2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article shares the process of reverse engineering ua. The editor thinks it is very practical and shares it here for study. I hope you get something out of reading it.
I haven't posted an article for a long time. It's not that the account has been forgotten, but that I have become lazy, and the current technical article, no matter how well written, is useless, and not many people read it. There are those who read my article and then came to add my WeChat. I didn't even look good at the article. I refused directly, and it was the same with those who kept saying how helpful the articles were to them, so I became lazy. I just wrote down some summary records in my notebook. Anyway, I read them myself, so they don't need to look good.
So this time I am just posting a record, without any code; readers can look through it as they please.
123ua is encrypted from a coll***.js file, and anyone who has seen it should know that since the 122 update there is not only terrifying control-flow obfuscation but also comma expressions. With the comma expressions added, debugging is very difficult, basically impossible. Here, I convert the code to an AST and then transform it to restore the code. If you need to learn about ASTs, search Baidu yourself; I won't say much here.
I restored conditional expressions, comma expressions, and string additions, but the rest could not be restored due to limited personal skills.
After the restore, debugging is easy. There is no debugger in it, so you can use Fiddler's redirect to replace the original file and debug directly on the website. This is the first step; after it, the difficulties pile up.
Since restoring the code to a form without control-flow obfuscation takes a lot of time and effort, I simply fill in the DOM for convenience, so there is no need to be too afraid of the next update. Of course, it would be better to restore it if you have the time and ability.
Before filling in the DOM, you first need to add a breakpoint in each catch, because some functions or properties do not produce a direct error report, and if you just keep stepping you may never find them. Or delete the try/catch directly.
Then run the code locally with a dynamic proxy and print out the DOM attributes it needs. Those who do not understand the dynamic proxy can take a look at this article by Sponge God: the alternative idea of js reverse buckle code.
After filling in those attributes, it can be used for login, but whether the account becomes flagged by risk control after logging in is unknown; test it yourself. The slider still needs many more things, and some of them the dynamic proxy cannot reveal, so you need to follow the code more, or rely on your own skills.
Next, the things that are detected. For the attributes of window, most of what you see are those of selenium; pyppeteer seems to be detected less. The list is as follows:
// window attribute names the script looks for
var keys = ['WeixinJSBridge', 'WindVane', '__wxjs_environment', 'AlipayJSBridge', 'shenjian',
    'ScriptEngineMinorVersion', 'ScriptEngineMajorVersion', 'ScriptEngineBuildVersion', 'ActiveXObject',
    '_$cdc7c2f8ab481c8964b__', 'UCCoreJava', 'ucapi', 'ApplePayError', 'ApplePaySession',
    '__acjs_awsc_123', '__acjs', '_uab_module', 'mozPaintCount', 'mozInnerScreenX', 'Debug',
    'WebKitPlaybackTargetAvailabilityEvent', 'attachEvent'];
It also checks the toString of the entire large function, and the path taken is completely different.
There are a lot of hasOwnProperty and getOwnPropertyDescriptors checks; if these are unclear, look them up on Google yourself. The second is hard to change, the first is relatively easy. The main task is to find which attributes are tested by these two; you can try hooking them.
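The three kinds of check described above (marker globals on window, toString of functions, hasOwnProperty and getOwnPropertyDescriptors tests), written from the detection side as an added example; this is not code from the protected script. The function names are hypothetical, the key list is a subset of the one above, and Map.prototype.size stands in for a browser's native prototype getter so the sample runs in Node.

```javascript
// Added illustration of the check types the article names; not the script's real code.
// Marker globals: a subset of the article's list.
const MARKER_KEYS = ['WeixinJSBridge', 'AlipayJSBridge', 'ActiveXObject',
  '_$cdc7c2f8ab481c8964b__', 'mozPaintCount', 'attachEvent'];

// Report which marker globals are reachable on a window-like object.
function findMarkers(win, keys = MARKER_KEYS) {
  return keys.filter((k) => k in win);
}

// Built-ins stringify to "function name() { [native code] }";
// a function defined by script exposes its own source text instead.
function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Flag properties that a genuine environment serves from a native prototype
// getter but that were redefined on the instance or given a scripted getter.
function descriptorAnomalies(obj, props) {
  const found = [];
  const proto = Object.getPrototypeOf(obj);
  const protoDescs = proto ? Object.getOwnPropertyDescriptors(proto) : {};
  for (const p of props) {
    if (Object.prototype.hasOwnProperty.call(obj, p)) {
      found.push(`${p}: own property on instance`);
    } else if (protoDescs[p] && protoDescs[p].get && !looksNative(protoDescs[p].get)) {
      found.push(`${p}: non-native getter`);
    }
  }
  return found;
}

// Constructed samples (not captured from any real browser).
const genuine = new Map();                              // native prototype getter
const redefined = new Map();
Object.defineProperty(redefined, 'size', { value: 0 }); // property set on the instance
const scripted = Object.create({ get size() { return 0; } }); // scripted getter

console.log(findMarkers({ attachEvent() {}, document: {} }));
console.log(descriptorAnomalies(genuine, ['size']));
console.log(descriptorAnomalies(redefined, ['size']));
console.log(descriptorAnomalies(scripted, ['size']));
```
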
The rest is the track. There is one point to pay attention to: a track point is recorded only when the time difference from the previous one is greater than 2 milliseconds, so you need to pause, otherwise it will be useless.
The trajectory I am using now is fixed and it passes. If it is not used frequently, the trajectory is always valid, because it always slides to the end.
At this point, ua is finished. If you are happy at this point, then congratulations: there is still a file of tens of thousands of lines to read, which is similar to the one above.
This is the um file; what it generates is 106data. This file does not detect many things, basically device fingerprints, that is, canvas-related items, supported plug-ins and so on; it does not detect DOM attributes.
This file has a lot of timer functions whose purpose is to update some storage and the like, and there is also umiToken, which the slider needs.
At this point, with ua and um done, it can pass. It took a whole six days, and the computer could barely stand it.