网站分析
目标网站
aHR0cHM6Ly96enh5Lm5lYS5nb3YuY24vZ2F0ZXdheS9pbnF1aXJ5UHVibGljaHR0cDovanojL2dhdGV3YXkvbWVzc2FnZT9jdXJyZW50PTEmc2l6ZT0xMCZ0b3RhbD0xMTUwNzE
请求分析
发现网站更改 响应体加密 需要进行解密操作
下断点
随便怎么下断都能跟过去 我简单说几种 着急的直接搜索 JSON.parse(r[“sm2”].doDecrypt(n, s)) 或者直接去看最后解密的代码
常规下断
XHR
DOM断点
选中 节点 直接右键下断
直接搜
然后一个一个打断点看能不能断住吧
**几种方法都能跟过去 直接搜索最简单,其他的因为有很多异步操作记得单步去跟 **
逆向分析
跟到这个位置 发现了关键字gm2 基本确定了加密方式 单步进去确定就是gm2
node执行 祈祷别魔改
使用node库发现最后没有魔改 就是正常的gm2 并且成功拿到结果
完整代码
// 使用了第三方库 记得安装一下
npm install sm-crypto
const sm2 = require('sm-crypto').sm2const privateKey = '密钥'、
const cipherText = '密文'// 解密操作(假设密文是16进制字符串)
const decrypted = sm2.doDecrypt(cipherText,privateKey,{inputEncoding: 'hex', // 输入编码(根据实际情况选hex/base64)outputEncoding: 'utf8' // 输出编码}
)console.log('解密结果:', decrypted)
硬抠代码
function m(t, e) {p = [null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,0,1,2,3,4,5,6,7,8,9,null,null,null,null,null,null,null,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,null,null,null,null,null,null,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35]var n = p[t.charCodeAt(e)];return null == n ? -1 : n
}function w() {var t = this.s & this.DM;while (this.t > 0 && this[this.t - 1] == t)--this.t
}function iii(t, e) {var n;if (16 == e)n = 4;else if (8 == e)n = 3;else if (256 == e)n = 8;else if (2 == e)n = 1;else if (32 == e)n = 5;else {if (4 != e)return void this.fromRadix(t, e);n = 2}this.t = 0,this.s = 0;DB = 28var i = t.length, o = !1, a = 0;while (--i >= 0) {var s = 8 == n ? 255 & t[i] : m(t, i);s < 0 ? "-" == t.charAt(i) && (o = !0) : (o = !1,0 == a ? this[this.t++] = s : a + n > DB ? (this[this.t - 1] |= (s & (1 << DB - a) - 1) << a,this[this.t++] = s >> DB - a) : this[this.t - 1] |= s << a,a += n,a >= DB && (a -= DB))}8 == n && 0 != (128 & t[0]) && (this.s = -1,a > 0 && (this[this.t - 1] |= (1 << DB - a) - 1 << a)),w(),o && r.ZERO.subTo(this, this)
}function v(t, e) {return t.length >= e ? t : new Array(e - t.length + 1).join("0") + t
}a = {hexToArray: function (t) {const e = [];let n = t.length;n % 2 !== 0 && (t = v(t, n + 1)),n = t.length;for (let i = 0; i < n; i += 2)e.push(parseInt(t.substr(i, 2), 16));return e},leftPad: function (t, e) {return t.length >= e ? t : new Array(e - t.length + 1).join("0") + t},arrayToHex: function (t) {return t.map(t => (t = t.toString(16),1 === t.length ? "0" + t : t)).join("")},arrayToUtf8: function (t) {const e = [];let n = 0;for (let r = 0; r < 2 * t.length; r += 2)e[r >>> 3] |= parseInt(t[n], 10) << 24 - r % 8 * 4,n++;try {const n = [];for (let i = 0; i < t.length; i++) {const t = e[i >>> 2] >>> 24 - i % 4 * 8 & 255;n.push(String.fromCharCode(t))}return decodeURIComponent(escape(n.join("")))} catch (i) {throw new Error("Malformed UTF-8 data")}},
}function d(t, e, n = 1, {output: r = "string"} = {}) {e = new iii(e, 16);h = 0;let o = t.substr(128, 64), l = t.substr(192);n === h && (o = t.substr(t.length - 64),l = t.substr(128, t.length - 128 - 64));const u = a.hexToArray(l)// , c = a.getGlobalCurve().decodePointHex("04" + t.substr(0, 128)),c = ec.keyFromPublic("04" + t.substr(0, 128), 'hex').getPublic()// , f = c.multiply(e), f = c.mul(e), d = a.hexToArray(a.leftPad(f.getX().toBigInteger().toRadix(16), 64)), p = a.hexToArray(a.leftPad(f.getY().toBigInteger().toRadix(16), 64));let v = 1, m = 0, g = [];const y = [].concat(d, p), b = () => {g = s([...y, v >> 24 & 255, v >> 16 & 255, v >> 8 & 255, 255 & v]),v++,m = 0};b();for (let i = 0, a = u.length; i < a; i++)m === g.length && b(),u[i] ^= 255 & g[m++];const _ = a.arrayToHex(s([].concat(d, u, p)));return _ === o.toLowerCase() ? "array" === r ? u : a.arrayToUtf8(u) : "array" === r ? [] : ""
}
抠了一大半没抠完,那个a对象 应该去抠一下构造函数的,走了不少弯路,但是已经抠了不少代码出来了 并且上面的代码已经能用了 就没有去弄了
