AES加密算法

随手记3

本文章仅作学习参考使用,不做其他使用。

网站:aHR0cHM6Ly9wYXNzcG9ydC5rb25nemhvbmcuY29tL2xvZ2lu

登录后,抓包得到返回的加密password;

这里有两种方法定位加密位置:

第一种:采用传统的Search搜索,定位位置;

这里搜出来6个,先排除3、5、6,剩余3个,最后找到第4个,是eval 加密:

(js中的eval()方法是一个js代码执行器,它会把传入的字符串参数按照JavaScript语法解析并执行。所谓“eval加密”,就是把原本的js代码按特定格式编码成字符串,再作为eval的参数,运行时还原并执行;它本质上是一种代码混淆/打包,而不是真正意义上的加密。)

全选代码后复制到解码软件中进行eval解码,就能得出下面解码后数据了;

/**
 * KZLoginHandler: the login agent object recovered from the site's
 * eval-packed script. It caches the last server response (j_data), builds
 * the query string for each login type and sends it to
 * loginServer + "/ajaxLogin" through jQuery.ajax as a JSONP request.
 *
 * Review notes, based on this listing only:
 *  - encrypt() is a byte-wise XOR against a linear congruential generator
 *    whose state derives from the server-supplied "dc" value and a salt that
 *    is appended to the output in the clear. The page title calls it AES;
 *    nothing here is AES, and it should be treated as obfuscation, not as
 *    protection for the password in transit.
 *  - loginServer uses the http scheme.
 *  - login_reg() appends the password without calling encrypt().
 *  - Request parameters are concatenated without encodeURIComponent.
 */
var KZLoginHandler = {
'id': 'kongzhong-login-agent',
// NOTE(review): plain-http base URL; every request built below targets it.
// Whether the transport is upgraded to TLS elsewhere is not visible here.
'loginServer': 'http://sso.kongzhong.com',
'service': '',
'targetService': '',
// Last response object stored by jsonpCallbackKongZ (null until then).
'j_data': null,
// Callback to hand the processed result to; set by check/login*.
'f_call_back': null,
// Date.parse(new Date()) at the time of the last response, in ms.
'timestamp': 0,
// Gate read by exec_login: no request is issued while this is false.
'completed': false,
// When truthy, "&renew=1" is added to every request.
'renew': false,
// Reset the cached response, callback and timestamp, and open the gate.
'init': function() {
    this.j_data = null;
    this.f_call_back = null;
    this.timestamp = 0;
    this.completed = true;
},
// Status probe: resets state, stores call_back and sends "jsonp=j" plus the
// optional service/targetService/renew parameters.
'check': function(call_back) {
    this.init();
    this.f_call_back = call_back;
    var param = "jsonp=j";
    // NOTE(review): the value is passed through decodeURIComponent, not
    // encodeURIComponent, so "&" or "=" inside it would change the query
    // string. Where service/targetService are assigned is not shown here.
    if (this.service != null && jQuery.trim(this.service) != "") {
        param += "&service=" + decodeURIComponent(this.service)
    };
    if (this.targetService != null && jQuery.trim(this.targetService) != "") {
        param += "&targetService=" + decodeURIComponent(this.targetService)
    };
    if (this.renew) {
        param += "&renew=1"
    };
    this.exec_login(param)
},
// Send `param` to the login endpoint, or answer from the cached response.
// Returns false when it does not send; otherwise returns undefined.
'exec_login': function(param) {
    if (this.completed == false) {
        return false
    };
    // A cached response with state "1" is replayed to the callback and no
    // request is made.
    if (this.j_data != null && this.j_data["state"] == "1") {
        var data = {};
        data["user"] = this.j_data["user"];
        data["service"] = this.j_data["service"];
        data["logged"] = true;
        data["dc"] = this.j_data["dc"];
        this.f_call_back(data);
        return false
    };
    var url = this.loginServer + "/ajaxLogin";
    // NOTE(review): with dataType 'jsonp' jQuery normally loads the URL via a
    // script tag, in which case `type: 'post'` and `async: false` have no
    // effect and `param` (including the password field) ends up in the URL.
    // Confirm against the captured request.
    // The response is expected to call a global function named "j"; that
    // function is not part of this listing (presumably it forwards to
    // jsonpCallbackKongZ; verify).
    jQuery.ajax({
        async: false,
        url: url,
        type: 'post',
        dataType: 'jsonp',
        jsonp: 'j',
        data: param,
        jsonpCallback: "j",
        timeout: 5000,
        // Both handlers are empty: transport errors are silently dropped.
        success: function(json) {},
        error: function(xhr) {}
    })
},
// Response handler: caches vData, stamps the time and, if a callback is
// registered, passes it a normalized result object.
'jsonpCallbackKongZ': function(vData) {
    this.j_data = vData;
    this.timestamp = Date.parse(new Date());
    if (this.f_call_back != null) {
        var data = {};
        // state "0": not logged in; forward the message and captcha flag.
        if (vData["state"] == "0") {
            data["service"] = vData["service"];
            data["logged"] = false;
            data["errors"] = vData["kzmsg"];
            if (vData["requirevcode"] != null && vData["requirevcode"] == "1") {
                data["requirevcode"] = true
            } else {
                data["requirevcode"] = false
            }
        // state "1": logged in; forward the user.
        } else if (vData["state"] == "1") {
            data["user"] = vData["user"];
            data["service"] = vData["service"];
            data["logged"] = true
        };
        // "dc" is forwarded in every case; login() uses it as the key
        // argument of encrypt().
        data["dc"] = this.j_data["dc"];
        this.f_call_back(data)
    };
    this.completed = true
},
// Password login (type=1). The password field is this.encrypt(pwd, dc).
'login': function(user, pwd, to_save, vcode, call_back) {
    // A cached response that is 180 s old or older is discarded.
    var tempTime = Date.parse(new Date()) - this.timestamp;
    if ((tempTime / 1000) >= 180) {
        this.j_data = null
    };
    if (this.j_data == null || this.j_data == "") {
        // No usable response: run check() first. The function below is
        // stored in f_call_back and invoked as this.f_call_back(data), so
        // `this` inside it is the handler object.
        this.check(function(data) {
            this.f_call_back = call_back;
            var param = "";
            param += "&type=1";
            if (this.service != null && jQuery.trim(this.service) != "") {
                param += "&service=" + decodeURIComponent(this.service)
            };
            // NOTE(review): user and vcode are appended without encoding.
            param += "&username=" + user;
            param += "&password=" + this.encrypt(pwd, data["dc"]);
            param += "&vcode=" + vcode;
            if (to_save) {
                param += "&toSave=1"
            } else {
                param += "&toSave=0"
            };
            if (this.targetService != null && jQuery.trim(this.targetService) != "") {
                param += "&targetService=" + decodeURIComponent(this.targetService)
            };
            if (this.renew) {
                param += "&renew=1"
            };
            this.exec_login(param)
        })
    } else {
        // Same parameter string, using "dc" from the cached response.
        this.f_call_back = call_back;
        var param = "";
        param += "&type=1";
        if (this.service != null && jQuery.trim(this.service) != "") {
            param += "&service=" + decodeURIComponent(this.service)
        };
        param += "&username=" + user;
        param += "&password=" + this.encrypt(pwd, this.j_data["dc"]);
        param += "&vcode=" + vcode;
        if (to_save) {
            param += "&toSave=1"
        } else {
            param += "&toSave=0"
        };
        if (this.targetService != null && jQuery.trim(this.targetService) != "") {
            param += "&targetService=" + decodeURIComponent(this.targetService)
        };
        if (this.renew) {
            param += "&renew=1"
        };
        this.exec_login(param)
    }
},
// SMS-code login (type=2): sends smscode instead of a password.
'login_sms': function(user, smscode, to_save, vcode, call_back) {
    var tempTime = Date.parse(new Date()) - this.timestamp;
    if ((tempTime / 1000) >= 180) {
        this.j_data = null
    };
    if (this.j_data == null || this.j_data == "") {
        this.check(function() {
            this.f_call_back = call_back;
            var param = "";
            param += "&type=2";
            // Unlike login(), service is appended unconditionally and
            // without decodeURIComponent.
            param += "&service=" + this.service;
            param += "&username=" + user;
            param += "&vcode=" + vcode;
            param += "&smscode=" + smscode;
            if (to_save) {
                param += "&toSave=1"
            } else {
                param += "&toSave=0"
            };
            if (this.targetService != null) {
                param += "&targetService=" + decodeURIComponent(this.targetService)
            };
            if (this.renew) {
                param += "&renew=1"
            };
            this.exec_login(param)
        })
    } else {
        this.f_call_back = call_back;
        var param = "";
        param += "&type=2";
        param += "&service=" + this.service;
        param += "&username=" + user;
        param += "&vcode=" + vcode;
        param += "&smscode=" + smscode;
        if (to_save) {
            param += "&toSave=1"
        } else {
            param += "&toSave=0"
        };
        if (this.targetService != null) {
            param += "&targetService=" + decodeURIComponent(this.targetService)
        };
        if (this.renew) {
            param += "&renew=1"
        };
        this.exec_login(param)
    }
},
// type=101 request (the name suggests login after registration; not
// confirmed by this listing).
'login_reg': function(user, pwd, to_save, call_back) {
    var tempTime = Date.parse(new Date()) - this.timestamp;
    if ((tempTime / 1000) >= 180) {
        this.j_data = null
    };
    if (this.j_data == null || this.j_data == "") {
        this.check(function() {
            this.f_call_back = call_back;
            var param = "";
            param += "&type=101";
            param += "&service=" + this.service;
            param += "&username=" + user;
            // NOTE(review): pwd is appended as-is; encrypt() is not called
            // on this path.
            param += "&password=" + pwd;
            if (to_save) {
                param += "&toSave=1"
            } else {
                param += "&toSave=0"
            };
            if (this.renew) {
                param += "&renew=1"
            };
            this.exec_login(param)
        })
    } else {
        this.f_call_back = call_back;
        var param = "";
        param += "&type=101";
        param += "&service=" + this.service;
        param += "&username=" + user;
        // NOTE(review): same as above, the password is not transformed.
        param += "&password=" + pwd;
        if (to_save) {
            param += "&toSave=1"
        } else {
            param += "&toSave=0"
        };
        if (this.renew) {
            param += "&renew=1"
        };
        this.exec_login(param)
    }
},
// Obfuscate `str` with a keystream derived from `pwd`.
//   str: text to transform; login() passes the user's password here.
//   pwd: key string; login() passes the server-supplied "dc" value here.
// Returns a lowercase hex string followed by the 8-hex-digit salt, or null
// when pwd is null/empty or the derived multiplier is below 2.
//
// NOTE(review): this is not AES. The generator is a linear congruential
// sequence seeded only from pwd and the salt, and the salt is appended to
// the output unprotected, so the result hides the password only from
// someone who does not know "dc". It adds no confidentiality on its own.
'encrypt': function(str, pwd) {
    if (pwd == null || pwd.length <= 0) {
        return null
    };
    // prand starts as the decimal character codes of pwd, concatenated.
    var prand = "";
    for (var i = 0; i < pwd.length; i++) {
        prand += pwd.charCodeAt(i).toString()
    };
    // Multiplier: up to five digits sampled at even spacing from that string.
    var sPos = Math.floor(prand.length / 5);
    var mult = parseInt(prand.charAt(sPos) + prand.charAt(sPos * 2) + prand.charAt(sPos * 3) + prand.charAt(sPos * 4) + prand.charAt(sPos * 5));
    var incr = Math.ceil(pwd.length / 2);
    var modu = Math.pow(2, 31) - 1;
    if (mult < 2) {
        return null
    };
    // Salt below 100000000, drawn from Math.random(), which is not a
    // cryptographically secure source.
    var salt = Math.round(Math.random() * 1000000000) % 100000000;
    // prand is still a string, so this appends the salt's decimal digits.
    prand += salt;
    // Reduce the digit string to at most 10 characters.
    while (prand.length > 10) {
        var a = prand.substring(0, 1);
        var b = prand.substring(10, prand.length);
        if (b.length > 10) {
            prand = b
        } else {
            prand = (parseInt(a) + parseInt(b)).toString()
        }
    };
    // From here on prand is a number: the first generator step.
    prand = (mult * prand + incr) % modu;
    var enc_chr = "";
    var enc_str = "";
    for (var i = 0; i < str.length; i++) {
        // XOR the UTF-16 code unit with a value in 0..255 scaled from prand.
        enc_chr = parseInt(str.charCodeAt(i) ^ Math.floor((prand / modu) * 255));
        // Pad to two hex digits. A code unit above 255 would yield more than
        // two digits and break the fixed width.
        if (enc_chr < 16) {
            enc_str += "0" + enc_chr.toString(16)
        } else enc_str += enc_chr.toString(16);
        prand = (mult * prand + incr) % modu
    };
    // The salt goes out in the clear as the last 8 hex digits.
    salt = salt.toString(16);
    while (salt.length < 8) salt = "0" + salt;
    enc_str += salt;
    return enc_str
}
};

首先拿到eval解密后的代码后,先搜索一下我们需要的参数,比如password,发现能搜索到,

 this.encrypt(pwd, this.j_data["dc"])   这个东西就是我们需要的加密方法,然后我们直接搜索加密方法的关键字 encrypt ,发现找到了加密方法,并且是一个对象类型,那我们就直接去找它赋值给谁了;

最终找到了赋值给了一个全局变量 KZLoginHandler, 

最后直接调用加密方法:KZLoginHandler.encrypt(str,pwd),

你以为这样就行了吗,如果你用上面的函数执行,结果肯定是错的。这里就需要说明一下前面的问题: this.encrypt(pwd, this.j_data["dc"]) ,这个函数一共需要传2个参数,一个是我们输入的密码,一个是“dc”参数,“dc”参数是data里面的,那我们可以直接回到抓包的位置,找到需要的数据:

 

这里还需要注意,我们调用的加密函数是:KZLoginHandler.encrypt(str,pwd),而站内的加密函数是: this.encrypt(pwd, this.j_data["dc"])。发现有什么不一样的吗?我们自己调用加密函数,里面传的2个参数是(str,pwd);而站内的加密函数传的2个参数是(pwd,this.j_data["dc"]);

这其实只是形参命名不同:encrypt 定义里的第一个形参 str 是待加密的明文(也就是我们输入的密码),第二个形参 pwd 是密钥(也就是“dc”)。所以按照站内的传参方式即可,最终写成这样就行了:

KZLoginHandler.encrypt(pwd,this.j_data["dc"])

############################################################################

第二种定位加密位置方法,采用跟栈的方式:

最终定位到 login 这个栈,发现里面有我们需要的东西:

直接在加密处下断,然后按F8执行到下一个断点,找到了我们的加密位置了;

这里发现加密函数中需要传2个参数,一个是pwd,一个是“dc”,  这没什么问题,已经确认“dc”参数是静态的后,直接传进去就行。  然后跟进加密函数中,发现加密方法是一个对象,那我们就向上找到它赋值给谁了,最后发现是给了这个全局变量 var KZLoginHandler;

那这样就好办了,直接调用就行了:

 

 如有不对的,或是不够详细的,比如细节方面,请各位大佬指点一二。

 

 以下为源码

/**
 * KZLoginHandler: the login agent object recovered from the site's
 * eval-packed script. It caches the last server response (j_data), builds
 * the query string for each login type and sends it to
 * loginServer + "/ajaxLogin" through jQuery.ajax as a JSONP request.
 *
 * Review notes, based on this listing only:
 *  - encrypt() is a byte-wise XOR against a linear congruential generator
 *    whose state derives from the server-supplied "dc" value and a salt that
 *    is appended to the output in the clear. The page title calls it AES;
 *    nothing here is AES, and it should be treated as obfuscation, not as
 *    protection for the password in transit.
 *  - loginServer uses the http scheme.
 *  - login_reg() appends the password without calling encrypt().
 *  - Request parameters are concatenated without encodeURIComponent.
 */
var KZLoginHandler = {
'id': 'kongzhong-login-agent',
// NOTE(review): plain-http base URL; every request built below targets it.
// Whether the transport is upgraded to TLS elsewhere is not visible here.
'loginServer': 'http://sso.kongzhong.com',
'service': '',
'targetService': '',
// Last response object stored by jsonpCallbackKongZ (null until then).
'j_data': null,
// Callback to hand the processed result to; set by check/login*.
'f_call_back': null,
// Date.parse(new Date()) at the time of the last response, in ms.
'timestamp': 0,
// Gate read by exec_login: no request is issued while this is false.
'completed': false,
// When truthy, "&renew=1" is added to every request.
'renew': false,
// Reset the cached response, callback and timestamp, and open the gate.
'init': function() {
    this.j_data = null;
    this.f_call_back = null;
    this.timestamp = 0;
    this.completed = true;
},
// Status probe: resets state, stores call_back and sends "jsonp=j" plus the
// optional service/targetService/renew parameters.
'check': function(call_back) {
    this.init();
    this.f_call_back = call_back;
    var param = "jsonp=j";
    // NOTE(review): the value is passed through decodeURIComponent, not
    // encodeURIComponent, so "&" or "=" inside it would change the query
    // string. Where service/targetService are assigned is not shown here.
    if (this.service != null && jQuery.trim(this.service) != "") {
        param += "&service=" + decodeURIComponent(this.service)
    };
    if (this.targetService != null && jQuery.trim(this.targetService) != "") {
        param += "&targetService=" + decodeURIComponent(this.targetService)
    };
    if (this.renew) {
        param += "&renew=1"
    };
    this.exec_login(param)
},
// Send `param` to the login endpoint, or answer from the cached response.
// Returns false when it does not send; otherwise returns undefined.
'exec_login': function(param) {
    if (this.completed == false) {
        return false
    };
    // A cached response with state "1" is replayed to the callback and no
    // request is made.
    if (this.j_data != null && this.j_data["state"] == "1") {
        var data = {};
        data["user"] = this.j_data["user"];
        data["service"] = this.j_data["service"];
        data["logged"] = true;
        data["dc"] = this.j_data["dc"];
        this.f_call_back(data);
        return false
    };
    var url = this.loginServer + "/ajaxLogin";
    // NOTE(review): with dataType 'jsonp' jQuery normally loads the URL via a
    // script tag, in which case `type: 'post'` and `async: false` have no
    // effect and `param` (including the password field) ends up in the URL.
    // Confirm against the captured request.
    // The response is expected to call a global function named "j"; that
    // function is not part of this listing (presumably it forwards to
    // jsonpCallbackKongZ; verify).
    jQuery.ajax({
        async: false,
        url: url,
        type: 'post',
        dataType: 'jsonp',
        jsonp: 'j',
        data: param,
        jsonpCallback: "j",
        timeout: 5000,
        // Both handlers are empty: transport errors are silently dropped.
        success: function(json) {},
        error: function(xhr) {}
    })
},
// Response handler: caches vData, stamps the time and, if a callback is
// registered, passes it a normalized result object.
'jsonpCallbackKongZ': function(vData) {
    this.j_data = vData;
    this.timestamp = Date.parse(new Date());
    if (this.f_call_back != null) {
        var data = {};
        // state "0": not logged in; forward the message and captcha flag.
        if (vData["state"] == "0") {
            data["service"] = vData["service"];
            data["logged"] = false;
            data["errors"] = vData["kzmsg"];
            if (vData["requirevcode"] != null && vData["requirevcode"] == "1") {
                data["requirevcode"] = true
            } else {
                data["requirevcode"] = false
            }
        // state "1": logged in; forward the user.
        } else if (vData["state"] == "1") {
            data["user"] = vData["user"];
            data["service"] = vData["service"];
            data["logged"] = true
        };
        // "dc" is forwarded in every case; login() uses it as the key
        // argument of encrypt().
        data["dc"] = this.j_data["dc"];
        this.f_call_back(data)
    };
    this.completed = true
},
// Password login (type=1). The password field is this.encrypt(pwd, dc).
'login': function(user, pwd, to_save, vcode, call_back) {
    // A cached response that is 180 s old or older is discarded.
    var tempTime = Date.parse(new Date()) - this.timestamp;
    if ((tempTime / 1000) >= 180) {
        this.j_data = null
    };
    if (this.j_data == null || this.j_data == "") {
        // No usable response: run check() first. The function below is
        // stored in f_call_back and invoked as this.f_call_back(data), so
        // `this` inside it is the handler object.
        this.check(function(data) {
            this.f_call_back = call_back;
            var param = "";
            param += "&type=1";
            if (this.service != null && jQuery.trim(this.service) != "") {
                param += "&service=" + decodeURIComponent(this.service)
            };
            // NOTE(review): user and vcode are appended without encoding.
            param += "&username=" + user;
            param += "&password=" + this.encrypt(pwd, data["dc"]);
            param += "&vcode=" + vcode;
            if (to_save) {
                param += "&toSave=1"
            } else {
                param += "&toSave=0"
            };
            if (this.targetService != null && jQuery.trim(this.targetService) != "") {
                param += "&targetService=" + decodeURIComponent(this.targetService)
            };
            if (this.renew) {
                param += "&renew=1"
            };
            this.exec_login(param)
        })
    } else {
        // Same parameter string, using "dc" from the cached response.
        this.f_call_back = call_back;
        var param = "";
        param += "&type=1";
        if (this.service != null && jQuery.trim(this.service) != "") {
            param += "&service=" + decodeURIComponent(this.service)
        };
        param += "&username=" + user;
        param += "&password=" + this.encrypt(pwd, this.j_data["dc"]);
        param += "&vcode=" + vcode;
        if (to_save) {
            param += "&toSave=1"
        } else {
            param += "&toSave=0"
        };
        if (this.targetService != null && jQuery.trim(this.targetService) != "") {
            param += "&targetService=" + decodeURIComponent(this.targetService)
        };
        if (this.renew) {
            param += "&renew=1"
        };
        this.exec_login(param)
    }
},
// SMS-code login (type=2): sends smscode instead of a password.
'login_sms': function(user, smscode, to_save, vcode, call_back) {
    var tempTime = Date.parse(new Date()) - this.timestamp;
    if ((tempTime / 1000) >= 180) {
        this.j_data = null
    };
    if (this.j_data == null || this.j_data == "") {
        this.check(function() {
            this.f_call_back = call_back;
            var param = "";
            param += "&type=2";
            // Unlike login(), service is appended unconditionally and
            // without decodeURIComponent.
            param += "&service=" + this.service;
            param += "&username=" + user;
            param += "&vcode=" + vcode;
            param += "&smscode=" + smscode;
            if (to_save) {
                param += "&toSave=1"
            } else {
                param += "&toSave=0"
            };
            if (this.targetService != null) {
                param += "&targetService=" + decodeURIComponent(this.targetService)
            };
            if (this.renew) {
                param += "&renew=1"
            };
            this.exec_login(param)
        })
    } else {
        this.f_call_back = call_back;
        var param = "";
        param += "&type=2";
        param += "&service=" + this.service;
        param += "&username=" + user;
        param += "&vcode=" + vcode;
        param += "&smscode=" + smscode;
        if (to_save) {
            param += "&toSave=1"
        } else {
            param += "&toSave=0"
        };
        if (this.targetService != null) {
            param += "&targetService=" + decodeURIComponent(this.targetService)
        };
        if (this.renew) {
            param += "&renew=1"
        };
        this.exec_login(param)
    }
},
// type=101 request (the name suggests login after registration; not
// confirmed by this listing).
'login_reg': function(user, pwd, to_save, call_back) {
    var tempTime = Date.parse(new Date()) - this.timestamp;
    if ((tempTime / 1000) >= 180) {
        this.j_data = null
    };
    if (this.j_data == null || this.j_data == "") {
        this.check(function() {
            this.f_call_back = call_back;
            var param = "";
            param += "&type=101";
            param += "&service=" + this.service;
            param += "&username=" + user;
            // NOTE(review): pwd is appended as-is; encrypt() is not called
            // on this path.
            param += "&password=" + pwd;
            if (to_save) {
                param += "&toSave=1"
            } else {
                param += "&toSave=0"
            };
            if (this.renew) {
                param += "&renew=1"
            };
            this.exec_login(param)
        })
    } else {
        this.f_call_back = call_back;
        var param = "";
        param += "&type=101";
        param += "&service=" + this.service;
        param += "&username=" + user;
        // NOTE(review): same as above, the password is not transformed.
        param += "&password=" + pwd;
        if (to_save) {
            param += "&toSave=1"
        } else {
            param += "&toSave=0"
        };
        if (this.renew) {
            param += "&renew=1"
        };
        this.exec_login(param)
    }
},
// Obfuscate `str` with a keystream derived from `pwd`.
//   str: text to transform; login() passes the user's password here.
//   pwd: key string; login() passes the server-supplied "dc" value here.
// Returns a lowercase hex string followed by the 8-hex-digit salt, or null
// when pwd is null/empty or the derived multiplier is below 2.
//
// NOTE(review): this is not AES. The generator is a linear congruential
// sequence seeded only from pwd and the salt, and the salt is appended to
// the output unprotected, so the result hides the password only from
// someone who does not know "dc". It adds no confidentiality on its own.
'encrypt': function(str, pwd) {
    if (pwd == null || pwd.length <= 0) {
        return null
    };
    // prand starts as the decimal character codes of pwd, concatenated.
    var prand = "";
    for (var i = 0; i < pwd.length; i++) {
        prand += pwd.charCodeAt(i).toString()
    };
    // Multiplier: up to five digits sampled at even spacing from that string.
    var sPos = Math.floor(prand.length / 5);
    var mult = parseInt(prand.charAt(sPos) + prand.charAt(sPos * 2) + prand.charAt(sPos * 3) + prand.charAt(sPos * 4) + prand.charAt(sPos * 5));
    var incr = Math.ceil(pwd.length / 2);
    var modu = Math.pow(2, 31) - 1;
    if (mult < 2) {
        return null
    };
    // Salt below 100000000, drawn from Math.random(), which is not a
    // cryptographically secure source.
    var salt = Math.round(Math.random() * 1000000000) % 100000000;
    // prand is still a string, so this appends the salt's decimal digits.
    prand += salt;
    // Reduce the digit string to at most 10 characters.
    while (prand.length > 10) {
        var a = prand.substring(0, 1);
        var b = prand.substring(10, prand.length);
        if (b.length > 10) {
            prand = b
        } else {
            prand = (parseInt(a) + parseInt(b)).toString()
        }
    };
    // From here on prand is a number: the first generator step.
    prand = (mult * prand + incr) % modu;
    var enc_chr = "";
    var enc_str = "";
    for (var i = 0; i < str.length; i++) {
        // XOR the UTF-16 code unit with a value in 0..255 scaled from prand.
        enc_chr = parseInt(str.charCodeAt(i) ^ Math.floor((prand / modu) * 255));
        // Pad to two hex digits. A code unit above 255 would yield more than
        // two digits and break the fixed width.
        if (enc_chr < 16) {
            enc_str += "0" + enc_chr.toString(16)
        } else enc_str += enc_chr.toString(16);
        prand = (mult * prand + incr) % modu
    };
    // The salt goes out in the clear as the last 8 hex digits.
    salt = salt.toString(16);
    while (salt.length < 8) salt = "0" + salt;
    enc_str += salt;
    return enc_str
}
};

