
JS reverse case: cracking login password

2022-06-26 00:55:00 Algorithm channel

I am not a professional IT worker, but I am very interested in Python crawlers. I watched Teacher zhen's Python full-stack live course on TikTok and decisively joined Teacher zhen's VIP family; submitting articles to Teacher zhen also earns money, 50 yuan each.

Without further ado, let's get to the subject. I have recently been studying JS reverse engineering, and because I previously wrote 12306 automatic ticket-grabbing software, I have a soft spot for 12306 🤭. Below I walk through how to reproduce the encryption applied to the password parameter of the 12306 user login request.

First, open the 12306 login page and start a capture tool (the browser's developer tools are enough). Enter a user name and a deliberately wrong password (for example 123456), click the login button and complete the slider captcha. Among the Ajax requests, open the login request and inspect its body: the password field is not sent in plaintext but as an encrypted value. So we need to locate the JS code that performs the encryption, work out how it works, and reimplement it in Python.


Step 1: click the arrow icon in the upper right corner of the developer tools to open its menu. Step 2: find Search and click it; a search box appears at the bottom of the panel. Step 3: type password into the search box. Step 4: click the search button next to it. Every file containing the keyword password is now listed; open each file in turn, from top to bottom, and look for the place where password is passed to an encryption routine.


After searching through the hits, the encryption of password turns out to be in the second file. Find the corresponding JS code there and set a breakpoint on it.


With the breakpoint set, enter the user name and password again and click login. The browser now pauses at the breakpoint.


Now look closely at this line of JS. The final parameter value is "@" concatenated with the return value of an encryption function. The first argument of that function is obviously the plaintext password we typed (123456); the second is a key that is fixed in the script as SM4_key = "tiekeyuankp12306". The original post calls this a public key, but SM4 is a symmetric block cipher: this is a hard-coded symmetric key shipped inside the client script, so anyone who reads the script can both produce and decrypt these values. The scheme hides the password from a casual look at the request body, not from an attacker; confidentiality on the wire comes from TLS. Knowing this, we can wrap the call in a small JS function:

function getpwd(p) {
    // Hard-coded SM4 key found in the 12306 login script
    var SM4_key = 'tiekeyuankp12306';
    // SM4-ECB encrypt the plaintext password and prefix the result with "@"
    return '@' + encrypt_ecb(p, SM4_key);
}
console.log(getpwd('123456'));

Next we need the implementation of encrypt_ecb. Hover over the function name and click through to its definition; this takes us into a file of cryptographic routines that contains all of the encryption code.


Analysis shows that this file contains exactly the encryption and decryption routines we need, and it is only 300-odd lines, so we can copy it out in full and paste it above the wrapper function we just wrote. Running the combined code then fails with the error base64js is not defined. Following the rule "whatever is missing, add it", we go and fetch the code for base64js.


Search for base64js in the same way as before. There is a file named base64js of only 100-odd lines; copy it in full to the top of the code and run again. It still fails with the same error: base64js is not defined.

Now a reader might ask: I copied all of base64js in, why doesn't it work? The base64js object in that file is not exposed as a plain global, so the code we extracted cannot see it; bundled scripts commonly keep such objects in module scope rather than on window. Reading the error more carefully, the fromByteArray method of base64js is the minified function P. Replacing every use with P alone is not enough either: we then get the error P is not defined.

The way out is to replace base64js entirely. First copy the P function to the top of the code, then replace base64js.fromByteArray(outArray) with P(outArray) and run. That reports l is not defined, so find the l function, copy it to the top as well, and run again, repeating the "whatever is missing, add it" process until nothing is reported missing.


Finally, run the completed code; the result is as follows:


Package the JS code into a JS file. Python's execjs package (PyExecJS, which needs a JS runtime such as Node.js installed) can run the JS code and call the getpwd function in the file directly. The Python code is:

import execjs

# Load the extracted JS (SM4 routines plus getpwd) and compile it with the JS runtime
with open(r"test2.js", encoding='utf-8') as f:
    source = f.read()
ctx = execjs.compile(source)

# Call getpwd('123456'); returns the value the browser sends as the password field
password = ctx.call('getpwd', '123456')
print(password)

When starting out in JS reverse engineering, don't just skim the code: learn to actually read and analyze the JS, begin with simple cases, and build up experience. Encrypted parameters will gradually become easier and easier to handle.


Copyright notice
This article was written by [Algorithm channel]; if you repost it, please include a link to the original. Thanks.
https://yzsam.com/2022/177/202206252243419081.html