Python处理JS加密和混淆算法获取__jsl_clearance(一)
__jsl_clearance这个Cookie变量很多网站都在使用。目前很多网站都对生成它的JS算法做了处理,
比如加入一些干扰,使其他语言直接调用这段Js代码时会出错、拿不到值。今天我来教大家如何
处理这些干扰拿到结果。
使用抓包工具抓取某一个网站的数据:第一个请求返回521,响应内容是一段JS加密算法;拿到加密结果后
发第二次请求,就可以正常请求并返回200。第一次请求返回的代码如下:
<!--
  JavaScript challenge returned with the HTTP 521 response, in its packed form.

  x : word dictionary. The string is stripped of trailing "@" characters and
      split on "@", giving an array of identifiers and literals.
  y : the challenge source, with every word replaced by a short token.
  f(x, y) : decodes a token into a number by reading it as a numeral in base y
      (y defaults to 99). Characters A to Z map to 36..61 (char code minus 29);
      every other character goes through parseInt(ch, 36).
  z : f() of the single character in y with the highest digit value. Because of
      while(z++), the bases actually tried start at that value plus one.
  Loop: each \b\w+\b token in y is replaced by x[f(token, z) - 1], or by
      "_" + token when that dictionary slot is empty; the result is passed to
      eval. A thrown error is swallowed and the next base is tried; the loop
      stops at the first base whose decoded text runs without throwing.

  NOTE(review): eval here executes text supplied by the server. Replacing eval
  with console.log, as the article does next, prints the decoded source instead
  of running it.
-->
<script>var x="@@join@g@36@__jsl_clearance@false@parseInt@location@@@rOm9XFMtA3QKV7nYsPGT4lifyWwkq5vcjH2IdxUoCbhERLaz81DNB6@firstChild@@2F9k@hantom@@0xEDB88320@56@RegExp@e@2FMLE@@m0@else@8@fromCharCode@for@match@GMT@href@challenge@__p@19@d@@@@@@catch@29@while@@captcha@JYf@as@JgSe0upZ@s@charAt@onreadystatechange@Expires@@try@@@@0@charCodeAt@2@replace@18@@@06@length@eval@toLowerCase@@1500@cookie@f@function@@reverse@toString@substr@@new@@@Path@@a@@@chars@Sun@1534655216@return@@@Aug@if@DOMContentLoaded@@https@@var@@@search@D@String@@@window@Array@@2BAz@addEventListener@@@0xFF@@document@createElement@div@@@@attachEvent@setTimeout@split@g9@innerHTML@1@pathname".replace(/@*$/,"").split("@"),y="25 2l=1q(){2t(\'9.v=9.2y+9.28.1e(/[\\?|&]J-w/,\\\'\\\')\',1n);2m.1o=\'6=1G.G|1b|\'+(1q(){25 2=[1q(2l){1H 2l},1q(2){1H 2},(1q(){25 2l=2m.2n(\'2o\');2l.2w=\'<1B v=\\\'/\\\'>2r</1B>\';2l=2l.d.v;25 2=2l.t(/23?:\\/\\//)[1b];2l=2l.1u(2.1j).1l();1H 1q(2){s(25 2r=1b;2r<2.1j;2r++){2[2r]=2l.13(2[2r])};1H 2.3(\'\')}})()],2r=[[(+!2d[\'x\'+\'g\'+\'10\'])]+[(+!2d[\'x\'+\'g\'+\'10\'])],([-~{}-~{}]*((-~{}-~{}^-~[]))+[]+[[]][1b]),[(+!2d[\'x\'+\'g\'+\'10\'])]+(-~{}-~{}+[]),(-~~~{}-~[(-~![]+[~~[]])/[((+!2d[\'x\'+\'g\'+\'10\'])<<(+!2d[\'x\'+\'g\'+\'10\']))]]+[[]][1b]),(-~((1d)*[(((+!2d[\'x\'+\'g\'+\'10\'])<<(+!2d[\'x\'+\'g\'+\'10\'])))*[((+!2d[\'x\'+\'g\'+\'10\'])<<(+!2d[\'x\'+\'g\'+\'10\']))]])+[]+[[]][1b]),((-~{}-~{}^-~[])+[]+[]),[(+!2d[\'x\'+\'g\'+\'10\'])]+[~~{}],(-~{}-~{}+[]),[~~{}],[([((+!2d[\'x\'+\'g\'+\'10\'])<<(+!2d[\'x\'+\'g\'+\'10\']))]+~~\'\'>>((+!2d[\'x\'+\'g\'+\'10\'])<<(+!2d[\'x\'+\'g\'+\'10\'])))],[(-~~~{}+[((+!2d[\'x\'+\'g\'+\'10\'])<<(+!2d[\'x\'+\'g\'+\'10\']))]>>((+!2d[\'x\'+\'g\'+\'10\'])<<(+!2d[\'x\'+\'g\'+\'10\'])))+([((+!2d[\'x\'+\'g\'+\'10\'])<<(+!2d[\'x\'+\'g\'+\'10\']))]+~~\'\'>>((+!2d[\'x\'+\'g\'+\'10\'])<<(+!2d[\'x\'+\'g\'+\'10\'])))],[-~-~[]-~-~[]],[(+!2d[\'x\'+\'g\'+\'10\'])]];s(25 
2l=1b;2l<2r.1j;2l++){2r[2l]=2[[1b,2x,1d,2x,1b,2x,1b,2x,1d,1b,2x,1b,2x][2l]]([[[(+!2d[\'x\'+\'g\'+\'10\'])]+(-~{}-~{}+[])],\'29\',\'o\',\'K%2g%m\',((-~{}-~{}^-~[])+[]+[]),[[]-{}+[]][1b].13(1d),\'2v\',\'l\',\'12%f%\',[{}+[]+[[]][1b]][1b].13(-~{}+[~~{}]-(-~{})),(!~~\'\'+[]).13((+!2d[\'x\'+\'g\'+\'10\']))+[!\'\'+[[]][1b]][1b].13(~~{})+[!{}+[]+[]][1b].13((-~-~[]<<(+!2d[\'x\'+\'g\'+\'10\']))),({}+[]+[[]][1b]).13((1d)*[(((+!2d[\'x\'+\'g\'+\'10\'])<<(+!2d[\'x\'+\'g\'+\'10\'])))*[((+!2d[\'x\'+\'g\'+\'10\'])<<(+!2d[\'x\'+\'g\'+\'10\']))]]),[[-~-~[]-~-~[]]]][2r[2l]])};1H 2r.3(\'\')})()+\';15=1F, y-1K-1f 1i:1i:j u;1z=/;\'};20((1q(){17{1H !!2d.2h;}F(l){1H 7;}})()){2m.2h(\'21\',2l,7)}p{2m.2s(\'14\',2l)}",f=function(x,y){var a=0,b=0,c=0;x=x.split("");y=y||99;while((a=x.shift())&&(b=a.charCodeAt(0)-77.5))c=(Math.abs(b)<13?(b+48.5):parseInt(a,36))+y*c;return c},z=f(y.match(/\w/g).sort(function(x,y){return f(x)-f(y)}).pop());while(z++)try{eval(y.replace(/\b\w+\b/g, function(y){return x[f(y,z)-1]||("_"+y)}));break}catch(_){}</script>
分析上面的Js:在本地新建一个Html文件,打开网站的JS代码格式化工具箱,格式化上面的代码,把代码放入Html中
(不格式化直接放进去也可以),用Chrome浏览器打开调试,打开开发者工具查看代码结果。
结果是一段错误值,页面还在不停地刷新。接下来分析一下代码,使用Notepad++打开文件。
通过分析得出是这一段在起作用:它一直在循环,eval返回了错误,值肯定是从这里返回的。
把eval修改成console.log,把返回值打印到控制台而不是执行它,修改后保存,重新刷新。
复制打印出来的代码,用格式化工具箱处理后分析。其实上面就是一段JS的加密代码,最关键的是打印出来的这一段代码,格式化后如下:
/*
 * Decoded challenge body, as printed by console.log in place of eval.
 * NOTE(review): the inline numbers 1..40 and the backslash-escaped quotes look
 * like artifacts of how this listing was pasted, not part of the program.
 *
 * _2l (page-load handler):
 *   - schedules, after 1500 ms, a navigation to location.pathname +
 *     location.search with the captcha-challenge query parameter removed;
 *   - assigns document.cookie = '__jsl_clearance=1534655216.29|0|' + token
 *     + ';Expires=Sun, 19-Aug-18 06:06:56 GMT;Path=/;'.
 *
 * token (inner function):
 *   - _2 holds three helpers: the first two return their argument unchanged;
 *     the third builds an <a href='/'> element, reads back its resolved href,
 *     drops the http(s):// prefix, lowercases the rest, and returns a function
 *     that maps each number in an array to the character at that position of
 *     that string. Its output therefore depends on the URL the page is
 *     loaded from.
 *   - _2r starts as 13 obfuscated expressions that evaluate to indexes. The
 *     loop replaces each with helper(table[index]), where table is the
 *     13-element literal array and the helper is picked by the fixed list
 *     [0, 1, 2, 1, 0, 1, 0, 1, 2, 0, 1, 0, 1]. The pieces are then joined.
 *   - +!window['__p' + 'hantom' + 'as'] is 1 when window.__phantomas is
 *     absent or falsy and 0 when it is set, so the index arithmetic, and with
 *     it the cookie value, changes if that global exists; presumably a check
 *     for an automation tool, to be confirmed.
 *
 * The final if/else registers _2l on DOMContentLoaded via addEventListener,
 * or on onreadystatechange via attachEvent when addEventListener is missing.
 */
1 var _2l = function() { 2 setTimeout(\'location.href=location.pathname+location.search.replace(/[\?|&]captcha-challenge/,\\'\\')\', 1500); 3 document.cookie = \'__jsl_clearance=1534655216.29|0|\' + (function() { 4 var _2 = [function(_2l) { 5 return _2l 6 }, 7 function(_2) { 8 return _2 9 }, 10 (function() { 11 var _2l = document.createElement(\'div\'); 12 _2l.innerHTML = \'<a href=\\'/\\'>_2r</a>\'; 13 _2l = _2l.firstChild.href; 14 var _2 = _2l.match(/https?:\/\//)[0]; 15 _2l = _2l.substr(_2.length).toLowerCase(); 16 return function(_2) { 17 for (var _2r = 0; _2r < _2.length; _2r++) { 18 _2[_2r] = _2l.charAt(_2[_2r]) 19 }; 20 return _2.join(\'\') 21 } 22 })()], 23 _2r = [[( + !window[\'__p\' + \'hantom\' + \'as\'])] + [( + !window[\'__p\' + \'hantom\' + \'as\'])], ([ - ~ {} - ~ {}] * (( - ~ {} - ~ {} ^ -~ [])) + [] + [[]][0]), [( + !window[\'__p\' + \'hantom\' + \'as\'])] + ( - ~ {} - ~ {} + []), ( - ~~~ {} - ~ [( - ~ ! [] + [~~ []]) / [(( + !window[\'__p\' + \'hantom\' + \'as\']) << ( + !window[\'__p\' + \'hantom\' + \'as\']))]] + [[]][0]), ( - ~ ((2) * [((( + !window[\'__p\' + \'hantom\' + \'as\']) << ( + !window[\'__p\' + \'hantom\' + \'as\']))) * [(( + !window[\'__p\' + \'hantom\' + \'as\']) << ( + !window[\'__p\' + \'hantom\' + \'as\']))]]) + [] + [[]][0]), (( - ~ {} - ~ {} ^ -~ []) + [] + []), [( + !window[\'__p\' + \'hantom\' + \'as\'])] + [~~ {}], ( - ~ {} - ~ {} + []), [~~ {}], [([(( + !window[\'__p\' + \'hantom\' + \'as\']) << ( + !window[\'__p\' + \'hantom\' + \'as\']))] + ~~\'\' >> (( + !window[\'__p\' + \'hantom\' + \'as\']) << ( + !window[\'__p\' + \'hantom\' + \'as\'])))], [( - ~~~ {} + [(( + !window[\'__p\' + \'hantom\' + \'as\']) << ( + !window[\'__p\' + \'hantom\' + \'as\']))] >> (( + !window[\'__p\' + \'hantom\' + \'as\']) << ( + !window[\'__p\' + \'hantom\' + \'as\']))) + ([(( + !window[\'__p\' + \'hantom\' + \'as\']) << ( + !window[\'__p\' + \'hantom\' + \'as\']))] + ~~\'\' >> (( + !window[\'__p\' + \'hantom\' + \'as\']) << ( + !window[\'__p\' 
+ \'hantom\' + \'as\'])))], [ - ~ - ~ [] - ~ - ~ []], [( + !window[\'__p\' + \'hantom\' + \'as\'])]]; 24 for (var _2l = 0; _2l < _2r.length; _2l++) { 25 _2r[_2l] = _2[[0, 1, 2, 1, 0, 1, 0, 1, 2, 0, 1, 0, 1][_2l]]([[[( + !window[\'__p\' + \'hantom\' + \'as\'])] + ( - ~ {} - ~ {} + [])], \'D\', \'m0\', \'JYf%2BAz%2FMLE\', (( - ~ {} - ~ {} ^ -~ []) + [] + []), [[] - {} + []][0].charAt(2), \'g9\', \'e\', \'s%2F9k%\', [{} + [] + [[]][0]][0].charAt( - ~ {} + [~~ {}] - ( - ~ {})), (!~~\'\' + []).charAt(( + !window[\'__p\' + \'hantom\' + \'as\'])) + [!\'\' + [[]][0]][0].charAt(~~ {}) + [!{} + [] + []][0].charAt(( - ~ - ~ [] << ( + !window[\'__p\' + \'hantom\' + \'as\']))), ({} + [] + [[]][0]).charAt((2) * [((( + !window[\'__p\' + \'hantom\' + \'as\']) << ( + !window[\'__p\' + \'hantom\' + \'as\']))) * [(( + !window[\'__p\' + \'hantom\' + \'as\']) << ( + !window[\'__p\' + \'hantom\' + \'as\']))]]), [[ - ~ - ~ [] - ~ - ~ []]]][_2r[_2l]]) 26 }; 27 return _2r.join(\'\') 28 })() + \';Expires=Sun, 19-Aug-18 06:06:56 GMT;Path=/;\' 29 }; 30 if ((function() { 31 try { 32 return !! window.addEventListener; 33 } catch(e) { 34 return false; 35 } 36 })()) { 37 document.addEventListener(\'DOMContentLoaded\', _2l, false) 38 } else { 39 document.attachEvent(\'onreadystatechange\', _2l) 40 }
把上面的Js代码放入刚才的Html文件中的Script标签中间,保存后继续刷新浏览器看结果。
按图上所说的修改代码如下:为便于查看结果,把document.cookie =修改为console.log(),后面的括号一定要找到
正确的位置,修改后如下图所示。
保存后继续刷新页面,看结果,奇迹出现了:
结果出现在了控制台中,这就是我们所需要的值。再去对比一下抓包工具返回的值,验证一下正确性:
Cookie: __jsl_clearance=1534655216.29|0|Og99ebJYf%2BAz%2FMLErtem0mNs%2F9k%3D
__jsl_clearance=1534655216.29|0|Og99ebJYf%2BAz%2FMLErtem0mNs%2F9k%3D;Expires=Sun, 19-Aug-18 06:06:56 GMT;Path=/;
上面的两个值完全一样,说明成功了,到此为止,分析JS的问题就完成了。
接下来用Python实现我们手动操作的部分,详见下一个教程