破解JS加密:url unicode加密而已 

加密所在的地方:http://tool.chinaz.com/Tools/UrlCrypt.aspx?url=www.baidu.com
 结果:     http://%77%77%77%2E%62%61%69%64%75%2E%63%6F%6D/
 替换:http://\x77\x77\x77\x2E\x62\x61\x69\x64\x75\x2E\x63\x6F\x6D/
查看:在地址栏输入javascript:alert("\x68\x6C\x61\x64\x66\x28\x29\x3B\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20");

window.location.href='http://\x77\x77\x77\x2E\x62\x61\x69\x64\x75\x2E\x63\x6F\x6D/';

<script language="JavaScript">
window.location.href='\x20\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x62\x61\x69\x64\x75\x2E\x63\x6F\x6D/';
</script>

加密后:%63%61%6F%62%75%67%2E%63%6F%6D

替换后:\x63\x61\x6F\x62\x75\x67\x2E\x63\x6F\x6D

朋友发来一套盗用过来的DISCUZ模板,但打开网站会弹出提示框:Sorry!xxx.com,然后自动跳转到原开发者网站,通过搜索N次也没有找到代码写在何处。没办法了,谁让小明哥这样乐于助人呢,瞧瞧吧^_^。

本地安装DISCUZ,接着将模板文件架构好。输入:http://localhost/portal.php,没有任何提示,好小子估计没判断 localhost。好吧,换成:http://127.0.0.1/portal.php 试试,有了…

QQ截图20130406152312 破解JS加密:修改版权弹窗&&加载页面自动跳转

当我们单击确定的时候,将自动跳到开发者网站,悲痛呀!不过这样做就显然给我们留下入口,JS有多少种提示框弹出方式?试试最简单的Alert吧。于是搜索 alert,所有文件中,侥幸找到一个。

QQ截图20130406152552 破解JS加密:修改版权弹窗&&加载页面自动跳转

弹出源码:alert(_0xb200[10]),好吧,改成:alert('test'),刷新网页,哈哈~预期弹出:test,看来是找对地方了。

于是删除他的条件判断:

1
;if(obj[_0xb200[7]](_0xb200[8])==0||obj[_0xb200[7]](_0xb200[9])==0){}else{alert(_0xb200[10]);window[_0xb200[2]][_0xb200[0]]=_0xb200[11];};

在刷新网页,发现没任何弹窗和任何跳转了,这样就解决了问题,但如果也想像作者一样保护自己的“版权”,可以这样:

其中_0xb200[7]这样的形式,很显然是数组,看看开发者如何申明遍历的吧,本文件中搜索:_0xb200,找到了:

1
var _0xb200=["\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x70\x6C\x61\x63\x65","\x74\x6F\x70","\x68\x72\x65\x66","\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65","\x73\x75\x62\x73\x74\x72","\x77\x77\x77\x2E","\x69\x6E\x64\x65\x78\x4F\x66","\x6C\x6F\x63\x61\x6C\x68\x6F\x73\x74","\x35\x69\x32\x33\x2E\x63\x6F\x6D","\x53\x6F\x72\x72\x79\x21\x20\x53\x69\x6E\x67\x63\x65\x72\x65\x2E\x4E\x65\x74","\x20\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x69\x6E\x67\x63\x65\x72\x65\x2E\x6E\x65\x74"];

我去,加密了!解密还是比较简单,让浏览器去做。于是小明哥在桌面新创建了 test.html 文件,写道:

1
2
3
4
5
6
<script type="text/javascript">
    var _0xb200=["\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x70\x6C\x61\x63\x65","\x74\x6F\x70","\x68\x72\x65\x66","\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65","\x73\x75\x62\x73\x74\x72","\x77\x77\x77\x2E","\x69\x6E\x64\x65\x78\x4F\x66","\x6C\x6F\x63\x61\x6C\x68\x6F\x73\x74","\x35\x69\x32\x33\x2E\x63\x6F\x6D","\x53\x6F\x72\x72\x79\x21\x20\x53\x69\x6E\x67\x63\x65\x72\x65\x2E\x4E\x65\x74","\x20\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x69\x6E\x67\x63\x65\x72\x65\x2E\x6E\x65\x74"];
    for(var i =0; i < _0xb200.length; i++){
        alert(i +': '+ _0xb200[i]);
    }
</script>

运行 test.html 试试吧,结果输出:

0: location

1: replace

2: top

3: href

4: toLowerCase

5: substr

6: www.

7: indexOf

8: localhost

9:5i23.com

10:Sorry!Singcere.Net

11:  http://www.singcere.net

好小子,首先获得页面 URL,然后用 indexOf 截取判断,最后弹出消息和跳到指定网站!于是小明哥把数组下标为9的5i23.com修改为自己的网站URL,然后数组下标为11的目标网页修改自己成网站,将计就计,哈哈!

好吧,先找个转换工具把我们新的URL用十六进制加密,然后将百分号(%)替换成:\x

实战:caobug.com(数组 9)

工具:http://www.55la.cn/UrlCrypt/

加密后:%63%61%6F%62%75%67%2E%63%6F%6D

替换后:\x63\x61\x6F\x62\x75\x67\x2E\x63\x6F\x6D

弹出信息也替换了(数组 10):

加密后:%53%6F%72%72%79%21%20%43%61%6F%62%75%67%2E%63%6F%6D

替换后:\x53\x6F\x72\x72\x79\x21\x20\x43\x61\x6F\x62\x75\x67\x2E\x63\x6F\x6D

侵权后跳转到(数组 11):

加密后:%77%77%77%2E%63%61%6F%62%75%67%2E%63%6F%6D(www.caobug.com)

替换后:\x20\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x6F\x62\x75\x67\x2E\x63\x6F\x6D(http://www.caobug.com)

其中,\x20\x68\x74\x74\x70\x3A\x2F\x2F 表示:http://,有的工具无法转换,我们就自己添加上。

最终结果:

1
var _0xb200=["\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x70\x6C\x61\x63\x65","\x74\x6F\x70","\x68\x72\x65\x66","\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65","\x73\x75\x62\x73\x74\x72","\x77\x77\x77\x2E","\x69\x6E\x64\x65\x78\x4F\x66","\x6C\x6F\x63\x61\x6C\x68\x6F\x73\x74","\x63\x61\x6F\x62\x75\x67\x2E\x63\x6F\x6D","\x53\x6F\x72\x72\x79\x21\x20\x43\x61\x6F\x62\x75\x67\x2E\x63\x6F\x6D","\x20\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x6F\x62\x75\x67\x2E\x63\x6F\x6D"];

我们粘贴到 test.html,看下能否正常输出我们加密的字符串。

1
2
3
4
5
6
<scripttype="text/javascript">
    var _0xb200=["\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x70\x6C\x61\x63\x65","\x74\x6F\x70","\x68\x72\x65\x66","\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65","\x73\x75\x62\x73\x74\x72","\x77\x77\x77\x2E","\x69\x6E\x64\x65\x78\x4F\x66","\x6C\x6F\x63\x61\x6C\x68\x6F\x73\x74","\x63\x61\x6F\x62\x75\x67\x2E\x63\x6F\x6D","\x53\x6F\x72\x72\x79\x21\x20\x43\x61\x6F\x62\x75\x67\x2E\x63\x6F\x6D","\x20\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x6F\x62\x75\x67\x2E\x63\x6F\x6D"];
    for(var i =0; i < _0xb200.length; i++){
        alert(i +': '+ _0xb200[i]);
    }
</script>

输出结果:

0: location

1: replace

2: top

3: href

4: toLowerCase

5: substr

6: www.

7: indexOf

8: localhost

9: caobug.com

10: Sorry! Caobug.com

11:  http://www.caobug.com

哇塞,一次成功。我们到此就可以替换开发者提供的文件啦~

1
var _0xb200=["\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x70\x6C\x61\x63\x65","\x74\x6F\x70","\x68\x72\x65\x66","\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65","\x73\x75\x62\x73\x74\x72","\x77\x77\x77\x2E","\x69\x6E\x64\x65\x78\x4F\x66","\x6C\x6F\x63\x61\x6C\x68\x6F\x73\x74","\x35\x69\x32\x33\x2E\x63\x6F\x6D","\x53\x6F\x72\x72\x79\x21\x20\x53\x69\x6E\x67\x63\x65\x72\x65\x2E\x4E\x65\x74","\x20\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x69\x6E\x67\x63\x65\x72\x65\x2E\x6E\x65\x74"];

替换成:

1
var _0xb200=["\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x70\x6C\x61\x63\x65","\x74\x6F\x70","\x68\x72\x65\x66","\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65","\x73\x75\x62\x73\x74\x72","\x77\x77\x77\x2E","\x69\x6E\x64\x65\x78\x4F\x66","\x6C\x6F\x63\x61\x6C\x68\x6F\x73\x74","\x63\x61\x6F\x62\x75\x67\x2E\x63\x6F\x6D","\x53\x6F\x72\x72\x79\x21\x20\x43\x61\x6F\x62\x75\x67\x2E\x63\x6F\x6D","\x20\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x6F\x62\x75\x67\x2E\x63\x6F\x6D"];

最后成功了,我们使用 127.0.0.1 等其它域名访问都会弹出提示框,然后跳到 caobug.com 网站。

QQ截图20130406160147 破解JS加密:修改版权弹窗&&加载页面自动跳转

到这里,问题就解决了,也实现了我们的想法。假期结束了,还没睡够呢~

posted @ 2013-11-25 15:30  也许明天  阅读(14205)  评论(0编辑  收藏  举报