欢迎来到赛兔子家园

逆向之闭包技巧

需求

凡科网登录密码逆向。

地址:https://i.fkw.com/

具体流程

通过谷歌浏览器开发者工具登录请求,发现是使用md5加密

查找进行md5加密的前端js代码

 进入md5加密函数的代码页面,分析代码

 复制到js调试工具中调试代码

总结:需要逆向的js函数实现是出现在一个闭包中,那么直接将闭包的整个代码块拷贝出进行调试即可。

调试成功后保持本地fke.js

(function(g) {
function o(u, z) {
    var w = (u & 65535) + (z & 65535),
    v = (u >> 16) + (z >> 16) + (w >> 16);
    return (v << 16) | (w & 65535)
}
function s(u, v) {
    return (u << v) | (u >>> (32 - v))
}
function c(A, w, v, u, z, y) {
    return o(s(o(o(w, A), o(u, y)), z), v)
}
function b(w, v, B, A, u, z, y) {
    return c((v & B) | ((~v) & A), w, v, u, z, y)
}
function i(w, v, B, A, u, z, y) {
    return c((v & A) | (B & (~A)), w, v, u, z, y)
}
function n(w, v, B, A, u, z, y) {
    return c(v ^ B ^ A, w, v, u, z, y)
}
function a(w, v, B, A, u, z, y) {
    return c(B ^ (v | (~A)), w, v, u, z, y)
}
function d(F, A) {
    F[A >> 5] |= 128 << ((A) % 32);
    F[(((A + 64) >>> 9) << 4) + 14] = A;
    var w, z, y, v, u, E = 1732584193,
    D = -271733879,
    C = -1732584194,
    B = 271733878;
    for (w = 0; w < F.length; w += 16) {
        z = E;
        y = D;
        v = C;
        u = B;
        E = b(E, D, C, B, F[w], 7, -680876936);
        B = b(B, E, D, C, F[w + 1], 12, -389564586);
        C = b(C, B, E, D, F[w + 2], 17, 606105819);
        D = b(D, C, B, E, F[w + 3], 22, -1044525330);
        E = b(E, D, C, B, F[w + 4], 7, -176418897);
        B = b(B, E, D, C, F[w + 5], 12, 1200080426);
        C = b(C, B, E, D, F[w + 6], 17, -1473231341);
        D = b(D, C, B, E, F[w + 7], 22, -45705983);
        E = b(E, D, C, B, F[w + 8], 7, 1770035416);
        B = b(B, E, D, C, F[w + 9], 12, -1958414417);
        C = b(C, B, E, D, F[w + 10], 17, -42063);
        D = b(D, C, B, E, F[w + 11], 22, -1990404162);
        E = b(E, D, C, B, F[w + 12], 7, 1804603682);
        B = b(B, E, D, C, F[w + 13], 12, -40341101);
        C = b(C, B, E, D, F[w + 14], 17, -1502002290);
        D = b(D, C, B, E, F[w + 15], 22, 1236535329);
        E = i(E, D, C, B, F[w + 1], 5, -165796510);
        B = i(B, E, D, C, F[w + 6], 9, -1069501632);
        C = i(C, B, E, D, F[w + 11], 14, 643717713);
        D = i(D, C, B, E, F[w], 20, -373897302);
        E = i(E, D, C, B, F[w + 5], 5, -701558691);
        B = i(B, E, D, C, F[w + 10], 9, 38016083);
        C = i(C, B, E, D, F[w + 15], 14, -660478335);
        D = i(D, C, B, E, F[w + 4], 20, -405537848);
        E = i(E, D, C, B, F[w + 9], 5, 568446438);
        B = i(B, E, D, C, F[w + 14], 9, -1019803690);
        C = i(C, B, E, D, F[w + 3], 14, -187363961);
        D = i(D, C, B, E, F[w + 8], 20, 1163531501);
        E = i(E, D, C, B, F[w + 13], 5, -1444681467);
        B = i(B, E, D, C, F[w + 2], 9, -51403784);
        C = i(C, B, E, D, F[w + 7], 14, 1735328473);
        D = i(D, C, B, E, F[w + 12], 20, -1926607734);
        E = n(E, D, C, B, F[w + 5], 4, -378558);
        B = n(B, E, D, C, F[w + 8], 11, -2022574463);
        C = n(C, B, E, D, F[w + 11], 16, 1839030562);
        D = n(D, C, B, E, F[w + 14], 23, -35309556);
        E = n(E, D, C, B, F[w + 1], 4, -1530992060);
        B = n(B, E, D, C, F[w + 4], 11, 1272893353);
        C = n(C, B, E, D, F[w + 7], 16, -155497632);
        D = n(D, C, B, E, F[w + 10], 23, -1094730640);
        E = n(E, D, C, B, F[w + 13], 4, 681279174);
        B = n(B, E, D, C, F[w], 11, -358537222);
        C = n(C, B, E, D, F[w + 3], 16, -722521979);
        D = n(D, C, B, E, F[w + 6], 23, 76029189);
        E = n(E, D, C, B, F[w + 9], 4, -640364487);
        B = n(B, E, D, C, F[w + 12], 11, -421815835);
        C = n(C, B, E, D, F[w + 15], 16, 530742520);
        D = n(D, C, B, E, F[w + 2], 23, -995338651);
        E = a(E, D, C, B, F[w], 6, -198630844);
        B = a(B, E, D, C, F[w + 7], 10, 1126891415);
        C = a(C, B, E, D, F[w + 14], 15, -1416354905);
        D = a(D, C, B, E, F[w + 5], 21, -57434055);
        E = a(E, D, C, B, F[w + 12], 6, 1700485571);
        B = a(B, E, D, C, F[w + 3], 10, -1894986606);
        C = a(C, B, E, D, F[w + 10], 15, -1051523);
        D = a(D, C, B, E, F[w + 1], 21, -2054922799);
        E = a(E, D, C, B, F[w + 8], 6, 1873313359);
        B = a(B, E, D, C, F[w + 15], 10, -30611744);
        C = a(C, B, E, D, F[w + 6], 15, -1560198380);
        D = a(D, C, B, E, F[w + 13], 21, 1309151649);
        E = a(E, D, C, B, F[w + 4], 6, -145523070);
        B = a(B, E, D, C, F[w + 11], 10, -1120210379);
        C = a(C, B, E, D, F[w + 2], 15, 718787259);
        D = a(D, C, B, E, F[w + 9], 21, -343485551);
        E = o(E, z);
        D = o(D, y);
        C = o(C, v);
        B = o(B, u)
    }
    return [E, D, C, B]
}
function p(v) {
    var w, u = "";
    for (w = 0; w < v.length * 32; w += 8) {
        u += String.fromCharCode((v[w >> 5] >>> (w % 32)) & 255)
    }
    return u
}
function j(v) {
    var w, u = [];
    u[(v.length >> 2) - 1] = undefined;
    for (w = 0; w < u.length; w += 1) {
        u[w] = 0
    }
    for (w = 0; w < v.length * 8; w += 8) {
        u[w >> 5] |= (v.charCodeAt(w / 8) & 255) << (w % 32)
    }
    return u
}
function k(u) {
    return p(d(j(u), u.length * 8))
}
function f(w, z) {
    var v, y = j(w),
    u = [],
    x = [],
    A;
    u[15] = x[15] = undefined;
    if (y.length > 16) {
        y = d(y, w.length * 8)
    }
    for (v = 0; v < 16; v += 1) {
        u[v] = y[v] ^ 909522486;
        x[v] = y[v] ^ 1549556828
    }
    A = d(u.concat(j(z)), 512 + z.length * 8);
    return p(d(x.concat(A), 512 + 128))
}
function t(w) {
    var z = "0123456789abcdef",
    v = "",
    u, y;
    for (y = 0; y < w.length; y += 1) {
        u = w.charCodeAt(y);
        v += z.charAt((u >>> 4) & 15) + z.charAt(u & 15)
    }
    return v
}
function m(u) {
    return unescape(encodeURIComponent(u))
}
function q(u) {
    return k(m(u))
}
function l(u) {
    return t(q(u))
}
function h(u, v) {
    return f(m(u), m(v))
}
function r(u, v) {
    return t(h(u, v))
}
g.md5 = function(v, w, u) {
    if (!w) {
        if (!u) {
            return l(v)
        } else {
            return q(v)
        }
    }
    if (!u) {
        return r(w, v)
    } else {
        return h(w, v)
    }
}
} (typeof jQuery === "function" ? jQuery: this));

fkw.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# author: 青城子
# datetime: 2021/9/1 20:27 
# ide: PyCharm

import execjs


class Fkw:
    def __init__(self, password="123456", exe_function="md5"):
        self.password = password
        self.exe_function = exe_function
        # 1、实例化一个node对象
        self.node = execjs.get()

    def reverse_engineer(self):
        """
        js源码编译和执行
        :return:
        """
        ctx = self.node.compile(open("../static/fke.js", encoding="utf-8").read())
        func_name = "{0}('{1}')".format(self.exe_function, self.password)
        return ctx.eval(func_name)  # 执行获取加密后的pwd


if __name__ == '__main__':
    obj = Fkw()
    pwd = obj.reverse_engineer()
    print(pwd)

代码地址:https://gitee.com/tianxiang2018/spider-item

 

posted on 2021-09-01 20:47  赛兔子  阅读(112)  评论(0编辑  收藏  举报

导航