Let's look at the JS reverse analysis of the Kongzhong (kongzhong.com) login.
JS reverse analysis
After capturing the packets and analysing them, we can see that the password is handled in a login handler, xxx.js.
Let's click in and search for password:
But we can see that the password handling sits inside one long, unreadable piece of text.
This is JS obfuscation.
JS obfuscation:
What is JS obfuscation:
The core JS code is transformed into a disguised, hard-to-read form; the transformed code is the result of JS obfuscation.
JS deobfuscation:
- Online deobfuscation tools (not ideal)
- The browser's built-in deobfuscation setting (recommended)
In the developer tools: Sources -> Settings -> Sources -> tick the first option.
Then run a global keyword search; the matches now show up in VMxx files (the deobfuscated code).
Then we click in, search for "password", and find several suspected encryption keywords. We set breakpoints on them and test the following:
We see that execution pauses at line 120, which tells us this line performs the password encryption.
Let's write a small piece of JS in the debugging tool (the browser console):
```javascript
// Wrapper around the encryption call found at the breakpoint
function getPwd(pwd) { return encrypt(pwd, data["dc"]); }
```
Here there is a data["dc"]; we don't know what it is yet, so we'll deal with it later.
We click through to the function where encrypt is defined and copy all of its code into the debugging tool.
After the code loads successfully, we search for data["dc"].
Sure enough, it cannot be found here, so we have to obtain it another way.
We know that the secret key is either embedded in the front-end page or obtained by a request, so we can look through the response data of the captured requests for similar-looking data:
Sure enough, we find the value of dc in a request response. We copy the value and test it:
But this produces an error.
In the JS code just now there is a `this.` before encrypt(pwd, dc). So which object does `this` refer to? Let's analyse:
Click on encrypt to view its top-level reference, and we see that the object is KZLoginHandler.
OK, let's continue and rewrite the code:
The computed result now matches the captured ciphertext.
Python code implementation
Create a kongzhongwang.js file, paste in the JS code copied above (the KZLoginHandler code), and add the rewritten wrapper:
```javascript
// The copied KZLoginHandler code goes above this wrapper
function getPwd(pwd, dc) { return KZLoginHandler.encrypt(pwd, dc); }
```
Python code:
```python
import requests
import re
import execjs

# Get the secret key
url = 'https://sso.kongzhong.com/ajaxLogin?j=j&jsonp=j&service=https://passport.kongzhong.com/&_=1635517824810'
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36'
}
page_text = requests.get(url=url, headers=headers).text
print(page_text)
```
At this point we find that nothing is printed.
That's because requests to this URL also need a Referer header:
```python
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36',
    'Referer': 'https://passport.kongzhong.com/'
}
```
Let's continue writing the code:
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
import re
import execjs
import json

# Get the secret key
url = 'https://sso.kongzhong.com/ajaxLogin?j=j&jsonp=j&service=https://passport.kongzhong.com/&_=1635517824810'
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36',
    'Referer': 'https://passport.kongzhong.com/'
}
page_text = requests.get(url=url, headers=headers).text
# The response is JSONP: KZLoginHandler.jsonpCallbackKongZ({...})
ex = r'KZLoginHandler.jsonpCallbackKongZ\((.*?)\)'
dc = re.findall(ex, page_text)[0]
dc = json.loads(dc)['dc']

# Reproduce the encryption by running the copied JS
node = execjs.get()
ctx = node.compile(open('./kongzhongwang.js', encoding='utf-8').read())
# The placeholders must be present for .format() to substitute the values
funcName = 'getPwd("{}","{}")'.format('123456', dc)
password = ctx.eval(funcName)
print(password)
```
In this way, we get the ciphertext!
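Two steps in the script above are fragile: the regex `\((.*?)\)` stops at the first `)` even if one appears inside a JSON string value, and building `getPwd("...","...")` by string formatting and passing it to `ctx.eval()` breaks on a password containing a quote and lets the input be interpreted as JavaScript rather than as data. The following is an added example (not code from the original post) that extracts the JSONP payload by matching balanced parentheses and passes the arguments through `ctx.call()` instead; it assumes the callback name and the `getPwd` wrapper from the post, and the sample response is constructed.

```python
import json

CALLBACK = "KZLoginHandler.jsonpCallbackKongZ"  # wrapper name seen in the post

# Constructed sample response in the shape the post describes; the ')' inside
# the "dc" string is there to show where the post's non-greedy regex breaks.
SAMPLE_RESPONSE = 'KZLoginHandler.jsonpCallbackKongZ({"dc":"ab)cd","status":"ok"})'


def extract_jsonp_payload(text: str, callback: str) -> str:
    """Return the argument text of callback(...), tracking parenthesis depth
    and skipping over JSON string literals so a ')' inside a value is ignored."""
    start = text.index(callback + "(") + len(callback) + 1
    depth, in_str, escaped = 1, False, False
    for i in range(start, len(text)):
        ch = text[i]
        if in_str:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
            continue
        if ch == '"':
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced JSONP wrapper")


def get_dc(page_text: str) -> str:
    """Parse the JSONP body as JSON and return the 'dc' key."""
    return json.loads(extract_jsonp_payload(page_text, CALLBACK))["dc"]


def encrypt_password(ctx, pwd: str, dc: str) -> str:
    """Invoke the JS wrapper with ctx.call(); execjs JSON-encodes each
    argument, so quotes or braces in pwd stay data instead of becoming code.
    ctx is an execjs context compiled from kongzhongwang.js (hypothetical here)."""
    return ctx.call("getPwd", pwd, dc)
```

For the live run, build `ctx` exactly as in the post (`execjs.get().compile(open('./kongzhongwang.js', encoding='utf-8').read())`) and call `encrypt_password(ctx, '123456', get_dc(page_text))`.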
Knowledge points
- Understand JS obfuscation
- If the secret key cannot be found in the page, look for it in the response data of the captured requests
- Add Referer, Cookie and similar fields to the headers when the request needs them