This is the seventh day of my participation in the August More text Challenge. For details, see:August is more challenging
Today’s web site
aHR0cDovL21hdGNoLnl1YW5yZW54dWUuY29tL21hdGNoLzE=
This website is the website that some big guy builds rush pass
Bypass of the infinite Debugger
The debugger appears when you open the developer tool
Right-click the line number corresponding to the debugger and select Never Pause here to skip
Packet capture analysis and location
Skip the debugger and go through the network panel to find that the parameter we need to analyze is the m parameter of the following request
The parameter name only has one m, so direct retrieval will produce the following results, so give up the direct retrieval of the parameter to find the location.
So convert the idea and use the XHR breakpoint to find the parameter position
Find the following position where the m parameter is generated
There is no way to format it and see the corresponding logic, so copy it to the IDE for viewing
Locate M and see the following logic
The m here is obtained by adding the value of oo0O0 to window.f
Encryption analysis and implementation
Above we locate the generation position of m, here we need to analyze the expression of M oo0O0 and window.f
Look at the oo0O0
function oo0O0(mw) {
window.b = ' ';
for (var i = 0, len = window.a.length; i < len; i++) {
console.log(window.a[i]);
window.b += String[document.e + document.g](window.a[i][document.f + document.h]() - i - window.c)
}
var U = ['W5r5W6VdIHZcT8kU'.'WQ8CWRaxWQirAW=='];
var J = function (o, E) {
o = o - 0x0;
var N = U[o];
if (J['bSSGte'= = =undefined) {
var Y = function (w) {
var m = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=',
T = String(w)['replace'] (/ = + $/.' ');
var A = ' ';
for (var C = 0x0, b, W, l = 0x0; W = T['charAt'](l++); ~W && (b = C % 0x4 ? b * 0x40 + W : W, C++ % 0x4)? A +=String['fromCharCode'] (0xff & b >> (-0x2 * C & 0x6)) : 0x0) {
W = m['indexOf'](W)
}
return A
};
var t = function (w, m) {
var T = [], A = 0x0, C, b = ' ', W = ' ';
w = Y(w);
for (var R = 0x0, v = w['length']; R < v; R++) {
W += The '%' + ('00' + w['charCodeAt'](R)['toString'] (0x10))'slice'] (-0x2)
}
w = decodeURIComponent(W);
var l;
for (l = 0x0; l < 0x100; l++) {
T[l] = l
}
for (l = 0x0; l < 0x100; l++) {
A = (A + T[l] + m['charCodeAt'](l % m['length')) %0x100, C = T[l], T[l] = T[A], T[A] = C
}
l = 0x0, A = 0x0;
for (var L = 0x0; L < w['length']; L++) {
l = (l + 0x1) % 0x100, A = (A + T[l]) % 0x100, C = T[l], T[l] = T[A], T[A] = C, b += String['fromCharCode'](w['charCodeAt'](L) ^ T[(T[l] + T[A]) % 0x100])}return b
};
J['luAabU'] = t, J['qlVPZg'] = {}, J['bSSGte'] =!!!!! []}var H = J['qlVPZg'][o];
return H === undefined ? (J['TUDBIJ'= = =undefined && (J['TUDBIJ'] =!!!!! []), N = J['luAabU'](N, E), J['qlVPZg'][o] = N) : N = H, N
};
eval(atob(window['b'])[J('0x0'.']dQW')](J('0x1'.'GTu! '), '\x27' + mw + '\x27'));
return ' '
}
Copy the codeRun the copy directly in the console, and the result is null
Then the value of m is determined by window.f, which is not found in the logic.
However, every time oo0O0 is run, the value of window.f changes, so the problem is still in oo0O0, so further analysis of oo0O0 logic
The following line of code is executed before oo0O0 returns an empty string
eval(atob(window['b'])[J('0x0'.']dQW')](J('0x1'.'GTu! '), '\x27' + mw + '\x27'));
Copy the codeExecute atob(window[‘b’]) to get the following list of logic
This includes window.f
Combining J and U in oo0O0 gives J(‘0x0’, ‘]dQW’) and J(‘0x1’, ‘GTu! ‘) as follows
So the original code
eval(atob(window['b'])[J('0x0'.']dQW')](J('0x1'.'GTu! '), '\x27' + mw + '\x27'));
Copy the codeCan be equivalent to
// Atob (window['b'])
eval('... hex_md5(mwqqppz)'.replace('mwqqppz'.'\x27' + mw + '\x27'));
Copy the codeSo the encryption here is done by hiding the hex_MD5 principal encryption logic in the Base64 encoding, then replacing the key arguments with string substitution, and then executing eval
Great, better than the average commercial site
Well, that’s all for today’s article. See you next time