JS网页逆向求助

dmvip · 发表于 2023-4-25 15:55

本帖最后由 dmvip 于 2023-4-25 16:07 编辑

本着学习的心态去尝试逆向,直接给我整懵了，难道就要为此放弃嘛。
做等大佬，做等大佬
-----------------------------------------------------------------------Base64

目标站点：aHR0cHM6Ly93d3cuNjA4MGR5My5jb20vdnBsYXkvMTIxNDU5LTEtMS5odG1s

需要解密的(_0x5c7706)：63QJYNYuO6V6cktrgf81lSdHJnGG5581N2rzz97P2SXBEEfUfQqSC74CxvNKjCxnrhzftR8QbiTP9lR7Yf8Znwt7OH3shPWPlQXBZa5emEVh8DQ/unOrEm3bxX435A9O/6WqxspsMUOkfQHWA499/Q==

刚刚学习网页逆向，对应混淆过的代码根本不知道怎么看，求大佬帮忙，解释下解密流程

看了最后应该是用AES解密的  秘钥和偏移量是怎么获取的

如果大佬你有时间，能否帮我用 java 或者Python  把解密代码也贴一下，感谢，感谢，感谢

[Java] 纯文本查看 复制代码

function decrypt(_0x5c7706) {
                const _0xf09890 = _0x43f7
      , _0x371a13 = {
        'QlwhA': function(_0x11b2e6, _0x173adf) {
            return _0x11b2e6(_0x173adf);
        },
        'RYvDS': _0xf09890(0x1a1, 'phIM'),
        'vPeFP': function(_0x1a8c9d, _0x3821fc) {
            return _0x1a8c9d(_0x3821fc);
        },
        'vlAsi': _0xf09890(0x10a, 'iftC'),
        'oDqtd': function(_0x23a589, _0x8b98ba) {
            return _0x23a589(_0x8b98ba);
        },
        'pfPHT': _0xf09890(0x153, '4xs1'),
        'RwGZX': _0xf09890(0xe7, 'bm4R'),
        'GTNPZ': function(_0x4bb43d, _0x16cf77) {
            return _0x4bb43d < _0x16cf77;
        },
        'bHLlV': 'CbUsa',
        'fglUk': function(_0x2d34dc, _0x376471, _0x122a69, _0x66f2b) {
            return _0x2d34dc(_0x376471, _0x122a69, _0x66f2b);
        },
        'RiITT': function(_0x18c854, _0x2f10b2) {
            return _0x18c854 !== _0x2f10b2;
        },
        'PBXpz': _0xf09890(0xb8, ')64p'),
        'cYaYB': _0xf09890(0xfe, 'm55r'),
        'SHNtg': _0xf09890(0xcb, 'rYdw'),
        'cjIiJ': function(_0x516478, _0x3819a0) {
            return _0x516478 + _0x3819a0;
        },
        'Auoif': 'xsjyy6080yy'
    };
    let _0x25d79b = _0x371a13[_0xf09890(0xce, ')h18')]($, _0xf09890(0xdf, 'kmBq'))[_0xf09890(0xbc, 'phIM')]('id')['replace'](_0x371a13[_0xf09890(0x120, 'Jkp8')], '')
      , _0x1ddf0e = _0x371a13['vPeFP']($, _0x371a13[_0xf09890(0x177, '@)Xc')])['attr']('id')[_0xf09890(0x13d, 'K3$N')](_0x371a13[_0xf09890(0xe1, 'Oid*')], '')
      , _0x2c7504 = []
      , _0x293155 = []
      , _0x345ee3 = '';
    for (var _0x1952df = 0x0; _0x371a13[_0xf09890(0x117, 'Fn!f')](_0x1952df, _0x1ddf0e[_0xf09890(0x134, ']CVv')]); _0x1952df++) {
        _0xf09890(0x196, ')h18') === _0x371a13['bHLlV'] ? _0x2c7504[_0xf09890(0x126, ')SO4')]({
            'id': _0x1ddf0e[_0x1952df],
            'text': _0x25d79b[_0x1952df]
        }) : _0x258c38[_0xf09890(0xf6, 'K3$N')][_0xf09890(0x1ae, 'phIM')] = _0x5cbca6;
    }
    _0x293155 = _0x371a13[_0xf09890(0xcd, 'mH^2')](sortByKey, 'id', _0x2c7504, (_0x30c593,_0x61fcb3)=>_0x30c593 - _0x61fcb3);
    for (var _0x1952df = 0x0; _0x1952df < _0x293155[_0xf09890(0xc8, 'SKH]')]; _0x1952df++) {
        _0x371a13[_0xf09890(0x157, '#m&)')](_0x371a13[_0xf09890(0x1ab, 'mNad')], _0x371a13[_0xf09890(0x18d, ')h18')]) ? _0x345ee3 += _0x293155[_0x1952df][_0x371a13[_0xf09890(0xf9, '%2fC')]] : (_0x371a13[_0xf09890(0xad, 'gfa(')](_0x1752d8, 'body')[_0xf09890(0x1a4, 'Jkp8')](_0x371a13[_0xf09890(0xf8, 'P2o[')]),
        _0x371a13[_0xf09890(0xfc, 'gfa(')](_0x13247f, _0x371a13[_0xf09890(0xef, '%2fC')])['remove']());
    }
    let _0x57df6f = CryptoJS[_0xf09890(0xae, '4xs1')](_0x371a13['cjIiJ'](_0x345ee3, _0x371a13[_0xf09890(0x137, '#bmV')]))[_0xf09890(0x143, '!ud8')]()
      , _0x156d70 = CryptoJS[_0xf09890(0x11c, 'H[$Y')]['Utf8'][_0xf09890(0x169, 'SKH]')](_0x57df6f[_0xf09890(0x167, 'm55r')](0x10))
      , _0x19f557 = CryptoJS[_0xf09890(0xeb, '#bmV')][_0xf09890(0x154, 'mH^2')][_0xf09890(0x169, 'SKH]')](_0x57df6f[_0xf09890(0xd2, 'Fn!f')](0x0, 0x10))
      , _0x416a2f = CryptoJS[_0xf09890(0x16d, '#qrH')]['decrypt'](_0x5c7706, _0x156d70, {
        'iv': _0x19f557,
        'mode': CryptoJS[_0xf09890(0x19b, 'H[$Y')][_0xf09890(0x1ad, 'PXu9')],
        'padding': CryptoJS[_0xf09890(0xc7, 'P2o[')][_0xf09890(0x1b0, 'phIM')]
    });
    return _0x416a2f[_0xf09890(0x19c, '#qrH')](CryptoJS[_0xf09890(0x174, 'zffY')][_0xf09890(0x110, 'YxIw')]);
}

李玉风我爱你 · 发表于 2023-4-25 19:31

应该是 md5(nPdGvFVAty+xsjyy6080yy) 再取前16位做iv 后16位做解密密码
360截图20230425193133829.jpg

dylaliu · 发表于 2023-4-25 16:22

这不就是v7加密的吗，要他这个decrypt算法？

dmvip · 发表于 2023-4-25 16:25

dylaliu 发表于 2023-4-25 16:22
这不就是v7加密的吗，要他这个decrypt算法？

是的，需要 decrypt 是怎么解密的

astree · 发表于 2023-4-25 16:33

dmvip 发表于 2023-4-25 16:25
是的，需要 decrypt 是怎么解密的

断点直接打到最后的return。都是调的CryptoJS的AES的加解密方法，mode= CryptoJS.mode.CBC，padding: CryptoJS.pad.Pkcs7，你自己把上面的IV 输出一下就能自己解密了。

dmvip · 发表于 2023-4-25 16:37

astree 发表于 2023-4-25 16:33
断点直接打到最后的return。都是调的CryptoJS的AES的加解密方法，mode= CryptoJS.mode.CBC，padding: C ...

手残党，大佬能细说一点嘛

kof21411 · 发表于 2023-4-25 17:16

这里不是已经写有了吗
      'iv': _0x19f557,
      'mode': CryptoJS[_0xf09890(0x19b, 'H[$Y')][_0xf09890(0x1ad, 'PXu9')],
      'padding': CryptoJS[_0xf09890(0xc7, 'P2o[')][_0xf09890(0x1b0, 'phIM')]
打个断点就知道了

dmvip · 发表于 2023-4-25 21:36

李玉风我爱你发表于 2023-4-25 19:31
应该是 md5(nPdGvFVAty+xsjyy6080yy) 再取前16位做iv 后16位做解密密码

谢谢谢谢谢谢

dmvip · 发表于 2023-4-26 09:56

李玉风我爱你发表于 2023-4-25 19:31
应该是 md5(nPdGvFVAty+xsjyy6080yy) 再取前16位做iv 后16位做解密密码

nPdGvFVAty
你好大佬请问下这个值是怎么来的

helian147 · 发表于 2023-4-26 13:53

dmvip 发表于 2023-4-26 09:56
nPdGvFVAty
你好大佬请问下这个值是怎么来的

let _0x57df6f = CryptoJS[_0xf09890(0xae, '4xs1')](_0x371a13['cjIiJ'](_0x345ee3, _0x371a13[_0xf09890(0x137, '#bmV')]))[_0xf09890(0x143, '!ud8')]()

这句里面：
_0xf09890(0xae, '4xs1')                                  MD5
_0x345ee3                                                    'gYVjBeBEyP'
_0x371a13[_0xf09890(0x137, '#bmV')]          'xsjyy6080yy'

断在return，鼠标在上面划一下，就有值出现；也可复制了，在console里面看具体值

帐号		自动登录	找回密码
密码			注册[Register]

[求助] JS网页逆向求助

免费评分