1. url:
2. target:登录js
3. 简单分析:
寻找加密js:
3.1 直接寻找加密的参数p是不好找的,所以我们试着去寻找一些更明显的参数
3.2 然后我们直接去找“pp”参数,找到这里,打上断点去调试,一步步执行下去看看:
3.3 经过上面的步骤,我们不难发现,加密js就在下面不远处。。
3.4 这下就很清晰了,具体细节大家可自行调试,把加密的js 抠出来,运行即可。
js:
navigator = {};
var dbits;
var canary = 0xdeadbeefcafe;
var j_lm = ((canary & 0xffffff) == 0xefcafe);
function biginteger(d, e, f) {
if (d != null) if ("number" == typeof d) this.fromnumber(d, e, f);
else if (e == null && "string" != typeof d) this.fromstring(d, 256);
else this.fromstring(d, e);
}
function nbi() {
return new biginteger(null);
}
function am1(b, h, g, d, a, e) {
while (--e >= 0) {
var f = h * this[b++] + g[d] + a;
a = math.floor(f / 0x4000000);
g[d++] = f & 0x3ffffff;
}
return a;
}
function am2(d, p, o, e, a, k) {
var r = p & 0x7fff,
q = p >> 15;
while (--k >= 0) {
var f = this[d] & 0x7fff;
var b = this[d++] >> 15;
var g = q * f + b * r;
f = r * f + ((g & 0x7fff) << 15) + o[e] + (a & 0x3fffffff);
a = (f >>> 30) + (g >>> 15) + q * b + (a >>> 30);
o[e++] = f & 0x3fffffff;
}
return a;
}
function am3(d, p, o, e, a, k) {
var r = p & 0x3fff,
q = p >> 14;
while (--k >= 0) {
var f = this[d] & 0x3fff;
var b = this[d++] >> 14;
var g = q * f + b * r;
f = r * f + ((g & 0x3fff) << 14) + o[e] + a;
a = (f >> 28) + (g >> 14) + q * b;
o[e++] = f & 0xfffffff;
}
return a;
}
if (j_lm && (navigator.appname == "microsoft internet explorer")) {
biginteger.prototype.am = am2;
dbits = 30;
} else if (j_lm && (navigator.appname != "netscape")) {
biginteger.prototype.am = am1;
dbits = 26;
} else {
biginteger.prototype.am = am3;
dbits = 28;
}
biginteger.prototype.db = dbits;
biginteger.prototype.dm = ((1 << dbits) - 1);
biginteger.prototype.dv = (1 << dbits);
var bi_fp = 52;
biginteger.prototype.fv = math.pow(2, bi_fp);
biginteger.prototype.f1 = bi_fp - dbits;
biginteger.prototype.f2 = 2 * dbits - bi_fp;
var bi_rm = "0123456789abcdefghijklmnopqrstuvwxyz";
var bi_rc = new array();
var rr, vv;
rr = "0".charcodeat(0);
for (vv = 0; vv <= 9; ++vv) bi_rc[rr++] = vv;
rr = "a".charcodeat(0);
for (vv = 10; vv < 36; ++vv) bi_rc[rr++] = vv;
rr = "a".charcodeat(0);
for (vv = 10; vv < 36; ++vv) bi_rc[rr++] = vv;
function int2char(a) {
return bi_rm.charat(a);
}
function intat(d, b) {
var a = bi_rc[d.charcodeat(b)];
return (a == null) ? -1 : a;
}
function bnpcopyto(b) {
for (var a = this.t - 1; a >= 0; --a) b[a] = this[a];
b.t = this.t;
b.s = this.s;
}
function bnpfromint(a) {
this.t = 1;
this.s = (a < 0) ? -1 : 0;
if (a > 0) this[0] = a;
else if (a < -1) this[0] = a + dv;
else this.t = 0;
}
function nbv(a) {
var b = nbi();
b.fromint(a);
return b;
}
function bnpfromstring(f, a) {
var d;
if (a == 16) d = 4;
else if (a == 8) d = 3;
else if (a == 256) d = 8;
else if (a == 2) d = 1;
else if (a == 32) d = 5;
else if (a == 4) d = 2;
else {
this.fromradix(f, a);
return;
}
this.t = 0;
this.s = 0;
var c = f.length,
e = false,
g = 0;
while (--c >= 0) {
var h = (d == 8) ? f[c] & 0xff: intat(f, c);
if (h < 0) {
if (f.charat(c) == "-") e = true;
continue;
}
e = false;
if (g == 0) this[this.t++] = h;
else if (g + d > this.db) {
this[this.t - 1] |= (h & ((1 << (this.db - g)) - 1)) << g;
this[this.t++] = (h >> (this.db - g));
} else this[this.t - 1] |= h << g;
g += d;
if (g >= this.db) g -= this.db;
}
if (d == 8 && (f[0] & 0x80) != 0) {
this.s = -1;
if (g > 0) this[this.t - 1] |= ((1 << (this.db - g)) - 1) << g;
}
this.clamp();
if (e) biginteger.zero.subto(this, this);
}
function bnpclamp() {
var a = this.s & this.dm;
while (this.t > 0 && this[this.t - 1] == a)--this.t;
}
function bntostring(a) {
if (this.s < 0) return "-" + this.negate().tostring(a);
var f;
if (a == 16) f = 4;
else if (a == 8) f = 3;
else if (a == 2) f = 1;
else if (a == 32) f = 5;
else if (a == 4) f = 2;
else return this.toradix(a);
var g = (1 << f) - 1,
c,
h = false,
l = "",
e = this.t;
var j = this.db - (e * this.db) % f;
if (e-->0) {
if (j < this.db && (c = this[e] >> j) > 0) {
h = true;
l = int2char(c);
}
while (e >= 0) {
if (j < f) {
c = (this[e] & ((1 << j) - 1)) << (f - j);
c |= this[--e] >> (j += this.db - f);
} else {
c = (this[e] >> (j -= f)) & g;
if (j <= 0) {
j += this.db; --e;
}
}
if (c > 0) h = true;
if (h) l += int2char(c);
}
}
return h ? l: "0";
}
function bnnegate() {
var a = nbi();
biginteger.zero.subto(this, a);
return a;
}
function bnabs() {
return (this.s < 0) ? this.negate() : this;
}
function bncompareto(b) {
var d = this.s - b.s;
if (d != 0) return d;
var c = this.t;
d = c - b.t;
if (d != 0) return d;
while (--c >= 0) if ((d = this[c] - b[c]) != 0) return d;
return 0;
}
function nbits(c) {
var a = 1,
b;
if ((b = c >>> 16) != 0) {
c = b;
a += 16;
}
if ((b = c >> 8) != 0) {
c = b;
a += 8;
}
if ((b = c >> 4) != 0) {
c = b;
a += 4;
}
if ((b = c >> 2) != 0) {
c = b;
a += 2;
}
if ((b = c >> 1) != 0) {
c = b;
a += 1;
}
return a;
}
function bnbitlength() {
if (this.t <= 0) return 0;
return this.db * (this.t - 1) + nbits(this[this.t - 1] ^ (this.s & this.dm));
}
function bnpdlshiftto(b, c) {
var a;
for (a = this.t - 1; a >= 0; --a) c[a + b] = this[a];
for (a = b - 1; a >= 0; --a) c[a] = 0;
c.t = this.t + b;
c.s = this.s;
}
function bnpdrshiftto(b, c) {
for (var a = b; a < this.t; ++a) c[a - b] = this[a];
c.t = math.max(this.t - b, 0);
c.s = this.s;
}
function bnplshiftto(h, j) {
var b = h % this.db;
var e = this.db - b;
var a = (1 << e) - 1;
var f = math.floor(h / this.db),
d = (this.s << b) & this.dm,
g;
for (g = this.t - 1; g >= 0; --g) {
j[g + f + 1] = (this[g] >> e) | d;
d = (this[g] & a) << b;
}
for (g = f - 1; g >= 0; --g) j[g] = 0;
j[f] = d;
j.t = this.t + f + 1;
j.s = this.s;
j.clamp();
}
function bnprshiftto(f, g) {
g.s = this.s;
var d = math.floor(f / this.db);
if (d >= this.t) {
g.t = 0;
return;
}
var b = f % this.db;
var c = this.db - b;
var a = (1 << b) - 1;
g[0] = this[d] >> b;
for (var e = d + 1; e < this.t; ++e) {
g[e - d - 1] |= (this[e] & a) << c;
g[e - d] = this[e] >> b;
}
if (b > 0) g[this.t - d - 1] |= (this.s & a) << c;
g.t = this.t - d;
g.clamp();
}
function bnpsubto(b, g) {
var e = 0,
d = 0,
f = math.min(b.t, this.t);
while (e < f) {
d += this[e] - b[e];
g[e++] = d & this.dm;
d >>= this.db;
}
if (b.t < this.t) {
d -= b.s;
while (e < this.t) {
d += this[e];
g[e++] = d & this.dm;
d >>= this.db;
}
d += this.s;
} else {
d += this.s;
while (e < b.t) {
d -= b[e];
g[e++] = d & this.dm;
d >>= this.db;
}
d -= b.s;
}
g.s = (d < 0) ? -1 : 0;
if (d < -1) g[e++] = this.dv + d;
else if (d > 0) g[e++] = d;
g.t = e;
g.clamp();
}
function bnpmultiplyto(b, d) {
var e = this.abs(),
f = b.abs();
var c = e.t;
d.t = c + f.t;
while (--c >= 0) d[c] = 0;
for (c = 0; c < f.t; ++c) d[c + e.t] = e.am(0, f[c], d, c, 0, e.t);
d.s = 0;
d.clamp();
if (this.s != b.s) biginteger.zero.subto(d, d);
}
function bnpsquareto(d) {
var e = this.abs();
var b = d.t = 2 * e.t;
while (--b >= 0) d[b] = 0;
for (b = 0; b < e.t - 1; ++b) {
var a = e.am(b, e[b], d, 2 * b, 0, 1);
if ((d[b + e.t] += e.am(b + 1, 2 * e[b], d, 2 * b + 1, a, e.t - b - 1)) >= e.dv) {
d[b + e.t] -= e.dv;
d[b + e.t + 1] = 1;
}
}
if (d.t > 0) d[d.t - 1] += e.am(b, e[b], d, 2 * b, 0, 1);
d.s = 0;
d.clamp();
}
function bnpdivremto(g, o, s) {
var l = g.abs();
if (l.t <= 0) return;
var n = this.abs();
if (n.t < l.t) {
if (o != null) o.fromint(0);
if (s != null) this.copyto(s);
return;
}
if (s == null) s = nbi();
var x = nbi(),
w = this.s,
h = g.s;
var k = this.db - nbits(l[l.t - 1]);
if (k > 0) {
l.lshiftto(k, x);
n.lshiftto(k, s);
} else {
l.copyto(x);
n.copyto(s);
}
var b = x.t;
var a = x[b - 1];
if (a == 0) return;
var c = a * (1 << this.f1) + ((b > 1) ? x[b - 2] >> this.f2: 0);
var a = this.fv / c,
b = (1 << this.f1) / c,
c = 1 << this.f2;
var d = s.t,
f = d - b,
u = (o == null) ? nbi() : o;
x.dlshiftto(f, u);
if (s.compareto(u) >= 0) {
s[s.t++] = 1;
s.subto(u, s);
}
biginteger.one.dlshiftto(b, u);
u.subto(x, x);
while (x.t < b) x[x.t++] = 0;
while (--f >= 0) {
var p = (s[--d] == a) ? this.dm: math.floor(s[d] * a + (s[d - 1] + c) * b);
if ((s[d] += x.am(0, p, s, f, 0, b)) < p) {
x.dlshiftto(f, u);
s.subto(u, s);
while (s[d] < --p) s.subto(u, s);
}
}
if (o != null) {
s.drshiftto(b, o);
if (w != h) biginteger.zero.subto(o, o);
}
s.t = b;
s.clamp();
if (k > 0) s.rshiftto(k, s);
if (w < 0) biginteger.zero.subto(s, s);
}
function bnmod(b) {
var c = nbi();
this.abs().divremto(b, null, c);
if (this.s < 0 && c.compareto(biginteger.zero) > 0) b.subto(c, c);
return c;
}
function classic(a) {
this.m = a;
}
function cconvert(a) {
if (a.s < 0 || a.compareto(this.m) >= 0) return a.mod(this.m);
else return a;
}
function crevert(a) {
return a;
}
function creduce(a) {
a.divremto(this.m, null, a);
}
function cmulto(b, c, a) {
b.multiplyto(c, a);
this.reduce(a);
}
function csqrto(b, a) {
b.squareto(a);
this.reduce(a);
}
classic.prototype.convert = cconvert;
classic.prototype.revert = crevert;
classic.prototype.reduce = creduce;
classic.prototype.multo = cmulto;
classic.prototype.sqrto = csqrto;
function bnpinvdigit() {
if (this.t < 1) return 0;
var a = this[0];
if ((a & 1) == 0) return 0;
var b = a & 3;
b = (b * (2 - (a & 0xf) * b)) & 0xf;
b = (b * (2 - (a & 0xff) * b)) & 0xff;
b = (b * (2 - (((a & 0xffff) * b) & 0xffff))) & 0xffff;
b = (b * (2 - a * b % this.dv)) % this.dv;
return (b > 0) ? this.dv - b: -b;
}
function montgomery(a) {
this.m = a;
this.mp = a.invdigit();
this.mpl = this.mp & 0x7fff;
this.mph = this.mp >> 15;
this.um = (1 << (a.db - 15)) - 1;
this.mt2 = 2 * a.t;
}
function montconvert(b) {
var a = nbi();
b.abs().dlshiftto(this.m.t, a);
a.divremto(this.m, null, a);
if (b.s < 0 && a.compareto(biginteger.zero) > 0) this.m.subto(a, a);
return a;
}
function montrevert(b) {
var a = nbi();
b.copyto(a);
this.reduce(a);
return a;
}
function montreduce(d) {
while (d.t <= this.mt2) d[d.t++] = 0;
for (var a = 0; a < this.m.t; ++a) {
var b = d[a] & 0x7fff;
var c = (b * this.mpl + (((b * this.mph + (d[a] >> 15) * this.mpl) & this.um) << 15)) & d.dm;
b = a + this.m.t;
d[b] += this.m.am(0, c, d, a, 0, this.m.t);
while (d[b] >= d.dv) {
d[b] -= d.dv;
d[++b]++;
}
}
d.clamp();
d.drshiftto(this.m.t, d);
if (d.compareto(this.m) >= 0) d.subto(this.m, d);
}
function montsqrto(b, a) {
b.squareto(a);
this.reduce(a);
}
function montmulto(b, c, a) {
b.multiplyto(c, a);
this.reduce(a);
}
montgomery.prototype.convert = montconvert;
montgomery.prototype.revert = montrevert;
montgomery.prototype.reduce = montreduce;
montgomery.prototype.multo = montmulto;
montgomery.prototype.sqrto = montsqrto;
function bnpiseven() {
return ((this.t > 0) ? (this[0] & 1) : this.s) == 0;
}
function bnpexp(a, j) {
if (a > 0xffffffff || a < 1) return biginteger.one;
var d = nbi(),
f = nbi(),
b = j.convert(this),
c = nbits(a) - 1;
b.copyto(d);
while (--c >= 0) {
j.sqrto(d, f);
if ((a & (1 << c)) > 0) j.multo(f, b, d);
else {
var h = d;
d = f;
f = h;
}
}
return j.revert(d);
}
function bnmodpowint(a, b) {
var c;
if (a < 256 || b.iseven()) c = new classic(b);
else c = new montgomery(b);
return this.exp(a, c);
}
biginteger.prototype.copyto = bnpcopyto;
biginteger.prototype.fromint = bnpfromint;
biginteger.prototype.fromstring = bnpfromstring;
biginteger.prototype.clamp = bnpclamp;
biginteger.prototype.dlshiftto = bnpdlshiftto;
biginteger.prototype.drshiftto = bnpdrshiftto;
biginteger.prototype.lshiftto = bnplshiftto;
biginteger.prototype.rshiftto = bnprshiftto;
biginteger.prototype.subto = bnpsubto;
biginteger.prototype.multiplyto = bnpmultiplyto;
biginteger.prototype.squareto = bnpsquareto;
biginteger.prototype.divremto = bnpdivremto;
biginteger.prototype.invdigit = bnpinvdigit;
biginteger.prototype.iseven = bnpiseven;
biginteger.prototype.exp = bnpexp;
biginteger.prototype.tostring = bntostring;
biginteger.prototype.negate = bnnegate;
biginteger.prototype.abs = bnabs;
biginteger.prototype.compareto = bncompareto;
biginteger.prototype.bitlength = bnbitlength;
biginteger.prototype.mod = bnmod;
biginteger.prototype.modpowint = bnmodpowint;
biginteger.zero = nbv(0);
biginteger.one = nbv(1);
function arcfour() {
this.i = 0;
this.j = 0;
this.s = new array();
}
function arc4init(c) {
var a, b, d;
for (a = 0; a < 256; ++a) this.s[a] = a;
b = 0;
for (a = 0; a < 256; ++a) {
b = (b + this.s[a] + c[a % c.length]) & 255;
d = this.s[a];
this.s[a] = this.s[b];
this.s[b] = d;
}
this.i = 0;
this.j = 0;
}
function arc4next() {
var a;
this.i = (this.i + 1) & 255;
this.j = (this.j + this.s[this.i]) & 255;
a = this.s[this.i];
this.s[this.i] = this.s[this.j];
this.s[this.j] = a;
return this.s[(a + this.s[this.i]) & 255];
}
arcfour.prototype.init = arc4init;
arcfour.prototype.next = arc4next;
function prng_newstate() {
return new arcfour();
}
var rng_psize = 256;
var rng_state;
var rng_pool;
var rng_pptr;
function rng_seed_int(a) {
rng_pool[rng_pptr++] ^= a & 255;
rng_pool[rng_pptr++] ^= (a >> 8) & 255;
rng_pool[rng_pptr++] ^= (a >> 16) & 255;
rng_pool[rng_pptr++] ^= (a >> 24) & 255;
if (rng_pptr >= rng_psize) rng_pptr -= rng_psize;
}
function rng_seed_time() {
rng_seed_int(new date().gettime());
}
if (rng_pool == null) {
rng_pool = new array();
rng_pptr = 0;
var t;
if (navigator.appname == "netscape" && navigator.appversion < "5" && window.crypto) {
var z = window.crypto.random(32);
for (t = 0; t < z.length; ++t) rng_pool[rng_pptr++] = z.charcodeat(t) & 255;
}
while (rng_pptr < rng_psize) {
t = math.floor(65536 * math.random());
rng_pool[rng_pptr++] = t >>> 8;
rng_pool[rng_pptr++] = t & 255;
}
rng_pptr = 0;
rng_seed_time();
}
function rng_get_byte() {
if (rng_state == null) {
rng_seed_time();
rng_state = prng_newstate();
rng_state.init(rng_pool);
for (rng_pptr = 0; rng_pptr < rng_pool.length; ++rng_pptr) rng_pool[rng_pptr] = 0;
rng_pptr = 0;
}
return rng_state.next();
}
function rng_get_bytes(a) {
var b;
for (b = 0; b < a.length; ++b) a[b] = rng_get_byte();
}
function securerandom() {}
securerandom.prototype.nextbytes = rng_get_bytes;
function parsebigint(b, a) {
return new biginteger(b, a);
}
function linebrk(d, b) {
var c = "";
var a = 0;
while (a + b < d.length) {
c += d.substring(a, a + b) + "\n";
a += b;
}
return c + d.substring(a, d.length);
}
function byte2hex(a) {
if (a < 0x10) return "0" + a.tostring(16);
else return a.tostring(16);
}
function pkcs1pad2(e, c) {
if (c < e.length + 11) {
alert("message too long for rsa");
return null;
}
var a = new array();
var b = e.length - 1;
while (b >= 0 && c > 0) a[--c] = e.charcodeat(b--);
a[--c] = 0;
var d = new securerandom();
var f = new array();
while (c > 2) {
f[0] = 0;
while (f[0] == 0) d.nextbytes(f);
a[--c] = f[0];
}
a[--c] = 2;
a[--c] = 0;
return new biginteger(a);
}
function rsakey() {
this.n = null;
this.e = 0;
this.d = null;
this.p = null;
this.q = null;
this.dmp1 = null;
this.dmq1 = null;
this.coeff = null;
}
function rsasetpublic(b, a) {
if (b != null && a != null && b.length > 0 && a.length > 0) {
this.n = parsebigint(b, 16);
this.e = parseint(a, 16);
} else alert("invalid rsa public key");
}
function rsadopublic(a) {
return a.modpowint(this.e, this.n);
}
function rsaencrypt(e) {
var d = pkcs1pad2(e, (this.n.bitlength() + 7) >> 3);
if (d == null) return null;
var a = this.dopublic(d);
if (a == null) return null;
var b = a.tostring(16);
if ((b.length & 1) == 0) return b;
else return "0" + b;
}
rsakey.prototype.dopublic = rsadopublic;
rsakey.prototype.setpublic = rsasetpublic;
rsakey.prototype.encrypt = rsaencrypt;
var b64map = "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789+/";
var b64pad = "=";
function hex2b64(b) {
var d;
var a;
var e = "";
for (d = 0; d + 3 <= b.length; d += 3) {
a = parseint(b.substring(d, d + 3), 16);
e += b64map.charat(a >> 6) + b64map.charat(a & 63);
}
if (d + 1 == b.length) {
a = parseint(b.substring(d, d + 1), 16);
e += b64map.charat(a << 2);
} else if (d + 2 == b.length) {
a = parseint(b.substring(d, d + 2), 16);
e += b64map.charat(a >> 2) + b64map.charat((a & 3) << 4);
}
while ((e.length & 3) > 0) e += b64pad;
return e;
}
function b64tohex(d) {
var c = "";
var a;
var b = 0;
var e;
for (a = 0; a < d.length; ++a) {
if (d.charat(a) == b64pad) break;
v = b64map.indexof(d.charat(a));
if (v < 0) continue;
if (b == 0) {
c += int2char(v >> 2);
e = v & 3;
b = 1;
} else if (b == 1) {
c += int2char((e << 2) | (v >> 4));
e = v & 0xf;
b = 2;
} else if (b == 2) {
c += int2char(e);
c += int2char(v >> 2);
e = v & 3;
b = 3;
} else {
c += int2char((e << 2) | (v >> 4));
c += int2char(v & 0xf);
b = 0;
}
}
if (b == 1) c += int2char(e << 2);
return c;
}
function b64toba(e) {
var c = b64tohex(e);
var d;
var b = new array();
for (d = 0; 2 * d < c.length; ++d) {
b[d] = parseint(c.substring(2 * d, 2 * d + 2), 16);
}
return b;
}
function safeauth_js() {}
function getpwd(pwd) {
var publickey = "cf87d7b4c864f4842f1d337491a48fff54b73a17300e8e42fa365420393ac0346ae55d8afad975dfa175faf0106cba81af1dde4acec284dac6ed9a0d8feb1cc070733c58213effed46529c54cea06d774e3cc7e073346aebd6c66fc973f299eb74738e400b22b1e7cdc54e71aed059d228dfeb5b29c530ff341502ae56ddcfe9";
var rsa = new rsakey();
rsa.setpublic(publickey, "10001");
var publicts = "1578280046";
var res = rsa.encrypt(pwd + '\n' + publicts + '\n');
return hex2b64(res);
}
结果:
思路就是这样,不去用python做登录测试了。
