警告:该随笔内容仅用于合法范围下的学习,不得用于任何商业和非法用途,不得未经授权转载,否则后果自负。
首先是需要解密的网站:https://www.aqistudy.cn/historydata/monthdata.php?city=%E5%8C%97%E4%BA%AC,在这个网址尝试按鼠标右键/F12会跳出禁止调试对话框。因此为了进入F12界面,可以右键后再按f12.
然而该网站会检测到f12的打开,并立即改写网页内容。而在f12里面,会频繁跳出debugger,只能查出一段含有["constructor"]("debugger")())的混淆后的SOURCE代码,如下(后面我会我用省略号省去大多数加密后的枯燥的内容)
var debugflag = false;
document.onkeydown = function() {
if ((e.ctrlKey) && (e.keyCode == 83)) {
alert("检测到非法调试,CTRL + S被管理员禁用");
return false;
}
}
document.onkeydown = function() {
var e = window.event || arguments[0];
if (e.keyCode == 123) {
alert("检测到非法调试,F12被管理员禁用");
return false;
}
}
document.oncontextmenu = function() {
alert('检测到非法调试,右键被管理员禁用');
return false;
}
!function () {
if (window.outerWidth - window.innerWidth > 210 ||
window.outerHeight - window.innerHeight > 210) {
$('#body').html('检测到非法调试, 请关闭调试终端后刷新本页面重试!<br/>Welcome for People, Not Welcome for Machine!<br/>');
debugflag = true;
}
const handler = setInterval(() => {
if (window.outerWidth - window.innerWidth > 210 ||
window.outerHeight - window.innerHeight > 210) {
$('#body').html('检测到非法调试, 请关闭调试终端后刷新本页面重试!<br/>Welcome for People, Not Welcome for Machine!<br/>');
debugflag = true;
}
const before = new Date();
(function() {}
["constructor"]("debugger")())
const after = new Date();
const cost = after.getTime() - before.getTime();
if (cost > 50) {
debugflag = true;
document.write('检测到非法调试, 请关闭调试终端后刷新本页面重试!<br/>');
document.write("Welcome for People, Not Welcome for Machine!<br/>");
}
}, 2000)
}();
所以无法得知产生debugger的根本源码在哪儿。
经过一番折腾,最终猜测https://www.aqistudy.cn/historydata/resource/js/deJvi1NlJdQpH.min.js?t=1631459101这个代码就是要找的。代码内容如下:
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('2(0(0(\'1\')))',3,3,'dweklxde|WT省略号XA5|eval'.split('|'),0,{}))
这是一段超长的代码,连我的油猴编辑器都变卡了。现在分析一下简化后的代码(把eval去掉了):
(function ANM(p, a, c, k, e, d) {
e = function(c) {
return c
};
if (!''.replace(/^/, String)) {
while (c--) {
d[c] = k[c] || c
}
k = [function(e) {
return d[e]
}];
e = function() {
return '\\w+'
};
c = 1
};
while (c--) {
if (k[c]) {
p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c])
}
}
return p
})('2(0(0(\'1=\')))', 3, 3, 'dweklxde|WT省略号Dk|eval'.split('|'), 0, {})
这是一个传入6个形参的匿名函数,定义后就立即执行(传入实参,实例化)。经过在StackOverflow上的检索,我知道了if (!''.replace(/^/, String)) 的作用,大致是判断replace在当前浏览器的兼容性如何的,这不是重点,当下还是解密为重。把原来的密文传入后,运行的结果为:
"eval(dweklxde(dweklxde('WT省略号Dk=')))"
代码中再次出现了eval,此外还出现了两次dweklxde这段申必代码。故我在网站全套源码里检索了这个申必代码,并惊喜的发现了其定义:
function dweklxde(tsdx){
var b=new Base64();
return b.decode(tsdx)
}
把eval去掉后,在原网页控制台执行dweklxde(dweklxde(残余的密文)),得到了以下输出:
const askhMzDQ7qNo = "aTtcZsDM6Q4W30w5";//AESkey,可自定义
const asium9nuSIrA = "bf4STpo4157Vwqwb";//密钥偏移量IV,可自定义
const ackDrdNRViAM = "dbxOAFBzWKAtR7G8";//AESkey,可自定义
const aciyyIkBh3oq = "fNEcReKtHOhYss8e";//密钥偏移量IV,可自定义
const dskcfiXeCyq7 = "h2cTaMqHmG86zGgs";//DESkey,可自定义
const dsiRXgqLSp5I = "xbnl4T59FFDkdlBc";//密钥偏移量IV,可自定义
const dckUcY5kLrAk = "oihJrNyLdihbAQpu";//DESkey,可自定义
const dcihFBYD1foW = "pGOltTq5bcJfOBBY";//密钥偏移量IV,可自定义
const aes_local_key = 'emhlbnFpcGFsbWtleQ==';
const aes_local_iv = 'emhlbnFpcGFsbWl2';
var BASE64 = {
encrypt: function(text) {
var b = new Base64();
return b.encode(text);
},
decrypt: function(text) {
var b = new Base64();
return b.decode(text);
}
};
var DES = {
encrypt: function(text, key, iv){
var secretkey = (CryptoJS.MD5(key).toString()).substr(0, 16);
var secretiv = (CryptoJS.MD5(iv).toString()).substr(24, 8);
secretkey = CryptoJS.enc.Utf8.parse(secretkey);
secretiv = CryptoJS.enc.Utf8.parse(secretiv);
var result = CryptoJS.DES.encrypt(text, secretkey, {
iv: secretiv,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7
});
return result.toString();
},
decrypt: function(text, key, iv){
var secretkey = (CryptoJS.MD5(key).toString()).substr(0, 16);
var secretiv = (CryptoJS.MD5(iv).toString()).substr(24, 8);
secretkey = CryptoJS.enc.Utf8.parse(secretkey);
secretiv = CryptoJS.enc.Utf8.parse(secretiv);
var result = CryptoJS.DES.decrypt(text, secretkey, {
iv: secretiv,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7
});
return result.toString(CryptoJS.enc.Utf8);
}
};
var AES = {
encrypt: function(text, key, iv) {
var secretkey = (CryptoJS.MD5(key).toString()).substr(16, 16);
var secretiv = (CryptoJS.MD5(iv).toString()).substr(0, 16);
// console.log('real key:', secretkey);
// console.log('real iv:', secretiv);
secretkey = CryptoJS.enc.Utf8.parse(secretkey);
secretiv = CryptoJS.enc.Utf8.parse(secretiv);
var result = CryptoJS.AES.encrypt(text, secretkey, {
iv: secretiv,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7
});
return result.toString();
},
decrypt: function(text, key, iv) {
var secretkey = (CryptoJS.MD5(key).toString()).substr(16, 16);
var secretiv = (CryptoJS.MD5(iv).toString()).substr(0, 16);
secretkey = CryptoJS.enc.Utf8.parse(secretkey);
secretiv = CryptoJS.enc.Utf8.parse(secretiv);
var result = CryptoJS.AES.decrypt(text, secretkey, {
iv: secretiv,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7
});
return result.toString(CryptoJS.enc.Utf8);
}
};
var localStorageUtil = {
save: function(name, value) {
var text = JSON.stringify(value);
text = BASE64.encrypt(text);
text = AES.encrypt(text, aes_local_key, aes_local_iv);
try {
localStorage.setItem(name, text);
} catch (oException) {
if (oException.name === 'QuotaExceededError') {
console.log('Local limit exceeded');
localStorage.clear();
localStorage.setItem(name, text);
}
}
},
check: function(name) {
return localStorage.getItem(name);
},
getValue: function(name) {
var text = localStorage.getItem(name);
var result = null;
if (text) {
text = AES.decrypt(text, aes_local_key, aes_local_iv);
text = BASE64.decrypt(text);
result = JSON.parse(text);
}
return result;
},
remove: function(name) {
localStorage.removeItem(name);
}
};
// console.log('base64', BASE64.encrypt('key'));
function dAel1E5FtZ8(pf5OVah) {
pf5OVah = DES.decrypt(pf5OVah, dskcfiXeCyq7, dsiRXgqLSp5I);
return pf5OVah;
}
function dcLpsq6sB7(pf5OVah) {
pf5OVah = AES.decrypt(pf5OVah, askhMzDQ7qNo, asium9nuSIrA);
return pf5OVah;
}
function gEE7JrZUSW45M88T(key, period) {
if (typeof period === 'undefined') {
period = 0;
}
var d = DES.encrypt(key);
d = BASE64.encrypt(key);
var data = localStorageUtil.getValue(key);
if (data) { // 判断是否过期
const time = data.time;
const current = new Date().getTime();
if (new Date().getHours() >= 0 && new Date().getHours() < 5 && period > 1) {
period = 1;
}
if (current - (period * 60 * 60 * 1000) > time) { // 更新
data = null;
}
// 防止1-5点用户不打开页面,跨天的情况
if (new Date().getHours() >= 5 && new Date(time).getDate() !== new Date().getDate() && period === 24) {
data = null;
}
}
return data;
}
function oshxcxc8Lo(obj) {
var newObject = {};
Object.keys(obj).sort().map(function(key){
newObject[key] = obj[key];
});
return newObject;
}
function dhv7s6TfbwDPIepj215O(data) {
data = BASE64.decrypt(data);
data = DES.decrypt(data, dskcfiXeCyq7, dsiRXgqLSp5I);
data = AES.decrypt(data, askhMzDQ7qNo, asium9nuSIrA);
data = BASE64.decrypt(data);
return data;
}
var pNOZW4pEhNH = (function(){
function oshxcxc8Lo(obj){
var newObject = {};
Object.keys(obj).sort().map(function(key){
newObject[key] = obj[key];
});
return newObject;
}
return function(mOAJWRjCd, oyNl2g){
var aRT5 = '3945282e47e176b3af7c4cf62edf0cf5';
var cXlfM = 'WEB';
var t1PYHUr = new Date().getTime();
var pf5OVah = {
appId: aRT5,
method: mOAJWRjCd,
timestamp: t1PYHUr,
clienttype: cXlfM,
object: oyNl2g,
secret: hex_md5(aRT5 + mOAJWRjCd + t1PYHUr + cXlfM + JSON.stringify(oshxcxc8Lo(oyNl2g)))
};
pf5OVah = BASE64.encrypt(JSON.stringify(pf5OVah));
pf5OVah = DES.encrypt(pf5OVah, dckUcY5kLrAk, dcihFBYD1foW);
return pf5OVah;
};
})();
function spRLIQarqGIFjayN1z(mOAJWRjCd, o8WGj0NwLH, c6yqLt8Q0, pVBXfIU) {
const krya = hex_md5(mOAJWRjCd + JSON.stringify(o8WGj0NwLH));
const dqlC4 = gEE7JrZUSW45M88T(krya, pVBXfIU);
if (!dqlC4) {
var pf5OVah = pNOZW4pEhNH(mOAJWRjCd, o8WGj0NwLH);
$.ajax({
url: 'api/historyapi.php',
data: { hHUxtR6cG: pf5OVah },
type: "post",
success: function (dqlC4) {
dqlC4 = dhv7s6TfbwDPIepj215O(dqlC4);
oyNl2g = JSON.parse(dqlC4);
if (oyNl2g.success) {
if (pVBXfIU > 0) {
oyNl2g.result.time = new Date().getTime();
localStorageUtil.save(krya, oyNl2g.result);
}
c6yqLt8Q0(oyNl2g.result);
} else {
console.log(oyNl2g.errcode, oyNl2g.errmsg);
}
}
});
} else {
c6yqLt8Q0(dqlC4);
}
}
虽然现在看不懂解密后的代码什么意思,但是感觉很厉害的样子!
真是悲剧啊,刚解密了前几天的代码,今儿一看,又更新了新的密文。
我现在掌握的最新情报是,这个网页每隔600秒就变更一次该加密的js文件,而且我已经发现了3种不同的加密模式(但解密后的密文根本上都和这个一致)
