[JS reverse series] analysis of a customs publicity platform

1. Sample address

aHR0cDovL2NyZWRpdC5jdXN0b21zLmdvdi5jbi9jY3Bwd2Vic2VydmVyL3BhZ2VzL2NjcHAvaHRtbC9kZWNsQ29tcGFueS5odG1s

2. Anti debugging

Use traceless windows , open f12 Open web page after . Find yourself stopping at the breakpoint

Look on the call stack net , This confusion of formats is used ob confusion , use first ast hold 【SwCaHu_p.js】 and 【menuManger.js】 These two files are anti aliased . The anti confusion method is in the front AST The series of articles talks about , I'll skip it here .

After anti aliasing , Use Fiddler.exe Capture packets and automatically respond to these two js file , Try opening the web page again .

3. Page analysis

After anti confusion, there will be no infinity debugger The situation of the , But then the slider appears . First, manually slide on the web page

If the slider passes ,code by 0, Then you get 【csessionid】 and 【value】. Then these two values are used for the next interface request , Under normal circumstances, there will be a 307 Response , And then you get a 【acw_sc__v3】 Of cookie value , Then request the interface , You can get encrypted data

Through the call stack , Find the callback function when the request succeeds , Set breakpoints , And then refresh

You can see , adopt loadAESDecryptStr After the method , You can get clear text , Follow this method

Finally, it is called MuData_KXC Method

4. Algorithm analysis

See here isPadding、mode、sk. Guess it is sm4 Algorithm , And there is a sentence 【_0x3ca6b6[‘sk’] = _0x3ca6b6[‘sk’]“reverse”】. This is after the key rotation , In decryption, you need to get the key sk Reverse , Then you can be sure ,CaData_KXC yes sm4 Encryption function ,MuData_KXC yes sm4 Decryption function .

But use standards sm4 To decrypt , It is found that the decryption result is a pile of garbled code . Take a closer look at the code , Found some magic changes , Including initialization values and algorithm details

Copy gmssl In the library sm4 Code , And in accordance with the js Code for magic change

Finally, try to decrypt , Clear text can be solved