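All content in this article is for learning and exchange only and is not to be used for any other purpose. Complete code is not provided; captured traffic, sensitive URLs, data endpoints and the like have been sanitized. Commercial and illegal use is strictly prohibited, and the author bears no responsibility for any consequences arising from such use. This article may not be reposted without permission, nor redistributed after modification. The author is not responsible for any incident caused by unauthorized use of the techniques explained here.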
----------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------
Target URL: aHR0cHM6Ly9tLmN0eXVuLmNuL3dhcC9tYWluL2F1dGgvbG9naW4=
------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------
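Thanks to everyone for reading. I'm a newbie just starting out; a classmate talked me into JS reverse engineering, so any guidance is welcome.
Press F12, enter the account and password, click Log in, then find the data endpoint.
Check the request headers. By comparison, the ones that need to be solved are: Csm, Cst
cookie and x-riskdevicesign are fixed values
Check the request payload: in the form data, userName is plaintext and password is encrypted; comParam_curTime, comParam_seqCode and comParam_signature change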
------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------
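First, solving Csm and Cst (the request-header values listed above): search globally for Cst, set a breakpoint, and click Log in to trigger it
Press F9 to step in here, then extract the code
Run the extracted code
ReferenceError: Fe is not defined
ReferenceError: _e is not defined
ReferenceError: Te is not defined (likewise, look in that file and you can find the corresponding functions). All the code that actually needs to be extracted is shown below, inside the red box
Final error:
Stepping in from t shows that it is a module loader; the site is bundled with webpack. Copy the contents of the current file. If you don't know what webpack is, look up a tutorial yourself
Copy only what is inside the red box
Export the loader so it can be used globally
Print the modules that are needed
Search globally for 4917
It later turned out that many were missing, so I simply copied all of those modules over
Run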
------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------
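Next, solve the encrypted parameters in the request payload: search globally for comParam_curTime and debug with a breakpoint
r = Object(u["k"])() refers to the H function below
The c() function executes the _() function
Copy all of it
Run
Core code (JavaScript):

    function run() {
        // Ue, e_url, H and _ come from the code extracted in the steps above
        const biaotou = Ue(e_url);              // header values: sign (Csm) and time (Cst)
        const n = (new Date).getTime() - 182;   // comParam_curTime
        const t = "s54zv9bm1vd5czfujy6nnuxj1l4g2ny6";
        const r = H();                          // comParam_seqCode
        const a = _(n + r + _(r + t + n));      // comParam_signature
        return [biaotou, n, r, a];
    }

------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------
Next, solve password in the form data. Search globally for password; username and password appear together here, so I guessed the encryption happens here and set the breakpoint at this spot
Stepping in leads here. The logic pads the account name the user entered with 0 at the end until its length is 24; if it is longer than 24 characters, the first 24 are taken
Step in with F9; this one is obvious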
----------------
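Rewrite the M function
Code (JavaScript):

    const cryptoJs = require('crypto-js');

    function M(username, password) {
        // Key material: the username padded with "0" to 24 characters,
        // or cut down to its first 24 characters
        if (username.length < 24) {
            for (let a = username.length; a < 24; a++) {
                username += "0";
            }
        } else {
            username = username.substring(0, 24);
        }
        const d = cryptoJs.enc.Utf8.parse(username);
        const s = {
            mode: cryptoJs.mode.ECB,
            padding: cryptoJs.pad.Pkcs7
        };
        // 3DES-ECB with PKCS7 padding; toString() returns Base64
        const l = cryptoJs.TripleDES.encrypt(password, d, s);
        return l.toString();
    }

    // console.log(M("adfsa@qq.com","123456"))

    // Entry point called from the Python script
    function login(userName, password) {
        return M(userName, password);
    }

Comparison of the run results: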
Main function:
Code (Python):

    import json
    import requests
    import subprocess
    from functools import partial

    # Force UTF-8 on the subprocess that execjs starts; must run before importing execjs
    subprocess.Popen = partial(subprocess.Popen, encoding="utf-8")
    import execjs

    base_url = "数据接口,自行填写"
    username = input("请输入您的账号:")
    password = input("请输入您的密码:")

    # Compute the encrypted password
    with open("password.js", encoding="utf-8") as f:
        jscode = f.read()
    js = execjs.compile(jscode)
    password_encryption = js.call("login", username, password)
    print(password_encryption)
    form_data = {
        "userName": username,
        "password": password_encryption
    }

    # Compute the signed header values and the signed query parameters
    with open("demo.js", encoding="utf-8") as f:
        jscode = f.read()
    js = execjs.compile(jscode)
    result = js.call("run")
    print(result)
    Csm = result[0]['sign']
    Cst = result[0]['time']
    print(Csm, Cst)

    headers = {
        "accept": "application/json, text/plain, */*",
        "accept-encoding": "gzip, deflate, br, zstd",
        "accept-language": "zh-CN,zh;q=0.9",
        "cache-control": "no-cache",
        "connection": "keep-alive",
        "content-length": "60",
        "content-type": "application/x-www-form-urlencoded",
        "csm": Csm,
        "cst": str(Cst),
        "host": "m.ctyun.cn",
        "origin": "。。。",
        "pragma": "no-cache",
        "referer": "。。。",
        "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
        "sec-ch-ua-mobile": "?0",
        "sec-ch-ua-platform": "\"Windows\"",
        "sec-fetch-dest": "empty",
        "sec-fetch-mode": "cors",
        "sec-fetch-site": "same-origin",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
        "x-riskdevicesign": "50b8ae96f222fd0f2879125bc5fc6e08",
    }
    params = {
        "referrer": "wap",
        "mainVersion": "300031500",
        "comParam_curTime": result[1],
        "comParam_seqCode": result[2],
        "comParam_signature": result[3],
        "isCheck": True,
        "locale": "zh-cn"
    }
    print(params)

    res = requests.post(base_url, headers=headers, params=params, data=form_data)
    user_data = res.text
    user_data = json.loads(user_data)
    print(json.dumps(user_data, indent=4, ensure_ascii=False))

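On a successful login it shows:
On a failed login it shows:
That is the whole process. If there are shortcomings, please point them out, and reverse-engineering resources are welcome too. I am still learning reverse engineering and have been at it for one month so far; a newbie on the road, grateful for any guidance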
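Added example (not part of the original post and not the site's code): the M function above keys 3DES-ECB with the userName value that travels in plaintext in the same form, so the password field is deterministic and can be reversed from the two form fields alone; the credential's confidentiality rests on TLS. The sketch uses Node's built-in crypto in place of crypto-js, assuming `des-ede3` with default padding matches M for ASCII usernames; `deriveKey`, `encryptPassword`, `recoverPassword`, `audit` and the sample credentials are constructed for illustration.

```javascript
// Added illustration; names and sample values are constructed, not taken from the site.
const nodeCrypto = require('crypto');

// Same key rule as M(): pad the username with "0" to 24 chars, or cut it to 24.
function deriveKey(username) {
  const key = Buffer.from(username.padEnd(24, '0').substring(0, 24), 'utf8');
  if (key.length !== 24) throw new Error('non-ASCII username: key is not 24 bytes');
  return key;
}

// 3DES-ECB, PKCS#7 padding, Base64 output (assumed equivalent to M()).
function encryptPassword(username, password) {
  const c = nodeCrypto.createCipheriv('des-ede3', deriveKey(username), null);
  return Buffer.concat([c.update(password, 'utf8'), c.final()]).toString('base64');
}

// The inverse needs nothing beyond the two form fields of one request.
function recoverPassword(username, passwordField) {
  const d = nodeCrypto.createDecipheriv('des-ede3', deriveKey(username), null);
  return Buffer.concat([d.update(passwordField, 'base64'), d.final()]).toString('utf8');
}

// Checks the three properties a reviewer of this scheme would look for.
function audit(username, password) {
  const field = encryptPassword(username, password);
  const raw = Buffer.from(field, 'base64');
  return {
    field,
    // No nonce or IV: the same credentials always produce the same field.
    deterministic: field === encryptPassword(username, password),
    // Key comes from public data: the plaintext comes straight back.
    recovered: recoverPassword(username, field),
    // ECB: equal 8-byte plaintext blocks give equal ciphertext blocks.
    ecbRepeat: raw.length >= 16 && raw.subarray(0, 8).equals(raw.subarray(8, 16)),
  };
}

// Constructed credentials; the password repeats one 8-byte block on purpose.
console.log(audit('user@example.com', 'abcdefghabcdefgh'));
```

A server-side design that wants more than TLS here needs a key the client does not derive from the request itself, for example a server public key, plus a per-request nonce.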
------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------