JS逆向|使用express框架開啟服務并替換加密字符串
在閱讀本文之前請確保電腦已安裝好Node.js.
express,根據(jù)其Github上的描述,是一個:
Fast, unopinionated, minimalist web framework for node.
其Github地址:
https://github.com/expressjs/express
根據(jù)其Readme文檔,安裝:
npm install express
保存演示code:
const express = require('express')
const app = express()
app.get('/', function (req, res) {
res.send('Hello World')
})
app.listen(3000)
然后運行(控制臺下輸入node xxx.js),并打開瀏覽器,輸入:
http://127.0.0.1:3000/
并回車,得到瀏覽器上的結果:
當然,這僅僅是個簡單的例子,還需要了解function (req, res)的用途,上面的代碼稍微改一下:
app.get('/', function (req, res) {
console.log(req.query);??//只增加這一行,看看打印結果
res.send('Hello World')
})
在瀏覽器上輸入如下URL,并回車:
http://127.0.0.1:3000/?sign=123456
查看命令行下的結果:
這樣就清楚了,直接構造參數(shù),然后用res.send返回結果。
繼續(xù)沿用上一篇文章的代碼,將 大數(shù)組 +?位移函數(shù) + 解密函數(shù)的代碼添加進來,并構造參數(shù),如下:
const express = require('express')
const app = express()
var _0x2075 = ['wrw3EMKc', 'BBdBHWk=', 'wplgd8O5dHbDtFfDucK9CsOS', 'f8KvAcKewoDClg==', 'XcKowo9uOyfChw==', 'XcKowpRzOzDCgMKuw5vCtH8=', 'HmQkw5vDt8OIBDbCpMKdw6Aaw7HDmcKb', 'wpxzdMO4', 'R8KHF1k1w5A=', 'w4LDgcOowrjDhg==', 'w6RKw6PCmVDDpw==', 'w6DDgsKrCsK5wqAwKsOMTkPDilwgB241RVBIw6rCvwpWw5fCo8OSw59pBcK7UlrCucOZHy7DgsO5wpx5J8K5wqbCtMOMwqvCsiUFw5s4JGfDmwQPw7Fawq3CgXlkJyE=', 'VcObYsOHKcKpwpI=', 'KkZfcE52w77ChsKgUQ==', 'CmQsw57DvA==', 'YV7CscOYZg==', 'w5jDt8OUwr46w5c6LsKEPsO0', 'F8OUMQhRw78Q', 'YMKzeTvCpMKzHcKKGSjCj2dJwq3Cj3/ChsKSFVpMw4sZwrg9H8OLw4/DqUlhYlpaa8KYJsO5AcK2wqnCmGhEwqkbdMKKLsO/wpBFMcKlC8OvKUkXZ8KpBsOxw4XDk8K5w4Y6w7VZO8K/wojCqcO2wqQow5Z+w6dew7I3TMObw6Ykw7I=', 'Mk8Bw6QawqU=', 'wo5zw4vCkxvDuSBqwoENw7rCrF3DksKewoPDqMKHNSzCgcK2fcKxPMKbGcKwCW5GZWRpw6fDmgHCjXrCnXE3w4zDqlt3w64lw7JiworDi8Knw5YoW1LDlUbDpkEtGQPDnw==', 'w6lvdMKW', 'w7JFdsOhwrBqwrlMYcKVJRjCuMKQwpLDtMONwprCsMORw4BtRV0oeEQPCgAmMgx2'];
(function(_0xf486e7, _0x2075d7) {
var _0x5c3a18 = function(_0x5b65b1) {
while (--_0x5b65b1) {
_0xf486e7['push'](_0xf486e7['shift']());
}
};
_0x5c3a18(++_0x2075d7);
}(_0x2075, 0xa4));
var _0x5c3a = function(_0xf486e7, _0x2075d7) {
_0xf486e7 = _0xf486e7 - 0x0;
var _0x5c3a18 = _0x2075[_0xf486e7];
if (_0x5c3a['vEVEZj'] === undefined) {
(function() {
var _0x2e1ca4;
try {
var _0x28e173 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
_0x2e1ca4 = _0x28e173();
} catch (_0x16acc9) {
_0x2e1ca4 = window;
}
var _0x16f958 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
_0x2e1ca4['atob'] || (_0x2e1ca4['atob'] = function(_0x5a7812) {
var _0x3c7e74 = String(_0x5a7812)['replace'](/=+$/, '');
var _0x5e030c = '';
for (var _0x4eaee2 = 0x0, _0x5954ef, _0x29200e, _0x5a128b = 0x0; _0x29200e = _0x3c7e74['charAt'](_0x5a128b++); ~_0x29200e && (_0x5954ef = _0x4eaee2 % 0x4 ? _0x5954ef * 0x40 + _0x29200e : _0x29200e,
_0x4eaee2++ % 0x4) ? _0x5e030c += String['fromCharCode'](0xff & _0x5954ef >> (-0x2 * _0x4eaee2 & 0x6)) : 0x0) {
_0x29200e = _0x16f958['indexOf'](_0x29200e);
}
return _0x5e030c;
}
);
}());
var _0x3acf89 = function(_0x593a19, _0xfee22e) {
var _0x1b5349 = [], _0x4ddb21 = 0x0, _0x28ed27, _0x4b4996 = '', _0xbdd0c6 = '';
_0x593a19 = atob(_0x593a19);
for (var _0x1d6343 = 0x0, _0x3f947e = _0x593a19['length']; _0x1d6343 < _0x3f947e; _0x1d6343++) {
_0xbdd0c6 += '%' + ('00' + _0x593a19['charCodeAt'](_0x1d6343)['toString'](0x10))['slice'](-0x2);
}
_0x593a19 = decodeURIComponent(_0xbdd0c6);
var _0x1a120c;
for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
_0x1b5349[_0x1a120c] = _0x1a120c;
}
for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
_0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c] + _0xfee22e['charCodeAt'](_0x1a120c % _0xfee22e['length'])) % 0x100;
_0x28ed27 = _0x1b5349[_0x1a120c];
_0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
_0x1b5349[_0x4ddb21] = _0x28ed27;
}
_0x1a120c = 0x0;
_0x4ddb21 = 0x0;
for (var _0x585b7f = 0x0; _0x585b7f < _0x593a19['length']; _0x585b7f++) {
_0x1a120c = (_0x1a120c + 0x1) % 0x100;
_0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c]) % 0x100;
_0x28ed27 = _0x1b5349[_0x1a120c];
_0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
_0x1b5349[_0x4ddb21] = _0x28ed27;
_0x4b4996 += String['fromCharCode'](_0x593a19['charCodeAt'](_0x585b7f) ^ _0x1b5349[(_0x1b5349[_0x1a120c] + _0x1b5349[_0x4ddb21]) % 0x100]);
}
return _0x4b4996;
};
_0x5c3a['HKkhxp'] = _0x3acf89;
_0x5c3a['eabUGz'] = {};
_0x5c3a['vEVEZj'] = !![];
}
var _0x5b65b1 = _0x5c3a['eabUGz'][_0xf486e7];
if (_0x5b65b1 === undefined) {
if (_0x5c3a['vszZjY'] === undefined) {
_0x5c3a['vszZjY'] = !![];
}
_0x5c3a18 = _0x5c3a['HKkhxp'](_0x5c3a18, _0x2075d7);
_0x5c3a['eabUGz'][_0xf486e7] = _0x5c3a18;
} else {
_0x5c3a18 = _0x5b65b1;
}
return _0x5c3a18;
};
app.get('/', function (req, res) {
//req.query?=?{callback:"_0x5c3a('0x8',?'CwZq')"}
let callback = req.query.callback;
let?value?=?eval(callback);?//直接eval計算傳遞進來的解密函數(shù)及參數(shù)
console.log(callback,value);
res.send(value) //結果
})
app.listen(3000)
在node下運行后,在瀏覽器上進行簡單的測試:
http://127.0.0.1:3000/?callback=_0x5c3a('0x8', 'CwZq')
回車后的結果:
這樣,我們就可以用requests庫進行請求,代碼如下:
reg?=?re.compile(r"_0x5c3a\([\s\S]{12,14}'\)")
results?=?reg.findall(code)?#?code是所有混淆代碼
for result in results:
params?=?{"callback":result}?#構造參數(shù)
r?=?requests.get("http://127.0.0.1:3000/",params?=?params)?#請求
print (result,r.text) #打印結果
code = code.replace(result,"'" + r.text + "'") #全局替換
結果如下:
和上一篇文章的結果一致,但效果明顯要好很多,特別是在處理多個這樣的調(diào)用時,其性能不是一個量級,因此在這里建議,卸載掉電腦上的pyexecjs在這個庫吧,反正也沒再更新了。
不過這里在使用get時,遇到了一個坑,就是當提交的參數(shù)里面包含特殊字符時(比如'&'),可能會解析錯誤,因此建議使用post方式,可自行百度相關教程。
Express
版權聲明:本文內(nèi)容由網(wǎng)絡用戶投稿,版權歸原作者所有,本站不擁有其著作權,亦不承擔相應法律責任。如果您發(fā)現(xiàn)本站中有涉嫌抄襲或描述失實的內(nèi)容,請聯(lián)系我們jiasou666@gmail.com 處理,核實后本網(wǎng)站將在24小時內(nèi)刪除侵權內(nèi)容。
相關文章
