AI逆向|使用AI反编译反混淆练习平台第18题jsvmp

关注它不迷路。本文章中所有内容仅供学习交流不可用于任何商业用途和非法用途否则后果自负如有侵权请联系作者立即删除一.题目地址https://match.yuanrenxue.cn/match/18二.抓包分析先打开控制台然后再打开上面的网站查看数据所在的页面:post的参数有个t时间戳和加密参数v。切换 启动器 定位到一段jsvmp的代码硬分析有点难度将这段jsvmp代码下载下来让AI反编译吧。三.AI反编译我这里使用codeX的cli工具 Gpt-5.4 xhigh 的AI模型。提示语比较简单:请用你最顶级的技能对yrx18.js文件中的jsvmp进行full 反编译。并保存到当面目录。注意当前目录已安装babel库。大概弄了个把小时就把反编译的代码生成好了下面是核心代码:var _open XMLHttpRequest.prototype.open; XMLHttpRequest.prototype.open function() { if (/data\?/.test(arguments[1])) { var toggle false; var pagestr arguments[1].match(/page(\d)/)[1]; if (pagestr 1) { toggle true; } else if (pagestr 5) { toggle true; } else { for (var i 0; i mouses.length; i) { if (mouses[i].indexOf(u) ! -1) { toggle true; } else null } if (arguments[1].slice(-1) ! ) { arguments[1] ; } else null var t parseInt(Date.now() / 1000); arguments[1] t t.toString(); var t t.toString(16) t.toString(16).slice(0, 16); arguments[1] v encodeURIComponent(window.myenc(pagestr | mouses.toString(), t)); } if (toggle) { return _open.apply(this, arguments); } else null } else { return _open.apply(this, arguments); } };虽然代码没办法替换但是能看到核心的加密它改写了XMLHttpRequest的open函数t和v的加密参数也能看到。注意到myenc函数直接hook该函数获取实参:const _myenc myenc;myenc function() { console.log(Hooked myenc called with:, arguments); debugger; const result _myenc(str); return result;};Hook 效果:第1个实参:3|134m676,134m677,134d677,134m677,134u677根据上面的代码可知 3 表示 page|后面的数据是 mouses.toString()。第二个实参:69df489069df4890根据上面的代码它是时间戳t经过一段toString()操作获取。有了这些交给AI写代码:import argparseimport base64import jsonfrom dataclasses import dataclass import requestsfrom Crypto.Cipher import AES BASE_URL https://match.yuanrenxue.cnMATCH_URL f{BASE_URL}/match/18DATA_URL f{BASE_URL}/api/v/question/18dataTIME_URL f{BASE_URL}/api/getTimeCHROME_UA ( yuanrenxue)SESSION_ID XXXXXX dataclass(frozenTrue)class BrowserSample: page: int plaintext: str secret_key: str expected_v: str def pkcs7_pad(data: bytes, block_size: int 16) - bytes: pad_len block_size - (len(data) % block_size) return data bytes([pad_len]) * pad_len def myenc(plaintext: str, secret_key: str) - str: key secret_key.encode(utf-8) cipher AES.new(key, AES.MODE_CBC, ivkey) ciphertext cipher.encrypt(pkcs7_pad(plaintext.encode(utf-8))) return base64.b64encode(ciphertext).decode(ascii) def build_secret_key(ts_seconds: int) - str: ts_hex format(ts_seconds, x) # Equivalent to: t.toString(16) t.toString(16).slice(0, 16) return ts_hex ts_hex[:16] def build_mouse_trace(page: int, ts_seconds: int) - str: # The browser code only needs the serialized track and at least one u. x1 100 page * 11 (ts_seconds % 13) y1 200 page * 7 (ts_seconds % 17) x2 x1 24 page y2 y1 18 page parts [ f{x1}m{y1}, f{x1}d{y1}, f{x1}u{y1}, f{x2}m{y2}, f{x2}u{y2}, ] return ,.join(parts) def build_v(page: int, ts_seconds: int) - tuple[str, str, str]: mouse_trace build_mouse_trace(page, ts_seconds) plaintext f{page}|{mouse_trace} secret_key build_secret_key(ts_seconds) return plaintext, secret_key, myenc(plaintext, secret_key) def get_browser_time_seconds(session: requests.Session) - int: response session.get(TIME_URL, timeout15) response.raise_for_status() return int(response.text.strip()) // 1000 def fetch_page(session: requests.Session) - dict: total 0 for i in range(1,6): ts_seconds get_browser_time_seconds(session) plaintext, secret_key, v_value build_v(i, ts_seconds) response session.get( DATA_URL, params[(page, str(i)), (t, str(ts_seconds)), (v, v_value)], timeout15, ) response.raise_for_status() payload response.json() print (payload) total sum(payload[data]) return total def main() - None: session requests.Session() session.headers.update( { User-Agent: CHROME_UA, Referer: MATCH_URL, Accept: */*, } ) session.cookies.set(sessionid, SESSION_ID, domainmatch.yuanrenxue.cn, path/) payload fetch_page(session) print(payload) if __name__ __main__: main()运行结果:今天的分享就到这里感谢阅读。建了个 AST反混淆AI逆向 的 群想进群的可以私聊我。