本帖最后由 anning666 于 2025-6-6 16:50 编辑
- 目标网址: aHR0cHM6Ly93d3cuc29odS5jb20v
- 点击
登录,切换到账号密码登录,邮箱随便输一个,密码为123456,点击登录,结果如下
- 可以看到,我们输入的密码为
123456,现在变成了一串长长的字符串: e10adc3949ba59abbe56e057f20f883e,所以本次目标就是把长长的字符串还原回来
- 我们点击
启动器进去看看,出于一点点Web逆向的小经验,猜测userLogin或者login大概率就是登录的逻辑,分别点进去看看
- 比较
userLogin和login的逻辑,显然login的逻辑更适合下断点,因为password加密的逻辑刚好就在这(运气不错,我觉得"逆向"真的需要运气...),我们把断点下在password的下方,这样子当我们重新点击登录按钮的时候,就会触发该断点,可以观察到断点上方password的值
- 可以看到,经过
d.md5(e.params.password)函数加密完以后,password变成了e10adc3949ba59abbe56e057f20f883e`
- 所以只要在本地模拟出
d.md5()这个函数的加密逻辑,本次逆向的目标就完成了,我们把鼠标移动到md5函数,点进去看看
md5()这个函数的逻辑好长好长,看得人头晕~~~我们把它拷贝下来(记得拷贝完整,我是手动拷贝的,有更简便的方法吗,请大佬指导),丢给AI分析(结果是md5算法),用python模拟出来
md5: function(e) {
function t(e, t, n, i, r, o) {
return a((s = a(a(t, e), a(i, o))) << (c = r) | s >>> 32 - c, n);
var s, c
}
function n(e, n, i, r, o, a, s) {
return t(n & i | ~n & r, e, n, o, a, s)
}
function i(e, n, i, r, o, a, s) {
return t(n & r | i & ~r, e, n, o, a, s)
}
function r(e, n, i, r, o, a, s) {
return t(n ^ i ^ r, e, n, o, a, s)
}
function o(e, n, i, r, o, a, s) {
return t(i ^ (n | ~r), e, n, o, a, s)
}
function a(e, t) {
var n = (65535 & e) + (65535 & t);
return (e >> 16) + (t >> 16) + (n >> 16) << 16 | 65535 & n
}
var s, c = 0, l = 8;
return function(e) {
for (var t = c ? "0123456789ABCDEF" : "0123456789abcdef", n = "", i = 0; i < 4 * e.length; i++)
n += t.charAt(e[i >> 2] >> i % 4 * 8 + 4 & 15) + t.charAt(e[i >> 2] >> i % 4 * 8 & 15);
return n
}(function(e, t) {
e[t >> 5] |= 128 << t % 32,
e[14 + (t + 64 >>> 9 << 4)] = t;
for (var s = 1732584193, c = -271733879, l = -1732584194, u = 271733878, p = 0; p < e.length; p += 16) {
var d = s
, h = c
, f = l
, g = u;
s = n(s, c, l, u, e[p + 0], 7, -680876936),
u = n(u, s, c, l, e[p + 1], 12, -389564586),
l = n(l, u, s, c, e[p + 2], 17, 606105819),
c = n(c, l, u, s, e[p + 3], 22, -1044525330),
s = n(s, c, l, u, e[p + 4], 7, -176418897),
u = n(u, s, c, l, e[p + 5], 12, 1200080426),
l = n(l, u, s, c, e[p + 6], 17, -1473231341),
c = n(c, l, u, s, e[p + 7], 22, -45705983),
s = n(s, c, l, u, e[p + 8], 7, 1770035416),
u = n(u, s, c, l, e[p + 9], 12, -1958414417),
l = n(l, u, s, c, e[p + 10], 17, -42063),
c = n(c, l, u, s, e[p + 11], 22, -1990404162),
s = n(s, c, l, u, e[p + 12], 7, 1804603682),
u = n(u, s, c, l, e[p + 13], 12, -40341101),
l = n(l, u, s, c, e[p + 14], 17, -1502002290),
s = i(s, c = n(c, l, u, s, e[p + 15], 22, 1236535329), l, u, e[p + 1], 5, -165796510),
u = i(u, s, c, l, e[p + 6], 9, -1069501632),
l = i(l, u, s, c, e[p + 11], 14, 643717713),
c = i(c, l, u, s, e[p + 0], 20, -373897302),
s = i(s, c, l, u, e[p + 5], 5, -701558691),
u = i(u, s, c, l, e[p + 10], 9, 38016083),
l = i(l, u, s, c, e[p + 15], 14, -660478335),
c = i(c, l, u, s, e[p + 4], 20, -405537848),
s = i(s, c, l, u, e[p + 9], 5, 568446438),
u = i(u, s, c, l, e[p + 14], 9, -1019803690),
l = i(l, u, s, c, e[p + 3], 14, -187363961),
c = i(c, l, u, s, e[p + 8], 20, 1163531501),
s = i(s, c, l, u, e[p + 13], 5, -1444681467),
u = i(u, s, c, l, e[p + 2], 9, -51403784),
l = i(l, u, s, c, e[p + 7], 14, 1735328473),
s = r(s, c = i(c, l, u, s, e[p + 12], 20, -1926607734), l, u, e[p + 5], 4, -378558),
u = r(u, s, c, l, e[p + 8], 11, -2022574463),
l = r(l, u, s, c, e[p + 11], 16, 1839030562),
c = r(c, l, u, s, e[p + 14], 23, -35309556),
s = r(s, c, l, u, e[p + 1], 4, -1530992060),
u = r(u, s, c, l, e[p + 4], 11, 1272893353),
l = r(l, u, s, c, e[p + 7], 16, -155497632),
c = r(c, l, u, s, e[p + 10], 23, -1094730640),
s = r(s, c, l, u, e[p + 13], 4, 681279174),
u = r(u, s, c, l, e[p + 0], 11, -358537222),
l = r(l, u, s, c, e[p + 3], 16, -722521979),
c = r(c, l, u, s, e[p + 6], 23, 76029189),
s = r(s, c, l, u, e[p + 9], 4, -640364487),
u = r(u, s, c, l, e[p + 12], 11, -421815835),
l = r(l, u, s, c, e[p + 15], 16, 530742520),
s = o(s, c = r(c, l, u, s, e[p + 2], 23, -995338651), l, u, e[p + 0], 6, -198630844),
u = o(u, s, c, l, e[p + 7], 10, 1126891415),
l = o(l, u, s, c, e[p + 14], 15, -1416354905),
c = o(c, l, u, s, e[p + 5], 21, -57434055),
s = o(s, c, l, u, e[p + 12], 6, 1700485571),
u = o(u, s, c, l, e[p + 3], 10, -1894986606),
l = o(l, u, s, c, e[p + 10], 15, -1051523),
c = o(c, l, u, s, e[p + 1], 21, -2054922799),
s = o(s, c, l, u, e[p + 8], 6, 1873313359),
u = o(u, s, c, l, e[p + 15], 10, -30611744),
l = o(l, u, s, c, e[p + 6], 15, -1560198380),
c = o(c, l, u, s, e[p + 13], 21, 1309151649),
s = o(s, c, l, u, e[p + 4], 6, -145523070),
u = o(u, s, c, l, e[p + 11], 10, -1120210379),
l = o(l, u, s, c, e[p + 2], 15, 718787259),
c = o(c, l, u, s, e[p + 9], 21, -343485551),
s = a(s, d),
c = a(c, h),
l = a(l, f),
u = a(u, g)
}
return Array(s, c, l, u)
}(function(e) {
for (var t = Array(), n = (1 << l) - 1, i = 0; i < e.length * l; i += l)
t[i >> 5] |= (e.charCodeAt(i / l) & n) << i % 32;
return t
}(s = e), s.length * l))
},
import hashlib
def standard_md5(target_string):
return hashlib.md5(target_string.encode()).hexdigest()
print(standard_md5("123456")) # 输出: e10adc3949ba59abbe56e057f20f883e
-
小结: 本次逆向没有碰到复杂的场景,比如js代码的混淆和加密,跟栈和下断点也比较简单,只是最后加密函数的逻辑复杂,但是没关系,借助AI强大的分析,最后实现解密(我好奇的是,以前没有AI的时代,碰到这种很长很长的加密函数逻辑,大佬们是怎么熬过来的,非常欢迎大佬分享以前的经验...俺十分佩服...).本次逆向适合小白新手练练手感,为以后应对更为复杂的场景打下基础
-
PS: 这里还可以有另外一种思路,就是在python脚本里面,直接执行拷贝下来的md5()函数,这样做的好处就是不用再去关注md5()函数的复杂逻辑,反正我们只关心结果,能拿到结果就行,python脚本如下
">
import execjs
# 创建完整的 JavaScript 函数
js_code = """
function md5(e) {
function t(e, t, n, i, r, o) {
return a((s = a(a(t, e), a(i, o))) << (c = r) | s >>> 32 - c, n);
var s, c
}
function n(e, n, i, r, o, a, s) {
return t(n & i | ~n & r, e, n, o, a, s)
}
function i(e, n, i, r, o, a, s) {
return t(n & r | i & ~r, e, n, o, a, s)
}
function r(e, n, i, r, o, a, s) {
return t(n ^ i ^ r, e, n, o, a, s)
}
function o(e, n, i, r, o, a, s) {
return t(i ^ (n | ~r), e, n, o, a, s)
}
function a(e, t) {
var n = (65535 & e) + (65535 & t);
return (e >> 16) + (t >> 16) + (n >> 16) << 16 | 65535 & n
}
var s, c = 0, l = 8;
return function(e) {
for (var t = c ? "0123456789ABCDEF" : "0123456789abcdef", n = "", i = 0; i < 4 * e.length; i++)
n += t.charAt(e[i >> 2] >> i % 4 * 8 + 4 & 15) + t.charAt(e[i >> 2] >> i % 4 * 8 & 15);
return n
}(function(e, t) {
e[t >> 5] |= 128 << t % 32,
e[14 + (t + 64 >>> 9 << 4)] = t;
for (var s = 1732584193, c = -271733879, l = -1732584194, u = 271733878, p = 0; p < e.length; p += 16) {
var d = s
, h = c
, f = l
, g = u;
s = n(s, c, l, u, e[p + 0], 7, -680876936),
u = n(u, s, c, l, e[p + 1], 12, -389564586),
l = n(l, u, s, c, e[p + 2], 17, 606105819),
c = n(c, l, u, s, e[p + 3], 22, -1044525330),
s = n(s, c, l, u, e[p + 4], 7, -176418897),
u = n(u, s, c, l, e[p + 5], 12, 1200080426),
l = n(l, u, s, c, e[p + 6], 17, -1473231341),
c = n(c, l, u, s, e[p + 7], 22, -45705983),
s = n(s, c, l, u, e[p + 8], 7, 1770035416),
u = n(u, s, c, l, e[p + 9], 12, -1958414417),
l = n(l, u, s, c, e[p + 10], 17, -42063),
c = n(c, l, u, s, e[p + 11], 22, -1990404162),
s = n(s, c, l, u, e[p + 12], 7, 1804603682),
u = n(u, s, c, l, e[p + 13], 12, -40341101),
l = n(l, u, s, c, e[p + 14], 17, -1502002290),
s = i(s, c = n(c, l, u, s, e[p + 15], 22, 1236535329), l, u, e[p + 1], 5, -165796510),
u = i(u, s, c, l, e[p + 6], 9, -1069501632),
l = i(l, u, s, c, e[p + 11], 14, 643717713),
c = i(c, l, u, s, e[p + 0], 20, -373897302),
s = i(s, c, l, u, e[p + 5], 5, -701558691),
u = i(u, s, c, l, e[p + 10], 9, 38016083),
l = i(l, u, s, c, e[p + 15], 14, -660478335),
c = i(c, l, u, s, e[p + 4], 20, -405537848),
s = i(s, c, l, u, e[p + 9], 5, 568446438),
u = i(u, s, c, l, e[p + 14], 9, -1019803690),
l = i(l, u, s, c, e[p + 3], 14, -187363961),
c = i(c, l, u, s, e[p + 8], 20, 1163531501),
s = i(s, c, l, u, e[p + 13], 5, -1444681467),
u = i(u, s, c, l, e[p + 2], 9, -51403784),
l = i(l, u, s, c, e[p + 7], 14, 1735328473),
s = r(s, c = i(c, l, u, s, e[p + 12], 20, -1926607734), l, u, e[p + 5], 4, -378558),
u = r(u, s, c, l, e[p + 8], 11, -2022574463),
l = r(l, u, s, c, e[p + 11], 16, 1839030562),
c = r(c, l, u, s, e[p + 14], 23, -35309556),
s = r(s, c, l, u, e[p + 1], 4, -1530992060),
u = r(u, s, c, l, e[p + 4], 11, 1272893353),
l = r(l, u, s, c, e[p + 7], 16, -155497632),
c = r(c, l, u, s, e[p + 10], 23, -1094730640),
s = r(s, c, l, u, e[p + 13], 4, 681279174),
u = r(u, s, c, l, e[p + 0], 11, -358537222),
l = r(l, u, s, c, e[p + 3], 16, -722521979),
c = r(c, l, u, s, e[p + 6], 23, 76029189),
s = r(s, c, l, u, e[p + 9], 4, -640364487),
u = r(u, s, c, l, e[p + 12], 11, -421815835),
l = r(l, u, s, c, e[p + 15], 16, 530742520),
s = o(s, c = r(c, l, u, s, e[p + 2], 23, -995338651), l, u, e[p + 0], 6, -198630844),
u = o(u, s, c, l, e[p + 7], 10, 1126891415),
l = o(l, u, s, c, e[p + 14], 15, -1416354905),
c = o(c, l, u, s, e[p + 5], 21, -57434055),
s = o(s, c, l, u, e[p + 12], 6, 1700485571),
u = o(u, s, c, l, e[p + 3], 10, -1894986606),
l = o(l, u, s, c, e[p + 10], 15, -1051523),
c = o(c, l, u, s, e[p + 1], 21, -2054922799),
s = o(s, c, l, u, e[p + 8], 6, 1873313359),
u = o(u, s, c, l, e[p + 15], 10, -30611744),
l = o(l, u, s, c, e[p + 6], 15, -1560198380),
c = o(c, l, u, s, e[p + 13], 21, 1309151649),
s = o(s, c, l, u, e[p + 4], 6, -145523070),
u = o(u, s, c, l, e[p + 11], 10, -1120210379),
l = o(l, u, s, c, e[p + 2], 15, 718787259),
c = o(c, l, u, s, e[p + 9], 21, -343485551),
s = a(s, d),
c = a(c, h),
l = a(l, f),
u = a(u, g)
}
return Array(s, c, l, u)
}(function(e) {
for (var t = Array(), n = (1 << l) - 1, i = 0; i < e.length * l; i += l)
t[i >> 5] |= (e.charCodeAt(i / l) & n) << i % 32;
return t
}(s = e), s.length * l))
}
"""
# 创建 JS 环境
ctx = execjs.compile(js_code)
# 调用 md5 函数
input_string = "123456"
md5_hash = ctx.call("md5", input_string)
print(f"MD5 of '{input_string}': {md5_hash}") # MD5 of '123456': e10adc3949ba59abbe56e057f20f883e
```
|
发表于 2025-6-6 09:18
|
发表于 2025-6-6 13:19
