前言:由于时间原因,博主已经很久没有水文章了,但是博主也变懒了,所以再三思考,还是决定停掉对python基础栏目的更新(虽然也没有创作多少文章,怪尴尬的),今后有时间就会水一下JS专栏,争取早日完成100个站的逆向目标。
目标网址:
tips:以下网址经过脱敏处理,不知道怎么查看的大佬,私信小弟
aHR0cHM6Ly94dWVxaXUuY29tLw==
本期简介:
需要逆向的参数:网址请求需要携带的cookie值【acw_sc__v2】
acw_sc__v2来源:A厂系的一个cookie加密
逆向环境:NodeJS-v-18, python-v-3.12,IDE-Pycharm
需要了解的知识点:什么是混淆,OB混淆的格式
增加知识点的飞机票:大家自行搜索了解相关知识点,网上很多
查看抓包情况:
老规矩,打开网站,F12,先研究一下数据包。我们要解决的加密是cookie,所以第一步应该先清空该网站所有的cookie,然后重新刷新页面,这时会进入一个无限debugger。这个还是比较容易处理的,右击选择“不在此处暂停”,或者hook就可以过
/**
 * Wraps Function.prototype.constructor so that a request to build a function
 * from the exact source string "debugger" yields an empty function instead.
 * Every other source string is handed to the saved original constructor.
 * Only the first argument is passed through to the original.
 */
(function () {
  const nativeFunctionCtor = Function.prototype.constructor;

  Function.prototype.constructor = function (source) {
    // Anything other than the bare "debugger" body is built as usual.
    if (source !== "debugger") {
      return nativeFunctionCtor(source);
    }
    console.log("Hook constructor debugger!");
    return function () {};
  };
})();
然后我们观察数据包,会产生两次发包,第一次会响应一个acw_tc的cookie,和一个加密acw_sc__v2的数据的页面
第二次请求携带了acw_tc,acw_sc__v2这两个cookie就响应回来正常的界面数据
分析完毕,ok, 那我们继续刚才的步骤,清空对应的数据跟cookie,然后在脚本处打上勾,重新刷新页面,hook住无限debugger。
然后进入到一个VM文件
然后这两个函数只是做了一个拼接的操作,并不是一个真正生成的地方,但是这个arg1的值是我们需要用到的,先记录一下。
继续往下走 发现函数调用reload(arg2)
继续跟踪函数调用链,发现reload(arg2)函数的调用,进一步分析arg2变量的生成位置。
然后你就会发现所有的变量和方法都在同一个函数里面了,除了混淆,其他没有什么难点,然后把arg1的值拿过来加密,然后hex,最后toString,就拼接到了cookie里面
好了,本期到这结束了,下课,附上代码
/**
 * XORs two hex strings two characters (one byte) at a time.
 *
 * The left operand is the receiver: call as `hexXor.call(leftHex, rightHex)`.
 * Processing stops at the end of the shorter string.
 *
 * @param {string} _0x4e08d8 - right-hand hex string.
 * @returns {string} lowercase hex, each XORed byte zero-padded to two digits.
 */
function hexXor(_0x4e08d8) {
  const rightHex = _0x4e08d8;
  const pieces = [];
  let offset = 0;

  while (offset < this.length && offset < rightHex.length) {
    const leftByte = parseInt(this.slice(offset, offset + 2), 16);
    const rightByte = parseInt(rightHex.slice(offset, offset + 2), 16);
    const xored = (leftByte ^ rightByte).toString(16);
    // A single hex digit gets a leading zero so every byte is two characters.
    pieces.push(xored.length === 1 ? "0" + xored : xored);
    offset += 2;
  }

  return pieces.join("");
}
/**
 * Reorders the characters of the receiver string according to a fixed
 * 40-entry table of 1-based positions.
 *
 * Call as `unsbox.call(text)`. Output slot j receives the input character at
 * position table[j]; positions beyond the input length contribute nothing.
 *
 * @returns {string} the reordered characters joined into one string.
 */
function unsbox() {
  // 1-based source position for each output slot (decimal form of the original hex table).
  const positionTable = [
    15, 35, 29, 24, 33, 16, 1, 38, 10, 9,
    19, 31, 40, 27, 22, 23, 25, 13, 6, 11,
    39, 18, 20, 8, 14, 21, 32, 26, 2, 30,
    7, 4, 17, 5, 3, 28, 34, 37, 12, 36,
  ];
  const input = this;

  const reordered = positionTable.map(function (position) {
    const sourceIndex = position - 1;
    // Slots whose source position lies past the input stay empty in the join.
    return sourceIndex < input.length ? input[sourceIndex] : undefined;
  });

  return reordered.join("");
}
/**
 * Computes the value this page places in the acw_sc__v2 cookie from the
 * `arg1` string embedded in the challenge response: the characters are
 * reordered by unsbox, then XORed against a fixed hex mask by hexXor.
 *
 * Both the reorder table and the mask are constants in this listing, so the
 * result is a deterministic function of `arg1` alone.
 *
 * @param {string} arg1 - value of `var arg1` taken from the challenge page.
 * @returns {string} hex string produced by hexXor.
 */
function f(arg1) {
  const xorMaskHex = "3000176000856006061501533003690027800375";
  const reordered = unsbox.call(arg1);
  return hexXor.call(reordered, xorMaskHex);
}
import re
import execjs
import requests
# NOTE(review): the published listing lost its indentation; the block
# structure below (the `with` body and the `if` body) is reconstructed.

# Browser-like headers attached to both requests below.
headers = {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Accept-Language": "zh-CN,zh;q=0.9",
    "Cache-Control": "no-cache",
    "Connection": "keep-alive",
    "Pragma": "no-cache",
    "Referer": "https://xueqiu.com/toure",
    "Sec-Fetch-Dest": "document",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-User": "?1",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36",
    "sec-ch-ua": '"Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"',
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": '"Windows"',
}

url = "https://xueqiu.com/"

# First request, sent without cookies: the script reads the acw_tc cookie and
# the page body from this response.
first_response = requests.get(url, headers=headers)
page_html = first_response.text
acw_tc = first_response.cookies.get("acw_tc")

# Extract the inline `var arg1='...'` value; None when the page has no such line.
arg1_match = re.search("var arg1='(.*?)';", page_html)
arg1 = arg1_match.group(1) if arg1_match else None

# Load the JavaScript helpers from 1.js and evaluate f(arg1) through execjs.
# The call is made even when arg1 is None.
with open("1.js", mode="r", encoding="utf-8") as js_file:
    js_source = js_file.read()
js_context = execjs.compile(js_source)
result = js_context.call("f", arg1)
print(arg1, result)

# Second request: only sent when both values are present, carrying the two cookies.
if arg1 and result:
    cookies = {"acw_tc": acw_tc, "acw_sc__v2": result}
    second_response = requests.get(url, headers=headers, cookies=cookies)
    second_response.encoding = second_response.apparent_encoding
    print(second_response.text)