网址:登录- 一品威客网,创新型知识技能共享服务平台
抓到登陆包分析,发现请求头有参数加密,直接搜索
定位到加密位置,打上断点,很明显是对象f的a方法进行了加密。
往上找f,可以发现f被定义了,是个webpack,打上断点,刷新页面‘
进入e,找到加载器,复制自执行函数,导出加载器,补上环境,改成字典格式,删除初始化。找到443函数,复制函数。
初步写成代码
现在把里面的参数找齐,l是一个固定对象,是固定的打印一下就知道了
M是载荷
U在上方有定义
里面缺少A,上面定义了
又缺少h.e函数 ,进去复制
将h.e改写成d
现在代码情况,现在就是缺少模块了。去一个个复制即可。
其实也不用这样子扣webpack,因为我发现就如f.a函数中,里面的的方法无非是MD5和AES
所以调用库即可。
完整代码:
const CryptoJS = require("crypto-js");
function d(t) {return CryptoJS.MD5(t)
};
l = {key: CryptoJS.enc.Utf8.parse("fX@VyCQVvpdj8RCa"),iv: CryptoJS.enc.Utf8.parse(function(t) {for (var e = "", i = 0; i < t.length - 1; i += 2) {var n = parseInt(t[i] + "" + t[i + 1], 16);e += String.fromCharCode(n)}return e}("00000000000000000000000000000000"))}
var v = function(data) {return function(data) {return CryptoJS.AES.encrypt(data, l.key, {iv: l.iv,mode: CryptoJS.mode.CBC,padding: CryptoJS.pad.Pkcs7}).toString()}(data)
};
var g = {"i": false,"j": false,"h": true,"d": "prod","a": "https://s1.weikeimg.com/_nuxt/","e": "https://im2.epwitkey.com","b": "4ac490420ac63db4","c": "a75846eb4ac490420ac63db46d2a03bf","f": "af9f93d4530c6167","g": "c93ce713af9f93d4530c6167b78a3871"
};
A = parseInt((new Date).getTime() / 1e3);
var M={"username": "123456","password": "123456","code": "","hdn_refer": "https://zt.epwk.com/"
};
var U = {"App-Ver": "","Os-Ver": "","Device-Ver": "",Imei: "","Access-Token": "",Timestemp: A,NonceStr: "".concat(A).concat(Object(d)()),"App-Id": l.j ? l.f : l.b,"Device-Os": "web"
};
f = function(t) {var e = "";return Object.keys(t).sort().forEach((function(n) {e += n + ("object" === typeof (t[n]) ? JSON.stringify(t[n], (function(t, e) {return "number" == typeof e && (e = String(e)),e})).replace(/\//g, "\\/") : t[n])})),e};
h = function(t) {var data = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : {}, e = arguments.length > 2 && void 0 !== arguments[2] ? arguments[2] : "a75846eb4ac490420ac63db46d2a03bf", n = e + f(data) + f(t) + e;return n = d(n),n = v(n)};
console.log(h(U, M, g.c))
// 结果为RLD9f/i0LE0orrEqIey98ZOF7ezlL+yFkeycUVYF2kI=
