[JS Reverse Engineering: 100 Examples] Wangluozhe anti-crawler practice platform, question 6: JS encryption, environment emulation detection
2022-06-23 20:57:00 【Brother K reptile】
Follow the WeChat official account K Brother reptile for more write-ups on advanced crawling and JS/Android reverse engineering!

Statement
Everything in this article is for learning and exchange only. Captured packet contents, sensitive URLs and data interfaces have all been desensitized. Commercial or illegal use is strictly prohibited; the author bears no responsibility for any consequences of such use. If anything here infringes your rights, please contact me and I will delete it.

Reverse target
- Target: question 6 of the Wangluozhe anti-crawler practice platform: JS encryption, environment emulation detection
- Link: http://spider.wangluozhe.com/challenge/6
- Description: as before, collect all the numbers from the 100 pages and compute the sum of all the data. Note: do not reuse a parameter value, and don't cheat yourself!

Packet capture analysis
Packet capture shows that this question differs from the previous ones. Instead of a changing parameter in the Payload, there is a hexin-v value in the Request Headers that changes on every request. Anyone who has written a financial crawler for a certain Huashun site will recognise this parameter, which is widely used there as well, as shown in the figure below:

Locating the encryption
First try searching for hexin-v directly: the only hit is in 6.js, and that file is obviously obfuscated, so the search does not lead anywhere useful. A closer look shows that the whole of 6.js is one self-executing function (IIFE) that receives 7 arrays as arguments, bound to n, t, r, e, a, u and c respectively, as shown below:

    !function (n, t, r, e, a, u, c) {
    }(
        [],[],[],[],[],[],[]
    );

Whenever 6.js needs a value, it reads it from one of these arrays by index, so the obfuscation is simple. To restore the code, write a script that replaces each array lookup with the corresponding value. This case is simple enough that deobfuscation is not actually necessary.
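The substitution script described above, as an added example that is not from the original article: it inlines indexed lookups into the seven argument arrays when the stored value is a primitive, and leaves constructors and DOM objects as lookups. The table contents are constructed, and this regex pass assumes that no inner scope re-declares n, t, r, e, a, u or c (in 6.js, N() declares a local n, so check such functions by hand).

```javascript
// Added example (not from the original article): inline `x[<index>]` lookups
// into the IIFE argument arrays n, t, r, e, a, u, c.
const PARAMS = ["n", "t", "r", "e", "a", "u", "c"];

// Only primitives can be written back as source text. Constructors and host
// objects (for example a slot holding `document`) must stay as lookups.
function literalFor(value) {
  if (typeof value === "string") return JSON.stringify(value);
  if (typeof value === "number" && Number.isFinite(value)) {
    return value < 0 ? `(${value})` : String(value);
  }
  if (typeof value === "boolean" || value === null) return String(value);
  return null;
}

// Matches a standalone `name[digits]` that is neither a property access
// (`obj.n[0]`) nor an assignment target (`n[0] = ...`, `n[0] += ...`).
const LOOKUP = new RegExp(
  "(?<![\\w$.])(" + PARAMS.join("|") + ")\\[(\\d+)\\](?!\\s*[-+*/]?=(?!=))", "g");

function inlineLookups(body, tables) {
  let replaced = 0;
  const code = body.replace(LOOKUP, (match, name, idx) => {
    const table = tables[name];
    if (!table || !Object.prototype.hasOwnProperty.call(table, idx)) return match;
    const lit = literalFor(table[idx]);
    if (lit === null) return match;   // non-primitive: keep the lookup
    replaced++;
    return lit;
  });
  return { code, replaced };
}

// Constructed table contents; the real arrays are elided in the article.
const SAMPLE_TABLES = {
  a: { 24: { nodeType: 9 }, 25: 0 },  // stand-in for `document`, plus an index
  u: { 16: "head" },
  r: { 19: 7, 20: 3 },
};
// One expression in the shape used by the article's 6.js listing.
const SAMPLE =
  "qn = a[24][u[16]] || a[24].getElementsByTagName(st(r[19], r[20]))[a[25]]";

function demo() {
  return inlineLookups(SAMPLE, SAMPLE_TABLES);
}
console.log(demo().code);
```

Lookups inside string literals or comments of the input are rewritten too, so treat the output as a reading aid and not as a drop-in replacement for the script.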
Because the hexin-v value is sent in the Request Headers, we can use a hook that breaks into the debugger at the moment the hexin-v header is set (Brother K has explained how to inject hook code in detail in earlier articles, so it is not repeated here):

    (function () {
        'use strict';
        // Keep a reference to the original method, then wrap it
        var org = window.XMLHttpRequest.prototype.setRequestHeader;
        window.XMLHttpRequest.prototype.setRequestHeader = function (key, value) {
            // Pause when the header we are interested in is being set
            if (key == 'hexin-v') {
                debugger;
            }
            return org.apply(this, arguments);
        };
    })();

The next step is to follow the call stack. One frame up, in 6.js, the value of h is what we want: h = ct.update(), and ct.update() is actually x(), as shown in the figure below:
Step into x(): t is the value we want, and t = N():
Step into N(): et.encode(n) is the final value, and you can see functions that collect mouse movement, clicks and so on:
As already analysed, 6.js is a self-executing function and does not contain much code, so we simply define a global variable and export the N method through it, instead of extracting the functions one by one. The pseudocode is as follows:

    // Define a global variable
    var Hexin;

    !function (n, t, r, e, a, u, c) {
        // ... a lot of code omitted ...
        function N() {
            S[T]++,
            S[f] = ot.serverTimeNow(),
            S[l] = ot.timeNow(),
            S[k] = zn,
            S[I] = it.getMouseMove(),
            S[_] = it.getMouseClick(),
            S[y] = it.getMouseWhell(),
            S[E] = it.getKeyDown(),
            S[A] = it.getClickPos().x,
            S[C] = it.getClickPos().y;
            var n = S.toBuffer();
            return et.encode(n)
        }
        // Assign the N method to the global variable
        Hexin = N
    }(
        [],[],[],[],[],[],[]
    );

    // Custom function that returns the final hexin-v value
    function getHexinV(){
        return Hexin()
    }

Environment supplement
After this rewrite, debugging locally shows that window, document and so on are undefined. Following the earlier approach we define them as empty, and then a new error appears: getElementsByTagName is not a function. getElementsByTagName returns the objects with the specified tag name and belongs to the HTML DOM, which our local Node.js runtime certainly does not provide.
Here is a way to create a DOM environment directly in Node.js, using the jsdom library. The official description reads:
jsdom is a pure-JavaScript implementation of many web standards, notably the WHATWG DOM and HTML Standards, for use with Node.js. In general, the goal of the project is to emulate enough of a subset of a web browser to be useful for testing and scraping real-world web applications. The latest versions of jsdom require Node.js v12 or newer. (Versions of jsdom below v17 still work with previous Node.js versions, but are unsupported.) For specific usage, refer to the jsdom documentation.
Note that jsdom also depends on canvas, so the canvas library needs to be installed separately. The HTML canvas tag is used to draw graphics dynamically through scripts (usually JavaScript); for an introduction and usage, refer to the canvas documentation.
After adding the following code to the JS, a DOM environment is available and the script runs successfully:

    // var canvas = require("canvas");
    var jsdom = require("jsdom");
    var {JSDOM} = jsdom;
    var dom = new JSDOM(`<!DOCTYPE html><p>Hello world</p>`);
    window = dom.window;
    document = window.document;
    navigator = window.navigator;

Combined with the Python code, which carries a different hexin-v in the request header each time and adds up the data of each page in turn, the final submission succeeds:

Complete code
Follow K Brother reptile on GitHub for more crawler-related code. Stars are welcome! https://github.com/kgepachong/
Only part of the key code is shown below; it cannot be run as-is. Full code repository: https://github.com/kgepachong/crawler/

Key JavaScript encryption code

    /* ==================================
    # @Time    : 2021-12-20
    # @Author  : WeChat official account :K Brother reptile
    # @FileName: challenge_6.js
    # @Software: PyCharm
    # ================================== */

    var TOKEN_SERVER_TIME = 1611313000.340;
    var Hexin;

    var jsdom = require("jsdom");
    var {JSDOM} = jsdom;
    var dom = new JSDOM(`<!DOCTYPE html><p>Hello world</p>`);
    window = dom.window;
    document = window.document;
    navigator = window.navigator;

    !function(n, t, r, e, a, u, c) {
        !function() {
            function Gn() {}
            var Qn = [new a[23](n[20]), new e[3](f + l + d + p)];
            function Zn() {}
            var Jn = [new t[16](c[13]), new u[9](e[19])], qn = a[24][u[16]] || a[24].getElementsByTagName(st(r[19], r[20]))[a[25]], nt;
            !function(o) {}(nt || (nt = {}));
            var tt;
            !function(o) {}(tt || (tt = {}));
            var rt = function() {}(), et;
            RT = rt;
            !function(o) {}(et || (et = {}));
            function at() {}
            var ot;
            !function(o) {}(ot || (ot = {}));
            var it;
            !function(o) {}(it || (it = {}));
            var ut;
            !function(s) {}(ut || (ut = {}));
            var ct;
            !function(o) {
                function x() {}
                function L() {}
                function M() {}
                o[a[105]] = M;
                function N() {
                    S[T]++,
                    S[f] = ot.serverTimeNow(),
                    S[l] = ot.timeNow(),
                    S[k] = zn,
                    S[I] = it.getMouseMove(),
                    S[_] = it.getMouseClick(),
                    S[y] = it.getMouseWhell(),
                    S[E] = it.getKeyDown(),
                    S[A] = it.getClickPos().x,
                    S[C] = it.getClickPos().y;
                    var n = S.toBuffer();
                    return et.encode(n)
                }
                // Export N through the global variable
                Hexin = N;
                o[r[81]] = x
            }(ct || (ct = {}));
            function st() {}
            var vt;
            !function(o) {}(vt || (vt = {}));
            var ft;
            !function(r) {}(ft || (ft = {}))
        }()
    }(
        [],[],[],[],[],[],[]
    );

    function getHexinV(){
        return Hexin()
    }

    // Test output
    // console.log(getHexinV())

Key Python calculation code

    # ==================================
    # --*-- coding: utf-8 --*--
    # @Time    : 2021-12-20
    # @Author  : WeChat official account :K Brother reptile
    # @FileName: challenge_6.py
    # @Software: PyCharm
    # ==================================

    import execjs
    import requests

    challenge_api = "http://spider.wangluozhe.com/challenge/api/6"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Cookie": "cookie Replace it with your own !",
        "Host": "spider.wangluozhe.com",
        "Origin": "http://spider.wangluozhe.com",
        "Referer": "http://spider.wangluozhe.com/challenge/6",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
        "X-Requested-With": "XMLHttpRequest"
    }


    def get_hexin_v():
        # Compile challenge_6.js and call its exported getHexinV()
        with open('challenge_6.js', 'r', encoding='utf-8') as f:
            wlz_js = execjs.compile(f.read())
        hexin_v = wlz_js.call("getHexinV")
        print("hexin-v: ", hexin_v)
        return hexin_v


    def main():
        result = 0
        for page in range(1, 101):
            data = {
                "page": page,
                "count": 10,
            }
            # A fresh hexin-v value for every request
            headers["hexin-v"] = get_hexin_v()
            response = requests.post(url=challenge_api, headers=headers, data=data).json()
            for d in response["data"]:
                result += d["value"]
        print(" The result is : ", result)


    if __name__ == '__main__':
        main()