识别javascript crackme加密方法算法
identify javascript crackme encryption method algorithm
有什么方法可以识别加密方法吗?
在这个 crackme 示例中,他们使用 rc4
我花了几个小时在某些网站上迭代加密方法并提取 'input128' 值
更新澄清:
屏幕上有一个文本输入元素,你输入一个值(设置为_inputValue),然后你点击一个按钮,函数在最后一行执行,如果selectedOption 是 2 它将打印 "good"
否则optionsArr中有5个错误的选项。
拆包清理后的主要功能是:
var mainFunction = function(e) {
var arr256 = new Array();
for (var index = 0; index < 256; index++) arr256[(index).toString()] = index;
var varX = 0;
var _inputValue = document.getElementsByTagName('input')[0]['value'];
for (var index = 0; index < 256; index++) {
var secret = 'click';
varX = (varX + arr256[(index).toString()] + secret.charCodeAt(index % 5)) % 256;
arr256[(index).toString()] ^= arr256[(varX).toString()];
arr256[(varX).toString()] ^= arr256[(index).toString()];
arr256[(index).toString()] ^= arr256[(varX).toString()];
}
index = varX = 0;
var cmpStr = '';
for (var index2 = index; index2 < _inputValue.length; index2 += 2) {
index = (index + 1) % 256;
varX = (varX + arr256[(index).toString()]) % 256;
arr256[(index).toString()] ^= arr256[(varX).toString()];
arr256[(varX).toString()] ^= arr256[(index).toString()];
arr256[(index).toString()] ^= arr256[(varX).toString()];
var parsedInt = parseInt(_inputValue.substr(index2, 2), 16);
var idxAtArr = arr256[(index).toString()];
var xAtArr = arr256[(varX).toString()];
var secondVal = arr256[((idxAtArr + xAtArr) % 256).toString()];
var xorVal = parsedInt ^ secondVal;
cmpStr += String.fromCharCode(xorVal);
}
var selectedOption = cmpStr.charCodeAt(cmpStr.charCodeAt(0) % cmpStr.length) % 6;
if (cmpStr != 'input128' && selectedOption == 2) selectedOption++;
optionsArr[(selectedOption).toString()]();
};
在我看来 RC4。除了此实现出于某种原因将密钥限制为仅 5 个字符。
第一个干净的解决方案
Password: <input/><br/>
<button>Check</button>
<script id="urchin">
(function () {
var optionsArr = [
function () {
console.warn("boo")
},
function () {
console.warn(":(")
},
function () {
console.log("Congratz!")
},
function () {
console.warn("allmost there")
},
function () {
console.warn("muhaha")
},
function () {
console.warn("nahhh")
},
function () {
console.warn("not even close")
}
];
var mainFunction = function () {
var arr = [];
for (var i = 0; i < 256; i++) {
arr[i] = i;
}
var inputVal = document.getElementsByTagName('input')[0].value;
var varX = 0;
var secret = 'click';
for (var i2 = 0; i2 < 256; i2++) {
varX = (varX + arr[i2] + secret.charCodeAt(i2 % 5)) % 256;
arr[i2] ^= arr[varX];
arr[varX] ^= arr[i2];
arr[i2] ^= arr[varX];
}
var idx = varX = 0;
var cmpStr = '';
var key = 'input128';
for (var i3 = idx; i3 < key.length; i3 += 1) {
idx = (idx + 1) % 256;
varX = (varX + arr[idx]) % 256;
arr[idx] ^= arr[varX];
arr[varX] ^= arr[idx];
arr[idx] ^= arr[varX];
var hex2int = key.charCodeAt(i3);
var charCode = hex2int ^ arr[(arr[idx] + arr[varX]) % 256];
var hexCharCode = charCode.toString(16);
if (hexCharCode.length == 1) hexCharCode = '0' + hexCharCode;
cmpStr += hexCharCode;
}
alert('code is ' + cmpStr);
var selectedOption = cmpStr.charCodeAt(cmpStr.charCodeAt(0) % cmpStr.length) % 6;
if (cmpStr != key && selectedOption == 2) selectedOption++;
optionsArr[selectedOption]();
};
var btn = document.getElementsByTagName('button')[0];
if (typeof(btn.addEventListener) != typeof(mainFunction)) {
btn.attachEvent('onclick', mainFunction);
} else {
btn.addEventListener('click', mainFunction, true);
}
btn = document.getElementById('urchin');
btn.parentNode.removeChild(btn);
})();
</script>
或暴力破解,因为它不仅使用 rc4,它还会转换为痛苦的十六进制
Password: <input/><br/>
<button>Check</button>
<script id="urchin">
(function () {
var optionsArr = [
function () {
console.warn("boo")
},
function () {
console.warn(":(")
},
function () {
console.log("Congratz!")
},
function () {
console.warn("allmost there")
},
function () {
console.warn("muhaha")
},
function () {
console.warn("nahhh")
},
function () {
console.warn("not even close")
}
];
function decryptFunc(inputVal, arr) {
var idx = 0, idx2 = 0;
var decrypt = '';
for (var i4 = idx; i4 < inputVal.length; i4 += 2) {
idx = (idx + 1) % 256;
idx2 = (idx2 + arr[idx]) % 256;
arr[idx] ^= arr[idx2];
arr[idx2] ^= arr[idx];
arr[idx] ^= arr[idx2];
var curHex = inputVal.substr(i4, 2);
var hex2int = parseInt(curHex, 16);
var charCode = hex2int ^ arr[(arr[idx] + arr[idx2]) % 256];
decrypt += String.fromCharCode(charCode);
}
return decrypt;
}
var mainFunction = function () {
var arr = [];
for (var i = 0; i < 256; i++) {
arr[i] = i;
}
var inputVal = document.getElementsByTagName('input')[0].value;
var i2 = 0;
var secret = 'click';
var originalKey = 'input128';
for (var i3 = 0; i3 < 256; i3++) {
i2 = (i2 + arr[i3] + secret.charCodeAt(i3 % 5)) % 256;
arr[i3] ^= arr[i2];
arr[i2] ^= arr[i3];
arr[i3] ^= arr[i2];
}
var decrypt = null;
var codeFound = false;
var s = '';
var idx = 1;
while (!codeFound) {
for (var h = 0; h < 256; h++) {
var hexLetter = h.toString(16);
var cmpKey = s + hexLetter;
decrypt = decryptFunc(cmpKey, arr);
// restore arr
arr = [99, 116, 115, 37, 16, 120, 211, 90, 197, 22, 166, 63, 146, 59, 123, 237, 93, 44, 76, 118, 168, 91, 55, 187, 62, 220, 135, 49, 127, 185, 153, 8, 66, 155, 152, 181, 117, 149, 31, 87, 169, 6, 172, 34, 101, 134, 107, 157, 199, 231, 124, 2, 243, 35, 241, 139, 68, 3, 159, 86, 77, 225, 105, 29, 144, 19, 32, 42, 227, 147, 133, 15, 160, 73, 190, 148, 82, 97, 170, 201, 212, 14, 18, 13, 193, 121, 143, 141, 182, 122, 21, 108, 112, 111, 217, 60, 250, 27, 137, 244, 191, 38, 171, 214, 248, 132, 228, 43, 232, 213, 223, 129, 28, 64, 247, 205, 138, 95, 202, 235, 61, 119, 224, 88, 238, 206, 230, 94, 195, 5, 179, 54, 72, 92, 136, 98, 188, 200, 173, 226, 198, 4, 71, 196, 126, 9, 69, 110, 84, 48, 85, 210, 30, 180, 229, 216, 162, 56, 75, 0, 67, 253, 163, 167, 53, 26, 7, 12, 174, 57, 130, 194, 209, 165, 1, 140, 183, 70, 23, 89, 150, 25, 145, 104, 233, 74, 142, 151, 222, 65, 207, 96, 154, 218, 106, 131, 255, 109, 254, 33, 113, 164, 203, 40, 246, 83, 192, 236, 189, 78, 158, 234, 177, 175, 161, 251, 100, 221, 219, 103, 50, 41, 242, 10, 249, 240, 20, 184, 24, 80, 52, 51, 81, 11, 156, 245, 114, 239, 186, 125, 17, 204, 128, 47, 36, 39, 215, 208, 46, 176, 178, 58, 45, 102, 252, 79];
if (decrypt == originalKey.substr(0, idx)) {
console.log(cmpKey, decrypt);
if (hexLetter.length == 1) hexLetter = '0' + hexLetter; // zero padding to convert to hex
s += hexLetter;
idx++;
break;
}
}
if (decrypt == originalKey) {
codeFound = true;
console.log('code is', s);
}
}
var selectedOption = decrypt.charCodeAt(decrypt.charCodeAt(0) % decrypt.length) % 6;
if (decrypt != originalKey && selectedOption == 2) selectedOption++;
optionsArr[selectedOption]();
};
var btn = document.getElementsByTagName('button')[0];
if (typeof(btn.addEventListener) != typeof(mainFunction)) {
btn.attachEvent('onclick', mainFunction);
} else {
btn.addEventListener('click', mainFunction, true);
}
btn = document.getElementById('urchin');
btn.parentNode.removeChild(btn);
})();
</script>
有什么方法可以识别加密方法吗?
在这个 crackme 示例中,他们使用 rc4
我花了几个小时在某些网站上迭代加密方法并提取 'input128' 值
更新澄清: 屏幕上有一个文本输入元素,你输入一个值(设置为_inputValue),然后你点击一个按钮,函数在最后一行执行,如果selectedOption 是 2 它将打印 "good" 否则optionsArr中有5个错误的选项。
拆包清理后的主要功能是:
var mainFunction = function(e) {
var arr256 = new Array();
for (var index = 0; index < 256; index++) arr256[(index).toString()] = index;
var varX = 0;
var _inputValue = document.getElementsByTagName('input')[0]['value'];
for (var index = 0; index < 256; index++) {
var secret = 'click';
varX = (varX + arr256[(index).toString()] + secret.charCodeAt(index % 5)) % 256;
arr256[(index).toString()] ^= arr256[(varX).toString()];
arr256[(varX).toString()] ^= arr256[(index).toString()];
arr256[(index).toString()] ^= arr256[(varX).toString()];
}
index = varX = 0;
var cmpStr = '';
for (var index2 = index; index2 < _inputValue.length; index2 += 2) {
index = (index + 1) % 256;
varX = (varX + arr256[(index).toString()]) % 256;
arr256[(index).toString()] ^= arr256[(varX).toString()];
arr256[(varX).toString()] ^= arr256[(index).toString()];
arr256[(index).toString()] ^= arr256[(varX).toString()];
var parsedInt = parseInt(_inputValue.substr(index2, 2), 16);
var idxAtArr = arr256[(index).toString()];
var xAtArr = arr256[(varX).toString()];
var secondVal = arr256[((idxAtArr + xAtArr) % 256).toString()];
var xorVal = parsedInt ^ secondVal;
cmpStr += String.fromCharCode(xorVal);
}
var selectedOption = cmpStr.charCodeAt(cmpStr.charCodeAt(0) % cmpStr.length) % 6;
if (cmpStr != 'input128' && selectedOption == 2) selectedOption++;
optionsArr[(selectedOption).toString()]();
};
在我看来 RC4。除了此实现出于某种原因将密钥限制为仅 5 个字符。
第一个干净的解决方案
Password: <input/><br/>
<button>Check</button>
<script id="urchin">
(function () {
var optionsArr = [
function () {
console.warn("boo")
},
function () {
console.warn(":(")
},
function () {
console.log("Congratz!")
},
function () {
console.warn("allmost there")
},
function () {
console.warn("muhaha")
},
function () {
console.warn("nahhh")
},
function () {
console.warn("not even close")
}
];
var mainFunction = function () {
var arr = [];
for (var i = 0; i < 256; i++) {
arr[i] = i;
}
var inputVal = document.getElementsByTagName('input')[0].value;
var varX = 0;
var secret = 'click';
for (var i2 = 0; i2 < 256; i2++) {
varX = (varX + arr[i2] + secret.charCodeAt(i2 % 5)) % 256;
arr[i2] ^= arr[varX];
arr[varX] ^= arr[i2];
arr[i2] ^= arr[varX];
}
var idx = varX = 0;
var cmpStr = '';
var key = 'input128';
for (var i3 = idx; i3 < key.length; i3 += 1) {
idx = (idx + 1) % 256;
varX = (varX + arr[idx]) % 256;
arr[idx] ^= arr[varX];
arr[varX] ^= arr[idx];
arr[idx] ^= arr[varX];
var hex2int = key.charCodeAt(i3);
var charCode = hex2int ^ arr[(arr[idx] + arr[varX]) % 256];
var hexCharCode = charCode.toString(16);
if (hexCharCode.length == 1) hexCharCode = '0' + hexCharCode;
cmpStr += hexCharCode;
}
alert('code is ' + cmpStr);
var selectedOption = cmpStr.charCodeAt(cmpStr.charCodeAt(0) % cmpStr.length) % 6;
if (cmpStr != key && selectedOption == 2) selectedOption++;
optionsArr[selectedOption]();
};
var btn = document.getElementsByTagName('button')[0];
if (typeof(btn.addEventListener) != typeof(mainFunction)) {
btn.attachEvent('onclick', mainFunction);
} else {
btn.addEventListener('click', mainFunction, true);
}
btn = document.getElementById('urchin');
btn.parentNode.removeChild(btn);
})();
</script>
或暴力破解,因为它不仅使用 rc4,它还会转换为痛苦的十六进制
Password: <input/><br/>
<button>Check</button>
<script id="urchin">
(function () {
var optionsArr = [
function () {
console.warn("boo")
},
function () {
console.warn(":(")
},
function () {
console.log("Congratz!")
},
function () {
console.warn("allmost there")
},
function () {
console.warn("muhaha")
},
function () {
console.warn("nahhh")
},
function () {
console.warn("not even close")
}
];
function decryptFunc(inputVal, arr) {
var idx = 0, idx2 = 0;
var decrypt = '';
for (var i4 = idx; i4 < inputVal.length; i4 += 2) {
idx = (idx + 1) % 256;
idx2 = (idx2 + arr[idx]) % 256;
arr[idx] ^= arr[idx2];
arr[idx2] ^= arr[idx];
arr[idx] ^= arr[idx2];
var curHex = inputVal.substr(i4, 2);
var hex2int = parseInt(curHex, 16);
var charCode = hex2int ^ arr[(arr[idx] + arr[idx2]) % 256];
decrypt += String.fromCharCode(charCode);
}
return decrypt;
}
var mainFunction = function () {
var arr = [];
for (var i = 0; i < 256; i++) {
arr[i] = i;
}
var inputVal = document.getElementsByTagName('input')[0].value;
var i2 = 0;
var secret = 'click';
var originalKey = 'input128';
for (var i3 = 0; i3 < 256; i3++) {
i2 = (i2 + arr[i3] + secret.charCodeAt(i3 % 5)) % 256;
arr[i3] ^= arr[i2];
arr[i2] ^= arr[i3];
arr[i3] ^= arr[i2];
}
var decrypt = null;
var codeFound = false;
var s = '';
var idx = 1;
while (!codeFound) {
for (var h = 0; h < 256; h++) {
var hexLetter = h.toString(16);
var cmpKey = s + hexLetter;
decrypt = decryptFunc(cmpKey, arr);
// restore arr
arr = [99, 116, 115, 37, 16, 120, 211, 90, 197, 22, 166, 63, 146, 59, 123, 237, 93, 44, 76, 118, 168, 91, 55, 187, 62, 220, 135, 49, 127, 185, 153, 8, 66, 155, 152, 181, 117, 149, 31, 87, 169, 6, 172, 34, 101, 134, 107, 157, 199, 231, 124, 2, 243, 35, 241, 139, 68, 3, 159, 86, 77, 225, 105, 29, 144, 19, 32, 42, 227, 147, 133, 15, 160, 73, 190, 148, 82, 97, 170, 201, 212, 14, 18, 13, 193, 121, 143, 141, 182, 122, 21, 108, 112, 111, 217, 60, 250, 27, 137, 244, 191, 38, 171, 214, 248, 132, 228, 43, 232, 213, 223, 129, 28, 64, 247, 205, 138, 95, 202, 235, 61, 119, 224, 88, 238, 206, 230, 94, 195, 5, 179, 54, 72, 92, 136, 98, 188, 200, 173, 226, 198, 4, 71, 196, 126, 9, 69, 110, 84, 48, 85, 210, 30, 180, 229, 216, 162, 56, 75, 0, 67, 253, 163, 167, 53, 26, 7, 12, 174, 57, 130, 194, 209, 165, 1, 140, 183, 70, 23, 89, 150, 25, 145, 104, 233, 74, 142, 151, 222, 65, 207, 96, 154, 218, 106, 131, 255, 109, 254, 33, 113, 164, 203, 40, 246, 83, 192, 236, 189, 78, 158, 234, 177, 175, 161, 251, 100, 221, 219, 103, 50, 41, 242, 10, 249, 240, 20, 184, 24, 80, 52, 51, 81, 11, 156, 245, 114, 239, 186, 125, 17, 204, 128, 47, 36, 39, 215, 208, 46, 176, 178, 58, 45, 102, 252, 79];
if (decrypt == originalKey.substr(0, idx)) {
console.log(cmpKey, decrypt);
if (hexLetter.length == 1) hexLetter = '0' + hexLetter; // zero padding to convert to hex
s += hexLetter;
idx++;
break;
}
}
if (decrypt == originalKey) {
codeFound = true;
console.log('code is', s);
}
}
var selectedOption = decrypt.charCodeAt(decrypt.charCodeAt(0) % decrypt.length) % 6;
if (decrypt != originalKey && selectedOption == 2) selectedOption++;
optionsArr[selectedOption]();
};
var btn = document.getElementsByTagName('button')[0];
if (typeof(btn.addEventListener) != typeof(mainFunction)) {
btn.attachEvent('onclick', mainFunction);
} else {
btn.addEventListener('click', mainFunction, true);
}
btn = document.getElementById('urchin');
btn.parentNode.removeChild(btn);
})();
</script>