【2020-12-23】JS逆向之某在线监测分析平台

声明:本文只作学习研究,禁止用于非法用途,否则后果自负,如有侵权,请告知删除,谢谢!



文章目录


前言

目标网站:aHR0cHM6Ly93d3cuYXFpc3R1ZHkuY24v
反爬类型:无限debugger、禁止F12调试
加密类型:JS混淆、AES、DES、BASE64


一、页面分析

1.1 解决无限debugger

进入网页按F12,出现下图
【2020-12-23】JS逆向之某在线监测分析平台
解决办法:在行数旁边点击右键,点击红框内容,输入false,点击运行即可

【2020-12-23】JS逆向之某在线监测分析平台

1.2 解决禁止调试

解决无限debugger后,又不给调试了,如下图,咋解决呢??
【2020-12-23】JS逆向之某在线监测分析平台
解决办法:主要是下面两个函数在搞事情熬,用fiddler中间人改写,咋改写自己去搜吧,这里就不描述了

【2020-12-23】JS逆向之某在线监测分析平台

【2020-12-23】JS逆向之某在线监测分析平台

【2020-12-23】JS逆向之某在线监测分析平台
弄好之后就可以调试了!!
【2020-12-23】JS逆向之某在线监测分析平台


二、加密解密破解

获取如下数据
【2020-12-23】JS逆向之某在线监测分析平台

加密参数是请求时传入的参数
【2020-12-23】JS逆向之某在线监测分析平台
解密参数就是响应的数据
【2020-12-23】JS逆向之某在线监测分析平台

2.1 请求参数数破解

直接下XHR断点,找到请求参数的加密位置,这个文件的JS是https://www.aqistudy.cn/js/encrypt_eZMqs7H0RJRS.min.js?t=1603351502,扣下来放本地可以调试用
【2020-12-23】JS逆向之某在线监测分析平台

【2020-12-23】JS逆向之某在线监测分析平台

这里的加密方法是pNg63WJXHfm8r,可以在扣下的JS代码里看出主要的加密方式MD5和BASE64,这里就不用源码的加密方式了,直接用CryptoJS加密包
【2020-12-23】JS逆向之某在线监测分析平台

源码的加密函数都在这个混淆的JS里面
【2020-12-23】JS逆向之某在线监测分析平台

改写好代码后就可以破解请求参数的加密方式了,应为里面的时间戳不一样,所以有部分差异,用来发请求是完全没问题的

【2020-12-23】JS逆向之某在线监测分析平台
【2020-12-23】JS逆向之某在线监测分析平台
【2020-12-23】JS逆向之某在线监测分析平台

2.2 返回参数解密

解密的函数位置在这里,也在之前扣下来的JS函数里

【2020-12-23】JS逆向之某在线监测分析平台

里面是这几个加密方法
【2020-12-23】JS逆向之某在线监测分析平台

自己用加密包改写一下就可以实现解密了

【2020-12-23】JS逆向之某在线监测分析平台


三、JS源码

var CryptoJS = require('crypto-js');

const askCju6cmMLz = "apAteRdhDd5i5n74";
const asieXomd2dAl = "bN8izWwuwRjjA0pH";
const ackWpSYGqWDU = "dOzNkylRKkmvJ8WP";
const aciPXJAqV8bc = "fS6yu6Kz72UWOqLm";
const dskq6mV934LL = "hY8XWvmotJ7yhyBV";
const dsi68kk2Mig9 = "xCYtuanHBbJFWlKg";
const dckmQMBceyd6 = "ougX3aSyswLitv49";
const dciNka5Pmv4x = "pebJx2rKU7WTkBP6";
const aes_local_key = 'emhlbnFpcGFsbWtleQ==';
const aes_local_iv = 'emhlbnFpcGFsbWl2';
var BASE64 = {
    encrypt: function (text) {
        // var b = new Base64();
        // return b.encode(text)
        var wordArray = CryptoJS.enc.Utf8.parse(text);
        return CryptoJS.enc.Base64.stringify(wordArray)
    }, decrypt: function (text) {
        // var b = new Base64();
        // return b.decode(text)
        var parsedWordArray = CryptoJS.enc.Base64.parse(text);
        return parsedWordArray.toString(CryptoJS.enc.Utf8)
    }
};
var DES = {
    encrypt: function (text, key, iv) {
        var secretkey = (CryptoJS.MD5(key).toString()).substr(0, 16);
        var secretiv = (CryptoJS.MD5(iv).toString()).substr(24, 8);
        secretkey = CryptoJS.enc.Utf8.parse(secretkey);
        secretiv = CryptoJS.enc.Utf8.parse(secretiv);
        var result = CryptoJS.DES.encrypt(text, secretkey, {
            iv: secretiv,
            mode: CryptoJS.mode.CBC,
            padding: CryptoJS.pad.Pkcs7
        });
        return result.toString()
    }, decrypt: function (text, key, iv) {
        var secretkey = (CryptoJS.MD5(key).toString()).substr(0, 16);
        var secretiv = (CryptoJS.MD5(iv).toString()).substr(24, 8);
        secretkey = CryptoJS.enc.Utf8.parse(secretkey);
        secretiv = CryptoJS.enc.Utf8.parse(secretiv);
        var result = CryptoJS.DES.decrypt(text, secretkey, {
            iv: secretiv,
            mode: CryptoJS.mode.CBC,
            padding: CryptoJS.pad.Pkcs7
        });
        return result.toString(CryptoJS.enc.Utf8)
    }
};
var AES = {
    encrypt: function (text, key, iv) {
        var secretkey = (CryptoJS.MD5(key).toString()).substr(16, 16);
        var secretiv = (CryptoJS.MD5(iv).toString()).substr(0, 16);
        secretkey = CryptoJS.enc.Utf8.parse(secretkey);
        secretiv = CryptoJS.enc.Utf8.parse(secretiv);
        var result = CryptoJS.AES.encrypt(text, secretkey, {
            iv: secretiv,
            mode: CryptoJS.mode.CBC,
            padding: CryptoJS.pad.Pkcs7
        });
        return result.toString()
    }, decrypt: function (text, key, iv) {
        var secretkey = (CryptoJS.MD5(key).toString()).substr(16, 16);
        var secretiv = (CryptoJS.MD5(iv).toString()).substr(0, 16);
        secretkey = CryptoJS.enc.Utf8.parse(secretkey);
        secretiv = CryptoJS.enc.Utf8.parse(secretiv);
        var result = CryptoJS.AES.decrypt(text, secretkey, {
            iv: secretiv,
            mode: CryptoJS.mode.CBC,
            padding: CryptoJS.pad.Pkcs7
        });
        return result.toString(CryptoJS.enc.Utf8)
    }
};
var localStorageUtil = {
    save: function (name, value) {
        var text = JSON.stringify(value);
        text = BASE64.encrypt(text);
        text = AES.encrypt(text, aes_local_key, aes_local_iv);
        try {
            localStorage.setItem(name, text)
        } catch (oException) {
            if (oException.name === 'QuotaExceededError') {
                console.log('超出本地存储限额!');
                localStorage.clear();
                localStorage.setItem(name, text)
            }
        }
    }, check: function (name) {
        return localStorage.getItem(name)
    }, getValue: function (name) {
        var text = localStorage.getItem(name);
        var result = null;
        if (text) {
            text = AES.decrypt(text, aes_local_key, aes_local_iv);
            text = BASE64.decrypt(text);
            result = JSON.parse(text)
        }
        return result
    }, remove: function (name) {
        localStorage.removeItem(name)
    }
};

function getDataFromLocalStorage(key, period) {
    if (typeof period === 'undefined') {
        period = 0
    }
    var d = DES.encrypt(key);
    d = BASE64.encrypt(key);
    var data = localStorageUtil.getValue(key);
    if (data) {
        const time = data.time;
        const current = new Date().getTime();
        if (new Date().getHours() >= 0 && new Date().getHours() < 5 && period > 1) {
            period = 1
        }
        if (current - (period * 60 * 60 * 1000) > time) {
            data = null
        }
        if (new Date().getHours() >= 5 && new Date(time).getDate() !== new Date().getDate() && period === 24) {
            data = null
        }
    }
    return data
}

function ObjectSort(obj) {
    var newObject = {};
    Object.keys(obj).sort().map(function (key) {
        newObject[key] = obj[key]
    });
    return newObject
}

function dX506x9jVK3vuMMhoz6ZXx(data) {
    data = AES.decrypt(data, askCju6cmMLz, asieXomd2dAl);
    data = DES.decrypt(data, dskq6mV934LL, dsi68kk2Mig9);
    data = BASE64.decrypt(data);
    return data
}

var pNg63WJXHfm8r = (function () {
    function ObjectSort(obj) {
        var newObject = {};
        Object.keys(obj).sort().map(function (key) {
            newObject[key] = obj[key]
        });
        return newObject
    }

    return function (method, obj) {
        var appId = 'baec98a73c1bff796603cb2fa9d6d449';
        var clienttype = 'WEB';
        var timestamp = new Date().getTime();
        var param = {
            appId: appId,
            method: method,
            timestamp: timestamp,
            clienttype: clienttype,
            object: obj,
            // secret: hex_md5(appId + method + timestamp + clienttype + JSON.stringify(ObjectSort(obj)))
            secret: CryptoJS.MD5(appId + method + timestamp + clienttype + JSON.stringify(ObjectSort(obj))).toString()
        };
        param = BASE64.encrypt(JSON.stringify(param));
        return param
    }
})();

function sJwf3VwkSgqmf0Ddr92K(method, object, callback, period) {
    const key = hex_md5(method + JSON.stringify(object));
    const data = getDataFromLocalStorage(key, period);
    if (!data) {
        var param = pNg63WJXHfm8r(method, object);
        $.ajax({
            url: '../apinew/aqistudyapi.php', data: {h0lgYxgR3: param}, type: "post", success: function (data) {
                data = dX506x9jVK3vuMMhoz6ZXx(data);
                obj = JSON.parse(data);
                if (obj.success) {
                    if (period > 0) {
                        obj.result.time = new Date().getTime();
                        localStorageUtil.save(key, obj.result)
                    }
                    callback(obj.result)
                } else {
                    console.log(obj.errcode, obj.errmsg)
                }
            }
        })
    } else {
        callback(data)
    }
}
上一篇:React + AntD + MD5 前端上传文件到阿里OSS(JS版本)(分片上传,普通上传)


下一篇:前端JS加密那些事