美文网首页
JS逆向案例,破解加密JSON字符串数据!真的强!

JS逆向案例,破解加密JSON字符串数据!真的强!

作者: 爱是一道光_e5f7 | 来源:发表于2021-02-22 13:56 被阅读0次

之前,我们介绍了两种基础的JS逆向案例。今天,就继续来分享一个稍微复杂的JS逆向案例吧~

爬取网址:企业科技,本次爬取仅供学习,无任何商业用途

一、寻找加密源码

进入网站后,利用Chrome浏览器进行抓包,结果如下

从上图可知,我们需要的数据encypt_data被加密成一长串字符。按照JS逆向的一般套路,首先,我们来搜索一下encypt_data参数,基本步骤如下

通过比对搜索出的6个encypt_data参数,最终定位到10790行的encypt_data,在此数打下断点,刷新页面,结果如下

依步调试代码,最终定位在11087行

不难看出,参数t就是之前我们看到的加密后字符串encypt_data!分析o函数可知:它将encypt_data参数传给s函数,然后利用json解析其返回值即可实现解密!(JSON.parse是javascript中解析json字符串的方法,后续就无需复制此处,因为我们可以利用Python复写)

由于上述s函数与a.a.decode函数均未定义,因此我们对其进行补充,将鼠标放置s上即可进行跳转。最终复制的JS代码如下,并将其另存为tech.js(这里我将a.a.decode函数重命名为mydecode函数)

function o(t) {

//注意此处没有JSON.parse,并且将a.a.decode改为mydecode

    return  s("5e5062e82f15fe4ca9d24bc5", mydecode(t), 0, 0, "012345677890123", 1) 

}

function s(t, e, i, n, a, s) {

    var o, r, c, l, u, d, h, p, f, v, m, g, b, y, C = new Array(16843776,0,65536,16843780,16842756,66564,4,65536,1024,16843776,16843780,1024,16778244,16842756,16777216,4,1028,16778240,16778240,66560,66560,16842752,16842752,16778244,65540,16777220,16777220,65540,0,1028,66564,16777216,65536,16843780,4,16842752,16843776,16777216,16777216,1024,16842756,65536,66560,16777220,1024,4,16778244,66564,16843780,65540,16842752,16778244,16777220,1028,66564,16843776,1028,16778240,16778240,0,65540,66560,0,16842756), _ = new Array(-2146402272,-2147450880,32768,1081376,1048576,32,-2146435040,-2147450848,-2147483616,-2146402272,-2146402304,-2147483648,-2147450880,1048576,32,-2146435040,1081344,1048608,-2147450848,0,-2147483648,32768,1081376,-2146435072,1048608,-2147483616,0,1081344,32800,-2146402304,-2146435072,32800,0,1081376,-2146435040,1048576,-2147450848,-2146435072,-2146402304,32768,-2146435072,-2147450880,32,-2146402272,1081376,32,32768,-2147483648,32800,-2146402304,1048576,-2147483616,1048608,-2147450848,-2147483616,1048608,1081344,0,-2147450880,32800,-2147483648,-2146435040,-2146402272,1081344), w = new Array(520,134349312,0,134348808,134218240,0,131592,134218240,131080,134217736,134217736,131072,134349320,131080,134348800,520,134217728,8,134349312,512,131584,134348800,134348808,131592,134218248,131584,131072,134218248,8,134349320,512,134217728,134349312,134217728,131080,520,131072,134349312,134218240,0,512,131080,134349320,134218240,134217736,512,0,134348808,134218248,131072,134217728,134349320,8,131592,131584,134217736,134348800,134218248,520,134348800,131592,8,134348808,131584), x = new Array(8396801,8321,8321,128,8396928,8388737,8388609,8193,0,8396800,8396800,8396929,129,0,8388736,8388609,1,8192,8388608,8396801,128,8388608,8193,8320,8388737,1,8320,8388736,8192,8396928,8396929,129,8388736,8388609,8396800,8396929,129,0,0,8396800,8320,8388736,8388737,1,8396801,8321,8321,128,8396929,129,1,8192,8388609,8193,8396928,8388737,8193,8320,8388608,8396801,128,8388608,8192,8396928), k = new Array(256,34078976,34078720,1107296512,524288,256,1073741824,34078720,1074266368,524288,33554688,1074266368,1107296512,1107820544,524544,1073741824,33554432,1074266112,1074266112,0,1073742080,1107820800,1107820800,33554688,1107820544,1073742080,0,1107296256,34078976,33554432,1107296256,524544,524288,1107296512,256,33554432,1073741824,34078720,1107296512,1074266368,33554688,1073741824,1107820544,34078976,1074266368,256,33554432,1107820544,1107820800,524544,1107296256,1107820800,34078720,0,1074266112,1107296256,524544,33554688,1073742080,524288,0,1074266112,34078976,1073742080), A = new Array(536870928,541065216,16384,541081616,541065216,16,541081616,4194304,536887296,4210704,4194304,536870928,4194320,536887296,536870912,16400,0,4194320,536887312,16384,4210688,536887312,16,541065232,541065232,0,4210704,541081600,16400,4210688,541081600,536870912,536887296,16,541065232,4210688,541081616,4194304,16400,536870928,4194304,536887296,536870912,16400,536870928,541081616,4210688,541065216,4210704,541081600,0,541065232,16,16384,541065216,4210704,16384,4194320,536887312,0,541081600,536870912,4194320,536887312), T = new Array(2097152,69206018,67110914,0,2048,67110914,2099202,69208064,69208066,2097152,0,67108866,2,67108864,69206018,2050,67110912,2099202,2097154,67110912,67108866,69206016,69208064,2097154,69206016,2048,2050,69208066,2099200,2,67108864,2099200,67108864,2099200,2097152,67110914,67110914,69206018,69206018,2,2097154,67108864,67110912,2097152,69208064,2050,2099202,69208064,2050,67108866,69208066,69206016,2099200,0,2,69208066,0,2099202,69206016,2048,67108866,67110912,2048,2097154), L = new Array(268439616,4096,262144,268701760,268435456,268439616,64,268435456,262208,268697600,268701760,266240,268701696,266304,4096,64,268697600,268435520,268439552,4160,266240,262208,268697664,268701696,4160,0,0,268697664,268435520,268439552,266304,262144,266304,262144,268701696,4096,64,268697664,4096,266304,268439552,64,268435520,268697600,268697664,268435456,262144,268439616,0,268701760,262208,268435520,268697600,268439552,268439616,0,268701760,266240,266240,4160,4160,262208,268435456,268701696), S = function(t) {

        for (var e, i, n, a = new Array(0,4,536870912,536870916,65536,65540,536936448,536936452,512,516,536871424,536871428,66048,66052,536936960,536936964), s = new Array(0,1,1048576,1048577,67108864,67108865,68157440,68157441,256,257,1048832,1048833,67109120,67109121,68157696,68157697), o = new Array(0,8,2048,2056,16777216,16777224,16779264,16779272,0,8,2048,2056,16777216,16777224,16779264,16779272), r = new Array(0,2097152,134217728,136314880,8192,2105344,134225920,136323072,131072,2228224,134348800,136445952,139264,2236416,134356992,136454144), c = new Array(0,262144,16,262160,0,262144,16,262160,4096,266240,4112,266256,4096,266240,4112,266256), l = new Array(0,1024,32,1056,0,1024,32,1056,33554432,33555456,33554464,33555488,33554432,33555456,33554464,33555488), u = new Array(0,268435456,524288,268959744,2,268435458,524290,268959746,0,268435456,524288,268959744,2,268435458,524290,268959746), d = new Array(0,65536,2048,67584,536870912,536936448,536872960,536938496,131072,196608,133120,198656,537001984,537067520,537004032,537069568), h = new Array(0,262144,0,262144,2,262146,2,262146,33554432,33816576,33554432,33816576,33554434,33816578,33554434,33816578), p = new Array(0,268435456,8,268435464,0,268435456,8,268435464,1024,268436480,1032,268436488,1024,268436480,1032,268436488), f = new Array(0,32,0,32,1048576,1048608,1048576,1048608,8192,8224,8192,8224,1056768,1056800,1056768,1056800), v = new Array(0,16777216,512,16777728,2097152,18874368,2097664,18874880,67108864,83886080,67109376,83886592,69206016,85983232,69206528,85983744), m = new Array(0,4096,134217728,134221824,524288,528384,134742016,134746112,16,4112,134217744,134221840,524304,528400,134742032,134746128), g = new Array(0,4,256,260,0,4,256,260,1,5,257,261,1,5,257,261), b = t.length > 8 ? 3 : 1, y = new Array(32 * b), C = new Array(0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0), _ = 0, w = 0, x = 0; x < b; x++) {

            var k = t.charCodeAt(_++) << 24 | t.charCodeAt(_++) << 16 | t.charCodeAt(_++) << 8 | t.charCodeAt(_++)

              , A = t.charCodeAt(_++) << 24 | t.charCodeAt(_++) << 16 | t.charCodeAt(_++) << 8 | t.charCodeAt(_++);

            k ^= (n = 252645135 & (k >>> 4 ^ A)) << 4,

            k ^= n = 65535 & ((A ^= n) >>> -16 ^ k),

            k ^= (n = 858993459 & (k >>> 2 ^ (A ^= n << -16))) << 2,

            k ^= n = 65535 & ((A ^= n) >>> -16 ^ k),

            k ^= (n = 1431655765 & (k >>> 1 ^ (A ^= n << -16))) << 1,

            k ^= n = 16711935 & ((A ^= n) >>> 8 ^ k),

            n = (k ^= (n = 1431655765 & (k >>> 1 ^ (A ^= n << 8))) << 1) << 8 | (A ^= n) >>> 20 & 240,

            k = A << 24 | A << 8 & 16711680 | A >>> 8 & 65280 | A >>> 24 & 240,

            A = n;

            for (var T = 0; T < C.length; T++)

                C[T] ? (k = k << 2 | k >>> 26,

                A = A << 2 | A >>> 26) : (k = k << 1 | k >>> 27,

                A = A << 1 | A >>> 27),

                A &= -15,

                e = a[(k &= -15) >>> 28] | s[k >>> 24 & 15] | o[k >>> 20 & 15] | r[k >>> 16 & 15] | c[k >>> 12 & 15] | l[k >>> 8 & 15] | u[k >>> 4 & 15],

                i = d[A >>> 28] | h[A >>> 24 & 15] | p[A >>> 20 & 15] | f[A >>> 16 & 15] | v[A >>> 12 & 15] | m[A >>> 8 & 15] | g[A >>> 4 & 15],

                n = 65535 & (i >>> 16 ^ e),

                y[w++] = e ^ n,

                y[w++] = i ^ n << 16

        }

        return y

    }(t), F = 0, I = e.length, B = 0, j = 32 == S.length ? 3 : 9;

    p = 3 == j ? i ? new Array(0,32,2) : new Array(30,-2,-2) : i ? new Array(0,32,2,62,30,-2,64,96,2) : new Array(94,62,-2,32,64,2,30,-2,-2),

    2 == s ? e += "        " : 1 == s ? i && (c = 8 - I % 8,

    e += String.fromCharCode(c, c, c, c, c, c, c, c),

    8 === c && (I += 8)) : s || (e += "\0\0\0\0\0\0\0\0");

    var z = ""

      , O = "";

    for (1 == n && (f = a.charCodeAt(F++) << 24 | a.charCodeAt(F++) << 16 | a.charCodeAt(F++) << 8 | a.charCodeAt(F++),

    m = a.charCodeAt(F++) << 24 | a.charCodeAt(F++) << 16 | a.charCodeAt(F++) << 8 | a.charCodeAt(F++),

    F = 0); F < I; ) {

        for (d = e.charCodeAt(F++) << 24 | e.charCodeAt(F++) << 16 | e.charCodeAt(F++) << 8 | e.charCodeAt(F++),

        h = e.charCodeAt(F++) << 24 | e.charCodeAt(F++) << 16 | e.charCodeAt(F++) << 8 | e.charCodeAt(F++),

        1 == n && (i ? (d ^= f,

        h ^= m) : (v = f,

        g = m,

        f = d,

        m = h)),

        d ^= (c = 252645135 & (d >>> 4 ^ h)) << 4,

        d ^= (c = 65535 & (d >>> 16 ^ (h ^= c))) << 16,

        d ^= c = 858993459 & ((h ^= c) >>> 2 ^ d),

        d ^= c = 16711935 & ((h ^= c << 2) >>> 8 ^ d),

        d = (d ^= (c = 1431655765 & (d >>> 1 ^ (h ^= c << 8))) << 1) << 1 | d >>> 31,

        h = (h ^= c) << 1 | h >>> 31,

        r = 0; r < j; r += 3) {

            for (b = p[r + 1],

            y = p[r + 2],

            o = p[r]; o != b; o += y)

                l = h ^ S[o],

                u = (h >>> 4 | h << 28) ^ S[o + 1],

                c = d,

                d = h,

                h = c ^ (_[l >>> 24 & 63] | x[l >>> 16 & 63] | A[l >>> 8 & 63] | L[63 & l] | C[u >>> 24 & 63] | w[u >>> 16 & 63] | k[u >>> 8 & 63] | T[63 & u]);

            c = d,

            d = h,

            h = c

        }

        h = h >>> 1 | h << 31,

        h ^= c = 1431655765 & ((d = d >>> 1 | d << 31) >>> 1 ^ h),

        h ^= (c = 16711935 & (h >>> 8 ^ (d ^= c << 1))) << 8,

        h ^= (c = 858993459 & (h >>> 2 ^ (d ^= c))) << 2,

        h ^= c = 65535 & ((d ^= c) >>> 16 ^ h),

        h ^= c = 252645135 & ((d ^= c << 16) >>> 4 ^ h),

        d ^= c << 4,

        1 == n && (i ? (f = d,

        m = h) : (d ^= v,

        h ^= g)),

        O += String.fromCharCode(d >>> 24, d >>> 16 & 255, d >>> 8 & 255, 255 & d, h >>> 24, h >>> 16 & 255, h >>> 8 & 255, 255 & h),

        512 == (B += 8) && (z += O,

        O = "",

        B = 0)

    }

    if (z = (z += O).replace(/\0*$/g, ""),

    !i) {

        if (1 === s) {

            var E = 0;

            (I = z.length) && (E = z.charCodeAt(I - 1)),

            E <= 8 && (z = z.substring(0, I - E))

        }

        z = decodeURIComponent(escape(z))

    }

    return z

}

//修改函数名为mydecode

function  mydecode(t) {

                var e = (t = String(t).replace(f, "")).length;

                e % 4 == 0 && (e = (t = t.replace(/==?$/, "")).length),

                (e % 4 == 1 || /[^+a-zA-Z0-9/]/.test(t)) && l("Invalid character: the string to be decoded is not correctly encoded.");

                for (var n, r, i = 0, o = "", a = -1; ++a < e; )

                    r = c.indexOf(t.charAt(a)),

                    n = i % 4 ? 64 * n + r : r,

                    i++ % 4 && (o += String.fromCharCode(255 & n >> (-2 * i & 6)));

                return o

            }

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106

二、查漏补全JS代码

这里我们依旧是借助execjs库来执行JS代码,执行代码如下

import execjs

import json

import requests

def get_encrypt_data(url):

    header = {

        'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36'}

    r = requests.get(url, headers=header)

    return r.json()['encrypt_data']

def load_jscode(js_path):

    with open(js_path, 'r', encoding='utf8') as f:

        jscode = f.read()

    return jscode

if __name__ == '__main__':

    url = 'https://vipapi.qimingpian.com/DataList/productListVip'

    encrypt_data = get_encrypt_data(url)

    jscode = load_jscode('c:/Users/dell/Desktop/tech.js')

    rst = execjs.compile(jscode).call('o', encrypt_data)

    data = json.loads(rst)

    print(data)

123456789101112131415161718192021222324

执行结果如下,分析可知参数f未定义,接下来就到了"查漏补缺"的时候了

通过分析上述JS代码可知,参数f是在decode函数中的。在11282处打下断点,刷新页面,将鼠标放置f上可得到/[\t\n\f\r ]/g(或者在console控制台输入f亦可得到,注意:这里需要将之前打过的断点删除,否则不会有参数显示!)

将参数f加入之前的mydecode函数,如下所示

function  mydecode(t) {

var f = '/[\t\n\f\r ]/g'  //添加f的定义

                var e = (t = String(t).replace(f, "")).length;

                e % 4 == 0 && (e = (t = t.replace(/==?$/, "")).length),

                (e % 4 == 1 || /[^+a-zA-Z0-9/]/.test(t)) && l("Invalid character: the string to be decoded is not correctly encoded.");

                for (var n, r, i = 0, o = "", a = -1; ++a < e; )

                    r = c.indexOf(t.charAt(a)),

                    n = i % 4 ? 64 * n + r : r,

                    i++ % 4 && (o += String.fromCharCode(255 & n >> (-2 * i & 6)));

                return o

            }

1234567891011

再次执行代码,结果如下,可知参数c尚未定义

同理,找到参数c的位置后(依然是在decode函数下),打断点分析,可知参数c为ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/.将参数c加入之前的mydecode函数,如下所示

function  mydecode(t) {

var f = '/[\t\n\f\r ]/g'  //添加f的定义

var c = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' //添加c的定义

                var e = (t = String(t).replace(f, "")).length;

                e % 4 == 0 && (e = (t = t.replace(/==?$/, "")).length),

                (e % 4 == 1 || /[^+a-zA-Z0-9/]/.test(t)) && l("Invalid character: the string to be decoded is not correctly encoded.");

                for (var n, r, i = 0, o = "", a = -1; ++a < e; )

                    r = c.indexOf(t.charAt(a)),

                    n = i % 4 ? 64 * n + r : r,

                    i++ % 4 && (o += String.fromCharCode(255 & n >> (-2 * i & 6)));

                return o

            }

123456789101112

再次执行代码,结果如下

已成功返回数据!

三、全部代码

将得到的json字符串,整理为Dataframe格式,全部代码如下

import execjs

import json

import requests

import pandas as pd

def get_encrypt_data(url):

    header = {

        'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36'}

    r = requests.get(url, headers=header)

    return r.json()['encrypt_data']

def load_jscode(js_path):

    with open(js_path, 'r', encoding='utf8') as f:

        jscode = f.read()

    return jscode

def save_data(data):

    df = []

    for content in data['list']:

        item = content['product']

        business = content['yewu']

        industry = content['hangye1']

        loc = content['province']

        period = content['jieduan']

        invest_time = content['time']

        invest_money = content['money']

        investor = [investor['investor'] for investor in content['investor_info']]

        df.append([item,business,industry,loc,period,invest_time,invest_money,investor])

    df1 = pd.DataFrame(df,columns=['项目','业务','行业','地区',

                                  '投资阶段','投资时间','投资金额','投资方'])

    df1.to_csv('c:/users/dell/Desktop/company.csv',index=False,encoding='gbk')

    print('数据保存成功')

if __name__ == '__main__':

    url = 'https://vipapi.qimingpian.com/DataList/productListVip'

    encrypt_data = get_encrypt_data(url)

    jscode = load_jscode('c:/Users/dell/Desktop/tech.js')

    rst = execjs.compile(jscode).call('o', encrypt_data)

    data = json.loads(rst)

    save_data(data)

1234567891011121314151617181920212223242526272829303132333435363738394041

爬取数据如下

以上就是本次分享的全部内容~

近期有很多朋友通过私信咨询有关Python学习问题。为便于交流,点击蓝色自己加入讨论解答资源基地

相关文章

  • JS逆向案例,破解加密JSON字符串数据!真的强!

    之前,我们介绍了两种基础的JS逆向案例。今天,就继续来分享一个稍微复杂的JS逆向案例吧~ 爬取网址:企业科技[ht...

  • jsdom如何好用吗?

    听说个小工具jsdom搞js逆向加密破解很牛逼?

  • json字符串和json对象转化

    json字符串 json对象 在获得json数据时,先使用 alert(typeof(str)); 函数显示 js...

  • js逆向之有道翻译加密的破解

    上一篇我们破解了百度翻译的sign参数,今天我们来破解有道翻译结果的请求加密参数。由于之前写过几篇基础的js逆向分...

  • JS注意事项

    JS/JSON js对象转换字符串:JSON.stringify(要转换的对象)json字符串转换成js对象:JS...

  • js逆向之百度翻译加密参数的破解

    又来到了我们的js逆向时间了,这次我们要抓取的是百度翻译的翻译信息,但是其请求存在加密参数,我们需要调试js来破解...

  • js/json

    js对象转换字符串:JSON.stringify(要转换的对象)json字符串转换成js对象:JSON.parse...

  • js/json

    js对象转换字符串:JSON.stringify(要转换的对象) json字符串转换成js对象:JSON.pars...

  • js以及json

    js对象转换字符串:JSON.stringify(要转换的对象)json字符串转换成js对象:JSON.parse...

  • js/json

    js对象转换字符串:JSON.stringify(要转换的对象)json字符串转换成js对象:JSON.parse...

网友评论

      本文标题:JS逆向案例,破解加密JSON字符串数据!真的强!

      本文链接:https://www.haomeiwen.com/subject/fbnhfltx.html