JS逆向-抠代码的第四天【手把手学会抠代码】
疏楼龙宿^ 人气:0今天是md5巩固项目,该项目比昨天的复杂一些,但方法思路是一样的。
今天的目标:https://www.webportal.top/
打开网站,填入账号密码(密码项目以123456做测试)。点击登录抓包后,发现该登录包为ajax请求,其中加密参数只有pwd。
接下来,就是解析pwd的加密方式,通过全局所搜,可以出如下结果:
第二个很明显不是加密。那么是不是在第一个js文件里面呢,点进去,简单搜索发现了这样的情况:
这么友好的吗?果断打下断点,调试,发现到这里后,i.pwd就是我们的密码123456,而$.md5整体是一个加密函数,处理之后,也确实是加密数据。直接跳入函数,会发现该函数时这样的:
这里明显是该函数调用了其他函数,而且没有什么加密算法会只有两行!先不用管,把前面的加密动作和这里复制出来进行简单的改写:
接下来,对MD5这个改写后的函数简单分析,返回的这个玩意首先我是看不懂的,但是我猜测,字母后面跟括号,那么这个字母肯定是某函数!只有函数才需要传参。通过调试工具进行调试,发现函数u不存在,断点跳进来,查看函数,直接复制过来。看了下格式,改都不需要改。来都来了,我们把这一行的几个函数都先看下,比如,f c u,其中u已经找到了,找下f和c,然后也复制过来,接着就重复上述操作,根据调试工具的提示,缺啥补啥。当我们补完就发现,没问题了,运行也直接出结果了。
至此该加密数据解密结束。
下附代码:
python部分:
1 import execjs
2
3
4 def read_js(file):
5 with open(file, 'r', encoding='utf8') as f:
6 data = f.read()
7 return data
8
9
10 if __name__ == '__main__':
11 js_str = read_js('webportal.js')
12 js_o = execjs.compile(js_str)
13 md5_password = js_o.call('getpwd', '123456')
14 print(md5_password)
JS代码部分
1 function a(e, t, n, o, a, r, s) {
2 return i(t ^ n ^ o, e, t, a, r, s)
3 }
4
5 function r(e, t, n, o, a, r, s) {
6 return i(n ^ (t | ~o), e, t, a, r, s)
7 }
8
9 function o(e, t, n, o, a, r, s) {
10 return i(t & o | n & ~o, e, t, a, r, s)
11 }
12
13 function t(e, t) {
14 var i = (65535 & e) + (65535 & t);
15 return (e >> 16) + (t >> 16) + (i >> 16) << 16 | 65535 & i
16 }
17
18 function i(e, i, n, o, a, r) {
19 return t((s = t(t(i, e), t(o, r))) << (l = a) | s >>> 32 - l, n);
20 var s, l
21 }
22
23 function n(e, t, n, o, a, r, s) {
24 return i(t & n | ~t & o, e, t, a, r, s)
25 }
26
27 function d(e) {
28 var t, i = [];
29 for (i[(e.length >> 2) - 1] = void 0, t = 0; t < i.length; t += 1) i[t] = 0;
30 for (t = 0; t < 8 * e.length; t += 8) i[t >> 5] |= (255 & e.charCodeAt(t / 8)) << t % 32;
31 return i
32 }
33
34 function s(e, i) {
35 e[i >> 5] |= 128 << i % 32,
36 e[14 + (i + 64 >>> 9 << 4)] = i;
37 var s, l, d, c, p, u = 1732584193,
38 f = -271733879,
39 h = -1732584194,
40 g = 271733878;
41 for (s = 0; s < e.length; s += 16) l = u,
42 d = f,
43 c = h,
44 p = g,
45 u = n(u, f, h, g, e[s], 7, -680876936),
46 g = n(g, u, f, h, e[s + 1], 12, -389564586),
47 h = n(h, g, u, f, e[s + 2], 17, 606105819),
48 f = n(f, h, g, u, e[s + 3], 22, -1044525330),
49 u = n(u, f, h, g, e[s + 4], 7, -176418897),
50 g = n(g, u, f, h, e[s + 5], 12, 1200080426),
51 h = n(h, g, u, f, e[s + 6], 17, -1473231341),
52 f = n(f, h, g, u, e[s + 7], 22, -45705983),
53 u = n(u, f, h, g, e[s + 8], 7, 1770035416),
54 g = n(g, u, f, h, e[s + 9], 12, -1958414417),
55 h = n(h, g, u, f, e[s + 10], 17, -42063),
56 f = n(f, h, g, u, e[s + 11], 22, -1990404162),
57 u = n(u, f, h, g, e[s + 12], 7, 1804603682),
58 g = n(g, u, f, h, e[s + 13], 12, -40341101),
59 h = n(h, g, u, f, e[s + 14], 17, -1502002290),
60 u = o(u, f = n(f, h, g, u, e[s + 15], 22, 1236535329), h, g, e[s + 1], 5, -165796510),
61 g = o(g, u, f, h, e[s + 6], 9, -1069501632),
62 h = o(h, g, u, f, e[s + 11], 14, 643717713),
63 f = o(f, h, g, u, e[s], 20, -373897302),
64 u = o(u, f, h, g, e[s + 5], 5, -701558691),
65 g = o(g, u, f, h, e[s + 10], 9, 38016083),
66 h = o(h, g, u, f, e[s + 15], 14, -660478335),
67 f = o(f, h, g, u, e[s + 4], 20, -405537848),
68 u = o(u, f, h, g, e[s + 9], 5, 568446438),
69 g = o(g, u, f, h, e[s + 14], 9, -1019803690),
70 h = o(h, g, u, f, e[s + 3], 14, -187363961),
71 f = o(f, h, g, u, e[s + 8], 20, 1163531501),
72 u = o(u, f, h, g, e[s + 13], 5, -1444681467),
73 g = o(g, u, f, h, e[s + 2], 9, -51403784),
74 h = o(h, g, u, f, e[s + 7], 14, 1735328473),
75 u = a(u, f = o(f, h, g, u, e[s + 12], 20, -1926607734), h, g, e[s + 5], 4, -378558),
76 g = a(g, u, f, h, e[s + 8], 11, -2022574463),
77 h = a(h, g, u, f, e[s + 11], 16, 1839030562),
78 f = a(f, h, g, u, e[s + 14], 23, -35309556),
79 u = a(u, f, h, g, e[s + 1], 4, -1530992060),
80 g = a(g, u, f, h, e[s + 4], 11, 1272893353),
81 h = a(h, g, u, f, e[s + 7], 16, -155497632),
82 f = a(f, h, g, u, e[s + 10], 23, -1094730640),
83 u = a(u, f, h, g, e[s + 13], 4, 681279174),
84 g = a(g, u, f, h, e[s], 11, -358537222),
85 h = a(h, g, u, f, e[s + 3], 16, -722521979),
86 f = a(f, h, g, u, e[s + 6], 23, 76029189),
87 u = a(u, f, h, g, e[s + 9], 4, -640364487),
88 g = a(g, u, f, h, e[s + 12], 11, -421815835),
89 h = a(h, g, u, f, e[s + 15], 16, 530742520),
90 u = r(u, f = a(f, h, g, u, e[s + 2], 23, -995338651), h, g, e[s], 6, -198630844),
91 g = r(g, u, f, h, e[s + 7], 10, 1126891415),
92 h = r(h, g, u, f, e[s + 14], 15, -1416354905),
93 f = r(f, h, g, u, e[s + 5], 21, -57434055),
94 u = r(u, f, h, g, e[s + 12], 6, 1700485571),
95 g = r(g, u, f, h, e[s + 3], 10, -1894986606),
96 h = r(h, g, u, f, e[s + 10], 15, -1051523),
97 f = r(f, h, g, u, e[s + 1], 21, -2054922799),
98 u = r(u, f, h, g, e[s + 8], 6, 1873313359),
99 g = r(g, u, f, h, e[s + 15], 10, -30611744),
100 h = r(h, g, u, f, e[s + 6], 15, -1560198380),
101 f = r(f, h, g, u, e[s + 13], 21, 1309151649),
102 u = r(u, f, h, g, e[s + 4], 6, -145523070),
103 g = r(g, u, f, h, e[s + 11], 10, -1120210379),
104 h = r(h, g, u, f, e[s + 2], 15, 718787259),
105 f = r(f, h, g, u, e[s + 9], 21, -343485551),
106 u = t(u, l),
107 f = t(f, d),
108 h = t(h, c),
109 g = t(g, p);
110 return [u, f, h, g]
111 }
112
113 function p(e) {
114 return unescape(encodeURIComponent(e))
115 }
116 function l(e) {
117 var t, i = "";
118 for (t = 0; t < 32 * e.length; t += 8) i += String.fromCharCode(e[t >> 5] >>> t % 32 & 255);
119 return i
120 }
121 function c(e) {
122 var t, i, n = "";
123 for (i = 0; i < e.length; i += 1) t = e.charCodeAt(i),
124 n += "0123456789abcdef".charAt(t >>> 4 & 15) + "0123456789abcdef".charAt(15 & t);
125 return n
126 }
127
128 function u(e) {
129 return function(e) {
130 return l(s(d(e), 8 * e.length))
131 } (p(e))
132 }
133
134 MD5 = function(e, t, i) {
135 return t ? i ? f(t, e) : c(f(t, e)) : i ? u(e) : c(u(e))
136 }
137
138 function getpwd(pwd) {
139 var password = MD5(pwd);
140 return password
141 }
加载全部内容