JS逆向|使用express框架开启服务并替换加密字符串

举报
悦来客栈的老板 发表于 2020/12/29 00:36:53 2020/12/29
3.5k+ 0 0
【摘要】 在阅读本文之前请确保电脑已安装好Node.js. express,根据其Github上的描述,是一个: Fast, unopinionated, minimalist web framework for node. 其Github地址: https://github.com/expressjs/express 根据其Readme文档,安装: npm in...

在阅读本文之前请确保电脑已安装好Node.js.

express,根据其Github上的描述,是一个:

Fast, unopinionated, minimalist web framework for node.

  

其Github地址:

https://github.com/expressjs/express

  

根据其Readme文档,安装:

npm install express

  

保存演示code:


       const express = require('express')
       const app = express()
       app.get('/', function (req, res) {
         res.send('Hello World')
       })
       app.listen(3000)
   
  

然后运行(控制台下输入node xxx.js),并打开浏览器,输入:

http://127.0.0.1:3000/

  

并回车,得到浏览器上的结果:

当然,这仅仅是个简单的例子,还需要了解function (req, res)的用途,上面的代码稍微改一下:


       app.get('/', function (req, res) {
         console.log(req.query);  //只增加这一行,看看打印结果
         res.send('Hello World')
       })
   
  

在浏览器上输入如下URL,并回车:

http://127.0.0.1:3000/?sign=123456

  

查看命令行下的结果:

这样就清楚了,直接构造参数,然后用res.send返回结果。

继续沿用上一篇文章的代码,将 大数组 + 位移函数 + 解密函数的代码添加进来,并构造参数,如下:


       const express = require('express')
       const app = express()
       var _0x2075 = ['wrw3EMKc', 'BBdBHWk=', 'wplgd8O5dHbDtFfDucK9CsOS', 'f8KvAcKewoDClg==', 'XcKowo9uOyfChw==', 'XcKowpRzOzDCgMKuw5vCtH8=', 'HmQkw5vDt8OIBDbCpMKdw6Aaw7HDmcKb', 'wpxzdMO4', 'R8KHF1k1w5A=', 'w4LDgcOowrjDhg==', 'w6RKw6PCmVDDpw==', 'w6DDgsKrCsK5wqAwKsOMTkPDilwgB241RVBIw6rCvwpWw5fCo8OSw59pBcK7UlrCucOZHy7DgsO5wpx5J8K5wqbCtMOMwqvCsiUFw5s4JGfDmwQPw7Fawq3CgXlkJyE=', 'VcObYsOHKcKpwpI=', 'KkZfcE52w77ChsKgUQ==', 'CmQsw57DvA==', 'YV7CscOYZg==', 'w5jDt8OUwr46w5c6LsKEPsO0', 'F8OUMQhRw78Q', 'YMKzeTvCpMKzHcKKGSjCj2dJwq3Cj3/ChsKSFVpMw4sZwrg9H8OLw4/DqUlhYlpaa8KYJsO5AcK2wqnCmGhEwqkbdMKKLsO/wpBFMcKlC8OvKUkXZ8KpBsOxw4XDk8K5w4Y6w7VZO8K/wojCqcO2wqQow5Z+w6dew7I3TMObw6Ykw7I=', 'Mk8Bw6QawqU=', 'wo5zw4vCkxvDuSBqwoENw7rCrF3DksKewoPDqMKHNSzCgcK2fcKxPMKbGcKwCW5GZWRpw6fDmgHCjXrCnXE3w4zDqlt3w64lw7JiworDi8Knw5YoW1LDlUbDpkEtGQPDnw==', 'w6lvdMKW', 'w7JFdsOhwrBqwrlMYcKVJRjCuMKQwpLDtMONwprCsMORw4BtRV0oeEQPCgAmMgx2'];
       (function(_0xf486e7, _0x2075d7) {
       var _0x5c3a18 = function(_0x5b65b1) {
       while (--_0x5b65b1) {
        _0xf486e7['push'](_0xf486e7['shift']());
        }
        };
        _0x5c3a18(++_0x2075d7);
       }(_0x2075, 0xa4));
       var _0x5c3a = function(_0xf486e7, _0x2075d7) {
        _0xf486e7 = _0xf486e7 - 0x0;
       var _0x5c3a18 = _0x2075[_0xf486e7];
       if (_0x5c3a['vEVEZj'] === undefined) {
        (function() {
       var _0x2e1ca4;
       try {
       var _0x28e173 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
        _0x2e1ca4 = _0x28e173();
        } catch (_0x16acc9) {
        _0x2e1ca4 = window;
        }
       var _0x16f958 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
        _0x2e1ca4['atob'] || (_0x2e1ca4['atob'] = function(_0x5a7812) {
       var _0x3c7e74 = String(_0x5a7812)['replace'](/=+$/, '');
       var _0x5e030c = '';
       for (var _0x4eaee2 = 0x0, _0x5954ef, _0x29200e, _0x5a128b = 0x0; _0x29200e = _0x3c7e74['charAt'](_0x5a128b++); ~_0x29200e && (_0x5954ef = _0x4eaee2 % 0x4 ? _0x5954ef * 0x40 + _0x29200e : _0x29200e,
        _0x4eaee2++ % 0x4) ? _0x5e030c += String['fromCharCode'](0xff & _0x5954ef >> (-0x2 * _0x4eaee2 & 0x6)) : 0x0) {
        _0x29200e = _0x16f958['indexOf'](_0x29200e);
        }
       return _0x5e030c;
        }
        );
        }());
       var _0x3acf89 = function(_0x593a19, _0xfee22e) {
       var _0x1b5349 = [], _0x4ddb21 = 0x0, _0x28ed27, _0x4b4996 = '', _0xbdd0c6 = '';
        _0x593a19 = atob(_0x593a19);
       for (var _0x1d6343 = 0x0, _0x3f947e = _0x593a19['length']; _0x1d6343 < _0x3f947e; _0x1d6343++) {
        _0xbdd0c6 += '%' + ('00' + _0x593a19['charCodeAt'](_0x1d6343)['toString'](0x10))['slice'](-0x2);
        }
        _0x593a19 = decodeURIComponent(_0xbdd0c6);
       var _0x1a120c;
       for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
        _0x1b5349[_0x1a120c] = _0x1a120c;
        }
       for (_0x1a120c = 0x0; _0x1a120c < 0x100; _0x1a120c++) {
        _0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c] + _0xfee22e['charCodeAt'](_0x1a120c % _0xfee22e['length'])) % 0x100;
        _0x28ed27 = _0x1b5349[_0x1a120c];
        _0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
        _0x1b5349[_0x4ddb21] = _0x28ed27;
        }
        _0x1a120c = 0x0;
        _0x4ddb21 = 0x0;
       for (var _0x585b7f = 0x0; _0x585b7f < _0x593a19['length']; _0x585b7f++) {
        _0x1a120c = (_0x1a120c + 0x1) % 0x100;
        _0x4ddb21 = (_0x4ddb21 + _0x1b5349[_0x1a120c]) % 0x100;
        _0x28ed27 = _0x1b5349[_0x1a120c];
        _0x1b5349[_0x1a120c] = _0x1b5349[_0x4ddb21];
        _0x1b5349[_0x4ddb21] = _0x28ed27;
        _0x4b4996 += String['fromCharCode'](_0x593a19['charCodeAt'](_0x585b7f) ^ _0x1b5349[(_0x1b5349[_0x1a120c] + _0x1b5349[_0x4ddb21]) % 0x100]);
        }
       return _0x4b4996;
        };
        _0x5c3a['HKkhxp'] = _0x3acf89;
        _0x5c3a['eabUGz'] = {};
        _0x5c3a['vEVEZj'] = !![];
        }
       var _0x5b65b1 = _0x5c3a['eabUGz'][_0xf486e7];
       if (_0x5b65b1 === undefined) {
       if (_0x5c3a['vszZjY'] === undefined) {
        _0x5c3a['vszZjY'] = !![];
        }
        _0x5c3a18 = _0x5c3a['HKkhxp'](_0x5c3a18, _0x2075d7);
        _0x5c3a['eabUGz'][_0xf486e7] = _0x5c3a18;
        } else {
        _0x5c3a18 = _0x5b65b1;
        }
       return _0x5c3a18;
       };
       app.get('/', function (req, res) {
         //req.query = {callback:"_0x5c3a('0x8', 'CwZq')"}
        let callback = req.query.callback;
         let value = eval(callback); //直接eval计算传递进来的解密函数及参数
        console.log(callback,value);
         res.send(value)  //结果
       })
       app.listen(3000)
   
  

在node下运行后,在浏览器上进行简单的测试:

http://127.0.0.1:3000/?callback=_0x5c3a('0x8', 'CwZq')

  

回车后的结果:

这样,我们就可以用requests库进行请求,代码如下:


       reg = re.compile(r"_0x5c3a\([\s\S]{12,14}'\)")
       results = reg.findall(code) # code是所有混淆代码
       for result in results:
           params = {"callback":result} #构造参数
           r = requests.get("http://127.0.0.1:3000/",params = params) #请求
       print (result,r.text) #打印结果
        code = code.replace(result,"'" + r.text + "'") #全局替换
   
  

结果如下:

和上一篇文章的结果一致,但效果明显要好很多,特别是在处理多个这样的调用时,其性能不是一个量级,因此在这里建议,卸载掉电脑上的pyexecjs在这个库吧,反正也没再更新了。

不过这里在使用get时,遇到了一个坑,就是当提交的参数里面包含特殊字符时(比如'&'),可能会解析错误,因此建议使用post方式,可自行百度相关教程。

文章来源: blog.csdn.net,作者:悦来客栈的老板,版权归原作者所有,如需转载,请联系作者。

原文链接:blog.csdn.net/qq523176585/article/details/109508031

【版权声明】本文为华为云社区用户转载文章,如果您发现本社区中有涉嫌抄袭的内容,欢迎发送邮件进行举报,并提供相关证据,一经查实,本社区将立刻删除涉嫌侵权内容,举报邮箱: cloudbbs@huaweicloud.com
  • 点赞
  • 收藏
  • 关注作者

作者其他文章

评论(0

抱歉,系统识别当前为高风险访问,暂不支持该操作

    全部回复

    上滑加载中

    设置昵称

    在此一键设置昵称,即可参与社区互动!

    *长度不超过10个汉字或20个英文字符,设置后3个月内不可修改。

    *长度不超过10个汉字或20个英文字符,设置后3个月内不可修改。