【js逆向】poco之sign_code参数加密分析

·  阅读 94

文章内容仅供参考学习,禁止用于商业用途与非法用途,相关接口已经过脱敏处理,由此产生的一切后果均与作者无关,若有侵权,请联系我立即删除

前戏

今天要分析的是网站poco中的sign_code参数分析。

地址:aHR0cHM6Ly93d3cucG9jby5jbi9jYW1lcmFtYW4vcmVjb21tZW5k

接口分析

直接打开network ,刷新页面,对其我们所需要的接口进行分析

image.png

刷新两次页面,对比Fromdata中参数变化,发现ctime,time_point,sign_code发生变化

Fromdata 关键参数分析结果
ctime16开头,长度为14位,疑似时间戳
time_point与ctime前11位相同,疑似时间戳
sign_code密文,可能与时间戳相关

接下来直接搜索sign_code这个关键字发现只有一处js与之相关

image.png

直接点进这个js内部进行,定位到sign_code位置

image.png

此处js代码逻辑并没有经过混淆,比较简单清晰,就是创建了一个payload对象,由此可知而其中的n参数就是我们此次的目标,而n由t()方法得出,直接打一个断点,跟进去调试看,可以看出e就是我们之前在分析接口时payload中的param,然后转换组成新的字符串后传入了t方法,那我们跟下去看t方法内部逻辑

image.png

可以看出已经跳到了另一个js文件,n参数就是我们之前穿进来的参数,接下来就是疯狂一直下一步,直到调试出加密后的sign_code

image.png

image.png

此时,已经执行完加密逻辑,而加密逻辑只涉及到了一个js文件,跳出了t函数,然后经过substr方法取出切割后的字符串,现在,我们整个加密逻辑就已经很清楚。

那我们就得分析sign_code生成逻辑,重新进到刚刚那个js中,具体分析,通过python复现或者扣出相关的js调用相关库去执行加密逻辑代码,我们这里为了方便,选择后者

js代码

function r(n, t) {
    var r = (65535 & n) + (65535 & t)
        , e = (n >> 16) + (t >> 16) + (r >> 16);
    return e << 16 | 65535 & r
};

function e(n, t) {
    return n << t | n >>> 32 - t
};

function u(n, t, u, o, c, f) {
    return r(e(r(r(t, n), r(o, f)), c), u)
};

function o(n, t, r, e, o, c, f) {
    return u(t & r | ~t & e, n, t, o, c, f)
};

function c(n, t, r, e, o, c, f) {
    return u(t & e | r & ~e, n, t, o, c, f)
};

function f(n, t, r, e, o, c, f) {
    return u(t ^ r ^ e, n, t, o, c, f)
};

function i(n, t, r, e, o, c, f) {
    return u(r ^ (t | ~e), n, t, o, c, f)
};

function a(n, t) {
    n[t >> 5] |= 128 << t % 32,
        n[(t + 64 >>> 9 << 4) + 14] = t;
    var e, u, a, h, g, d = 1732584193, l = -271733879, v = -1732584194, s = 271733878;
    for (e = 0; e < n.length; e += 16)
        u = d,
            a = l,
            h = v,
            g = s,
            d = o(d, l, v, s, n[e], 7, -680876936),
            s = o(s, d, l, v, n[e + 1], 12, -389564586),
            v = o(v, s, d, l, n[e + 2], 17, 606105819),
            l = o(l, v, s, d, n[e + 3], 22, -1044525330),
            d = o(d, l, v, s, n[e + 4], 7, -176418897),
            s = o(s, d, l, v, n[e + 5], 12, 1200080426),
            v = o(v, s, d, l, n[e + 6], 17, -1473231341),
            l = o(l, v, s, d, n[e + 7], 22, -45705983),
            d = o(d, l, v, s, n[e + 8], 7, 1770035416),
            s = o(s, d, l, v, n[e + 9], 12, -1958414417),
            v = o(v, s, d, l, n[e + 10], 17, -42063),
            l = o(l, v, s, d, n[e + 11], 22, -1990404162),
            d = o(d, l, v, s, n[e + 12], 7, 1804603682),
            s = o(s, d, l, v, n[e + 13], 12, -40341101),
            v = o(v, s, d, l, n[e + 14], 17, -1502002290),
            l = o(l, v, s, d, n[e + 15], 22, 1236535329),
            d = c(d, l, v, s, n[e + 1], 5, -165796510),
            s = c(s, d, l, v, n[e + 6], 9, -1069501632),
            v = c(v, s, d, l, n[e + 11], 14, 643717713),
            l = c(l, v, s, d, n[e], 20, -373897302),
            d = c(d, l, v, s, n[e + 5], 5, -701558691),
            s = c(s, d, l, v, n[e + 10], 9, 38016083),
            v = c(v, s, d, l, n[e + 15], 14, -660478335),
            l = c(l, v, s, d, n[e + 4], 20, -405537848),
            d = c(d, l, v, s, n[e + 9], 5, 568446438),
            s = c(s, d, l, v, n[e + 14], 9, -1019803690),
            v = c(v, s, d, l, n[e + 3], 14, -187363961),
            l = c(l, v, s, d, n[e + 8], 20, 1163531501),
            d = c(d, l, v, s, n[e + 13], 5, -1444681467),
            s = c(s, d, l, v, n[e + 2], 9, -51403784),
            v = c(v, s, d, l, n[e + 7], 14, 1735328473),
            l = c(l, v, s, d, n[e + 12], 20, -1926607734),
            d = f(d, l, v, s, n[e + 5], 4, -378558),
            s = f(s, d, l, v, n[e + 8], 11, -2022574463),
            v = f(v, s, d, l, n[e + 11], 16, 1839030562),
            l = f(l, v, s, d, n[e + 14], 23, -35309556),
            d = f(d, l, v, s, n[e + 1], 4, -1530992060),
            s = f(s, d, l, v, n[e + 4], 11, 1272893353),
            v = f(v, s, d, l, n[e + 7], 16, -155497632),
            l = f(l, v, s, d, n[e + 10], 23, -1094730640),
            d = f(d, l, v, s, n[e + 13], 4, 681279174),
            s = f(s, d, l, v, n[e], 11, -358537222),
            v = f(v, s, d, l, n[e + 3], 16, -722521979),
            l = f(l, v, s, d, n[e + 6], 23, 76029189),
            d = f(d, l, v, s, n[e + 9], 4, -640364487),
            s = f(s, d, l, v, n[e + 12], 11, -421815835),
            v = f(v, s, d, l, n[e + 15], 16, 530742520),
            l = f(l, v, s, d, n[e + 2], 23, -995338651),
            d = i(d, l, v, s, n[e], 6, -198630844),
            s = i(s, d, l, v, n[e + 7], 10, 1126891415),
            v = i(v, s, d, l, n[e + 14], 15, -1416354905),
            l = i(l, v, s, d, n[e + 5], 21, -57434055),
            d = i(d, l, v, s, n[e + 12], 6, 1700485571),
            s = i(s, d, l, v, n[e + 3], 10, -1894986606),
            v = i(v, s, d, l, n[e + 10], 15, -1051523),
            l = i(l, v, s, d, n[e + 1], 21, -2054922799),
            d = i(d, l, v, s, n[e + 8], 6, 1873313359),
            s = i(s, d, l, v, n[e + 15], 10, -30611744),
            v = i(v, s, d, l, n[e + 6], 15, -1560198380),
            l = i(l, v, s, d, n[e + 13], 21, 1309151649),
            d = i(d, l, v, s, n[e + 4], 6, -145523070),
            s = i(s, d, l, v, n[e + 11], 10, -1120210379),
            v = i(v, s, d, l, n[e + 2], 15, 718787259),
            l = i(l, v, s, d, n[e + 9], 21, -343485551),
            d = r(d, u),
            l = r(l, a),
            v = r(v, h),
            s = r(s, g);
    return [d, l, v, s]
};

function h(n) {
    var t, r = "";
    for (t = 0; t < 32 * n.length; t += 8)
        r += String.fromCharCode(n[t >> 5] >>> t % 32 & 255);
    return r
};

function g(n) {
    var t, r = [];
    for (r[(n.length >> 2) - 1] = void 0,
             t = 0; t < r.length; t += 1)
        r[t] = 0;
    for (t = 0; t < 8 * n.length; t += 8)
        r[t >> 5] |= (255 & n.charCodeAt(t / 8)) << t % 32;
    return r
};

function d(n) {
    return h(a(g(n), 8 * n.length))
};

function l(n, t) {
    var r, e, u = g(n), o = [], c = [];
    for (o[15] = c[15] = void 0,
         u.length > 16 && (u = a(u, 8 * n.length)),
             r = 0; 16 > r; r += 1)
        o[r] = 909522486 ^ u[r],
            c[r] = 1549556828 ^ u[r];
    return e = a(o.concat(g(t)), 512 + 8 * t.length),
        h(a(c.concat(e), 640))
};

function v(n) {
    var t, r, e = "0123456789abcdef", u = "";
    for (r = 0; r < n.length; r += 1)
        t = n.charCodeAt(r),
            u += e.charAt(t >>> 4 & 15) + e.charAt(15 & t);
    return u
};

function s(n) {
    return unescape(encodeURIComponent(n))
};

function C(n) {
    return d(s(n))
};

function A(n) {
    return v(C(n))
};

function m(n, t) {
    return l(s(n), s(t))
};

function p(n, t) {
    return v(m(n, t))
};

function b(n, t, r) {
    return t ? r ? m(t, n) : p(t, n) : r ? C(n) : A(n)
};

# get_sign()为自定义方法
function get_sign(e) {
    var o = JSON.stringify(e);
    var sign = b("poco_" + o + "_app");
    sign = sign.substr(5, 19);
    return sign
}
复制代码

python测试代码

import requests
import execjs


def encrypt(param):
    '''
    通过execjs库 调用相关js 获取加密后的密文
    :return:
    '''
    with open('encrypt_poco.js')as fp:
        encrypt_js = fp.read()
    ctx = execjs.compile(encrypt_js)
    enc_sign = ctx.call('get_sign', param)
    return enc_sign


if __name__ == '__main__':
    param = {"start": 0, "length": 20, "time_point": 1641813425, "recommend_type": "editor"}
    res = encrypt(param)
    print(res)
复制代码

效果

image.png

image.png

尾声

好了,以上就是此次全部分析过程

我是XinCheng,生死看淡、不服就干

记录爬虫的摸爬滚打

分类:
后端
标签:
分类:
后端
标签:
收藏成功!
已添加到「」, 点击更改