This is the fourth day of my participation in the August More Text Challenge.
Today’s web site
aHR0cHM6Ly9wYXNzcG9ydC5nb2pveS5jb20vbG9naW4=
The difficulty of the articles on this public account does not rise or fall in any particular order. I write about whatever I run into, so it is like opening a blind box, and this article may be quite dry.
Debugging
For this site we are analyzing the encryption logic of the parameters the page submits, so first open the developer tools to capture packets
As soon as the developer tools are open, the page drops into a debugger statement
There are many ways to get past the debugger. Here, right-click the line and choose Never pause here
The setup looks like this
Then click the blue arrow on the right
Locating the encryption
With the debugger out of the way, enter a phone number and password and submit; the following request appears under Network
The submitted Form Data contains no keywords, so searching for it is not possible, but the code can be located using the XHR request and call-stack analysis.
Open it from Initiator
Once inside, set a breakpoint at the first entry, then submit the data again
You can see that L has already been generated here
So go up the call stack until you arrive here
This is where the parameters are submitted, and the t here contains the parameters to be submitted, so I set a breakpoint here
Release the breakpoint, resubmit, and it breaks on the post line
At this point the encrypted data has not been generated in t yet, and s is the data submitted on the page
So the encryption is generated after this point; step forward from here, one step at a time for a few steps
You’ll see the following logic
As I mentioned in my previous article, a lot of the operations before the request are done in these interceptors
So set a breakpoint here
Then set another breakpoint on line 750
Let’s see what happens when we run it
So the encryption logic is in this Q
which is this s function
Encryption analysis
When you step into the Q function the code is ugly, so first copy it locally and look at the overall structure
You can see that s is wrapped in a !function(){}(), which is a self-executing function
So we need to run this separately
We tried to run this self-executing code directly locally, but got an error
The error is caught inside the code, so we cannot see its cause; just remove the try...catch
Run it again and the error says that this.b is not a function
Further debugging shows that, when it is called in the code, the a passed to this.b is the following string
Is this string format familiar? It is obvious that this.b is atob on window, so we need to supply that logic ourselves. I listed how to do this in an earlier article; you can click the blue text below to review it
[link]
Let’s just copy and paste the logic
Change the code to
// this.abv = [this]["filter"]["constructor"]("return this")()[this.b](a || b >> d)
this.abv = xazxBase64.decode(a || b >> d)
Run it again and it reports that domain is not defined
As you know, domain is a property under document that identifies the current site
I just prepended a generic environment header and ran it
The result comes out, but something is off: the code keeps pausing
So let's go ahead and find this position
It turns out that setInterval is used to call debugger
“The setInterval() method, offered on the Window and Worker interfaces, repeatedly calls a function or executes a code snippet, with a fixed time delay between each call.”
I can just delete this code and it will work
Patching the environment works nicely
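The environment patching described above, as an added example that is not code from the original article or from the site: a Node vm harness that supplies atob and document.domain, records the setInterval callback instead of scheduling it, and logs which document properties the script reads. SAMPLE, runExtracted and example.test are constructed for illustration.

```javascript
const vm = require("node:vm");

// Constructed stand-in for an extracted script (not the site's code). It has
// the shape described above: a self-executing function that reaches the global
// object through the Function constructor, decodes a string with atob, arms a
// setInterval debugger trap and checks document.domain.
const SAMPLE = `
!function () {
  var g = [this]["filter"]["constructor"]("return this")();
  setInterval(function () { debugger; }, 500);
  for (var i = 0, o = 18; i < o; i++) {
    if (document.domain !== "example.test") throw new Error("domain check");
  }
  out = g["atob"]("aGVsbG8=");
}();
`;

// Hypothetical helper: run `source` in a fresh vm context that holds only the
// stubs it needs, and report what it touched. vm is not a security boundary,
// so only use it for code you already intend to execute.
function runExtracted(source, domain) {
  const touched = []; // document properties the script read
  const timers = [];  // callbacks passed to setInterval, never scheduled
  const sandbox = {
    atob: (s) => Buffer.from(s, "base64").toString("latin1"),
    setInterval: (fn, ms) => { timers.push({ ms, src: String(fn) }); return 0; },
    document: new Proxy({ domain }, {
      get(target, prop) { touched.push(String(prop)); return target[prop]; },
    }),
  };
  vm.createContext(sandbox);
  try {
    vm.runInContext(source, sandbox, { timeout: 1000 });
    return { ok: true, out: sandbox.out, touched, timers };
  } catch (err) {
    return { ok: false, error: err.message, touched, timers };
  }
}

console.log(runExtracted(SAMPLE, "example.test"));
```

The touched and timers lists show which checks the script performs, so each stub can be justified instead of guessed.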
Now some people ask: what if I don't want to patch the environment, how do I do it then?
So let’s go back to where the domain was detected
Find out where the error was reported, and you can see that the code logic is in a large for loop expression
The pseudocode is as follows
for(var i = 0, o = 18; i < [a lump of code]; i++){method body}
So you can only debug the breakpoint step by step
It’s kind of gross. There’s a debugger
Just delete it and continue debugging
After that, it reports that domain is not defined. How do we fill that in now?
I debug this code on the web page and find that the result is a fixed value, as follows
But if I replace it with a fixed 18, the for loop will look like this
for(var i = 0, o = 18; i < 18; i++){method body}
The method body is the detection logic, including the debugger and the domain checks
So why not just skip this code? We have worked out its logic: it contains no encryption logic, only detection
Here we directly change the logic of the loop to
for(var i = 0, o = 18; i < 0; i++){method body}
Just let the code skip it
Follow the above idea, modify, and see the output of the result
PS: Remember to comment out the setInterval call
Well, that’s all for now. See you next time