Statement: all the content in this article is for learning and communication only. The captured content, sensitive URLs, and data interfaces have been desensitized, and are strictly prohibited from being used for commercial or illegal purposes. Otherwise, all consequences arising therefrom have nothing to do with the author. In case of infringement, please contact me and I will delete it immediately!

Reverse engineering target

- Target: payment password encryption of a certain "Yi" payment service
- Home page: aHR0cHM6Ly9lcGF5LjE2My5jb20vaDVDYXNoaWVyL2JlZm9yZS12YWxpZGF0aW9u
- Interface: aHR0cHM6Ly9lcGF5LjE2My5jb20vY2FzaGllci9tL3NlY3VyaXR5L3ZlcmlmeVBheUl0ZW1z
- Reverse engineering parameter: Form Data: "shortPayPassword": "ZY4iJQkXwvhMwlw2hvpZQ9T%2Fc1S7wRfcfQrpe6bmnlA3hy5PJTJqeYY%2Bj372D70i"

Reverse engineering process

The material for this installment comes from a request for help by a member of Brother K's crawler discussion group.

Packet capture analysis

The link sent by the fan is from a certain "Baoge" platform. It is a purchase link for a game character, the payment method is the "Yi" payment service, and the object to reverse is the encrypted payment password sent when purchasing. Switch to mobile phone mode, click Pay to reach the password input page, enter a random 6-digit password, and click OK. Capturing the packet shows that the payment password is encrypted, as shown in the figure below:

Parameter reversing

Search directly for the keyword shortPayPassword. The encryption function can be found in common.e94aeed9.js, as shown in the figure below:

The key point is the statement Object(n.b)(Object(c.MD5)(this.input).toString(), e). Print each part in the console in turn and observe its meaning:

- (this.input).toString(): the plaintext password;
- e: a string. The place where it is generated cannot be found in the script, but searching for the string directly shows that it is the peEnSeed value returned by an interface;
- Object(c.MD5): a method. The name suggests MD5, and the result obtained by passing in the password is indeed its MD5;
- Object(n.b): this is a method named s, which needs further analysis.

Overall, the MD5 of the password and the value of e are passed together into the s method. Follow it further and look at the s function, as shown in the figure below:

This is clearly AES encryption: the MD5 of the password is the data to be encrypted, peEnSeed is the key, and the IV is 0123456789012345. The final encrypted result is URL-encoded once. Simply import the crypto-js package and pass in the corresponding values. The code is as follows:

    // import the crypto-js encryption module
    var CryptoJS = require('crypto-js')

    function getEncryptedPassword(password, peEnSeed) {
        // Utf8.parse() stringifies the MD5 WordArray, so the plaintext is the hex MD5 string
        var pwd = CryptoJS.enc.Utf8.parse(CryptoJS.MD5(password));
        var key = CryptoJS.enc.Utf8.parse(peEnSeed);
        var iv = CryptoJS.enc.Utf8.parse("0123456789012345");
        var encrypted = CryptoJS.AES.encrypt(pwd, key, {
            iv: iv,
            mode: CryptoJS.mode.CBC,
            padding: CryptoJS.pad.Pkcs7
        });
        return password ? key ? encodeURIComponent(encrypted.toString()) : pwd : ""
    }

    // test sample
    var password = "123456"
    var peEnSeed = "2F63CCD861E4397F1C2181006904BAB2"
    console.log(getEncryptedPassword(password, peEnSeed))

    // ZY4iJQkXwvhMwlw2hvpZQ9T%2Fc1S7wRfcfQrpe6bmnlA3hy5PJTJqeYY%2Bj372D70i
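As a cross-check of the analysis above, this added example (not the author's code) re-implements the scheme with Node's built-in crypto module instead of crypto-js. It shows two properties of the design: the fixed IV makes the field deterministic for a given seed, and the seed alone is enough to recover MD5(password). The function names are hypothetical, and it assumes the seed is always 32 characters, as in the page's sample.

```javascript
// Added example: the page's scheme rebuilt on Node's built-in crypto module.
// Function names are hypothetical; sample values come from the page's test case.
const crypto = require('crypto');

const FIXED_IV = Buffer.from('0123456789012345', 'utf8'); // IV stated on the page

// AES-CBC/PKCS7 over the hex MD5 of the password. The 32-character seed is
// used as raw UTF-8 bytes, so the key is 256 bits long (assumption: the seed
// is always 32 characters; createCipheriv throws otherwise).
function encryptPayPassword(password, peEnSeed) {
    const md5Hex = crypto.createHash('md5').update(password, 'utf8').digest('hex');
    const cipher = crypto.createCipheriv('aes-256-cbc', Buffer.from(peEnSeed, 'utf8'), FIXED_IV);
    const ct = Buffer.concat([cipher.update(md5Hex, 'utf8'), cipher.final()]);
    return encodeURIComponent(ct.toString('base64'));
}

// Inverse operation: whoever holds the seed recovers the MD5 hex string,
// so the field is reversible encoding rather than a one-way hash.
function decryptPayPassword(field, peEnSeed) {
    const ct = Buffer.from(decodeURIComponent(field), 'base64');
    const decipher = crypto.createDecipheriv('aes-256-cbc', Buffer.from(peEnSeed, 'utf8'), FIXED_IV);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

const password = '123456';
const peEnSeed = '2F63CCD861E4397F1C2181006904BAB2';
const pageSample = 'ZY4iJQkXwvhMwlw2hvpZQ9T%2Fc1S7wRfcfQrpe6bmnlA3hy5PJTJqeYY%2Bj372D70i';

const field = encryptPayPassword(password, peEnSeed);
console.log('field:              ', field);
console.log('matches page sample:', field === pageSample);
// Fixed IV + same seed: encrypting twice yields the identical field.
console.log('deterministic:      ', field === encryptPayPassword(password, peEnSeed));
console.log('recovered MD5:      ', decryptPayPassword(field, peEnSeed));
```

Because the ciphertext is deterministic and reversible with the seed, the scheme's confidentiality rests on TLS and on how the server issues and expires peEnSeed, not on the client-side encryption itself.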
