1.简介
公司网站的接口经常被爬虫爬,时不时就导致服务器压力过大,白白消耗公司服务器资源。于是开始接触js加密这块的业务。发现了不少支持js在线加密的站,以及各种加密方案,在这做个笔记,一一列举各大加密站的优缺点。看看哪种才是最安全的html代码加密方式。
2.加密探索
最开始在网络上搜索js加密,看到了很多解决方案,例如crypto、base64、MD5、sha1、sha256、unicode编码、AES/DES、RSA都是优秀的js加密算法,但是最终我发现,这些加密都是在前端完成的,也就是在用户电脑上完成的,完全透明化的,所以爬虫作者破解难度也很低,他不需要去摸索你这个算法计算的过程,他只要拿到你相同的加密算法代码,就可以通过同样的手段加密出来,继而盗取接口信息。
3.工具介绍
toolfk支持js的不可逆混淆加密,以及一些简单的加密配置。
4.js案例代码
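(function () {
  // Demo snippet that is later fed to the obfuscator: strips every 'A' and 'B'
  // from a message so that 'wwBw.jsjiami.cAom' reads 'www.jsjiami.com', then
  // shows the result. Extending String.prototype is kept only because it is
  // the demo's contract; real code should use a plain helper function instead.

  /**
   * Returns every character of the string that is not 'A' or 'B'.
   * The original used /[^A|B]/g; inside a character class '|' is a literal
   * pipe, so '|' was silently removed as well. /[^AB]/g matches the intent.
   * @returns {string[]} the kept characters, or [] when every character is
   *   'A'/'B' (String.prototype.match returns null in that case, which would
   *   break the chained calls below).
   */
  String.prototype.searchAB = function () {
    return this.match(/[^AB]/g) ?? [];
  };

  // join('') instead of toString().replaceAll(',', ''): the latter also
  // deletes any genuine comma in the text, not only the array separators.
  const str = '本工具由 wwBw.jsjiami.cAom 提供接口。\n专注JS安全领域近10年\n企业化运营\n专业的JS加密研发团队。'.searchAB().join('');

  // alert only exists in browsers; keep the snippet runnable under Node too.
  if (typeof alert === 'function') alert(str);
  console.log(str);
}());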
5.经过Toolfk加密后
// Minified output of the toolfk obfuscator for the snippet in section 4; the
// pretty-printed form in section 6 is the same program. It consists of four
// parts: the string table (toolfk0_0x32d0), the indexed lookup
// (toolfk0_0x5a72), a table-rotation loop that spins until a parseInt()
// checksum over the table equals 0x563a0, and the payload IIFE, which first
// runs an anti-formatting self-check (its own source searched with the regex
// '(((.+)+)+)+$', which backtracks exponentially once the source contains a
// line break), then silences console.log/warn/info/error/exception/table/
// trace, and only then runs the original searchAB/alert/console.log code.
// NOTE(review): the break after `return ` at the end of the first line looks
// like wrapping introduced by the page; if it is really in the file, ASI
// turns it into `return;` and the whole self-check expression is dead code.
function toolfk0_0x32d0(){const _0x3bbec2=['toString','117834ngWBQW','425511tUIIta','bind','apply','3hGjcGO','log','30IpJIXE','本工具由\x20wwBw.jsjiami.cAom\x20提供接口。专注JS安全领域近10年,企业化运营,专业的JS加密研发团队。','warn','20vlCvIB','1022697VpKmbG','4033827JRtqjM','113586bEjYjG','length','3589336pHNyCL','(((.+)+)+)+$','12pKQVdE','table','search','error','info','{}.constructor(\x22return\x20this\x22)(\x20)','11482262SDednJ','prototype','match','searchAB','console','8lToHKa','replaceAll'];toolfk0_0x32d0=function(){return _0x3bbec2;};return toolfk0_0x32d0();}function toolfk0_0x5a72(_0x2e2be1,_0x43c1ea){const _0x5c8242=toolfk0_0x32d0();return toolfk0_0x5a72=function(_0x32ad28,_0x173913){_0x32ad28=_0x32ad28-0x1dc;let _0x210fec=_0x5c8242[_0x32ad28];return _0x210fec;},toolfk0_0x5a72(_0x2e2be1,_0x43c1ea);}(function(_0x5ca880,_0x30f18c){const _0x2178e8=toolfk0_0x5a72,_0x117c22=_0x5ca880();while(!![]){try{const _0x3f63fa=parseInt(_0x2178e8(0x1dc))/0x1*(-parseInt(_0x2178e8(0x1f6))/0x2)+-parseInt(_0x2178e8(0x1f7))/0x3*(-parseInt(_0x2178e8(0x1f3))/0x4)+parseInt(_0x2178e8(0x1e1))/0x5*(-parseInt(_0x2178e8(0x1e4))/0x6)+parseInt(_0x2178e8(0x1e3))/0x7+parseInt(_0x2178e8(0x1e6))/0x8+parseInt(_0x2178e8(0x1e2))/0x9*(parseInt(_0x2178e8(0x1de))/0xa)+parseInt(_0x2178e8(0x1ee))/0xb*(-parseInt(_0x2178e8(0x1e8))/0xc);if(_0x3f63fa===_0x30f18c)break;else _0x117c22['push'](_0x117c22['shift']());}catch(_0x3bd4d2){_0x117c22['push'](_0x117c22['shift']());}}}(toolfk0_0x32d0,0x563a0),(function(){const _0x2e860a=toolfk0_0x5a72,_0x574fae=(function(){let _0x5ad1ec=!![];return function(_0x45cf64,_0x52ec9b){const _0x59bd47=_0x5ad1ec?function(){const _0x55f4cb=toolfk0_0x5a72;if(_0x52ec9b){const _0x49c7fc=_0x52ec9b[_0x55f4cb(0x1f9)](_0x45cf64,arguments);return _0x52ec9b=null,_0x49c7fc;}}:function(){};return _0x5ad1ec=![],_0x59bd47;};}()),_0x404242=_0x574fae(this,function(){const _0x160a3a=toolfk0_0x5a72;return 
_0x404242[_0x160a3a(0x1f5)]()[_0x160a3a(0x1ea)](_0x160a3a(0x1e7))['toString']()['constructor'](_0x404242)[_0x160a3a(0x1ea)](_0x160a3a(0x1e7));});_0x404242();const _0x51a3ef=(function(){let _0x2131d3=!![];return function(_0x544121,_0x560f33){const _0x11bae6=_0x2131d3?function(){if(_0x560f33){const _0x27215c=_0x560f33['apply'](_0x544121,arguments);return _0x560f33=null,_0x27215c;}}:function(){};return _0x2131d3=![],_0x11bae6;};}()),_0x498218=_0x51a3ef(this,function(){const _0xdd05ea=toolfk0_0x5a72;let _0x4d0db2;try{const _0x52c2c6=Function('return\x20(function()\x20'+_0xdd05ea(0x1ed)+');');_0x4d0db2=_0x52c2c6();}catch(_0x486dd0){_0x4d0db2=window;}const _0x6303a1=_0x4d0db2[_0xdd05ea(0x1f2)]=_0x4d0db2[_0xdd05ea(0x1f2)]||{},_0x3d73a9=[_0xdd05ea(0x1dd),_0xdd05ea(0x1e0),_0xdd05ea(0x1ec),_0xdd05ea(0x1eb),'exception',_0xdd05ea(0x1e9),'trace'];for(let _0xea864b=0x0;_0xea864b<_0x3d73a9[_0xdd05ea(0x1e5)];_0xea864b++){const _0x144049=_0x51a3ef['constructor']['prototype'][_0xdd05ea(0x1f8)](_0x51a3ef),_0x132f4e=_0x3d73a9[_0xea864b],_0x3059c6=_0x6303a1[_0x132f4e]||_0x144049;_0x144049['__proto__']=_0x51a3ef['bind'](_0x51a3ef),_0x144049['toString']=_0x3059c6[_0xdd05ea(0x1f5)][_0xdd05ea(0x1f8)](_0x3059c6),_0x6303a1[_0x132f4e]=_0x144049;}});_0x498218(),String[_0x2e860a(0x1ef)][_0x2e860a(0x1f1)]=function(){const _0x3efbd7=_0x2e860a;return this[_0x3efbd7(0x1f0)](/[^A|B]/g);};const _0x3f04b3=_0x2e860a(0x1df)[_0x2e860a(0x1f1)]()['toString']()[_0x2e860a(0x1f4)](',','');alert(_0x3f04b3),console[_0x2e860a(0x1dd)](_0x3f04b3);}()));
6.格式化一下
// String table of the obfuscated program. Every string literal of the original
// snippet (method names, the regex, the message) lives here and is fetched by
// index through toolfk0_0x5a72(). The entries that start with a number
// ('117834ngWBQW', '3hGjcGO', ...) are fed to parseInt() by the rotation loop
// further down and only serve its checksum. On the first call the function
// replaces itself with a closure that returns the same array object, so every
// caller (and the in-place rotation) shares one table.
// Note: the message entry has ',' where the section-4 original had '\n'.
function toolfk0_0x32d0() {
const _0x3bbec2 = ['toString', '117834ngWBQW', '425511tUIIta', 'bind', 'apply', '3hGjcGO', 'log', '30IpJIXE', '本工具由\x20wwBw.jsjiami.cAom\x20提供接口。专注JS安全领域近10年,企业化运营,专业的JS加密研发团队。', 'warn', '20vlCvIB', '1022697VpKmbG', '4033827JRtqjM', '113586bEjYjG', 'length', '3589336pHNyCL', '(((.+)+)+)+$', '12pKQVdE', 'table', 'search', 'error', 'info', '{}.constructor(\x22return\x20this\x22)(\x20)', '11482262SDednJ', 'prototype', 'match', 'searchAB', 'console', '8lToHKa', 'replaceAll'];
// Self-replacement: later calls skip the array literal entirely.
toolfk0_0x32d0 = function () {
return _0x3bbec2;
};
return toolfk0_0x32d0();
}
// String lookup: maps a code in the range 0x1dc..0x1f9 to a position in the
// shared table (code - 0x1dc). Because toolfk0_0x32d0() hands back the same
// array object that the rotation loop mutates with push(shift()), lookups see
// the rotated order. The second parameter (_0x43c1ea / _0x173913) is never
// read; it is a decoy. Like the table getter, the function replaces itself on
// first use so the table is fetched only once.
function toolfk0_0x5a72(_0x2e2be1, _0x43c1ea) {
const _0x5c8242 = toolfk0_0x32d0();
return toolfk0_0x5a72 = function (_0x32ad28, _0x173913) {
// Rebase the code onto the array index.
_0x32ad28 = _0x32ad28 - 0x1dc;
let _0x210fec = _0x5c8242[_0x32ad28];
return _0x210fec;
}, toolfk0_0x5a72(_0x2e2be1, _0x43c1ea);
}
// Table rotation, run before the payload IIFE. Rotates the shared string
// table in place with push(shift()) until a checksum built from parseInt() of
// twelve of its entries equals the second argument, 0x563a0 (353184). With the
// table above that value is reached after 5 rotations, so from then on a
// lookup code c resolves to original entry (c - 0x1dc + 5) mod 30; the
// comments on the lookups below use that mapping. A tampered table never
// matches and this loop never terminates (the catch branch rotates as well).
(function (_0x5ca880, _0x30f18c) {
const _0x2178e8 = toolfk0_0x5a72, _0x117c22 = _0x5ca880();
while (!![]) {
try {
const _0x3f63fa = parseInt(_0x2178e8(0x1dc)) / 0x1 * (-parseInt(_0x2178e8(0x1f6)) / 0x2) + -parseInt(_0x2178e8(0x1f7)) / 0x3 * (-parseInt(_0x2178e8(0x1f3)) / 0x4) + parseInt(_0x2178e8(0x1e1)) / 0x5 * (-parseInt(_0x2178e8(0x1e4)) / 0x6) + parseInt(_0x2178e8(0x1e3)) / 0x7 + parseInt(_0x2178e8(0x1e6)) / 0x8 + parseInt(_0x2178e8(0x1e2)) / 0x9 * (parseInt(_0x2178e8(0x1de)) / 0xa) + parseInt(_0x2178e8(0x1ee)) / 0xb * (-parseInt(_0x2178e8(0x1e8)) / 0xc);
if (_0x3f63fa === _0x30f18c) break; else _0x117c22['push'](_0x117c22['shift']());
} catch (_0x3bd4d2) {
_0x117c22['push'](_0x117c22['shift']());
}
}
// Payload IIFE: self-check, console silencing, then the original snippet.
}(toolfk0_0x32d0, 0x563a0), (function () {
// _0x574fae: factory for run-once wrappers. The first wrapper it hands out
// applies its callback with the captured `this` and the call's arguments
// (0x1f9 = 'apply') and then drops the callback; every later wrapper is an
// empty function.
const _0x2e860a = toolfk0_0x5a72, _0x574fae = (function () {
let _0x5ad1ec = !![];
return function (_0x45cf64, _0x52ec9b) {
const _0x59bd47 = _0x5ad1ec ? function () {
const _0x55f4cb = toolfk0_0x5a72;
if (_0x52ec9b) {
const _0x49c7fc = _0x52ec9b[_0x55f4cb(0x1f9)](_0x45cf64, arguments);
return _0x52ec9b = null, _0x49c7fc;
}
} : function () {
};
return _0x5ad1ec = ![], _0x59bd47;
};
}()), _0x404242 = _0x574fae(this, function () {
// Anti-formatting self-check: 0x1f5 = 'toString', 0x1ea = 'search',
// 0x1e7 = '(((.+)+)+)+$'. The function's own source text is searched with
// that regex twice (the second time via String(_0x404242)). '.' does not
// match a line terminator and the nested quantifiers backtrack exponentially
// as soon as the source contains a line break, so the pretty-printed version
// never gets past this line in practice -- the hang described in section 7.
// The single-line minified version returns almost immediately.
const _0x160a3a = toolfk0_0x5a72;
return _0x404242[_0x160a3a(0x1f5)]()[_0x160a3a(0x1ea)](_0x160a3a(0x1e7))['toString']()['constructor'](_0x404242)[_0x160a3a(0x1ea)](_0x160a3a(0x1e7));
});
_0x404242();
// _0x51a3ef: a second run-once factory, identical in behaviour to _0x574fae.
const _0x51a3ef = (function () {
let _0x2131d3 = !![];
return function (_0x544121, _0x560f33) {
const _0x11bae6 = _0x2131d3 ? function () {
if (_0x560f33) {
const _0x27215c = _0x560f33['apply'](_0x544121, arguments);
return _0x560f33 = null, _0x27215c;
}
} : function () {
};
return _0x2131d3 = ![], _0x11bae6;
};
}()), _0x498218 = _0x51a3ef(this, function () {
// Console silencing. Resolves the global object by evaluating
// Function('return (function() {}.constructor("return this")( ));')
// (0x1ed is the inner source text), falling back to `window`, and then
// overwrites console.log/warn/info/error/exception/table/trace
// (0x1dd/0x1e0/0x1ec/0x1eb/0x1e9 = 'log'/'warn'/'info'/'error'/'table',
// 0x1f2 = 'console', 0x1e5 = 'length') with no-op functions.
const _0xdd05ea = toolfk0_0x5a72;
let _0x4d0db2;
try {
const _0x52c2c6 = Function('return\x20(function()\x20' + _0xdd05ea(0x1ed) + ');');
_0x4d0db2 = _0x52c2c6();
} catch (_0x486dd0) {
_0x4d0db2 = window;
}
// Create the console object if the host has none, then list the methods to
// replace.
const _0x6303a1 = _0x4d0db2[_0xdd05ea(0x1f2)] = _0x4d0db2[_0xdd05ea(0x1f2)] || {},
_0x3d73a9 = [_0xdd05ea(0x1dd), _0xdd05ea(0x1e0), _0xdd05ea(0x1ec), _0xdd05ea(0x1eb), 'exception', _0xdd05ea(0x1e9), 'trace'];
for (let _0xea864b = 0x0; _0xea864b < _0x3d73a9[_0xdd05ea(0x1e5)]; _0xea864b++) {
// 0x1f8 = 'bind': _0x144049 is Function.prototype bound to _0x51a3ef, i.e.
// a function that does nothing and returns undefined. Its toString is
// borrowed from the original method so the replacement still prints as
// native code when inspected.
const _0x144049 = _0x51a3ef['constructor']['prototype'][_0xdd05ea(0x1f8)](_0x51a3ef),
_0x132f4e = _0x3d73a9[_0xea864b], _0x3059c6 = _0x6303a1[_0x132f4e] || _0x144049;
_0x144049['__proto__'] = _0x51a3ef['bind'](_0x51a3ef), _0x144049['toString'] = _0x3059c6[_0xdd05ea(0x1f5)][_0xdd05ea(0x1f8)](_0x3059c6), _0x6303a1[_0x132f4e] = _0x144049;
}
});
// Original snippet from section 4: 0x1ef = 'prototype', 0x1f1 = 'searchAB',
// 0x1f0 = 'match'. _0x498218() runs first, so console output is already
// disabled by the time the payload executes.
_0x498218(), String[_0x2e860a(0x1ef)][_0x2e860a(0x1f1)] = function () {
const _0x3efbd7 = _0x2e860a;
return this[_0x3efbd7(0x1f0)](/[^A|B]/g);
};
// 0x1df = the message string, 0x1f4 = 'replaceAll'. The table copy of the
// message uses ',' where the original had '\n', and replaceAll(',', '')
// removes both those and the array separators inserted by toString().
const _0x3f04b3 = _0x2e860a(0x1df)[_0x2e860a(0x1f1)]()['toString']()[_0x2e860a(0x1f4)](',', '');
// 0x1dd = 'log'; console.log was replaced above, so only the alert is visible.
alert(_0x3f04b3), console[_0x2e860a(0x1dd)](_0x3f04b3);
}()));
7.加密后分析
可以看到,代码量加密后变得十分庞大,并且变量名也经过了混淆,我们先来看一下加密后的代码是否还能正常运行,F12打开浏览器控制台,将加密后的js代码复制粘贴到控制台运行一下,试试是否能成功运行。
实验发现,格式化后的加密代码是无法正常执行的,代码卡死,并且电脑风扇也转起来了,说明这个工具默认在里边加入了反格式化的代码。一旦格式化后就卡死,不格式化的话就能正常运行。你们可以自己手动复制运行一下试试。
基本上到这一步就能筛选掉很多js基本功差的人了。解决方案就是找到反格式化的地方,改一下判断逻辑就好了。
所以到这里我给toolfk的评价是7分,综合来说还是比较有用的,能防住一部分图谋不轨的人,但性能下降比较多。
sojson.v6
sojson.com