js逆向-百度登陆参数_百度登录逆向

声明

本文仅供学习参考，禁止用于其他途径，违者后果自负

前言

网站：aHR0cHM6Ly93d3cuYmFpZHUuY29tLw==
接口：aHR0cHM6Ly9wYXNzcG9ydC5iYWlkdS5jb20vdjIvYXBpLz9sb2dpbg==

逆向分析

抓包后会发现post请求会提交很多的参数，有很多参数都加密了。所以今天的逆向是个大工程。
老规矩还是以搜索为主，搜索passoword。

有12个文件，文件内容比较多。搜索比较费劲，搜索一下别的关键字试一下。
搜索rsakey

完美！就一个文件，点进去继续寻找。

典型RSA加密，打下断点，重新调试。

console中打印结果。

此时就已经完成了加密。

token值和gid（不清除数据）为固定值，网页源码中可以直接找到，这个没有什么说的，写死就可以。

gid的生成逻辑

guideRandom = function() {
            return "xxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, function(e) {
                var t = 16 * Math.random() | 0
                  , n = "x" === e ? t : 3 & t | 8;
                return n.toString(16)
            }).toUpperCase()
        }();
1
2
3
4
5
6
7

至于as、ds、tk其实在另一个请求中就可以得到，这里就不做分析了。

继续搜索sig、shaOne等关键词。最终在moonshad.js中找到，找到后打下断点，继续调试。

代码经过混淆，但是也不影响我们观察，可以看到_0x2933a3对象中有我们想要的内容，接下来一个一个拿下来就可以了。

首先看sig的生成，简单解一下混淆

_0x54af57['encryption'](_0x5831c9, _0x264412, _0x59e197)
1

参数如下：

_0x5831c9 = {
    "staticpage": "https://www.baidu.com/cache/user/html/v3Jump.html",
    "charset": "UTF-8",
    "token": "脱敏1a01b6bb1896c020c5",
    "tpl": "mn",
    "subpro": "",
    "apiver": "v3",
    "tt": 1660983405451,
    "codestring": "",
    "safeflg": "0",
    "u": "https://www.baidu.com/s?tn=68018901_2_oem_dg&ie=utf-8&wd=%E7%99%BE%E5%BA%A6",
    "isPhone": "",
    "detect": "1",
    "gid": "DF63DA6-D5DA-44D2-8047-B9EBF4E70064",
    "quick_user": "0",
    "logintype": "dialogLogin",
    "logLoginType": "pc_loginDialog",
    "idc": "",
    "loginmerge": "true",
    "mkey": "",
    "splogin": "rate",
    "username": "13888888888",
    "password": "脱敏yZDczo+RzjY0jtcXYdMw1UbO9lTkTvWgyh+6zHiCs9rlgcX1PRyqOw89D175fMAY4yzUdCWMhrhFnSuA0d+zWWDj5Xe9LB0vuAT3D93dzd9R8HUKf1oJC4EbTKgWLdRlFY9048yIqyZAz97Y/6U49nS7MIefvtE=",
    "mem_pass": "on",
    "rsakey": "ZEzbf6Ny3wfSMkTA4yXdQW8EFfjD4VRK",
    "crypttype": 12,
    "ppui_logintime": 595891,
    "countrycode": "",
    "fp_uid": "",
    "fp_info": "",
    "loginversion": "v4",
    "supportdv": "1",
    "bdint_sync_cookie": "",
    "ds": "y2UQ4N脱敏5IEbud7HnGMQLdiJzwTyFi+4jYtAfaT9gJWTeunP8snvlg4D1Kjp5aLPFDbFAMtkzvaaVENbGjs5okXPUUWu6r3cP7MoU6jI8as0PC7e6Az+TVO3gBhC0mPMY4n9z7rPTcLZTtefMZR3oaCoazJj/roMhlZxtBnmyQxZala4+TlY+7og9AoikMBgYpVV6//ntDLyfJX6n9k1jkF3ZkIhJKFeckdnBDQ89/BYTzEB7X1OJTnMvSdsJKkJbjsMbPqRLARhl8nTpZwzDP0eq/nKa/4s5iOsdtBI9xkHZpdoHhgbJn7BkdswhmYjLILPbzs+yToQ1S1uRqd3PLVkbIM0OcQtRQBGNdFwFUXuI9uvl8uE1+DehDkMz2Ysv7Q277RzPKt22SjNWbfaaZ3xkYp/YwEezhOJqvoFf3VCpFER/QSrj7462b/cN0ZPftniu+MAUfOATwlS5Snhmcg08jwf+j88mHkvXl+XnujRPE3OLhWp9Hf+uYHIfy4XC1vyFdO0ad47Gvfe9diQnD8phpZTTF3vywtY/s/RfXExTiN/73S7wV/K5WaAyHieEm61xDwJDuzXi6umIKzKPlwyMeUxoElOKvrgkfRdutPtulwPW1tpWInqAceDTPYeH3MJHxipJFLkxc6X+kle9L+yJnqi+rc82op8wa2prOCICqts6cSsIhFNhNf4KLQCFdQPLeG3UJXo/cLNrK/i1rE3/ajocbY3o1ACOI81/pmzuRgxE7CULFvGsPQRwhyQU0Dc5d/HHrg3GxHS4Cz+YB06etGa6yBl7wkp58Q+AEhm1GCkfbnopJRbk6Ruz8YbbdYGqXrbgJtgnPsdOp79m2T312r1aqnVlR2gjAfTPq/rhX5PUQ+CQfcOswRVn59hbWkES5/dkoaAHPoodVLCexCoXg/71Wu2cl3WAy1/ueGG2Y5wQQFg/uCt0ugtH9mZxgWWlyLtHD7WKAy7zqflFbneXmr5sbvNDvP5ju3umiGbOChfoljcXYwK/7rgsGZkvRRqMsUbloCDCv7CyZ4mnWLJl0Y8pg4WBMggVorOccePCWK9XvLokd5Gn1cqjp3Qq8mqrjjvqm70xIMZGbLOc04518Lwk5OCDfXMYZwtcaFs+v4Q3I+IC8k7YceAyIqQxVHGMyL+jgU6MvBRCPWIkiK5KWxtYSaLpZKbIQ08rHNwQ3SuW5tMWlifBRFgdgHz1+zrupIjIR87MViDWXjVQzhca557pclA6upUHjcrMln3MJHT5N1+5YlLJLdV1A7S/tUdruz4QFm3Q5HTaXtgfbK/AMhagljXr3LCRsx/AXRCdwq3fKgxlKiSAwr17ldSp+jbcX1ssqWOo1byrrgugoX1UNDv1/FsSQssS2kVNA1pUbxWaOunLXoNVkPbmC+Tw+biz78XnBmrFk6XXiT8IIcoqN2BQnTlvblyd2TfH4K3jHW7lEA52PQm4FG+YFg9aBJqyKL/7uIh27zjnlT+2Z7KzVyquaOaoIIBOn6PkVDHAyDyQZFNrLB+vOtUpqpGnom99DT9+A3pTNC6P53FVAnIiBPEvWAUbMYLxZd6PtX7O9fkz0p//RhnMYiSg/ewdUZ45uuhgMgVP+tKr3Pz/VS7uJK4wHpr4Gy1acZ/JjfZsz6bSrLvEkqDPDgKUw6CEV/rNmOjQm+NTFbLCNVx9m9ZCDNJJcKpIFLrG85bKaUJrvsaV6MNqCRSH38mjjFwxk59TxA2YkB53FLhnySOgb/5TSNljcYARXk=",
    "tk": "2819RfayEoNj80zsjv+SSCiCCDRCR7kxDOftg+DfYPcU7jK008xmrBEoaAfG+gt7G693Os/aEVMpDDlVFiw9mnjvkqyflet+kUkoH2IbyvjJ+2w=",
    "dv": "tk0.28786421530038231660982809765@rrp0Xy2GNKrmjBDB-5B3upFaYDBahMrGuMF~8gHF02vLaQnkserGpw2G3KrmjBDB-5B3upFaYDBahMrGuMF~8gHF02vLaQnksa2kOwrGqenkqK8ou27a0hG8YMBupDFgojFaYaNd8xGRuWHAzx2kDyMkozpmzznu7hG3OADBaMFahGBuwjr8YMOFpQN3-9PLBKrgqy25zjrkDKrmjBDB-5B3upFaYDBahMrGuMF~8gHF02vLaQnkrxpGHwdp0Ly2kDynkozrAz-pSrK8ou27a0hG8YMBupDFgojFaYQNU0ZNUzypgBKrSDKrGDarAjBDB-5B3upFaYDBahMrGuMF~8gHF02vLaQMk3jpmzjrgNKpgDgrAjBDB-5B3upFaYDBahMrGuMF~pavRaVO5z~rSCKrSv-nkoy2k3dn5HSPd7QnFpzILyWvRYeOtYW2GNxMkvapxzerg3KrG3dpGDKNtugNxaSPd-eHL-e2GNxMq__ynnIwn~Hv0qSh~pBrAzxnkozpq__FpUOtKznSsypgCdpksjpGrzrkryrSrjpSvz2GCx2kq-pgvahpNImjaPR7QHRQJHLD_-pvrmzznkoargvKrSNa2mzjpGrdnk3drmzjpGrdnkoargvK2Gox",
    "fuid": "FOCoIC3q5fKa8fgJnwzbE67EJ49BGJeplOzf+4l4EOvDuu2RXBRv6R3A1AZMa49I27C0gDDLrJyxcIIeAeEhD8JYsoLTpBiaCXhLqvzbzmvy3SeAW17tKgNq/Xx+RgOdb8TWCFe62MVrDTY6lMf2GrfqL8c87KLF2qFER3obJGl43uTZzSgDGcEe8IZtTqNSGEimjy3MrXEpSuItnI4KD4K+4yxfmojUV0RdBd4+Oukqsp4Z6BDtw7ctbZCaAm94P2D3AzmuQKtwVwPlZfqNnoOswVAInEL977Gkc4LGHFurc6cZOQiWpdWZFfM9cCLuTBuECl+tiP++NCHKpXEMdWH1SPBXDyoMbf9Ga3EX3JC70/lU+rOcT92RpNAO3HyuQbeCqJ91LNPfk1CUv8oZVlm2kjHPQwsGQ9uwCuW8RID0uiYirEQ4VKXMmTE7xcZoq7kqBCL+XRozeJ7jdMpMPSKGrlOAU2xKyPf12iIeqlp1pfuVcgAAXBP18U5zCRDX2z2pK9F7JDaBbznWo6XY3dMMGrweUracAvqOGvkcWCkbabfuAhICynUZ9dpyd84KIArwzZKNYlfcEkE/coI4l9E8V02o2uAuZkYGvr/xRKGfezxD2zg/ciUh9kJABfAzTeAd2C9z9UHlh+I3bt/mn2o3PFDIohCzg/DRTUtNxRgJ13AUairLDWhe5SwH+f9kx+4rjNadQYRXY62cs4wa6vu3FNhnx0vECH7/RD7jOBK8s5HD6sBtW/MElAB0oMo4jKy5x23aGU1DlI3auIZ7ZNPbWvBGdywMRZgsegAwbNhsBAiZVqRumDq+zV3cirOdalgjfdDmOpvo6TsQUOMAzrtNSRMEGREm8qOjoaqrQ87P+ZDbYZPDEQGdhuxHTXO3W36eKL+Mph5GSAWOEr53TgnFB5JmUP4Qdg4gpcDC59EN6c3W7FZhGROFu41/8n2Qc5K6v586kUCA/y0bCSVtuHvtTeMJSc4TZhVzENGImFXau2hzfPTsm7rfsbHN/CeiOFndq1Yucax/IRqr3e+zibsx/F/rW9D1fl57tzS9X5qiyIfl3Ben58jxT1MbXkLW7S8ovoKuc6MINaBY/Dvy/eFFJ0izWQNfgqQiCVUlDzl17+9HHzEp+Dq5hHfufQG9+AkTn4pt67ALIC8lEZQDZ53VW4iqCsR7wY7tkA+HnvZnR2AMO4uEIa13c3O+4rF4ji2jIgUyGLK2eNsG1KoWdZCJfNSGrHvwtel1Tyjo/Vw=",
    "alg": "v3",
    "time": 1660983436
}
_0x264412 = undefined;
_0x59e197 = 'moonshad1moonsh9'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

继续步入看一下加密函数的逻辑

function encryption(_0x3b8bda, _0x24f1ad, _0x5c5637) {
            var _0x422d82 = _0x199e5c(_0x3b8bda, _0x24f1ad);
            return _0x573aaf(_0x39342d(_0x422d82, _0x5c5637));
            }
1
2
3
4

剩下的就是扣代码了，细看逻辑就知道是一个md5和AES的混合加密。

shaOne的加密，其实已经告诉我们了就是SHA1，只要找到入参就可以还原出了。

拿下来就OK了。

最后逆向就完成了。