去模糊算法在“免费robux”诈骗网站上的应用

Question

今天我一直在尝试分析一个网站背后的代码，这个网站用于诈骗，涉及一个名为Roblox的在线游戏，这是一个名为buxgenerator.com的域名

这个域名使用了非常常见的骗局，它使用调查收集个人数据，将受害者发送到这个链接https://cpbild.co/93c0cd5，受害者通常是容易上当受骗的孩子

他们最终被告知，他们需要解决“人类验证”，这是收集您个人数据的调查的骗局言论。

通过使用免费的html代码分析器应用程序，我能够查看网站https://pastebin.com/sc0inEv8的以下代码

有趣的是，我发现有一小部分代码被一种未知算法混淆了

eyJjYWxsX3RvX2FjdGlvbiI6IkdFVCBWLUJVQ0tTIiwiZGVzY3JpcHRpb24iOiJSb2Jsb3ggRnJlZSBSb2J1eCBHZW5lcmF0b3IuIFNwZWNpYWwgcmVxdWVzdCB0byBjcmVhdGUgYSBuZXcgZ2VuZXJhdG9yIGZvciBmcmVlIHVubGltaXRlZCBSb2J1eC4iLCJnb29nbGVfYW5hbHl0aWNzIjoiVUEtMDAwMDAtMCIsImtleXdvcmRzIjoiUm9ibG94IEZyZWUgUm9idXggR2VuZXJhdG9yIiwibWVudV9oZWFkZXIiOiJTZWxlY3QgQW1vdW50IG9mIFYtQnVja3MiLCJwbGF0Zm9ybV9maWVsZCI6IllvdXIgUGxhdGZvcm0iLCJyZWRpcmVjdF91cmwiOiJodHRwczpcL1wvZ29vZ2xlLmNvbSIsInNlbGVjdF9idXR0b24iOiJTZWxlY3QiLCJ0aXRsZSI6IlJvYmxveCBSb2J1eCBHZW5lcmF0b3IgfCBHZXQgRnJlZSBSb2J1eCIsInVzZXJuYW1lX2ZpZWxkIjoiWW91ciB1c2VybmFtZSIsInZlcmlmaWNhdGlvbl9idXR0b24iOiJWZXJpZnkgTm93IiwidmVyaWZpY2F0aW9uX25hbWUiOiJBbnRpLUJvdCBWZXJpZmljYXRpb24iLCJ2ZXJpZmljYXRpb25fdGl0bGUiOiJWRVJJRklDQVRJT04iLCJjZW50c19yZXF1aXJlZCI6IjIwIiwibGVhZHNfcmVxdWlyZWQiOiIyIiwib2ZmZXJzX2Ftb3VudCI6IjYiLCJmYXN0ZXJfZ2VuZXJhdG9yIjoiMCIsInRpeF9vbiI6IjAiLCJoYXNfaGVhZGVyIjoiMSIsImdlbmVyYXRvcl9vbiI6IjEiLCJzb3VuZHNfb24iOiIxIiwiY2hhdF9vbiI6IjEiLCJ2ZXJpZmljYXRpb25faGVhZGVyIjoiQW50aS1Cb3QgVmVyaWZpY2F0aW9uIiwidmVyaWZpY2F0aW9uX3RleHQiOiJDb21wbGV0ZSBhbnkgMiBvZmZlcnMgdG8gdmVyaWZ5Iiwidm91Y2hlcl9uYW1lIjoiQ2FyZCJ9

我一直没有成功地找到关于诈骗者的原始ip地址的信息，所以我希望这个算法的解混可能会帮助我更接近我的目标，那就是找出这个网站的实际位置。

Answer 1

这是base64编码的JSON。

有效载荷是

{"call_to_action":"GET V-BUCKS","description":"Roblox Free Robux Generator. Special request to create a new generator for free unlimited Robux.","google_analytics":"UA-00000-0","keywords":"Roblox Free Robux Generator","menu_header":"Select Amount of V-Bucks","platform_field":"Your Platform","redirect_url":"https:\/\/google.com","select_button":"Select","title":"Roblox Robux Generator | Get Free Robux","username_field":"Your username","verification_button":"Verify Now","verification_name":"Anti-Bot Verification","verification_title":"VERIFICATION","cents_required":"20","leads_required":"2","offers_amount":"6","faster_generator":"0","tix_on":"0","has_header":"1","generator_on":"1","sounds_on":"1","chat_on":"1","verification_header":"Anti-Bot Verification","verification_text":"Complete any 2 offers to verify","voucher_name":"Card"}

Answer 2

在您共享的代码中，我注意到那里的长字符串被放入一个名为atob()的函数中。经过进一步研究，atob基本上将base64转换为字符串。使用base64解码器，我发现它是一个包含以下内容的JSON字符串：

{"call_to_action":"GET V-BUCKS","description":"Roblox Free Robux Generator. Special request to create a new generator for free unlimited Robux.","google_analytics":"UA-00000-0","keywords":"Roblox Free Robux Generator","menu_header":"Select Amount of V-Bucks","platform_field":"Your Platform","redirect_url":"https:\/\/google.com","select_button":"Select","title":"Roblox Robux Generator | Get Free Robux","username_field":"Your username","verification_button":"Verify Now","verification_name":"Anti-Bot Verification","verification_title":"VERIFICATION","cents_required":"20","leads_required":"2","offers_amount":"6","faster_generator":"0","tix_on":"0","has_header":"1","generator_on":"1","sounds_on":"1","chat_on":"1","verification_header":"Anti-Bot Verification","verification_text":"Complete any 2 offers to verify","voucher_name":"Card"}

我希望这回答了您的问题:)

编辑

此外，在进一步阅读代码后，这个骗局只会向你索要“线索”和“美分”，一旦你给出了足够的信息(在JSON中的cents_required和leads_required )，它就会将你重定向到一些网页。在redirect_url，它显示的是“google.com”，但我想他们会把它改成其他的。