
js逆向步骤

  • js调试工具
  • PyExecJs
    • 实现使用python执行js代码
    • 安装环境
      • 安装node.js开发环境
      • pip install PyExecJs
  • js算法改写初探
    • 打断点
    • 代码调试时,如果发现了相关变量的缺失,一般先将其定义为空对象({})即可,再根据后续报错逐步补齐它被访问到的属性。
    • 代码调试时,如果浏览器内置对象缺失(如window、document、navigator),可以先把该对象补为当前全局对象,例如:window = this;。注意:在Node模块作用域中顶层的this并不是全局对象,若脚本直接用node运行而非通过PyExecJs包装,更稳妥的写法是 window = globalThis;(或 global)。

js反混淆

  • 相关概念
    • js混淆:对核心的js代码做变量名替换、字符串编码、控制流平坦化等变换,使其难以阅读。注意混淆不是加密:浏览器仍必须能直接执行它,因此它只能增加分析成本,不能真正隐藏算法或密钥。
    • js反混淆:把混淆后的代码还原成可读形式(格式化、还原字符串、去掉无用分支等),以便定位加密/签名逻辑。
  • 破解
    • 使用浏览器自带的工具【推荐】:打开开发者工具 ----> 点击右上角设置(小齿轮) ----> 找到 Sources 选项卡 ----> 勾选 "Search in anonymous and content scripts" ----> 刷新页面。再配合 Sources 面板左下角的 "{}" (Pretty print) 按钮可以格式化压缩后的代码,便于下断点。
    • 在线反混淆网站【迫不得已】:把混淆代码粘贴到第三方反混淆网站处理。注意这会把目标站点的代码(有时连同其中的密钥或接口信息)上传给第三方,存在泄露风险,且对自定义混淆器通常效果有限。

1. 微信公众号平台js算法逆向【MD5算法】

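import execjs

# 1. Pick the JS runtime PyExecJS finds on this machine (Node.js must be installed,
#    see the setup notes above).
node = execjs.get()

# 2. Compile the JS source. `with` closes the file handle; the original left it open.
# NOTE(review): the directory component here is "js源文件." (trailing dot) while the
# later sections use "js源文件/". Windows silently strips a trailing dot from a
# directory name, so this works there, but on Linux/macOS it names a different
# directory — confirm which one is intended.
with open('./js源文件./wechat.js', encoding='utf-8') as f:
    ctx = node.compile(f.read())

# 3. Call the JS function. `call` JSON-encodes each argument, so a quote or
#    backslash in the password cannot break out of the JS string literal the
#    way the old 'getPwd("{}")'.format(...) + eval() construction allowed.
pwd = ctx.call('getPwd', '123123123')
print(pwd)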

2. Steam游戏平台js算法逆向【RSA算法】

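import requests
import execjs
import time

# Fetch the per-login RSA modulus/exponent that the site's JS uses to encrypt
# the password before submitting it.
url = 'https://store.steampowered.com/login/getrsakey/'
data = {
    'donotcache': str(int(time.time() * 1000)),  # millisecond timestamp, cache buster
    'username': '123@qq.com',
}
headers = {
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36',
}
# timeout: without one a stalled connection hangs the script forever.
# raise_for_status: an HTML error page would otherwise surface as an opaque
# JSONDecodeError instead of the HTTP status that caused it.
response = requests.post(url=url, headers=headers, data=data, timeout=10)
response.raise_for_status()
response_json = response.json()
mod = response_json['publickey_mod']
exp = response_json['publickey_exp']

# 1. Pick the JS runtime PyExecJS finds on this machine.
node = execjs.get()

# 2. Compile the JS source (file handle closed by `with`).
# NOTE(review): "js源文件." with a trailing dot — see the same remark in section 1;
# only Windows treats it as "js源文件".
with open('./js源文件./steam.js', encoding='utf-8') as f:
    ctx = node.compile(f.read())

# 3. Call the JS function. `call` JSON-encodes its arguments, so the
#    server-supplied mod/exp are never spliced into JS source text — a
#    malformed or hostile response cannot inject code into our runtime.
#    The fields are expected to be hex strings, as the quoted arguments in
#    the original getPwd("...") template already implied.
pwd = ctx.call('getPwd', '123123123', mod, exp)
print(pwd)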

3. 凡科网js算法逆向【MD5算法】

  • 注意:如果需要逆向的js函数定义在一个闭包中(在外部作用域无法直接调用),那么把该闭包的整段代码拷贝出来,再在末尾把目标函数暴露出去(例如挂到全局变量上)即可调试。
  • url:https://i.fkw.com/
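import execjs

# 1. Pick the JS runtime PyExecJS finds on this machine.
node = execjs.get()

# 2. Compile the JS source; `with` closes the file handle the original leaked.
with open('./js源文件/fanke.js', encoding='utf-8') as f:
    ctx = node.compile(f.read())

# 3. Call md5() directly. `call` JSON-encodes the argument, so the input is
#    passed as data rather than being pasted into a JS expression for eval().
pwd = ctx.call('md5', '123123123')
print(pwd)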

4. 完美世界游戏js算法逆向【RSA算法】

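import requests
from lxml import etree
import execjs

# The login page embeds the RSA public key in a hidden <input id="e">; pull it
# out of the HTML.
url = 'https://passport.wanmei.com/sso/login?service=passport&isiframe=1&location=2f736166652f'
headers = {
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36',
}
# timeout so a hung connection cannot stall the script; raise_for_status so an
# error page is reported as such instead of failing later in the XPath lookup.
response = requests.post(url=url, headers=headers, timeout=10)
response.raise_for_status()
tree = etree.HTML(response.text)
values = tree.xpath('//input[@id="e"]/@value')
if not values:
    # Explicit message instead of a bare IndexError: the usual cause is a
    # changed page layout or a bot-detection page served in place of the form.
    raise RuntimeError('public key input #e not found in login page')
publicKey = values[0]

# 1. Pick the JS runtime PyExecJS finds on this machine.
node = execjs.get()

# 2. Compile the JS source (file handle closed by `with`).
with open('./js源文件/wanmei.js', encoding='utf-8') as f:
    ctx = node.compile(f.read())

# 3. Call the JS function. `call` JSON-encodes arguments, so the key string
#    scraped from the remote page cannot break out of a JS string literal
#    the way the old format()-into-eval() construction allowed.
pwd = ctx.call('getPwd', '123123123', publicKey)
print(pwd)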

5. 试客联盟js算法逆向【RSA算法】

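import requests
from lxml import etree
import execjs
import re

# The RSA modulus is served as a JS snippet (`var rsa_n = "...";`).
# NOTE(review): this endpoint is fetched over plain http://. Anyone on the path
# can substitute their own modulus, after which the "encrypted" password is
# recoverable by them. Check whether the host also serves it over https.
url = 'http://login.shikee.com/getkey?v=19b53e441bc51f28a9e6afead8e665ea'
headers = {
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36',
}
response = requests.get(url=url, headers=headers, timeout=10)
response.raise_for_status()
# Raw string for the regex; first match, same as the old findall()[0].
match = re.search(r'var rsa_n = "(.*?)";', response.text)
if match is None:
    raise RuntimeError('rsa_n not found in getkey response')
rsa_n = match.group(1)

# 1. Pick the JS runtime PyExecJS finds on this machine.
node = execjs.get()

# 2. Compile the JS source (file handle closed by `with`).
with open('./js源文件/shike.js', encoding='utf-8') as f:
    ctx = node.compile(f.read())

# 3. Call the JS function. `call` JSON-encodes arguments, so the modulus taken
#    from the network response is passed as data, never as JS source text.
pwd = ctx.call('getPwd', '123123123', rsa_n)
print(pwd)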

6. 空中网js算法逆向【RSA算法】

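import requests
import execjs
import re
import json

# The SSO endpoint answers with JSONP: KZLoginHandler.jsonpCallbackKongZ({...});
# the 'dc' field inside is the material the JS feeds into the RSA step.
# The `_=` query parameter is a cache buster copied from a captured request;
# it does not need to be current.
url = 'https://sso.kongzhong.com/ajaxLogin?j=j&jsonp=j&service=https://passport.kongzhong.com/&_=1626875097213'
headers = {
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36',
    'Referer': 'https://passport.kongzhong.com/',
}
response = requests.get(url=url, headers=headers, timeout=10)
response.raise_for_status()
# Raw string: the original non-raw "\(" relied on Python tolerating an invalid
# escape sequence (a SyntaxWarning on 3.12+). The dot is escaped as well so it
# matches the literal "." in the callback name.
match = re.search(r"KZLoginHandler\.jsonpCallbackKongZ\((.*?)\)", response.text)
if match is None:
    raise RuntimeError('JSONP callback not found in ajaxLogin response')
dc = json.loads(match.group(1))['dc']

# 1. Pick the JS runtime PyExecJS finds on this machine.
node = execjs.get()

# 2. Compile the JS source (file handle closed by `with`).
with open('./js源文件/kongzhong.js', encoding='utf-8') as f:
    ctx = node.compile(f.read())

# 3. Call the JS function. `call` JSON-encodes arguments; the server-controlled
#    `dc` value is therefore passed as data and cannot inject JS.
pwd = ctx.call('getPwd', '123123123', dc)
print(pwd)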

7. 长房网js算法逆向【DES算法】

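import execjs

# 1. Pick the JS runtime PyExecJS finds on this machine.
node = execjs.get()

# 2. Compile the JS source; `with` closes the file handle the original leaked.
with open('./js源文件/changfang.js', encoding='utf-8') as f:
    ctx = node.compile(f.read())

# 3. Call the JS function with the argument JSON-encoded by `call`, instead of
#    building 'getPwd("...")' by string formatting and eval()-ing it.
pwd = ctx.call('getPwd', '123123123')
print(pwd)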

8. 有道翻译js算法逆向【MD5算法】

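import time
import random
import execjs
import requests

# Untrusted input: this goes into the JS runtime and into the request body.
word = input("Please input a English word:")
r = str(int(time.time() * 1000))          # 'lts': millisecond timestamp
i = r + str(random.randint(0, 9))         # 'salt': timestamp plus one random digit, mirroring the site's JS

# 1. Pick the JS runtime PyExecJS finds on this machine.
node = execjs.get()

# 2. Compile the JS source (file handle closed by `with`).
with open('./js源文件/youdao.js', encoding='utf-8') as f:
    ctx = node.compile(f.read())

# 3. Compute the request signature. The original spliced `word` into
#    'getSign("{}","{}")' and eval()-ed it, so a word containing a double
#    quote (or a backslash) either crashed the call or let the typed text run
#    as JS inside our process. `call` JSON-encodes the arguments instead.
sign = ctx.call('getSign', word, i)

url = 'https://fanyi.youdao.com/translate_o?smartresult=dict&smartresult=rule'
headers = {
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36',
    'Referer': 'https://fanyi.youdao.com/',
    # NOTE(review): this Cookie is a personal browser session (JSESSIONID etc.)
    # pasted from DevTools. It will expire, and committing session cookies to a
    # shared file hands the session to anyone who reads it. Load it from the
    # environment or a local untracked file instead of hard-coding it.
    'Cookie': 'OUTFOX_SEARCH_USER_ID_NCOO=512615467.85577774; OUTFOX_SEARCH_USER_ID="-673357154@10.169.0.82"; _ga=GA1.2.446310143.1622377950; _ntes_nnid=4ef5ec83bdbbbe870ec8f8c735810336,1622941677257; JSESSIONID=aaa-vW4aILneN-aFSiiRx; ___rl__test__cookies=1626879075736',
}
data = {
    'i': word,
    'from': 'AUTO',
    'to': 'AUTO',
    'smartresult': 'dict',
    'client': 'fanyideskweb',
    'salt': i,
    'sign': sign,
    'lts': r,
    'bv': '24ecb70ba6203e4453baed50aa26b78e',   # captured constant; presumably tied to the browser UA string
    'doctype': 'json',
    'version': '2.1',
    'keyfrom': 'fanyi.web',
    # The "l" in REALTlME is a lowercase L as captured from the site's request;
    # do not "correct" it without re-checking against live traffic.
    'action': 'FY_BY_REALTlME',
}
response = requests.post(url=url, headers=headers, data=data, timeout=10)
response.raise_for_status()
print(response.json())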

9. CTE四六级js算法逆向【DES算法】

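import execjs

# 1. Pick the JS runtime PyExecJS finds on this machine.
node = execjs.get()

# 2. Compile the JS source; `with` closes the file handle the original leaked.
with open('./js源文件/CTE.js', encoding='utf-8') as f:
    ctx = node.compile(f.read())

# 3. Call the JS function. The original's last line had `print(pwd)` fused onto
#    the end of the eval() statement, which is a SyntaxError; the two statements
#    are separated here. `call` also replaces the format()-into-eval() pattern
#    with JSON-encoded arguments.
pwd = ctx.call('getPwd', '123123123')
print(pwd)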
