Latest 2023, super detailed! New Business Alliance cigarette site JS reverse engineering, including the verification code error problem

Article directory

  • Foreword
  • 1 Packet capture
  • 2 Search encrypted fields
  • 3 Breakpoint debugging
  • 4 js deduction code restoration
  • 5 Crack the verification code
  • 5 selenium gets cookies
  • 6 Complete code display

Foreword

This post reverse-engineers the password encryption in the New Business Alliance cigarette site's login JS.

The password encryption is easy to solve, but if you send the request several times a verification code appears, and at that point the request fails.

So I will also solve the verification code problem.

1 Packet capture

First simulate a login and capture the packet that returns the form.

2 Search encrypted fields

Search the JS files for the encrypted field, then set breakpoints there for debugging.

3 Breakpoint debugging

Set breakpoints at the suspicious fields.

Then submit the login again to debug.

After debugging we find two candidate fields and are not yet sure which one is the encrypted field, but we can now see that:

  • c is the verification code
  • g.j_mcmm is the return value with the verification code
  • p.j_mcmm is the return value without the verification code

Let's exit debugging here and see which one is the final return value.

After exiting, you can see that g.j_mcmm is returned, which means the verification code has been added.

So F(F(b) + c) is the function we need, where:

  • b is your password
  • c is the verification code

First b is encrypted with the F function, then the verification code is appended to the encrypted password and the result is encrypted again. That is the value returned.

4 js deduction code restoration

Find the F function and set a breakpoint on it to inspect it.

Once it is found, debug at the breakpoint.

You can see that d is the F function and that parameter a is the password.

The return value is produced by passing the input through the n, e, o and m functions.

So we lift the JS code out directly; remember to bring the n, e, o and m functions along too.

// js code
// e: the core hash loop; processes the word array a in blocks of 16 words (b is unused)
function e(a, b) {
    for (var c = 1732584193, d = -271733879, e = -1732584194, f = 271733878, l = 0; l < a.length; l += 16) {
        var m = c
          , n = d
          , o = e
          , p = f;
        c = g(c, d, e, f, a[l + 0], 7, -680876936),
        f = g(f, c, d, e, a[l + 1], 12, -389564586),
        e = g(e, f, c, d, a[l + 2], 17, 606105819),
        d = g(d, e, f, c, a[l + 3], 22, -1044525330),
        c = g(c, d, e, f, a[l + 4], 7, -176418897),
        f = g(f, c, d, e, a[l + 5], 12, 1200080426),
        e = g(e, f, c, d, a[l + 6], 17, -1473231341),
        d = g(d, e, f, c, a[l + 7], 22, -45705983),
        c = g(c, d, e, f, a[l + 8], 7, 1770035416),
        f = g(f, c, d, e, a[l + 9], 12, -1958414417),
        e = g(e, f, c, d, a[l + 10], 17, -42063),
        d = g(d, e, f, c, a[l + 11], 22, -1990404162),
        c = g(c, d, e, f, a[l + 12], 7, 1804603682),
        f = g(f, c, d, e, a[l + 13], 12, -40341101),
        e = g(e, f, c, d, a[l + 14], 17, -1502002290),
        d = g(d, e, f, c, a[l + 15], 22, 1236535329),
        c = h(c, d, e, f, a[l + 1], 5, -165796510),
        f = h(f, c, d, e, a[l + 6], 9, -1069501632),
        e = h(e, f, c, d, a[l + 11], 14, 643717713),
        d = h(d, e, f, c, a[l + 0], 20, -373897302),
        c = h(c, d, e, f, a[l + 5], 5, -701558691),
        f = h(f, c, d, e, a[l + 10], 9, 38016083),
        e = h(e, f, c, d, a[l + 15], 14, -660478335),
        d = h(d, e, f, c, a[l + 4], 20, -405537848),
        c = h(c, d, e, f, a[l + 9], 5, 568446438),
        f = h(f, c, d, e, a[l + 14], 9, -1019803690),
        e = h(e, f, c, d, a[l + 3], 14, -187363961),
        d = h(d, e, f, c, a[l + 8], 20, 1163531501),
        c = h(c, d, e, f, a[l + 13], 5, -1444681467),
        f = h(f, c, d, e, a[l + 2], 9, -51403784),
        e = h(e, f, c, d, a[l + 7], 14, 1735328473),
        d = h(d, e, f, c, a[l + 12], 20, -1926607734),
        c = i(c, d, e, f, a[l + 5], 4, -378558),
        f = i(f, c, d, e, a[l + 8], 11, -2022574463),
        e = i(e, f, c, d, a[l + 11], 16, 1839030562),
        d = i(d, e, f, c, a[l + 14], 23, -35309556),
        c = i(c, d, e, f, a[l + 1], 4, -1530992060),
        f = i(f, c, d, e, a[l + 4], 11, 1272893353),
        e = i(e, f, c, d, a[l + 7], 16, -155497632),
        d = i(d, e, f, c, a[l + 10], 23, -1094730640),
        c = i(c, d, e, f, a[l + 13], 4, 681279174),
        f = i(f, c, d, e, a[l + 0], 11, -358537222),
        e = i(e, f, c, d, a[l + 3], 16, -722521979),
        d = i(d, e, f, c, a[l + 6], 23, 76029189),
        c = i(c, d, e, f, a[l + 9], 4, -640364487),
        f = i(f, c, d, e, a[l + 12], 11, -421815835),
        e = i(e, f, c, d, a[l + 15], 16, 530742520),
        d = i(d, e, f, c, a[l + 2], 23, -995338651),
        c = j(c, d, e, f, a[l + 0], 6, -198630844),
        f = j(f, c, d, e, a[l + 7], 10, 1126891415),
        e = j(e, f, c, d, a[l + 14], 15, -1416354905),
        d = j(d, e, f, c, a[l + 5], 21, -57434055),
        c = j(c, d, e, f, a[l + 12], 6, 1700485571),
        f = j(f, c, d, e, a[l + 3], 10, -1894986606),
        e = j(e, f, c, d, a[l + 10], 15, -1051523),
        d = j(d, e, f, c, a[l + 1], 21, -2054922799),
        c = j(c, d, e, f, a[l + 8], 6, 1873313359),
        f = j(f, c, d, e, a[l + 15], 10, -30611744),
        e = j(e, f, c, d, a[l + 6], 15, -1560198380),
        d = j(d, e, f, c, a[l + 13], 21, 1309151649),
        c = j(c, d, e, f, a[l + 4], 6, -145523070),
        f = j(f, c, d, e, a[l + 11], 10, -1120210379),
        e = j(e, f, c, d, a[l + 2], 15, 718787259),
        d = j(d, e, f, c, a[l + 9], 21, -343485551),
        c = k(c, m),
        d = k(d, n),
        e = k(e, o),
        f = k(f, p)
    }
    return new Array(c,d,e,f)
}
// f: the step shared by the four round functions g, h, i, j
function f(a, b, c, d, e, f) {
    return k(l(k(k(b, a), k(d, f)), e), c)
}
function g(a, b, c, d, e, g, h) {
    return f(b & c | ~b & d, a, b, e, g, h)
}
function h(a, b, c, d, e, g, h) {
    return f(b & d | c & ~d, a, b, e, g, h)
}
function i(a, b, c, d, e, g, h) {
    return f(b ^ c ^ d, a, b, e, g, h)
}
function j(a, b, c, d, e, g, h) {
    return f(c ^ (b | ~d), a, b, e, g, h)
}
// k: 32-bit addition that wraps around, done in 16-bit halves
function k(a, b) {
    var c = (65535 & a) + (65535 & b);
    return (a >> 16) + (b >> 16) + (c >> 16) << 16 | 65535 & c
}
// l: rotate a left by b bits
function l(a, b) {
    return a << b | a >>> 32 - b
}
// m: string -> array holding the low byte of each character code
function m(a) {
    for (var b = a.length, c = new Array(b), d = 0; d < b; d++) {
        var e = a.charCodeAt(d);
        c[d] = 255 & e
    }
    return c
}
// n: array of 32-bit words -> lowercase hex string
function n(a) {
    for (var b = "0123456789abcdef", c = "", d = 0; d < 4 * a.length; d++)
        c += b.charAt(a[d >> 2] >> d % 4 * 8 + 4 & 15) + b.charAt(a[d >> 2] >> d % 4 * 8 & 15);
    return c
}
// o: byte array -> padded array of 32-bit words, with the length in bits stored near the end
function o(a) {
    for (var b = 1 + (a.length + 8 >> 6), c = new Array(16 * b), d = 0; d < 16 * b; d++)
        c[d] = 0;
    for (var e = 0; e < a.length; e++)
        c[e >> 2] |= (255 & a[e]) << e % 4 * 8;
    return c[e >> 2] |= 128 << e % 4 * 8,
    c[16 * b - 2] = 8 * a.length,
    c
}

// d: the F function seen in the debugger; hashes the input plus a fixed suffix
function d(a) {
    return n(e(o(m(a + "{1#2$3%4(5)6@7!poeeww$3%4(5)djjkkldss}")), 32))
}
// c is the verification code; it is empty when no verification code is required
// var c = '4356'
var c = ''
function pwd(a) {
    return d(d(a) + c)
}
// console.log(pwd(123456))

You can see that this also works.

But the verification code is a dynamic value; it is not fixed.

So if we want to really log in successfully, we need to crack the verification code.
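The initial values in the lifted `e` function are the MD5 initialization constants written as signed 32-bit integers, so `d` can be cross-checked against a standard MD5 library. The following is an added example, not code from the original post; it assumes the lifted code is unmodified MD5 over the input plus the fixed suffix, and the names `to_u32`, `lifted_iv_is_md5`, `low_bytes`, `F` and `j_mcmm` are chosen here.

```python
import hashlib

# Suffix copied from the page's d() function.
SUFFIX = "{1#2$3%4(5)6@7!poeeww$3%4(5)djjkkldss}"

# Initial values of c, d, e, f in the page's e() function (signed 32-bit).
LIFTED_IV = (1732584193, -271733879, -1732584194, 271733878)

# MD5 initial state A, B, C, D as defined in RFC 1321.
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def to_u32(value: int) -> int:
    """Reinterpret a signed JavaScript int32 as an unsigned 32-bit value."""
    return value & 0xFFFFFFFF


def lifted_iv_is_md5() -> bool:
    """True when the lifted constants equal the MD5 initial state."""
    return tuple(to_u32(v) for v in LIFTED_IV) == MD5_IV


def low_bytes(text: str) -> bytes:
    """Mirror the page's m(): keep the low byte of each character code.

    Matches JavaScript for characters in the Basic Multilingual Plane.
    """
    return bytes(ord(ch) & 0xFF for ch in text)


def F(text: str) -> str:
    """Python equivalent of the page's d(): MD5 hex digest of text + SUFFIX."""
    return hashlib.md5(low_bytes(text + SUFFIX)).hexdigest()


def j_mcmm(password: str, code: str = "") -> str:
    """Python equivalent of the page's pwd(): F(F(b) + c)."""
    return F(F(password) + code)


if __name__ == "__main__":
    print("IV matches MD5:", lifted_iv_is_md5())
    # Constructed sample password and code, as in the page's commented-out lines.
    print(j_mcmm("123456"), j_mcmm("123456", "4356"))
```

With an empty `c`, the field depends only on the password and the suffix published in the page's JS, so it is the same on every login.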

5 Crack the verification code

The first time there was no verification code, so why did one appear later?

Because of cookies. The cookies captured at this point are the ones that come with a verification code.

Let's delete all the cookies and try again.

After clearing them, you can see that the verification code is no longer required.

We debug again to check.

You can see that it is still F(F(b) + c), where:

  • b is your password
  • c is the verification code

First b is encrypted with the F function, then the verification code is appended to the encrypted password and the result is encrypted again. That is the value returned.

The verification code is not a fixed value, so we only need to make sure no verification code is asked for.

You can see that the cookies without a verification code are different from the cookies with one.

So we use Selenium here to get the cookies. That way every request uses the latest cookies and the verification code problem does not occur.

This completely solves the verification code problem.
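The behaviour above means the verification-code requirement follows the client's cookies, so a client that discards them is not challenged. The following added example (not from the original post, and not the site's code) shows the server-side alternative: failed logins are counted per account and per client address, so a new cookie jar does not reset the challenge. The class name, threshold, window and sample values are assumptions chosen for illustration.

```python
import time
from collections import deque


class CaptchaPolicy:
    """Decide server-side whether a login attempt must solve a CAPTCHA.
    State is keyed by account and client address, never by cookies."""

    def __init__(self, max_failures=3, window_s=900, clock=time.monotonic):
        self.max_failures = max_failures   # assumed threshold
        self.window_s = window_s           # assumed sliding window, seconds
        self.clock = clock                 # injectable so tests can move time
        self._failures = {}                # key -> deque of failure times

    def _recent(self, key):
        times = self._failures.get(key)
        if not times:
            return 0
        cutoff = self.clock() - self.window_s
        while times and times[0] < cutoff:     # drop failures outside the window
            times.popleft()
        if not times:
            del self._failures[key]
        return len(times)

    def captcha_required(self, account, client_ip):
        return (self._recent(("account", account)) >= self.max_failures
                or self._recent(("ip", client_ip)) >= self.max_failures)

    def record_failure(self, account, client_ip):
        now = self.clock()
        for key in (("account", account), ("ip", client_ip)):
            self._failures.setdefault(key, deque()).append(now)

    def record_success(self, account):
        # Clear only the account counter; clearing the address counter would
        # let one valid login reset the challenge for every other account.
        self._failures.pop(("account", account), None)


def simulate_fresh_cookie_attempts(attempts=4):
    """Constructed scenario: every attempt arrives with an empty cookie jar."""
    policy = CaptchaPolicy()
    challenged = []
    for _ in range(attempts):
        challenged.append(policy.captcha_required("user1", "203.0.113.5"))
        policy.record_failure("user1", "203.0.113.5")
    return challenged
```

`simulate_fresh_cookie_attempts()` returns `[False, False, False, True]`: the fourth attempt is challenged even though no cookie was ever sent back.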

5 selenium gets cookies

Use Selenium's headless mode and mask Selenium's automation markers to obtain the cookies.

from selenium.webdriver.chrome.service import Service
from selenium import webdriver

# Get the latest cookies and crack the verification code
def get_cookies():
    # Use chrome developer mode
    options = webdriver.ChromeOptions()
    options.add_experimental_option('excludeSwitches', ['enable-automation'])
    # Disable the AutomationControlled Blink feature
    options.add_argument("--disable-blink-features=AutomationControlled")
    # Headless (no interface) mode
    options.add_argument('--headless')
    # ChromeDriver
    service = Service(executable_path=r"X:\Python_selenium driver\chromedriver-win64\chromedriver.exe")
    driver = webdriver.Chrome(options=options, service=service)
    try:
        # Selenium executes the CDP command and overwrites the value of window.navigator.webdriver again
        driver.execute_cdp_cmd("Page.addScriptToEvaluateOnNewDocument", {
            "source": """
                        Object.defineProperty(navigator, 'webdriver', {
                          get: () => undefined
                        })
                      """
        })
        url1 = 'http://hl.xinshangmeng.com/xsm6/'
        # Get cookies
        driver.get(url1)
        cookie = driver.get_cookies()
        # print(cookie)
        # Convert the list of cookie dicts into a name -> value dict
        cookies = {item.get('name'): item.get('value') for item in cookie}
        # print(cookies)
        return cookies
    finally:
        # Close the browser so headless Chrome processes do not pile up
        driver.quit()

cookies = get_cookies()
print(cookies)

You can see that the cookies have been obtained successfully and can be put directly into the request header.

6 Complete code display

from selenium.webdriver.chrome.service import Service
from selenium import webdriver
import requests
import execjs

# Get the latest cookies and crack the verification code
def get_cookies():
    # Use chrome developer mode
    options = webdriver.ChromeOptions()
    options.add_experimental_option('excludeSwitches', ['enable-automation'])
    # Disable the AutomationControlled Blink feature
    options.add_argument("--disable-blink-features=AutomationControlled")
    # Headless (no interface) mode
    options.add_argument('--headless')
    # ChromeDriver
    service = Service(executable_path=r"X:\Python_selenium driver\chromedriver-win64\chromedriver.exe")
    driver = webdriver.Chrome(options=options, service=service)
    try:
        # Selenium executes the CDP command and overwrites the value of window.navigator.webdriver again
        driver.execute_cdp_cmd("Page.addScriptToEvaluateOnNewDocument", {
            "source": """
                        Object.defineProperty(navigator, 'webdriver', {
                          get: () => undefined
                        })
                      """
        })
        url1 = 'http://hl.xinshangmeng.com/xsm6/'
        # Get cookies
        driver.get(url1)
        cookie = driver.get_cookies()
        # print(cookie)
        # Convert the list of cookie dicts into a name -> value dict
        cookies = {item.get('name'): item.get('value') for item in cookie}
        # print(cookies)
        return cookies
    finally:
        # Close the browser so headless Chrome processes do not pile up
        driver.quit()

# Get the returned data
def get_data(username):
    headers = {
        "Referer": "http://hl.xinshangmeng.com/",
        "User-Agent": "Your User-Agent"
    }

    # Get the latest cookies and crack the verification code
    cookies = get_cookies()
    print('cookies:', cookies)

    url = "http://login.xinshangmeng.com/login/users/dologin/dfaup"

    # Load the JS code lifted in section 4 and compile it
    with open('New Business Alliance js.js', 'r', encoding='utf-8') as f:
        text = f.read()
    js = execjs.compile(text)
    pwd = input('Please enter password:')
    res = js.call('pwd', pwd)  # call(func, *args): the first parameter is the function
    print('j_mcmm:', res)

    params = {
        "j_mmrm": str(username),
        "j_mcmm": res,
    }
    response = requests.get(url, headers=headers, cookies=cookies, params=params)

    print(response)
    print(response.text)

if __name__ == '__main__':
    # The parameter is the account number
    get_data(15666668888)

You can see that it was cracked successfully: what came back was not a verification code error or anything similar.

But the returned result is different from the one on the web page.

This is because of the "jsonp" parameter, which converts the data into a jQuery object.

The part of the jsonp parameter value before the underscore is the same each time; only the value after the underscore is a timestamp.

If you include it, the result is the same as on the website.

If you have any questions, please comment. If it helps you, please give it a like.

Or you are welcome to point out what I am doing wrong.