Analysis tips#

// ajax完整的流程
var xhr = new XMLHttpRequest();

xhr.open(method, url);
// xhr.open("get", url?xxx=xxxx&xxx=xxx); // get请求的请求体是空的

xhr.onreadystatechange = function(){  // response need to be decrypted, check it out
    if(xhr.readyState == 4){
        if(xhr.status == 200){
            xhr.responseText; // 响应的内容  
        }
    }
}

case 23:
	return h.show(),
    //...,
	r.next = 24,
    C();
//...
case 24:
	x = r.sent,
    //...
//...

(function () {
    var temp = "";
    Object.defineProperty(document, "cookie", {
        get: function () {
            debugger;
            return temp
        },
        set: function (v) {
            debugger;
            temp = v;
            return v
        }
    })
}())

debug tips#

window.onbeforeunload = function(){
    debugger;
}

Date.prototype.getTime = function() {
    return 1733498813000;
}
Math.random = function() {
    return 0.123456;
}

b64pic#

a picture return llike

session = requests.session()
session.headers = {...}

verify_img_url = "https://user.wangxiao.cn/apis//common/getImageCaptcha"
resp = session.post(verify_img_url, headers={
    "content-type":"application/json;charset=UTF-8"  # 特殊的头信息
})
img_bs = base64.b64decode(resp.json()['data'].split(',')[-1])
with open("tu.png", mode="wb") as f:
    f.write(img_bs)

verify code#

import ddddocr
# 识别验证码
dddd = ddddocr.DdddOcr(show_ad=False)
verify_code = dddd.classification(img_bs)

search tips#

• if you only want to search the word X-S, just type in x-s will contain a bunch of useless shit, \bX-S\b

1. initiator
2. /xxx/xxxx/xxx from end to front
3. params

瑞数特征#

• Application -> Cookie->clear all cookies->ctrl shift R

RSA#

e = 65537 is it’s feature, remember it, 010001,10001 also a hex version of e

node install node-jsencrypt

var JSEncrypt = require("node-jsencrypt");

var enc = new JSEncrypt();
enc.setPublicKey("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp9klAzVIHt2MLVdjdtSb2MAeioBPbJtUg6tWHybZtFwb/KK1J+AapWyiBAV2FWs7ruiK0HuXmXH5HijtLI4LqUOUNBMtVH/BoCJkj22+iQJg5+o3uqvRoEXceIUgqdXpcz+1dvJCQvDOMP8U1bhd9u4pzOroNZIic9ifzX1D6pGVPzhNPAHc+105AUkKOysGibQYzz148vO+Gxzx5XFtYUtNjDrvfojtEs4hb9aSTjCGkaiupJu4HhyXP9wQ0JUGvQQlvHYTHA+WOPwijOQSS0dPdxmHwSsMguvRRpXQya4OPXnvc+6ydgMZ1TC/DCGGWlaNQm7t0JfiwY6iuA1ipwIDAQAB");
var mi = enc.encrypt("星际拓荒，启动！");
console.log(mi);

# 加密流程(我们最有用的地方) 我们在客户端(js)
from Crypto.PublicKey import RSA  # 管理秘钥的
from Crypto.Cipher import PKCS1_v1_5  # 用来加密的
import base64

# 1. 加载秘钥(公钥)
pub_key = RSA.import_key(open("public.pem", mode='rb').read())
# 2. 创建加密器
rsa = PKCS1_v1_5.new(key=pub_key)
# 3. 加密
s = "我的xp不能让任何人知道".encode("utf-8")
bs = rsa.encrypt(s)
# print(bs)
print(base64.b64encode(bs).decode())
# rsa加密后的东西. 如果不是纯数学算法. 每次都是随机的.

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzyOrnwC/kJARZQRjPXQJ
kT8kDo79Y0e9DuLicRABy2x+l3JZMh5Hy98gRcQsYbGdTE1qYG1OvbaJkxbEys4b
yDJ0pEYNs3b/O3+chZsdLyypgFIp9DtqMWFfxDeXZ9xvNO6sZQ1S0jQ8APQvQeoI
Ux/WKDsbl+bwUCPzd90CiP7dyfgCBB+9lJ9Kpyg/a3jwQUsE/2ppwfCwvuVMiLXD
wZ4A7M+Jwf5kZil2bgxL+Hc0vlIS7zFVp2rcp/mUoS++vlbj8ZlkeDHrbbGZEwZg
WgZRJlGbWF13QitN8pD9yQgTc/BaeY25q6s/wmif2Lxo+vVbfQlBLaxw2Ojd5Itl
owIDAQAB
-----END PUBLIC KEY-----

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
import base64
# 解密的流程(我们几乎不用)
xp = 'wG1U+fawSbSg0RNWi59ox3CnLCjhyErZqpDw5/IZLHcA5jBq/ify0dUuK+clIypNVj0kpTNR/CaTni9zHjNmfmk99AW1AFvNU6jzBI1+Pj5E1QJtXkYc2NVL8whkTFXgeoZ3fTp+IvinfUvNUmfiXsIoEn2Ngp0C4sTqHSw7iiHRhmeEr7NdGvBrbkl4yyNTNtiQjWv+e5uKe0G0Pvq/3jKiCvFa/iI0wryXDDyDyUjl5Mou1/QtkfIPpTPFkLYRoYpNzwssoo9urp5LNiO5oL9nnc0e08P3zdtZsUn+bvnmJQIre8D7+/wL6IB3k+CHJkU0c4ge6szrfKToUAF2tw=='
# 1. 加载私钥
private_key = RSA.import_key(open("private.pem", mode="rb").read())
# 2. 创建加密器
rsa = PKCS1_v1_5.new(key=private_key)
# 3. 解密
result = rsa.decrypt(base64.b64decode(xp), None)
print(result.decode("utf-8"))

v5#

定时特征,可以hook它。无限Debug。本地替换，添加代码.

setInterval(function1, 100)

// hook setInterval
var setInterval_ = setInterval
setInterval = function () {
    debugger;
    // 不让它执行正常的了. 直接怼死
    return;
}

但是这样不太好，可能会影响整体逻辑，所以需要原本 setInterval 的后面还原它

setInterval = setInterval_

注意，在maplocal的时候，本地文件不要格式化，因为它可能导致代码报错！说明代码里有检测格式化的地方。

检测方法：toString + 正则。所以hook toString 找到检测代码格式化的地方。输出检测代码，调用栈找到检测位置

var func_toString = Function.prototype.toString;

Function.prototype.toString = function(){
    var s = func_toString.apply(this, arguments);
    console.log(s);
    debugger;
    return s;
}

所以它是在检测removeCookie这个函数的格式。把格式化之前的代码替换上去就行

v6#

又一个无限debugger,调用栈往下找一个

Function = function() {
    for(var i = 0; i < arguments.length; i++) {
        arguments[i] = arguments[i].replace("debugger", "");
    }
}
 // bypass such a shit

本地替换 格式化代码后问题同v5.

tips：输入this可以快速定位到函数

消失的 console.log

在前面把它留起来

var printf = console.log;

v7#

同上，打开F12后出现debugger

格式化代码，加上hook

退出，重新进那个链接，要提前打开F12

然后按照之前的方法替换函数。当你发现总是有眼熟的函数轮换出现，就直接注销调hook函数里的debugger，然后放开，发现页面还是加载不出来，在console里往回看，发现还是有个函数没改，把那个函数改了。

console.log 还是不能用，同上。

百度翻译#

• http://39.105.154.231:3000/play/66192

拼多多#

• https://mobile.pinduoduo.com/

http://39.105.154.231:3000/play/66191

say the 11th line has a breakpoint

case 0:
    return n = It({
        platform: "H5",
        page_sn: 10002,
        page_id: "index_list.html",
        engine_version: "3.0"
    }, t),
        e.next = 4,
        $e.a.getAntiContent();
case 4:
	(r = e.sent) && (n.anti_content = r);

copy $e.a.getAntiContent();

paste it in Console, add some keywords as below:

$e.a.getAntiContent().then(function(args){console.log(args)})

then push Enter key.

Promise shown below.

release the breakpoint.

u will find out some shit appear.

enter $e.a.getAntiContent();

b.getAntiContent = o()(l.a.mark((function e() {
    var t, n;
    return l.a.wrap((function(e) {
        for (; ; )
            switch (e.prev = e.next) {
                case 0:
                    if (t = null,
                        !(n = b.getInstance())) {
                        e.next = 11;
                        break
                    }
                    return e.prev = 3,
                        e.next = 6,
                        n.getRiskControlInfoAsync();
                case 6:
                    t = e.sent,
                        e.next = 11;
                    break;
                case 9:
                    e.prev = 9,
                        e.t0 = e.catch(3);
                case 11:
                    return e.abrupt("return", t);
                case 12:
                case "end":
                    return e.stop()
            }
    }
//...

line 23 is the real return, so see where is t comes from

reverse to line 14, find the correct place!

有道翻译 https://fanyi.youdao.com/index.html#/#

• decrypt the response text

the original code be like

B gets the return value of all these shit

B = (e,t)=>Object(a["d"])("https://dict.youdao.com/webtranslate", Object(n["a"])(Object(n["a"])({}, e), E(t)), {
                headers: {
                    "Content-Type": "application/x-www-form-urlencoded"
                }
            })

• just ignore Object

B = function (e,t) {
    a.d("https://dict.youdao.com/webtranslate", n.a(n.a({}, e), E(t)), {
        headers: {
            "Content-Type": "application/x-www-form-urlencoded"
        }
    })
}

• n.a(n.a({}, e) can be seen as merging two objects n.a({}, e) -> e => n.a(e, E(t))

• to figure out who the fuck calls B, check out Call Stack on the right panel

• codes that related to the response data

// native ajax
XMLHTTPRequest.onreadystatechange = function() {
    if xml.readyState == 4 {
        // deal with response text
    }
}

// advanced(?) ajax
$.ajax({
    success: function() {
        // response data
    }
})

// axios
axios.get(url, function(){
    // response data
})

• new Promise(function(resolve, rejec){})

in order to figure out how they deal with response shit, we need to find out who used the function l, which means send in original axios logic.

we know B gets the return value of these function, so find out code like B().then()

        function l(e, t, o) {
            return new Promise((n,i)=>{
                // axios.post
                a["a"].post(e, t, o).then(e=>{
                    n(e.data) // after response...
                }
                ).catch(e=>{
                    i(e)
                }
                )
            }
            )
        }

• if u wonder whether a value is all the same, copy it and search it. see if u can find out.
• pay attention to _ and -, replace them with / a nd +

Z21kD9ZK1ke6ugku2ccWuz4Ip5f4PLCoxWstZf_6UUyBoy8dpWc3NOXFRrnPMya74JgUpIL-6 IEqnM

易车 https://car.yiche.com/siyucivic/peizhi#

• md5 in node js

var crypto = require("crypto");
function my_md5(e) {
    return crypto.createHash("md5").update(e).digest("hex");
}

• JSON.stringify() in js is difference to json.dumps() in python. in js, it’s json result doesn’t contain any blank.

  this is a problem raised by json.dumps(). its result contains blanks.

  dic = {"cityId": "201", "serialId": "2406"}
  params = {
      "cid": "508",
      "param": json.dumps(dic) # incorrect
  }
  

  if its a get request, once the params is url-enceded, the blanks will be enceded too, which is difference to the no blanks one.

fix this problem: json.dumps(dic, separators=(',', ':'))

易久批 https://www.yijiupi.com/#/login#

it seems that its api has been disappeared

• if you search a word that is not easy to locate, search another word in the same payload, that would be helpful
• REMEMBER THIS KNOWLEDGE! abrupt

trigger a return thing, after r is already. some bowsers may not support await or async. its basically alternatives.

r = "us/user/loginByCode",
t.abrupt("return", a)({
	url: r,
	method: "post"
	// ...
}).then(function(t){
	return Promise.resolve(t.data) // success
}).then(function(t){
    return Promise.reject(t.data) // fail
})

• if you notice a function that always return some random shit, that would be generated by Math.random(), dig into it and pay attention to Math thing if it’s been obscured or junk code. copy it’s random return value can fit the demand.
• in junk code, there are loads of shit you need to analysis, but you don’t need to reverse every command sometimes. copy a code to console and execute it by passing simple variable like “123456” will help a lot. copy the result and search in https://1024tools.com/hash to see if you can find a specific algorithm, if you find, you will save a lot of time :)
• sha1 in node js

var crypto = require("crypto");
function my_md5(e) {
    return crypto.createHash("sha1").update(e).digest("hex");
}

• this snippet didn’t use if block but it has the same effect

//...
, s = La(u)
, l = 'POST' + t['url'] + s;
// if it equal to 'get', then excult code after &&
(t['method'] == 'get') && (l = ['GET' + t['url']]);

• you copy a function name and paste it in console to execute, the result is like init{words: Array(5, sigBytes: 20)}. just add toString() behind the function can make it print out great stuff.
• payload is json

remember to addContent-Type: application/json in headers

data = {
    # from R
}
requests.post(url, data=json.dumps(data, separators=(',',':')), headers=headers)

:triangular_flag_on_post:http://39.105.154.231:3000/play/68361#

一品威客 https://www.epwk.com/login.html#

• elements in this object show as a form of (...).cuz they are generated by get function. check out the get thing down below and find the generation process.

• AES in node js

v = function(data) {
    return function(data) {
        return o.a.AES.encrypt(data, l.key, {
            iv: l.iv,
            mode: o.a.mode.CBC,
            padding: o.a.pad.Pkcs7
        }).toString()
    }(data)
}

solve method:

npm install crypto-js

• ‘0’ isn’t equal to \x00

l = {
    key: o.a.enc.Utf8.parse("fX@VyCQVvpdj8RCa"),
    iv: o.a.enc.Utf8.parse(function(t) {
        for (var e = "", i = 0; i < t.length - 1; i += 2) {
            var n = parseInt(t[i] + "" + t[i + 1], 16);
            e += String.fromCharCode(n)
        }
        return e
    }("00000000000000000000000000000000"))
}

pay attention to this shit!!! ITS A FUCKING BIG PROBLEM

if u wanna see its real look:

观鸟#

https://www.birdreport.cn/home/search/report.html?search=eyJ0YXhvbmlkIjoiIiwic3RhcnRUaW1lIjoiIiwiZW5kVGltZSI6IiIsInByb3ZpbmNlIjoi6Z2S5rW355yBIiwiY2l0eSI6IiIsImRpc3RyaWN0IjoiIiwicG9pbnRuYW1lIjoiIiwidXNlcm5hbWUiOiIiLCJzZXJpYWxfaWQiOiIiLCJjdGltZSI6IiIsInRheG9ubmFtZSI6IiIsInN0YXRlIjoiIiwibW9kZSI6IjAiLCJvdXRzaWRlX3R5cGUiOjB9

• when u see an eval shit

cut the shit in eval, swap them with(), run in console, and get the result.

then u need to formalize them.

here are two methods:

1. copy and paste them in pycharm Code->Reformat File
2. in Developer tool, Sources->>>->Snippets->+ New snippet->just paste them and click {} button

• set breakpoints in eval

u c $.ajaxSetup right? go to Initiator, click in ajax

set a breakpoint on the beforeSend line. and u can get the snippet the same as before.

since $.ajaxSetup is an operation that every jquery request should execute, similar to an interceptor

• the module u import doesn’t contain a specific function.

1. copy what u need from js file
2. paste them in source code in the module, below xxx.prototype.xxx

• print what iv or key look like

f.prototype.decode = function(a) {
    var b = CryptoJS.enc.Utf8.parse(this.key);
    var c = CryptoJS.enc.Utf8.parse(this.iv);
    var d = CryptoJS.AES.decrypt(a, b, {
        iv: c,
        mode: CryptoJS.mode.CBC,
        padding: CryptoJS.pad.Pkcs7
    });
    return d.toString(CryptoJS.enc.Utf8)
}

七麦 https://www.qimai.cn/rank/#

• if you notice every requests contain a specific param, may be they used interceptor. go to Initiator, see Promise, it def is interceptors, just search it.
• if you can’t even find out interceptors by searching, it’s possible that they obscured the original code.

function c is axios source code.

fine im done with that too much to record.

just see the video. began from 03:00:00.

• node js doesn’t include window

window = this;
// if that didn't work:
window = global; // glob

:triangular_flag_on_post:http://39.105.154.231:3000/play/68360#

问财 https://www.iwencai.com/unifiedwap/result?w=20230517%E8%B7%8C%E5%81%9C#

• rpc start from 01:58:00

say u have a function rt.update(), u wanna call it in global.

window.idiot = rt.update();

usage:idiot()

chrome: execute js, chrome return result, send them to web through ws

python websocket server: communicate with js; communicate with user

web: communicate with spider; send command to ws; ws return command to chrome;

:clipboard: remember to release the breakpoint after window.idiot = rt.update();

:triangular_flag_on_post:http://39.105.154.231:3000/play/68362#

拼多多 https://www.pinduoduo.com/home/girlclothes#

• it’s annoying to meet async in so many requests. it’s enough to drive u crazy

but u can try to find a single request like this. it only contain a single api, here async turn into a single thread

• a very important logic. it return l.a ‘s value and then t.t1 receive it. like t.t1 = l.a()

l.a() is the place.

window.shit = l.a

shit().then(function(ret){console.log("--", ret)})

release the breakpoint and u can get the result :)

• if you notice a function contains exports . that means whenever u wanna use this function, u should new it first.

瑞数4代#

http://www.fangdi.com.cn/old_house/old_house_list.html?district=27d3af3bd45acf5e&area=&location=&listingNo=&region=&blockName=&verifyNo=&time=&houseType=&check_input=esnz&RecordCount=14539&PageCount=1454&SortType=&SortField=

• cant find out some shit, use breakpoint

• document.cookie != cookie u c in application

HttpOnly is the mother fuck, right click it Edit HttpOnly untag it will be ok

9期

:triangular_flag_on_post: https://appl2m4pcpu3553.pc.xiaoe-tech.com/live_pc/l_6497ff33e4b0b2d1c4287d0d:#

建设库#

started from 3:18:30

invalid :(

• how to confirm they used this kind of method: the following is a normal situation

however, a sus situation be like:

it proof that XMLHttpRequest.prototype.open has been changed.

• urlencode, make shit in url contains % whatever…

encodeURIComponent("ur shit")

:shaved_ice: http://39.105.154.231:3000/play/57712#

• u wanna see wtf is \uxx . do remember to contain "" when u choice and slide upon them.

• see concat as push. they have the same function
• from this snippet, we can know $_CEFCV = $_Ci = $_CEFDY = $_CEFEQ

var $_CEFCV = tLnKP.$_Ci
, $_CEFBQ = ['$_CEFFN'].concat($_CEFCV) // ['$_CEFFN', $_CEFCV]
, $_CEFDY = $_CEFBQ[1]; // $_CEFCV
$_CEFBQ.shift(); // throw away '$_CEFFN'
var $_CEFEQ = $_CEFBQ[0]; // $_CEFCV

• don’t just dig into this shit. try to guess what’s that, and what they do. stringify is kind of like json will do. compare it’s original value with after its fucked by the function.

the original value:

after the function worked:

we can c it seemed to be jsonfy

try fe[$_CEFDY(431)](t[$_CEFCV(370)]) === JSON.stringify(t[$_CEFCV(370)]) and we got true !

• we now library node-jsencrypt. it receive base64 string, but now we only have shit like 00C1E3934D1614465B33053E7F48EE4EC87B14B95EF88947713D25EECBFF7E74C7977D02D...

var xxx = new JSEncrypt()
xxx.setPublicKey("base64 thing ...");
xxx.encrypt();

function $_CCHk(e) {
    var t = new G()["encrypt"](this["$_CCIm"](e));
    while (!t || 256 !== t['length'])
        t = new G()["encrypt"](this['$_CCIm'](!0));
    return t;
}


function G() { // RSA
    var idiot = '00C1E3934D1614465B33053E7F48EE4EC87B14B95EF88947713D25EECBFF7E74C7977D02DC1D9451F79DD5D1C10C29ACB6A9B4D6FB7D0A0279B6719E1772565F09AF627715919221AEF91899CAE08C0D686D748B20A3603BE2318CA6BC2B59706592A9219D0BF05C9F65023A21D2330807252AE0066D59CEEFA5F2748EA80BAB81';
    this['n'] = null,
    this['e'] = 0,
    this['d'] = null,
    this['p'] = null,
    this['q'] = null,
    this['dmp1'] = null,
    this['dmq1'] = null,
    this['coeff'] = null;
    this['setPublic'](idiot, '10001');
}

how to deal with that ? check out its source code!

• if a node modules contains more than one export, when it’s used, use {} to contain what u want. var {RSAKey} = require("node-jsencrypt")

module.exports = {
    "JSEncrypt": JSEncryptExports.JSEncrypt,
    'RSAKey' : JSEncryptExports.RSAKey,
};

• function $_CCHk(e) {
      var rsa = new RSAKey();
      rsa.setPublic('00C1E3934D1614465B33053E7F48EE4EC87B14B95EF88947713D25EECBFF7E74C7977D02DC1D9451F79DD5D1C10C29ACB6A9B4D6FB7D0A0279B6719E1772565F09AF627715919221AEF91899CAE08C0D686D748B20A3603BE2318CA6BC2B59706592A9219D0BF05C9F65023A21D2330807252AE0066D59CEEFA5F2748EA80BAB81');
      var t = rsa["encrypt"](this["$_CCIm"](e));
      while (!t || 256 !== t['length'])
          t = rsa["encrypt"](this['$_CCIm'](!0));
      return t;
  }
  

• 

solution: just add this snippet. change this into a global shit. this["$_EHw"] -> shit["_EHw"]

var shit = {
    $_EHw: {

    }
}

• rsa in python(another method, not recommand)

  import rsa
  rsakey = rsa.key.PublicKey(two nums)
  rsa.encrypt("xxx", rsakey)
  

• toString didn’t work

• u don’t have to cut all codes, guess what they will be will save u a lot of time.

function encrypt1(e, t, n) { // guess: aes CryptoJS
    t = u["parse"](t); // CryptoJS.enc.utf8.parse(t)
    iv = u["parse"]('0000000000000000'); // CryptoJS.enc.utf8.parse('0000000000000000')

    // n && n["iv"] || ((n = n || {})["iv"] = u["parse"]('0000000000000000'));
    var r = m['encrypt'](c, e, t, n), o = r['ciphertext']['words'];  // CryptoJS.AES.encrypt
    var i = r['ciphertext']['sigBytes'];
    var s = [], a = 0;
    for (; a < i; a++) {
        var _ = o[a >>> 2] >>> 24 - a % 4 * 8 & 255;
        s['push'](_);
    }
    return s;
}

to verify ur guess:

var CryptoJS = require("crypto-js")

var key = "bd565e12f66150c7";
var iv  = "0000000000000000";
key = CryptoJS.enc.Utf8.parse(key);
iv = CryptoJS.enc.Utf8.parse(iv);

var data = ''
var r = CryptoJS.AES.encrypt(data, key, {
    iv: iv,
    mode: CryptoJS.mode.CBC
});
console.log(r.ciphertext)  // 密文

• you literally set breakpoints but they didn’t stop at what you imagined. wth was happening?

cuz :chicken::eye: used a dynamic method to load javascript scripts. like document.head.appendChild(<script src="http:www.baidu.com"></script>). it automatically send a request to the src address.

• when u feel a shit is hard to search. remember if it gets a value from a shit, u just need to search this shit.

  here must be a snippet like this["xx(1160)"] = "xxx" first it need to receive a value and then it’s value can be grabbed by someone. so search 1160 to find what u want.

• if you see new xxx(e).abc(f). the functionabc() may be in xxx’s prototype. in ur code, u can write as below:

// first set a function for xxx
function xxx(e) {
    // type xxx in console
}

xxx.prototype = {
    "abc": function(e) {
        // type xxx(e).abc( in console
        return x;
    }
}

• image is messy. they may use canvas to draw it in a correct sequence. tickCanvas in event listener, refresh the picture.

• getImageData in js is different with crop in python.

getImageData(left, upper, width, height)

crop(left, upper, right, lower)

there’s relationship is: right= left + width lower= upper + height

• if a value in Elements panel can be seen when they are changing, set a break point to locate the snippet

• pycharm don’t have code tips when using library cv2. check out video http://39.105.154.231:3000/play/58935 03:11:20
• 03:33:30 once the program come to a certain snippet, log out the content: right click that line, choose Add logpoint...