Python爬蟲進階 | 漫畫櫃加密分析

此次文章是補以前文章提到的eval加密 -- 漫畫櫃

以前寫文章簡單介紹了常見的JS混淆：

juejin.im/post/5d841e…

查看請求

打開控制檯,隨意點擊一本漫畫,進入到正文頁面,查看請求:

能夠很容易看到這裏有個md5的參數值是加密的。

定位加密位置

這裏有兩種定位方法: 第一種面向老手,先翻一遍請求,網頁源碼能夠迅速定位。

第二種就是按照以前的文章提到的分析流程,咱們分析一遍,雖然麻煩點會走彎路可是適合新手:

沒有看過的朋友能夠點擊下面的文章連接回顧一下:

先搜索一下關鍵字,這裏加密的參數是md5,因此試試下面這幾種搜索關鍵詞:

md5:
md5 :
md5=
md5 =
md5
複製代碼

搜索結果以下:

經過關鍵字搜索沒有獲得想要的結果,按照以前文章提到的流程到這裏就卡住了。

不過咱們看到上面請求裏還有另外一參數cid,既然都是請求參數,那麼md5這個參數多是和他一塊兒提交的,咱們能夠試試搜索cid關鍵詞試試。

搜索cid這個參數結果以下:

果真有點東西,咱們點進第一個文件,搜索下有多少和cid這個參數相關搜索項,檢索以後有18項相關,經過分析代碼,很快咱們定位到下圖的代碼,打上斷點從新加載看看是否能進入咱們的斷點位置:

果真成功進入斷點了,可是好像並無咱們想要得md5參數,這個時候好像又卡住了。

不過很快咱們經過查看左側堆棧信息找到了md5參數的位置:

這裏vm的代碼又是經過下面這段代碼生成的:

這開頭,不就是熟悉的eval加密嗎。

到這裏就定位到解密的地方了,可是這段eval代碼又是在哪呢？

發現左側有.html的標識,搜索是搜不到了,咱們就看看這個頁面的源代碼吧,發現右鍵是進入下一頁漫畫,因此經過控制檯的Doc選項卡看看,經過格式化代碼咱們找到了上面的eval代碼。

window["\x65\x76\x61\x6c"](function(p, a, c, k, e, d) {
                e = function(c) {
                    return (c < a ? "" : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
                }
                ;
                if (!''.replace(/^/, String)) {
                    while (c--)
                        d[e(c)] = k[c] || e(c);
                    k = [function(e) {
                        return d[e]
                    }
                    ];
                    e = function() {
                        return '\\w+'
                    }
                    ;
                    c = 1;
                }
                ;while (c--)
                    if (k[c])
                        p = p.replace(new RegExp('\\b' + e(c) + '\\b','g'), k[c]);
                return p;
            }('I.H({"G":4,"J":"M","L":"4.2","K":B,"A":"z","C":["F.2.3","E.2.3","D.2.3","N.2.3","X.2.3","W.2.3","V.2.3","Y.2.3","11.2.3","10.2.3","Z.2.3","Q.2.3","P.2.3","O.2.3","R.2.3","U.2.3","T.2.3","S.2.3","d.2.3","c.2.3","b.2.3","e.2.3","h.2.3","g.2.3","f.2.3","a.2.3","5.2.3","6.2.3","8.2.3","7.2.3","9.2.3","i.2.3","u.2.3","t.2.3","s.2.3","v.2.3","y.2.3","x.2.3","w.2.3","r.2.3","m.2.3","k.2.3","j.2.3","n.2.3","q.2.3","p.2.3","o.2.3","12.2.3","1E.2.3","1D.2.3","1C.2.3","1F.2.3","1I.2.3","1H.2.3","1G.2.3","1x.2.3","1w.2.3","1v.2.3","1y.2.3","1B.2.3","1A.2.3","1z.2.3","1V.2.3","1S.2.3","1T.2.3","1R.2.3","1W.2.3","1U.2.3","1L.2.3","1M.2.3","1J.2.3","1K.2.3","1P.2.3","1Q.2.3","1N.2.3","1O.2.3","1c.2.3","1b.2.3","1a.2.3","1d.2.3","1g.2.3","1f.2.3","1e.2.3","15.2.3","14.2.3","13.2.3","16.2.3"],"19":18,"17":1q,"1p":"/1o/l/1r/1u/","1t":1,"1s":"","1j":1i,"1h":0,"1k":{"1n":"1m"}}).1l();', 62, 121, 'D7BWAcHNgdwUwEbmARgJwHYAcwAMAmANgIz3wwJwLVwGZcytq966UyBWAws3A93OgINBTdGRQF8ZACwEOZevhll8BWi0m1puGWpkbdkvSF18ZAg7pW7iM0rq4ye1xyxpyWc2grr1aNtp+LFy0LrRMtGgsFBEsxLSkgDTegoDuysAAxgB2AIYAtnCohBgyCgBmAJYANnAAznjCdA2SBA18gsAIFQAmwBV5kAAiOQAuOcAAygCyABKduQWZPZ3gFRnAgOr+gJGqgATyDaw2KPQoh2pHeCiSKDongr4oFChUKMQPF1wvDcS4DrhcuC4zH8GhRcM8+JcGjRJA0mLhoroKDIqFguFgXFg5Ki8Fh6JiccQsKQallgCMAE4AV0KlSyFVqAAs4L0fkwMAiMBRsHgMMROTyaEwcWpcTjJFgdHCsOxwOS4AA3ACSvReJR4WTgAA8RsrgLUqsBZXBFXSRsAspSAII5S0AYRm3QAYgANDJYABagwmAHkYOSKuTupbgHlugpwLUZaMGcAicAqgyAF6dKoAewyAGsAPoZda1MYjSn1Dp/CgcKgcYgcBwcLiVvDlv4IwiSQg6b4ths0YgNvgcSw0Lh4ZG6BH9v46DhyWsN+hThtqDiGUEYASrn7tpiEZs0Cg8uQYXyHn4uDBqDDL+glPCELiEFyEeiEGzPgG+YoAqhtgGGe8AjBAA=='['\x73\x70\x6c\x69\x63']('\x7c'), 0, {}))
複製代碼

解密過程

咱們來捋一捋整個過程,首先網站加載頁面,執行了這段eval,解密了參數裏的一堆密文,以後根據參數請求具體內容,那咱們逆向只要拿到頁面的代碼,用execjs執行這段代碼不就能拿到md5值直接請求了嗎。

可是把這段代碼直接複製到eval解密裏好像並無用,我感受應該和末尾的加密參數有關,通過測試這段參數雖然長得和Base64很像但並非base64加密,我又卡住了,因此我求助了大佬。

通過 @ 悅來客棧的老闆 的提點我嘗試了下果真是這段是這段代碼有問題:

通過解密運行的結果就是咱們在vm中看到的結果了:

到這裏就簡單了,請求網頁的代碼,使用正則替換代碼裏的密文,使用execjs執行這段代碼就能夠獲得md5值,再使用這個md5值就能夠請求了。

結束總結

此次的解密文章寫的比較囉嗦,雖然整個加密比較簡單,可是本身在這整個過程也踩了很多坑,走了很多彎路。

JS逆向是細緻活,須要大膽假設,當心求證,耐心調試,同時在逆向過程當中卡住了須要求助的時候也不要很差意思。把本身思考的結果、遇到的問題描述清楚附上小小的紅包和大佬聊聊,會有意想不到的驚喜。

共勉~