JS逆向分析--天翼云网站
目录
comParam_seqCode和comParam_signature参数
前言
分析网站天翼云登录的加密算法,此文章仅用于技术交流。
网站地址:https://m.ctyun.cn/wap/main/auth/login?redirect=%2Fmy
网站分析
一、打开网址随便输入账号和密码,按F12,打开网站抓包工具,点到网络页面。
二、点击登录按钮,查看抓到的数据包。发现抓到两个数据包,其中一个包含了登录的信息。
三、多次点击登录,观察那个数据是需要还原的,发现密码(password)是加密了的,然后有两个参数(comParam_seqCode,comParam_signature)是会随机改变的,还有一个变化的是时间戳(comParam_curTime),接下来就是把这几个参数还原出来就行了。
逆向分析(扣JS)
密码分析
首先:搜索要分析的参数,先解决密码的加密:
搜索password参数一个一个往下找,哎,突然发现这里有账号和密码有点意思了,打上两个断点,点击登录看看。
没错了,密码就是这里加密的,接下来就是分析【encodeURI(Object(u["c"])(s.value, Object(u["f"])(Object(u["g"])(a.value))))】这条数据就行了。
通过分析可知:a.value就是账号,Object(u["g"])是K函数,Object(u["f"])是F(e)函数,s.value是密码,Object(u["c"])是T(e)函数。
接下来就是将相应的JS扣下来就行了。
function getpassword() {
var a = "123456";
var b = "123456789@163.com";
return T(a,F((K)(b)))
}
const CryptoJS = require('crypto-js')
function T(e) {
var n = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : "",
t = arguments.length > 2 && void 0 !== arguments[2] ? arguments[2] : {},
a = t.enc,
r = void 0 === a ? "Utf8": a,
c = t.mode,
i = void 0 === c ? "ECB": c,
o = t.padding,
u = void 0 === o ? "Pkcs7": o,
d = CryptoJS.enc[r].parse(n),
l = {
mode: CryptoJS.mode[i],
padding: CryptoJS.pad[u]
},
s = CryptoJS.TripleDES.encrypt(e, d, l);
return s.toString()
}
function F(e) {
var n = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : {};
if (e && "string" === typeof e) {
var t = n.text || "0",
a = n.length || 24;
if (e.length < a) for (var r = e.length; r < a; r++) e += t;
else e = e.substring(0, a);
return e
}}
function K() {
var e = arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : "";
return e.replace(/\s+/g, "")
}
console.log(getpassword())
comParam_seqCode和comParam_signature参数
和password一样,先搜索参数看下在哪里出现,哎,刚刚好,这两个参数都在同一地方,这样我们可以一起分析了。
下断点,运行发现,comParam_seqCode参数刚好是一个函数生成的,好的,简单,扣它下来,完成。
function A() {
var e, n, t = arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : 32, a = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : 16, r = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".split(""), c = [];
if (a = a || r.length,
t)
for (e = 0; e < t; e++)
c[e] = r[0 | Math.random() * a];
else
for (c[8] = c[13] = c[18] = c[23] = "-",
c[14] = "4",
e = 0; e < 36; e++)
c[e] || (n = 0 | 16 * Math.random(),
c[e] = r[19 === e ? 3 & n | 8 : n]);
return c.join("")
}
function getcomParam_seqCode(){
return A()
}
console.log(getcomParam_seqCode())而 comParam_signature参数,分析发现o()是S函数,n是时间戳,a是comParam_seqCode参数,t是一个固定的字符串,这样简简单单的comParam_signature参数也出来了。
function B(){
var n = (new Date).getTime() - "1283";
var t = "s54zv9bm1vd5czfujy6nnuxj1l4g2ny6";
return S(n + A + S(A+ t + n))
}
function i(t, e) {
var n = (65535 & t) + (65535 & e)
, r = (t >> 16) + (e >> 16) + (n >> 16);
return r << 16 | 65535 & n
}
function a(t, e) {
return t << e | t >>> 32 - e
}
function u(t, e, n, r, o, u) {
return i(a(i(i(e, t), i(r, u)), o), n)
}
function c(t, e, n, r, o, i, a) {
return u(e & n | ~e & r, t, e, o, i, a)
}
function s(t, e, n, r, o, i, a) {
return u(e & r | n & ~r, t, e, o, i, a)
}
function f(t, e, n, r, o, i, a) {
return u(e ^ n ^ r, t, e, o, i, a)
}
function l(t, e, n, r, o, i, a) {
return u(n ^ (e | ~r), t, e, o, i, a)
}
function p(t, e) {
var n, r, o, a, u;
t[e >> 5] |= 128 << e % 32,
t[14 + (e + 64 >>> 9 << 4)] = e;
var p = 1732584193
, h = -271733879
, d = -1732584194
, v = 271733878;
for (n = 0; n < t.length; n += 16)
r = p,
o = h,
a = d,
u = v,
p = c(p, h, d, v, t[n], 7, -680876936),
v = c(v, p, h, d, t[n + 1], 12, -389564586),
d = c(d, v, p, h, t[n + 2], 17, 606105819),
h = c(h, d, v, p, t[n + 3], 22, -1044525330),
p = c(p, h, d, v, t[n + 4], 7, -176418897),
v = c(v, p, h, d, t[n + 5], 12, 1200080426),
d = c(d, v, p, h, t[n + 6], 17, -1473231341),
h = c(h, d, v, p, t[n + 7], 22, -45705983),
p = c(p, h, d, v, t[n + 8], 7, 1770035416),
v = c(v, p, h, d, t[n + 9], 12, -1958414417),
d = c(d, v, p, h, t[n + 10], 17, -42063),
h = c(h, d, v, p, t[n + 11], 22, -1990404162),
p = c(p, h, d, v, t[n + 12], 7, 1804603682),
v = c(v, p, h, d, t[n + 13], 12, -40341101),
d = c(d, v, p, h, t[n + 14], 17, -1502002290),
h = c(h, d, v, p, t[n + 15], 22, 1236535329),
p = s(p, h, d, v, t[n + 1], 5, -165796510),
v = s(v, p, h, d, t[n + 6], 9, -1069501632),
d = s(d, v, p, h, t[n + 11], 14, 643717713),
h = s(h, d, v, p, t[n], 20, -373897302),
p = s(p, h, d, v, t[n + 5], 5, -701558691),
v = s(v, p, h, d, t[n + 10], 9, 38016083),
d = s(d, v, p, h, t[n + 15], 14, -660478335),
h = s(h, d, v, p, t[n + 4], 20, -405537848),
p = s(p, h, d, v, t[n + 9], 5, 568446438),
v = s(v, p, h, d, t[n + 14], 9, -1019803690),
d = s(d, v, p, h, t[n + 3], 14, -187363961),
h = s(h, d, v, p, t[n + 8], 20, 1163531501),
p = s(p, h, d, v, t[n + 13], 5, -1444681467),
v = s(v, p, h, d, t[n + 2], 9, -51403784),
d = s(d, v, p, h, t[n + 7], 14, 1735328473),
h = s(h, d, v, p, t[n + 12], 20, -1926607734),
p = f(p, h, d, v, t[n + 5], 4, -378558),
v = f(v, p, h, d, t[n + 8], 11, -2022574463),
d = f(d, v, p, h, t[n + 11], 16, 1839030562),
h = f(h, d, v, p, t[n + 14], 23, -35309556),
p = f(p, h, d, v, t[n + 1], 4, -1530992060),
v = f(v, p, h, d, t[n + 4], 11, 1272893353),
d = f(d, v, p, h, t[n + 7], 16, -155497632),
h = f(h, d, v, p, t[n + 10], 23, -1094730640),
p = f(p, h, d, v, t[n + 13], 4, 681279174),
v = f(v, p, h, d, t[n], 11, -358537222),
d = f(d, v, p, h, t[n + 3], 16, -722521979),
h = f(h, d, v, p, t[n + 6], 23, 76029189),
p = f(p, h, d, v, t[n + 9], 4, -640364487),
v = f(v, p, h, d, t[n + 12], 11, -421815835),
d = f(d, v, p, h, t[n + 15], 16, 530742520),
h = f(h, d, v, p, t[n + 2], 23, -995338651),
p = l(p, h, d, v, t[n], 6, -198630844),
v = l(v, p, h, d, t[n + 7], 10, 1126891415),
d = l(d, v, p, h, t[n + 14], 15, -1416354905),
h = l(h, d, v, p, t[n + 5], 21, -57434055),
p = l(p, h, d, v, t[n + 12], 6, 1700485571),
v = l(v, p, h, d, t[n + 3], 10, -1894986606),
d = l(d, v, p, h, t[n + 10], 15, -1051523),
h = l(h, d, v, p, t[n + 1], 21, -2054922799),
p = l(p, h, d, v, t[n + 8], 6, 1873313359),
v = l(v, p, h, d, t[n + 15], 10, -30611744),
d = l(d, v, p, h, t[n + 6], 15, -1560198380),
h = l(h, d, v, p, t[n + 13], 21, 1309151649),
p = l(p, h, d, v, t[n + 4], 6, -145523070),
v = l(v, p, h, d, t[n + 11], 10, -1120210379),
d = l(d, v, p, h, t[n + 2], 15, 718787259),
h = l(h, d, v, p, t[n + 9], 21, -343485551),
p = i(p, r),
h = i(h, o),
d = i(d, a),
v = i(v, u);
return [p, h, d, v]
}
function h(t) {
var e, n = "", r = 32 * t.length;
for (e = 0; e < r; e += 8)
n += String.fromCharCode(t[e >> 5] >>> e % 32 & 255);
return n
}
function d(t) {
var e, n = [];
for (n[(t.length >> 2) - 1] = void 0,
e = 0; e < n.length; e += 1)
n[e] = 0;
var r = 8 * t.length;
for (e = 0; e < r; e += 8)
n[e >> 5] |= (255 & t.charCodeAt(e / 8)) << e % 32;
return n
}
function v(t) {
return h(p(d(t), 8 * t.length))
}
function y(t, e) {
var n, r, o = d(t), i = [], a = [];
for (i[15] = a[15] = void 0,
o.length > 16 && (o = p(o, 8 * t.length)),
n = 0; n < 16; n += 1)
i[n] = 909522486 ^ o[n],
a[n] = 1549556828 ^ o[n];
return r = p(i.concat(d(e)), 512 + 8 * e.length),
h(p(a.concat(r), 640))
}
function g(t) {
var e, n, r = "0123456789abcdef", o = "";
for (n = 0; n < t.length; n += 1)
e = t.charCodeAt(n),
o += r.charAt(e >>> 4 & 15) + r.charAt(15 & e);
return o
}
function b(t) {
return unescape(encodeURIComponent(t))
}
function m(t) {
return v(b(t))
}
function _(t) {
return g(m(t))
}
function w(t, e) {
return y(b(t), b(e))
}
function x(t, e) {
return g(w(t, e))
}
function S(t, e, n) {
return e ? n ? w(e, t) : x(e, t) : n ? m(t) : _(t)
}
console.log(B())
总结
这样一个网站的登录分析就出来了,好了,今天分析网站到此结束。
注意:本文章只用于技术交流。
