x-s3-s4e参数分析
x-s3-s4e参数分析
前言
这个参数我去年分析过,但是没有做笔记,现在更新了检测的环境以及其他生成值的流程,有小改动
现在重新看到这个参数,就想着做一份笔记,重头开始重新分析
注意点:之前分析过,它可能会走错误逻辑(需要注意一下),而且生成值的流程也不是固定的(这里并不是说代码是动态的)
比如下图的key的生成
这个key生成流程是这样的
解决方法也比较简单,就是把控制函数执行的流程也给扣下来或者补环境,不能只扣一个流程
目标参数
x-s3-sid,x-s3-tid 是响应中返回的
x-s3-s4e 是需要分析的值
x-s3-s4e生成值流程
出值
所以现在就是需要将_0xed69e4这个对象给扣出来,以及把环境数组给分析出来即可
接下来先把环境数组给分析一下
环境数组分析
new _s3_es4(_0x1cfdd1)
17位环境数组(下面的arr1,arr10,arr11,arr13是分析这个数组)
[
"eec7dd5e820acf0afbdde3e1ec810ddc70ef6665:c2:cb3e1eff-0b7e-11ef-a270-005056b92763:08033224bb;S18oLZg9w0mYn244zjnb5vo2c",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
"",
"",
"Win32",
"",
"",
[
"1920",
"1080",
"1",
"24"
],
"",
"https://www.9air.com/zh-CN/book/booking",
"e797715c235257fce726a303ed682a3e7b8efbb4",
"c0dc2443",
"(https://m.9air.com/emp/vodka/v1/js/sw.js:1:202126)\n",
"e5eb74d47165905b681bd82bd8e1a441352b719d",
[
[
2,
2,
2,
2,
2
],
[
2,
2,
3,
2,
3,
3
],
2,
2,
2,
[
3,
2,
3,
2,
2,
3
],
[
2,
2,
2,
1,
1,
1,
3,
0
],
[
2
],
[
2
],
2,
[
2
],
[
2,
2
],
2,
2
],
[],
2
]
这里只分析几个不同点,那些userAgent、屏幕宽高之类的就不看了
继续看
先找到window['_s3']['_sc']赋值的位置,因为它是数组,所以肯定会有push,这里还是该解混淆就解混淆
解混淆后,搜索_s3
上图可以知道值是在_0x46fde6中
往上看,可以看到_0x17f708对象,这个对象如何生成的先不管,先找一下arr1、arr10、arr11、arr13这四个值
_0x17f708中的da是一个42位的环境数组
_0x17f708中的tr是一个14位的数组
var _0x17f708 = {"da":["","","","","",[[],"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"],[[],[0,0,0]],[[],null],[[],2,"(https://m.9air.com/emp/vodka/v1/js/sw.js:5338:25)\n"],[[],null],[[],["","probably","probably"]],[[],["Portable Document Format~~application/pdf~~pdf","Portable Document Format~~text/pdf~~pdf"]],[[],"Win32"],[[],"20030107"],[[],8],[[],[945,1032]],[[],[["PDF Viewer","Portable Document Format","internal-pdf-viewer","",[["application/pdf","pdf","Portable Document Format"],["text/pdf","pdf","Portable Document Format"]]],["Chrome PDF Viewer","Portable Document Format","internal-pdf-viewer","",[["application/pdf","pdf","Portable Document Format"],["text/pdf","pdf","Portable Document Format"]]],["Chromium PDF Viewer","Portable Document Format","internal-pdf-viewer","",[["application/pdf","pdf","Portable Document Format"],["text/pdf","pdf","Portable Document Format"]]],["Microsoft Edge PDF Viewer","Portable Document Format","internal-pdf-viewer","",[["application/pdf","pdf","Portable Document Format"],["text/pdf","pdf","Portable Document Format"]]],["WebKit built-in PDF","Portable Document Format","internal-pdf-viewer","",[["application/pdf","pdf","Portable Document Format"],["text/pdf","pdf","Portable Document Format"]]]]],[[],[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]],[[],[0,0,0,0]],[[],null],[[],[]],[[],0],[[],null],[[],[1,0,0]],[[],1],[[],0],[[],[0,0,0]],[[],[1,"(min-width: 
1919px)"]],[[],["1920","1080","1","24"]],[[],null],[[],[1,13,1,5,1]],[[],[2,3,6,8,10,11,12,13,14,15,16,17,19,20,21,22,24,25,27,28,29,30,31,33,34,35,36,37,39,40,42,43,44,45,49,50,51,52,53,54,55,56,57,58,60,61,62,63,64,67,68,69,79,80,81,82,83,84,85,86]],[[],[106,110,137,141,143,146,148,153,158,159,160,162,165,168,171,172,173,175,177,178,190,195,196,197,199,201,203,209,223,224,225,227,239,242,243,248,249,259,268,270,271,279,280,289,291,297,304,309,318,319,333,335,338,346,347,349,355,357,360,362,363,364,365,367,370,371,376,378,380,387,388,389,391,398,399,405,406,412,413,414,417,418,422,424,425,429,434,436,437,454,462,467,473,479,486,495,496,507,509,510,514,522,523,524,525,526,528,529,530,531,532]],[[],2],[[],"https://www.9air.com/zh-CN/book/booking"],[[],["0:value initNECaptcha:function n(t,e,i){var a=(new Date).getTime();e=","0:value QRCode:function(a,b){if(this._htOption={width:256,","0:value html2canvas:function(A,e){var t=e||{},s=new B.default(\"","0:value initNEWatchman:function N(a,b,c){var e=a.productNumber,d=a.mer","0:value initWatchman:function N(a,b,c){var e=a.productNumber,d=a.mer","0:value _:","0:value setImmediate:function(e){\"function\"!=typeof e&&(e=new ","0:value clearImmediate:function h(e){delete l[e]}","0:value __JSONP_x7sxj94_0:function(e){c(),n&&n(null,e,{url:t})}","0:value _0x85a7:function(_0xb331cf, _0x161b26) {\n _0xb331cf = _0xb331cf - ","0:value _0x1870:function(_0x24de4e, _0x1eb75e) {\n _0x24de4e = _0x24de4e - ","0:value _0x1112:function(_0x432851, _0x46888a) {\n _0x432851 = _0x432851 - ","0:value safeAdd:function safeAdd(_0x8f2cb2, _0x4435df) {\n var _0xc4b214 = {\n ","0:value bitRotateLeft:function bitRotateLeft(_0x280a41, _0x246375) {\n var _0x1f6b92 = {\n ","0:value kzg:function kzg(_0x1a371f, _0x2287e7, _0x4ff1d0, _0xb97506, _0x12761f, _0x228186) {\n var _0x1dd37b = {\n ","0:value nkV:function nkV(_0x517299, _0x40a08e, _0x427423, _0x1c248e, _0x1feb8d, _0x20dcde, _0x6e501b) {\n var _0x255c15 = {\n ","0:value yIk:function yIk(_0x1faf75, 
_0x565d0b, _0x4f1eb9, _0x131bcf, _0x36d6c6, _0x27f8c9, _0x44da81) {\n var _0x16d5fa = {\n ","0:value qZE:function qZE(_0x4c7bcc, _0x3d65ba, _0x8cad23, _0x5a6e4d, _0x369203, _0x3b3361, _0x132459) {\n return kzg(_0x3d65ba ^ _","0:value rEw:function rEw(_0x50aab8, _0x2986a8, _0x10730f, _0x359e6a, _0x12485b, _0x479665, _0x4a2cca) {\n var _0x5bbe8f = {\n ","0:value xgq:function xgq(_0x469c47, _0x298d40) {\n var _0x29c352 = {\n ","0:value binl2rstr:function binl2rstr(_0x3e23bc) {\n var _0x59a170 = {\n ","0:value rstr2binl:function rstr2binl(_0x233a82) {\n var _0x372a94 = {\n ","0:value gIC:function gIC(_0x5afac2) {\n var _0x81fab4 = {\n ","0:value wAL:function wAL(_0x514cd2, _0xdf0d6d) {\n var _0x25cbdb = {\n ","0:value njn:function njn(_0x42a346) {\n var _0xbdc053 = {\n ","0:value str2rstrUTF8:function str2rstrUTF8(_0x23a6c7) {\n return unescape(encodeUR","0:value kBe:function kBe(_0x86c6ca) {\n var _0x3ca55b = {\n ","0:value lZn:function lZn(_0x5bf7ce) {\n var _0x346c5f = {\n ","0:value cot:function cot(_0x203400, _0x36383f) {\n return wAL(str2rstrUTF8(","0:value bTq:function bTq(_0x4b002e, _0x5463c5) {\n var _0x586151 = {\n ","0:value lDf:function(_0x2c1954, _0x57a2e0, _0x36f221) {\n var _0x19d836 = {\n ","0:value _s3gCU:function() {\n var _0xc8d36e = window[s","0:value _s3gCs:function(_0x4abf21, _0x1275ed) {\n var _0x80b4b3 = {\n ","0:value _s3gCe:function(_0xa0c2de, _0x5a5e83) {\n var _0x1ece8f = _s3gCs(_","0:value _s3Jn:function(_0x2f336d) {\n var _0x3b1cbb = {\n ","0:value smN:function _0x461b74(_0x124f19) {\n return _0xa9cef3","0:value _s3_es4:function _0x2c17a4(_0x1a8fa9) {\n var _0x3af532 = ","0:value _s3dm:function(_0x2c1954, _0x57a2e0, _0x36f221) {\n var _0x19d836 = {\n ","0:value uPr:function(_0x22b10a, _0x4f7094) {\n if (typeof _0x22b10a","0:value _s3hr:function(_0x1f5494) {\n var _0x4f5cde = '';\n","0:value _s3dsm:function _0x536ca9() {\n _0x7e6b9c += _0x3526","0:value _s3Benb:function(_0x23bde3) {\n var _0x1e846f;\n ","0:value _s3Ben:function(_0xfebdc1) 
{\n var _0x140f9b = wind"]],[[],"c0dc2443","41f37a0b235257fce726a303ed682a3e7b8efbb4"],[[],[],"6b531f707165905b681bd82bd8e1a441352b719d"],[-1,400,0,100,100,-1,0,100,-1,123900,0,12300,0,100,0,0,100,0,300,300,232700,100,400,110200,1800,122200,100,120600,0,-1,100,0,200,100,200,200,200,-1,100,28100,58200,50800,100,17000,0,-1,196800],[0,0,0,0,0,0,0,0,0,0,0],[],[["chrome:",["loadTimes","csi","app","constructor","__defineGetter__","__defineSetter__","hasOwnProperty","__lookupGetter__","__lookupSetter__","isPrototypeOf","propertyIsEnumerable","toString","valueOf","__proto__","toLocaleString"]],["runtime:",null],["app:",["isInstalled","getDetails","getIsInstalled","installState","runningState","InstallState","RunningState","constructor","__defineGetter__","__defineSetter__","hasOwnProperty","__lookupGetter__","__lookupSetter__","isPrototypeOf","propertyIsEnumerable","toString","valueOf","__proto__","toLocaleString"]],["HTMLDialogElement:","function HTMLDialogElement() { [native code] }"],["connection:",["4g",10,150,false,null]],["HTMLMediaElement","function HTMLMediaElement() { [native code] }"],["fastSeek:","W"],["safari",null],["webkitAudioContext:","W"],["Notification:","function Notification() { [native code] }"],["mozNotification:","W"],["netscape:",null],["AudioContext:","function AudioContext() { [native code] }"],["AudioContext.close:","function close() { [native code] }"],["createMediaStreamTrackSource:","W"],["maxTouchPoints: ",0],["webdriver: ",false],["Browser, BVersion, OS, CPU, Device","Chrome: 124.0.0.0: Win: amd64"],"vendor: null","model: null","type: null","124.0.0.0",12400000000,"Chrome2",2,"OS+2",null]],"tr":[[2,2,2,2,2],[2,2,3,2,3,3],2,2,2,[3,2,3,2,2,3],[2,2,2,1,1,1,3,0],[2],[2],2,[2],[2,2],2,2]}
arr1
这两个值是两个接口返回的,但是应该可以从同一个接口拿到
var _0x46fde6 = [_0x27e9fd + ';' + _s3did];
// x-s3-tid https://m.9air.com/emp/vodka/v1/bootstrap/param?t=1714981921794
eec7dd5e820acf0afbdde3e1ec810ddc70ef6665:c2:cb3e1eff-0b7e-11ef-a270-005056b92763:08033224bb
// x-s3-sid https://m.9air.com/emp/vodka/v1/bootstrap/param?t=1714981831848
S18oLZg9w0mYn244zjnb5vo2c
arr1 = x-s3-tid + ';' + x-s3-sid
arr10
_0x46fde6['push'](_0x17f708['da'][36][2])
// TODO 这里可以看到是_0x17f708['da'][36][2]的值
'41f37a0b235257fce726a303ed682a3e7b8efbb4'
arr11
_0x46fde6['push'](!!_0x17f708['da'][36][1] ? _0x17f708['da'][36][1] : '')
// TODO 这里可以看到是_0x17f708['da'][36][1]的值
'c0dc2443'
arr13
_0x46fde6['push'](_0x17f708['da'][37][2])
// TODO 这里可以看到是_0x17f708['da'][37][2]的值
'6b531f707165905b681bd82bd8e1a441352b719d'
42位环境数组分析
42位环境数组如下
{
"da": [
"",
"",
"",
"",
"",
[
[],
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
],
[
[],
[
0,
0,
0
]
],
[
[],
null
],
[
[],
2,
"(https://m.9air.com/emp/vodka/v1/js/sw.js:5338:25)\n"
],
[
[],
null
],
[
[],
[
"",
"probably",
"probably"
]
],
[
[],
[
"Portable Document Format~~application/pdf~~pdf",
"Portable Document Format~~text/pdf~~pdf"
]
],
[
[],
"Win32"
],
[
[],
"20030107"
],
[
[],
8
],
[
[],
[
945,
1032
]
],
[
[],
[
[
"PDF Viewer",
"Portable Document Format",
"internal-pdf-viewer",
"",
[
[
"application/pdf",
"pdf",
"Portable Document Format"
],
[
"text/pdf",
"pdf",
"Portable Document Format"
]
]
],
[
"Chrome PDF Viewer",
"Portable Document Format",
"internal-pdf-viewer",
"",
[
[
"application/pdf",
"pdf",
"Portable Document Format"
],
[
"text/pdf",
"pdf",
"Portable Document Format"
]
]
],
[
"Chromium PDF Viewer",
"Portable Document Format",
"internal-pdf-viewer",
"",
[
[
"application/pdf",
"pdf",
"Portable Document Format"
],
[
"text/pdf",
"pdf",
"Portable Document Format"
]
]
],
[
"Microsoft Edge PDF Viewer",
"Portable Document Format",
"internal-pdf-viewer",
"",
[
[
"application/pdf",
"pdf",
"Portable Document Format"
],
[
"text/pdf",
"pdf",
"Portable Document Format"
]
]
],
[
"WebKit built-in PDF",
"Portable Document Format",
"internal-pdf-viewer",
"",
[
[
"application/pdf",
"pdf",
"Portable Document Format"
],
[
"text/pdf",
"pdf",
"Portable Document Format"
]
]
]
]
],
[
[],
[
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0
]
],
[
[],
[
0,
0,
0,
0
]
],
[
[],
null
],
[
[],
[]
],
[
[],
0
],
[
[],
null
],
[
[],
[
1,
0,
0
]
],
[
[],
1
],
[
[],
0
],
[
[],
[
0,
0,
0
]
],
[
[],
[
1,
"(min-width: 1919px)"
]
],
[
[],
[
"1920",
"1080",
"1",
"24"
]
],
[
[],
null
],
[
[],
[
1,
13,
1,
5,
1
]
],
[
[],
[
2,
3,
6,
8,
10,
11,
12,
13,
14,
15,
16,
17,
19,
20,
21,
22,
24,
25,
27,
28,
29,
30,
31,
33,
34,
35,
36,
37,
39,
40,
42,
43,
44,
45,
49,
50,
51,
52,
53,
54,
55,
56,
57,
58,
60,
61,
62,
63,
64,
67,
68,
69,
79,
80,
81,
82,
83,
84,
85,
86
]
],
[
[],
[
106,
110,
137,
141,
143,
146,
148,
153,
158,
159,
160,
162,
165,
168,
171,
172,
173,
175,
177,
178,
190,
195,
196,
197,
199,
201,
203,
209,
223,
224,
225,
227,
239,
242,
243,
248,
249,
259,
268,
270,
271,
279,
280,
289,
291,
297,
304,
309,
318,
319,
333,
335,
338,
346,
347,
349,
355,
357,
360,
362,
363,
364,
365,
367,
370,
371,
376,
378,
380,
387,
388,
389,
391,
398,
399,
405,
406,
412,
413,
414,
417,
418,
422,
424,
425,
429,
434,
436,
437,
454,
462,
467,
473,
479,
486,
495,
496,
507,
509,
510,
514,
522,
523,
524,
525,
526,
528,
529,
530,
531,
532
]
],
[
[],
2
],
[
[],
"https://www.9air.com/zh-CN/book/booking"
],
[
[],
[
"0:value initNECaptcha:function n(t,e,i){var a=(new Date).getTime();e=",
"0:value QRCode:function(a,b){if(this._htOption={width:256,",
"0:value html2canvas:function(A,e){var t=e||{},s=new B.default(\"",
"0:value initNEWatchman:function N(a,b,c){var e=a.productNumber,d=a.mer",
"0:value initWatchman:function N(a,b,c){var e=a.productNumber,d=a.mer",
"0:value _:",
"0:value setImmediate:function(e){\"function\"!=typeof e&&(e=new ",
"0:value clearImmediate:function h(e){delete l[e]}",
"0:value __JSONP_x7sxj94_0:function(e){c(),n&&n(null,e,{url:t})}",
"0:value _0x85a7:function(_0xb331cf, _0x161b26) {\n _0xb331cf = _0xb331cf - ",
"0:value _0x1870:function(_0x24de4e, _0x1eb75e) {\n _0x24de4e = _0x24de4e - ",
"0:value _0x1112:function(_0x432851, _0x46888a) {\n _0x432851 = _0x432851 - ",
"0:value safeAdd:function safeAdd(_0x8f2cb2, _0x4435df) {\n var _0xc4b214 = {\n ",
"0:value bitRotateLeft:function bitRotateLeft(_0x280a41, _0x246375) {\n var _0x1f6b92 = {\n ",
"0:value kzg:function kzg(_0x1a371f, _0x2287e7, _0x4ff1d0, _0xb97506, _0x12761f, _0x228186) {\n var _0x1dd37b = {\n ",
"0:value nkV:function nkV(_0x517299, _0x40a08e, _0x427423, _0x1c248e, _0x1feb8d, _0x20dcde, _0x6e501b) {\n var _0x255c15 = {\n ",
"0:value yIk:function yIk(_0x1faf75, _0x565d0b, _0x4f1eb9, _0x131bcf, _0x36d6c6, _0x27f8c9, _0x44da81) {\n var _0x16d5fa = {\n ",
"0:value qZE:function qZE(_0x4c7bcc, _0x3d65ba, _0x8cad23, _0x5a6e4d, _0x369203, _0x3b3361, _0x132459) {\n return kzg(_0x3d65ba ^ _",
"0:value rEw:function rEw(_0x50aab8, _0x2986a8, _0x10730f, _0x359e6a, _0x12485b, _0x479665, _0x4a2cca) {\n var _0x5bbe8f = {\n ",
"0:value xgq:function xgq(_0x469c47, _0x298d40) {\n var _0x29c352 = {\n ",
"0:value binl2rstr:function binl2rstr(_0x3e23bc) {\n var _0x59a170 = {\n ",
"0:value rstr2binl:function rstr2binl(_0x233a82) {\n var _0x372a94 = {\n ",
"0:value gIC:function gIC(_0x5afac2) {\n var _0x81fab4 = {\n ",
"0:value wAL:function wAL(_0x514cd2, _0xdf0d6d) {\n var _0x25cbdb = {\n ",
"0:value njn:function njn(_0x42a346) {\n var _0xbdc053 = {\n ",
"0:value str2rstrUTF8:function str2rstrUTF8(_0x23a6c7) {\n return unescape(encodeUR",
"0:value kBe:function kBe(_0x86c6ca) {\n var _0x3ca55b = {\n ",
"0:value lZn:function lZn(_0x5bf7ce) {\n var _0x346c5f = {\n ",
"0:value cot:function cot(_0x203400, _0x36383f) {\n return wAL(str2rstrUTF8(",
"0:value bTq:function bTq(_0x4b002e, _0x5463c5) {\n var _0x586151 = {\n ",
"0:value lDf:function(_0x2c1954, _0x57a2e0, _0x36f221) {\n var _0x19d836 = {\n ",
"0:value _s3gCU:function() {\n var _0xc8d36e = window[s",
"0:value _s3gCs:function(_0x4abf21, _0x1275ed) {\n var _0x80b4b3 = {\n ",
"0:value _s3gCe:function(_0xa0c2de, _0x5a5e83) {\n var _0x1ece8f = _s3gCs(_",
"0:value _s3Jn:function(_0x2f336d) {\n var _0x3b1cbb = {\n ",
"0:value smN:function _0x461b74(_0x124f19) {\n return _0xa9cef3",
"0:value _s3_es4:function _0x2c17a4(_0x1a8fa9) {\n var _0x3af532 = ",
"0:value _s3dm:function(_0x2c1954, _0x57a2e0, _0x36f221) {\n var _0x19d836 = {\n ",
"0:value uPr:function(_0x22b10a, _0x4f7094) {\n if (typeof _0x22b10a",
"0:value _s3hr:function(_0x1f5494) {\n var _0x4f5cde = '';\n",
"0:value _s3dsm:function _0x536ca9() {\n _0x7e6b9c += _0x3526",
"0:value _s3Benb:function(_0x23bde3) {\n var _0x1e846f;\n ",
"0:value _s3Ben:function(_0xfebdc1) {\n var _0x140f9b = wind"
]
],
[
[],
"c0dc2443", // TODO
"41f37a0b235257fce726a303ed682a3e7b8efbb4" // TODO
],
[
[],
[],
"6b531f707165905b681bd82bd8e1a441352b719d" // TODO
],
[
-1,
400,
0,
100,
100,
-1,
0,
100,
-1,
123900,
0,
12300,
0,
100,
0,
0,
100,
0,
300,
300,
232700,
100,
400,
110200,
1800,
122200,
100,
120600,
0,
-1,
100,
0,
200,
100,
200,
200,
200,
-1,
100,
28100,
58200,
50800,
100,
17000,
0,
-1,
196800
],
[
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0
],
[],
[
[
"chrome:",
[
"loadTimes",
"csi",
"app",
"constructor",
"__defineGetter__",
"__defineSetter__",
"hasOwnProperty",
"__lookupGetter__",
"__lookupSetter__",
"isPrototypeOf",
"propertyIsEnumerable",
"toString",
"valueOf",
"__proto__",
"toLocaleString"
]
],
[
"runtime:",
null
],
[
"app:",
[
"isInstalled",
"getDetails",
"getIsInstalled",
"installState",
"runningState",
"InstallState",
"RunningState",
"constructor",
"__defineGetter__",
"__defineSetter__",
"hasOwnProperty",
"__lookupGetter__",
"__lookupSetter__",
"isPrototypeOf",
"propertyIsEnumerable",
"toString",
"valueOf",
"__proto__",
"toLocaleString"
]
],
[
"HTMLDialogElement:",
"function HTMLDialogElement() { [native code] }"
],
[
"connection:",
[
"4g",
10,
150,
false,
null
]
],
[
"HTMLMediaElement",
"function HTMLMediaElement() { [native code] }"
],
[
"fastSeek:",
"W"
],
[
"safari",
null
],
[
"webkitAudioContext:",
"W"
],
[
"Notification:",
"function Notification() { [native code] }"
],
[
"mozNotification:",
"W"
],
[
"netscape:",
null
],
[
"AudioContext:",
"function AudioContext() { [native code] }"
],
[
"AudioContext.close:",
"function close() { [native code] }"
],
[
"createMediaStreamTrackSource:",
"W"
],
[
"maxTouchPoints: ",
0
],
[
"webdriver: ",
false
],
[
"Browser, BVersion, OS, CPU, Device",
"Chrome: 124.0.0.0: Win: amd64"
],
"vendor: null",
"model: null",
"type: null",
"124.0.0.0",
12400000000,
"Chrome2",
2,
"OS+2",
null
]
],
"tr": [
[
2,
2,
2,
2,
2
],
[
2,
2,
3,
2,
3,
3
],
2,
2,
2,
[
3,
2,
3,
2,
2,
3
],
[
2,
2,
2,
1,
1,
1,
3,
0
],
[
2
],
[
2
],
2,
[
2
],
[
2,
2
],
2,
2
]
}
42位环境数组出值流程
搜索Promise['all'],得到_0x1ddee3的值
往下追栈
进入case 5
通过_0x320b94["owS"]对_0x4482f9进行加密,得到_0x2c377f,这时_0x2c377f的da长度是39
继续,经过几个setTimeout
继续,这时da的长度还是39位
继续进入 this["_sfm"]['_2dcng']["_3kptn"]["rTK"] 函数,里面push了三个值,就变成了42位了
到此,出值流程已经走完
接下来分析几个重要的元素是如何生成的
分析
分析异步出来的值
aNZ
进行条件断点
所以可以知道
[
[],
"c0dc2443", // canvas 有关
"8ce46a202c307ae6c3c283bb253e97450ccf4a52" // 随机数有关,共四十位,循环20次,每次2位进行++操作
],
其他
想看其他的值的话,同理(打条件断点看即可)
分析_0x320b94["owS"]函数
这是一个case嵌套case的控制流,如下图
生成da数组有39位,但是里面没有什么关键的东西
接下来,我主要是想找42位数组中的第37位
arr37
这里
arr37 = _0x1a54c9["_sfm"]["_2dcng"]["_3kptn"]["plRt"]['da'][37][2] = window['_s3hr'](0x4) + window['_s3dm'](typeof _0x229632['c'] != 'undefined' ? _s3Jn(_0x229632['c']) + 'c' : "undefined")
window['_s3hr'](0x4)
window['_s3dm'](_s3Jn(_0x229632['c']) + 'c')
window['_s3hr'](4)
这个是生成8位的随机十六进制字符串(参数4表示循环4次,每次拼接2位十六进制)
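/*
 * Random hex-string helper as excerpted from the page's script, where the
 * article refers to it as window['_s3hr']. Each loop iteration appends one
 * random byte rendered as two lowercase hex digits, so a count of 4 yields
 * an 8-character string.
 *
 * Review notes:
 *  - The randomness comes from Math.random(), which is not a cryptographically
 *    secure source; the value is unpredictable only in the casual sense.
 *  - Math.round(Math.random() * 0xff) is not uniform: 0x00 and 0xff each cover
 *    half the interval of every other byte value.
 */

// Dispatch table left behind by the obfuscator; every entry is a trivial wrapper.
var _0x47ee7b = {
    // Invokes the supplied function with no arguments and returns its result.
    'xjtxw': function (callee) {
        return callee();
    },
    // NOTE(review): 'RttFl' is called below but was absent from the excerpt, so a
    // single-digit hex value raised a TypeError. Its call site ('0' + one hex digit)
    // suggests plain concatenation — confirm against the full script.
    'RttFl': function (left, right) {
        return left + right;
    }
};

/**
 * Returns one random byte as a two-character lowercase hex string.
 *
 * @param {number} [_0x51df9d] Byte value to avoid; the draw is repeated while it
 *     equals this value. When omitted, -1 is used, which no draw can match.
 * @returns {string} Two hex digits, left-padded with '0'.
 */
var _0xa30054 = function (_0x51df9d) {
    var excluded = typeof _0x51df9d === "undefined" ? -0x1 : _0x51df9d;
    var drawn;
    do {
        drawn = Math["round"](Math["random"]() * 0xff);
    } while (drawn === excluded);
    var hex = drawn['toString'](0x10);
    // Values below 0x10 stringify to a single digit and need the leading zero.
    return hex["length"] == 0x1 ? _0x47ee7b["RttFl"]('0', hex) : hex;
};

/**
 * Concatenates `_0x1f5494` random bytes into one hex string.
 *
 * @param {number} _0x1f5494 Number of random bytes to generate.
 * @returns {string} Hex string of length 2 * _0x1f5494 ('' when the count is 0).
 */
var _0x14c2dd = function (_0x1f5494) {
    var output = '';
    for (var index = 0x0; index < _0x1f5494; index++) {
        // Called through the dispatch table with no argument, so nothing is excluded.
        output += _0x47ee7b['xjtxw'](_0xa30054);
    }
    return output;
};

console.log(_0x14c2dd(4))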
window['_s3dm'](_s3Jn(_0x229632['c']) + 'c')
这里主要对_0x229632进行加密,_0x229632的值为
{
"s": "bDW", // 不管,没用到
"v": "70fdf41e-0b9c-11ef-a274-005056b92763", // 不管,没用到
"f": "xUY", // 不管,没用到
"c": [
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
"Win32",
"1920",
"1080",
"1",
"24",
"https://www.9air.com/zh-CN/book/booking",
"c0dc2443", // canvas
"null",
"null"
],
"fm": "7e7cb9087d4a3d4936620f9e3242cac5" // 不管,没用到
}
_s3Jn函数
// _s3Jn是对_0x229632['c']进行拼接,不是单纯的拼接,还会加null
// 最终生成值:
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Win3219201080124https://www.9air.com/zh-CN/book/bookingc0dc2443nullnullc"
window['_s3dm']函数
加密得到结果
结束
分析到这里就可以扣算法了,还需要注意的就是前言里面说的,还有就是注意那几个setTimeout......