天翼云登錄參數 password 、comParam_curTime、comParam_seqCode、comParam_signature JavaSrcipt逆向
目標網站
https://m.ctyun.cn/wap/main/auth/login?redirect=/my
目標參數
要逆向的有 password、comParam_curTime、comParam_seqCode、comParam_signature 四個參數
逆向分析
打開搜索工具欄,根據經驗搜索**password:**得到
猜測password大概在此處加密
userName: Object(w["g"])(r.value),password: encodeURI(Object(w["c"])(a.value, Object(w["f"])(Object(w["g"])(r.value))))
此處添加斷點,輸入賬號、密碼,從新登錄,斷點斷住,分析得出密碼在此處加密。
只要解出 Object(u[“c”])、Object(u[“f”])、Object(u[“g”])、a.value、s.value 即可
在控制臺輸入 **a.value、s.value,**其值分別為賬號、密碼
Object(w[“c”]) 方法是一個 M 函數:
M = function(e) {var n = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : "",t = arguments.length > 2 && void 0 !== arguments[2] ? arguments[2] : {}, r = t.enc,a = void 0 === r ? "Utf8" : r,o = t.mode,c = void 0 === o ? "ECB" : o,i = t.padding,u = void 0 === i ? "Pkcs7" : i,d = p.a.enc[a].parse(n),s = {mode: p.a.mode[c],padding: p.a.pad[u]}, l = p.a.TripleDES.encrypt(e, d, s);return l.toString()
}
p.a 屬性不用扣代碼,使用 crypto-js 第三方模塊就可以
Object(w[“f”]) 方法是一個 _ 函數:
_ = function(e) {var n = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : {};if (e && "string" === typeof e) {var t = n.text || "0",r = n.length || 24;if (e.length < r) for (var a = e.length; a < r; a++)e += t;else e = e.substring(0, r);return e}
}
Object(w[“g”]) 方法是一個 K 函數:
Q = function() {var e = arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : "";return e.replace(/\s+/g, "")
};
代碼:
// crypto-js 模塊安裝命令:npm i crypto-js --save
const CryptoJS = require('crypto-js')const T = function (e) {var n = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : "", t = arguments.length > 2 && void 0 !== arguments[2] ? arguments[2] : {}, a = t.enc, r = void 0 === a ? "Utf8" : a, c = t.mode, i = void 0 === c ? "ECB" : c, o = t.padding, u = void 0 === o ? "Pkcs7" : o, d = CryptoJS.enc[r].parse(n), l = {mode: CryptoJS.mode[i],padding: CryptoJS.pad[u]}, s = CryptoJS.TripleDES.encrypt(e, d, l);return s.toString()
}const F = function (e) {var n = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : {};if (e && "string" === typeof e) {var t = n.text || "0", a = n.length || 24;if (e.length < a)for (var r = e.length; r < a; r++)e += t;elsee = e.substring(0, a);return e}
}const K = function () {var e = arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : "";return e.replace(/\s+/g, "")
}const password = encodeURI(T('abc123', F(K('123@163.com'))))
console.log(password)
運行結果與瀏覽器一致:
mY7jlZItWJ8=
comParam_curTime
全局搜索 comParam_curTime
發現與 comParam_seqCode、comParam_signature 是放在一起的
在 return 處打上斷點重新登錄
comParam_curTime 值是變量 n:
n = (new Date).getTime() - h.getTimestampOffset()
h.getTimestampOffset() 是一個函數:
h.getTimestampOffset = function() {return localStorage.getItem("timestampOffset") || f
}
它返回一個整數形式的字符串,如果頁面關閉后再打開,那么該字符串也隨之改變。可以把它寫成一個固定值
代碼:
const n = (new Date).getTime() - '512'
console.log(n)
運行結果:
1663060561792
comParam_seqCode
comParam_seqCode 值是變量 r
r = Object(u["k"])()
Object(u[“k”]) 是一個 H 函數
H = function() {var e, n, t = arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : 32,r = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : 16,a = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".split(""),o = [];if (r = r || a.length,t) for (e = 0; e < t; e++)o[e] = a[0 | Math.random() * r];else for (o[8] = o[13] = o[18] = o[23] = "-",o[14] = "4",e = 0; e < 36; e++)o[e] || (n = 0 | 16 * Math.random(),o[e] = a[19 === e ? 3 & n | 8 : n]);return o.join("")
}
運行結果:
C1255B5F897C5C4F6EC0379ED98A3890
comParam_signature
comParam_signature 值是變量 a:
a = i()(n + r + i()(r + t + n));
n 是 comParam_curTime
r 是 comParam_seqCode
t 是 s54zv9bm1vd5czfujy6nnuxj1l4g2ny6 固定值
i() 是 S 函數
function S(t, e, n) {return e ? n ? w(e, t) : x(e, t) : n ? m(t) : _(t)
}
r = function() {return S
}
代碼:
function i(t, e) {var n = (65535 & t) + (65535 & e),r = (t >> 16) + (e >> 16) + (n >> 16);return r << 16 | 65535 & n
}function a(t, e) {return t << e | t >>> 32 - e
}function c(t, e, n, r, o, c) {return i(a(i(i(e, t), i(r, c)), o), n)
}function u(t, e, n, r, o, i, a) {return c(e & n | ~e & r, t, e, o, i, a)
}function s(t, e, n, r, o, i, a) {return c(e & r | n & ~r, t, e, o, i, a)
}function f(t, e, n, r, o, i, a) {return c(e ^ n ^ r, t, e, o, i, a)
}function l(t, e, n, r, o, i, a) {return c(n ^ (e | ~r), t, e, o, i, a)
}function p(t, e) {var n, r, o, a, c;t[e >> 5] |= 128 << e % 32,t[14 + (e + 64 >>> 9 << 4)] = e;var p = 1732584193,h = -271733879,d = -1732584194,v = 271733878;for (n = 0; n < t.length; n += 16)r = p,o = h,a = d,c = v,p = u(p, h, d, v, t[n], 7, -680876936),v = u(v, p, h, d, t[n + 1], 12, -389564586),d = u(d, v, p, h, t[n + 2], 17, 606105819),h = u(h, d, v, p, t[n + 3], 22, -1044525330),p = u(p, h, d, v, t[n + 4], 7, -176418897),v = u(v, p, h, d, t[n + 5], 12, 1200080426),d = u(d, v, p, h, t[n + 6], 17, -1473231341),h = u(h, d, v, p, t[n + 7], 22, -45705983),p = u(p, h, d, v, t[n + 8], 7, 1770035416),v = u(v, p, h, d, t[n + 9], 12, -1958414417),d = u(d, v, p, h, t[n + 10], 17, -42063),h = u(h, d, v, p, t[n + 11], 22, -1990404162),p = u(p, h, d, v, t[n + 12], 7, 1804603682),v = u(v, p, h, d, t[n + 13], 12, -40341101),d = u(d, v, p, h, t[n + 14], 17, -1502002290),h = u(h, d, v, p, t[n + 15], 22, 1236535329),p = s(p, h, d, v, t[n + 1], 5, -165796510),v = s(v, p, h, d, t[n + 6], 9, -1069501632),d = s(d, v, p, h, t[n + 11], 14, 643717713),h = s(h, d, v, p, t[n], 20, -373897302),p = s(p, h, d, v, t[n + 5], 5, -701558691),v = s(v, p, h, d, t[n + 10], 9, 38016083),d = s(d, v, p, h, t[n + 15], 14, -660478335),h = s(h, d, v, p, t[n + 4], 20, -405537848),p = s(p, h, d, v, t[n + 9], 5, 568446438),v = s(v, p, h, d, t[n + 14], 9, -1019803690),d = s(d, v, p, h, t[n + 3], 14, -187363961),h = s(h, d, v, p, t[n + 8], 20, 1163531501),p = s(p, h, d, v, t[n + 13], 5, -1444681467),v = s(v, p, h, d, t[n + 2], 9, -51403784),d = s(d, v, p, h, t[n + 7], 14, 1735328473),h = s(h, d, v, p, t[n + 12], 20, -1926607734),p = f(p, h, d, v, t[n + 5], 4, -378558),v = f(v, p, h, d, t[n + 8], 11, -2022574463),d = f(d, v, p, h, t[n + 11], 16, 1839030562),h = f(h, d, v, p, t[n + 14], 23, -35309556),p = f(p, h, d, v, t[n + 1], 4, -1530992060),v = f(v, p, h, d, t[n + 4], 11, 1272893353),d = f(d, v, p, h, t[n + 7], 16, -155497632),h = f(h, d, v, p, t[n + 10], 23, -1094730640),p = f(p, h, d, v, t[n + 13], 4, 681279174),v = f(v, p, h, d, t[n], 11, -358537222),d = f(d, v, p, h, t[n + 3], 16, -722521979),h = f(h, d, v, p, t[n + 6], 23, 76029189),p = f(p, h, d, v, t[n + 9], 4, -640364487),v = f(v, p, h, d, t[n + 12], 11, -421815835),d = f(d, v, p, h, t[n + 15], 16, 530742520),h = f(h, d, v, p, t[n + 2], 23, -995338651),p = l(p, h, d, v, t[n], 6, -198630844),v = l(v, p, h, d, t[n + 7], 10, 1126891415),d = l(d, v, p, h, t[n + 14], 15, -1416354905),h = l(h, d, v, p, t[n + 5], 21, -57434055),p = l(p, h, d, v, t[n + 12], 6, 1700485571),v = l(v, p, h, d, t[n + 3], 10, -1894986606),d = l(d, v, p, h, t[n + 10], 15, -1051523),h = l(h, d, v, p, t[n + 1], 21, -2054922799),p = l(p, h, d, v, t[n + 8], 6, 1873313359),v = l(v, p, h, d, t[n + 15], 10, -30611744),d = l(d, v, p, h, t[n + 6], 15, -1560198380),h = l(h, d, v, p, t[n + 13], 21, 1309151649),p = l(p, h, d, v, t[n + 4], 6, -145523070),v = l(v, p, h, d, t[n + 11], 10, -1120210379),d = l(d, v, p, h, t[n + 2], 15, 718787259),h = l(h, d, v, p, t[n + 9], 21, -343485551),p = i(p, r),h = i(h, o),d = i(d, a),v = i(v, c);return [p, h, d, v]
}function h(t) {var e, n = "",r = 32 * t.length;for (e = 0; e < r; e += 8)n += String.fromCharCode(t[e >> 5] >>> e % 32 & 255);return n
}function d(t) {var e, n = [];for (n[(t.length >> 2) - 1] = void 0,e = 0; e < n.length; e += 1)n[e] = 0;var r = 8 * t.length;for (e = 0; e < r; e += 8)n[e >> 5] |= (255 & t.charCodeAt(e / 8)) << e % 32;return n
}function v(t) {return h(p(d(t), 8 * t.length))
}function y(t, e) {var n, r, o = d(t),i = [],a = [];for (i[15] = a[15] = void 0,o.length > 16 && (o = p(o, 8 * t.length)),n = 0; n < 16; n += 1)i[n] = 909522486 ^ o[n],a[n] = 1549556828 ^ o[n];return r = p(i.concat(d(e)), 512 + 8 * e.length),h(p(a.concat(r), 640))
}function g(t) {var e, n, r = "0123456789abcdef",o = "";for (n = 0; n < t.length; n += 1)e = t.charCodeAt(n),o += r.charAt(e >>> 4 & 15) + r.charAt(15 & e);return o
}function b(t) {return unescape(encodeURIComponent(t))
}function m(t) {return v(b(t))
}function _(t) {return g(m(t))
}function w(t, e) {return y(b(t), b(e))
}function x(t, e) {return g(w(t, e))
}function S(t, e, n) {return e ? n ? w(e, t) : x(e, t) : n ? m(t) : _(t)
}function aaa(){n = (new Date).getTime() - "512"t = "s54zv9bm1vd5czfujy6nnuxj1l4g2ny6"r = "D10FE9733A3314D7DD777734F5476ACA"return S(n + r + S(r + t + n));
}
調用aaa()
運行結果:
e5555b27c401a8533f0a8ad5afe77427
參考網站:https://www.gaoyuanqi.cn/crawler-tianyiyun/
)
