猿人学 — 第1届第1题(解题思路附源码)
-
F12进入开发者工具—> 发现停止在debugger处 —> 右键点击Never pause here后下一步
-
翻页,抓包后发现请求携带page和m两个参数,page应该就是页数,m则需要逆向
-
依次查找文件,寻找m在哪里被赋值,随后在VM14235:6中发现混淆代码比较可疑
-
进入文件,给request函数中的赋值语句给上断点,重新请求
-
发现
'\x6d'='m',而_0x5d83a3['\x6d']的值则与Payload中m的值神似 -
继续调试,让请求过去,验证,发现Payload中m确实与此处的值对应
-
-
手动翻译一下代码
var _0x2268f9 = Date['parse'](new Date()) + 100000000 var _0x57feae = ooΘ0Θ(_0x2268f9['toString'()])+window['f']; const _0x5d83a3 = {}; _0x5d83a3['page'] = window['page'] _0x5d83a3['m'] = _0x57feaa + '丨'+ _0x2268f9 / 1000; -
逆向m,则必须知道
_0x57feaa和_0x2268f9,而_0x2268f9很明显是一个时间戳,因此主要解决_0x57feaa-
多次请求后发现
ooΘ0Θ(_0x2268f9['toString'()])返回一个空字符串,因此主要关注window['f'] -
通过Console面板定义Hook,定位
window['f']在哪里被赋值Object.defineProperty(window, 'f', { set: function(val) { console.log('f的值:', val); debugger return val; } } )
-
再次请求,停止后,向上寻找调用栈,发现是一个hex_md5函数的返回值,而这个函数的形参则是之前的
_0x2268f9,即时间戳,不过注意类型是字符串(我开始没有注意,导致得到的m一直是一个错误的固定值)
-
-
最后就是去扣hex_md5函数及其运行依赖放到node中执行(当然也可以将整个js文件copy下来),源码如下
window = global var hexcase = 0; var chrsz = 16; function hex_md5(a) { return binl2hex(core_md5(str2binl(a), a.length * chrsz)) } function core_md5(p, k) { p[k >> 5] |= 128 << ((k) % 32); p[(((k + 64) >>> 9) << 4) + 14] = k; var o = 1732584193; var n = -271733879; var m = -1732584194; var l = 271733878; for (var g = 0; g < p.length; g += 16) { var j = o; var h = n; var f = m; var e = l; o = md5_ff(o, n, m, l, p[g + 0], 7, -680976936); l = md5_ff(l, o, n, m, p[g + 1], 12, -389564586); m = md5_ff(m, l, o, n, p[g + 2], 17, 606105819); n = md5_ff(n, m, l, o, p[g + 3], 22, -1044525330); o = md5_ff(o, n, m, l, p[g + 4], 7, -176418897); l = md5_ff(l, o, n, m, p[g + 5], 12, 1200080426); m = md5_ff(m, l, o, n, p[g + 6], 17, -1473231341); n = md5_ff(n, m, l, o, p[g + 7], 22, -45705983); o = md5_ff(o, n, m, l, p[g + 8], 7, 1770035416); l = md5_ff(l, o, n, m, p[g + 9], 12, -1958414417); m = md5_ff(m, l, o, n, p[g + 10], 17, -42063); n = md5_ff(n, m, l, o, p[g + 11], 22, -1990404162); o = md5_ff(o, n, m, l, p[g + 12], 7, 1804660682); l = md5_ff(l, o, n, m, p[g + 13], 12, -40341101); m = md5_ff(m, l, o, n, p[g + 14], 17, -1502002290); n = md5_ff(n, m, l, o, p[g + 15], 22, 1236535329); o = md5_gg(o, n, m, l, p[g + 1], 5, -165796510); l = md5_gg(l, o, n, m, p[g + 6], 9, -1069501632); m = md5_gg(m, l, o, n, p[g + 11], 14, 643717713); n = md5_gg(n, m, l, o, p[g + 0], 20, -373897302); o = md5_gg(o, n, m, l, p[g + 5], 5, -701558691); l = md5_gg(l, o, n, m, p[g + 10], 9, 38016083); m = md5_gg(m, l, o, n, p[g + 15], 14, -660478335); n = md5_gg(n, m, l, o, p[g + 4], 20, -405537848); o = md5_gg(o, n, m, l, p[g + 9], 5, 568446438); l = md5_gg(l, o, n, m, p[g + 14], 9, -1019803690); m = md5_gg(m, l, o, n, p[g + 3], 14, -187363961); n = md5_gg(n, m, l, o, p[g + 8], 20, 1163531501); o = md5_gg(o, n, m, l, p[g + 13], 5, -1444681467); l = md5_gg(l, o, n, m, p[g + 2], 9, -51403784); m = md5_gg(m, l, o, n, p[g + 7], 14, 1735328473); n = md5_gg(n, m, l, o, p[g + 12], 20, -1921207734); o = md5_hh(o, n, m, l, p[g + 5], 4, -378558); l = md5_hh(l, o, n, m, p[g + 8], 11, -2022574463); m = md5_hh(m, l, o, n, p[g + 11], 16, 1839030562); n = md5_hh(n, m, l, o, p[g + 14], 23, -35309556); o = md5_hh(o, n, m, l, p[g + 1], 4, -1530992060); l = md5_hh(l, o, n, m, p[g + 4], 11, 1272893353); m = md5_hh(m, l, o, n, p[g + 7], 16, -155497632); n = md5_hh(n, m, l, o, p[g + 10], 23, -1094730640); o = md5_hh(o, n, m, l, p[g + 13], 4, 681279174); l = md5_hh(l, o, n, m, p[g + 0], 11, -358537222); m = md5_hh(m, l, o, n, p[g + 3], 16, -722881979); n = md5_hh(n, m, l, o, p[g + 6], 23, 76029189); o = md5_hh(o, n, m, l, p[g + 9], 4, -640364487); l = md5_hh(l, o, n, m, p[g + 12], 11, -421815835); m = md5_hh(m, l, o, n, p[g + 15], 16, 530742520); n = md5_hh(n, m, l, o, p[g + 2], 23, -995338651); o = md5_ii(o, n, m, l, p[g + 0], 6, -198630844); l = md5_ii(l, o, n, m, p[g + 7], 10, 11261161415); m = md5_ii(m, l, o, n, p[g + 14], 15, -1416354905); n = md5_ii(n, m, l, o, p[g + 5], 21, -57434055); o = md5_ii(o, n, m, l, p[g + 12], 6, 1700485571); l = md5_ii(l, o, n, m, p[g + 3], 10, -1894446606); m = md5_ii(m, l, o, n, p[g + 10], 15, -1051523); n = md5_ii(n, m, l, o, p[g + 1], 21, -2054922799); o = md5_ii(o, n, m, l, p[g + 8], 6, 1873313359); l = md5_ii(l, o, n, m, p[g + 15], 10, -30611744); m = md5_ii(m, l, o, n, p[g + 6], 15, -1560198380); n = md5_ii(n, m, l, o, p[g + 13], 21, 1309151649); o = md5_ii(o, n, m, l, p[g + 4], 6, -145523070); l = md5_ii(l, o, n, m, p[g + 11], 10, -1120210379); m = md5_ii(m, l, o, n, p[g + 2], 15, 718787259); n = md5_ii(n, m, l, o, p[g + 9], 21, -343485551); o = safe_add(o, j); n = safe_add(n, h); m = safe_add(m, f); l = safe_add(l, e) } return Array(o, n, m, l) } function md5_cmn(h, e, d, c, g, f) { return safe_add(bit_rol(safe_add(safe_add(e, h), safe_add(c, f)), g), d) } function md5_ff(g, f, k, j, e, i, h) { return md5_cmn((f & k) | ((~f) & j), g, f, e, i, h) } function md5_gg(g, f, k, j, e, i, h) { return md5_cmn((f & j) | (k & (~j)), g, f, e, i, h) } function md5_hh(g, f, k, j, e, i, h) { return md5_cmn(f ^ k ^ j, g, f, e, i, h) } function md5_ii(g, f, k, j, e, i, h) { return md5_cmn(k ^ (f | (~j)), g, f, e, i, h) } function safe_add(a, d) { var c = (a & 65535) + (d & 65535); var b = (a >> 16) + (d >> 16) + (c >> 16); return (b << 16) | (c & 65535) } function bit_rol(a, b) { return (a << b) | (a >>> (32 - b)) } function str2binl(d) { var c = Array(); var a = (1 << chrsz) - 1; for (var b = 0; b < d.length * chrsz; b += chrsz) { c[b >> 5] |= (d.charCodeAt(b / chrsz) & a) << (b % 32) } return c } function binl2hex(c) { var b = hexcase ? "0123456789ABCDEF" : "0123456789abcdef"; var d = ""; for (var a = 0; a < c.length * 4; a++) { d += b.charAt((c[a >> 2] >> ((a % 4) * 8 + 4)) & 15) + b.charAt((c[a >> 2] >> ((a % 4) * 8)) & 15) } return d } function playload_m(){ var _0x2268f9 = Date['parse'](new Date()) + (100000000) return hex_md5(_0x2268f9.toString()) + '丨' + _0x2268f9 / (1000); }import requests import execjs # 请求获取页面数据 def get_data(page, m): res = requests.get( url='https://match.yuanrenxue.cn/api/match/1', params={ 'page': page, 'm': m } ) return res # 执行js代码获得参数m def get_m(): with open('v1.js', 'rt', encoding='utf-8') as f: js_string = f.read() js_code = execjs.compile(js_string) param_m = js_code.call('playload_m') return param_m # 处理请求返回的数据,计算机票平均价格 def get_average(page): count = 0 value = 0 param_m = get_m() for pid in range(1, page + 1): url_res = get_data(pid,param_m) if url_res.status_code == 200: page_data = get_data(pid,param_m).json()['data'] for item in page_data: value += int(item['value']) count += len(page_data) else: print(f"{pid}页数据请求失败:{url_res.json()}") print(f"前{page}页机票平均价格:{value / count}") if __name__ == '__main__': get_average(5) -
运行结果
-
笔者为刚接触逆向的小白,若上面有错误、不合理和值得优化的地方,欢迎各位大佬批评指正!
