Destination address
ZHkuZmVpZ3VhLmNu
Requirements
An old friend contacted me, hoping to make a small tool that is easy to read for internal use within the company, and promised not to spread it to outsiders. However, there was a problem in the last step of obtaining the interface data. The response data was heavily encrypted and could not be identified.
Code analysis
The site code does a lot of Promise asynchronous processing and webpack packaging format. It was difficult to trace, and it took a lot of effort to track down the key functions in the end. (For the characteristics and principles of Promise, you can read the article I wrote before. If there is anything wrong in the writing, please point it out)
// They are all functions similar to this format, with a lot of asynchronous methods mixed in, making it impossible to follow up.
function T(e, o, t, a) {<!-- -->
var n = C(e);
if (!n)
return "function" == typeof o & amp; & amp; o(p),
void 0;
var r = t & & t.cdn
, i = t & & t.sync
, m = t & amp; & amp; t.timeout || 5e3;
if (0 !== n.depends.length)
for (var s = 0; s < n.depends.length; s + + ) {<!-- -->
var l = n.depends[s];
t & amp; & amp; (delete t.sync,
delete t.timeout,
delete t.cdn),
M(l, void 0, t)
}
var c = a || {<!-- -->};
c.module = n,
c.name = e,
c.state = b,
c.callbacks = c.callbacks || [],
c.options = t,
o & amp; & amp; c.callbacks.push(o),
c.timeoutTimer = setTimeout(function() {<!-- -->
c.state = g,
W(c, t & amp; & amp; t.throwExceptionInCallback)
}, m),
a || u.push(c);
var f = n.sync;
i & amp; & amp; (f = i);
var h = d(n.name, r);
S(h, "AWSC_" + n.name, f)
}
Results
Finally, I found the code, which is a variant of AES encryption + customized string transcoding encryption. The relevant logic was manually restored step by step. The encryption logic similar to jsjiami official website is also used in the middle.
ggnsh = '', _0x4aec=['w71Uw6fCsGg=','6L2C5puu5Lqs5Li/5LqF57O/5Yi/w4ou5pKI5L6h44Km','56m96Ze05o646aqX57mjNeKDnm7DmOKjuWvkeKDk1blk qLCuOKBs8Oyw6TopK7lrpTigobDru + 8nOS + hOWMl + S + peeaksOww7Av44Oh','w61VwrbDuA= =','wqPDr8OcBGHClw==','QjLDk8K7dQ==','wo3CqXZrYWRc','diLDmQ==','B8OgHA==','wrfDpcORD2HCkcO/w4HCuQ==\ ','b8O4XsOCwpXDocOPw4sVI2LDg8KLYw==','5aSG5p6n5oG455iTfsKV6Yej5bSk5aah5Lm8wrQcwq3vvoJlNcOD5qCN56 + 177 + 3566q56 + 35YWW5LiE6Z6swoAxwoPDonbChETDm 8OVw5LnmJDkurbnopLvvLXorIjmjoPljJTlhL/mnqzlhrzli5XlrbXjg7fovLvku57ltbnlhYfkuZXogpDliJLlrLQCUnLjgIZFc8Kq566b5qid54i15YaS5a + r','5YmT6Zus54mi5p + w 5YyJ77 + yZU/kvZ/lroDmno3lv6Pnq44=','w67Dt145VA==',\ 'azMQw55U','w6rCrcOPYsKl','w5DCgMOWf8KM','w7F/w73CrGI=','w5LChcK4wonDtsKh','FcOzGm7CvxDChg==','w4g8w6pGOA=='];( function(_0xf49075,_0x43a770){<!-- -->var _0x452f8c=function(_0x38b3d2){<!-- -->while(--_0x38b3d2){<!-- -->_0xf49075['push' ](_0xf49075['shift']());}};_0x452f8c( + + _0x43a770);}(_0x4aec,0xa9));var _0x3f46=function(_0x14f8df,_0x5b5bda){<!-- -->_0x14f8df =_0x14f8df-0x0;var _0x45b4b0=_0x4aec[_0x14f8df];if(_0x3f46['initialized']===undefined){<!-- -->(function(){<!-- -->var _0x1e077d =typeof window!=='undefined'?window:typeof process==='object' & amp; & amp;typeof require==='function' & amp; & amp;typeof global== ='object'?global:this;var _0x2edf07='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 + /=';_0x1e077d['atob']||(_0x1e077d['atob']=function(_0x3a4810) {<! -- -->var _0x5bf5a1=String(_0x3a4810)['replace'](/= + $/,'');for(var _0x305cfd=0x0,_0x22fa5b,_0x2dea49,_0x381f3f=0x0,_0x1afedf=\ '';_0x2dea49=_0x5bf5a1['charAt'](_0x381f3f + + );~_0x2dea49 & amp; & amp;(_0x22fa5b=_0x305cfd%0x4?_0x22fa5b*0x40 + _0x2dea49:_0x2dea49,_0x305cf d + + %0x4)? _0x1afedf + =String['fromCharCode'](0xff & amp;_0x22fa5b>>(-0x2*_0x305cfd & amp;0x6)):0x0){<!-- -->_0x2dea49=_0x2edf07['indexOf' ](_0x2dea49);}return _0x1afedf;});}());var _0x8b5ca2=function(_0x1f3132,_0x92107a){<!-- -->var _0x216991=[],_0x1faf0e=0x0,_0x1af4ca,_0x3fb046=' ',_0x27048e='';_0x1f3132=atob(_0x1f3132);for(var _0x51ad13=0x0,_0x21236d=_0x1f3132['length'];_0x51ad13<_0x21236d;_0x51ad13 + + ){<!-- -- >_0x27048e + ='%' + ('00' + _0x1f3132['charCodeAt'](_0x51ad13)['toString'](0x10))['slice'](-0x2) ;}_0x1f3132=decodeURIComponent(_0x27048e);for(var _0x53b9f8=0x0;_0x53b9f8<0x100;_0x53b9f8 + + ){<!-- -->_0x216991[_0x53b9f8]=_0x53b9f8;}for(_0x53b9f 8=0x0;_0x53b9f8<0x100; _0x53b9f8 + + ){<!-- -->_0x1faf0e=(_0x1faf0e + _0x216991[_0x53b9f8] + _0x92107a['charCodeAt'](_0x53b9f8%_0x92107a['length']))%0x100;_0x1af4ca =_0x216991[ _0x53b9f8];_0x216991[_0x53b9f8]=_0x216991[_0x1faf0e];_0x216991[_0x1faf0e]=_0x1af4ca;}_0x53b9f8=0x0;_0x1faf0e=0x0;for(var _0xfdc631=0 x0;_0xfdc631<_0x1f3132['length'];_0xfdc631 + + ){<!-- -->_0x53b9f8=(_0x53b9f8 + 0x1)%0x100;_0x1faf0e=(_0x1faf0e + _0x216991[_0x53b9f8])%0x100;_0x1af4ca=_0x216991[_0x53b9f8];_0x216 991[_0x53b9f8]=_0x216991[_0x1faf0e];_0x216991 [_0x1faf0e]=_0x1af4ca;_0x3fb046 + =String['fromCharCode'](_0x1f3132['charCodeAt'](_0xfdc631)^_0x216991[(_0x216991[_0x53b9f8] + _0x216991[_0x1faf0 e])%0x100]);}return _0x3fb046;};_0x3f46['rc4']=_0x8b5ca2;_0x3f46['data']={<!-- -->};_0x3f46['initialized']=!![];}var _0x5b32d9=_0x3f46['data'][_0x14f8df];if(_0x5b32d9===undefined){<!-- -->if(_0x3f46['once']===undefined){<!-- -->_0x3f46['once']=!![];}_0x45b4b0=_0x3f46['rc4'](_0x45b4b0,_0x5b5bda);_0x3f46['data'][_0x14f8df]=_0x45b4b0;}else {<!-- -->_0x45b4b0=_0x5b32d9;}return _0x45b4b0;};var a={<!-- -->},b={<!-- -->};(function(_0x506b2e,_0x58d7e0) {<!-- -->var _0x19e8e1={<!-- -->'rRNLz':_0x3f46('0x0','1s0Z'),'BgIBC':_0x3f46(' 0x1','8!@M')};_0x506b2e[_0x3f46('0x2','w1o8')]=_0x19e8e1['rRNLz'];_0x58d7e0[_0x3f46('0x3\ ','*!GJ')]=_0x19e8e1[_0x3f46('0x4','USRf')];_0x58d7e0[_0x3f46('0x5','U$Z9')]= 'If your JS has PHP, JSP tags, or other non-JavaScript code embedded in it, please extract it and then encrypt it. This tool cannot encrypt template content such as php and jsp';}(a,b));;(function(_0x4bdcfe,_0x4fbc37,_0x225d65){<!-- -->var _0xa570a3={<!-- --> 'cKiRe':function _0x4524a2(_0x28244c,_0x3e739a){<!-- -->return _0x28244c===_0x3e739a;},'OatFh':_0x3f46('0x6','dutS') ,'JiHQK':_0x3f46('0x7','1BqD'),'pDQLb':function _0x21f4e0(_0x1041c5,_0x24bbc1){<!-- -->return _0x1041c5!==_0x24bbc1; },'HmQGk':_0x3f46('0x8','*!GJ'),'pdbgu':_0x3f46('0x9','09i)'),'bdJmK ':'Version number, js will pop up regularly, please support our work','mwSYx':'Webmaster connects to advanced\x20 "JS encryption"\x20 and\x20" JS decryption"\x20, protect your\x20js. ','noQRJ':_0x3f46('0xa','w1o8'),'nOPqA':_0x3f46('0xb','^WDP')};_0x225d65=\ 'al';try{<!-- -->if(_0xa570a3['cKiRe'](_0xa570a3[_0x3f46('0xc','4GGL')],_0xa570a3[_0x3f46('0xd ','y]bZ')])){<!-- -->_0x225d65 + =_0xa570a3[_0x3f46('0xe','%Li]')];_0x4fbc37=encode_version;if (!(_0xa570a3[_0x3f46('0xf','%Li]')](typeof _0x4fbc37,_0xa570a3['HmQGk']) & amp; & amp;_0xa570a3['cKiRe']( _0x4fbc37,_0xa570a3['pdbgu']))){<!-- -->_0x4bdcfe[_0x225d65]('Delete' + _0xa570a3[_0x3f46('0x10','r5C!')] );}}else{<!-- -->_0x4bdcfe['info']='This is a series of js operations. ';d[_0x3f46('0x11','1H)L')]=_0xa570a3['mwSYx'];d[_0x3f46('0x12','1BqD')]= _0xa570a3[_0x3f46('0x13','w@A#')];}}catch(_0x433f0a){<!-- -->_0x4bdcfe[_0x225d65](_0xa570a3[_0x3f46('0x14',\ 'r5C!')]);}}(window));
The code after algorithm restoration will not be posted, respecting the privacy of the website author. If necessary, you can contact jsjiami official customer service.