js逆向-模拟加密
实战七麦数据:
1.寻找加密入口
尝试搜索的方法:
那只能使用跟栈的方法,进入send发包位置:
打上断点,寻找加密入口,前面是发包分包,promise注意到是一个异步操作,看是否在此加密,不是跳出异步跟栈:
2.模拟调试
打印一下t:
打断点,发现被加密了,那么此处就是加密位置
3.模拟执行
原加密代码:
var n;
f || $ != s || (n = (0,
i[Zt])(m),
s = c[x][k][Rt] = -(0,
i[Zt])(l) || +new R[K] - r2 * n);
var e, r = +new R[K] - (s || H) - 1661224081041, a = [];
return void 0 === t[Ot] && (t[Ot] = {}),
R[W][o7](t[Ot])[M](function(n) {
if (n == v)
return !B;
t[Ot][_2](n) && a[b](t[Ot][n])
}),
a = a[jt]()[I5](N),
a = (0,
i[Jt])(a),
a = (a += p + t[qt][T](t[Tt], N)) + (p + r) + (p + 3),
e = (0,
i[Jt])((0,
i[Qt])(a, d)),
-B == t[qt][O](v) && (t[qt] += (-B != t[qt][O](Bn) ? Nn : Bn) + v + B5 + R[V5](e)),
t发现是一个混淆代码,需要进行处理,删除不必要的代码,不执行的代码(参数| &运算false)添加未知参数、未知函数,修改合适格式。
删除不必要的代码,此处之前已经加密:
t的寻找,刚刚的t已经有了analysis参数,重新跳过进入,复制t的object:
不执行的代码:
混淆代码,反应一个结果用浏览器智能提示进行替换 R[K]=Date:
存在内部又一个调用函数:
存在内部又一个调用函数:
存在内部又一个调用函数:
最后js代码:
t = {
"url": "/rank/indexPlus/brand_id/0",
"method": "get",
"headers": {
"common": {
"Accept": "application/json, text/plain, */*"
},
"delete": {},
"get": {},
"head": {},
"post": {
"Content-Type": "application/x-www-form-urlencoded"
},
"put": {
"Content-Type": "application/x-www-form-urlencoded"
},
"patch": {
"Content-Type": "application/x-www-form-urlencoded"
}
},
"params": {
"brand": "all",
"device": "iphone",
"country": "cn",
"genre": "36"
},
"baseURL": "https://api.qimai.cn",
"transformRequest": [
null
],
"transformResponse": [
null
],
"timeout": 15000,
"withCredentials": true,
"xsrfCookieName": "XSRF-TOKEN",
"xsrfHeaderName": "X-XSRF-TOKEN",
"maxContentLength": -1,
"maxBodyLength": -1
}
s = 968;
H = 0;
p = "@#";
function i_qt(n, t) {
for (var e = (n = n.split("")).length, r = t.length, a = "charCodeAt", i = H; i < e; i++)
n[i] = o(n[i][a](H) ^ t[(i + 10) % r][a](H));
return n.join("")
}
function o(n) {
t = "",
['66', '72', '6f', '6d', '43', '68', '61', '72', '43', '6f', '64', '65'].forEach(function (n) {
t += unescape("%u00" + n)
});
var t, e = t;
return String[e](n)
}
function i_jt(t) {
t = encodeURIComponent(t).replace(/%([0-9A-F]{2})/g, function (n, t) {
return o("0x" + t)
});
return btoa(t)
}
function get_analysis(t) {
var n;
var e, r = +new Date() - (s || H) - 1661224081041, a = [];
Object.keys(t.params).forEach(function (n) {
if (n == "analysis")
return false;
t.params.hasOwnProperty(n) && a.push(t.params[n])
})
a = a.sort().join("")
a = i_jt(a)
a = (a += p + t.url.replace(t.baseURL, "")) + (p + r) + (p + 3)
e = i_jt(i_qt(a, "xyz517cda96efgh"))
return e
}
console.log(get_analysis(t))
还可以在精简一下,去除不必要的代码:
js代码+python代码调用实现:
s = 968;
H = 0;
p = "@#";
function i_qt(n, t) {
for (var e = (n = n.split("")).length, r = t.length, a = "charCodeAt", i = H; i < e; i++)
n[i] = o(n[i][a](H) ^ t[(i + 10) % r][a](H));
return n.join("")
}
function o(n) {
t = "",
['66', '72', '6f', '6d', '43', '68', '61', '72', '43', '6f', '64', '65'].forEach(function (n) {
t += unescape("%u00" + n)
});
var t, e = t;
return String[e](n)
}
function i_jt(t) {
t = encodeURIComponent(t).replace(/%([0-9A-F]{2})/g, function (n, t) {
return o("0x" + t)
});
return btoa(t)
}
function get_analysis(t) {
var n;
var e, r = +new Date() - (s || H) - 1661224081041, a = [];
Object.keys(t.params).forEach(function (n) {
if (n == "analysis")
return false;
t.params.hasOwnProperty(n) && a.push(t.params[n])
})
a = a.sort().join("")
a = i_jt(a)
a = (a += p + t.url.replace(t.baseURL, "")) + (p + r) + (p + 3)
e = i_jt(i_qt(a, "xyz517cda96efgh"))
return e
}
// console.log(get_analysis(t))
import requests
import execjs
with open('七麦爬虫.js','r',encoding='utf-8') as f:
js_code = f.read()
headers = {
"accept": "application/json, text/plain, */*",
"accept-language": "zh-CN,zh;q=0.9,en;q=0.8",
"cache-control": "no-cache",
"origin": "https://www.qimai.cn",
"pragma": "no-cache",
"priority": "u=1, i",
"sec-ch-ua": "\"Google Chrome\";v=\"129\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"129\"",
"sec-ch-ua-mobile": "?0",
"sec-ch-ua-platform": "\"Windows\"",
"sec-fetch-dest": "empty",
"sec-fetch-mode": "cors",
"sec-fetch-site": "same-site",
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
}
cookies = {
"qm_check": "A1sdRUIQChtxen8pI0dAOTQ+GRdzfX0QZlkBAwgGWFEueB4Sd0tRRFAMBRRIUEkCBQcCAAgFcQ9MRiMBChwZQQR2AQgQQks6UzhYWAkJagJtABUQcAshV1ZBWlVYVl9XU1ISDhpVSldESFVKGQcQTQ%3D%3D",
"PHPSESSID": "bsmo60rhgvm8agj62f6i6hpkio",
"gr_user_id": "a9dbc2ff-61c1-4e4e-a91e-6556ac15a1ae",
"ada35577182650f1_gr_session_id": "769644b9-a263-4c0e-8c01-6568f5f9c0ce",
"ada35577182650f1_gr_session_id_sent_vst": "769644b9-a263-4c0e-8c01-6568f5f9c0ce",
"USERINFO": "8ce4AvyvF4frUWw%2Bfg%2FLVh5N6smv4JB5cBUIqIFkBf6Lrspr3BoLCwCUkSnsDf9aBNTzRUdQehFa%2FfVqeOoJ6b%2BRTIiCjx34FVeN4k4FBTvwnspAyGH3XJDhscOWaRRmCnxW4mn3kWVhbVE8BluihQ%3D%3D",
"AUTHKEY": "POJK%2Fi4kQMJvUXS9sjPzP5hK%2B9PxhVbbmdgkypn%2F7NNY1%2B87injqLgLPKkabSm71Z2UGM65rvp%2FkGRxptXlB9nuQZjAojf%2Beusf1jaSdpQH2oogk%2FNUVJQ%3D%3D",
"ada35577182650f1_gr_last_sent_sid_with_cs1": "769644b9-a263-4c0e-8c01-6568f5f9c0ce",
"ada35577182650f1_gr_last_sent_cs1": "qm22941302962",
"synct": "1730621742.633",
"syncd": "-995",
"ada35577182650f1_gr_cs1": "qm22941302962",
"tgw_l7_route": "1ed618a657fde25bb053596f222bc44a"
}
t = {
"url": "/rank/indexPlus/brand_id/0",
"params": {
"brand": "all",
"device": "iphone",
"country": "cn",
"genre": "36"
},
"baseURL": "https://api.qimai.cn",
}
analysis =execjs.compile(js_code).call('get_analysis',t)
params = t['params']
params['analysis'] = analysis
# print(params)
# exit()
url = t['baseURL']+t['url']
response = requests.get(url, headers=headers, cookies=cookies, params=params)
print(response.json())4.执行结果
