This is the seventh day of my participation in the August More text Challenge. For details, see:August is more challenging

Today’s web site

aHR0cDovL21hdGNoLnl1YW5yZW54dWUuY29tL21hdGNoLzE=

This site is a practice site, built by a well-known developer, where you work through a series of challenges

Bypass of the infinite Debugger

A debugger statement pauses the page as soon as you open the developer tools

Right-click the line number of the debugger statement and select "Never pause here" to skip it

Packet capture analysis and location

With the debugger skipped, the Network panel shows that the parameter we need to analyze is the m parameter of the following request

The parameter name is the single letter m, so a plain text search for it produces the following results, which are too many to be useful. Searching for the name is therefore not a practical way to find where the parameter is generated.

So change approach and use an XHR breakpoint to find where the parameter is set

Find the following position where the m parameter is generated

The browser cannot format this code well enough to read the logic, so copy it into an IDE for viewing

Locate m and see the following logic

The m here is obtained by adding the value of oo0O0 to window.f

Encryption analysis and implementation

Above we located where m is generated; now we need to analyze the two parts of its expression, oo0O0 and window.f

Look at the oo0O0

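/**
 * Obfuscated loader copied from the challenge page, with the punctuation that
 * was damaged during extraction restored so that the listing parses again.
 *
 * The function rebuilds a base64 string in window.b, decodes it, splices `mw`
 * into the decoded text and runs the result with eval(). According to the
 * surrounding write-up, the decoded text is what assigns window.f.
 *
 * Reading this safely: the eval() executes code that is assembled at run time
 * from page state, and `mw` is wrapped in single quotes without escaping, so a
 * quote inside `mw` would change the code that runs. To inspect the payload,
 * print atob(window.b) instead of executing it.
 *
 * @param {string} mw - value inserted, single-quoted, into the decoded code.
 * @returns {string} always the empty string; the useful output is a side effect.
 */
function oo0O0(mw) {
    // Rebuild the payload one character per element of window.a. The method
    // names come from document.e/g and document.f/h, which are set outside this
    // listing (presumably 'fromCharCode' and 'charCodeAt' - confirm on the page).
    window.b = '';
    for (var i = 0, len = window.a.length; i < len; i++) {
        // NOTE(review): looks like a debugging aid; confirm whether it is part of the site's script.
        console.log(window.a[i]);
        window.b += String[document.e + document.g](window.a[i][document.f + document.h]() - i - window.c);
    }
    // Encrypted string table; entries are decrypted on demand by J below.
    var U = ['W5r5W6VdIHZcT8kU', 'WQ8CWRaxWQirAW=='];
    // J(index, key): returns the decrypted table entry, caching it per index.
    var J = function (o, E) {
        o = o - 0x0; // '0x0' / '0x1' strings become the numbers 0 / 1
        var N = U[o];
        if (J['bSSGte'] === undefined) {
            // First call only: install the decoder and the cache on J itself.
            // Y is a base64 decoder whose alphabet lists lowercase letters first.
            var Y = function (w) {
                var m = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=',
                    T = String(w)['replace'](/=+$/, '');
                var A = '';
                for (var C = 0x0, b, W, l = 0x0; W = T['charAt'](l++); ~W && (b = C % 0x4 ? b * 0x40 + W : W, C++ % 0x4) ? A += String['fromCharCode'](0xff & b >> (-0x2 * C & 0x6)) : 0x0) {
                    W = m['indexOf'](W);
                }
                return A;
            };
            // t decodes w with Y, reinterprets the bytes via decodeURIComponent,
            // then applies RC4 (key schedule + keystream XOR) with key m.
            var t = function (w, m) {
                var T = [], A = 0x0, C, b = '', W = '';
                w = Y(w);
                for (var R = 0x0, v = w['length']; R < v; R++) {
                    W += '%' + ('00' + w['charCodeAt'](R)['toString'](0x10))['slice'](-0x2);
                }
                w = decodeURIComponent(W);
                var l;
                for (l = 0x0; l < 0x100; l++) {
                    T[l] = l;
                }
                for (l = 0x0; l < 0x100; l++) {
                    A = (A + T[l] + m['charCodeAt'](l % m['length'])) % 0x100, C = T[l], T[l] = T[A], T[A] = C;
                }
                l = 0x0, A = 0x0;
                for (var L = 0x0; L < w['length']; L++) {
                    l = (l + 0x1) % 0x100, A = (A + T[l]) % 0x100, C = T[l], T[l] = T[A], T[A] = C, b += String['fromCharCode'](w['charCodeAt'](L) ^ T[(T[l] + T[A]) % 0x100]);
                }
                return b;
            };
            J['luAabU'] = t, J['qlVPZg'] = {}, J['bSSGte'] = !![];
        }
        var H = J['qlVPZg'][o];
        // Cache miss: decrypt and store. J['TUDBIJ'] is set here but not read in this listing.
        return H === undefined ? (J['TUDBIJ'] === undefined && (J['TUDBIJ'] = !![]), N = J['luAabU'](N, E), J['qlVPZg'][o] = N) : N = H, N;
    };
    // Decode the payload, call the string method named by J('0x0', ...) with the
    // placeholder named by J('0x1', ...) and the quoted mw, then execute the result.
    // NOTE(review): the extracted page prints the second key as 'GTu! ' with a
    // trailing space, which looks like the same extraction damage as the other
    // literals; confirm against the live script.
    eval(atob(window['b'])[J('0x0', ']dQW')](J('0x1', 'GTu!'), '\x27' + mw + '\x27'));
    return '';
}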

Run the copied function directly in the console, and the result is an empty string

So the value of m is determined by window.f, but no assignment to window.f appears in this logic.

However, every time oo0O0 is run, the value of window.f changes, so the answer must still be inside oo0O0, and its logic needs further analysis

The following line of code is executed before oo0O0 returns an empty string

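// Last statement of oo0O0 before its return: base64-decode window.b, call the
// string method whose name J('0x0', ...) decrypts to, then execute the result.
eval(atob(window['b'])[J('0x0', ']dQW')](J('0x1', 'GTu!'), '\x27' + mw + '\x27'));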

Execute atob(window['b']) to get the following code

This includes window.f

Combining J and U from oo0O0, J('0x0', ']dQW') and J('0x1', 'GTu!') evaluate as follows

So the original code

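// Original form. mw is wrapped in single quotes ('\x27') and spliced into the
// decoded text without escaping before that text is executed.
eval(atob(window['b'])[J('0x0', ']dQW')](J('0x1', 'GTu!'), '\x27' + mw + '\x27'));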

Can be equivalent to

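// The string literal stands for the text returned by atob(window['b']), abridged here as '...'.
// That text is executed, not just decoded: to read it, print it instead of passing it to eval.
eval('... hex_md5(mwqqppz)'.replace('mwqqppz', '\x27' + mw + '\x27'));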

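So the scheme here hides the main hex_md5 logic inside a Base64-encoded string, substitutes the key argument by string replacement, and then executes the result with eval. Strictly speaking neither step is encryption: Base64 is a reversible encoding and MD5 is a hash, so the protection rests on obfuscation alone.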

Great, better than the average commercial site

Well, that’s all for today’s article. See you next time