js逆向步骤
- js调试工具
- PyExecJs
- 实现使用python执行js代码
- 安装环境
- 安装node.js开发环境
- pip install PyExecJs
- js算法改写初探
- 打断点
- 代码调试时,如果发现了相关变量的缺失,一般给其定义成空字典即可。
- 代码调试时,如果js内置对象确实,直接将该内置对象赋值为
this。例如:window = this;
js反混淆
- 相关概念
- js混淆:对核心的js代码进行加密
- js反混淆:对js加密代码进行解密
- 破解
- 使用浏览器自带的反混淆工具【推荐】:打开开发者工具 ----> 点击小齿轮 ----> 找到Souces选项卡 ----> 勾选Search in anonymous and scripts框 ----> 刷新页面
- 暴力破解【迫不得已】:暴力破解网站
1. 微信公众号平台js算法逆向【MD5算法】
import execjs
# 1. 实例化一个node对象
node = execjs.get()
# 2. js源文件编译
ctx = node.compile(open('./js源文件./wechat.js',encoding='utf-8').read())
# 3. 执行js函数
funcName = 'getPwd("{}")'.format('123123123')
pwd = ctx.eval(funcName)
print(pwd)
2. Steam游戏平台js算法逆向【RSA算法】
import requests
import execjs
import time
# 动态获取mod和exp串
url = 'https://store.steampowered.com/login/getrsakey/'
data = {
'donotcache': str(int(time.time() * 1000)), # 时间戳
'username': '123@qq.com',
}
headers = {
'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36',
}
response_json = requests.post(url=url,headers=headers,data=data).json()
mod = response_json['publickey_mod']
exp = response_json['publickey_exp']
# 1. 实例化一个node对象
node = execjs.get()
# 2. js源文件编译
ctx = node.compile(open('./js源文件./steam.js',encoding='utf-8').read())
# 3. 执行js函数
funcName = 'getPwd("{0}","{1}","{2}")'.format('123123123',mod,exp)
pwd = ctx.eval(funcName)
print(pwd)
3. 凡科网js算法逆向【MD5算法】
import execjs
# 1. 实例化一个node对象
node = execjs.get()
# 2. js源文件编译
ctx = node.compile(open('./js源文件/fanke.js',encoding='utf-8').read())
# 3. 执行js函数
funcName = 'md5("{0}")'.format('123123123')
pwd = ctx.eval(funcName)
print(pwd)
4. 完美世界游戏js算法逆向【RSA算法】
import requests
from lxml import etree
import execjs
# 获取公钥串
url = 'https://passport.wanmei.com/sso/login?service=passport&isiframe=1&location=2f736166652f'
headers = {
'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36',
}
response_text = requests.post(url=url,headers=headers).text
tree = etree.HTML(response_text)
publicKey = tree.xpath('//input[@id="e"]/@value')[0]
# 1. 实例化一个node对象
node = execjs.get()
# 2. js源文件编译
ctx = node.compile(open('./js源文件/wanmei.js',encoding='utf-8').read())
# 3. 执行js函数
funcName = 'getPwd("{0}","{1}")'.format('123123123',publicKey)
pwd = ctx.eval(funcName)
print(pwd)
5. 试客联盟js算法逆向【RSA算法】
import requests
from lxml import etree
import execjs
import re
# 获取rsa_n串
url = 'http://login.shikee.com/getkey?v=19b53e441bc51f28a9e6afead8e665ea'
headers = {
'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36',
}
response_text = requests.get(url=url,headers=headers).text
ex = 'var rsa_n = "(.*?)";'
rsa_n = re.findall(ex,response_text)[0]
# 1. 实例化一个node对象
node = execjs.get()
# 2. js源文件编译
ctx = node.compile(open('./js源文件/shike.js',encoding='utf-8').read())
# 3. 执行js函数
funcName = 'getPwd("{}","{}")'.format('123123123',rsa_n)
pwd = ctx.eval(funcName)
print(pwd)
6. 空中网js算法逆向【RSA算法】
import requests
import execjs
import re
import json
# 获取j_data['dc']串
url = 'https://sso.kongzhong.com/ajaxLogin?j=j&jsonp=j&service=https://passport.kongzhong.com/&_=1626875097213'
headers = {
'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36',
'Referer': 'https://passport.kongzhong.com/'
}
response_text = requests.get(url=url,headers=headers).text
ex = "KZLoginHandler.jsonpCallbackKongZ\((.*?)\)"
data = re.findall(ex,response_text)[0]
dc = json.loads(data)['dc']
# 1. 实例化一个node对象
node = execjs.get()
# 2. js源文件编译
ctx = node.compile(open('./js源文件/kongzhong.js',encoding='utf-8').read())
# 3. 执行js函数
funcName = 'getPwd("{}","{}")'.format('123123123',dc)
pwd = ctx.eval(funcName)
print(pwd)
7. 长房网js算法逆向【DES算法】
import execjs
# 1. 实例化一个node对象
node = execjs.get()
# 2. js源文件编译
ctx = node.compile(open('./js源文件/changfang.js',encoding='utf-8').read())
# 3. 执行js函数
funcName = 'getPwd("{}")'.format('123123123')
pwd = ctx.eval(funcName)
print(pwd)
8. 有道翻译js算法逆向【MD5算法】
import time
import random
import execjs
import requests
word = input("Please input a English word:")
r = str(int(time.time() * 1000))
i = r + str(random.randint(0,9))
# 1. 实例化一个node对象
node = execjs.get()
# 2. js源文件编译
ctx = node.compile(open('./js源文件/youdao.js',encoding='utf-8').read())
# 3. 执行js函数
funcName = 'getSign("{}","{}")'.format(word,i)
sign = ctx.eval(funcName)
url = 'https://fanyi.youdao.com/translate_o?smartresult=dict&smartresult=rule'
headers = {
'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36',
'Referer': 'https://fanyi.youdao.com/',
'Cookie': 'OUTFOX_SEARCH_USER_ID_NCOO=512615467.85577774; OUTFOX_SEARCH_USER_ID="-673357154@10.169.0.82"; _ga=GA1.2.446310143.1622377950; _ntes_nnid=4ef5ec83bdbbbe870ec8f8c735810336,1622941677257; JSESSIONID=aaa-vW4aILneN-aFSiiRx; ___rl__test__cookies=1626879075736',
}
data = {
'i': word,
'from': 'AUTO',
'to': 'AUTO',
'smartresult': 'dict',
'client': 'fanyideskweb',
'salt': i,
'sign': sign,
'lts': r,
'bv': '24ecb70ba6203e4453baed50aa26b78e',
'doctype': 'json',
'version': '2.1',
'keyfrom': 'fanyi.web',
'action': 'FY_BY_REALTlME',
}
response_json = requests.post(url=url,headers=headers,data=data).json()
print(response_json)
9. CTE四六级js算法逆向【DES算法】
import execjs
# 1. 实例化一个node对象
node = execjs.get()
# 2. js源文件编译
ctx = node.compile(open('./js源文件/CTE.js',encoding='utf-8').read())
# 3. 执行js函数
funcName = 'getPwd("{}")'.format('123123123')
pwd = ctx.eval(funcName)print(pwd)
