比赛网站的链接
http://match.yuanrenxue.com/list,比赛目前已经结束
题目序号 题目内容 是否完成 第一题 js 混淆 - 源码乱码 已完成 第二题 js 混淆 - 动态cookie 1 已完成 第三题 访问逻辑 - 推心置腹 已完成 第四题 雪碧图、样式干扰 已完成 第五题 js 混淆 - 乱码增强 已完成 第六题 js 混淆 - 回溯 第七题 动态字体,随风漂移 已完成 第八题 验证码 - 图文点选 已完成 第九题 js 混淆 - 动态cookie 2 第十题 js 混淆 - 重放攻击对抗
第一题【接口-查询参数-值加密】
开打题目后按f12,会出现setInterval函数,直接禁用断点,然后就可以继续执行了,f5刷新一下
在NetWork窗口可以查看到需要的数据来源于【
http://match.yuanrenxue.com/api/match/1】接口,而请求中有一个m参数是加密的,也就是说需要找到这个m参数的生成方法,那么在全局中搜索【api/match/1】
可以搜索到这个内容,复制这一段内的script代码进行格式化
其主要内容大概是这些
[JavaScript]
纯文本查看 复制代码window.url = '/api/match/1';request = function() { var timestamp = Date.parse(new Date()); var m = oo0O0(timestamp.toString()) + window.f; var list = { "page": window.page, "m": m + '丨' + timestamp / 1000 }; $.ajax({ url: window.url, dataType: "json", async: false, data: list, type: "GET", beforeSend: function(request) {}, })};
这里可以清楚的看到m参数是由oo0O0函数的结果加上window.f得到的,继续查找一下oo0O0函数
也是在当前的页面,只是在不同的script标签下,将这个script标签下的代码进行格式化可以得到下面
[JavaScript]
纯文本查看 复制代码function oo0O0(mw) { window.b = ''; for (var i = 0, len = window.a.length; i < len; i++) { console.log(window.a[i]); window.b += String[document.e + document.g](window.a[i][document.f + document.h]() - i - window.c) } var U = ['W5r5W6VdIHZcT8kU', 'WQ8CWRaxWQirAW==']; var J = function(o, E) { o = o - 0x0; var N = U[o]; if (J['bSSGte'] === undefined) { var Y = function(w) { var m = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=', T = String(w)['replace'](/=+$/, ''); var A = ''; for (var C = 0x0, b, W, l = 0x0; W = T['charAt'](l++);~W && (b = C % 0x4 ? b * 0x40 + W : W, C++ % 0x4) ? A += String['fromCharCode'](0xff & b >> (-0x2 * C & 0x6)) : 0x0) { W = m['indexOf'](W) } return A }; var t = function(w, m) { var T = [], A = 0x0, C, b = '', W = ''; w = Y(w); for (var R = 0x0, v = w['length']; R < v; R++) { W += '%' + ('00' + w['charCodeAt'](R)['toString'](0x10))['slice'](-0x2) } w = decodeURIComponent(W); var l; for (l = 0x0; l < 0x100; l++) { T[l] = l } for (l = 0x0; l < 0x100; l++) { A = (A + T[l] + m['charCodeAt'](l % m['length'])) % 0x100, C = T[l], T[l] = T[A], T[A] = C } l = 0x0, A = 0x0; for (var L = 0x0; L < w['length']; L++) { l = (l + 0x1) % 0x100, A = (A + T[l]) % 0x100, C = T[l], T[l] = T[A], T[A] = C, b += String['fromCharCode'](w['charCodeAt'](L) ^ T[(T[l] + T[A]) % 0x100]) } return b }; J['luAabU'] = t, J['qlVPZg'] = {}, J['bSSGte'] = !! [] } var H = J['qlVPZg'][o]; return H === undefined ? (J['TUDBIJ'] === undefined && (J['TUDBIJ'] = !! []), N = J['luAabU'](N, E), J['qlVPZg'][o] = N) : N = H, N }; eval(atob(window['b'])[J('0x0', ']dQW')](J('0x1', 'GTu!'), '\x27' + mw + '\x27')); return ''}
这里有一点是这个oo0O0函数的返回值是一个空值,也就是说m的值完全由window.f决定。
尝试在控制台输出一下window.f
但是当我们执行一次oo0O0函数后,再输出window.f,这时候window.f被修改了
同时会输出一大堆乱码,那就说明oo0O0函数会修改window.f的值,下面详细看看oo0O0函数,其内部并没有出现window.f这个变量,但是在返回值前有一句比较特殊的代码
[JavaScript]
纯文本查看 复制代码eval(atob(window['b'])[J('0x0', ']dQW')](J('0x1', 'GTu!'), '\x27' + mw + '\x27'));
这里将window['b']的值进行base64解码后还进行了一些函数的传参运算,那么在控制台输出一下【atob(window['b'])】,看看是什么内容
输出后可以看到是一段script代码,将其进行格式化
[JavaScript]
纯文本查看 复制代码var hexcase = 0;var b64pad = "";var chrsz = 16;function hex_md5(a) { return binl2hex(core_md5(str2binl(a), a.length * chrsz))}function b64_md5(a) { return binl2b64(core_md5(str2binl(a), a.length * chrsz))}function str_md5(a) { return binl2str(core_md5(str2binl(a), a.length * chrsz))}function hex_hmac_md5(a, b) { return binl2hex(core_hmac_md5(a, b))}function b64_hmac_md5(a, b) { return binl2b64(core_hmac_md5(a, b))}function str_hmac_md5(a, b) { return binl2str(core_hmac_md5(a, b))}function md5_vm_test() { return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72"}function core_md5(p, k) { p[k >> 5] |= 128 << ((k) % 32); p[(((k + 64) >>> 9) << 4) + 14] = k; var o = 1732584193; var n = -271733879; var m = -1732584194; var l = 271733878; for (var g = 0; g < p.length; g += 16) { var j = o; var h = n; var f = m; var e = l; o = md5_ff(o, n, m, l, p[g + 0], 7, -680976936); l = md5_ff(l, o, n, m, p[g + 1], 12, -389564586); m = md5_ff(m, l, o, n, p[g + 2], 17, 606105819); n = md5_ff(n, m, l, o, p[g + 3], 22, -1044525330); o = md5_ff(o, n, m, l, p[g + 4], 7, -176418897); l = md5_ff(l, o, n, m, p[g + 5], 12, 1200080426); m = md5_ff(m, l, o, n, p[g + 6], 17, -1473231341); n = md5_ff(n, m, l, o, p[g + 7], 22, -45705983); o = md5_ff(o, n, m, l, p[g + 8], 7, 1770035416); l = md5_ff(l, o, n, m, p[g + 9], 12, -1958414417); m = md5_ff(m, l, o, n, p[g + 10], 17, -42063); n = md5_ff(n, m, l, o, p[g + 11], 22, -1990404162); o = md5_ff(o, n, m, l, p[g + 12], 7, 1804660682); l = md5_ff(l, o, n, m, p[g + 13], 12, -40341101); m = md5_ff(m, l, o, n, p[g + 14], 17, -1502002290); n = md5_ff(n, m, l, o, p[g + 15], 22, 1236535329); o = md5_gg(o, n, m, l, p[g + 1], 5, -165796510); l = md5_gg(l, o, n, m, p[g + 6], 9, -1069501632); m = md5_gg(m, l, o, n, p[g + 11], 14, 643717713); n = md5_gg(n, m, l, o, p[g + 0], 20, -373897302); o = md5_gg(o, n, m, l, p[g + 5], 5, -701558691); l = md5_gg(l, o, n, m, p[g + 10], 9, 38016083); m = md5_gg(m, l, o, n, p[g + 15], 14, -660478335); n = md5_gg(n, m, l, o, p[g + 4], 20, -405537848); o = md5_gg(o, n, m, l, p[g + 9], 5, 568446438); l = md5_gg(l, o, n, m, p[g + 14], 9, -1019803690); m = md5_gg(m, l, o, n, p[g + 3], 14, -187363961); n = md5_gg(n, m, l, o, p[g + 8], 20, 1163531501); o = md5_gg(o, n, m, l, p[g + 13], 5, -1444681467); l = md5_gg(l, o, n, m, p[g + 2], 9, -51403784); m = md5_gg(m, l, o, n, p[g + 7], 14, 1735328473); n = md5_gg(n, m, l, o, p[g + 12], 20, -1921207734); o = md5_hh(o, n, m, l, p[g + 5], 4, -378558); l = md5_hh(l, o, n, m, p[g + 8], 11, -2022574463); m = md5_hh(m, l, o, n, p[g + 11], 16, 1839030562); n = md5_hh(n, m, l, o, p[g + 14], 23, -35309556); o = md5_hh(o, n, m, l, p[g + 1], 4, -1530992060); l = md5_hh(l, o, n, m, p[g + 4], 11, 1272893353); m = md5_hh(m, l, o, n, p[g + 7], 16, -155497632); n = md5_hh(n, m, l, o, p[g + 10], 23, -1094730640); o = md5_hh(o, n, m, l, p[g + 13], 4, 681279174); l = md5_hh(l, o, n, m, p[g + 0], 11, -358537222); m = md5_hh(m, l, o, n, p[g + 3], 16, -722881979); n = md5_hh(n, m, l, o, p[g + 6], 23, 76029189); o = md5_hh(o, n, m, l, p[g + 9], 4, -640364487); l = md5_hh(l, o, n, m, p[g + 12], 11, -421815835); m = md5_hh(m, l, o, n, p[g + 15], 16, 530742520); n = md5_hh(n, m, l, o, p[g + 2], 23, -995338651); o = md5_ii(o, n, m, l, p[g + 0], 6, -198630844); l = md5_ii(l, o, n, m, p[g + 7], 10, 11261161415); m = md5_ii(m, l, o, n, p[g + 14], 15, -1416354905); n = md5_ii(n, m, l, o, p[g + 5], 21, -57434055); o = md5_ii(o, n, m, l, p[g + 12], 6, 1700485571); l = md5_ii(l, o, n, m, p[g + 3], 10, -1894446606); m = md5_ii(m, l, o, n, p[g + 10], 15, -1051523); n = md5_ii(n, m, l, o, p[g + 1], 21, -2054922799); o = md5_ii(o, n, m, l, p[g + 8], 6, 1873313359); l = md5_ii(l, o, n, m, p[g + 15], 10, -30611744); m = md5_ii(m, l, o, n, p[g + 6], 15, -1560198380); n = md5_ii(n, m, l, o, p[g + 13], 21, 1309151649); o = md5_ii(o, n, m, l, p[g + 4], 6, -145523070); l = md5_ii(l, o, n, m, p[g + 11], 10, -1120210379); m = md5_ii(m, l, o, n, p[g + 2], 15, 718787259); n = md5_ii(n, m, l, o, p[g + 9], 21, -343485551); o = safe_add(o, j); n = safe_add(n, h); m = safe_add(m, f); l = safe_add(l, e) } return Array(o, n, m, l)}function md5_cmn(h, e, d, c, g, f) { return safe_add(bit_rol(safe_add(safe_add(e, h), safe_add(c, f)), g), d)}function md5_ff(g, f, k, j, e, i, h) { return md5_cmn((f & k) | ((~f) & j), g, f, e, i, h)}function md5_gg(g, f, k, j, e, i, h) { return md5_cmn((f & j) | (k & (~j)), g, f, e, i, h)}function md5_hh(g, f, k, j, e, i, h) { return md5_cmn(f ^ k ^ j, g, f, e, i, h)}function md5_ii(g, f, k, j, e, i, h) { return md5_cmn(k ^ (f | (~j)), g, f, e, i, h)}function core_hmac_md5(c, f) { var e = str2binl(c); if (e.length > 16) { e = core_md5(e, c.length * chrsz) } var a = Array(16), d = Array(16); for (var b = 0; b < 16; b++) { a[b] = e[b] ^ 909522486; d[b] = e[b] ^ 1549556828 } var g = core_md5(a.concat(str2binl(f)), 512 + f.length * chrsz); return core_md5(d.concat(g), 512 + 128)}function safe_add(a, d) { var c = (a & 65535) + (d & 65535); var b = (a >> 16) + (d >> 16) + (c >> 16); return (b << 16) | (c & 65535)}function bit_rol(a, b) { return (a << b) | (a >>> (32 - b))}function str2binl(d) { var c = Array(); var a = (1 << chrsz) - 1; for (var b = 0; b < d.length * chrsz; b += chrsz) { c[b >> 5] |= (d.charCodeAt(b / chrsz) & a) << (b % 32) } return c}function binl2str(c) { var d = ""; var a = (1 << chrsz) - 1; for (var b = 0; b < c.length * 32; b += chrsz) { d += String.fromCharCode((c[b >> 5] >>> (b % 32)) & a) } return d}function binl2hex(c) { var b = hexcase ? "0123456789ABCDEF" : "0123456789abcdef"; var d = ""; for (var a = 0; a < c.length * 4; a++) { d += b.charAt((c[a >> 2] >> ((a % 4) * 8 + 4)) & 15) + b.charAt((c[a >> 2] >> ((a % 4) * 8)) & 15) } return d}function binl2b64(d) { var c = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; var f = ""; for (var b = 0; b < d.length * 4; b += 3) { var e = (((d[b >> 2] >> 8 * (b % 4)) & 255) << 16) | (((d[b + 1 >> 2] >> 8 * ((b + 1) % 4)) & 255) << 8) | ((d[b + 2 >> 2] >> 8 * ((b + 2) % 4)) & 255); for (var a = 0; a < 4; a++) { if (b * 8 + a * 6 > d.length * 32) { f += b64pad } else { f += c.charAt((e >> 6 * (3 - a)) & 63) } } } return f};window.f = hex_md5(mwqqppz)
在函数的最后可以看到window.f是通过hex_md5函数运算得到的
但是这里的【mwqqppz】变量并没有出现的地方,此时就往前看看上一段代码传入的是什么参数
可以看到这里有一些小混淆,此时将上面函数中出现的下方代码输入到控制台,并跟着输入【J('0x0', ']dQW')】和【J('0x1', 'GTu!')】
[JavaScript]
纯文本查看 复制代码 var U = ['W5r5W6VdIHZcT8kU', 'WQ8CWRaxWQirAW==']; var J = function(o, E) { o = o - 0x0; var N = U[o]; if (J['bSSGte'] === undefined) { var Y = function(w) { var m = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=', T = String(w)['replace'](/=+$/, ''); var A = ''; for (var C = 0x0, b, W, l = 0x0; W = T['charAt'](l++);~W && (b = C % 0x4 ? b * 0x40 + W : W, C++ % 0x4) ? A += String['fromCharCode'](0xff & b >> (-0x2 * C & 0x6)) : 0x0) { W = m['indexOf'](W) } return A }; var t = function(w, m) { var T = [], A = 0x0, C, b = '', W = ''; w = Y(w); for (var R = 0x0, v = w['length']; R < v; R++) { W += '%' + ('00' + w['charCodeAt'](R)['toString'](0x10))['slice'](-0x2) } w = decodeURIComponent(W); var l; for (l = 0x0; l < 0x100; l++) { T[l] = l } for (l = 0x0; l < 0x100; l++) { A = (A + T[l] + m['charCodeAt'](l % m['length'])) % 0x100, C = T[l], T[l] = T[A], T[A] = C } l = 0x0, A = 0x0; for (var L = 0x0; L < w['length']; L++) { l = (l + 0x1) % 0x100, A = (A + T[l]) % 0x100, C = T[l], T[l] = T[A], T[A] = C, b += String['fromCharCode'](w['charCodeAt'](L) ^ T[(T[l] + T[A]) % 0x100]) } return b }; J['luAabU'] = t, J['qlVPZg'] = {}, J['bSSGte'] = !! [] } var H = J['qlVPZg'][o]; return H === undefined ? (J['TUDBIJ'] === undefined && (J['TUDBIJ'] = !! []), N = J['luAabU'](N, E), J['qlVPZg'][o] = N) : N = H, N };
可以得到其解混淆后的两个值
还原一下就变成了
[JavaScript]
纯文本查看 复制代码eval(atob(window['b'])["replace"]("mwqqppz", '\x27' + mw + '\x27'));
这是就清楚了。将mwqqppz替换为我们传入的变量进行计算
此时只要将最后一句的
window.f = hex_md5(mwqqppz)
修改为
var mwqqppz = process.argv[2];
console.log(hex_md5(mwqqppz));
就可以给我们进行调用,修改好后另存为01.js
接下来就是简单的写一下接口调用的代码,其中的m值通过用nodejs调用js文件进行计算,需要先安装nodejs
[Python]
纯文本查看 复制代码import requestsimport timeimport osdef main(): money = 0 number = 0 ts = str(int(time.time())) nodejs = os.popen('node 01 '+ts+'000') m = nodejs.read().replace('\n', '') + '丨' + ts nodejs.close() for page in range(1, 6): url = 'http://match.yuanrenxue.com/api/match/1?page='+str(page)+'&m='+m response = requests.get(url).json() for each in response['data']: money += each['value'] number += 1 print(money) print(number) print(money // number) # 总价:235000 # 总数:50 # 均值:4700if __name__ == '__main__': main()
第二题【接口-请求头-值加密】
因为第二题是动态cookie,为了避免其他cookie的影响,所以使用浏览器的无痕模式进行调试,按f12并选中【Preserve log】
此时可以看到接口中的cookie有一个m参数是加密的
继续往前找到第二条数据出现过这个相同的值
但是当去到第一条数据的时候,就没有这个值了
而且这个点开【Preview】并没有任何内容,而且在响应头也没有set-cookie,那就说明这个页面里面有script代码设置了【document.cookie】的属性
此时关闭f12,使用Fiddler.exe进行抓包,此时可以看到第一次返回的是一段script代码
使用网页提供的ob混淆专解测试版V0.1,进行反混淆,因为代码比较长,只贴出核心代码
[JavaScript]
纯文本查看 复制代码 function _0x165f49(_0x3601cd, _0x44836c) { document["cookie"] = "m" + _0x53b25d() + "=" + _0xb4d4cd(_0x3601cd) + "|" + _0x3601cd + "; path=/"; location["reload"](); } function _0x19c5c1(_0x5d05a8, _0x3f4653) { return Date["parse"](new Date()); } _0x165f49(_0x19c5c1());
这里可以看到执行了_0x165f49函数,这里设置了document.cookie的值,并对页面重新加载
其中计算m参数的函数就是_0xb4d4cd函数,将这个函数复制出来,并复制出其调用到的函数,重新封装另存为02.js
[JavaScript]
纯文本查看 复制代码 qz = [10, 99, 111, 110, 115, 111, 108, 101, 32, 61, 32, 110, 101, 119, 32, 79, 98, 106, 101, 99, 116, 40, 41, 10, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 32, 61, 32, 102, 117, 110, 99, 116, 105, 111, 110, 32, 40, 115, 41, 32, 123, 10, 32, 32, 32, 32, 119, 104, 105, 108, 101, 32, 40, 49, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 102, 111, 114, 40, 105, 61, 48, 59, 105, 60, 49, 49, 48, 48, 48, 48, 48, 59, 105, 43, 43, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 104, 105, 115, 116, 111, 114, 121, 46, 112, 117, 115, 104, 83, 116, 97, 116, 101, 40, 48, 44, 48, 44, 105, 41, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 125, 10, 32, 32, 32, 32, 125, 10, 10, 125, 10, 99, 111, 110, 115, 111, 108, 101, 46, 116, 111, 83, 116, 114, 105, 110, 103, 32, 61, 32, 39, 91, 111, 98, 106, 101, 99, 116, 32, 79, 98, 106, 101, 99, 116, 93, 39, 10, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 46, 116, 111, 83, 116, 114, 105, 110, 103, 32, 61, 32, 39, 402, 32, 116, 111, 83, 116, 114, 105, 110, 103, 40, 41, 32, 123, 32, 91, 110, 97, 116, 105, 118, 101, 32, 99, 111, 100, 101, 93, 32, 125, 39, 10]; function _0x38927c(_0x31c213, _0x15819d) { var _0x1ebfad = (65535 & _0x31c213) + (65535 & _0x15819d); return (_0x31c213 >> 16) + (_0x15819d >> 16) + (_0x1ebfad >> 16) << 16 | 65535 & _0x1ebfad; } function _0x42ea6b(_0x4311af, _0x1d26cb) { return _0x4311af << _0x1d26cb | _0x4311af >>> 32 - _0x1d26cb; } function _0x17df27(_0x149b94, _0x40ae03, _0x4c4c51, _0x896443, _0x2066e1, _0x339641) { return _0x38927c(_0x42ea6b(_0x38927c(_0x38927c(_0x40ae03, _0x149b94), _0x38927c(_0x896443, _0x339641)), _0x2066e1), _0x4c4c51); } function _0x4eb065(_0x4701be, _0x41f76b, _0x58a63e, _0x333b01, _0x1fac47, _0x37993e, _0xd21e0d) { return _0x17df27(_0x41f76b & _0x58a63e | ~_0x41f76b & _0x333b01, _0x4701be, _0x41f76b, _0x1fac47, _0x37993e, _0xd21e0d); } function _0x1f13e1(_0x29d2ad, _0x3bd4bc, _0xff4102, _0x3979c2, _0xd8d449, _0x78fa9b, _0xe01ea7) { return _0x17df27(_0x3bd4bc & _0x3979c2 | _0xff4102 & ~_0x3979c2, _0x29d2ad, _0x3bd4bc, _0xd8d449, _0x78fa9b, _0xe01ea7); } function _0x3e3606(_0x2ef909, _0x3bd8d3, _0x892bc5, _0x13c904, _0x2342a0, _0x35f109, _0x19c0e1) { return _0x17df27(_0x3bd8d3 ^ _0x892bc5 ^ _0x13c904, _0x2ef909, _0x3bd8d3, _0x2342a0, _0x35f109, _0x19c0e1); } function _0x3d2668(_0x4cd0a8, _0xe871c7, _0x5f0915, _0x10cf3a, _0x929107, _0x39dc73, _0x10c64e) { return _0x17df27(_0x5f0915 ^ (_0xe871c7 | ~_0x10cf3a), _0x4cd0a8, _0xe871c7, _0x929107, _0x39dc73, _0x10c64e); } function _0x2f0e92(_0x492976, _0x1ca955) { _0x492976[_0x1ca955 >> 5] |= 128 << _0x1ca955 % 32, _0x492976[14 + (_0x1ca955 + 64 >>> 9 << 4)] = _0x1ca955; if (qz) { var _0x2856ca, _0x56938f, _0x2632f2, _0x1fc011, _0x1b5b0b, _0x27964a = 1732584193, _0x5b3ae5 = -271733879, _0x529d7c = -1732584194, _0x4813f1 = 271733878; } else { var _0x2856ca, _0x56938f, _0x2632f2, _0x1fc011, _0x1b5b0b, _0x27964a = 0, _0x5b3ae5 = -0, _0x529d7c = -0, _0x4813f1 = 0; } for (_0x2856ca = 0; _0x2856ca < _0x492976["length"]; _0x2856ca += 16) _0x56938f = _0x27964a, _0x2632f2 = _0x5b3ae5, _0x1fc011 = _0x529d7c, _0x1b5b0b = _0x4813f1, _0x27964a = _0x4eb065(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca], 7, -680876936), _0x4813f1 = _0x4eb065(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 1], 12, -389564586), _0x529d7c = _0x4eb065(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 2], 17, 606105819), _0x5b3ae5 = _0x4eb065(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 3], 22, -1044525330), _0x27964a = _0x4eb065(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca + 4], 7, -176418897), _0x4813f1 = _0x4eb065(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 5], 12, 1200080426), _0x529d7c = _0x4eb065(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 6], 17, -1473231341), _0x5b3ae5 = _0x4eb065(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 7], 22, -45705983), _0x27964a = _0x4eb065(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca + 8], 7, 1770035416), _0x4813f1 = _0x4eb065(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 9], 12, -1958414417), _0x529d7c = _0x4eb065(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 10], 17, -42063), _0x5b3ae5 = _0x4eb065(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 11], 22, -1990404162), _0x27964a = _0x4eb065(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca + 12], 7, 1804603682), _0x4813f1 = _0x4eb065(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 13], 12, -40341101), _0x529d7c = _0x4eb065(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 14], 17, -1502882290), _0x5b3ae5 = _0x4eb065(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 15], 22, 1236535329), _0x27964a = _0x1f13e1(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca + 1], 5, -165796510), _0x4813f1 = _0x1f13e1(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 6], 9, -1069501632), _0x529d7c = _0x1f13e1(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 11], 14, 643717713), _0x5b3ae5 = _0x1f13e1(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca], 20, -373897302), _0x27964a = _0x1f13e1(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca + 5], 5, -701558691), _0x4813f1 = _0x1f13e1(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 10], 9, 38016083), _0x529d7c = _0x1f13e1(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 15], 14, -660478335), _0x5b3ae5 = _0x1f13e1(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 4], 20, -405537848), _0x27964a = _0x1f13e1(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca + 9], 5, 568446438), _0x4813f1 = _0x1f13e1(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 14], 9, -1019803690), _0x529d7c = _0x1f13e1(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 3], 14, -187363961), _0x5b3ae5 = _0x1f13e1(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 8], 20, 1163531501), _0x27964a = _0x1f13e1(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca + 13], 5, -1444681467), _0x4813f1 = _0x1f13e1(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 2], 9, -51403784), _0x529d7c = _0x1f13e1(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 7], 14, 1735328473), _0x5b3ae5 = _0x1f13e1(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 12], 20, -1926607734), _0x27964a = _0x3e3606(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca + 5], 4, -378558), _0x4813f1 = _0x3e3606(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 8], 11, -2022574463), _0x529d7c = _0x3e3606(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 11], 16, 1839030562), _0x5b3ae5 = _0x3e3606(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 14], 23, -35309556), _0x27964a = _0x3e3606(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca + 1], 4, -1530992060), _0x4813f1 = _0x3e3606(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 4], 11, 1272893353), _0x529d7c = _0x3e3606(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 7], 16, -155497632), _0x5b3ae5 = _0x3e3606(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 10], 23, -1094730640), _0x27964a = _0x3e3606(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca + 13], 4, 681279174), _0x4813f1 = _0x3e3606(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca], 11, -358537222), _0x529d7c = _0x3e3606(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 3], 16, -722521979), _0x5b3ae5 = _0x3e3606(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 6], 23, 76029189), _0x27964a = _0x3e3606(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca + 9], 4, -640364487), _0x4813f1 = _0x3e3606(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 12], 11, -421815835), _0x529d7c = _0x3e3606(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 15], 16, 530742520), _0x5b3ae5 = _0x3e3606(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 2], 23, -995338651), _0x27964a = _0x3d2668(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca], 6, -198630844), _0x4813f1 = _0x3d2668(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 7], 10, 1126891415), _0x529d7c = _0x3d2668(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 14], 15, -1416354905), _0x5b3ae5 = _0x3d2668(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 5], 21, -57434055), _0x27964a = _0x3d2668(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca + 12], 6, 1700485571), _0x4813f1 = _0x3d2668(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 3], 10, -1894986606), _0x529d7c = _0x3d2668(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 10], 15, -1051523), _0x5b3ae5 = _0x3d2668(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 1], 21, -2054922799), _0x27964a = _0x3d2668(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca + 8], 6, 1873313359), _0x4813f1 = _0x3d2668(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 15], 10, -30611744), _0x529d7c = _0x3d2668(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 6], 15, -1560198380), _0x5b3ae5 = _0x3d2668(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 13], 21, 1309151649), _0x27964a = _0x3d2668(_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1, _0x492976[_0x2856ca + 4], 6, -145523070), _0x4813f1 = _0x3d2668(_0x4813f1, _0x27964a, _0x5b3ae5, _0x529d7c, _0x492976[_0x2856ca + 11], 10, -1120210379), _0x529d7c = _0x3d2668(_0x529d7c, _0x4813f1, _0x27964a, _0x5b3ae5, _0x492976[_0x2856ca + 2], 15, 718787259), _0x5b3ae5 = _0x3d2668(_0x5b3ae5, _0x529d7c, _0x4813f1, _0x27964a, _0x492976[_0x2856ca + 9], 21, -343485441), _0x27964a = _0x38927c(_0x27964a, _0x56938f), _0x5b3ae5 = _0x38927c(_0x5b3ae5, _0x2632f2), _0x529d7c = _0x38927c(_0x529d7c, _0x1fc011), _0x4813f1 = _0x38927c(_0x4813f1, _0x1b5b0b); return [_0x27964a, _0x5b3ae5, _0x529d7c, _0x4813f1]; } function _0x5c0cba(_0x4b9003) { var _0x7b6654, _0x81a5a1 = []; for (_0x81a5a1[(_0x4b9003["length"] >> 2) - 1] = undefined, _0x7b6654 = 0; _0x7b6654 < _0x81a5a1["length"]; _0x7b6654 += 1) _0x81a5a1[_0x7b6654] = 0; var _0x4a7c5e = 8 * _0x4b9003["length"]; for (_0x7b6654 = 0; _0x7b6654 < _0x4a7c5e; _0x7b6654 += 8) _0x81a5a1[_0x7b6654 >> 5] |= (255 & _0x4b9003["charCodeAt"](_0x7b6654 / 8)) << _0x7b6654 % 32; return _0x81a5a1; } function _0x2498e1(_0xab1134) { var _0x5b6833, _0x2717db, _0x55f85f = "0123456789abcdef", _0xf7fa75 = ""; for (_0x2717db = 0; _0x2717db < _0xab1134["length"]; _0x2717db += 1) _0x5b6833 = _0xab1134["charCodeAt"](_0x2717db), _0xf7fa75 += _0x55f85f["charAt"](_0x5b6833 >>> 4 & 15) + _0x55f85f["charAt"](15 & _0x5b6833); return _0xf7fa75; } function _0x43808a(_0xcb333) { var _0x49e4a7, _0x530dde = "", _0x568ad8 = 32 * _0xcb333["length"]; for (_0x49e4a7 = 0; _0x49e4a7 < _0x568ad8; _0x49e4a7 += 8) _0x530dde += String["fromCharCode"](_0xcb333[_0x49e4a7 >> 5] >>> _0x49e4a7 % 32 & 255); return _0x530dde; } function _0x4094fc(_0x2be7d6) { return _0x1faf49(_0x102c73(_0x2be7d6)); } function _0x102c73(_0x4c0c42) { return unescape(encodeURIComponent(_0x4c0c42)); } function _0x1faf49(_0x5cf3e8) { return _0x43808a(_0x2f0e92(_0x5c0cba(_0x5cf3e8), 8 * _0x5cf3e8["length"])); } function _0x554c2e(_0x1bfaf7) { return _0x2498e1(_0x4094fc(_0x1bfaf7)); } function _0xb4d4cd(_0x3ed615) { return _0x554c2e(_0x3ed615); } var mwqqppz = process.argv[2]; console.log(_0x115b90(mwqqppz));
此时就可以给我们使用nodejs进行调用计算了
接下来编写请求的代码
[Python]
纯文本查看 复制代码import requestsimport timeimport osdef main(): sums = 0 ts = str(int(time.time()))+'000' nodejs = os.popen('node 02 '+ts) m = nodejs.read().replace('\n', '') + '|' + ts nodejs.close() headers = { 'cookie': 'm='+m, } for page in range(1, 6): url = 'http://match.yuanrenxue.com/api/match/2?page='+str(page) response = requests.get(url, headers=headers).json() for each in response['data']: sums += each['value'] print(sums) # 总和:248974if __name__ == '__main__': main()
第三题【接口-请求头】
第三题相对于前面两题就简单很多了,服务器检验的请求头的三个参数【Accept-Language】【Cookie】【Referer】自行多次测试可以发现
其中【Accept-Language】和【Referer】都是固定值,就没有什么好说的了
主要是【Cookie】里面的【sessionid】
因为有cookie的影响,依然是使用浏览器的无痕模式打开,并先选中【Preserve log】
这里可以看到sessionid的值,在全局中搜索sessionid的值
这里可以看到在
http://match.yuanrenxue.com/logo中首次出现这个值,那么整个逻辑就清楚了
首先访问
http://match.yuanrenxue.com/logo,在响应头中取得sessionid的值,然后带进接口请求
下面的python请求的代码,其中题目要求的是求出出现频率最高的数字
[Python]
纯文本查看 复制代码import requestsimport refrom collections import Counterdef main(): Registration = [] for page in range(1, 6): url = 'http://match.yuanrenxue.com/logo' headers = { 'Accept-Language': 'zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ko;q=0.6', 'Referer': 'http://match.yuanrenxue.com/match/3', } response = requests.post(url, headers=headers) sessionid = re.findall('(?<=sessionid=).+?(?=;)', response.headers['Set-Cookie'])[0] headers = { 'Accept-Language': 'zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ko;q=0.6', 'Cookie': 'sessionid='+sessionid, 'Referer': 'http://match.yuanrenxue.com/match/3', } url = 'http://match.yuanrenxue.com/api/match/3?page='+str(page) response = requests.get(url, headers=headers).json() for each in response['data']: Registration.append(each['value']) print(Counter(Registration)) print(Counter(Registration).most_common(1)[0][0]) # {8717: 7, 2838: 1, 7609: 1, 6923: 1, 5325: 1, 4118: 1, 8884: 1, 2680: 1, 3721: 1, 8490: 1, 3148: 1, 6025: 1, 8526: 1, 8529: 1, 6481: 1, 9489: 1, 6599: 1, 5500: 1, 185: 1, 8498: 1, 6102: 1, 9222: 1, 2008: 1, 9827: 1, 8224: 1, 2929: 1, 3762: 1, 567: 1, 672: 1, 9524: 1, 7159: 1, 986: 1, 505: 1, 6535: 1, 9491: 1, 3612: 1, 9095: 1, 7357: 1, 9307: 1, 5650: 1, 2109: 1, 23: 1, 2110: 1, 2792: 1} # 最高 8717if __name__ == '__main__': main()
第四题【响应-字体反爬-CSS反爬】
第四题接口没有设置任何反爬,直接获取数据即可
可以看到返回的是一个json,其中的info字段是一段html文本,格式化一下html代码,因为比较长,只复制小部分
[JavaScript]
纯文本查看 复制代码<td> <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAdCAIAAAAl5NuSAAACy0lEQVQ4EZ1UTWgTQRSeJNtsNyXbxmZF3BWkgpocRC9NDyYn8RD04A9YKKRUiCAV8VAPimg9VEE8KaV6Cg1YgxRyEAoePGgvaS+tCLYg7Sk5yBooW9Nk003i7My83c2mFnVZeN977/vem3m7M54jR4+j/324DqHcGrtVHTn3SxF13kx6kc6rmz3zs8KzvIvsaessD9dy98sK33SxiOtXP/ePprk1O+e1oZzaWXisOpS8ruPXB4y6lPiRyxoy+Oai2CMbLyfKInMCK2/l5ImDJ0/h9/DwVLio00RTjG09T4HEEo893TpDtoiQUJjqvzzptZa3lBXij8Iqk1SHRmsxhmlnuX41VqURfbVvImvVBpAXZpYE5iiVm5coJGI5rUdZJlDIcSWQOG0m1wPNd6JJOlEivn66wnia8Mn9PaDCgn9DY1ga2CVjM8WNqLzLwiUuA+QO6/tW6mJBsXHeREQswZRVtfOnsYtsaJAVDbJNLE42QIu0n2QbNr8NzZX84NeVYQwxOdxi3wgJqvV9gPVHa9bZr1OHcI2DkdEUFkcMa9kd9P0D/9TZXQqL3YtxU2xfsUdLgm2ddSliM/dAwRYEfdo6hli87oUxNHmYO5Da7IWwAb5PW6biZUuMRDsNNIeNiiDWuBUzbi67q1hkFFE24LixiMM0ozI71vqmf85MmGJPoWQdt9rIoIPvhIP1YxL1uza+0P+UDCyTD8Bx2x5K73mBoSvpikK1evD9E4qIGOWFQpEiJCW0F3FnR4LjtTuJHYK86pLwiuWZxHN7NgQz3744vfU61bIuuliqujhdZm210Mwk0+D92lfvWLb8MEbLk8r46jStwfMN1knvnR8X7y4yDyFfb18/c1bxziOtswN1dmq5Bme+8GNooTcPgvc+WkoMHGLsfV3ozm/2KIeQFGryHJ2cX1ODKx8O3LjW/e67U4mxY9muzF+4vwHPdM7J2FS8qwAAAABJRU5ErkJggg==" class="img_number 6c7ac088bd56d619f1bbcc2aee9facea" style="left: 11px;" /><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABUAAAAdCAIAAADKJrCsAAADAklEQVQ4EaWVX0hTURzHz7brzt30bqLcfNgN0kFtPZR7mgQqhASlPkx6MB98iBZICWL0IESISKZoSCBRSeKg7CHsQfNB7KF82faQ9aK9GBR3D3XFP9fadrY2u3fn/nZv2wyhy4V7fr/f9/M7v3POb2em4ydOov94mH+xXYPxy42J0zzBOJPTWYlsXY9yz+4xizEKmkrP7w3Gn/TuCDhbOv2XmtqL1lyo1PxdU7t3W/axjjKEWFQLpzGiGQ8gWMQ3jcg6TCrC887Jp+aIVi3yBtJ91/cuAI1QQf2BRPT+Fp8LE5Ef6mZfAKkjCHk9aOMzdZiN/oPHN7cpjOTq0UNgBQBYGRr5YLxZoMtj117aZ0rNbJwtNzbww62wZyI3OlGkLO3I866Uz5umKTejbKS0utib5zvTbi1q33xdrDvMA+fX5iHagcs4HFXVbbcSPYFfbj6R85sRYcUN+8KsbWzJmAt4H5/S3LJl2ZV9OL3VXkcMwizCcaE+3lOP2wNVnUEGNhfq5zm6eIRSB33TEsBWQrDyGhIRoen7Uui3S3NpfIZ3gMa1316XQqQ8POe6dKrGc+aY8taeF4beOGVNknX4d8e7qQHzA600eRIT56sbVVcGzRt5b8w00+/onXfCkhINHalcCcU8Mosr3O3VPKoP3g9wyyIA3mSfGgFTVyEuPGEymMahafRTOdgpQV2CxlskWBySmXXYXJDq39hHKwgJ79V5JO2X6aojjegvBepfjsEhOTLCkXibpG4v8JEIhsKSvuChCfx+AgdtkdUrAHgUYtckiiV9rfRsirNke87+1LwSu6C2eZ5H5kdRTot5d2ZH8jecnqVtaq9Zu17KNlfZRTWi8yjSz4VlaqfcHVsrDzJ+6FLkyQ6HtsdbYHKxcmiAnnHB/ddIVqZ+uGErEVL6X9VhDI2nGHLl837ujtZgFmdltVqH9nxj3n61NZxL8pjWn2EY9YWwmYhVE9cqxj6Ao/D+BX/XSPxqY1xQ/nnohU9sUsz+bs42GTL93VwF9QN/5O8fGRn4ilT2qk0AAAAASUVORK5CYII=" class="img_number 6c7ac088bd56d619f1bbcc2aee9facea" style="left: -11px;" /><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAdCAIAAAAl5NuSAAADUElEQVQ4EZ1UX0hTURi/u7vbmV29ztwiuwvSQOYegj2kIqXlg5DkgxQlaInCVIiepKQgMss9ZEFQUlkPIZgz+gfiopDA5cMUApMYvejTBuVVi93m3dH96d57zrl3ExVpG7vf953f7/u+c7/fOYaDh0qp//0wWxBPd0vt9WsuOwQgqSxDEBXYoD+n7z4dyYIbsis7Ey8GV2scMAuDHRqGC0Z699z+oi0a862FxOETo69+HbMniM9AaEomGeWrhNIMJ7lPmKJ+05yIIDRBUtSNwZVKLqX6ZiFQ1FRb5DyyT/nVOvom83Az3ErP4DqPSVrleulei8gqUTo8ub+qyxjB6SlKNMz5LfO8ob4Myi0wdto+a/mg7F6rfHzDjvJB6/glAzIz/wPXcoMCCsRcjcgg5DZ+HUMjzN1Mkm7TAu4FbU1eIOSQaMQwc7pCJ+xsEfLMDIgipCPeXL4Vh193laA4G8bTImRqOCcYRo5YdwtWb6anB57/dqHgIvvYjyyNTBk6e20L6kBAydLQdGzAky5TMdUe+HZ66WyJ+lJg/msvmMGpsxXGN8V911ccQHslGIUfMO+T19rp04LanNWI+J0JJZiaKkkduAZCBjv1wHpz2KCNn6IyK/Opp8PLdbqwaQqaIJUEQBOsLO/CvouWl/h8aHuWhT32kzBzFiYONNXyxYo8i4pleU5Y1VmkgEPoH1trw/okbbcNrjaXklfSVXDhGZ0lz49gfNFSczK2V9YnK7md7Pg7WsQiKY+3V0jqzswhH3dFP3T6tiN+0OqzouPBVfztUbSgtl3RKjkQDOZOeXXCJivizQnhwyVWeuSJqOQ6HseobYWN8jAL5CqxO+S3qJI5sLGpyC7cNCYLUYDRtmTbTrykw4aXYVQ+SGrlkUULjnGxBs/2bE/czaFVWogQcuSRJYQpcXeHNsbsLM7EaMcf0mFe0CdfGGjOojFclmpE0gdSTaPhMDTPf9OVeKZ7bah/2cUizdNCoPDcE5msyzN95/1yc1k8o5wZQvU+ApAUlBdpuGjrOAUCCo4oTE7z2ccKJfTR0jiBJhn50sX3LsppCQdsLefNX5GXURkHKGfq6mWpoTxm5zYAhfoEMGoKzeaOPDS9+UFgylNvOzO6S/sfNQgekSrMrRAAAAAASUVORK5CYII=" class="img_number 6c7ac088bd56d619f1bbcc2aee9facea" style="left: 0px;" /><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABUAAAAcCAIAAAABemMJAAAAyElEQVQ4EWOUVVBjoAAw4dWr8Xfm3lf3b75ZHodLGQsuCYaovs/l3h/4QPKcOBUxYOqX/p+Y8y3J+6MM+1/c2uAySPrNA38nRXyxMPjGx/APLk+IAdcf921W9VuwayFamF8/4eST+cJOwACs4fdJYHO9lNlC9p8ENAOl4faDlDL/fM13cD1XUy/TUyAPZ5iDlMIAXP9eztwbXIdOwcSJpeH6nzIeAllKKsDqfxIMGdVPQmBhUToaflgChQSh0fAjIbCwKB3o8AMADiotC5QUM1oAAAAASUVORK5CYII=" class="img_number 6c7ac088bd56d619f1bbcc2aee9facea" style="left: 0px;" /></td>
可以看到主要有三个值,一个【src】是图片的base64编码文本,一个【class】是图片对应的类,一个【style】是图片对应的样式
每一个src对应唯一的一个数字图片,那么可以根据这个base64编码的文本判断是什么数字
那么类和样式有什么用呢?现在还不知道,那么在页面对着数字审查一下元素,看看页面的组成结构
此时可以看到,并不是多少位数,页面就有多少张数字图片。其中有一些多余的,其样式会被设置为【display: none;】,可以理解为不显示出来的意思
除去这个样式的,剩下数字的数量就可以与现实数字的数量一样了,那么怎么知道哪些是隐藏,哪些是不隐藏呢?
通过对比发现,返回的class数值中,【mg_number】后面的数字有两种,其中一种是全部隐藏,另外一种就是显示的图片,接下来就是要找怎么判断两种数字了
因为要添加【display: none;】属性,所以在全局中搜索【'display', 'none'】(备注:这里涉及一些html的知识)
可以看到搜索到两处都在同一个页面,那么格式化一下这个页面继续查找,在下面的图片中就可以找到我们需要的函数
这里使用的是ajax进行异步请求,主要看其中的success回调函数
[JavaScript]
纯文本查看 复制代码success: function(data) { datas = data.info; $('.number').text('').append(datas); var j_key = '.' + hex_md5(btoa(data.key + data.value).replace(/=/g, '')); $(j_key).css('display', 'none'); $('.img_number').removeClass().addClass('img_number') }
这里可以看到取响应体中【key】和【value】两个字段进行base64编码后去除等号计算md5
如果数值相等,那么这个图片就是一个不需要的图片,此时数量的问题就解决了
解决了数量问题,还有一个顺序问题。请求返回的图片顺序和显示的图片顺序并不相同,因为我们还遗漏了图片的【style】
可以看到其中的【style】有正数和负数,说明对排版进行了一些小小的操作
此时根据【style】的数值,对图片进行重新排序即可(备注:这里涉及一些html的知识)
到这里的时候,已经把数量和顺序的问题都解决了,下面编写代码请求,并还原数值
[Python]
纯文本查看 复制代码import requestsimport hashlibimport base64import redef main(): numbers = { 'iVBORw0KGgoAAAANSUhEUgAAABQAAAAdCAIAAAAl5NuSAAACy0lEQVQ4EZ1UTWgTQRSeJNtsNyXbxmZF3BWkgpocRC9NDyYn8RD04A9YKKRUiCAV8VAPimg9VEE8KaV6Cg1YgxRyEAoePGgvaS+tCLYg7Sk5yBooW9Nk003i7My83c2mFnVZeN977/vem3m7M54jR4+j/324DqHcGrtVHTn3SxF13kx6kc6rmz3zs8KzvIvsaessD9dy98sK33SxiOtXP/ePprk1O+e1oZzaWXisOpS8ruPXB4y6lPiRyxoy+Oai2CMbLyfKInMCK2/l5ImDJ0/h9/DwVLio00RTjG09T4HEEo893TpDtoiQUJjqvzzptZa3lBXij8Iqk1SHRmsxhmlnuX41VqURfbVvImvVBpAXZpYE5iiVm5coJGI5rUdZJlDIcSWQOG0m1wPNd6JJOlEivn66wnia8Mn9PaDCgn9DY1ga2CVjM8WNqLzLwiUuA+QO6/tW6mJBsXHeREQswZRVtfOnsYtsaJAVDbJNLE42QIu0n2QbNr8NzZX84NeVYQwxOdxi3wgJqvV9gPVHa9bZr1OHcI2DkdEUFkcMa9kd9P0D/9TZXQqL3YtxU2xfsUdLgm2ddSliM/dAwRYEfdo6hli87oUxNHmYO5Da7IWwAb5PW6biZUuMRDsNNIeNiiDWuBUzbi67q1hkFFE24LixiMM0ozI71vqmf85MmGJPoWQdt9rIoIPvhIP1YxL1uza+0P+UDCyTD8Bx2x5K73mBoSvpikK1evD9E4qIGOWFQpEiJCW0F3FnR4LjtTuJHYK86pLwiuWZxHN7NgQz3744vfU61bIuuliqujhdZm210Mwk0+D92lfvWLb8MEbLk8r46jStwfMN1knvnR8X7y4yDyFfb18/c1bxziOtswN1dmq5Bme+8GNooTcPgvc+WkoMHGLsfV3ozm/2KIeQFGryHJ2cX1ODKx8O3LjW/e67U4mxY9muzF+4vwHPdM7J2FS8qwAAAABJRU5ErkJggg==': '0', 'iVBORw0KGgoAAAANSUhEUgAAABUAAAAcCAIAAAABemMJAAAAyElEQVQ4EWOUVVBjoAAw4dWr8Xfm3lf3b75ZHodLGQsuCYaovs/l3h/4QPKcOBUxYOqX/p+Y8y3J+6MM+1/c2uAySPrNA38nRXyxMPjGx/APLk+IAdcf921W9VuwayFamF8/4eST+cJOwACs4fdJYHO9lNlC9p8ENAOl4faDlDL/fM13cD1XUy/TUyAPZ5iDlMIAXP9eztwbXIdOwcSJpeH6nzIeAllKKsDqfxIMGdVPQmBhUToaflgChQSh0fAjIbCwKB3o8AMADiotC5QUM1oAAAAASUVORK5CYII=': '1', 'iVBORw0KGgoAAAANSUhEUgAAABQAAAAdCAIAAAAl5NuSAAACO0lEQVQ4EWOUVVBjIBewoGqU/p+Y8z3a9puM6E92hn9gObafn9iuXeBe08u27AaqYgZGhM12Vd9aI97LsEP0oKkDcjnubhWOL2J6ipCBaU6c+q7c5Ss7QoL9508g5z87+y+EGAPTp5PiXnEsMP1MUCktJYhO5k/3RKZXyCqqi2noAZG4opNM01aBT1BV//jM308uhpsG0wwS+MS/uV5K35Ozaz1cmoHhKeP8Il6vVmGY/h+GLj+lofIwzT+fCDcF8OWtQNKGxHy6iGv6BQ6ogNKvJDTNNalc82FeQdKFYM64CNPM8EfGDCIOsxmhChfrCTPM5X/5lEjVrPmHD2ou2xOo74i2OUMJFHUg8InlGoTBQKRm6V++mj+gWp6yzCdJc8vU91rQBMR5Yh0bVC8xNicuehOtCU1nP6/zlSyC6WVAyxhwcQhD+l/L1LfRcAd/Eu7MZkOKUNyapb1+T656bSj6F2rga+GmcLS0gEOzT8OX1sj3sLhhAqW/OI5lSJaCTcTUjOZULDkR7jc0zba/17UjO1VoXht38za4ajQGsmbbX1v7XmvxQQoD5tcXREvCWQ+hqUfhwjVL/1mO0Ml1fqFQUBsjikosHJjmxPYPFlA7OU+0CkciIhOLJpgQJHma/Ugy/w4WYn2ylUidQOVgzebx32Ugpv3k3VxE0LUwiyGa3aRhOeY180G4FGEG2M+ivL+hKmVer7hJWBMDA/8adb5SsM1/RWFJiRh9SGogAYYkQAoTVuiTogeuFgCpiqrSY0PgFgAAAABJRU5ErkJggg==': '2', 'iVBORw0KGgoAAAANSUhEUgAAABQAAAAdCAIAAAAl5NuSAAACpElEQVQ4EWOUVVBjIBewoGiUNvtbkPPNXvM7H99PdojMT/ZPr7lPbONs6mV6iqIWyGGE2/y/dtGHaPMvUD3o6ph+PhGckM014wayBDO/gDCY3/55oetnmDvYfv5k+fuX5S/LfxaG/2Dp/yx83228WT9tY73wGa6fCc4CMz4J7Jol7aUurqEnBkLq0hGtonc/MUMV8b0t7/uDpAGhmfH1SUkvU970XqbrSPInF3G4BIid/wkVYjf4XouQhTv7Bvu2RUz3EBJIrM9MX43+esn/Bgsx/vzEtfYiRBZu81MGjMBE6N9ygx1mN0KQgQGuGVkQk/2akXzN0ga/+KAmsj1ZBDebKJv/1+l/heq4zjEBrpcYZ2cseusm8w+shWdXLxtS0MCSBcI4GMvc+a+990832w/KfH/BYlwnegTTD8OkQTSq5u7tj0OUkKUhbJZP9wQ7CzmWoaRNoBRhPzP9fM355DUjOyzEkMxG1fzzJzsSgqTKf+yin7XMX9UtfnZx+88oaSS9SLkKWRTGlv4fHPEjKfCzligsml8LN4VzzYcGGiJLwjRgoxNnvyu3+wrOrUyvD0mapUIcjOpsbBpBYvNTBQ8+gSj9J2r+vQyqjjjNwEKj6SI3VAv7d8MICJNYzQxPfyIpZSNRszQ7JJEBtTH9fIOsWZoBJQogUijk/3J48v7JfmIbsuacz+tX/vbBbYBP32dY8mb4dIFjBtRcqEf+ixq8mLz9/br2P3YaKDZqBv6euf3NZO+PsJJYaGklrEhDSdvsXwyDviwMYmL4yQpNE+y/2RngXmVg+Mm/Jpu7C5GtIDafYkcUkUDV7D/ZIQihk/nTPdHqML5SlFyFlMKCi3+EuHzTkv7Nx/4L5nT2n59Y717nWjOFff4pmBiCRtKMECSWBQDfGNuYxLjW9gAAAABJRU5ErkJggg==': '3', 'iVBORw0KGgoAAAANSUhEUgAAABUAAAAbCAIAAAAcf1OxAAABhElEQVQ4EWOUVVBjIAhqN7xM0vwFVsZ5olUkchFcBxOchZsR+M0XqhlTDWH9/7vTPoliaoSKENIvXfzNV+k3Tu0MBPT/7Yn4wI5bNwN+/XZTP1nw/QNq//ma+xN2U/DYb/uz1eULWBfPwW0c2LXjtv9/d9UHGZAmpteH+NOf4NCOS795+2dfJXCEfxKc3oDHkVilzH61en8EBxvH+RVc85/ishzkOky5/92N75XBun9e58/txVSALIKh3w7u8p/8m9vY8NkNMgdNv+2P1iCIy9nubuUtPYVsFVY2sn7pP8v73oLDnOHndcH4SkasOlAFkfQntn+ApBaGT8Kd2QRdDjEHpt+u/VO5+XewGOeJyfjDHNkFYP3Scd8mQ73N+mSrMFL2RlaKlQ3Ub/tzYclbPrDsz3uC1UXEeBthlmzjCc7//xnIQpzHW2D+RxhIGouF4edP5p8/8eZxkIl/2dn/gE1mYvjJ+hNqB/PPX4xElZ8Mcd8uVkPCiIzyE2obVopS/w91/QDSPZdPKmG8AQAAAABJRU5ErkJggg==': '4', 'iVBORw0KGgoAAAANSUhEUgAAABUAAAAcCAIAAAABemMJAAAB+ElEQVQ4EWOUVVBjoACwIOv9uefmK2VkAWzsTyel9OOYYTJMMAaQ9vrHh8QjjomsX+Q/O3GakFShuB8m/km4yZRrPoyHl0a2X/MPZe6HW/SJeRecTYCBZH+U9C+o4l8MTwlog0sj6UcE3k9GuDwhBpJ+UfZ/ENWfPsGjl5B2BmT9fD8JKsdQgKQfLvfpDfH2I+L/r4wI1AQZ76f3vaF+YWBg//mJ9e51rjVT2OefglsBZ2Czn4EBrhmo7ic73xct81d1i59d3P4zShquE8JA6P/LB009LD9/soMQmkqGv3xKr1o3fEtEMYKRQP61S/2VFPTJXuk73LSf98TjPdlOQvnM/ALCcCksjIfnmDcs5dr1k9XN+Ds3OLBYBP+LPuXacAOiGOF+LJrhQtdnc+Vu5YdxvxkG/oWxidMPVH2ykus8LEj4RP+QrJ+BgeXJa5guBE20/QwMWEsXEvT/lpGB2vsTkUGI1m/X900Lqh2YHOHJljj90nHfe1w+w2zn3dwAZTIg8p/Gfx9buCiCIW32t3vl+73Vb0ShxQPbtRXcMxDy8PTX/ul+0EeQOErK/cPODo9qoBzb3a2i8UVMSKUT3CNwI9l/IgoiuCDIXJ6DkwUTZiMLAdlw/ac4Tmj+1VL6zc6AbCfzz59sn55yndjDMb2X6TqaXhAXAA8XiW6ahRdHAAAAAElFTkSuQmCC': '5', 'iVBORw0KGgoAAAANSUhEUgAAABUAAAAdCAIAAADKJrCsAAADAklEQVQ4EaWVX0hTURzHz7brzt30bqLcfNgN0kFtPZR7mgQqhASlPkx6MB98iBZICWL0IESISKZoSCBRSeKg7CHsQfNB7KF82faQ9aK9GBR3D3XFP9fadrY2u3fn/nZv2wyhy4V7fr/f9/M7v3POb2em4ydOov94mH+xXYPxy42J0zzBOJPTWYlsXY9yz+4xizEKmkrP7w3Gn/TuCDhbOv2XmtqL1lyo1PxdU7t3W/axjjKEWFQLpzGiGQ8gWMQ3jcg6TCrC887Jp+aIVi3yBtJ91/cuAI1QQf2BRPT+Fp8LE5Ef6mZfAKkjCHk9aOMzdZiN/oPHN7cpjOTq0UNgBQBYGRr5YLxZoMtj117aZ0rNbJwtNzbww62wZyI3OlGkLO3I866Uz5umKTejbKS0utib5zvTbi1q33xdrDvMA+fX5iHagcs4HFXVbbcSPYFfbj6R85sRYcUN+8KsbWzJmAt4H5/S3LJl2ZV9OL3VXkcMwizCcaE+3lOP2wNVnUEGNhfq5zm6eIRSB33TEsBWQrDyGhIRoen7Uui3S3NpfIZ3gMa1316XQqQ8POe6dKrGc+aY8taeF4beOGVNknX4d8e7qQHzA600eRIT56sbVVcGzRt5b8w00+/onXfCkhINHalcCcU8Mosr3O3VPKoP3g9wyyIA3mSfGgFTVyEuPGEymMahafRTOdgpQV2CxlskWBySmXXYXJDq39hHKwgJ79V5JO2X6aojjegvBepfjsEhOTLCkXibpG4v8JEIhsKSvuChCfx+AgdtkdUrAHgUYtckiiV9rfRsirNke87+1LwSu6C2eZ5H5kdRTot5d2ZH8jecnqVtaq9Zu17KNlfZRTWi8yjSz4VlaqfcHVsrDzJ+6FLkyQ6HtsdbYHKxcmiAnnHB/ddIVqZ+uGErEVL6X9VhDI2nGHLl837ujtZgFmdltVqH9nxj3n61NZxL8pjWn2EY9YWwmYhVE9cqxj6Ao/D+BX/XSPxqY1xQ/nnohU9sUsz+bs42GTL93VwF9QN/5O8fGRn4ilT2qk0AAAAASUVORK5CYII=': '6', 'iVBORw0KGgoAAAANSUhEUgAAABQAAAAeCAIAAACjcKk8AAABuklEQVQ4EWOUVVBjIBcwkasRpI8FrDnu28Xqt3ykmcO/Rp0im8nWfI99DQMjKQEW+P1UxxtRkO+4D1YIJawnweb/3WkfwToZfl7gq14PNIJozdLF33yVfoPDlH9zL8tTEItYzf/rvD6wg7W+PsRTegrMIlKzdNUXe5l/YB0CuxrgFsIZELOwk/9aEdZy14BdDFZIhGbphq/2kIBiQLYWqJ2w5n+tLh8gDnp9CNlaIjRLV321gFrLe2I2mlVoXIgVCPJ/ufMnSCD/vMCTBw1kuDR+zXHfYYHMdWIFJA/BdQIZeDW3BH2CZrUn3NNBSQoN4NFs9sNeE5KkWK8d5jiJphHExa3ZPOKHDFQD9/nZWLTi0fwv0+wzRMfPC5xICQPZFFw2B/7QgsYQ+7VTmEEFMQKH5sTAb1C9P7lP9CLbhszGrvmvm+Z3iKqf19m7kNWjsLFq9vqlDI0i1rsXcbkZaAw2zebeP6BuZuC4uxDFLlQONs0hSt+gil6z70JkQFSNIB4WzX+UpSH5nuHnU9YtmFoQIpiavX7LQLICA8PrN8wIlVhYmJoN/sA8zP76HiMWLQghkspthDYICwBClnHZDNYAMQAAAABJRU5ErkJggg==': '7', 'iVBORw0KGgoAAAANSUhEUgAAABQAAAAdCAIAAAAl5NuSAAADUElEQVQ4EZ1UX0hTURi/u7vbmV29ztwiuwvSQOYegj2kIqXlg5DkgxQlaInCVIiepKQgMss9ZEFQUlkPIZgz+gfiopDA5cMUApMYvejTBuVVi93m3dH96d57zrl3ExVpG7vf953f7/u+c7/fOYaDh0qp//0wWxBPd0vt9WsuOwQgqSxDEBXYoD+n7z4dyYIbsis7Ey8GV2scMAuDHRqGC0Z699z+oi0a862FxOETo69+HbMniM9AaEomGeWrhNIMJ7lPmKJ+05yIIDRBUtSNwZVKLqX6ZiFQ1FRb5DyyT/nVOvom83Az3ErP4DqPSVrleulei8gqUTo8ub+qyxjB6SlKNMz5LfO8ob4Myi0wdto+a/mg7F6rfHzDjvJB6/glAzIz/wPXcoMCCsRcjcgg5DZ+HUMjzN1Mkm7TAu4FbU1eIOSQaMQwc7pCJ+xsEfLMDIgipCPeXL4Vh193laA4G8bTImRqOCcYRo5YdwtWb6anB57/dqHgIvvYjyyNTBk6e20L6kBAydLQdGzAky5TMdUe+HZ66WyJ+lJg/msvmMGpsxXGN8V911ccQHslGIUfMO+T19rp04LanNWI+J0JJZiaKkkduAZCBjv1wHpz2KCNn6IyK/Opp8PLdbqwaQqaIJUEQBOsLO/CvouWl/h8aHuWhT32kzBzFiYONNXyxYo8i4pleU5Y1VmkgEPoH1trw/okbbcNrjaXklfSVXDhGZ0lz49gfNFSczK2V9YnK7md7Pg7WsQiKY+3V0jqzswhH3dFP3T6tiN+0OqzouPBVfztUbSgtl3RKjkQDOZOeXXCJivizQnhwyVWeuSJqOQ6HseobYWN8jAL5CqxO+S3qJI5sLGpyC7cNCYLUYDRtmTbTrykw4aXYVQ+SGrlkUULjnGxBs/2bE/czaFVWogQcuSRJYQpcXeHNsbsLM7EaMcf0mFe0CdfGGjOojFclmpE0gdSTaPhMDTPf9OVeKZ7bah/2cUizdNCoPDcE5msyzN95/1yc1k8o5wZQvU+ApAUlBdpuGjrOAUCCo4oTE7z2ccKJfTR0jiBJhn50sX3LsppCQdsLefNX5GXURkHKGfq6mWpoTxm5zYAhfoEMGoKzeaOPDS9+UFgylNvOzO6S/sfNQgekSrMrRAAAAAASUVORK5CYII=': '8', 'iVBORw0KGgoAAAANSUhEUgAAABQAAAAcCAIAAADuuAg3AAAC9klEQVQ4EZVUTUwTQRSeblvG1rYW6KKwJVZMEDgYPFB6kaMHwEQSDyZGkChejAlKRY1eROJBrDFBYjAEYhNCPGCIP3DQi3CBJoYQEspBenE5yJ9hwZah7dbZnZl1t9QE2snOe99837w3f89U6isHWb/KpmT7pe1A5a4L7qpDFiQdWog4B59aPi3ruSajWJC7+zYuVyb0lH82cnx7nn81rAHmI+5C5gipkXe/6o+TaBjkAMpDaYvyJxTLrq8uGZDso3PE55gSZHoG1gN8WvU5KcZ3XRFOnC6qwO1UaXCkYJUSE4Fb8VaBOFrabX8WgxtQBVH0WNMFa5SyaSc0x8cfrrsUj1udLPa34bAscnfDFlEC5B6+ma3EiuWw/eWMTZ1J5qt3WtVZVBekqsqSxEJR2xPDlhJY+Q69cojEc8XPNWOLRPaneBoXiDG6O4Rm+EasokSAhLc2w8QVsroYAzOXYxbXKMx78NayNWtUyFLQkJwGdGnisJmdBOCFVE62Cqa9HjbolBtZZKvI1LA63uNnDGMvdOyc0ZYHMzwTc68jTsbcPP8YNdJrwDDcn0VvW+hFYChb80zIMS1RB5at9I5t9Xek6yoUmuCXO/u25gZWTirbYaVKZMK54ofB2rWiHzsgk/l/2yz8MG2jhKUiXzmLrMw3BVvuH12QzHTurE7KH75jn9VAZMo+quXxvIaakuAbz2zssIQgUpsk5k+/L6mvcTyaAlU8fa2SEiPXdRoN2XDTYugM7ais4iIW69PWsXKb/qSXHhUUv2LKQcS1LQkvmVW0DUYOJk63+7dVLSfOwRnF2nfk1vDvAMkZuT+G8FYbxcLeW6VS8KfxhXSvluxz3tJn+zP64HWR2wdWImOJziamUHtchvsn1nobNsljQzF31wMSFg9rNQyAnomfF8uIEp+wasAkBDKB8ApRzBO8DnWlO9c5A4D2vGooThbcaLMYq6Kubn/57oS8tdgjQ8gKNYBIss1PFYRuu+4OcayKsFT0aWvYvo2/Mt8Dn3GoSZ0AAAAASUVORK5CYII=': '9' } sums = 0 for page in range(1, 6): url = 'http://match.yuanrenxue.com/api/match/4?page='+str(page) response = requests.get(url) response = response.json() j_key = hashlib.md5(base64.b64encode((response['key']+response['value']).encode()).replace(b'=', b'')).hexdigest() tds = re.findall('(?<=<td>).+?(?=</td>)', response['info']) for td in tds: imgs = re.findall('(?<=<img).+?(?=>)', td) outnumber = ['', '', '', '', ''] i = 0 for img in imgs: number = re.findall('(?<=data:image/png;base64,).+?(?=")', img)[0] imgclass = re.findall('(?<=img_number ).+?(?=")', img)[0] imgstyle = int(int(re.findall('(?<=style="left:).+?(?=px")', img)[0]) / 11) if imgclass != j_key: outnumber[i + imgstyle] = numbers[number] i += 1 outnumber = int(''.join(list(filter(lambda n: n, outnumber)))) sums += outnumber print(sums) # 总数:243701if __name__ == '__main__': main()
第五题【接口-查询参数-值加密】【接口-请求头-值加密】
这题还是和cookie有关,那么依旧使用浏览器的无痕模式打开,并先选中【Preserve log】
查看其接口的请求内容
可以看到cookie有m参数和RM4hZBv0dDon443M参数两个加密参数,已经查询参数m和f,看起来有点像两个时间戳
首先从识别度比较高的RM4hZBv0dDon443M参数开始,在全局中搜索RM4hZBv0dDon443M参数,这里就不贴图了,因为发现啥也么有
那么此时比较值得分析的就是主页,格式化一下代码
这里可以发现有一段混淆的代码,复制出来使用之前用过的ob混淆专解测试版V0.1进行反混淆
[JavaScript]
纯文本查看 复制代码function _$KS() { V(); if (eval["toString"]() === "function eval() { [native code] }") { if ($_zw["length"] === 25) { $_ow = ""; for (var h = 0; h < window["$$$"]["length"]; h++) { $_ow += String["fromCharCode"](window["$$$"][h]["charCodeAt"]() - ($_zw["length"] + 1) * 3 - parseInt(h["toString"]()["slice"](0, 1)) * 2); } eval($_ow); } else { $_ow = ""; for (var h = 0; h < window["$$$"]["length"]; h++) { $_ow += String["fromCharCode"](window["$$$"][h]["charCodeAt"]() - 78 - parseInt(h["toString"]()["slice"](0, 1)) * 2); } eval($_ow); } } else { $_ow = ""; for (var h = 0; h < window["$$$"]["length"]; h++) { $_ow += String["fromCharCode"](window["$$$"][h]["charCodeAt"]() - 2331 - parseInt(h["toString"]()["slice"](0, 1)) * 2); } eval($_ow); }}_$KS();
这里就和第一题有点像,代码是在eval函数里面的,此时我们就要拿到解密后的代码,在三个eval前面都点一下,饭后刷新页面
此时成功断下,如果不行的话就重新开一个无痕模式重复上面步骤
然后在控制台分别输入【eval["toString"]()】和【$_zw["length"]】
可以得出函数最后运行的是这段代码,然后在控制台输入
[JavaScript]
纯文本查看 复制代码 $_ow = ""; for (var h = 0; h < window["$$$"]["length"]; h++) { $_ow += String["fromCharCode"](window["$$$"][h]["charCodeAt"]() - 78 - parseInt(h["toString"]()["slice"](0, 1)) * 2); }
此时可以得到解密后的js代码,复制出来格式化一下
此时就可以搜索到我们需要的RM4hZBv0dDon443M变量
这里网站给我们留下了一条路,我们发现在控制台会不断的打印【世上无难事,只要肯放弃】
而在我们解密后的js中也可以搜索到这段字符串,也就是说这段字符串是在我们解密后的代码里面执行打印的,此时只要点击右边的链接就可以进入到代码块了
找到我们需要的RM4hZBv0dDon443M变量,然后设置断点,并刷新,就可以成功断下
此时我们看到【_$8K['_$ss']】还是【undefined】,那么就继续执行,直到不为【undefined】的时候,此时RM4hZBv0dDon443M的值已经加密完成
此时我们在代码中搜索【_$ss】的话,又是啥也没有搜索到,那就转为搜索【_$8K[】,发现有61个结果,还行,不算很多,都过一遍,查找可能与【_$ss】有关的,跳过赋值的操作,只看被赋值的操作
可以找到1207行就是【_$8K['_$ss']】被赋值的操作,继续下断点,然后刷新
再次断下后可以看到【_$8K['_$ss']】是前面加密的结果,加密的算法使用的是AES/ECB/Pkcs7,,然后在控制台输入【_$8K[_$pe('0x6', 'OCbs')].toString()】来获取加解密的key
将16进制转换为2进制可以发现是一段字符串,并且像是base64编码的,那么再将它进行base64解码
可以看到最终得到的是一个类似与时间截的东西,经过对比发现其实这就是查询参数中的m参数去掉最后一位
因为AES是对称加密,所以可以用得到的key来看看加密前的内容是什么
[Python]
纯文本查看 复制代码from Crypto.Cipher import AESfrom Crypto.Util.Padding import unpad_ss = 'X+B1D1B6iiwDOZVNuWwP3wjJ3DfyVTh1+mvR8dZicNoQ4+tfI4QQ2Qpbe2IU4xXfYQMzGBT5qP4uR6lEUtY8kbmCITQJ7CkIum8vf5VxuEWy6nujLSXDlI/scpSr/J3/TrmXvzYFnqAziOoUBq7hGLXC6RLJhLi1MNyVV3HDKlUkwbFQ/iFusspgWs/tTdZkg1qkg95k5BW+/mgfiZSPNLms5aekP+IdTpdJM3Y2948='cryptor = AES.new(key='MTYwMzI5MTg1NTU4'.encode(), mode=AES.MODE_ECB)print(unpad(cryptor.decrypt(base64.b64decode(_ss.encode())), AES.block_size).decode())# 6e6c4989f57580aa4a1ba51fe6901ed2,788d57895ac6376da4ea4cf54875e6ce,90aa7ce116c6c55311eccc1ddf868adb,90aa7ce116c6c55311eccc1ddf868adb,be4d9d6c4119c22212430ea3ba4947de
可以看到是由5段字符串用逗号拼接后组成的,接着搜索【'_$pr'】,看看这些字符串是什么时候被加入进去的
因为【_$8K['_$pr']】是一个数组,那么主要看它的【push】方法,在这个方法的地方都下一个端点,其中可以发现都是调用的b函数
经过对比发现,第一次调用b函数的参数就是查询参数中的f参数,其他三个都是比第一个大的数即可,第五次调用b函数的参数就是查询参数中的m参数
那么就下来就只能下b函数的问题了,重新刷新页面,再次断下的时候,进入b函数看一下,然后将b函数以及它调用到的函数都复制出来
后面发现前面四次和最后一次里面的参数有少许的变化,需要分别修改,分别保存为0501.js和0502.js
[JavaScript]
纯文本查看 复制代码var _$8K = {};var _$ev = [], _$Uy = String.fromCharCode;function _$HY(_$5X) { var _$HY = _$Uy(96); _$ev = _$Ch(_$5X).split(_$HY)}function _$Ch(_$5X) { var _$HY = _$5X.length; var _$o4, _$_Z = new Array(_$HY - 1), _$KJ = _$5X.charCodeAt(0) - 97; for (var _$Q_ = 0, _$TO = 1; _$TO < _$HY; ++_$TO) { _$o4 = _$5X.charCodeAt(_$TO); if (_$o4 >= 40 && _$o4 < 92) { _$o4 += _$KJ; if (_$o4 >= 92) _$o4 = _$o4 - 52 } else if (_$o4 >= 97 && _$o4 < 127) { _$o4 += _$KJ; if (_$o4 >= 127) _$o4 = _$o4 - 30 } _$_Z[_$Q_++] = _$o4 } return _$Uy.apply(null, _$_Z)} _$HY('o~q}u`euf3ffdyrgfu`fkbu`xduv`wuf3ffdyrgfu`qsfya~`sq||`efdy~w`bdafafkbu`e|ysu`$_vb~W`eb|ysu`qbb|k`3sfyhuJArzusf`dueg|f`sxqd5atu3f`rgffa~`eu~t`vad}`ratk`}ageu}ahu`xqeAi~Bdabudfk`xaef~q}u`|asqfya~`abu~`eb|yf`euf;~fudhq|`xffbe,`s|ys{`sa~sqf`}ufxat`faEfdy~w`~atuFkbu`adywy~`v|aad`badf`$_~t`:F?>9u~udys7|u}u~f`fqw@q}u`saa{yu`$_<C~x`exai?atq|6yq|aw`du}ahu5xy|t`{uk5atu`bqdu~f@atu`wufFy}u`duqtkEfqfu`ujus`bqfx~q}u`euqdsx`fuef`yvdq}u`eufFy}uagf`:F?>8ad}7|u}u~f`hyeyry|yfk`qbbu~t5xy|t`qtt7hu~f>yefu~ud`y~tujut64`esdybf`a~duqtkefqfusxq~wu`uhq|`y~~ud:F?>`hq|gu`7{sB`|asq|Efadqwu`a~egr}yf`arzusf`bdafasa|`sa~fu~f`s|a~u@atu`y~tujAv`qeeyw~`idyfu`tasg}u~f`du}ahu7hu~f>yefu~ud`dag~t`efk|u`$_hh5;`dub|qsu`vg~sfya~`?ysda?ueeu~wud`geud3wu~f`ixy|u`a~s|ys{`y~bgf`suy|`?qfx`xyttu~`fqdwuf`|aqt`}rezmkexsv`~g}rud`sduqfu7|u}u~f`wuf7|u}u~fe4kFqw@q}u`wuf7|u}u~f4k;t`qffqsx7hu~f`$_vxV`s|yu~f6qfq`egr}yf`fy}uEfq}b`va~fe`A~|k a~u hqdyqr|u tus|qdqfya~ q||aiut y~ vadTTy~ |aab`fdq~eyu~f`qdyfk`tyeqr|ut`fkbuav`sxqdeuf`egbud`|u~wfx`#v*X`?ej}|XTJ?>:FFBTYTV`fa6qfqGD>`asd_dtkfigDsddqqmujgnh`qbb|ysqfya~5qsxu`}g|fybqdfUvad}Stqfq`hqd wuf3ffdyrgfu/vg~sfya~N~q}uOmdufgd~ sgd_u|uTwuf3ffdyrgfuN~q}uO-o-`qff
发表评论: