點點數據登錄包K參數分析

滲透逆向 · 9 天前 · 8 人浏览

本次測試網址
如圖所示,本次分析K參數,先去啓動器找到發送的地方下斷點。
2025-05-29T09:49:30.png
發現k值已經生成,那麽就往前調,從堆棧那裏。
2025-05-29T09:54:48.png
定位到異步方法,跟進去這個m,進攔截器裏面找request下斷點。
2025-05-29T09:55:44.png
2025-05-29T09:57:02.png
發現此時沒有k值生成,因爲t方法還沒有執行。
2025-05-29T09:58:08.png
控制臺輸入HOOK代碼,把 e.data hook住。

// Console-only breakpoint hook. `e` is not defined in this snippet; presumably
// it is the request object in scope at the paused frame (confirm in the debugger).
// Every later `e.data = ...` assignment runs the setter and pauses execution,
// so the call stack shows which code writes the field.
// The setter discards the assigned value and no getter is defined, so `e.data`
// reads back as undefined while this hook is installed.
Object.defineProperty(e, 'data', {
    set: function () {
        debugger;
    },
});

然後發現hook成功,繼續往上跟
2025-05-29T10:01:51.png
於是便找到了k的生成邏輯。
2025-05-29T10:02:38.png

跟進 y.a 函數,把整個函數複製到本地運行,缺什麽補什麽,最終跟到 y.b,繼續跟就會發現是 AES-128,即對稱加密算法。從下方腳本可以看出,AES 在這裏實際用於解密頁面下發的 s,解出的字符串再作爲異或密鑰參與 k 的計算。然後用 GPT 生成相同邏輯的加密代碼並運行。
2025-05-29T10:04:23.png
2025-05-29T10:04:55.png
最終結果對比:
2025-05-29T09:52:09.png

AES 的參數(密文 s、密鑰 k、IV l)在 login 頁面中就有。由於密鑰和 IV 都隨頁面下發到客戶端,k 參數只能算混淆,不能當作請求來源的憑證;服務端仍需依靠獨立的認證與頻率限制等措施。
2025-05-29T10:16:39.png

const crypto = require('crypto');

/**
 * AES-128-CBC decryption helper (counterpart of the `h` function in the
 * analysed bundle).
 *
 * CBC mode carries no integrity check: a tampered ciphertext is only rejected
 * when its padding happens to be invalid, so the output must not be treated
 * as authenticated.
 *
 * @param {string} e - Hex-encoded ciphertext.
 * @param {string} n - Key as a UTF-8 string (must encode to 16 bytes).
 * @param {string} o - Initialisation vector as a UTF-8 string.
 * @returns {string} Decrypted data decoded as UTF-8.
 */
function decrypt(e, n, o) {
    // Key and IV arrive as text; the cipher API needs raw bytes (`t.from` in the bundle).
    const keyBytes = Buffer.from(n, 'utf8');
    const ivBytes = Buffer.from(o, 'utf8');

    // Mirrors `r.createDecipheriv` in the bundle.
    const decipher = crypto.createDecipheriv('aes-128-cbc', keyBytes, ivBytes);

    // Hex in, UTF-8 out; final() flushes the last block and strips the padding.
    const head = decipher.update(e, 'hex', 'utf8');
    const tail = decipher.final('utf8');

    return "" + head + tail;
}

/**
 * AES-128-CBC encryption helper, the inverse of `decrypt`.
 *
 * With a fixed key and IV the output is deterministic: equal plaintexts always
 * produce equal ciphertexts.
 *
 * @param {string} plaintext - UTF-8 text to encrypt.
 * @param {string} key - Key as a UTF-8 string (must encode to 16 bytes).
 * @param {string} iv - Initialisation vector as a UTF-8 string.
 * @returns {string} Hex-encoded ciphertext.
 */
function encrypt(plaintext, key, iv) {
    // The cipher API wants raw bytes, so both text arguments are converted first.
    const cipher = crypto.createCipheriv(
        'aes-128-cbc',
        Buffer.from(key, 'utf8'),
        Buffer.from(iv, 'utf8'),
    );

    // UTF-8 in, hex out; final() emits the padded last block.
    return [cipher.update(plaintext, 'utf8', 'hex'), cipher.final('hex')].join('');
}


/**
 * Recomputes the `k` request parameter from the request body and the
 * page-supplied settings.
 *
 * Steps, in the order the original nested calls evaluate them:
 *   1. collect the enumerable property values of `e`, sort them with the
 *      default comparator and concatenate them;
 *   2. take the current Unix time in seconds, minus 655876800, minus `n.d`
 *      (the meaning of the constant is not shown on this page);
 *   3. join [values, time, n.sort, path] with the separator "(&&)";
 *   4. AES-decrypt `n.s` with key `n.k` and IV `n.l` to obtain the XOR key;
 *   5. XOR each code point of the joined string with the key, starting at
 *      offset `n.num` and wrapping around, then base64-encode the result.
 *
 * Every input of this derivation is available to the client, so the value is
 * an obfuscated request tag rather than a secret-backed signature.
 *
 * @param {Object} e - Request body whose values are folded into the tag.
 * @param {string} path - Request path included in the tag.
 * @param {{s: string, k: string, l: string, d: number, sort: string, num: number}} n
 *   Settings: ciphertext, key, IV, time adjustment, sort marker, key offset.
 * @param {string} r - HTTP method; accepted but not used by the computation.
 * @returns {string} Base64-encoded `k` value.
 */
function v(e, path, n, r) {
    const cipherHex = n.s;
    const aesKey = n.k;
    const aesIv = n.l;
    const timeAdjust = n.d;
    const sortMarker = n.sort;
    const keyOffset = n.num;

    // Step 1: for...in is kept so inherited enumerable properties are included
    // exactly as in the original.
    const bodyValues = [];
    for (const field in e) {
        bodyValues.push(e[field]);
    }
    bodyValues.sort();
    const joinedValues = bodyValues.join("");

    // Step 2: whole seconds since the epoch, shifted by the fixed constant and n.d.
    const stamp = parseInt(new Date().getTime() / 1e3) - 655876800 - timeAdjust;

    // Step 3: note the field order is values, time, sort marker, path.
    const content = [joinedValues, stamp, sortMarker, path].join("(&&)");

    // Step 4: the XOR key is whatever the page-supplied ciphertext decrypts to.
    const xorKey = decrypt(cipherHex, aesKey, aesIv);

    // Step 5: per-code-point XOR with a rotating key index.
    const keyChars = Array.from(xorKey);
    const keyLength = keyChars.length;
    const masked = Array.from(content).map((ch, i) =>
        String.fromCodePoint(
            ch.codePointAt(0) ^ keyChars[(i + keyOffset) % keyLength].codePointAt(0)
        )
    );

    return Buffer.from(masked.join("")).toString("base64");
}


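// Sample run of the derivation. Every binding is declared with `const`: the
// original bare assignments created implicit globals, which throw a
// ReferenceError under strict mode or when the file is loaded as an ES module.

// Request body. Both values appear to be placeholders left by the page's
// e-mail obfuscation, not real credentials.
const data = {
    "email": "[email protected]",
    "password": "[email protected]"
};

// Settings as captured from the login page: `s` is the hex ciphertext, `k` the
// AES key and `l` the IV that `v` passes to `decrypt`.
const n = {
    "proxy": "/common",
    "target": "",
    "sort": "dc",
    "num": 10,
    "s": "e67880246791be9405485e8283a17079",
    "k": "a3613c28c5c3988f",
    "l": "1ba8849d5584ce6d",
    "d": -2
};

// NOTE(review): `{data}` nests the body under a `data` key, so the logged
// object is { data: {...}, k } — confirm this matches the real request shape.
const t = {
    "url": "/common/v1/user/company/login",
    "method": "post",
    "data": {data}
};

// Path without the "/common" proxy prefix; this is the form mixed into k.
const path = '/v1/user/company/login';

const d = v(data, path, {
    s: n.s,
    k: n.k,
    l: n.l,
    d: n.d,
    sort: n.sort,
    num: n.num
}, "post");
t.data.k = d;

console.log(t.data);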