Reversing the request encryption/decryption of www.dianyuan.com

Taking the login request as the example:

Captured request:

POST /user/v1/login HTTP/1.1
Host: newapi.dianyuan.com
Connection: keep-alive
Content-Length: 104
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
access-token:
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, /
client-type: web
sign: w7ws7xOy5qUVWA7aqSswnb7lJP7ZjFBQLyf2v2z8EGCRpSdk3TwATcAXaHXay7UUL8GbjvwdxtPrVpvEApZTa96fdljtHc36kSx7szojrjzGGpLgqqPZMpJcoT8OpRKuZFmXPw59DvIG/RaFULFhqA==
sec-ch-ua-platform: "Windows"
Origin: https://www.dianyuan.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.dianyuan.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8
Cookie: __yjs_duid=1_c2e52019f6147e1e163e8ff16491d2401667047888112; __gads=ID=67991659b54dbb6f-22856a7e93d700fa:T=1667047890:RT=1667047890:S=ALNI_MaV2gIZUhyPjEFyAmnxAwGhw4TGtg; __gpi=UID=00000b6fa0fafc68:T=1667047890:RT=1667047890:S=ALNI_MYuVCMVioJkr3_ZHs-5FC3Qi_hhcg; _gid=GA1.2.1193200286.1667047887; Hm_lvt_dd2486feb652190c6d492457baf80d7b=1667048090; _gat_gtag_UA_39990293_1=1; _ga_W633JEXTK7=GS1.1.1667047886.1.1.1667048118.0.0.0; Hm_lpvt_dd2486feb652190c6d492457baf80d7b=1667048119; _ga=GA1.2.1596519636.1667047886

{"type":3,"account":"Np9OqT8tgRwKv4cs8FBYKA==","credential":"tQJoCzU/YCh2+DZmH5Ttuw==","area_code":"86"}

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 29 Oct 2022 12:55:38 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Vary: Accept-Encoding
Access-Control-Allow-Origin: https://www.dianyuan.com
Access-Control-Allow-Headers: Authorization,Content-Type,If-Match,If-Modified-Since,If-None-Match,If-Unmodified-Since,X-Requested-With,client-type,access-token,sign,eestarsign,eestarparam
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
Content-Encoding: gzip
Connection: keep-alive

{"code":403,"msg":"验证码错误","data":[]}

From this we can see that both the account and the verification code are encrypted before being sent.

In this write-up we reverse the encryption of the account field.

Search the front-end JavaScript for the request path: /user/v1/login

This locates the login request function:


function h(n) {
    // Wrapper around the app's HTTP client (a["a"]); n is the login
    // payload, which is already encrypted by the time it reaches here
    return Object(a["a"])({
        url: "user/v1/login",
        method: "post",
        data: n
    })
}

A breakpoint on this function shows that its parameter is already encrypted, so the encryption happens earlier. Walking back up the call stack, we find the place where the account is encrypted:


loginSubmit: function() {
    var n = this;
    this.submitBtnWord = "正在登录",
    this.submitBtnLoading = !0,
    this.$parent.login({
        type: this.$config.login.type_mobile,
        // account (mobile number) and verification code are encrypted
        // here, before the request body is built
        account: s["a"].aesEncrypt(this.mobile),
        credential: s["a"].aesEncrypt(this.code),
        area_code: this.areaCode
    }).then((function(e) {
        n.submitBtnWord = "立即登录",
        n.submitBtnLoading = !1
    })).catch((function() {
        n.submitBtnWord = "立即登录",
        n.submitBtnLoading = !1
    }))
}

So the encryption function is s["a"].aesEncrypt.

Step into the function to view its code:


var a = t("3452")                // webpack module: crypto-js
  , o = t.n(a)
  , c = "sgy459sf03#$5^&b"       // hard-coded key (16 bytes, i.e. AES-128)
  , i = "1234567890123456"       // hard-coded IV (16 bytes)
  , l = function(n) {            // exported as aesEncrypt
    var e = o.a.enc.Utf8.parse(c)
      , t = o.a.enc.Utf8.parse(n)
      , a = o.a.AES.encrypt(t, e, {
        mode: o.a.mode.CBC,
        padding: o.a.pad.Pkcs7,
        iv: o.a.enc.Utf8.parse(i)
    });
    return a.toString()          // base64 of the raw ciphertext
}

At first glance this is AES in CBC mode with PKCS7 padding, key: sgy459sf03#$5^&b, IV: 1234567890123456.

Verify it with this key and IV:


.版本 2
.支持库 spec

' AES-CBC with PKCS7 padding, key and IV taken from the JS, result base64-encoded
result = 编码_BASE64编码 (对称加密 (到字节集 (“15512345678”), 到字节集 (“sgy459sf03#$5^&b”), #对称算法_AES_CBC, #数据填充_PKCS7_PADDING, 到字节集 (“1234567890123456”)))
调试输出 (result)


Output: “Np9OqT8tgRwKv4cs8FBYKA==”    // identical to the captured value

This confirms that the account encryption scheme has been fully recovered:

AES, CBC mode, key: sgy459sf03#$5^&b, IV: 1234567890123456

----------------------------------------------------------------------------------------------------
The content of this article is for technical discussion and research only; any other use is prohibited!
If the relevant parties consider this content unsuitable for publication, please contact the site owner to have it removed!
----------------------------------------------------------------------------------------------------