声明
本文仅供学习参考,禁止用于其他途径,违者后果自负
前言
网站:aHR0cHM6Ly93d3cuYmFpZHUuY29tLw==
接口:aHR0cHM6Ly9wYXNzcG9ydC5iYWlkdS5jb20vdjIvYXBpLz9sb2dpbg==
逆向分析
抓包后会发现post请求会提交很多的参数,有很多参数都加密了。所以今天的逆向是个大工程。
老规矩还是以搜索为主,搜索passoword。
有12个文件,文件内容比较多。搜索比较费劲,搜索一下别的关键字试一下。
搜索rsakey
完美!就一个文件,点进去继续寻找。
典型RSA加密,打下断点,重新调试。
console中打印结果。
此时就已经完成了加密。
token值和gid(不清除数据)为固定值,网页源码中可以直接找到,这个没有什么说的,写死就可以。
gid的生成逻辑
guideRandom = function() {return "xxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, function(e) {var t = 16 * Math.random() | 0, n = "x" === e ? t : 3 & t | 8;return n.toString(16)}).toUpperCase()}();
至于as、ds、tk其实在另一个请求中就可以得到,这里就不做分析了。
继续搜索sig、shaOne等关键词。最终在moonshad.js中找到,找到后打下断点,继续调试。
代码经过混淆,但是也不影响我们观察,可以看到_0x2933a3对象中有我们想要的内容,接下来一个一个拿下来就可以了。
首先看sig的生成,简单解一下混淆
_0x54af57['encryption'](_0x5831c9, _0x264412, _0x59e197)
参数如下:
_0x5831c9 = {"staticpage": "https://www.baidu.com/cache/user/html/v3Jump.html","charset": "UTF-8","token": "脱敏1a01b6bb1896c020c5","tpl": "mn","subpro": "","apiver": "v3","tt": 1660983405451,"codestring": "","safeflg": "0","u": "https://www.baidu.com/s?tn=68018901_2_oem_dg&ie=utf-8&wd=%E7%99%BE%E5%BA%A6","isPhone": "","detect": "1","gid": "DF63DA6-D5DA-44D2-8047-B9EBF4E70064","quick_user": "0","logintype": "dialogLogin","logLoginType": "pc_loginDialog","idc": "","loginmerge": "true","mkey": "","splogin": "rate","username": "13888888888","password": "脱敏yZDczo+RzjY0jtcXYdMw1UbO9lTkTvWgyh+6zHiCs9rlgcX1PRyqOw89D175fMAY4yzUdCWMhrhFnSuA0d+zWWDj5Xe9LB0vuAT3D93dzd9R8HUKf1oJC4EbTKgWLdRlFY9048yIqyZAz97Y/6U49nS7MIefvtE=","mem_pass": "on","rsakey": "ZEzbf6Ny3wfSMkTA4yXdQW8EFfjD4VRK","crypttype": 12,"ppui_logintime": 595891,"countrycode": "","fp_uid": "","fp_info": "","loginversion": "v4","supportdv": "1","bdint_sync_cookie": "","ds": "y2UQ4N脱敏5IEbud7HnGMQLdiJzwTyFi+4jYtAfaT9gJWTeunP8snvlg4D1Kjp5aLPFDbFAMtkzvaaVENbGjs5okXPUUWu6r3cP7MoU6jI8as0PC7e6Az+TVO3gBhC0mPMY4n9z7rPTcLZTtefMZR3oaCoazJj/roMhlZxtBnmyQxZala4+TlY+7og9AoikMBgYpVV6//ntDLyfJX6n9k1jkF3ZkIhJKFeckdnBDQ89/BYTzEB7X1OJTnMvSdsJKkJbjsMbPqRLARhl8nTpZwzDP0eq/nKa/4s5iOsdtBI9xkHZpdoHhgbJn7BkdswhmYjLILPbzs+yToQ1S1uRqd3PLVkbIM0OcQtRQBGNdFwFUXuI9uvl8uE1+DehDkMz2Ysv7Q277RzPKt22SjNWbfaaZ3xkYp/YwEezhOJqvoFf3VCpFER/QSrj7462b/cN0ZPftniu+MAUfOATwlS5Snhmcg08jwf+j88mHkvXl+XnujRPE3OLhWp9Hf+uYHIfy4XC1vyFdO0ad47Gvfe9diQnD8phpZTTF3vywtY/s/RfXExTiN/73S7wV/K5WaAyHieEm61xDwJDuzXi6umIKzKPlwyMeUxoElOKvrgkfRdutPtulwPW1tpWInqAceDTPYeH3MJHxipJFLkxc6X+kle9L+yJnqi+rc82op8wa2prOCICqts6cSsIhFNhNf4KLQCFdQPLeG3UJXo/cLNrK/i1rE3/ajocbY3o1ACOI81/pmzuRgxE7CULFvGsPQRwhyQU0Dc5d/HHrg3GxHS4Cz+YB06etGa6yBl7wkp58Q+AEhm1GCkfbnopJRbk6Ruz8YbbdYGqXrbgJtgnPsdOp79m2T312r1aqnVlR2gjAfTPq/rhX5PUQ+CQfcOswRVn59hbWkES5/dkoaAHPoodVLCexCoXg/71Wu2cl3WAy1/ueGG2Y5wQQFg/uCt0ugtH9mZxgWWlyLtHD7WKAy7zqflFbneXmr5sbvNDvP5ju3umiGbOChfoljcXYwK/7rgsGZkvRRqMsUbloCDCv7CyZ4mnWLJl0Y8pg4WBMggVorOccePCWK9XvLokd5Gn1cqjp3Qq8mqrjjvqm70xIMZGbLOc04518Lwk5OCDfXMYZwtcaFs+v4Q3I+IC8k7YceAyIqQxVHGMyL+jgU6MvBRCPWIkiK5KWxtYSaLpZKbIQ08rHNwQ3SuW5tMWlifBRFgdgHz1+zrupIjIR87MViDWXjVQzhca557pclA6upUHjcrMln3MJHT5N1+5YlLJLdV1A7S/tUdruz4QFm3Q5HTaXtgfbK/AMhagljXr3LCRsx/AXRCdwq3fKgxlKiSAwr17ldSp+jbcX1ssqWOo1byrrgugoX1UNDv1/FsSQssS2kVNA1pUbxWaOunLXoNVkPbmC+Tw+biz78XnBmrFk6XXiT8IIcoqN2BQnTlvblyd2TfH4K3jHW7lEA52PQm4FG+YFg9aBJqyKL/7uIh27zjnlT+2Z7KzVyquaOaoIIBOn6PkVDHAyDyQZFNrLB+vOtUpqpGnom99DT9+A3pTNC6P53FVAnIiBPEvWAUbMYLxZd6PtX7O9fkz0p//RhnMYiSg/ewdUZ45uuhgMgVP+tKr3Pz/VS7uJK4wHpr4Gy1acZ/JjfZsz6bSrLvEkqDPDgKUw6CEV/rNmOjQm+NTFbLCNVx9m9ZCDNJJcKpIFLrG85bKaUJrvsaV6MNqCRSH38mjjFwxk59TxA2YkB53FLhnySOgb/5TSNljcYARXk=","tk": "2819RfayEoNj80zsjv+SSCiCCDRCR7kxDOftg+DfYPcU7jK008xmrBEoaAfG+gt7G693Os/aEVMpDDlVFiw9mnjvkqyflet+kUkoH2IbyvjJ+2w=","dv": "tk0.28786421530038231660982809765@rrp0Xy2GNKrmjBDB-5B3upFaYDBahMrGuMF~8gHF02vLaQnkserGpw2G3KrmjBDB-5B3upFaYDBahMrGuMF~8gHF02vLaQnksa2kOwrGqenkqK8ou27a0hG8YMBupDFgojFaYaNd8xGRuWHAzx2kDyMkozpmzznu7hG3OADBaMFahGBuwjr8YMOFpQN3-9PLBKrgqy25zjrkDKrmjBDB-5B3upFaYDBahMrGuMF~8gHF02vLaQnkrxpGHwdp0Ly2kDynkozrAz-pSrK8ou27a0hG8YMBupDFgojFaYQNU0ZNUzypgBKrSDKrGDarAjBDB-5B3upFaYDBahMrGuMF~8gHF02vLaQMk3jpmzjrgNKpgDgrAjBDB-5B3upFaYDBahMrGuMF~pavRaVO5z~rSCKrSv-nkoy2k3dn5HSPd7QnFpzILyWvRYeOtYW2GNxMkvapxzerg3KrG3dpGDKNtugNxaSPd-eHL-e2GNxMq__ynnIwn~Hv0qSh~pBrAzxnkozpq__FpUOtKznSsypgCdpksjpGrzrkryrSrjpSvz2GCx2kq-pgvahpNImjaPR7QHRQJHLD_-pvrmzznkoargvKrSNa2mzjpGrdnk3drmzjpGrdnkoargvK2Gox","fuid": "FOCoIC3q5fKa8fgJnwzbE67EJ49BGJeplOzf+4l4EOvDuu2RXBRv6R3A1AZMa49I27C0gDDLrJyxcIIeAeEhD8JYsoLTpBiaCXhLqvzbzmvy3SeAW17tKgNq/Xx+RgOdb8TWCFe62MVrDTY6lMf2GrfqL8c87KLF2qFER3obJGl43uTZzSgDGcEe8IZtTqNSGEimjy3MrXEpSuItnI4KD4K+4yxfmojUV0RdBd4+Oukqsp4Z6BDtw7ctbZCaAm94P2D3AzmuQKtwVwPlZfqNnoOswVAInEL977Gkc4LGHFurc6cZOQiWpdWZFfM9cCLuTBuECl+tiP++NCHKpXEMdWH1SPBXDyoMbf9Ga3EX3JC70/lU+rOcT92RpNAO3HyuQbeCqJ91LNPfk1CUv8oZVlm2kjHPQwsGQ9uwCuW8RID0uiYirEQ4VKXMmTE7xcZoq7kqBCL+XRozeJ7jdMpMPSKGrlOAU2xKyPf12iIeqlp1pfuVcgAAXBP18U5zCRDX2z2pK9F7JDaBbznWo6XY3dMMGrweUracAvqOGvkcWCkbabfuAhICynUZ9dpyd84KIArwzZKNYlfcEkE/coI4l9E8V02o2uAuZkYGvr/xRKGfezxD2zg/ciUh9kJABfAzTeAd2C9z9UHlh+I3bt/mn2o3PFDIohCzg/DRTUtNxRgJ13AUairLDWhe5SwH+f9kx+4rjNadQYRXY62cs4wa6vu3FNhnx0vECH7/RD7jOBK8s5HD6sBtW/MElAB0oMo4jKy5x23aGU1DlI3auIZ7ZNPbWvBGdywMRZgsegAwbNhsBAiZVqRumDq+zV3cirOdalgjfdDmOpvo6TsQUOMAzrtNSRMEGREm8qOjoaqrQ87P+ZDbYZPDEQGdhuxHTXO3W36eKL+Mph5GSAWOEr53TgnFB5JmUP4Qdg4gpcDC59EN6c3W7FZhGROFu41/8n2Qc5K6v586kUCA/y0bCSVtuHvtTeMJSc4TZhVzENGImFXau2hzfPTsm7rfsbHN/CeiOFndq1Yucax/IRqr3e+zibsx/F/rW9D1fl57tzS9X5qiyIfl3Ben58jxT1MbXkLW7S8ovoKuc6MINaBY/Dvy/eFFJ0izWQNfgqQiCVUlDzl17+9HHzEp+Dq5hHfufQG9+AkTn4pt67ALIC8lEZQDZ53VW4iqCsR7wY7tkA+HnvZnR2AMO4uEIa13c3O+4rF4ji2jIgUyGLK2eNsG1KoWdZCJfNSGrHvwtel1Tyjo/Vw=","alg": "v3","time": 1660983436
}
_0x264412 = undefined;
_0x59e197 = 'moonshad1moonsh9'
继续步入看一下加密函数的逻辑
function encryption(_0x3b8bda, _0x24f1ad, _0x5c5637) {var _0x422d82 = _0x199e5c(_0x3b8bda, _0x24f1ad);return _0x573aaf(_0x39342d(_0x422d82, _0x5c5637));}
剩下的就是扣代码了,细看逻辑就知道是一个md5和AES的混合加密。
shaOne的加密,其实已经告诉我们了就是SHA1,只要找到入参就可以还原出了。
拿下来就OK了。
最后逆向就完成了。
