当前位置：网站首页>JS reverse case -rus5 logic learning

JS reverse case -rus5 logic learning

2022-06-30 01:59:00 【Eleven elder sister】

Catalog

One 、rs5 characteristic

About 4 The introduction of Dai can be seen in this article , Some processes and 4 Generation is almost the same. This article omits the introduction
Server response status code 202 perhaps 412 Return to the first cookie_S（ perhaps cookie_O）; then js Confusion produces a second cookie_T（ perhaps cookie_P）, Only carry valid cookie_T（ perhaps cookie_P） To correctly request the page status code 200
How to distinguish between several generations of versions , see cookie_T（ perhaps cookie_P） The first number of , The vast majority of generations can be identified by this number ;cookie_T（ perhaps cookie_P）, The difference is P representative (https)、T representative (http) It's actually a different agreement , Common are ：gOEoYMGvg36yT、neCYtZEjo8GmP、9CKCOkIaqzqET、DLjfPow8PDr4T;
load vm Of 1 More than ten thousand lines of code Inlet characteristics Yes 3 Kind of , Pictured 4 generation 、 Old edition 5 generation 、 new edition 5 generation , See this article for more detailed version differentiation

Two 、cookie Formal logical analysis

The following process can be understood as a one-step debugging process ,cookie You can read this article first , meanwhile vm Before thinking analysis, you can Look at this article
1、 First type script Break point and refresh the web page , First, the external chain will be loaded js file （ Let's call it version.js）, It may be a little stuck here. Just wait a while , And will js The contents of the file are assigned to global variables $_ts This object
2、 Keep following script Breakpoints go , It will jump to a self executing function of the source code js here , Let's call it main.js
3、main.js Execute to call The location of , Only two things have been done ：$_ts Objects have many properties ,version.js The file was decrypted into VM The executable js Code , Get into call Function for decrypted to vm Of js Code , We call it... For short vm.js
4、 Then passed hook_cookie + Stack backtracking location we know generate cookie The entrance to is vm In code _$6p(); ===》 _$co(772, 1) ===》 _$co(742, _$TI, false); This position , To 742 The control flow of starts to generate cookie Logic.
5、 So we'll search directly next time (772, 1) Look for cookie Entry generation logic for （ Pay attention to the point ： From now on, you need to save a static file for fiddler Replace or overrides Replace to start static analysis , Prevent each refresh of function variable names from being dynamic and difficult to analyze , It's not easy to buckle ）
6、742 The first step in the control flow code is to jump here , First, a timestamp difference is generated , In the rear 128 The number of digits in the group will be changed to 8 Digit group push go in
7、742 The second step of the control flow code is to jump here , take _$$d A variable is assigned to another variable _$$E,( In the middle of the _$Wp Variables are only used to determine which way to change the control flow if ~else Of , Next, many processes will use similar judgments to change the direction of control flow , Ignore here )
8、742 The third step of the control flow code is to jump here , Get into 279 New control flow for , The core main logic is 279 In the control stream
9、279 The first step of control flow , First, define a local variable as follows
10、279 The second step of the control flow code is to jump here _$co(157);, Are some automated tools for feature detection （msCrypto、ActiveXObject、_Selenium_IDE_Recorder,_selenium,callSelenium） etc. , If any , There will be 3 Global variables will be changed , The default does not change , So there is no need to enter the control flow for debugging
11、279 The third step of the control flow code is to jump here _$Sc(4, _$t2); There will be a global variable that will change , Later on 128 There will be... In the digit group push go in , among _$t2 If this is true It will change 25165824, Default undefined
12、279 The fourth step of the control flow code is to jump here , Generated _$qC, One 128 Bit empty array
13、279 The fifth step of the control flow code is to jump here , It's very important ,695 The control flow of will $_ts Of 5 Values generate 20 Digit group , Among them is 4 The order of values is very important and needs to be mapped
14、695 The first step of the control flow code will $_ts The first value of generates 16 Digit group , The second step code will 16 Digit group and 4 Values are connected
15、279 The sixth step of the control flow code is to jump here , The difference of the previous timestamp is converted to 8 Digit group
16、279 Control flow seventh 、 8、 ... and 、 Nine 、 The ten step code jumps here ,_$qC128 Bit empty array has push 了 6 One went in
17、279 Control flow step 11 ,push One. _$34 Four bit array of , This 4 The bit group is obtained in the initialization process _$ts An array generated by one of the values
18、279 Control flow 12th 、 Thirteen steps ,push One. _$CL An eight bit array of , This 8 The digit group can be written to death for the time being ; then push There's a 0 Also write death first
19、279 Control flow fourteenth 、 15、 ... and 、 Sixteen steps , then push 了 3 Representative is Chrome; then push One. 8 Digit group （ Here's one _$bJ=25165824, If the previous selenium When detected , This value will change ）; then push 了 14 Fixed value
20、279 Control flow step 18 , Indexes _$1g Preemption ,push One. undefined, Then there will be values to override this undefined, at present _$qC128 The digit group has push 了 13 A the
21、279 Control flow step 19 ,_$co(58) This control flow will return with localStorage Related values , If it's worth it , will push One 20 Digit group , Not this time push
22、279 Control flow step 20 ,_$co(247, _$_j[580]); This control flow will return localStorage["$_f0"] Value , If it's worth it , will push One 20 Digit group , Not this time push
23、279 Control flow step 21 ,_$co(247, _$_j[154]); This control flow will return localStorage["$_fh0"] Value , If it's worth it , will push One 20 Digit group , Not this time push
24、279 Control flow step 22 ,_$co(247, _$_j[636]); This control flow will return localStorage["$_f1"] Value , If it's worth it , will push One 20 Digit group , Not this time push
25、279 Control flow step 23 ,_$Jk Is the value corresponding to the network status NetworkInformation.type, This return is 0, then _$ty Or operation

Insert picture description here

26、279 There is another wave of judgment in the control flow , return localStorage Correlation value , As usual undefined, If it's worth it , will push One 20 Digit group , Not this time push
27、279 Control flow step 24 ,push A fixed value 4, It's initializing 777 Control flow generated by , then _$ty Or operation

==》
28、279 Control flow step 25 ,_$ty Or operation , then push One. 'https:443'.length, Then return the protocol port at the same time 9 The digit group again push
29、279 Control flow step 25 ,_$1g Preemption The index of , Here will be multiple or operations _$ty Turn it into 4 The digit group is supplemented by , thus 128 Digit group push Finished ,17 Bit length （localStorage It will be longer if it is worth it ）
30、279 Control flow step 25 , Keep intercepting 128 Before the digit group 17 Bit has been assigned
31、279 Step 26 of the control flow returns 128 Digit group final 17 Bit all merged and spliced array , thus 279 Control flow pairs 128 The operation of digit group is over , Continue to go 742 Control flow logic
32、742 The control flow then enters 279 Control the entry of the flow , The generated results give _$ty
33、742 Control flow step 4 code , It generates a 32 Digit group
34、742 Control flow step 5 code ,
35、742 Control flow step 6 code , That by 17 The bit merged array is now connected to another _$ts Value , Calculate a large value , Then the large value is converted to 4 The digit group is connected to 17 Bit merged array
36、742 Control flow step 7 code , For timestamp , The timestamp difference is converted to an array , And it turns into cookie Prefix string
37、742 Control flow step 8 code , Generated cookie, Will be 5 + Timestamp array string + （128 A combination of digits + 32 A combination of digits ） Array string converted to , thus 742 Control flow has ended , go back to 772 Control flow of
38、772 Control flow into 742 Control the entry of the flow , Generated _$$d namely cookie
39、772 The control flow then puts _$$d namely cookie Given to document.cookie, thus （772,1） Control flow ends
40、 Finally, the logic flow of the deduction code is as follows

3、 ... and 、cookie Operations after generation

1、_$6p() The function performs the generation cookie after , The remaining 2 And then bind functions to some global objects , And then Back to cookie To the front main.js 了
2、 among _$6p() Function generation completed cookie after , give back _$ts The property of is bound to a function ; And then there's the modification xhr Object , Pictured xhr.open To be changed to another function ; modify xhr After the object is changed Storage.$_nd value , This parameter may be used in suffix generation

Four 、 Suffix generation analysis

1、 Suffix generation is recommended to see This article , as well as This article details why suffixes are not found , First determine which request and what suffix , If here search request , Two suffix parameters , Actually sum 4 Generation suffixes are the same xhr.open The function has been modified
2、 After the page has been loaded , Open the console and infinite will pop up debugger, then never pause here Beyond infinity debugger, then xhr Lower breakpoint , Then click the search button to trigger xhr request , It will automatically break to the following page , Then start to analyze
3、_$9v Function is the specific logical part of generating suffix , First pair url Parameter to array , Then generate the suffix hKHnQfLv, And then generate the suffix 8X7Yi61c
4、 The final suffix logic flow is as follows