第一步 点击关键字
visit('U3kwBQctIQAjMHZdVC1xRDs5LVQqURUfKxwQGjQACBZ5VysGVytwfmVgDQBVKSMZYRpbGwxAFhYOKl5JAWZRDw4EXzwWBwMT')
第二步 在控制台输入visit定位
第三步 观察并且下断点
发现存在传入url的函数,并发现一个可疑的“加密”函数!(从后面扣出的代码看,它其实是 base64 加固定密钥异或的可逆混淆,并不是真正的加密。)
补充知识点 单步跟踪和多行跳
最关键一步 扣js代码--缺啥补啥
缺base64decode
缺base64DecodeChars
缺 Gword:这个变量比较特殊,需要写死(直接硬编码它的值)
成功了
中间遇到了一个错误
这个错误是由于被调用的定义放在了最后,调用时找不到它,需要把 base64DecodeChars 的定义放在前面。注意 base64DecodeChars 是解码表数组而不是函数:函数声明会被提升,但用 var 赋值的数组在执行到那一行之前还是 undefined。
爬取多个网站
发现 autourl这个变量,我们继续去断点那看是如何调用的 扣下来
然后修改下输出 把输出图片去掉 我们只要url 最后调用
最终效果
参考代码
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title></title>
</head>
<body>
<script type="text/javascript">
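/**
 * Undo the link obfuscation used by the page under analysis.
 *
 * The input is base64-decoded, XORed byte by byte with the repeating key
 * `Gword + hn`, and the result is base64-decoded a second time.
 *
 * The key is a static string that is delivered to every visitor, so this
 * scheme only obscures the links; it gives them no confidentiality.
 *
 * @param {string} string - obfuscated value, e.g. one entry of `autourl`
 * @returns {string} the decoded value as produced by `base64decode`
 */
function strdecode(string) {
  // All working variables are declared locally. The copied original assigned
  // to undeclared names (key, len, code, i), which leaks globals in a classic
  // script and throws a ReferenceError in strict mode or an ES module.
  var cipher = base64decode(string);
  var key = Gword + hn;
  var keyLen = key.length;
  var code = '';
  for (var i = 0; i < cipher.length; i++) {
    // Repeating-key XOR: byte i is combined with key byte (i mod keyLen).
    code += String.fromCharCode(cipher.charCodeAt(i) ^ key.charCodeAt(i % keyLen));
  }
  return base64decode(code);
}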
// Base64 reverse lookup table: index = ASCII code, value = 6-bit value,
// -1 = not a base64 character. 128 entries, shown 16 per row.
var base64DecodeChars = [
  -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
  -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
  -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,
  52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1,
  -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
  15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1,
  -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
  41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1
];

// The two halves of the XOR key used by strdecode. Gword is hard-coded here
// because it is not available outside the page it was copied from.
// NOTE(review): hn looks like the site's hostname; confirm against the page.
var Gword = '21b5del6oIO57e01a';
var hn = 'ac.scmor.com';

// Debug aid: log one decoded value to the console to see which definitions
// are still missing.
//console.log(strdecode('U3kwBQctIQAjMHZdVC1xRDs5LVQqURUfKxwQGjQACBZ5VysGVytwfmVgDQBVKSMZYRpbGwxAFhYOKl5JAWZRDw4EXzwWBwMT'));

// Obfuscated link values copied from the page; each one is an input to strdecode.
var autourl = [
  "ZAM0RgYmLl0Ne3pZfjZxATgbMlcpJD8HKEMyGDdlfBVsMDcBbzgAf2xjJEhoDDBWYBkAFyE1eAghLA8M",
  "U3kwBQctIQAjMHZdVC1xRDs5LVQqURUfKxwQGjQACBZ5VysGVytwfmVgDQBVKSMZYRpbGwxAFhYOKl5JAWZRDw4EXzwWBwMT",
  "U3kwBQctIQAjMHZPbldbRQApNUc/DlQWKFdWBQ9bCV8=",
  "U3kwBQctIQAjMHZPbhwFRjg2VkUqNyAWP31WBQ8AARQ=",
  "U3kwBQctIQAjMHYGU1ZTRAMmD0cQDisWF31WBzRLBAhXDV1R",
  "U3kwBQctIQAjMHYGU1ZTRAJTLV4pJFRcEEdWBQ9bCAxXHV1R",
  "U3kwBQctIQAjMHZebTJmRgJTNUYQDiMAPkMtBSFFDF8=",
  "U3kwBQctIQAjMHYBVBwFQgJSJR0RIFgZEUMAGQ==",
  "U3kwBQctIQAjMHZPbldYRwMmJVc/DhUHEEM5Bw9cfw1RN1AGVAZxcg=="
];
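/**
 * Decode the entries of `autourl` and print each result on its own line.
 *
 * The decoded strings originate from a third-party page, so they are
 * HTML-escaped before being handed to document.write; otherwise any markup
 * inside a decoded value would be parsed and executed by the browser.
 *
 * Reads the globals `autourl` and `Gword`, and calls `strdecode`.
 */
function run() {
  // Minimal HTML text escaping for the five significant characters.
  function escapeHtml(text) {
    return String(text)
      .replace(/&/g, '&amp;')
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;')
      .replace(/"/g, '&quot;')
      .replace(/'/g, '&#39;');
  }

  // The loop starts at index 1, as in the code copied from the page.
  // NOTE(review): autourl[0] is therefore never printed; confirm that the
  // first entry is meant to be skipped.
  for (var i = 1; i < autourl.length; i++) {
    // Declared locally; the copied original leaked `url` as a global.
    var url = autourl[i];
    if (Gword != '') {
      url = strdecode(url);
    }
    // <br/> is the line break between printed URLs.
    document.write(escapeHtml(url) + '<br/>');
  }
}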
// Call the output function. base64decode is declared further down, which is
// fine because function declarations are hoisted; the base64DecodeChars table
// is a var assignment and must already have executed before this call.
run()
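/**
 * Decode a base64 string using the `base64DecodeChars` lookup table.
 *
 * Characters that are not in the base64 alphabet (whitespace, line breaks,
 * and so on) are skipped. Decoding stops at the first '=' found in the third
 * or fourth position of a group, or when the input runs out.
 *
 * Each character code is masked with 0xff before the lookup, so code units
 * above 0xFF alias onto their low byte.
 *
 * @param {string} str - base64 text
 * @returns {string} decoded data, one character per decoded byte
 */
function base64decode(str) {
  var PAD = 61; // character code of '='
  var len = str.length;
  var i = 0;
  var out = "";
  var c1, c2, c3, c4;

  // The table has 128 entries but the masked code can be as high as 255.
  // Codes past the end of the table are treated as invalid (-1) here; the
  // copied original let `undefined` through, which was then decoded as zero
  // bits and shifted every following group.
  function lookup(code) {
    var value = base64DecodeChars[code];
    return value === undefined ? -1 : value;
  }

  while (i < len) {
    // First sextet: skip invalid characters until one decodes.
    do {
      c1 = lookup(str.charCodeAt(i++) & 0xff);
    } while (i < len && c1 === -1);
    if (c1 === -1) {
      break;
    }

    // Second sextet: completes the first output byte.
    do {
      c2 = lookup(str.charCodeAt(i++) & 0xff);
    } while (i < len && c2 === -1);
    if (c2 === -1) {
      break;
    }
    out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));

    // Third sextet: '=' here means the group held a single byte.
    do {
      c3 = str.charCodeAt(i++) & 0xff;
      if (c3 === PAD) {
        return out;
      }
      c3 = lookup(c3);
    } while (i < len && c3 === -1);
    if (c3 === -1) {
      break;
    }
    out += String.fromCharCode(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2));

    // Fourth sextet: '=' here means the group held two bytes.
    do {
      c4 = str.charCodeAt(i++) & 0xff;
      if (c4 === PAD) {
        return out;
      }
      c4 = lookup(c4);
    } while (i < len && c4 === -1);
    if (c4 === -1) {
      break;
    }
    out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
  }
  return out;
}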
</script>
</body>
</html>