,
    
82.       sojsonhost,
    
83.       "user-agent":
    
84.         "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    
85.       "x-requested-with": "XMLHttpRequest",
    
86.       "content-type": "application/x-www-form-urlencoded",
    
87.     },
    
88.     data,
    
89.     url,
    
90.   };
    
91. 
    
92.   axios(config)
    
93.     .then(function (response) {
    
94.       console.log(response.data);
    
95.     })
    
96.     .catch(function (error) {
    
97.       console.log(error);
    
98.     });
    
99. }
    
100. request(urlParam, source, sojsondata, sojsonhost);
     

复制代码