# 本案例仅供学习和参考,不做商用
声明一下,因为瑞数主要是对网站的cookie或者url后缀进行加密,所以我们就需要分析了
这里我们先分析cookie是如何生成的,分析cookie的话,需要开一个无痕模式
1,清空应用里面的cookie

2,打开事件监听的脚本断点

3,刷新页面

4,这里有一个VM文件,说明代码是从某个文件读取并运行的,可以理解为虚拟机代码并没有保存在我们的磁盘上

5,继续往后调

6,继续往后面调

7,第一次虚拟机里面的代码就是这里所写的,第二次加载的代码也是通过这里的外链调用的


8,继续往后走又会走到这里来,执行这里的文件代码,第一次虚拟机的代码(也就是cd后面的值)其实是jsvmp位移混淆的,现在这段代码会将这个jsvmp位移混淆的代码还原成可以执行的js代码,也就是通过BmTo这个文件里的eval去执行

9,先将第一次虚拟机的代码还原成可以执行的js代码,然后再通过eval执行

10,通用的方法就是搜.call,在BmTo里面搜.call

11,鼠标悬浮在这个参数上面,可以看到解密之后js代码

12,点击右侧的单步执行就可以跳到里面去,就可以看到解密之后的js文件

13,

14,除了用脚本来定位,还可以用hook,用hook是最稳的一种方式

hook之后点击第一个调用堆栈,可以看到这个结构是一样的,而且很快很准

15,分析完以后就可以开始逆向

16,先拿虚拟机的代码,哈哈哈

再拿外链的代码

然后一步一步补环境,打印信息也就出来了

这里是完整的代码
/*环境代理*/
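/**
 * Wrap each named global in a logging Proxy so that every property read and
 * write the instrumented script performs on it is printed to the console
 * (method, object name, property, property type, value type).
 *
 * The names are JavaScript expressions (`window`, `script.parentElement`, ...),
 * which is why the wrapping goes through `eval`: the list is a fixed set of
 * identifiers supplied by this file, never external data. A name that does
 * not resolve yet is first created as `{}` and then wrapped.
 *
 * @param {string[]} proxy_array - global names / member expressions to wrap.
 * @returns {undefined}
 */
function get_enviroment(proxy_array) {
  for (const name of proxy_array) {
    // Declared with `const`: the original leaked `handler` as an implicit
    // global, which throws a ReferenceError in strict mode (ES modules).
    const handler = `{
      get: function(target, property, receiver) {
        console.log('方法:get',' 对象:${name}',' 属性:',property,' 属性类型:',typeof property,' 属性值类型:',typeof target[property]);
        return target[property];
      },
      set: function(target, property, value, receiver){
        console.log('方法:set',' 对象:${name}',' 属性:',property,' 属性类型:',typeof property,' 属性值类型:',typeof target[property]);
        return Reflect.set(...arguments);
      }
    }`;
    // Direct eval over a fixed identifier list, not over untrusted input.
    // NOTE: the `catch` fallback assigns to an undeclared name, so it only
    // succeeds in sloppy-mode scripts; in strict mode it rethrows.
    eval(`
      try {
        ${name};
        ${name} = new Proxy(${name}, ${handler});
      } catch (e) {
        ${name} = {};
        ${name} = new Proxy(${name}, ${handler});
      }
    `);
  }
}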
/*补环境*/
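/* Alias Node's global object under the browser names the instrumented script
 * expects, and stub a few window members. Assigning through `globalThis.*`
 * replaces the original implicit globals, which only work in sloppy mode. */
globalThis.window = global;
globalThis.self = globalThis.window;
globalThis.top = globalThis.window;
// Absent in this environment; `addEventListener` is a no-op that accepts any arguments.
window.ActiveXObject = undefined;
window.addEventListener = function () {};
window.attachEvent = undefined;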
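/* Minimal stand-in for the <div> returned by document.createElement("div"):
 * logs each tag query and reports no children. Explicit global instead of
 * a sloppy-mode implicit one. */
globalThis.div = {
  getElementsByTagName: function (tag_name) {
    console.log("div getElementsByTagName ->", tag_name);
    return [];
  },
};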
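/* Stand-in for <head>; removeChild only logs and returns undefined. */
globalThis.head = {
  removeChild: function (child) {
    console.log("head removeChild ->", child);
  },
};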
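/* Stand-in for a <script> element. Only the "r" attribute is answered
 * (with "m"); every other attribute yields undefined. `parentElement` is
 * bound when this literal is built, so `head` must be defined above. */
globalThis.script = {
  getAttribute: function (attr) {
    console.log("script getAttribute ->", attr);
    if (attr === "r") {
      return "m";
    }
    return undefined;
  },
  parentElement: head,
};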
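/* Stand-in for a <meta> element. Mirrors `script`: only "r" is answered
 * (with "m"), and `parentNode` is bound to `head` at build time. */
globalThis.meta = {
  getAttribute: function (attr) {
    console.log("meta getAttribute ->", attr);
    if (attr === "r") {
      return "m";
    }
    return undefined;
  },
  parentNode: head,
};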
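/* Stand-in for `document`. Every call is logged. `div`, `script` and `meta`
 * are resolved at call time, so they only need to exist when the
 * instrumented script actually queries them. */
globalThis.document = {
  // Only "div" is materialised; any other tag yields undefined.
  createElement: function (tag_name) {
    console.log("document createElement ->", tag_name);
    if (tag_name === "div") {
      return div;
    }
    return undefined;
  },
  removeChild: function (child) {
    console.log("document removeChild ->", child);
  },
  // Fixed answers: six <script>, two <meta>, no <base>; unknown tags -> undefined.
  getElementsByTagName: function (tag_name) {
    console.log("document getElementsByTagName ->", tag_name);
    switch (tag_name) {
      case "script":
        return [script, script, script, script, script, script];
      case "meta":
        return [meta, meta];
      case "base":
        return [];
      default:
        return undefined;
    }
  },
  appendChild: function (child) {
    console.log("document appendChild ->", child);
  },
};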
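/* Static `location` snapshot for the page being analysed (values as recorded
 * on this page). Explicit global instead of a sloppy-mode implicit one. */
globalThis.location = {
  ancestorOrigins: {},
  href: "https://ec.chng.com.cn/channel/home/#/purchase?top=0",
  origin: "https://ec.chng.com.cn",
  protocol: "https:",
  host: "ec.chng.com.cn",
  hostname: "ec.chng.com.cn",
  port: "",
  pathname: "/channel/home/",
  search: "",
  hash: "#/purchase?top=0",
};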
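/* Static `navigator` snapshot (values as recorded on this page).
 * Recent Node versions already expose a built-in `navigator` global; the
 * property is redefined rather than assigned so the snapshot takes effect
 * regardless of whether that built-in is writable. The descriptor matches
 * what a plain global assignment would have created. */
Object.defineProperty(globalThis, "navigator", {
  configurable: true,
  enumerable: true,
  writable: true,
  value: {
    vendorSub: "",
    productSub: "20030107",
    vendor: "Google Inc.",
    maxTouchPoints: 0,
    scheduling: {},
    userActivation: {},
    geolocation: {},
    doNotTrack: null,
    // Five plugin entries, each with two empty mime-type slots.
    plugins: {
      "0": { "0": {}, "1": {} },
      "1": { "0": {}, "1": {} },
      "2": { "0": {}, "1": {} },
      "3": { "0": {}, "1": {} },
      "4": { "0": {}, "1": {} },
    },
    mimeTypes: {
      "0": {},
      "1": {},
    },
    pdfViewerEnabled: true,
    webkitTemporaryStorage: {},
    webkitPersistentStorage: {},
    hardwareConcurrency: 16,
    cookieEnabled: true,
    appCodeName: "Mozilla",
    appName: "Netscape",
    appVersion: "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36",
    platform: "Win32",
    product: "Gecko",
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36",
    language: "zh-CN",
    languages: ["zh-CN"],
    onLine: true,
    webdriver: false,
    connection: {},
    windowControlsOverlay: {},
    deprecatedRunAdAuctionEnforcesKAnonymity: false,
    protectedAudience: {},
    bluetooth: {},
    clipboard: {},
    credentials: {},
    keyboard: {},
    managed: {},
    mediaDevices: {},
    storage: {},
    serviceWorker: {},
    virtualKeyboard: {},
    wakeLock: {},
    deviceMemory: 8,
    userAgentData: {
      brands: [
        { brand: "Google Chrome", version: "143" },
        { brand: "Chromium", version: "143" },
        { brand: "Not A(Brand", version: "24" },
      ],
      mobile: false,
      platform: "Windows",
    },
    locks: {},
    login: {},
    ink: {},
    mediaCapabilities: {},
    devicePosture: {},
    hid: {},
    mediaSession: {},
    permissions: {},
    presentation: {},
    serial: {},
    gpu: {},
    usb: {},
    xr: {},
    storageBuckets: {},
  },
});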
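/* Replace the timers with no-ops: anything the instrumented script schedules
 * is silently dropped and nothing is returned. */
globalThis.setInterval = function () {};
globalThis.setTimeout = function () {};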
/*代理检测*/
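/* Names to instrument with logging Proxies. `script.parentElement` is a
 * member expression, and `base` is not defined anywhere in this shim, so it
 * is created by get_enviroment's fallback (which relies on sloppy-mode
 * implicit globals). Kept as an explicit global rather than an implicit one. */
globalThis.proxy_array = [
  'window',
  'document',
  'location',
  'navigator',
  'div',
  'script',
  'meta',
  'script.parentElement',
  'base',
];
get_enviroment(proxy_array);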



