同盾环境分析与补环境
同盾环境分析与补环境
看此文章之前可先了解前两篇文章:
同盾BlackBox逆向分析:http://1997.pro/archives/1706068432055
同盾AST思路与插件:http://1997.pro/archives/1706077758696
环境分析(第一套i,j,k,l,o)
// The fingerprints below are not complete; parts of each value were cut out at random.
// Each field (i, j, k, l, o) is one string of collected values joined with "^^".
// The final segment of each string appears to be the base-32 loop start time — TODO confirm.
data = {
"i": "919^^-^^20^^1040^^-^^1^^6470a21d4c329f0ab99b6025df4bff39^^4746e7f5fbc70ef2ccd365c366a|b0f2202fcf72f424ca4fc6db815df^^Webkit-Chrome^^-^^-^^-^^0_Windows_Not_A 8_Chro0_Google Chrome_120^^1hkvqq1g2",
"j": "-^^-^^zh-CN^^0^^^-^^919^^1^^1920^^Mozilla^^1080^^-^^Google Inc. (Intel)-&-ANGLE (Intel, Intel(R) UHD Graphics irect3D11 vs_5_0 ps_5_0, D3D11)^^functiongetoffsetHeight(){[nativecode]}^^-^^-^^-^^-^^12536^^-^^1hk",
"k": "63e9e0254e8ec24|0110010001111111101111011011110001111111111011111^^Netscape^^920^^1040^^Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/53ke Gecko) Chrom0.0.0 Safari/537.36^^0a386f39b15d2eac07d^^zh-CN,zh^^-^^48000_2_1_0_2_explicit_speakers^^-^^0^^functiongetParameter(){[nativecode]}^^-^^-^^UTF-8^^-^^1872_8_0_0^^qq1ir",
"l": "Win32^^6ef4aad14d663a1e981^^1920^^0^724534^^-^^480^^https%3A%2F%2Fwww.juneyaoae^^1706170320246^^1914^^M0FlrCpOOP1qUZnHF8ny0SwYqBdNcgdRQPlC4QI\sw4aIMPbfm8g352BUHRXIJuHP7lGPsrHOFUPJEgPiGaSnIP9lKFsGTi8wIetQgFt2DlUjC2^^[object Window]^^functioncreatlyser(){[nativecode]}^^-^^-^^-^^-^^-^^1hkvqq1jp",
"o": "functiontoStrnativecode]}^^33^^HyFpfpf0-1706170320513-f01a12b88ddb8941325680^^[objectPluginArray]^^8^^1unctionenumerateDevices(){[nativecode]}^^20^^functiontoDataURL(){[nativecode]}^^-^^functionRTCPion(){[nativecode]}^^Failed to construct 'WebSocket': The URL 'itsgonnafail' is invalid.^^-^^-^^-^^a04ec137d669da06e6a^^-^^1f2d82cb673277e484582d66e4^^-^^1hkvqq1k0",
}
通过分析,只需要在这里断点即可分析检测的环境,拿到最终的数组即可,后面的大switch case只是对这个数组进行拼接,不需要过多分析switch case循环。
每次开始循环的时间,用来时间检测,最后会放到字符串最后
// Current time in milliseconds, rendered in base 32 via toString(32).
var OOQO0o = new window["Date"]()["getTime"]()["toString"](32); // "1hla8pb5u"
i分析
// A probe whose result is undefined is recorded as "-".
// When an entry does not go through QOQOoO[QQQOo["x"]](QQQOo), the checks on QQQOo, QQQOo["z"] and QQQOo["w"] return early if something is present. TODO: these are async tasks; async tasks do not take part in the encryption computation.
[
918, // document.body.clientHeight
"-", // navigator.appMinorVersion (undefined here)
20, // navigator.hardwareConcurrency
1040, // window.outerHeight
"-", // navigator.oscpu
1, // window.devicePixelRatio
"6470a21d4c329f0ab99b6025df4bff39", // canvas
"4746e7f5fbc70ef2ccd365c30c93f66a|b0f2202fc3f0f72f424ca4fc6db815df", // related to canvas and two fixed values
"Webkit-Chrome", // probes various members of window, document and navigator, then concatenates the verdicts
"-", // checks something in QQQOo and returns early if present
"-", // checks something in QQQOo and returns early if present
"-", // checks something in QQQOo and returns early if present
"0_Windows_Not_A Brand_8_Chromium_120_Google Chrome_120" // Qo0oOo["userAgentDataStr"] || ""
]
j分析
[
"-", // navigator.userLanguage
"-", // navigator.doNotTrack
"zh-CN", // navigator.language
// stepping into QQQOo["y"](QQQOo["p"]) leads to the complex checks
0, // typeof window["screenLeft"] === "number" ? window["screenLeft"] : window["screenX"]
1920, // window.innerWidth
"-",
918, // window.innerHeight
"1", // navigator.cookieEnabled (true), mapped to "1" by a function
1920, // window.screen.width
"Mozilla",// navigator.appCodeName
1080, // window.screen.height
"-", // navigator.browserLanguage
// stepping into QQQOo["y"](QQQOo["p"]) leads to the complex checks
"Google Inc. (Intel)-&-ANGLE (Intel, Intel(R) UHD Graphics 770 (0x00004680) Direct3D11 vs_5_0 ps_5_0, D3D11)", // WebGL vendor and renderer; shown separately below
"functiongetoffsetHeight(){[nativecode]}", // source-text check of a built-in function
"-", // an empty array was returned; a function turns it into "-"
"-", // QQQOo["w"] return
"-", // QQQOo["w"] return
"-", // QQQOo["w"] return
12536, // see below: unbounded recursion until RangeError: Maximum call stack size exceeded
"-" // QQQOo["z"] return
]
// a[12]: WebGL vendor/renderer label.
/**
 * Builds a label from the unmasked WebGL vendor and renderer strings.
 * The two values are combined through the external helper O0QOOo with
 * "-&-" in between. When _fmOpt["resetTime"] is truthy the context is
 * released afterwards, and a failure of that release is ignored.
 *
 * @returns {*} the combined label, or "-" if any step throws
 *   (for example when no WebGL context or extension is available).
 */
function oQ0OQO() {
  try {
    const gl = document["createElement"]("canvas")["getContext"]("webgl");
    const debugInfo = gl["getExtension"]("WEBGL_debug_renderer_info");
    const vendorPart = O0QOOo(gl["getParameter"](debugInfo["UNMASKED_VENDOR_WEBGL"]), "-&-");
    const label = O0QOOo(vendorPart, gl["getParameter"](debugInfo["UNMASKED_RENDERER_WEBGL"]));
    if (_fmOpt["resetTime"]) {
      try {
        gl["getExtension"]("WEBGL_lose_context")["loseContext"]();
      } catch (ignored) {
        // Releasing the context is best effort.
      }
    }
    // Sample from the author's machine:
    // Google Inc. (Intel)-&-ANGLE (Intel, Intel(R) UHD Graphics 770 (0x00004680) Direct3D11 vs_5_0 ps_5_0, D3D11)
    return label;
  } catch (err) {
    return "-";
  }
}
// a[13]: source text of the getter behind HTMLElement.prototype.offsetHeight.
// A getter that is still native stringifies to the "[native code]" form seen in the sample
// ("functiongetoffsetHeight(){[nativecode]}"), so this value shows whether it was replaced by script.
QQoQ0 = Object["getOwnPropertyDescriptor"](HTMLElement["prototype"], "offsetHeight")["get"]["toString"]()
QQoQ0 = QQoQ0 || "";
// All whitespace is removed and only the first 60 characters are kept.
QQoQ0["replace"](/\s+/g, "")["slice"](0, 60)
// a[14]: returned an empty array in the author's run.
/**
 * Collects the indexes of the entries in the external list oO00o0 for which
 * the external helper ooQoQO(entry, 1) is truthy.
 *
 * @returns {number[]} the matching indexes, in ascending order.
 */
function o00QoQ() {
  const hits = [];
  const total = oO00o0["length"];
  let index = 0;
  while (ooO0OQ(index, total)) {
    if (ooQoQO(oO00o0[index], 1)) {
      hits["push"](index);
    }
    index++;
  }
  return hits;
}
// a[18]: call-stack depth probe.
// Counts how many nested calls succeed before the engine throws, and returns that count.
// The value is not constant: the samples on this page show 12536 and 12539.
function OO0QoQ() {
var Q000oQ = 0;
function OoQOQO() {
Q000oQ++,
OoQOQO(); // TODO: recursion with no exit; it runs until RangeError: Maximum call stack size exceeded is thrown and the catch below takes over
}
try {
OoQOQO();
} catch (oQOQQo) {
// Normal exit: the depth reached, or "-" if the counter is still 0.
return Q000oQ || "-";
}
return Q000oQ || "-";
}
k分析
[
"63e9e04dc73e254e8ec26ccfae604c64|01100100011111111011111011011111011111011011110001111111111011111",
"Netscape", // navigator.appName
"11110", // document["createElement"]("td_ua")
1920, // window.outerWidth
1040, // window.screen.availHeight
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", // navigator.userAgent
// navigator.appVersion == '5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
"0a386f39b15d28bc1dee2ad2a0eac07d", // hash128 of the value above
"zh-CN,zh", // navigator.languages
"-", // navigator.cpuClass
"48000_2_1_0_2_explicit_speakers", // a[9] AudioContext
"-", // QQQOo["z"] return
"0", // false in a correct environment; environment check via document["createEvent"]("TouchEvent")
"functiongetParameter(){[nativecode]}", // a[12] OOQoQ["getParameter"]["toString"](); also checks that canvas and webgl can be created
"-", // QQQOo["z"] return
"-", // returns an empty array
"UTF-8", // window["document"]["characterSet"] || window["document"]["charset"] || ""
"-", // QQQOo["w"] return
"1697_8_29_0" // a[17] document["all"] document["scripts"] document["timeline"] document["title"]
]
// a[0]: installed-font probe.
// Measures a hidden <span> in each candidate font and reports
// hash128("[font, font, ...]") + "|" + one 0/1 digit per candidate font.
// Helpers such as O0QOOo, ooQoQO, O0Qo00 and OOQQoO are defined outside this snippet;
// from their use here O0QOOo looks like concatenation and O0Qo00 like "not equal" — TODO confirm.
var a0 = function () {
// Start time; the elapsed time is stored in OooQQ0["durations"]["fl"] on both exit paths.
var Qo0QQ = new window["Date"]()["getTime"]();
var OOQoQ = navigator["userAgent"]["toLocaleLowerCase"]();
var OOoQo = OOQoQ["match"](/(msie) ([\w.]+)/);
QQQOo = 101;
// User agents matching "msie 8.0" skip the probe and report "-" (assuming ooQoQO is an equality test).
if (OOoQo && ooQoQO(OOoQo[2], "8.0")) {
OooQQ0["durations"]["fl"] = Oo0QO0(new window["Date"]()["getTime"](), Qo0QQ);
return "-";
}
// Candidate fonts, tested in this order; the order fixes the position of each 0/1 digit.
var OoOO0 = ["Andale Mono", "Arial", "Arial Black", "Arial Hebrew", "Arial MT", "Arial Narrow", "Arial Rounded MT Bold", "Arial Unicode MS", "Bitstream Vera Sans Mono", "Book Antiqua", "Bookman Old Style", "Calibri", "Cambria", "Cambria Math", "Century", "Century Gothic", "Century Schoolbook", "Comic Sans", "Comic Sans MS", "Consolas", "Courier", "Courier New", "Garamond", "Geneva", "Georgia", "Helvetica", "Helvetica Neue", "Impact", "Lucida Bright", "Lucida Calligraphy", "Lucida Console", "Lucida Fax", "LUCIDA GRANDE", "Lucida Handwriting", "Lucida Sans", "Lucida Sans Typewriter", "Lucida Sans Unicode", "Microsoft Sans Serif", "Monaco", "Monotype Corsiva", "MS Gothic", "MS Outlook", "MS PGothic", "MS Reference Sans Serif", "MS Sans Serif", "MS Serif", "MYRIAD", "MYRIAD PRO", "Palatino", "Palatino Linotype", "Segoe Print", "Segoe Script", "Segoe UI", "Segoe UI Light", "Segoe UI Semibold", "Segoe UI Symbol", "Tahoma", "Times", "Times New Roman", "Times New Roman PS", "Trebuchet MS", "Verdana", "Wingdings", "Wingdings 2", "Wingdings 3"];
// Constructor (called with `new` below) written as a flattened state machine.
// The states run in the order 49 -> 50 -> 51 -> 52 -> 0 (exit).
function Q00o0o() {
var QQQOo = 49;
while (QQQOo) {
switch (QQQOo) {
case 128 + 9 - 87: { // state 50: font size and the <body> element
var QQoQ0 = "72px";
var o000O0 = document["getElementsByTagName"]("body")[0];
QQQOo = 51;
break;
}
case 81 + 20 - 52: { // state 49: the three generic base families and the test string
var OO0O00 = ["monospace", "sans-serif", "serif"];
var Qo0QQ = "mmmmmmmmmmlli";
QQQOo = 50;
break;
}
case 134 + 10 - 93: { // state 51: build the off-screen <span> that gets measured
var O0o0OQ = document["createElement"]("span");
O0o0OQ["style"]["fontSize"] = QQoQ0,
O0o0OQ["style"]["position"] = "absolute",
O0o0OQ["style"]["left"] = "-9999px",
O0o0OQ["style"]["lineHeight"] = "normal",
O0o0OQ["innerHTML"] = Qo0QQ;
QQQOo = 52;
break;
}
case 116 + 6 - 70: { // state 52: record baseline sizes, then expose detect()
var O0QO0O = {}; // base family -> offsetWidth of the test string
var OOo0Q0 = {}; // base family -> offsetHeight of the test string
for (var oQOOo in OO0O00) {
O0o0OQ["style"]["fontFamily"] = OO0O00[oQOOo],
o000O0["appendChild"](O0o0OQ),
O0QO0O[OO0O00[oQOOo]] = O0o0OQ["offsetWidth"],
OOo0Q0[OO0O00[oQOOo]] = O0o0OQ["offsetHeight"],
o000O0["removeChild"](O0o0OQ);
}
// detect(fontName): measures the span with fontFamily built from fontName, "," and a base family,
// and compares the size with that base family's baseline through O0Qo00.
function QO0o0Q(QQQOo) {
var QQoQ0 = false;
for (var OOO0o in OO0O00) {
O0o0OQ["style"]["fontFamily"] = O0QOOo(O0QOOo(QQQOo, ","), OO0O00[OOO0o]),
o000O0["appendChild"](O0o0OQ);
var OooQ0 = O0Qo00(O0o0OQ["offsetWidth"], O0QO0O[OO0O00[OOO0o]]) || O0Qo00(O0o0OQ["offsetHeight"], OOo0Q0[OO0O00[OOO0o]]);
o000O0["removeChild"](O0o0OQ),
QQoQ0 = QQoQ0 || OooQ0;
// NOTE(review): QO0o0Q is this function itself, so the condition is always truthy and the loop
// stops after the first base family; the flag QQoQ0 may have been intended — confirm against the original script.
if (QO0o0Q) {
break;
}
}
return QQoQ0;
}
this["detect"] = QO0o0Q;
QQQOo = 0;
break;
}
}
}
}
QQQOo = 102;
var QQoQ0 = new Q00o0o();
var OOO0o = []; // one 1/0 entry per candidate font
var OooQ0 = []; // names of the fonts reported as present
QQQOo = 103;
for (var OOo00 = 0; ooO0OQ(OOo00, OoOO0["length"]); OOo00++) {
if (QQoQ0["detect"](OoOO0[OOo00])) {
OooQ0["push"](OoOO0[OOo00]),
OOO0o["push"](1);
} else {
OOO0o["push"](0);
}
}
// "[name, name, ...]" is passed to OOQQoO["hash128"], then "|" and the digit string are appended.
var oQOOo = O0QOOo(O0QOOo("[", OooQ0["join"](", ")), "]");
oQOOo = OOQQoO["hash128"](oQOOo),
oQOOo = O0QOOo(O0QOOo(oQOOo, "|"), OOO0o["join"]("")),
OooQQ0["durations"]["fl"] = Oo0QO0(new window["Date"]()["getTime"](), Qo0QQ);
return oQOOo;
}
// a[2]: CSS property support bits.
/**
 * Creates a <td_ua> element and, for each of five CSS property names,
 * appends 1 or 0 to a string depending on the external helper
 * O0Qo00(element.style[name], undefined). The sample on this page is "11110".
 * The assignments to QQQOo (7, 8, 9) write a variable that lives outside
 * this function and are kept in their original positions.
 *
 * @returns {string} one digit per property, in list order.
 */
var a2 = function () {
  const cssProps = ["zoom", "resize", "text-rendering", "text-align-last", "-webkit-hyphens"];
  QQQOo = 7;
  const probe = document["createElement"]("td_ua");
  QQQOo = 8;
  let bits = "";
  QQQOo = 9;
  let index = 0;
  while (ooO0OQ(index, cssProps["length"])) {
    const flagged = O0Qo00(probe["style"][cssProps[index]], undefined);
    bits += flagged ? 1 : 0;
    index++;
  }
  return bits;
};
// a[9]: AudioContext characteristics.
/**
 * Describes the default audio output as
 * sampleRate_maxChannelCount_numberOfInputs_numberOfOutputs_channelCount_channelCountMode_channelInterpretation
 * (sample on this page: "48000_2_1_0_2_explicit_speakers"). The pieces are
 * joined through the external helper O0QOOo.
 *
 * iPhone user agents are filtered first by OS version through the external
 * helpers o0O00Q and ooQoQO; for the matching versions the probe is skipped.
 *
 * @returns {*} the joined description, or "-" when skipped or when anything throws.
 */
var a9 = function () {
  try {
    const root = window;
    const iosMatch = navigator["userAgent"]["toUpperCase"]()["match"](/CPU IPHONE OS (.*?) LIKE MAC OS(.*) APPLEWEBKIT/);
    if (iosMatch && iosMatch[1]) {
      const versionParts = iosMatch[1]["split"]("_");
      const skipProbe =
        o0O00Q(Number(versionParts[0]), 15) ||
        (ooQoQO(Number(versionParts[0]), 14) && o0O00Q(Number(versionParts[1]), 6));
      if (skipProbe) {
        return "-";
      }
    }
    let audioCtx = void 0;
    if (oOoOQo(navigator["userAgent"]["indexOf"]("Alipay"), -1)) {
      audioCtx = AudioContext();
    } else {
      // This is the branch taken in the author's run.
      audioCtx = new (root["AudioContext"] || root["webkitAudioContext"])();
    }
    const destination = audioCtx["destination"];
    const fieldNames = [
      "maxChannelCount",
      "numberOfInputs",
      "numberOfOutputs",
      "channelCount",
      "channelCountMode",
      "channelInterpretation",
    ];
    let description = audioCtx["sampleRate"]["toString"]();
    for (const fieldName of fieldNames) {
      // Separator first, then the property value, as in the original nesting.
      description = O0QOOo(O0QOOo(description, "_"), destination[fieldName]);
    }
    return description;
  } catch (err) {
    return "-";
  }
};
// a[11]: TouchEvent availability.
/**
 * Reports whether document.createEvent("TouchEvent") succeeds.
 * Any exception, including a missing `document`, counts as "not available".
 * The author notes that a correct environment for the sampled browser returns false.
 *
 * @returns {boolean} true when the call completes without throwing.
 */
var a11 = function () {
  try {
    document["createEvent"]("TouchEvent");
  } catch (_) {
    return false;
  }
  return true;
};
// a[12]: source text of the WebGL getParameter method.
/**
 * Creates a canvas, obtains a "webgl" (or "experimental-webgl") context and
 * stringifies its getParameter method. Whitespace is removed and the first
 * 60 characters are returned; the sample on this page is
 * "functiongetParameter(){[nativecode]}".
 *
 * QQoQ0 is assigned without a declaration, as in the original, so it is a
 * variable outside this function. When _fmOpt["resetTime"] is truthy the
 * context is released; a failure of that release is ignored.
 *
 * @returns {string} the normalised source text.
 */
var a12 = function () {
  const canvas = document["createElement"]("canvas");
  const gl = canvas["getContext"]("webgl") || canvas["getContext"]("experimental-webgl");
  // TODO (author): QQoQ0 is the value that gets checked.
  QQoQ0 = gl["getParameter"]["toString"]();
  if (_fmOpt["resetTime"]) {
    try {
      gl["getExtension"]("WEBGL_lose_context")["loseContext"]();
    } catch (ignored) {
      // Releasing the context is best effort.
    }
  }
  QQoQ0 = QQoQ0 || "";
  return QQoQ0["replace"](/\s+/g, "")["slice"](0, 60);
};
// a[17]: document shape summary.
/**
 * Joins four document-derived values with "_" through the external helper O0QOOo:
 * document.all.length, document.scripts.length, the result of
 * parseInt(QoOOOO(document.timeline.currentTime, 1000)), and a 0/1 flag derived
 * from document.title through the external helper O0Qo00.
 * A missing or falsy source value contributes an empty string.
 * Samples on this page: "1697_8_29_0", "1872_8_0_0".
 *
 * @returns {*} the joined summary.
 */
var a17 = function () {
  let allCount = "";
  if ("all" in document && document["all"]["length"]) {
    allCount = document["all"]["length"];
  }

  let scriptCount = "";
  if (document["scripts"]) {
    scriptCount = document["scripts"]["length"];
  }

  let timelineValue = "";
  if (document["timeline"] && document["timeline"]["currentTime"]) {
    timelineValue = parseInt(QoOOOO(document["timeline"]["currentTime"], 1000));
  }

  let titleFlag = 1;
  if (document["title"] && O0Qo00(document["title"], "title")) {
    titleFlag = 0;
  }

  let summary = allCount;
  for (const piece of [scriptCount, timelineValue, titleFlag]) {
    summary = O0QOOo(O0QOOo(summary, "_"), piece);
  }
  return summary;
};
l分析
[
"Win32", // navigator.platform
"6ef4a53a32a3086171ad14d663a1e981", // a[1] navigator.plugins
1920, // window.screen.availWidth
"0", // navigator.maxTouchPoints a[3]
0, // ooQoQO(typeof Q0OOQo["screenTop"], "number") ? Q0OOQo["screenTop"] : Q0OOQo["screenY"]
"-", // navigator.systemLanguage
"724534", // a[6]
"-",
480, // a[8]
"https%3A%2F%2Fwww.juneyaoair.com%2Fhome", // window.location
"1706520043118", // TODO OooQQ0["jsDownloadedTime"]
1914, // TODO document.body.clientWidth
"uR19HptGmGPvdCgHVH0TkNo0dn1DP/MfEYBL1tve7wg=", // a[12] TODO: still to be examined; the length differs
"[object Window]", // checks window["toString"]()
"functioncreateAnalyser(){[nativecode]}", // a[14]
"-", // QQQOo["w"] return
"-", // QQQOo["w"] return
"-", // a[17] TODO
"-", // QQQOo["w"] return
"-" // QQQOo["z"] return
]
// a[1]: navigator.plugins summary.
/**
 * Builds one entry per plugin from name, an optional description, filename
 * and length (combined through the external helper O0QOOo), sorts the
 * entries, joins them with commas and strips all whitespace. The plugin count
 * and a comma are put in front when O0Qo00(count, 0) is truthy.
 * The description is included only when
 * ooO0OQ(description.indexOf("Shockwave Flash"), 0) is truthy.
 *
 * @returns {*} the summary, or "-" when O0Qo00(count, 0) is falsy.
 */
var a1 = function () {
  const entries = [];
  const nav = window["navigator"];
  const pluginCount = nav["plugins"]["length"];
  let index = 0;
  while (ooO0OQ(index, pluginCount)) {
    const plugin = nav["plugins"][index];
    let description = "";
    if (ooO0OQ(plugin["description"]["indexOf"]("Shockwave Flash"), 0)) {
      description = plugin["description"];
    }
    const withDescription = O0QOOo(plugin["name"], description);
    const withFilename = O0QOOo(withDescription, plugin["filename"]);
    entries["push"](O0QOOo(withFilename, plugin["length"]));
    index++;
  }
  entries["sort"]();

  let summary = entries["join"]();
  summary = !summary ? "-" : summary["replace"](/\s/g, "");
  if (O0Qo00(nav["plugins"]["length"], 0)) {
    return O0QOOo(O0QOOo(nav["plugins"]["length"], ","), summary);
  }
  return "-";
};
// a[3]: touch point count.
/**
 * Returns navigator.maxTouchPoints, falling back to
 * navigator.msMaxTouchPoints and then to 0. Each property is used when the
 * external helper O0Qo00(typeof property, "undefined") is truthy.
 *
 * @returns {*} the first available touch point count, or 0.
 */
var a3 = function () {
  if (O0Qo00(typeof navigator["maxTouchPoints"], "undefined")) {
    return navigator["maxTouchPoints"];
  }
  if (O0Qo00(typeof navigator["msMaxTouchPoints"], "undefined")) {
    return navigator["msMaxTouchPoints"];
  }
  return 0;
};
// a[6]: length of the calling function's source text (sample on this page: "724534").
// The value changes when the script text is altered, for example by re-formatting it,
// which is why the author calls this a code-formatting check.
// arguments.callee is only available in non-strict code.
// Flattened state machine; the states run in the order 31 -> 32 -> 33 -> 34.
var a6 = function () {
var QQQOo = 31;
while (QQQOo) {
switch (QQQOo) {
case 99 + 5 - 72: { // state 32: read the source text two more levels up, when that caller exists
if (OOO0o["caller"] && OOO0o["caller"]["caller"]) {
OooQ0 = OOO0o["caller"]["caller"]["toString"]() || "";
}
// Matches source of the form "(function ...)".
var QQoQ0 = /^\((function.+)\)$/["exec"](OooQ0) || [];
QQQOo = 33;
break;
}
case 80 + 9 - 58: { // state 31: start from the caller of this function's caller
var OOO0o = arguments["callee"]["caller"]["caller"];
var OooQ0 = "";
QQQOo = 32;
break;
}
case 59 + 15 - 40: { // state 34: optional side computation, then the return value
var Qo0QQ = OQQ0O0();
// Q0QQO0 is written outside this function; OQQ0O0, oOoOQo and QOQoOQ are external helpers.
if (!Qo0QQ || oOoOQo(Qo0QQ, 8)) {
try {
Q0QQO0 = QOQoOQ(OooQ0);
} catch (oQOQQo) {
}
}
// Result: number of characters in the source text of the function that called this one.
return arguments["callee"]["caller"]["toString"]()["length"];
}
case 113 + 17 - 97: { // state 33: normalise the captured source text
var OOQoQ = /^function\s*\(\)\s*(.+)$/["exec"](OooQ0) || [];
if (QQoQ0[1]) {
OooQ0 = QQoQ0[1];
} else if (OOQoQ[1]) {
OooQ0 = O0QOOo("function()", OOQoQ[1]);
}
QQQOo = 34;
break;
}
}
}
}();
// a[8]: time zone offset.
/**
 * Takes the current date, moves it to the 1st of June and then to the 1st of
 * December, and returns the smaller of the two negated getTimezoneOffset()
 * values in minutes. The sample on this page is 480.
 * The function is invoked immediately, so a8 holds the number.
 */
var a8 = function () {
  const probe = new window["Date"]();
  probe["setDate"](1);
  probe["setMonth"](5);
  const juneOffset = -probe["getTimezoneOffset"]();
  probe["setMonth"](11);
  const decemberOffset = -probe["getTimezoneOffset"]();
  return window["Math"]["min"](juneOffset, decemberOffset);
}();
// a[12]: the "_xid" identifier.
// Reads "_xid" from the external store QQOoOO; when nothing is stored, a new value is generated
// and saved. The generator uses Math.random, so the identifier is created entirely on the client.
// The next line is the author's scaffolding so that `window` resolves outside a browser.
window = globalThis;
var a12 = function () {
// Local copies of three helpers: less-than, multiply, subtract.
function ooO0OQ(QQQOo, QQoQ0) {
return QQQOo < QQoQ0;
}
function oOQOOo(QQQOo, QQoQ0) {
return QQQOo * QQoQ0;
}
function Oo0QO0(QQQOo, QQoQ0) {
return QQQOo - QQoQ0;
}
// Generator, written as a flattened state machine; the states run in the order 79 -> 80 -> 81 -> 82.
function OooOOQ() {
var QQQOo = 79;
while (QQQOo) {
switch (QQQOo) {
case 122 + 12 - 53: { // state 81: append 127 characters picked at random from the alphabet
for (var QQoQ0 = 0, OOO0o = OOQoQ["length"]; ooO0OQ(QQoQ0, 127); QQoQ0++) {
OooQ0 += OOQoQ["charAt"](window["Math"]["floor"](oOQOOo(window["Math"]["random"](), OOO0o)));
}
QQQOo = 82;
break;
}
case 164 + 8 - 92: { // state 80: start with an empty string
var OooQ0 = "";
QQQOo = 81;
break;
}
case 158 + 15 - 91: { // state 82: insert one backslash at a random index below alphabet length - 1
var Qo0QQ = OooQ0["split"]("");
Qo0QQ["splice"](window["Math"]["floor"](oOQOOo(window["Math"]["random"](), Oo0QO0(OOQoQ["length"], 1))), 0, "\\");
return Qo0QQ["join"]("");
}
case 130 + 12 - 63: { // state 79: the 62-character alphabet
var OOQoQ = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
QQQOo = 80;
break;
}
}
}
}
var QQQOo = "_xid"; // TODO: assign a value to _xid
var QQoQ0 = QQOoOO["get"](QQQOo);
if (!QQoQ0) {
QQoQ0 = OooOOQ(),
QQOoOO["set"](QQQOo, QQoQ0);
}
return QQoQ0; // TODO: the returned value is then passed through the function oO0OoO
}();
// a[14]: source text of OfflineAudioContext.createAnalyser.
/**
 * Constructs an OfflineAudioContext (or the webkit-prefixed one) with the
 * arguments (1, 44100, 44100) and stringifies its createAnalyser method.
 * Whitespace is removed and the first 60 characters are kept; the sample on
 * this page is "functioncreateAnalyser(){[nativecode]}".
 * QQoQ0 is assigned without a declaration, as in the original.
 * The function is invoked immediately, so a14 holds the string.
 */
var a14 = function () {
  const OfflineCtx = window["OfflineAudioContext"] || window["webkitOfflineAudioContext"];
  const offlineCtx = new OfflineCtx(1, 44100, 44100);
  QQoQ0 = offlineCtx["createAnalyser"]["toString"]();
  QQoQ0 = QQoQ0 || "";
  return QQoQ0["replace"](/\s+/g, "")["slice"](0, 60);
}();
// a[17]: network adapter MAC address through ActiveX.
/**
 * Runs only when OooQQ0["iePrivacy"] is truthy and ActiveXObject is present
 * on window. It then queries WMI (WbemScripting.SWbemLocator) for the
 * IP-enabled network adapter configurations and returns the MACAddress of
 * the enumerator's current item. The sample on this page shows "-" for this slot.
 *
 * @returns {*} the MAC address, or "" when the precondition fails, the
 *   address is falsy, or anything throws.
 */
var a17 = function () {
  const activeXAllowed =
    OooQQ0["iePrivacy"] && (!!window["ActiveXObject"] || "ActiveXObject" in window);
  if (!activeXAllowed) {
    return "";
  }
  try {
    const locator = new ActiveXObject("WbemScripting.SWbemLocator");
    const service = locator["ConnectServer"](".");
    const adapters = service["ExecQuery"]("Select * from Win32_NetworkAdapterConfiguration Where IPEnabled =True");
    const cursor = new Enumerator(adapters);
    const adapter = cursor["item"]();
    // The original reads the property once before using it; the extra read is kept.
    adapter["MACAddress"];
    return adapter["MACAddress"] || "";
  } catch (err) {
    return "";
  }
};
o分析
// This one is not annotated in as much detail.
[
"functiontoString(){[nativecode]}", // navigator["toString"]["toString"]()
33, // eval["toString"]()["length"]
"7LcSEbXN-1706520085316-2c8d2bf1655a71364294707", // a[2] clientIdKey
"[objectPluginArray]", // navigator["plugins"]["toString"]();
8, // navigator.deviceMemory
"1", // var OooQ0 = document["createElement"]("canvas"); QQoQ0 = OooQ0["toDataURL"] && OooQ0["toDataURL"]() ? "1" : "0"
8, // navigator.deviceMemory
20, // navigator.hardwareConcurrency
"functionenumerateDevices(){[nativecode]}", // navigator["mediaDevices"] && navigator["mediaDevices"]["enumerateDevices"]["toString"]()
20, // navigator.hardwareConcurrency
"functiontoDataURL(){[nativecode]}", // var OOO0o = document["createElement"]("canvas"); QQoQ0 = OOO0o["toDataURL"]["toString"]();
"-", // QQQOo["z"] return
"functionRTCPeerConnection(){[nativecode]}", // window["RTCPeerConnection"] && window["RTCPeerConnection"]["toString"]();
"Failed to construct 'WebSocket': The URL 'itsgonnafail' is invalid.", // a[13] new WebSocket("itsgonnafail")
"-", // probes a number of environment members; ends up returning ""
"-", // QQQOo["z"] return
"-", // QQQOo["z"] return
"a04ec18b0f453ba491237d669da06e6a", // TODO a[18]: code-formatting check; search for Q0QQO0 = QOQoOQ(OooQ0)
"-", // checks something and returns an empty array
"1f2d82cb67327772481ce484582d66e4", // a[19] navigator.mimeTypes
"-" // QQQOo["w"] return
]
// a[2]: the clientIdKey value (sample on this page: "7LcSEbXN-1706520085316-2c8d2bf1655a71364294707").
// Reads the stored value from the external store QQOoOO, checks its trailing part against
// QOQooQ(first 36 characters), and generates and stores a new value when none exists or
// when O0Qo00(expected, stored) is truthy. QOQooQ, O0Qo00, O0QOOo, oOQOOo and ooO0OQ are external helpers.
var a2 = function () {
// Generator, written as a flattened state machine; the states run in the order 13 -> 14 -> 15 -> 16.
function oo0Qo0() {
var QQQOo = 13;
while (QQQOo) {
switch (QQQOo) {
case 104 + 10 - 98: { // state 16: build the value
// Inner loop (states 34 <-> 35): appends one random character per pass while OooQ0 counts down from 8.
var QQoQ0 = 34;
while (QQoQ0) {
switch (QQoQ0) {
case 85 + 15 - 65: { // state 35
OOO0o += oOQQO0(),
OooQ0--;
QQoQ0 = 34;
break;
}
case 88 + 20 - 74: { // state 34
QQoQ0 = OooQ0 ? 35 : 0;
break;
}
}
}
// Random prefix, "-", the current time in milliseconds, "-", and Math.random() as hex digits.
OOO0o = O0QOOo(O0QOOo(O0QOOo(O0QOOo(OOO0o, "-"), new window["Date"]()["getTime"]()), "-"), window["Math"]["random"]()["toString"](16)["substr"](2));
return O0QOOo(OOO0o, QOQooQ(OOO0o)); // return value: the string followed by QOQooQ of that string
}
case 83 + 20 - 88: { // state 15: helper that yields one random character
function oOQQO0() {
// Random integer from 0 to 61.
var QQQOo = window["Math"]["floor"](oOQOOo(window["Math"]["random"](), 62));
if (ooO0OQ(QQQOo, 10)) {
return QQQOo;
}
// Presumably maps 10..35 to "A".."Z" and 36..61 to "a".."z", if O0QOOo is addition — TODO confirm.
if (ooO0OQ(QQQOo, 36)) {
return window["String"]["fromCharCode"](O0QOOo(QQQOo, 55));
}
return window["String"]["fromCharCode"](O0QOOo(QQQOo, 61));
}
QQQOo = 16;
break;
}
case 42 + 19 - 48: { // state 13: empty accumulator
var OOO0o = "";
QQQOo = 14;
break;
}
case 82 + 12 - 80: { // state 14: number of random characters
var OooQ0 = 8;
QQQOo = 15;
break;
}
}
}
}
var QQQOo = QQOoOO["get"](OooQQ0["clientIdKey"], 255);
if (QQQOo) {
// Stored value: the first 36 characters, then the part compared with String(QOQooQ(first 36)).
var QQoQ0 = QQQOo["substring"](0, 36);
var OOO0o = QQQOo["substring"](36, QQQOo["length"]);
var OooQ0 = String(QOQooQ(QQoQ0));
if (O0Qo00(OooQ0, OOO0o)) {
QQQOo = oo0Qo0(),
QQOoOO["set"](OooQQ0["clientIdKey"], QQQOo);
}
} else {
QQQOo = oo0Qo0(), // TODO: entry point that generates clientIdKey
QQOoOO["set"](OooQQ0["clientIdKey"], QQQOo);
}
return QQQOo;
}
// a[13]: WebSocket constructor error text.
/**
 * Constructs a WebSocket with the invalid URL "itsgonnafail" and reports the
 * resulting error message. The sample on this page is
 * "Failed to construct 'WebSocket': The URL 'itsgonnafail' is invalid."
 * Two message forms are mapped to "SyntaxError" through the external helpers
 * ooQoQO and oOoOQo.
 *
 * @returns {*} the error message, "SyntaxError", or "-" when nothing is thrown.
 */
var a13 = function () {
  try {
    new WebSocket("itsgonnafail");
  } catch (err) {
    if (ooQoQO(err["message"], "'WebSocket' is undefined")) {
      return "SyntaxError";
    }
    if (oOoOQo(err["message"]["indexOf"]("\u672A\u5B9A\u4E49"), -1)) {
      return "SyntaxError";
    }
    return err["message"];
  }
  return "-";
};
// a[19]: navigator.mimeTypes summary.
/**
 * Builds one entry per MIME type from type, suffixes and description
 * (combined through the external helper O0QOOo), sorts the entries, joins
 * them with commas and strips all whitespace. The MIME type count and a comma
 * are put in front when O0Qo00(count, 0) is truthy.
 *
 * @returns {*} the summary, or "-" when O0Qo00(count, 0) is falsy.
 */
var a19 = function () {
  const entries = [];
  const nav = window["navigator"];
  const mimeCount = nav["mimeTypes"]["length"];
  let index = 0;
  while (ooO0OQ(index, mimeCount)) {
    const mime = nav["mimeTypes"][index];
    const typeAndSuffixes = O0QOOo(mime["type"], mime["suffixes"]);
    entries["push"](O0QOOo(typeAndSuffixes, mime["description"]));
    index++;
  }
  entries["sort"]();

  let summary = entries["join"]();
  summary = !summary ? "-" : summary["replace"](/\s/g, "");
  if (O0Qo00(nav["mimeTypes"]["length"], 0)) {
    return O0QOOo(O0QOOo(nav["mimeTypes"]["length"], ","), summary);
  }
  return "-";
};
上面的a[17],代码格式化检测
DES3
from Crypto.Cipher import DES3
from Crypto.Util.Padding import pad
import base64
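def swap_ij(text):
    """Return ``text`` with 'i'/'j' exchanged and 'I'/'J' exchanged.

    Every other character is left as it is. The mapping is its own inverse,
    so applying the function twice gives back the input.

    Args:
        text: the string to transform.

    Returns:
        The transformed string.
    """
    # One pass with a translation table instead of building the result
    # through repeated string concatenation.
    return text.translate(str.maketrans("ijIJ", "jiJI"))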
def des3_encrypt(key: str, text: str, iv='12345678'):
    """Encrypt ``text`` with Triple DES in CBC mode and return Base64 text.

    Only the first 24 characters of ``key`` are used. The plaintext is padded
    to the DES3 block size with ``pad`` before encryption.

    The IV defaults to a constant, and the caller on this page passes a
    variable named ``timestamp`` as the key, so as used here the cipher is
    an encoding step rather than a confidentiality control.

    Args:
        key: key material; truncated to 24 characters, then encoded to bytes.
        text: plaintext.
        iv: initialisation vector, 8 characters.

    Returns:
        The ciphertext, Base64-encoded, as ``str``.
    """
    key_bytes = key[:24].encode()
    plain_bytes = text.encode()
    iv_bytes = iv.encode()
    cipher = DES3.new(key_bytes, DES3.MODE_CBC, iv_bytes)
    padded = pad(plain_bytes, DES3.block_size)
    return base64.b64encode(cipher.encrypt(padded)).decode()
# Sample inputs; the text has the same "^^"-joined layout as the "k" field earlier on this page.
# The value named timestamp is passed to des3_encrypt as the key.
timestamp = '1706164685457-1262764575'
text = '63e9e04dc73e254e8ec26ccfae604c64|01100100011111111011111011011111011111011011110001111111111011111^^Netscape^^11110^^1920^^1040^^Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36^^0a386f39b15d28bc1dee2ad2a0eac07d^^zh-CN,zh^^-^^48000_2_1_0_2_explicit_speakers^^-^^0^^functiongetParameter(){[nativecode]}^^-^^-^^UTF-8^^-^^2308_10_392_0^^1hkvlpe73'
# Post-processing of the Base64 text: swap letter case, replace '+' with '~', then exchange i/j and I/J.
data = des3_encrypt(timestamp, text).swapcase().replace('+', '~')
data = swap_ij(data)
print(data)
环境分析(第二套a,b,c,d,g)
这套环境检测大概都一样,只是打乱顺序,没有全部看完
a,b,c,d,g分析
下面给出五个指纹数组
核心:两处格式化检测,两处检测 navigator["storage"]["estimate"]() 异步出来的值
// Sample array 1 of 5 for the second set (a, b, c, d, g); the page does not say which key each array belongs to.
[
"-",
"0",
"63e9e04dc73e254e8ec26ccfae604c64|01100100011111111011111011011111011111011011110001111111111011111",
"307384", // TODO: code-formatting check
"-",
918,
"48000_2_1_0_2_explicit_speakers",
480,
"0a386f39b15d28bc1dee2ad2a0eac07d",
"1706594834813",
1920,
1080,
"4746e7f5fbc70ef2ccd365c30c93f66a|b0f2202fc3f0f72f424ca4fc6db815df",
"functiongetParameter(){[nativecode]}",
"-", // TODO: incognito / DevTools (F12) detection based on quota; the correct value is "-"
"64047668428__", // TODO: quota
"-",
"10.0.0",
"-"
]
// Sample array 2 of 5 for the second set (a, b, c, d, g); the page does not say which key each array belongs to.
[
"Win32",
"zh-CN",
918,
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"zh-CN,zh",
"-",
"Mozilla",
1,
"0",
"Webkit-Chrome",
"424",
"Google Chrome",
"-",
"1f2d82cb67327772481ce484582d66e4",
"0_Windows_Not_A Brand_8_Chromium_120_Google Chrome_120"
]
// Sample array 3 of 5 for the second set (a, b, c, d, g); the page does not say which key each array belongs to.
[
"6ef4a53a32a3086171ad14d663a1e981",
"-",
1920,
0,
"Netscape",
"11110",
0,
"6470a21d4c329f0ab99b6025df4bff39",
1040,
"https%3A%2F%2Fwww.juneyaoair.com%2Fhome",
1040,
"-",
"-",
"uR19HptGmGPvdCgHVH0TkKnqKQ/FjsryK9moAPDUvFY=", // _xid; the long value created at initialisation
"functiongetoffsetHeight(){[nativecode]}",
"-",
"2c42fc7f8ddcc017c89d49af29f2fc99", // TODO: code-formatting check
"-",
"-"
]
// Sample array 4 of 5 for the second set (a, b, c, d, g); the page does not say which key each array belongs to.
[
"-",
1920,
"-",
20,
1920,
"-",
"1",
1914,
"true_0_1_Infinity",
"Google Inc. (Intel)-&-ANGLE (Intel, Intel(R) UHD Graphics 770 (0x00004680) Direct3D11 vs_5_0 ps_5_0, D3D11)",
"[object Window]",
"functioncreateAnalyser(){[nativecode]}",
"120.0.6099.225",
"120.0.6099.225",
"-",
"-",
12536,
"1697_8_0_0" // document: all, scripts, timeline, title
]
// Sample array 5 of 5 for the second set (a, b, c, d, g); the page does not say which key each array belongs to.
[
"2NX7CPH9-1706594827690-9a16dbec935bd142333190", // clientIdKey
8,
8,
33,
20,
"1",
20,
"functionenumerateDevices(){[nativecode]}",
"functiontoDataURL(){[nativecode]}",
"[objectPluginArray]",
"functiontoString(){[nativecode]}",
"Failed to construct 'WebSocket': The URL 'itsgonnafail' is invalid.",
"1",
"functionRTCPeerConnection(){[nativecode]}",
"-",
"-",
"1696.5823364257812",
"-",
"UTF-8",
"-",
"-"
]
navigator["storage"]["estimate"]
// Promise around navigator.storage.estimate().
// It resolves with the estimate object on success and with 0 on failure.
// In this listing the value delivered by estimate() is replaced with a fixed
// object before use (the author's TODO marker); O0oo00 is assigned without a
// declaration, as in the original.
var QOo0Q = new window["Promise"](function (resolve) {
  const onEstimate = function (estimate) {
    estimate = {
      "quota": 64047668428,
      "usage": 0,
      "usageDetails": {}
    }; // TODO
    O0oo00 = estimate;
    resolve(estimate);
  };
  const onFailure = function () {
    resolve(0);
  };
  navigator["storage"]["estimate"]()["then"](onEstimate, onFailure);
});
// TODO (author): checks whether oQOoQO(entry["quota"], oOOooQ()) is "less than".
// Waits for every promise in the external list Q0oOQ and derives one flag:
// - an entry for which O0OoO0(entry) compares to "object" sets the flag when both
//   oQOoQO(quota, oOOooQ()) and QQOQOQ(quota, usage) are truthy;
// - any other entry sets the flag when Oo00Q0(entry, 1) is truthy.
// A set flag pushes 1 onto OoQ0O0; Q0Q0O0 is always called with the flag.
Promise["all"](Q0oOQ)["then"](function (results) {
  let flagged = false;
  let index = 0;
  while (oQOoQO(index, results["length"])) {
    const entry = results[index];
    if (Oo00Q0(O0OoO0(entry), "object")) {
      if (oQOoQO(entry["quota"], oOOooQ()) && QQOQOQ(entry["quota"], entry["usage"])) {
        flagged = true;
      }
    } else if (Oo00Q0(entry, 1)) {
      flagged = true;
    }
    index++;
  }
  if (flagged) {
    OoQ0O0["push"](1);
  }
  Q0Q0O0(flagged);
});
// oOOooQ: supplies the second argument of the oQOoQO(quota, oOOooQ()) comparison used in the storage check.
// Returns one of four fixed numbers (or 0) chosen from QOQQOO() and the user agent.
// QOQQOO, Qoo0O0, QOQ0o0, Oo00Q0 and OQQQO0 are defined outside this snippet;
// QOQQOO() is presumably the browser's major version — TODO confirm.
function oOOooQ() {
if (Qoo0O0(QOQQOO(), 83)) {
var O0oOo = void 0;
var O0QoQ = void 0;
var O0o00 = void 0;
// Each operand has the shape "x is null or undefined ? undefined : x.indexOf(...)",
// applied to navigator.userAgent for "Mac OS", "iPhone" and "CrOS".
var Q0oOQ = QOQ0o0(Oo00Q0(O0oOo = navigator["userAgent"], null) || Oo00Q0(void 0, O0oOo) ? void 0 : O0oOo["indexOf"]("Mac OS"), 0) && Oo00Q0(Oo00Q0(O0QoQ = navigator["userAgent"], null) || Oo00Q0(void 0, O0QoQ) ? void 0 : O0QoQ["indexOf"]("iPhone"), -1);
var QooOo = QOQ0o0(Oo00Q0(O0o00 = navigator["userAgent"], null) || Oo00Q0(void 0, O0o00) ? void 0 : O0o00["indexOf"]("CrOS"), 0);
// 3221225472 when either user-agent flag is set, otherwise 1273741824.
return Q0oOQ || QooOo ? 3221225472 : 1273741824;
}
if (QOQ0o0(QOQQOO(), 80) && OQQQO0) {
return 400000000;
}
if (Qoo0O0(QOQQOO(), 76)) {
return 120000000;
}
return 0;
}
AES
第二套算法用的是AES,a,b,c,d,g 都需要经过这个加密,如下图:
代码如下,同样是魔改的AES(看之前文章):
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import base64
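def swap_ij(text):
    """Return ``text`` with 'i'/'j' exchanged and 'I'/'J' exchanged.

    Every other character is left as it is. The mapping is its own inverse,
    so applying the function twice gives back the input.

    Args:
        text: the string to transform.

    Returns:
        The transformed string.
    """
    # One pass with a translation table instead of building the result
    # through repeated string concatenation.
    return text.translate(str.maketrans("ijIJ", "jiJI"))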
def aes_cbc_encrypt(key: str, text: str, iv='1234567812345678'):
    """Encrypt ``text`` with AES in CBC mode and return Base64 text.

    The plaintext is padded to the AES block size with ``pad`` before
    encryption. The key is used as given, after encoding to bytes.

    The IV defaults to a constant, and the key used on this page is a
    timestamp-like string, so as used here the cipher is an encoding step
    rather than a confidentiality control.

    Args:
        key: key material; its encoded length must be a valid AES key size.
        text: plaintext.
        iv: initialisation vector, 16 characters.

    Returns:
        The ciphertext, Base64-encoded, as ``str``.
    """
    iv_bytes = iv.encode()
    key_bytes = key.encode()
    plain_bytes = text.encode()
    cipher = AES.new(key_bytes, AES.MODE_CBC, iv_bytes)
    padded = pad(plain_bytes, AES.block_size)
    return base64.b64encode(cipher.encrypt(padded)).decode()
# Sample inputs: a 16-character key and one "^^"-joined value string.
key = "1706691300054-15"
text = "-^^1920^^-^^20^^1920^^-^^1^^1914^^-^^Google Inc. (Intel)-&-ANGLE (Intel, Intel(R) UHD Graphics 770 (0x00004680) Direct3D11 vs_5_0 ps_5_0, D3D11)^^[object Window]^^functioncreateAnalyser(){[nativecode]}^^-^^-^^-^^-^^12539^^1975_8_1945_0^^1hlfdge0t"
# Encrypt, then post-process the Base64 text: swap letter case, replace '+' with '~', exchange i/j and I/J.
data = aes_cbc_encrypt(key, text).swapcase().replace('+', '~')
data = swap_ij(data)
print(data)
补环境
缺啥补啥!!(狗头保命)
结束
本文是原创文章,采用 CC 4.0 协议,完整转载请注明来自 http://www.1997.pro/