当前位置：网站首页>web逆向之丁香园

web逆向之丁香园

2022-08-10 20:55:00 【不爱打代码的程序员】

文章目录

1.比较常规的web逆向流程，找关键词sign，查找发现痕迹比较多，换noncestr

2.找到sign=o,进入api()函数

3. 缺什么补什么，不需要补环境

4.node环境右键运行现成的代码

function wordsToBytes(e) {
    
    for (var t = [], n = 0; n < 32 * e.length; n += 8)
        t.push(e[n >>> 5] >>> 24 - n % 32 & 255);
    return t
}

n = {
    
    utf8: {
    
        stringToBytes: function stringToBytes(e) {
    
            return n.bin.stringToBytes(unescape(encodeURIComponent(e)))
        },
        bytesToString: function bytesToString(e) {
    
            return decodeURIComponent(escape(n.bin.bytesToString(e)))
        }
    },
    bin: {
    
        stringToBytes: function stringToBytes(e) {
    
            for (var t = [], n = 0; n < e.length; n++)
                t.push(255 & e.charCodeAt(n));
            return t
        },
        bytesToString: function bytesToString(e) {
    
            for (var t = [], n = 0; n < e.length; n++)
                t.push(String.fromCharCode(e[n]));
            return t.join("")
        }
    }
};
r = n;
a = r.utf8;
i = r.bin;

function bytesToWords(e) {
    
    for (var t = [], n = 0, r = 0; n < e.length; n++,
        r += 8)
        t[r >>> 5] |= e[n] << 24 - r % 32;
    return t
}

l = function sha1(e) {
    
    e.constructor == String ? e = a.stringToBytes(e) : "undefined" !== typeof t && "function" == typeof t.isBuffer && t.isBuffer(e) ? e = Array.prototype.slice.call(e, 0) : Array.isArray(e) || (e = e.toString());
    var n = bytesToWords(e)
        , r = 8 * e.length
        , i = []
        , l = 1732584193
        , s = -271733879
        , c = -1732584194
        , u = 271733878
        , f = -1009589776;
    n[r >> 5] |= 128 << 24 - r % 32,
        n[15 + (r + 64 >>> 9 << 4)] = r;
    for (var d = 0; d < n.length; d += 16) {
    
        for (var p = l, h = s, y = c, m = u, b = f, v = 0; v < 80; v++) {
    
            if (v < 16)
                i[v] = n[d + v];
            else {
    
                var g = i[v - 3] ^ i[v - 8] ^ i[v - 14] ^ i[v - 16];
                i[v] = g << 1 | g >>> 31
            }
            var k = (l << 5 | l >>> 27) + f + (i[v] >>> 0) + (v < 20 ? 1518500249 + (s & c | ~s & u) : v < 40 ? 1859775393 + (s ^ c ^ u) : v < 60 ? (s & c | s & u | c & u) - 1894007588 : (s ^ c ^ u) - 899497514);
            f = u,
                u = c,
                c = s << 30 | s >>> 2,
                s = l,
                l = k
        }
        l += p,
            s += h,
            c += y,
            u += m,
            f += b
    }
    return [l, s, c, u, f]
}

function bytesToHex(e) {
    
    for (var t = [], n = 0; n < e.length; n++)
        t.push((e[n] >>> 4).toString(16)),
            t.push((15 & e[n]).toString(16));
    return t.join("")
}

function api(e, t) {
    
    var n = wordsToBytes(l(e));
    return t && t.asBytes ? n : t && t.asString ? i.bytesToString(n) : bytesToHex(n)
};

function randomWords() {
    
    for (var e = arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : 8, t = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : "alphabet", n = "", r = {
    
        alphabet: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
        number: "0123456789"
    }[t], o = 0; o < e; o++)
        n += r.charAt(Math.floor(Math.random() * r.length));
    return n
}

noncestr = randomWords(8, "number")
console.log(noncestr)
timestamp = Date.now()
console.log(timestamp)
c = "xxx"+noncestr+"&serverTimestamp=0&timestamp="+timestamp
sign = api(c)
console.log(sign)