Incapsula js加密混淆分析


js破解之Incapsula cdn


目标网址:https://booking.volotea.com
在该站点上抓包可以看到,需要 3 次请求才会返回正常的数据。本文的目的是分析图中的这个参数值。
抓包1
从上一条数据看到js代码
简单分析一下 eval 函数,即可拿到混淆后的代码。
代码量不大,只有 1000 多行,因此没有通过 AST 反混淆,而是直接调试。中间会有死循环代码导致浏览器崩溃(这类死循环通常是一种反调试手段),直接删掉即可。
慢慢跟踪即可找到生成该值的函数(RC4)。
最后整理下思路:
首先是数组重组(对字符串数组做循环移位):

// String-table rotation step of the obfuscated script.
// The string array `_0x4f01` (defined elsewhere in the script) is stored in a
// shifted order; this IIFE rotates it left in place so that the numeric
// indexes used by the rest of the script point at the intended entries.
(function (stringTable, rotateBy) {
    // `rotateBy` (0xe5) is accepted but never read in this excerpt; the count
    // below is hard-coded instead.
    var rotateLeft = function (count) {
        // Mirrors `while (--count)`: the counter is decremented before the
        // first test, so the body runs `count - 1` times.
        for (count -= 1; count; count -= 1) {
            // Move the head of the table to the tail.
            stringTable.push(stringTable.shift());
        }
    };
    // 0xe5 + 1 compensates for the pre-decrement: 0xe5 (229) rotations happen.
    rotateLeft(0xe5 + 1);
}(_0x4f01, 0xe5));

然后是解密代码(Base64 解码后做 RC4 解密):

        /**
         * String decoder of the obfuscated script: base64-decodes its first
         * argument, re-reads the resulting bytes as UTF-8, and then runs RC4
         * over the text with the second argument as the key.
         *
         * RC4 serves only as obfuscation here: the key is supplied by the
         * caller in the same client-side script, so it gives no
         * confidentiality against anyone who can read that script.
         *
         * @param {string} encoded - base64 text holding the encrypted string.
         * @param {string} key - RC4 key; its UTF-16 code units are used as key bytes.
         * @returns {string} the decrypted string.
         * @throws {URIError} from decodeURIComponent when the decoded bytes are
         *   not valid UTF-8.
         */
        var _0xdfe4f5 = function(encoded, key) {
            var sbox = [];
            var plain = '';

            // Exchange two S-box entries in place.
            var swap = function (a, b) {
                var held = sbox[a];
                sbox[a] = sbox[b];
                sbox[b] = held;
            };

            // Step 1: base64 -> binary string, then percent-encode every byte
            // ("%hh") so decodeURIComponent can reinterpret the bytes as UTF-8.
            var raw = atob(encoded);
            var escaped = '';
            for (var pos = 0; pos < raw.length; pos += 1) {
                var hex = '00' + raw.charCodeAt(pos).toString(16);
                escaped += '%' + hex.slice(-2);
            }
            var cipher = decodeURIComponent(escaped);

            // Step 2: RC4 key scheduling over a 256-entry identity permutation.
            var i;
            for (i = 0; i < 256; i += 1) {
                sbox[i] = i;
            }
            var j = 0;
            for (i = 0; i < 256; i += 1) {
                j = (j + sbox[i] + key.charCodeAt(i % key.length)) % 256;
                swap(i, j);
            }

            // Step 3: RC4 keystream generation, XORed with each character of
            // the ciphertext.
            var x = 0;
            var y = 0;
            for (var idx = 0; idx < cipher.length; idx += 1) {
                x = (x + 1) % 256;
                y = (y + sbox[x]) % 256;
                swap(x, y);
                var keystreamByte = sbox[(sbox[x] + sbox[y]) % 256];
                plain += String.fromCharCode(cipher.charCodeAt(idx) ^ keystreamByte);
            }
            return plain;
        };

JS 是动态生成的,所以需要用自己的开发语言通过正则提取出代码中的数组下标和第二个参数(即 RC4 密钥);处理一下 atob 之后,即可用调试工具计算出正确的值。
本文仅作为技术讨论与分享,严禁用于非法用途 逆向交流QQ:321481996
