JS reverse engineering of mainstream websites (source code attached) [11.8 update: a certain travel website added]

Foreword

This is a continuously updated long article; the source code is kept in sync in my PythonSpider project on GitHub.

Source code: click here

The main purpose of writing these articles is to record my own learning process. If they help others as well, so much the better.

Friends who want to follow along can follow me.

This article works through the reverse engineering cases circulating online, a few hundred in all.

(Some sites that have not been cracked yet need further research. The author is still learning, and the article is mainly a record for myself.)

Table of Contents

Preface

1. A certain Yiyun (cracked)

2. A certain shell new house C-side login (in progress, skip for now)

3. Caimou.com (cracked)

4. A certain exchange pass (cracked)

5. A certain art login (in progress, skip for now)

6. A certain river hotel (cracked)

7. A certain money-in site (cracked)

8. A certain security center login (cracked)

9. Construction market (cracked)

10. A certain 500 login (cracked)

11. A certain mother's login parameters (cracked)

12. A certain game network (cracked)


1. A certain Yiyun (cracked)

Goal: reproduce the login process

First we need to work out which request parameters change between attempts; those are the ones we have to locate in the JS.

After submitting the form twice, we can see that in addition to the account and password we typed in, three more parameters change: comParam_curTime, comParam_seqCode and comParam_signature.

Including the encrypted password, that is four parameters to work through one by one.

1. password

We start with the password encryption.

Searching for password directly takes us straight to the place where it is encrypted.

The line of code is as follows:

password: encodeURI(Object(w["c"])(a.value, Object(w["f"])(Object(w["g"])(r.value))))

Stepping through it in the browser console shows what each part evaluates to.

That makes it clear.

This line of code is effectively:

pw = '123123'
account = '[email protected]'   // account as captured; the address is masked in the capture
// Object(w["c"]) is the encryption function; its second argument is the account padded with seven zeros
password = Object(w["c"])(pw, account + '0000000')

Let's step into this method.

The structure of this method is familiar: it is DES encryption.

We pull the code out unchanged and run it in the Node.js environment.

Print and compare the result; it matches, so these two parameters are settled.

2. comParam_seqCode

Searching for this parameter directly shows that the other parameter is generated in the same place.

Let's look at comParam_seqCode first.

The value of comParam_seqCode is r, and r = Object(u["k"])(). Step into the method to have a look.

The method is shown above; just pull it out as-is.

Print to check the result.

3. comParam_curTime

The value of n comes from the following code: var n = (new Date).getTime() - h.getTimestampOffset()

After testing, the return value of getTimestampOffset() can be hard-coded.

That is, it becomes:

var n = Date.now() - '-439'   // the offset observed here was -439; subtracting the string coerces it to a number, so n = Date.now() + 439

4. comParam_signature

The value of comParam_signature is a, where a = i()(n + r + i()(r + t + n)).

To compute a we need the values of n, r and t, plus the i() method.

r was solved in the previous step: it is comParam_seqCode.

The value of t is the hard-coded string "s54zv9bm1vd5czfujy6nnuxj1l4g2ny6".

n is comParam_curTime from the previous step.

That leaves the i() method.

Feed it '1' and see: the output starts with c4ca, which identifies it as MD5 (md5('1') = c4ca4238a0b923820dcc509a6f75849b).

In the Node.js environment we can compute the MD5 directly:

CryptoJS.MD5(this.encryptionData).toString()

5. Result display

Compare against the payload sent by the web page.

6. Simulated login

The simulated login succeeds and lands directly on the account home page.

To use it, just swap in your own account and password.

2. A certain shell new house C-side login (in progress, skip for now)

Same routine as always: first see which variables change.

dataId changes, the password is encrypted, loginTicketId changes, and srcId changes too.

1. loginTicketId

Searching shows that loginTicketId is already present when the page is first loaded; we only need to send a request to this endpoint to get it.

2. dataId

But this request also needs a payload,

and the payload has not been worked out yet.

3. srcId

This one looks like it can be hard-coded.

4. password

The encryption location has not been found yet.

3. Caimou.com (cracked)

Only the password is encrypted, so that is the only thing to reproduce.

1. password

Searching for password: locates it quickly.

Analyze what each part evaluates to.

What we need is this.encrypt(this.form.password).

Step into the encrypt method: it uses AES encryption.

Attach it to a JS file.

The results match after running it.

4. A certain exchange pass (cracked)

The process was recorded in a previous article; the link is below.

An exchange pass

5. A certain art login (in progress, skip for now)

Same routine: first look at which values change.

It seems only the password needs to be reproduced.

1. password

Then we step into the rsaFun() method.

Pull out the code.

Two more methods also need to be pulled out.

(1) getKeyPair

Keep stepping in.

6. A certain river hotel (cracked)

I did some simple parameter cracking on this site before, but I did not handle the verification code or the rest.

This time, complete the whole set to finish the simulated login.

Tdfingerprint and blackBoxMd5 change, the password is encrypted, and a verification code is required.

1. blackBoxMd5, Tdfingerprint

Follow the call stack to see where the encryption happens.

These turn out to be random values, so we can try hard-coding them.

2. password

AES encryption is used here.

Pull out the code.

It runs and the output matches.

3. Verification code

The verification code appears when the user clicks into the password field after entering the account.

Look at the request for the verification code image.

Find the breakpoint location.

Imitate the request format and write it into our own JS code.

Open the URL and check that a verification code image comes back.

4. Simulated login

To use it, just swap in your own account and password.

7. A certain money-in site (cracked)

1. Password

The site needs two parameters in total: the encrypted password and a verification code. Both were recorded in two previous articles.

Daily website reversal exercise: day 5, login password encryption of a certain money-in website (Amamiya_Official's blog, CSDN)

2. Verification code

This site's verification code is the simplest kind: the image URL can be extracted directly with XPath.

XPath extracts the verification code image URL, which is then spliced into the complete image address.

3. Simulated login

This website has a bug or something, and I can’t register an account.

8. A certain security center login (cracked)

1. Password

Daily website reversal exercise: day 4, login password encryption of a certain security center (CSDN blog)

The password encryption was covered in the previous article.

2. Verification code

To get a verification code we first need to know several parameters:

callback, ticket and _

(1) ticket

The ticket comes from the response of this request, which itself also requires callback and _.

(2) callback and _

Both of these contain timestamps.

Where the first half of the callback comes from is not clear. (A callback name ending in an underscore plus a millisecond value, sent together with an _ cache-busting timestamp, is the shape jQuery's JSONP transport generates, so the prefix is likely that library's expando string rather than anything the server checks.)

We can try hard-coding it.

3. Simulated login

We now have all the parameters we need, in PyCharm.

(1) ticket

(2) Verification code

First get the verification code image address,

then parse it.

(3) Log in with the parameters

Remember to switch the earlier requests over to a single requests session so the cookies carry across.

The login was really successful with that one, awesome.

9. Construction market (cracked)

The response content is encrypted. In this case, use a JSON.parse hook.

1. Content encryption

// Keep a reference to the real JSON.parse, then replace it with a wrapper that
// breaks and logs on every call; the argument shows whether the data has been
// decrypted yet, and the call stack leads to the routine that decrypted it.
var my_parse = JSON.parse;
JSON.parse = function (params) {
    debugger;
    console.log("json_parse params:", params);
    return my_parse(params);
};

Keep resuming until the argument changes from ciphertext to plaintext.

Then look one frame up the call stack: that is where the ciphertext is turned into the plaintext handed to JSON.parse.
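As an added example (not code from the original post), the same JSON.parse hook extended so that, instead of stopping with debugger on every call, it records each argument together with the caller's stack and flags the first call whose argument is already plaintext JSON, which is the frame to inspect. The decryptAndParse function and its base64 "ciphertext" are constructed stand-ins for the site's method b; the plaintext test is a heuristic (encrypted payloads are typically base64 or hex strings, which never begin with { or [).

```javascript
// Added example: a logging JSON.parse hook that captures the caller's stack (not from the page).
// decryptAndParse and the sample blob are constructed stand-ins for the site's decryption step.
const hookLog = [];
const originalParse = JSON.parse;

// Heuristic: a decrypted payload starts like a JSON object or array; base64/hex ciphertext does not
function looksLikePlainJson(s) {
  if (typeof s !== 'string') return false;
  const trimmed = s.trim();
  return trimmed.startsWith('{') || trimmed.startsWith('[');
}

function installJsonParseHook() {
  JSON.parse = function (params, reviver) {
    // Error().stack lists the frames that called JSON.parse; drop the "Error" line and
    // this wrapper's own frame so the first remaining line is the decrypting caller.
    const stack = new Error().stack.split('\n').slice(2).join('\n');
    hookLog.push({ params, plain: looksLikePlainJson(params), stack });
    return originalParse(params, reviver); // still throws on non-JSON, exactly like the original
  };
}

function removeJsonParseHook() {
  JSON.parse = originalParse;
}

// The first call whose argument was already plaintext: its stack points at the decryption routine
function firstPlainCall() {
  return hookLog.find((e) => e.plain);
}

// Constructed stand-in for the site's code path: "decrypt" (here just base64-decode) and parse
function decryptAndParse(blob) {
  const plaintext = Buffer.from(blob, 'base64').toString('utf8'); // stands in for method b
  return JSON.parse(plaintext);
}

installJsonParseHook();
// constructed sample: the "ciphertext" is base64 of a small JSON document
const cipherBlob = Buffer.from('{"user":"alice","ok":true}', 'utf8').toString('base64');
try { JSON.parse(cipherBlob); } catch (e) { /* ciphertext is not JSON: logged as plain = false */ }
const result = decryptAndParse(cipherBlob);
removeJsonParseHook();

const hit = firstPlainCall();
console.log(hit.params);          // the decrypted JSON text
console.log(hit.stack.split('\n')[0]); // the frame that decrypted it (decryptAndParse here)
```

In the browser the same code is pasted into the console before the page's requests fire; removeJsonParseHook restores the original so later page behaviour is unaffected.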

Method b is what is needed.

b

What we see here is AES encryption.

Just pull it out and rewrite it.

10. A certain 500 login (cracked)

Both password and random need to be encrypted.

1. random

The encryption location is quick to find by searching, and the password is handled in the same place.

Step into the o.encode method and pull it out.

The _encode method inside it also has to be pulled out,

and so does the utob inside that,

and cb_utob inside that one.
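The chain encode, _encode, utob, cb_utob has exactly the function names of the js-base64 library (Base64.encode calls _encode, which base64-encodes the output of utob, whose per-character callback is cb_utob), and that library is just UTF-8 encoding followed by base64. Whether this site bundles js-base64 is an assumption, so as an added example (not the author's code) the one-liner is checked against a hand-written encoder that does what utob/cb_utob do, on ASCII, multi-byte and surrogate-pair input; if the site's o.encode agrees with both on a few strings, nothing needs to be pulled out.

```javascript
// Added example: replacing a js-base64-style encode/_encode/utob/cb_utob chain (not from the page).
// Assumption: the chain is plain UTF-8 + base64, as in the js-base64 library.
function jsBase64Encode(str) {
  return Buffer.from(str, 'utf8').toString('base64');
}

// Reference implementation of the utob idea: walk code points and emit UTF-8 bytes by hand
function utob(str) {
  const bytes = [];
  for (const ch of str) { // for...of iterates by code point, keeping surrogate pairs together
    const cp = ch.codePointAt(0);
    if (cp < 0x80) {
      bytes.push(cp);
    } else if (cp < 0x800) {
      bytes.push(0xc0 | (cp >> 6), 0x80 | (cp & 0x3f));
    } else if (cp < 0x10000) {
      bytes.push(0xe0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f));
    } else {
      bytes.push(0xf0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3f), 0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f));
    }
  }
  return Buffer.from(bytes);
}

// _encode equivalent: base64 of the UTF-8 bytes
function manualEncode(str) {
  return utob(str).toString('base64');
}

// Cross-check both paths on a set of inputs; returns true when they agree everywhere
function agreesOn(samples) {
  return samples.every((s) => jsBase64Encode(s) === manualEncode(s));
}

console.log(jsBase64Encode('中文'), manualEncode('中文')); // 5Lit5paH 5Lit5paH
console.log(agreesOn(['', 'abc', '中文', '😀', 'a\u00e9b']));
```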

2. password

To get the password, we first need i and t, and then pull out s.

We already got t while working out random.

To get i, the c method has to be pulled out.

Stepping into the c method, the s method is needed as well.

Trying the s method shows that it is MD5.

We rewrite it directly in the JS file.

The last step is MD5 as well.

11. A certain mother's login parameters (cracked)

Looking at the login request, it mainly needs three parameters: the encrypted password, token and securityCode.

1. token

The token can be found directly in the response for the page itself.

Here we set up the session in advance so cookies carry across the subsequent requests.

2. password

It is easy to find that MD5 is used.

3. securityCode

This parameter comes from this request.

We can request it with the parameters.

12. A certain game network (cracked)

Only the password needs to be reproduced.

It turns out two parameters, nonce and ts, are needed.

They can be obtained from this request by carrying random.

To use SHA-1 in Python, first import hashlib. The password is hashed twice: sha1 of the plain password, then sha1 of nonce + ts + that first digest.

import hashlib


def sha1_hex(s):
    # hashlib's update() returns None, so the digest has to be read from the hash object
    return hashlib.sha1(s.encode('utf-8')).hexdigest()


# res is the parsed JSON response of the request above that returns nonce and ts
nonce = res['nonce']
ts = res['ts']
pw = '123456'

pwstr = sha1_hex(pw)                          # first round: sha1(password)
pw2str = sha1_hex(nonce + str(ts) + pwstr)    # second round: sha1(nonce + ts + sha1(password))
print(pw2str)