破解JS加密：url unicode加密而已

加密所在的地方：http://tool.chinaz.com/Tools/UrlCrypt.aspx?url=www.baidu.com
 结果： 　　　　http://%77%77%77%2E%62%61%69%64%75%2E%63%6F%6D/
 替换：http://x77x77x77x2Ex62x61x69x64x75x2Ex63x6Fx6D/
查看：在地址栏输入javascript:alert("x68x6Cx61x64x66x28x29x3Bx66x75x6Ex63x74x69x6Fx6Ex20");

window.location.href='http://x77x77x77x2Ex62x61x69x64x75x2Ex63x6Fx6D/';

<script language="JavaScript">
window.location.href='x20x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex62x61x69x64x75x2Ex63x6Fx6D/';
</script>

加密后：%63%61%6F%62%75%67%2E%63%6F%6D

替换后：x63x61x6Fx62x75x67x2Ex63x6Fx6D

朋友发来一套盗用过来的DISCUZ模板，但打开网站会弹出提示框：Sorry！xxx.com，然后自动跳转到原开发者网站，通过搜索N次也没有找到代码写在何处。没办法了，谁让小明哥这样乐于助人呢，瞧瞧吧^_^。

本地安装DISCUZ，接着将模板文件架构好。输入：http://localhost/portal.php，没有任何提示，好小子估计没判断 localhost。好吧，换成：http://127.0.0.1/portal.php 试试，有了…

当我们单击确定的时候，将自动跳到开发者网站，悲痛呀！不过这样做就显然给我们留下入口，JS有多少种提示框弹出方式？试试最简单的Alert吧。于是搜索 alert，所有文件中，侥幸找到一个。

弹出源码：alert(_0xb200[10])，好吧，改成：alert('test')，刷新网页，哈哈~预期弹出：test，看来是找对地方了。

于是删除他的条件判断：

1	;if(obj[_0xb200[7]](_0xb200[8])==0||obj[_0xb200[7]](_0xb200[9])==0){}else{alert(_0xb200[10]);window[_0xb200[2]][_0xb200[0]]=_0xb200[11];};

在刷新网页，发现没任何弹窗和任何跳转了，这样就解决了问题，但如果也想像作者一样保护自己的“版权”，可以这样：

其中_0xb200[7]这样的形式，很显然是数组，看看开发者如何申明遍历的吧，本文件中搜索：_0xb200，找到了：

1

var _0xb200=["x6Cx6Fx63x61x74x69x6Fx6E","x72x65x70x6Cx61x63x65","x74x6Fx70","x68x72x65x66","x74x6Fx4Cx6Fx77x65x72x43x61x73x65","x73x75x62x73x74x72","x77x77x77x2E","x69x6Ex64x65x78x4Fx66","x6Cx6Fx63x61x6Cx68x6Fx73x74","x35x69x32x33x2Ex63x6Fx6D","x53x6Fx72x72x79x21x20x53x69x6Ex67x63x65x72x65x2Ex4Ex65x74","x20x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex73x69x6Ex67x63x65x72x65x2Ex6Ex65x74"];

我去，加密了！解密还是比较简单，让浏览器去做。于是小明哥在桌面新创建了 test.html 文件，写道：

1 2 3 4 5 6

<script type="text/javascript">     var _0xb200=["x6Cx6Fx63x61x74x69x6Fx6E","x72x65x70x6Cx61x63x65","x74x6Fx70","x68x72x65x66","x74x6Fx4Cx6Fx77x65x72x43x61x73x65","x73x75x62x73x74x72","x77x77x77x2E","x69x6Ex64x65x78x4Fx66","x6Cx6Fx63x61x6Cx68x6Fx73x74","x35x69x32x33x2Ex63x6Fx6D","x53x6Fx72x72x79x21x20x53x69x6Ex67x63x65x72x65x2Ex4Ex65x74","x20x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex73x69x6Ex67x63x65x72x65x2Ex6Ex65x74"];     for(var i =0; i < _0xb200.length; i++){         alert(i +': '+ _0xb200[i]);     } </script>

运行 test.html 试试吧，结果输出：

0: location

1: replace

2: top

3: href

4: toLowerCase

5: substr

6: www.

7: indexOf

8: localhost

9:5i23.com

10:Sorry!Singcere.Net

11:  http://www.singcere.net

好小子，首先获得页面 URL，然后用 indexOf 截取判断，最后弹出消息和跳到指定网站！于是小明哥把数组下标为9的5i23.com修改为自己的网站URL，然后数组下标为11的目标网页修改自己成网站，将计就计，哈哈！

好吧，先找个转换工具把我们新的URL用十六进制加密，然后将百分号（%）替换成：x

实战：caobug.com（数组 9）

工具：http://www.55la.cn/UrlCrypt/

加密后：%63%61%6F%62%75%67%2E%63%6F%6D

替换后：x63x61x6Fx62x75x67x2Ex63x6Fx6D

弹出信息也替换了（数组 10）：

加密后：%53%6F%72%72%79%21%20%43%61%6F%62%75%67%2E%63%6F%6D

替换后：x53x6Fx72x72x79x21x20x43x61x6Fx62x75x67x2Ex63x6Fx6D

侵权后跳转到（数组 11）：

加密后：%77%77%77%2E%63%61%6F%62%75%67%2E%63%6F%6D（www.caobug.com）

替换后：x20x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex63x61x6Fx62x75x67x2Ex63x6Fx6D（http://www.caobug.com）

其中，x20x68x74x74x70x3Ax2Fx2F 表示：http://，有的工具无法转换，我们就自己添加上。

最终结果：

1

var _0xb200=["x6Cx6Fx63x61x74x69x6Fx6E","x72x65x70x6Cx61x63x65","x74x6Fx70","x68x72x65x66","x74x6Fx4Cx6Fx77x65x72x43x61x73x65","x73x75x62x73x74x72","x77x77x77x2E","x69x6Ex64x65x78x4Fx66","x6Cx6Fx63x61x6Cx68x6Fx73x74","x63x61x6Fx62x75x67x2Ex63x6Fx6D","x53x6Fx72x72x79x21x20x43x61x6Fx62x75x67x2Ex63x6Fx6D","x20x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex63x61x6Fx62x75x67x2Ex63x6Fx6D"];

我们粘贴到 test.html，看下能否正常输出我们加密的字符串。

1 2 3 4 5 6

<scripttype="text/javascript">     var _0xb200=["x6Cx6Fx63x61x74x69x6Fx6E","x72x65x70x6Cx61x63x65","x74x6Fx70","x68x72x65x66","x74x6Fx4Cx6Fx77x65x72x43x61x73x65","x73x75x62x73x74x72","x77x77x77x2E","x69x6Ex64x65x78x4Fx66","x6Cx6Fx63x61x6Cx68x6Fx73x74","x63x61x6Fx62x75x67x2Ex63x6Fx6D","x53x6Fx72x72x79x21x20x43x61x6Fx62x75x67x2Ex63x6Fx6D","x20x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex63x61x6Fx62x75x67x2Ex63x6Fx6D"];     for(var i =0; i < _0xb200.length; i++){         alert(i +': '+ _0xb200[i]);     } </script>

输出结果：

0: location

1: replace

2: top

3: href

4: toLowerCase

5: substr

6: www.

7: indexOf

8: localhost

9: caobug.com

10: Sorry! Caobug.com

11:  http://www.caobug.com

哇塞，一次成功。我们到此就可以替换开发者提供的文件啦~

1

var _0xb200=["x6Cx6Fx63x61x74x69x6Fx6E","x72x65x70x6Cx61x63x65","x74x6Fx70","x68x72x65x66","x74x6Fx4Cx6Fx77x65x72x43x61x73x65","x73x75x62x73x74x72","x77x77x77x2E","x69x6Ex64x65x78x4Fx66","x6Cx6Fx63x61x6Cx68x6Fx73x74","x35x69x32x33x2Ex63x6Fx6D","x53x6Fx72x72x79x21x20x53x69x6Ex67x63x65x72x65x2Ex4Ex65x74","x20x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex73x69x6Ex67x63x65x72x65x2Ex6Ex65x74"];

替换成：

1

var _0xb200=["x6Cx6Fx63x61x74x69x6Fx6E","x72x65x70x6Cx61x63x65","x74x6Fx70","x68x72x65x66","x74x6Fx4Cx6Fx77x65x72x43x61x73x65","x73x75x62x73x74x72","x77x77x77x2E","x69x6Ex64x65x78x4Fx66","x6Cx6Fx63x61x6Cx68x6Fx73x74","x63x61x6Fx62x75x67x2Ex63x6Fx6D","x53x6Fx72x72x79x21x20x43x61x6Fx62x75x67x2Ex63x6Fx6D","x20x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex63x61x6Fx62x75x67x2Ex63x6Fx6D"];

最后成功了，我们使用 127.0.0.1 等其它域名访问都会弹出提示框，然后跳到 caobug.com 网站。

到这里，问题就解决了，也实现了我们的想法。假期结束了，还没睡够呢~