[100 Cases of JS Reverse] The fourth question of the anti-climbing practice platform for net losers: JSFuck encryption

Pay attention to WeChat public account: Brother K crawler, continue to share advanced crawler, JS/Android reverse engineering and other technical dry goods!

statement

All the content in this article is for learning and communication only. The captured content, sensitive URLs, and data interfaces have been desensitized, and it is strictly forbidden to use them for commercial or illegal purposes. Otherwise, all the consequences arising therefrom will have nothing to do with the author. Infringement, please contact me to delete it immediately!

Reverse target

• Goal: Netluo’s anti-crawler training platform Question 4: JSFuck encryption
• Link: http://spider.wangluozhe.com/challenge/4
• Introduction: This question still requires collecting all the numbers of 100 pages, and calculating the sum of all the data, you need to extract the source code for calculation, mainly using JSFuck encryption

Introduction to JSFuck

JSFuck, AAEncode, and JJEncode are all the same author. JSFuck was created by Yosuke HASEGAWA of Japan in 2010. It can encode any JavaScript into an obfuscated form using only 6 symbols []()!+ . In 2012, Martin Kleppe created a jsfuck on GitHub. Project and a JSFuck.com website, which contains a web application implemented using the encoder. JSFuck can be used to bypass the detection of malicious code submitted on a website, such as a cross-site scripting (XSS) attack. Another potential use of JSFuck is code obfuscation. Currently, jQuery already has a fully functional version after JSFuck obfuscation.

Online experience address: https://utf-8.jp/public/jsfuck.html http://www.jsfuck.com/

A normal piece of JS code:

alert(1)

The code after JSFuck obfuscation is similar to:

[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])

The common elements, numbers, and symbols conversion in JSFuck are as follows. For more elements, please refer to JSFuck official GitHub or JSFuck Wikipedia :

Let's take the letter a as an example to demonstrate the confusion process:

1. "false"[1] : The letter a is taken from the string false. In false, the index value of a is 1;
2. (false+[])[1] : false can be written as false+[], that is, the Boolean constant false plus an empty array;
3. (![]+[])[1] : false can also be written as ![], that is, negation is applied to an empty array;
4. (![]+[])[+true] : 1 is a number, we can write it as +true;
5. (![]+[])[+!![]] : Since false is ![], true is !![], and the final obfuscated code is generated.

JSFuck deobfuscation method

JSFuck is usually executed in the form of Function(xxx)() and eval(xxx) when calling methods. Therefore, JSFuck's common de-obfuscation methods are as follows:

1. Use online tools to directly decrypt, such as: https://lelinhtinh.github.io/de4js/ ;
2. In the case of Function, copy the content in the second-to-last parenthesis of the outermost layer of the code, put it in the browser and execute it directly to see the source code;
3. In the case of eval, copy the content in the last parenthesis of the outermost layer of the code, put it in the browser and execute it directly to see the source code;
4. Use the Hook method, Hook Function and eval respectively, and print out the source code;
5. Use AST to de-obfuscate, AST's tutorial K will also be written later, this article will not introduce it in detail.

For example alert(1) , copy the content in the last bracket of the outermost layer to the browser, you can see the source code:

Reverse parameters

The goal of the reverse engineering is mainly the _signature . The encryption method called is still window.get_sign() , which is the same as the previous questions. This article will not repeat them. If you are unclear, you can go to the previous article of Brother K.

Continue to follow up, and you will find that it is a JSFuck confusion:

We copy this code and put it in the editor. Here we take PyCharm as an example. Since we want to select the content in the matching brackets, we can set the PyCharm bracket matching to be highlighted in red, so that we can find it, click File in turn -Settings-Editor-Color Scheme-General-Code-Matched brace, set Background to a prominent color:

At this time, we select the last parenthesis and look up, and you can clearly see another parenthesis that matches it, as shown in the following figure:

We copy the content inside the brackets (can include the brackets or not), put it in the browser console and run it, you can see the source code:

In addition to this method, we can also use the Hook method to directly capture the source code and print it out. Note that this obfuscated code has no () brackets at the end, that is, it is executed in the eval way. We write the Hook eval code as follows:

eval_ = eval;
eval = function (a){
    debugger;
    return eval_()
}


// 另外提供一个 Hook Function 的代码
// Function.prototype.constructor_ = Function.prototype.constructor;
// Function.prototype.constructor = function (a) {
//     debugger;
//     return Function.prototype.constructor_(a);
// };

Refresh the webpage and disconnect it directly. At this time, the value of a is the source code:

Copy the source code and analyze it locally:

(function () {
    let time_tmp = Date.now();
    let date = Date.parse(new Date());
    window = {};
    let click = window.document.onclick;
    let key_tmp;
    let iv_tmp;
    if (!click) {
        key_tmp = date * 1234;
    } else {
        key_tmp = date * 1244;
    }
    if (time_tmp - window.time < 1000) {
        iv_tmp = date * 4321;
    } else {
        iv_tmp = date * 4311;
    }
    const key = CryptoJS.enc.Utf8.parse(key_tmp);
    var iv = CryptoJS.enc.Utf8.parse(iv_tmp);
    (function tmp(date, key, iv) {
        function Encrypt(word) {
            let srcs = CryptoJS.enc.Utf8.parse(word);
            let encrypted = CryptoJS.AES.encrypt(srcs, key, {
                iv: iv,
                mode: CryptoJS.mode.CBC,
                padding: CryptoJS.pad.Pkcs7
            });
            return encrypted.ciphertext.toString().toUpperCase();
        }

        window.sign = Encrypt(date);
    })(date, key, iv);
})();

It can be seen that it is an AES encryption. The main attention here is to have two if-else statements. The first is to determine whether window.document.onclick exists, and the second is to determine the time difference. We can try to get window.document.onclick and window.time in the console, and take a look. In the end, if you take if or else, you can fill in these two values locally. In fact, after K brother test window.document.onclick is null, then you can get the result no matter if you take if or else, so for this question Say, the two window objects don't matter, just remove them directly, and iv_tmp any values of key_tmp

Since the analysis of this question is completed, after the local rewriting, with the Python code carrying _signature to calculate the data of each page one by one, the final submission is successful:

Complete code

Follow K brother crawler on GitHub and continue to share crawler-related code! Welcome star! https://github.com/kgepachong/

only part of the key code is demonstrated and cannot be run directly! complete code warehouse address: https://github.com/kgepachong/crawler/

JavaScript encryption code

/* ==================================
# @Time    : 2021-12-13
# @Author  : 微信公众号：K哥爬虫
# @FileName: challenge_4.js
# @Software: PyCharm
# ================================== */

var CryptoJS = require('crypto-js')

let date = Date.parse(new Date());
window = {};

let key_tmp = date * 1234;
// let key_tmp = date * 1244;
let iv_tmp = date * 4321;
// let iv_tmp = date * 4311;

const key = CryptoJS.enc.Utf8.parse(key_tmp);
var iv = CryptoJS.enc.Utf8.parse(iv_tmp);
(function tmp(date, key, iv) {
    function Encrypt(word) {
        let srcs = CryptoJS.enc.Utf8.parse(word);
        let encrypted = CryptoJS.AES.encrypt(srcs, key, {
            iv: iv,
            mode: CryptoJS.mode.CBC,
            padding: CryptoJS.pad.Pkcs7
        });
        return encrypted.ciphertext.toString().toUpperCase();
    }

    window.sign = Encrypt(date);
})(date, key, iv);

function getSign() {
    return window.sign
}

// 测试输出
// console.log(getSign())

Python calculation key code

# ==================================
# --*-- coding: utf-8 --*--
# @Time    : 2021-12-13
# @Author  : 微信公众号：K哥爬虫
# @FileName: challenge_4.py
# @Software: PyCharm
# ==================================


import execjs
import requests


challenge_api = "http://spider.wangluozhe.com/challenge/api/4"
headers = {
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Cookie": "将 cookie 值改为你自己的！",
    "Host": "spider.wangluozhe.com",
    "Origin": "http://spider.wangluozhe.com",
    "Referer": "http://spider.wangluozhe.com/challenge/4",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
    "X-Requested-With": "XMLHttpRequest"
}


def get_signature():
    with open('challenge_4.js', 'r', encoding='utf-8') as f:
        ppdai_js = execjs.compile(f.read())
    signature = ppdai_js.call("getSign")
    print("signature: ", signature)
    return signature


def main():
    result = 0
    for page in range(1, 101):
        data = {
            "page": page,
            "count": 10,
            "_signature": get_signature()
        }
        response = requests.post(url=challenge_api, headers=headers, data=data).json()
        for d in response["data"]:
            result += d["value"]
    print("结果为: ", result)


if __name__ == '__main__':
    main()