JS逆向之新榜登錄

原創 保护我方豆豆 2020-05-15 00:14

文章目錄

1. 模擬登錄

在這裏插入圖片描述

三個加密參數password nonce xyz

2. 解決 password 參數

全局搜索password 定位到加密的地方
在這裏插入圖片描述

單步進入g()方法
在這裏插入圖片描述
如上就是密碼加密邏輯

js源碼如下, 就是一個MD5加密

function o(e, t) {
var n = (65535 & e) + (65535 & t);
return (e >> 16) + (t >> 16) + (n >> 16) << 16 | 65535 & n
}
function a(e, t, n, c, r, a) {
return o((i = o(o(t, e), o(c, a))) << (l = r) | i >>> 32 - l, n);
var i, l
}
function i(e, t, n, c, r, o, i) {
return a(t & n | ~t & c, e, t, r, o, i)
}
function l(e, t, n, c, r, o, i) {
return a(t & c | n & ~c, e, t, r, o, i)
}
function s(e, t, n, c, r, o, i) {
return a(t ^ n ^ c, e, t, r, o, i)
}
function u(e, t, n, c, r, o, i) {
return a(n ^ (t | ~c), e, t, r, o, i)
}
function h(e, t) {
var n, c, r, a, h;
e[t >> 5] |= 128 << t % 32,
e[14 + (t + 64 >>> 9 << 4)] = t;
var f = 1732584193,
v = -271733879,
p = -1732584194,
d = 271733878;
for (n = 0; n < e.length; n += 16) c = f,
r = v,
a = p,
h = d,
f = i(f, v, p, d, e[n], 7, -680876936),
d = i(d, f, v, p, e[n + 1], 12, -389564586),
p = i(p, d, f, v, e[n + 2], 17, 606105819),
v = i(v, p, d, f, e[n + 3], 22, -1044525330),
f = i(f, v, p, d, e[n + 4], 7, -176418897),
d = i(d, f, v, p, e[n + 5], 12, 1200080426),
p = i(p, d, f, v, e[n + 6], 17, -1473231341),
v = i(v, p, d, f, e[n + 7], 22, -45705983),
f = i(f, v, p, d, e[n + 8], 7, 1770035416),
d = i(d, f, v, p, e[n + 9], 12, -1958414417),
p = i(p, d, f, v, e[n + 10], 17, -42063),
v = i(v, p, d, f, e[n + 11], 22, -1990404162),
f = i(f, v, p, d, e[n + 12], 7, 1804603682),
d = i(d, f, v, p, e[n + 13], 12, -40341101),
p = i(p, d, f, v, e[n + 14], 17, -1502002290),
f = l(f, v = i(v, p, d, f, e[n + 15], 22, 1236535329), p, d, e[n + 1], 5, -165796510),
d = l(d, f, v, p, e[n + 6], 9, -1069501632),
p = l(p, d, f, v, e[n + 11], 14, 643717713),
v = l(v, p, d, f, e[n], 20, -373897302),
f = l(f, v, p, d, e[n + 5], 5, -701558691),
d = l(d, f, v, p, e[n + 10], 9, 38016083),
p = l(p, d, f, v, e[n + 15], 14, -660478335),
v = l(v, p, d, f, e[n + 4], 20, -405537848),
f = l(f, v, p, d, e[n + 9], 5, 568446438),
d = l(d, f, v, p, e[n + 14], 9, -1019803690),
p = l(p, d, f, v, e[n + 3], 14, -187363961),
v = l(v, p, d, f, e[n + 8], 20, 1163531501),
f = l(f, v, p, d, e[n + 13], 5, -1444681467),
d = l(d, f, v, p, e[n + 2], 9, -51403784),
p = l(p, d, f, v, e[n + 7], 14, 1735328473),
f = s(f, v = l(v, p, d, f, e[n + 12], 20, -1926607734), p, d, e[n + 5], 4, -378558),
d = s(d, f, v, p, e[n + 8], 11, -2022574463),
p = s(p, d, f, v, e[n + 11], 16, 1839030562),
v = s(v, p, d, f, e[n + 14], 23, -35309556),
f = s(f, v, p, d, e[n + 1], 4, -1530992060),
d = s(d, f, v, p, e[n + 4], 11, 1272893353),
p = s(p, d, f, v, e[n + 7], 16, -155497632),
v = s(v, p, d, f, e[n + 10], 23, -1094730640),
f = s(f, v, p, d, e[n + 13], 4, 681279174),
d = s(d, f, v, p, e[n], 11, -358537222),
p = s(p, d, f, v, e[n + 3], 16, -722521979),
v = s(v, p, d, f, e[n + 6], 23, 76029189),
f = s(f, v, p, d, e[n + 9], 4, -640364487),
d = s(d, f, v, p, e[n + 12], 11, -421815835),
p = s(p, d, f, v, e[n + 15], 16, 530742520),
f = u(f, v = s(v, p, d, f, e[n + 2], 23, -995338651), p, d, e[n], 6, -198630844),
d = u(d, f, v, p, e[n + 7], 10, 1126891415),
p = u(p, d, f, v, e[n + 14], 15, -1416354905),
v = u(v, p, d, f, e[n + 5], 21, -57434055),
f = u(f, v, p, d, e[n + 12], 6, 1700485571),
d = u(d, f, v, p, e[n + 3], 10, -1894986606),
p = u(p, d, f, v, e[n + 10], 15, -1051523),
v = u(v, p, d, f, e[n + 1], 21, -2054922799),
f = u(f, v, p, d, e[n + 8], 6, 1873313359),
d = u(d, f, v, p, e[n + 15], 10, -30611744),
p = u(p, d, f, v, e[n + 6], 15, -1560198380),
v = u(v, p, d, f, e[n + 13], 21, 1309151649),
f = u(f, v, p, d, e[n + 4], 6, -145523070),
d = u(d, f, v, p, e[n + 11], 10, -1120210379),
p = u(p, d, f, v, e[n + 2], 15, 718787259),
v = u(v, p, d, f, e[n + 9], 21, -343485551),
f = o(f, c),
v = o(v, r),
p = o(p, a),
d = o(d, h);
return [f, v, p, d]
}
function f(e) {
var t, n = "",
c = 32 * e.length;
for (t = 0; t < c; t += 8) n += String.fromCharCode(e[t >> 5] >>> t % 32 & 255);
return n
}
function v(e) {
var t, n = [];
for (n[(e.length >> 2) - 1] = void 0, t = 0; t < n.length; t += 1) n[t] = 0;
var c = 8 * e.length;
for (t = 0; t < c; t += 8) n[t >> 5] |= (255 & e.charCodeAt(t / 8)) << t % 32;
return n
}
function p(e) {
var t, n, c = "";
for (n = 0; n < e.length; n += 1) t = e.charCodeAt(n),
c += "0123456789abcdef".charAt(t >>> 4 & 15) + "0123456789abcdef".charAt(15 & t);
return c
}
function d(e) {
return unescape(encodeURIComponent(e))
}
function m(e) {
return function(e) {
    return f(h(v(e), 8 * e.length))
} (d(e))
}
function z(e, t) {
return function(e, t) {
    var n, c, r = v(e),
    o = [],
    a = [];
    for (o[15] = a[15] = void 0, r.length > 16 && (r = h(r, 8 * e.length)), n = 0; n < 16; n += 1) o[n] = 909522486 ^ r[n],
    a[n] = 1549556828 ^ r[n];
    return c = h(o.concat(v(t)), 512 + 8 * t.length),
    f(h(a.concat(c), 640))
} (d(e), d(t))
}
function getpwd(e, t, n) {
return t ? n ? z(t, e) : p(z(t, e)) : n ? m(e) : p(m(e))
}

密碼加密邏輯

import hashlib
import execjs

with open('password.js', 'r', encoding='utf-8') as f:
    ctx = execjs.compile(f.read())

password = hashlib.md5((ctx.call('getpwd', '123456') + 'daddy').encode()).hexdigest()

print(password)
3. 解決nonce參數

在這裏插入圖片描述
nonce 就是一個0~f的9位隨機數

4. 解決xyz參數

在這裏插入圖片描述

加密參數c
"/nr/user/login/loginByAccount?AppKey=joker&account=13333333333&password=e6908815aad7ba628e0625e5d9b144d8&state=1&nonce=c5da87f62"

就是前面解決的用戶密碼nonce拼接後的一個字符,然後MD5加密一次

5. login 源碼
# @Time : 2020/5/11 14:23
# @Author : GKL
# FileName : login.py
# Software : PyCharm

import requests
import hashlib
import execjs
import random


class Login(object):
    def __init__(self, username, password):
        self.url = 'https://www.newrank.cn/nr/user/login/loginByAccount'
        self.username = username
        self.password = password

    def decrypt_password(self):
        with open('password.js', 'r', encoding='utf-8') as f:
            ctx = execjs.compile(f.read())

        password = hashlib.md5((ctx.call('getpwd', self.password) + 'daddy').encode()).hexdigest()

        return password

    def decrypt_nonce(self):
        array = ["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "a", "b", "c", "d", "e", "f"]
        nonce = ''
        for _ in range(9):
            nonce += random.choice(array)

        return nonce

    def decrypt_xyz(self):
        str = "/nr/user/login/loginByAccount?AppKey=joker&account={}&password={}&state=1&nonce={}".format(self.username, self.decrypt_nonce(), self.decrypt_nonce())

        xyz = hashlib.md5(str.encode()).hexdigest()

        return xyz

    def login(self):
        data = {
            'account': self.username,
            'password': self.decrypt_password(),
            'state': '1',
            'nonce': self.decrypt_nonce(),
            'xyz': self.decrypt_xyz()
        }

        response = requests.post(self.url, data=data).text
        print(response)


if __name__ == '__main__':
    s = Login('xxxxxx', xxxxxx)
    s.login()


{
	"success":true,
	"value":{
		"msg":"登錄成功",
		"code":"1",
		"users":[
			{
	...
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

JS逆向--雨水監視

保护我方豆豆 2020-05-15 00:14:12

網易雲評論信息

保护我方豆豆 2020-04-26 00:54:58

美拍視頻(20200424更新)

保护我方豆豆 2020-04-26 00:54:58

百度翻譯(20200425更新)

保护我方豆豆 2020-04-26 00:54:58

Python 與常見加密方式

保护我方豆豆 2020-04-21 13:43:20

JS逆向--雨水監視

保护我方豆豆 2020-05-15 00:14:12

網易雲評論信息

保护我方豆豆 2020-04-26 00:54:58

美拍視頻(20200424更新)

保护我方豆豆 2020-04-26 00:54:58

百度翻譯(20200425更新)

保护我方豆豆 2020-04-26 00:54:58

Python 與常見加密方式

保护我方豆豆 2020-04-21 13:43:20