Commit e1882a66 authored by wang's avatar wang

33

parent a3affa8e
This source diff could not be displayed because it is too large. You can view the blob instead.
......@@ -1136,7 +1136,8 @@ try {
} catch (r) {
u.push(u.shift())
}
}(), function (r, n) {
}(),
function (r, n) {
var u = Vn();
function v(r, n) {
......
This source diff could not be displayed because it is too large. You can view the blob instead.
......@@ -449,7 +449,8 @@ function strArrToNodeList(strs) {
}
let funcs = {};
let funcTemp = {}
let nameMap = {};
traverse(ast, {
FunctionDeclaration(path) {
let {id, body} = path.node;
......@@ -477,16 +478,55 @@ traverse(ast, {
console.log('开始一个新的反混淆', id.name)
// console.log(code1)
// console.log(binding.references)
// if (id.name === 'ar') {
// debugger;
// }
if (id.name === 'Vn') {
// debugger;
return;
}
let d = 0;
let reference;
for (const referencePath of binding.referencePaths) {
// console.log(generator(referencePath.parentPath.parentPath.parentPath.parentPath.parent).code)
// console.log(referencePath.parentPath.parentPath.parentPath.parentPath.parentPath.parentPath.parentPath.type)
if (types.isCallExpression(referencePath.parentPath.parentPath.parentPath.parentPath.parentPath.parentPath.parent) || types.isUnaryExpression(referencePath.parentPath.parentPath.parentPath.parentPath.parentPath.parentPath.parent)) {
code2 = `!${generator(referencePath.parentPath.parentPath.parentPath.parentPath.parentPath.parentPath.parent).code}`
if (types.isCallExpression(referencePath.parentPath.parentPath.parentPath.parentPath.parentPath.parentPath.parent)
|| types.isUnaryExpression(referencePath.parentPath.parentPath.parentPath.parentPath.parentPath.parentPath.parent)
) {
let code = `!${generator(referencePath.parentPath.parentPath.parentPath.parentPath.parentPath.parentPath.parent).code}`
if (code.indexOf('parseInt') > -1 && code.length < 1000) {
code2 = code;
console.log(code2.length)
console.log()
referencePath.parentPath.parentPath.parentPath.parentPath.parentPath.parentPath.parentPath.replaceWith(
types.CallExpression(
types.FunctionExpression(
null,[],
types.BlockStatement([])
),
[]
)
)
}
}
if (types.isCallExpression(referencePath.parentPath.parentPath.parentPath.parentPath.parentPath.parent)) {
let code = `!${generator(referencePath.parentPath.parentPath.parentPath.parentPath.parentPath.parent).code}`
if (code.indexOf('parseInt') > -1 && code.length < 1000) {
code2 = code;
console.log(code2.length)
console.log()
referencePath.parentPath.parentPath.parentPath.parentPath.parentPath.parentPath.replaceWith(
types.CallExpression(
types.FunctionExpression(
null,[],
types.BlockStatement([])
),
[]
)
)
}
}
if (types.isBlockStatement(referencePath.parentPath.parentPath.parentPath.parentPath)
&& referencePath.parentPath.parentPath.parentPath.parentPath.parent.body.body.length == 2
......@@ -505,15 +545,17 @@ traverse(ast, {
let res = eval((code1 + ';' + code2 + ';' + code3).replaceAll(`function ${id.name}`, `let ${id.name} = function`) + `;${id.name}()`)
let result = strArrToNodeList(res)
reference.parentPath.replaceWith(result);
console.log('result', generator(result).code)
// console.log('result', generator(result).code)
let tName = reference.parentPath.parentPath.parentPath.parentPath.parent.id.name;
let binding2 = reference.scope.getBinding(tName)
let code = generator(reference.parentPath.parentPath.parentPath.parentPath.parent).code;
let nn = getUnusedName();
eval(`function ${nn}(a, b) {
console.log('newFunc', nn, `funcTemp.${nn} = function (a, b) {
return ${code}(a, b)
}`)
eval(`funcTemp.${nn} = function (a, b) {
return ${code}(a, b)
}`)
console.log()
for (const referPath2 of binding2.referencePaths) {
if (!types.isCallExpression(referPath2.parent)) continue;
let refer = referPath2.parent;
......@@ -533,57 +575,80 @@ traverse(ast, {
// 再次引用
if (types.isFunctionDeclaration(referPath2.parentPath.parentPath.parentPath.parent)) {
let dName = referPath2.parentPath.parentPath.parentPath.parent.id.name;
// 差 要减去的值
let arguments2 = referPath2.parent.arguments;
if (arguments2.length == 2 && types.isNumericLiteral(arguments2[0].right)) {
d = arguments2[0].right.value
console.log(callee.name, nn, arguments2[0].right.value)
}
if (arguments2.length == 2 && types.isUnaryExpression(arguments2[0].right)
&& arguments2[0].right.operator === '-') {
d = -arguments2[0].right.argument.value
console.log(callee.name, nn, arguments2[0].right.value)
}
let code22 = generator(referPath2.parent).code
code22 = code22.replace(`${callee.name}(`, `funcTemp.${nn}(`)
console.log(`funcTemp.${dName} = function (r, n) {
return ${code22}
}`)
eval(`funcTemp.${dName} = function (r, n) {
return ${code22}
}`)
let binding3 = referPath2.scope.getBinding(dName)
funcs[dName] = nn;
funcs[dName] = {
name: nn,
v: d
};
console.log(dName, nn)
if (!binding3) continue;
console.log(dName)
for (const referPath3 of binding3.referencePaths) {
let {callee, arguments} = referPath3.parent;
if (!arguments) continue;
if (arguments.length !== 2) continue;
let ifExec = true;
for (let j = 0; j < arguments.length; j++) {
if (!types.isNumericLiteral(arguments[0])) {
ifExec = false;
}
}
if (!ifExec) {
let dName2 = referPath3.parentPath.parentPath.parentPath.parent.id.name;
let binding4 = referPath2.scope.getBinding(dName2)
console.log(dName2)
for (const referPath4 of binding4.referencePaths) {
let {callee, arguments} = referPath4.parent;
if (!arguments) continue;
if (arguments.length !== 2) continue;
let ifExec = true;
for (let j = 0; j < arguments.length; j++) {
if (!types.isNumericLiteral(arguments[0])) {
ifExec = false;
}
}
if (ifExec) {
} else {
try {
let res = eval(`${nn}(${arguments[0].value}, ${arguments[1].value})`)
console.log(tName, arguments[0].value, arguments[1].value, '=>', res)
} catch (e) {
}
}
}
} else {
try {
let res = eval(`${nn}(${arguments[0].value}, ${arguments[1].value})`)
console.log(tName, arguments[0].value, arguments[1].value, '=>', res)
} catch (e) {
}
}
}
// for (const referPath3 of binding3.referencePaths) {
// let {callee, arguments} = referPath3.parent;
// if (!arguments) continue;
// if (arguments.length !== 2) continue;
// let ifExec = true;
// for (let j = 0; j < arguments.length; j++) {
// if (!types.isNumericLiteral(arguments[0])) {
// ifExec = false;
// }
// }
// if (!ifExec) {
// let dName2 = referPath3.parentPath.parentPath.parentPath.parent.id.name;
// let binding4 = referPath2.scope.getBinding(dName2)
// console.log(dName2)
// for (const referPath4 of binding4.referencePaths) {
// let {callee, arguments} = referPath4.parent;
// if (!arguments) continue;
// if (arguments.length !== 2) continue;
// let ifExec = true;
// for (let j = 0; j < arguments.length; j++) {
// if (!types.isNumericLiteral(arguments[0])) {
// ifExec = false;
// }
// }
// if (ifExec) {
//
// } else {
// try {
// let res = eval(`${nn}(${arguments[0].value}, ${arguments[1].value})`)
// console.log(tName, arguments[0].value, arguments[1].value, '=>', res)
// } catch (e) {
//
// }
// }
//
// }
//
// } else {
// try {
// let res = eval(`${nn}(${arguments[0].value}, ${arguments[1].value})`)
// console.log(tName, arguments[0].value, arguments[1].value, '=>', res)
// } catch (e) {
//
// }
// }
//
// }
}
}
......@@ -649,8 +714,8 @@ for (let i = 0; i < keys.length; i++) {
keys2.push(funcs[keys[i]].name)
}
var map2 = {};
// 开始还原
let funcTemp = {}
// for (let j = 0; j < 3; j++) {
// traverse(ast, {
// VariableDeclaration(path) {
......@@ -714,26 +779,37 @@ let funcTemp = {}
// }
// })
// }
traverse(ast, {
CallExpression(path) {
let {callee, arguments} = path.node;
let callee = path.node.callee;
let args = path.node.arguments;
if (funcs[callee.name]) {
if (arguments.length === 2 && types.isNumericLiteral(arguments[0]) && types.isNumericLiteral(arguments[1])) {
if (args.length !== 2)return;
if (args[1] === undefined)return;
if (types.isNumericLiteral(args[0]) && types.isNumericLiteral(args[1])) {
// let res = funcs[callee.name](arguments[0].value, arguments[1].value)
let res = eval(`${funcs[callee.name]}(${arguments[0].value}, ${arguments[1].value})`)
console.log(callee.name, arguments[0].value, res)
if (!res) return
try {
console.log(callee.name, args[0].value,args[1].value)
let res = funcTemp[callee.name](args[0].value, args[1].value)
console.log(callee.name, args[0].value,args[1].value, res)
if (!res) return
path.replaceWith(types.StringLiteral(res))
} catch (e) {
}
// if (id.name === 'zo') {
// console.log(arguments[0].value, res)
// }
path.replaceWith(types.StringLiteral(res))
}
}
}
})
console.log(keys2 + '')
// console.log(keys2 + '')
console.log(funcs)
function t() {
return Date.now();
......
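Review bot: The `eval` calls in this file run text generated from the script under analysis inside the tool's own process, so that third-party code executes with the tool's full Node privileges; this applies to `eval((code1 + ';' + code2 + ';' + code3)...)` and to the new `eval(`funcTemp.${nn} = function (a, b) {...}`)` and `eval(`funcTemp.${dName} = ...`)` calls. Because the input is code you do not control, the decoder functions are better evaluated in a separate, locked-down process or container with no filesystem or network access, passing only the decoded strings back. The new `try { ... } catch (e) { }` around `funcTemp[callee.name](...)` in the `CallExpression` visitor also discards every failure; logging it, for example `console.warn('decode failed', callee.name, e.message)`, would show which call sites were left unreplaced. The `traverse` callbacks begin and end outside the visible hunks, so this is based only on the lines shown.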
This source diff could not be displayed because it is too large. You can view the blob instead.
......@@ -9,19 +9,19 @@
</head>
<body>
<script>
window._pxVid = '9a5cbb54-44c8-11ee-a95b-8d293efb2b16';
window._pxUuid = 'c3e2ba21-6c58-1031-9f5f-6b3e11e921ab';
window._pxVid = '3a2a17ab-4589-11ee-9a79-a66c82883c88';
window._pxUuid = '85d1e219-6c58-1031-85c2-eb4a560bf6cf';
window._pxAppId = 'PXVb73hTEg';
window._pxHostUrl = 'https://collector-PXVb73hTEg.perimeterx.net';
window._pxCustomLogo = '';
window._pxJsClientSrc = '//client.perimeterx.net/PXVb73hTEg/main.min.js';
window._pxFirstPartyEnabled = 'false';
var script = document.createElement('script');
script.src = '//captcha.perimeterx.net/PXVb73hTEg/captcha.js?a=&u=c3e2ba21-6c58-1031-9f5f-6b3e11e921ab&v=9a5cbb54-44c8-11ee-a95b-8d293efb2b16&m=0';
script.src = '//captcha.perimeterx.net/PXVb73hTEg/captcha.js?a=&u=85d1e219-6c58-1031-85c2-eb4a560bf6cf&v=3a2a17ab-4589-11ee-9a79-a66c82883c88&m=0';
document.head.appendChild(script);
script.onerror = function () {
script = document.createElement('script');
script.src = 'https://captcha.px-cloud.net/PXVb73hTEg/captcha.js?a=&u=c3e2ba21-6c58-1031-9f5f-6b3e11e921ab&v=9a5cbb54-44c8-11ee-a95b-8d293efb2b16&m=0';
script.src = 'https://captcha.px-cloud.net/PXVb73hTEg/captcha.js?a=&u=85d1e219-6c58-1031-85c2-eb4a560bf6cf&v=3a2a17ab-4589-11ee-9a79-a66c82883c88&m=0';
script.onerror = window._pxDisplayErrorMessage;
document.head.appendChild(script);
};
......
......@@ -56,7 +56,7 @@ class PxBypass():
"accept-language": "en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7,ru;q=0.6",
"cache-control": "no-cache",
"pragma": "no-cache",
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
}
res = self.session.get(self.target_url, headers=headers, allow_redirects=True)
self.log.info(f"初始化请求 res {res.status_code}")
......@@ -169,7 +169,7 @@ class PxBypass():
"sec-fetch-dest": "empty",
"sec-fetch-mode": "cors",
"sec-fetch-site": "cross-site",
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
}
response = self.session.post(url, headers=headers, data=body)
self.log.info(f'collector1 {response.text}')
......@@ -243,7 +243,7 @@ class PxBypass():
"sec-fetch-site": "none",
"sec-fetch-user": "?1",
"upgrade-insecure-requests": "1",
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
}, allow_redirects=True)
print(response.status_code)
with open('index.html', 'w') as f:
......@@ -292,7 +292,7 @@ class PxBypass():
"sec-fetch-dest": "empty",
"sec-fetch-mode": "cors",
"sec-fetch-site": "cross-site",
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
}
response = self.session.post(url, headers=headers, data=body)
self.log.info(f'collector2 {response.text}')
......
......@@ -93,7 +93,7 @@ function getNoPX(data) {
return res;
}
let ua = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36';
let ua = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36';
function genPayload2(m, uuid) {
......@@ -109,7 +109,8 @@ function genPayload2(m, uuid) {
"PX11555": 4294705152,// jsHeapSizeLimit
"PX11833": 122502277,// totalJSHeapSize
// "PX11840": "Fri Aug 25 2023 14:20:11 GMT+0800 (中国标准时间)",
"PX11840": new Date() + '', // "PX12573": "e29b74b1", // parseInt(0llll00l/10)
"PX11840": new Date() + '',
// "PX12573": "e29b74b1", // parseInt(0llll00l/10)
"PX12573": getPX12573(m['0llll00l'], m['l000l0'], uuid), // parseInt(0llll00l/10)
// "PX11804": "36f924a304c56d1ae9971c767ca7f510", //uuid 转换
"PX11804": createPx2(ua, uuid), //uuid 转换
......@@ -181,24 +182,24 @@ function genPayload2(m, uuid) {
"PX11583": "en-US",
"PX12458": "MacIntel",
"PX11681": ["en-US", "en", "zh-CN", "ru"],
"PX11754": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"PX11754": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"PX12037": true,
"PX11390": -480,
"PX11621": 8,
"PX11657": 4,
"PX12081": "Gecko",
"PX11908": "20030107",
"PX12314": "5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"PX12314": "5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"PX11829": true,
"PX11464": true,
"PX12054": 2,
"PX11821": "Netscape",
"PX11479": "Mozilla",
"PX11674": true,
"PX12241": 500, //m["connection"]["rtt"]
"PX12241": 100, //m["connection"]["rtt"]
"PX11372": false,
"PX11683": 1.5,
"PX11561": "3g",
"PX11683": 3.4,
"PX11561": "4g",
"PX11877": true,
"PX12100": true,
"PX12506": "x86",
......@@ -207,7 +208,7 @@ function genPayload2(m, uuid) {
"PX12510": "",
"PX12511": "macOS",
"PX12512": "13.2.0",// platformVersion
"PX12513": "114.0.5735.198", //Mu["uaFullVersion"]
"PX12513": "115.0.0.0", //Mu["uaFullVersion"]
"PX12548": true,
"PX12555": {
"plugext": {
......@@ -238,9 +239,9 @@ function genPayload2(m, uuid) {
"PX12508": [{
"brand": "Not.A/Brand", "version": "8"
}, {
"brand": "Chromium", "version": "114"
"brand": "Chromium", "version": "115"
}, {
"brand": "Google Chrome", "version": "114"
"brand": "Google Chrome", "version": "115"
}],
"PX12549": true,
"PX11539": "64556c77", //Me(console.log)
......@@ -255,7 +256,7 @@ function genPayload2(m, uuid) {
"PX12520": true,
"PX12524": "4YC14YCd4YCd4YCV4YCe4YCX4YGS5J256aus7r266YaI5oCR7r27", // Pu = speechSynthesis.getVoices() is(Pu[161].voiceURI)
"PX12527": "3207084bd110f1ac964863e23aa78e04", // '1970/1/1'
"PX12260": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"PX12260": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"PX12249": false,
"PX11897": "90e65465", // 固定
"PX12597": 1,
......
......@@ -455,4 +455,50 @@ function oaa2(n) {
// console.log(atob(u))
return btoa(u).replaceAll('=','')
}
console.log('oaa2',oaa2("PX11496"))
\ No newline at end of file
console.log('oaa2',oaa2("PX12099"))
function $C_pMN(t) {
return l(Z) === "function" ? Z(t) : function (t) {
var e;
var n;
var r;
var i;
var a = [];
var o = 0;
var c = t.length;
try {
if (/[^+/=0-9A-Za-z]/.test(t) || /=/.test(t) && (/=[^=]/.test(t) || /={3}/.test(t))) return null;
for (c % 4 > 0 && (c = (t += v.Array(4 - c % 4 + 1).join("=")).length); o < c;) {
for (n = [], i = o; o < i + 4;) n.push("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".indexOf(t.charAt(o++)));
for (r = [((e = (n[0] << 18) + (n[1] << 12) + ((63 & n[2]) << 6) + (63 & n[3])) & 255 << 16) >> 16, 64 === n[2] ? -1 : (65280 & e) >> 8, 64 === n[3] ? -1 : 255 & e], i = 0; i < 3; ++i) (r[i] >= 0 || 0 === i) && a.push(String.fromCharCode(r[i]));
}
return a.join("");
} catch (t) {
return null;
}
}(t);
}
var Z = function () {
try {
return atob;
} catch (t) {}
}();
function l(t) {
return l = "function" == typeof Symbol && "symbol" == typeof Symbol.iterator ? function (t) {
return typeof t;
} : function (t) {
return t && "function" == typeof Symbol && t.constructor === Symbol && t !== Symbol.prototype ? "symbol" : typeof t;
}, l(t);
}
console.log($C_pMN("Y2hyb21l"))
function $C_dMU(t) {
t = "" + t;
for (var e, n = 0, r = 0; r < t.length; r++) {
n = (n << 5) - n + t.charCodeAt(r), n |= 0;
}
return e = n, (e |= 0) < 0 && (e += 4294967296), e.toString(16);
}
console.log($C_dMU('[object Object]'))
\ No newline at end of file
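Review bot: The hand-written fallback inside `$C_pMN` pads its input with `v.Array(4 - c % 4 + 1).join("=")`, but no `v` is defined in the visible lines, so for input whose length is not a multiple of 4 that branch would throw and the surrounding `catch` would silently return `null`. The fallback only runs when `atob` is unavailable, so it is probably dead code in this file; either call `atob` directly or make the padding self-contained with `c % 4 > 0 && (c = (t += "=".repeat(4 - c % 4)).length)`. The added helpers also carry no comments; a line such as `// 31-multiplier string hash, returned as unsigned 32-bit hex` above `$C_dMU` and `// base64 decode: native atob when present, otherwise the manual decoder` above `$C_pMN` would make them readable without tracing the bit operations.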