以登录为例:
抓包结果:
POST /user/v1/login HTTP/1.1
Host: newapi.dianyuan.com
Connection: keep-alive
Content-Length: 104
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
access-token:
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, /
client-type: web
sign: w7ws7xOy5qUVWA7aqSswnb7lJP7ZjFBQLyf2v2z8EGCRpSdk3TwATcAXaHXay7UUL8GbjvwdxtPrVpvEApZTa96fdljtHc36kSx7szojrjzGGpLgqqPZMpJcoT8OpRKuZFmXPw59DvIG/RaFULFhqA==
sec-ch-ua-platform: "Windows"
Origin: https://www.dianyuan.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.dianyuan.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8
Cookie: __yjs_duid=1_c2e52019f6147e1e163e8ff16491d2401667047888112; __gads=ID=67991659b54dbb6f-22856a7e93d700fa:T=1667047890:RT=1667047890:S=ALNI_MaV2gIZUhyPjEFyAmnxAwGhw4TGtg; __gpi=UID=00000b6fa0fafc68:T=1667047890:RT=1667047890:S=ALNI_MYuVCMVioJkr3_ZHs-5FC3Qi_hhcg; _gid=GA1.2.1193200286.1667047887; Hm_lvt_dd2486feb652190c6d492457baf80d7b=1667048090; _gat_gtag_UA_39990293_1=1; _ga_W633JEXTK7=GS1.1.1667047886.1.1.1667048118.0.0.0; Hm_lpvt_dd2486feb652190c6d492457baf80d7b=1667048119; _ga=GA1.2.1596519636.1667047886
{"type":3,"account":"Np9OqT8tgRwKv4cs8FBYKA==","credential":"tQJoCzU/YCh2+DZmH5Ttuw==","area_code":"86"}
返回:
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 29 Oct 2022 12:55:38 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Vary: Accept-Encoding
Access-Control-Allow-Origin: https://www.dianyuan.com
Access-Control-Allow-Headers: Authorization,Content-Type,If-Match,If-Modified-Since,If-None-Match,If-Unmodified-Since,X-Requested-With,client-type,access-token,sign,eestarsign,eestarparam
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
Content-Encoding: gzip
Connection: keep-alive
{"code":403,"msg":"验证码错误","data":[]}
可知:帐号被加密、验证码被加密
我们此次以帐号加密算法逆向来分析。
搜索请求路径:/user/v1/login
可知:登录方法如下:
2
3
4
5
6
7
return Object(a["a"])({
url: "user/v1/login",
method: "post",
data: n
})
}
通过断点参数可知:加密方法在前面。追踪调用堆栈逆向,找到帐号加密的地方:
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
var n = this;
this.submitBtnWord = "正在登录",
this.submitBtnLoading = !0,
this.$parent.login({
type: this.$config.login.type_mobile,
account: s["a"].aesEncrypt(this.mobile),
credential: s["a"].aesEncrypt(this.code),
area_code: this.areaCode
}).then((function(e) {
n.submitBtnWord = "立即登录",
n.submitBtnLoading = !1
}
)).catch((function() {
n.submitBtnWord = "立即登录",
n.submitBtnLoading = !1
}
))
}
可知加密方法为:s["a"].aesEncrypt
进入方法内部查看代码:
2
3
4
5
6
7
8
9
10
11
12
13
14
, o = t.n(a)
, c = "sgy459sf03#$5^&b"
, i = "1234567890123456"
, l = function(n) {
var e = o.a.enc.Utf8.parse(c)
, t = o.a.enc.Utf8.parse(n)
, a = o.a.AES.encrypt(t, e, {
mode: o.a.mode.CBC,
padding: o.a.pad.Pkcs7,
iv: o.a.enc.Utf8.parse(i)
});
return a.toString()
}
初步来看,是aes加密,模式CBC,key:sgy459sf03#$5^&b,iv:1234567890123456
拿着该密钥和iv去验证:
2
3
4
5
6
7
8
.支持库 spec
result = 编码_BASE64编码 (对称加密 (到字节集 (“15512345678”), 到字节集 (“sgy459sf03#$5^&b”), #对称算法_AES_CBC, #数据填充_PKCS7_PADDING, 到字节集 (“1234567890123456”)))
调试输出 (result)
输出:“Np9OqT8tgRwKv4cs8FBYKA==” //与抓包结果相同
因此可以确认最终帐号加密方式已经破解成功:
AES,CBC,密钥:sgy459sf03#$5^&b,偏移:1234567890123456