天翼云登录参数 JavaScript 逆向

天翼云登录参数 password、comParam_curTime、comParam_seqCode、comParam_signature 的 JavaScript 逆向

目标网站

https://m.ctyun.cn/wap/main/auth/login?redirect=%2Fmy

目标参数

要逆向的有 password、comParam_curTime、comParam_seqCode、comParam_signature 四个参数
01

逆向分析

password

点击如下红框所示可以快速定位到 password
02
03

可以看到 password

// Expression from the site's script that builds the `password` field. Per the article,
// u["c"], u["f"] and u["g"] resolve to the T, F and K functions, and a.value / s.value
// hold the account and the password typed into the form.
encodeURI(Object(u["c"])(s.value, Object(u["f"])(Object(u["g"])(a.value))))

只要解出 Object(u["c"])、Object(u["f"])、Object(u["g"])、a.value、s.value 即可

在该行打上断点,重新登录,然后在控制台输入 a.value、s.value,其值分别为账号、密码
04

Object(u["c"]) 方法是一个 T 函数:
05

p.a 属性不用扣代码,使用 crypto-js 第三方模块就可以

Object(u["f"]) 方法是一个 F 函数:
06

Object(u["g"]) 方法是一个 K 函数:
07

代码:

// crypto-js 模块安装命令:npm i crypto-js --save
const CryptoJS = require('crypto-js')

/**
 * Encrypts `e` with Triple DES through crypto-js and returns the ciphertext string.
 *
 * @param {string} e - Plaintext to encrypt.
 * @param {string} [n=""] - Key material, parsed with the encoder named by `t.enc`.
 * @param {{enc?: string, mode?: string, padding?: string}} [t={}] - Names looked up on
 *   CryptoJS.enc, CryptoJS.mode and CryptoJS.pad; they default to "Utf8", "ECB" and "Pkcs7".
 * @returns {string} `toString()` of the CryptoJS encryption result.
 *
 * NOTE(review): ECB with no IV is deterministic, so the same plaintext and key always give
 * the same ciphertext, and the caller in this listing derives the key from the account
 * name. That makes this an obfuscation layer, not confidentiality: the protection of the
 * password still rests on TLS and on server-side password hashing.
 */
const T = function (e, n = "", t = {}) {
  const { enc = "Utf8", mode = "ECB", padding = "Pkcs7" } = t;
  const keyWords = CryptoJS.enc[enc].parse(n);
  const cipherOptions = {
    mode: CryptoJS.mode[mode],
    padding: CryptoJS.pad[padding],
  };
  const encrypted = CryptoJS.TripleDES.encrypt(e, keyWords, cipherOptions);
  return encrypted.toString();
};

/**
 * Pads or truncates a string to a fixed length (used here to shape the 3DES key).
 *
 * @param {string} e - Input string; anything falsy or not a string yields `undefined`.
 * @param {{text?: string, length?: number}} [n={}] - `text` is the filler appended once per
 *   missing character (default "0"); `length` is the target length (default 24).
 * @returns {string|undefined} The padded or truncated string.
 */
const F = function (e, n = {}) {
  if (!e || typeof e !== "string") {
    return undefined;
  }
  const filler = n.text || "0";
  const targetLength = n.length || 24;
  if (e.length < targetLength) {
    let padded = e;
    // One filler per missing position, counted from the original length.
    for (let pos = e.length; pos < targetLength; pos++) {
      padded += filler;
    }
    return padded;
  }
  return e.substring(0, targetLength);
};

/**
 * Removes every run of whitespace from a string.
 *
 * @param {string} [e=""] - Input string.
 * @returns {string} The input with all whitespace characters stripped.
 */
const K = function (e = "") {
  const stripped = e.replace(/\s+/g, "");
  return stripped;
};

// Sample run with the article's placeholder account and password.
// The 3DES key is the whitespace-stripped account name padded/truncated to 24 characters,
// so anyone who knows the account name knows the key.
const account = K('123@163.com');
const desKey = F(account);
const password = encodeURI(T('abc123', desKey));
console.log(password);

运行结果与浏览器一致:

KfGiIrUSTPM=

comParam_curTime

全局搜索 comParam_curTime
08
09

发现它与 comParam_seqCode、comParam_signature 是放在一起的

return 处打上断点重新登录

comParam_curTime 值是变量 n

// comParam_curTime as computed by the site: the client clock in milliseconds minus the
// value returned by h.getTimestampOffset().
// NOTE(review): both inputs are under the client's control, so the server has to enforce
// its own freshness window on this value rather than trust it.
n = (new Date).getTime() - h.getTimestampOffset()

h.getTimestampOffset() 是一个函数:

// Returns the "timestampOffset" entry from localStorage, or `f` when that entry is
// missing or empty.
h.getTimestampOffset = function () {
  const storedOffset = localStorage.getItem("timestampOffset");
  return storedOffset || f;
};

它返回一个整数形式的字符串;页面关闭后再打开,该字符串也会随之改变。复现时可以把它写成一个固定值

代码:

// Current time in milliseconds minus a fixed offset; the string '512' is coerced to a
// number by the subtraction.
const n = new Date().getTime() - '512';
console.log(n);

运行结果:

1663060561792

comParam_seqCode

comParam_seqCode 值是变量 a

// comParam_seqCode as computed by the site: the return value of u["k"] called with no
// arguments (the article identifies it as the `_` random-string function).
a = Object(u["k"])()

Object(u["k"]) 是一个 _ 函数
10

代码:

/**
 * Builds a random string from the alphabet 0-9, A-Z, a-z.
 *
 * @param {number} [t=32] - Output length. A falsy value selects the UUID-v4-shaped branch
 *   (36 characters, dashes at 8/13/18/23, "4" at index 14).
 * @param {number} [a=16] - How many leading alphabet characters may be used; a falsy value
 *   means the whole alphabet.
 * @returns {string} The generated string.
 *
 * NOTE(review): Math.random() is not a cryptographically secure generator, so values
 * produced here must not be relied on as unpredictable nonces or tokens.
 */
const _ = function (t = 32, a = 16) {
  const alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".split("");
  const out = [];
  const radix = a || alphabet.length;
  if (t) {
    for (let k = 0; k < t; k++) {
      out[k] = alphabet[(Math.random() * radix) | 0];
    }
    return out.join("");
  }
  out[8] = out[13] = out[18] = out[23] = "-";
  out[14] = "4";
  for (let k = 0; k < 36; k++) {
    if (!out[k]) {
      const nibble = (16 * Math.random()) | 0;
      // Index 19 is forced into the range 8..11, as in a UUID variant field.
      out[k] = alphabet[k === 19 ? (nibble & 3) | 8 : nibble];
    }
  }
  return out.join("");
};

// Print one sample value (32 characters drawn from 0-9A-F with the default arguments).
const seqCode = _();
console.log(seqCode);

运行结果:

A45E944C4450FD178A8A8438AAAA4CDC

comParam_signature

comParam_signature 值是变量 r

// comParam_signature as computed by the site: o() is applied to (a + t + n), and again to
// n + a + that result. Per the article, o() resolves to the S function, n is
// comParam_curTime, a is comParam_seqCode and t is a fixed string in the page script.
// NOTE(review): a constant shipped to every client is not a secret, so this digest cannot
// serve as server-side proof that a request is authentic.
r = o()(n + a + o()(a + t + n))

n 是 comParam_curTime

a 是 comParam_seqCode

t 是 s54zv9bm1vd5czfujy6nnuxj1l4g2ny6(固定值)

o() 是一个 S 函数
11

代码:

/**
 * Builds a random string from the alphabet 0-9, A-Z, a-z.
 *
 * @param {number} [t=32] - Output length. A falsy value selects the UUID-v4-shaped branch
 *   (36 characters, dashes at 8/13/18/23, "4" at index 14).
 * @param {number} [a=16] - How many leading alphabet characters may be used; a falsy value
 *   means the whole alphabet.
 * @returns {string} The generated string.
 *
 * NOTE(review): Math.random() is not a cryptographically secure generator, so values
 * produced here must not be relied on as unpredictable nonces or tokens.
 */
const Y = function (t = 32, a = 16) {
  const alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".split("");
  const out = [];
  const radix = a || alphabet.length;
  if (t) {
    for (let k = 0; k < t; k++) {
      out[k] = alphabet[(Math.random() * radix) | 0];
    }
    return out.join("");
  }
  out[8] = out[13] = out[18] = out[23] = "-";
  out[14] = "4";
  for (let k = 0; k < 36; k++) {
    if (!out[k]) {
      const nibble = (16 * Math.random()) | 0;
      // Index 19 is forced into the range 8..11, as in a UUID variant field.
      out[k] = alphabet[k === 19 ? (nibble & 3) | 8 : nibble];
    }
  }
  return out.join("");
};

// Adds two integers modulo 2^32 by summing the 16-bit halves separately, returning a
// signed 32-bit result.
function i(t, e) {
  const lowSum = (t & 65535) + (e & 65535);
  const highSum = (t >> 16) + (e >> 16) + (lowSum >> 16);
  return (highSum << 16) | (lowSum & 65535);
}
// Rotates the 32-bit value `t` left by `e` bits.
function a(t, e) {
  const shiftedOut = t << e;
  const wrappedIn = t >>> (32 - e);
  return shiftedOut | wrappedIn;
}
// Shared step of the four round functions: sums e, t, r and u with 32-bit wraparound,
// rotates the sum left by `o` bits, then adds `n`.
function u(t, e, n, r, o, u) {
  const mixed = i(i(e, t), i(r, u));
  const rotated = a(mixed, o);
  return i(rotated, n);
}
// Round function using the selector (e AND n) OR (NOT e AND r).
function c(t, e, n, r, o, i, a) {
  const selector = (e & n) | (~e & r);
  return u(selector, t, e, o, i, a);
}
// Round function using the selector (e AND r) OR (n AND NOT r).
function s(t, e, n, r, o, i, a) {
  const selector = (e & r) | (n & ~r);
  return u(selector, t, e, o, i, a);
}
// Round function using the selector e XOR n XOR r.
function f(t, e, n, r, o, i, a) {
  const selector = e ^ n ^ r;
  return u(selector, t, e, o, i, a);
}
// Round function using the selector n XOR (e OR NOT r).
function l(t, e, n, r, o, i, a) {
  const selector = n ^ (e | ~r);
  return u(selector, t, e, o, i, a);
}
// MD5 compression over an array of 32-bit words.
// `t` is the message packed as little-endian words (the layout produced by d) and `e` is
// its length in bits. Returns the four 32-bit state words as signed integers.
// Note: `t` is modified in place by the padding step.
function p(t, e) {
var n, r, o, a, u;
// Append the 0x80 padding bit and store the bit length in the last block's length word.
t[e >> 5] |= 128 << e % 32,
t[14 + (e + 64 >>> 9 << 4)] = e;
// Initial chaining values (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 as signed ints).
var p = 1732584193
, h = -271733879
, d = -1732584194
, v = 271733878;
// One iteration per 16-word (512-bit) block; r/o/a/u keep the state on entry so it can be
// added back after the 64 steps.
for (n = 0; n < t.length; n += 16)
r = p,
o = h,
a = d,
u = v,
// Round 1: 16 steps with c.
p = c(p, h, d, v, t[n], 7, -680876936),
v = c(v, p, h, d, t[n + 1], 12, -389564586),
d = c(d, v, p, h, t[n + 2], 17, 606105819),
h = c(h, d, v, p, t[n + 3], 22, -1044525330),
p = c(p, h, d, v, t[n + 4], 7, -176418897),
v = c(v, p, h, d, t[n + 5], 12, 1200080426),
d = c(d, v, p, h, t[n + 6], 17, -1473231341),
h = c(h, d, v, p, t[n + 7], 22, -45705983),
p = c(p, h, d, v, t[n + 8], 7, 1770035416),
v = c(v, p, h, d, t[n + 9], 12, -1958414417),
d = c(d, v, p, h, t[n + 10], 17, -42063),
h = c(h, d, v, p, t[n + 11], 22, -1990404162),
p = c(p, h, d, v, t[n + 12], 7, 1804603682),
v = c(v, p, h, d, t[n + 13], 12, -40341101),
d = c(d, v, p, h, t[n + 14], 17, -1502002290),
h = c(h, d, v, p, t[n + 15], 22, 1236535329),
// Round 2: 16 steps with s.
p = s(p, h, d, v, t[n + 1], 5, -165796510),
v = s(v, p, h, d, t[n + 6], 9, -1069501632),
d = s(d, v, p, h, t[n + 11], 14, 643717713),
h = s(h, d, v, p, t[n], 20, -373897302),
p = s(p, h, d, v, t[n + 5], 5, -701558691),
v = s(v, p, h, d, t[n + 10], 9, 38016083),
d = s(d, v, p, h, t[n + 15], 14, -660478335),
h = s(h, d, v, p, t[n + 4], 20, -405537848),
p = s(p, h, d, v, t[n + 9], 5, 568446438),
v = s(v, p, h, d, t[n + 14], 9, -1019803690),
d = s(d, v, p, h, t[n + 3], 14, -187363961),
h = s(h, d, v, p, t[n + 8], 20, 1163531501),
p = s(p, h, d, v, t[n + 13], 5, -1444681467),
v = s(v, p, h, d, t[n + 2], 9, -51403784),
d = s(d, v, p, h, t[n + 7], 14, 1735328473),
h = s(h, d, v, p, t[n + 12], 20, -1926607734),
// Round 3: 16 steps with f.
p = f(p, h, d, v, t[n + 5], 4, -378558),
v = f(v, p, h, d, t[n + 8], 11, -2022574463),
d = f(d, v, p, h, t[n + 11], 16, 1839030562),
h = f(h, d, v, p, t[n + 14], 23, -35309556),
p = f(p, h, d, v, t[n + 1], 4, -1530992060),
v = f(v, p, h, d, t[n + 4], 11, 1272893353),
d = f(d, v, p, h, t[n + 7], 16, -155497632),
h = f(h, d, v, p, t[n + 10], 23, -1094730640),
p = f(p, h, d, v, t[n + 13], 4, 681279174),
v = f(v, p, h, d, t[n], 11, -358537222),
d = f(d, v, p, h, t[n + 3], 16, -722521979),
h = f(h, d, v, p, t[n + 6], 23, 76029189),
p = f(p, h, d, v, t[n + 9], 4, -640364487),
v = f(v, p, h, d, t[n + 12], 11, -421815835),
d = f(d, v, p, h, t[n + 15], 16, 530742520),
h = f(h, d, v, p, t[n + 2], 23, -995338651),
// Round 4: 16 steps with l.
p = l(p, h, d, v, t[n], 6, -198630844),
v = l(v, p, h, d, t[n + 7], 10, 1126891415),
d = l(d, v, p, h, t[n + 14], 15, -1416354905),
h = l(h, d, v, p, t[n + 5], 21, -57434055),
p = l(p, h, d, v, t[n + 12], 6, 1700485571),
v = l(v, p, h, d, t[n + 3], 10, -1894986606),
d = l(d, v, p, h, t[n + 10], 15, -1051523),
h = l(h, d, v, p, t[n + 1], 21, -2054922799),
p = l(p, h, d, v, t[n + 8], 6, 1873313359),
v = l(v, p, h, d, t[n + 15], 10, -30611744),
d = l(d, v, p, h, t[n + 6], 15, -1560198380),
h = l(h, d, v, p, t[n + 13], 21, 1309151649),
p = l(p, h, d, v, t[n + 4], 6, -145523070),
v = l(v, p, h, d, t[n + 11], 10, -1120210379),
d = l(d, v, p, h, t[n + 2], 15, 718787259),
h = l(h, d, v, p, t[n + 9], 21, -343485551),
// Add this block's result onto the state saved at the top of the iteration.
p = i(p, r),
h = i(h, o),
d = i(d, a),
v = i(v, u);
return [p, h, d, v]
}
// Unpacks an array of 32-bit words into a string with one character per byte, lowest
// byte of each word first.
function h(t) {
  const bitCount = 32 * t.length;
  let bytes = "";
  for (let bit = 0; bit < bitCount; bit += 8) {
    const byteValue = (t[bit >> 5] >>> (bit % 32)) & 255;
    bytes += String.fromCharCode(byteValue);
  }
  return bytes;
}
// Packs a string of byte-valued characters into an array of 32-bit words, lowest byte of
// each word first. Only the low 8 bits of each character code are used.
function d(t) {
  const words = [];
  // Assigning the last index sizes the array before it is zero-filled.
  words[(t.length >> 2) - 1] = undefined;
  words.fill(0);
  const bitCount = 8 * t.length;
  for (let bit = 0; bit < bitCount; bit += 8) {
    words[bit >> 5] |= (t.charCodeAt(bit / 8) & 255) << (bit % 32);
  }
  return words;
}
// Raw MD5 of a byte string: pack into words, run the compression, unpack to a byte string.
function v(t) {
  const words = d(t);
  const state = p(words, 8 * t.length);
  return h(state);
}
// Raw HMAC-MD5 of byte string `e` under key byte string `t`.
// The key is hashed first when it packs to more than 16 words; the constants are the
// 0x36 and 0x5c pad bytes repeated across a 32-bit word.
function y(t, e) {
  let keyWords = d(t);
  const innerPad = [];
  const outerPad = [];
  innerPad[15] = outerPad[15] = undefined;
  if (keyWords.length > 16) {
    keyWords = p(keyWords, 8 * t.length);
  }
  for (let k = 0; k < 16; k += 1) {
    innerPad[k] = 909522486 ^ keyWords[k];
    outerPad[k] = 1549556828 ^ keyWords[k];
  }
  const innerDigest = p(innerPad.concat(d(e)), 512 + 8 * e.length);
  return h(p(outerPad.concat(innerDigest), 640));
}
// Converts a string of byte-valued characters to lowercase hex, two digits per character.
function g(t) {
  const hexDigits = "0123456789abcdef";
  let hex = "";
  for (let k = 0; k < t.length; k += 1) {
    const code = t.charCodeAt(k);
    hex += hexDigits.charAt((code >>> 4) & 15) + hexDigits.charAt(code & 15);
  }
  return hex;
}
// Encodes a string as UTF-8 and returns it with one character per encoded byte.
function b(t) {
  const percentEncoded = encodeURIComponent(t);
  return unescape(percentEncoded);
}
// Raw MD5 of a text string, hashed over its UTF-8 bytes.
function m(t) {
  const utf8Bytes = b(t);
  return v(utf8Bytes);
}
// Hex-encoded MD5 of a text string.
function _(t) {
  const rawDigest = m(t);
  return g(rawDigest);
}
// Raw HMAC-MD5 with key `t` and message `e`, both converted to UTF-8 bytes first.
function w(t, e) {
  const keyBytes = b(t);
  const messageBytes = b(e);
  return y(keyBytes, messageBytes);
}
// Hex-encoded HMAC-MD5 with key `t` and message `e`.
function x(t, e) {
  const rawMac = w(t, e);
  return g(rawMac);
}
/**
 * Entry point of the MD5 helper set.
 *
 * @param {string} t - Message.
 * @param {string} [e] - Optional key; when truthy an HMAC-MD5 is computed instead of a
 *   plain MD5.
 * @param {boolean} [n] - When truthy the raw byte string is returned instead of hex.
 * @returns {string} The digest, hex-encoded unless `n` is truthy.
 *
 * NOTE(review): MD5 is not collision-resistant, and the listing calls this without a key,
 * so the result is an unkeyed digest rather than a MAC.
 */
function S(t, e, n) {
  if (e) {
    return n ? w(e, t) : x(e, t);
  }
  return n ? m(t) : _(t);
}

// Computes hex MD5 of (n + Y() + hex MD5 of (Y() + t + n)) and prints it.
// `t` is the fixed string taken from the page script. Because it is delivered to every
// client, the digest is not keyed by a secret and cannot authenticate the request on the
// server side.
const t = 's54zv9bm1vd5czfujy6nnuxj1l4g2ny6';
const n = new Date().getTime() - '512';
const outerPrefix = n + Y();
const innerDigest = S(Y() + t + n);
const r = S(outerPrefix + innerDigest);
console.log(r);

运行结果:

5de73ee3988222d4dedaad5ed7fcd49c