【web_逆向13】ob混淆及实战

什么是ob混淆?

  • OB 混淆和变量名混淆是常用的代码混淆技术。
  • OB 混淆是指在代码中添加一些无用的代码和函数,以增加代码的复杂度和难以理解性,从而增加代码的保护性。
  • 变量名混淆是指将变量名替换为无意义的字符串,增加代码的难度和防止代码的逆向分析。

ob混淆的特点

  • 它会把常规的所有的.操作处理成[]操作
  • 把所有的字符串进行加密处理. 进行统一管理, 同时提供字符串解密函数
  • 对数组进行打乱. 同时提供可以还原该数组的算法

实战

  • 1、获取电影年度排行榜数据:https://www.xxx.com.cn/BoxOffice/BO/Year/index.html
  • 2、经过分析,数据不在页面源代码;于是切换到Fetch/XHR,经过调试,发现返回的数据被加密了
  • 3、加密入口
  • 4、经过分析,加密数据大概率是由:JSON.parse(JSON.parse(webInstace.shell(e)))解密
  • 5、验证,console中将接口返回的加密数据,放到JSON.parse(webInstace.shell(e))中验证
  • 6、注意:由于此处是三元表达式,我们在滑动鼠标显示参数值的时候会运行代码,最好在console中输入函数,进入加密函数
  • 7、扣取此处代码
    var _0x4da59e = {
        'bUIIa': function _0x2a2af9(_0x779387, _0x4a4fec) {
            return _0x779387 + _0x4a4fec;
        }
    };
    var _0x9843d3 = function(_0x29d556, _0xcc6df, _0x3d7020) {
        if (0x0 == _0xcc6df)
            return _0x29d556[_0x2246('0x254', '4VZ$')](_0x3d7020);
        var _0x48914b;
        _0x48914b = '' + _0x29d556[_0x2246('0x255', 'GL3Q')](0x0, _0xcc6df);
        return _0x48914b += _0x29d556['substr'](_0x4da59e[_0x2246('0x256', 'DK[&')](_0xcc6df, _0x3d7020));
    };
    this[_0x2246('0x257', 'nArV')] = function(_0xa0c834) {
        var _0x51eedc = {
            'pKENi': function _0x2f627(_0x5b6f5a, _0x440924) {
                return _0x5b6f5a === _0x440924;
            },
            'wnfPa': 'ZGz',
            'VMmle': '7|1|8|9|5|2|3|6|0|4',
            'GKWFf': function _0x1a4e13(_0x40cfde, _0x16f3c2) {
                return _0x40cfde == _0x16f3c2;
            },
            'MUPgQ': function _0x342f0d(_0x19038b, _0x4004d6) {
                return _0x19038b >= _0x4004d6;
            },
            'hLXma': function _0x55adaf(_0x45a871, _0x161bdf) {
                return _0x45a871 + _0x161bdf;
            },
            'JdOlO': function _0x13e00a(_0x5899a9, _0x4bb34d) {
                return _0x5899a9 + _0x4bb34d;
            },
            'qrTpg': function _0x1198fb(_0x55b317, _0x22e1db, _0x1b091a) {
                return _0x55b317(_0x22e1db, _0x1b091a);
            },
            'pdmMk': function _0xe2b022(_0x4af286, _0x4c2fd4) {
                return _0x4af286 - _0x4c2fd4;
            },
            'xVKWW': function _0x1094a3(_0x5f3627, _0x2a0ac5, _0x3ad2e5) {
                return _0x5f3627(_0x2a0ac5, _0x3ad2e5);
            }
        };
        if (_0x51eedc[_0x2246('0x258', '@1Ws')](_0x2246('0x259', 'E&PI'), _0x51eedc['wnfPa'])) {
            this['_append'](a);
            return this[_0x2246('0x25a', 'GL3Q')]();
        } else {
            var _0x492a62 = _0x51eedc[_0x2246('0x25b', '&59Q')][_0x2246('0x25c', ')q#9')]('|')
              , _0x356b01 = 0x0;
            while (!![]) {
                switch (_0x492a62[_0x356b01++]) {
                case '0':
                    _0x554c90 = _grsa_JS[_0x2246('0x25d', 'E&PI')]['decrypt']({
                        'ciphertext': _grsa_JS['enc'][_0x2246('0x25e', 'sy^o')]['parse'](_0xa0c834)
                    }, _0x2cf8ae, {
                        'iv': _0x554c90,
                        'mode': _grsa_JS[_0x2246('0x16c', 'O^50')][_0x2246('0x25f', 'Who^')],
                        'padding': _grsa_JS[_0x2246('0x260', '7IfV')][_0x2246('0x261', 'E&PI')]
                    })[_0x2246('0x1c', 'yY#5')](_grsa_JS['enc'][_0x2246('0x262', ']2BX')]);
                    continue;
                case '1':
                    if (_0x51eedc[_0x2246('0x263', 'Jsmq')](null, _0xa0c834) || _0x51eedc[_0x2246('0x264', '!2eC')](0x10, _0xa0c834['length']))
                        return _0xa0c834;
                    continue;
                case '2':
                    _0xa0c834 = _0x9843d3(_0xa0c834, _0x2cf8ae, 0x8);
                    continue;
                case '3':
                    _0x2cf8ae = _grsa_JS[_0x2246('0x265', 'RQ2o')][_0x2246('0x266', '3j7z')][_0x2246('0x267', 'RQ2o')](_0x554c90);
                    continue;
                case '4':
                    return _0x554c90[_0x2246('0x268', 'cs*4')](0x0, _0x51eedc[_0x2246('0x269', 'MVsm')](_0x554c90[_0x2246('0x26a', '0J6f')]('}'), 0x1));
                case '5':
                    _0x554c90 = _0xa0c834[_0x2246('0x26b', 'UwHa')](_0x2cf8ae, 0x8);
                    continue;
                case '6':
                    _0x554c90 = _grsa_JS[_0x2246('0x26c', '4VZ$')]['Utf8']['parse'](_0x554c90);
                    continue;
                case '7':
                    if (!navigator || !navigator[_0x2246('0x26d', '0I#o')])
                        return '';
                    continue;
                case '8':
                    var _0x554c90 = _0x51eedc[_0x2246('0x26e', 'Yb4P')](_0x51eedc[_0x2246('0x26f', 'BQ5p')](parseInt, _0xa0c834[_0x51eedc[_0x2246('0x270', 'Z2VK')](_0xa0c834['length'], 0x1)], 0x10), 0x9)
                      , _0x2cf8ae = _0x51eedc[_0x2246('0x271', 'yY#5')](parseInt, _0xa0c834[_0x554c90], 0x10);
                    continue;
                case '9':
                    _0xa0c834 = _0x9843d3(_0xa0c834, _0x554c90, 0x1);
                    continue;
                }
                break;
            }
        }
    }
  • 8、逐步解析
    • 8.1:_0x51eedc,花指令--将一些简单表达式封装成了函数或者属性
    • 8.2:将所有的_0x2246()函数替换
    • 8.3:将所有的_0x51eedc[]还原
    • 8.4:如果是函数,扣取源代码;如果是函数参数,使用简单的a、b等代替;最后的还原效果
var CryptoJS = require('crypto-js');

var func = function(a, b, c) {
    if (0 == b)
        return a['substr'](c);
    var ret;
    ret = '' + a['substr'](0, b);
    return ret += a['substr'](b + c);
};

var shell = function(data) {
    // if (!navigator || !navigator['userAgent'])
    //     return '';
    // if (false || false)
    //     return data;

    var a = parseInt(data[data['length'] -1], 16) + 9
        , b = parseInt(data[a], 16);

    data = func(data, a, 1);
    a = data['substr'](b, 8);
    data = func(data, b, 8);

    b = CryptoJS['enc']['Utf8']['parse'](a);
    a = CryptoJS['enc']['Utf8']['parse'](a);
    a = CryptoJS['DES']['decrypt']({
        'ciphertext': CryptoJS['enc']['Hex']['parse'](data)
    }, b, {
        'iv': a,
        'mode': CryptoJS['mode']['ECB'],
        'padding': CryptoJS['pad']['Pkcs7']
    })['toString'](CryptoJS['enc']['Utf8']);
    return a['substring'](0, a['lastIndexOf']('}')+1);
    };

  function fn(s) {
      return JSON.parse(shell(s))
  }

  //试跑代码
  s = '接口中返回的加密数据'
  console.log(shell(s));
  • 9、试跑以上代码
  • 10、支持,解密过程全部完整

完整代码实现

  • js版本
import subprocess
from functools import partial
subprocess.Popen = partial(subprocess.Popen, encoding='utf-8')
import execjs
import requests
session = requests.session()

session.headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}

f = open("01_en数据库.js", mode="r", encoding="utf-8")
js = execjs.compile(f.read())
f.close()


def get_movie_info_by_year(year):
    url = "https://www.xxxx.com.cn/API/GetData.ashx"
    data = {
        "year": year,
        "MethodName": "BoxOffice_GetYearInfoData",
    }

    resp = session.post(url, data=data)
    return js.call("fn", resp.text)


if __name__ == '__main__':
    for i in range(2008, 2024):
        print(get_movie_info_by_year(i))
  • 2、完全python实现
from Crypto.Cipher import DES
from Crypto.Util.Padding import unpad
import binascii
import json
import requests

"""
var func = function(a, b, c) {
    if (0x0 == b)
        return a['substr'](c);
    var ret;
    ret = '' + a['substr'](0x0, b);
    return ret += a['substr']((b+ c));
};

"""


def func(a, b, c):
    if 0 == b:
        return a[c:]    # a['substr'](c)   # substring
    ret = str(a[0: b])
    ret += a[b + c:]
    return ret


def shell(data):
    """
    if ((null == data) || 16 >= data['length'])
        return data;

    var a = parseInt(data[data['length']- 1], 16) + 9;
    var b = parseInt(data[a], 16);

    data = func(data, a, 1);

    a = data['substr'](b, 8);
    data = func(data, b, 8);
    """
    if data is None or len(data) <= 16:
        return data
    a = int(data[-1], 16) + 9
    b = int(data[a], 16)  # 取出來某一个数字
    data = func(data, a, 1)  # 从data中截取一段东西

    a = data[b: b+8]  # 从data中获取到了8个字符串

    data = func(data, b, 8)  # # 从data中截取一段东西

    des = DES.new(key=a.encode("utf-8"), mode=DES.MODE_ECB)
    ming_bs = des.decrypt(binascii.a2b_hex(data))  # 把 字符串还原成字节
    # 去掉填充
    ming_bs = unpad(ming_bs, 8)

    s = ming_bs.decode("utf-8")
    return s[:s.rindex("}")+1]


def fn(data):
    ret = shell(data)
    return json.loads(ret)


def get_movie_info_by_year(year):
    for i in range(10):  # 为了重试的.
        try:
            url = "https://www.xxxx.com.cn/API/GetData.ashx"
            data = {
                "year": year,
                "MethodName": "BoxOffice_GetYearInfoData",
            }
            resp = session.post(url, data=data)
            return fn(resp.text)
        except Exception as e:
            print("本次解密有问题")


if __name__ == '__main__':
    session = requests.session()

    session.headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
    }
    for i in range(2008, 2024):
        print(get_movie_info_by_year(i))

  • 3、注意点
    • 由于hex字符串在python与javascript中会稍有不同,例如:0123df在python总可能显示为:123df,会将第一位0去掉,所有需要在解析时加入循环与try处理
posted @ 2023-08-27 11:44  Tony_xiao  阅读(1413)  评论(0编辑  收藏  举报