当前位置：首页 > news >正文

【JS逆向学习】大学竞争力2021排行榜（md5加密）

news 2025/5/29 21:53:31

逆向目标

网址：https://www.jizhy.com/44/rank/school
接口：https://www.jizhy.com/open/sch/rank-list
参数：
- sign

逆向过程

老一套先分析网络请求
在这里插入图片描述
经过比对 payload 参数发现，除了 page、ts、sign 三个参数外，其他参数都是固定不变的

逆向分析

上述三个参数中的 page 和 ts 都很好理解，分别是页数和13位的时间戳，那我们直接分析 sign 参数，先搜索关键字 app_id 因为 app_id 是固定不变的，我们猜测是写死的
在这里插入图片描述
只有一个搜索结果，点击跳转并打上断点，然后点击查看更多，发现断住了，这就是我们要找的入口

var n = Wt(t);return n += "&key=" + U,t.sign = Xt(n),Object.assign(t, e)

其中 U 是固定字符串 "146fd1e66513611ac7af69f21f1d7725"，
另外也可以从启动器入口去跟栈分析，这里就不多介绍了，感兴趣的可以看我的其他的 js逆向 相关的文章
在这里插入图片描述
加密的位置找到了，在整个加密运算过程中我们看到很多加密函数进行运算，sign 的长度是 32 位，猜测应该是个 md5 加密，为了验证我们的这一猜想，我们把用于加密的参数拿出来测试一下

var n ="{app_id=98357f659cf8fb6001cff80f7c6b85f2&diploma_id=7&page=7&page_len=20&platform=desktop&ts=1725954922292&v=210&wenli=0}&key=146fd1e66513611ac7af69f21f1d7725";var CryptoJS = require("crypto-js");
console.log(CryptoJS.MD5(n).toString().toUpperCase());
// 输出如下
>> 7CCFF462B37DBD6E39D8D6F2943F6086

由此可以判断 sign 参数就是一个 md5 加密，分析到这就简单了，下面两种方法任选一种：

拼接一个排序的字典参数生成一个用于加密的字符串，然后做一个md5加密并把加密字符串转为大写
扣代码，把加密用到的函数全部扣出来

逆向结果

以上就是一个完整的分析过程，扣代码有几个点需要注意一下

var St = 0;
var Vt = Et;
var ht = {a: function (t) {return typeof t;},
};

以下是完整的加密逻辑

function Wt(t) {var e = Object.prototype.toString.call(t),n = Object.keys(t);n.sort(function (a, b) {return ("[object Array]" === e && ((a = +a), (b = +b)),a < b ? -1 : a > b ? 1 : 0);});for (var r, param = [], o = 0, c = n; o < c.length; o++) {var l = c[o],data = t[l];null == data && (t[l] = data = ""),(data || 0 === data) &&("object" === Object(ht.a)(data) && (data = Wt(data)),param.push("".concat(l, "=").concat(data)));}return ("[object Object]" === e? ((r = param.join("&")), (r = "{".concat(r, "}"))): "[object Array]" === e? ((r = param.join(",")), (r = "[".concat(r, "]"))): (r = param.join("&")),r);
}function Xt(t) {var e = Vt(t);return (e = e.toUpperCase());
}function Et(s) {return Tt(At(Rt(s)));
}
function At(s) {return Dt(Nt(Lt(s), 8 * s.length));
}
St = 0;
function Tt(input) {for (var t,e = St ? "0123456789ABCDEF" : "0123456789abcdef",output = "",i = 0;i < input.length;i++)(t = input.charCodeAt(i)),(output += e.charAt((t >>> 4) & 15) + e.charAt(15 & t));return output;
}
function Rt(input) {for (var t, e, output = "", i = -1; ++i < input.length; )(t = input.charCodeAt(i)),(e = i + 1 < input.length ? input.charCodeAt(i + 1) : 0),55296 <= t &&t <= 56319 &&56320 <= e &&e <= 57343 &&((t = 65536 + ((1023 & t) << 10) + (1023 & e)), i++),t <= 127? (output += String.fromCharCode(t)): t <= 2047? (output += String.fromCharCode(192 | ((t >>> 6) & 31),128 | (63 & t))): t <= 65535? (output += String.fromCharCode(224 | ((t >>> 12) & 15),128 | ((t >>> 6) & 63),128 | (63 & t))): t <= 2097151 &&(output += String.fromCharCode(240 | ((t >>> 18) & 7),128 | ((t >>> 12) & 63),128 | ((t >>> 6) & 63),128 | (63 & t)));return output;
}
function Lt(input) {for (var output = Array(input.length >> 2), i = 0; i < output.length; i++)output[i] = 0;for (i = 0; i < 8 * input.length; i += 8)output[i >> 5] |= (255 & input.charCodeAt(i / 8)) << i % 32;return output;
}
function Dt(input) {for (var output = "", i = 0; i < 32 * input.length; i += 8)output += String.fromCharCode((input[i >> 5] >>> i % 32) & 255);return output;
}
function Nt(t, e) {(t[e >> 5] |= 128 << e % 32), (t[14 + (((e + 64) >>> 9) << 4)] = e);for (var a = 1732584193,b = -271733879,n = -1732584194,r = 271733878,i = 0;i < t.length;i += 16) {var o = a,c = b,l = n,f = r;(a = qt(a, b, n, r, t[i + 0], 7, -680876936)),(r = qt(r, a, b, n, t[i + 1], 12, -389564586)),(n = qt(n, r, a, b, t[i + 2], 17, 606105819)),(b = qt(b, n, r, a, t[i + 3], 22, -1044525330)),(a = qt(a, b, n, r, t[i + 4], 7, -176418897)),(r = qt(r, a, b, n, t[i + 5], 12, 1200080426)),(n = qt(n, r, a, b, t[i + 6], 17, -1473231341)),(b = qt(b, n, r, a, t[i + 7], 22, -45705983)),(a = qt(a, b, n, r, t[i + 8], 7, 1770035416)),(r = qt(r, a, b, n, t[i + 9], 12, -1958414417)),(n = qt(n, r, a, b, t[i + 10], 17, -42063)),(b = qt(b, n, r, a, t[i + 11], 22, -1990404162)),(a = qt(a, b, n, r, t[i + 12], 7, 1804603682)),(r = qt(r, a, b, n, t[i + 13], 12, -40341101)),(n = qt(n, r, a, b, t[i + 14], 17, -1502002290)),(a = Ft(a,(b = qt(b, n, r, a, t[i + 15], 22, 1236535329)),n,r,t[i + 1],5,-165796510)),(r = Ft(r, a, b, n, t[i + 6], 9, -1069501632)),(n = Ft(n, r, a, b, t[i + 11], 14, 643717713)),(b = Ft(b, n, r, a, t[i + 0], 20, -373897302)),(a = Ft(a, b, n, r, t[i + 5], 5, -701558691)),(r = Ft(r, a, b, n, t[i + 10], 9, 38016083)),(n = Ft(n, r, a, b, t[i + 15], 14, -660478335)),(b = Ft(b, n, r, a, t[i + 4], 20, -405537848)),(a = Ft(a, b, n, r, t[i + 9], 5, 568446438)),(r = Ft(r, a, b, n, t[i + 14], 9, -1019803690)),(n = Ft(n, r, a, b, t[i + 3], 14, -187363961)),(b = Ft(b, n, r, a, t[i + 8], 20, 1163531501)),(a = Ft(a, b, n, r, t[i + 13], 5, -1444681467)),(r = Ft(r, a, b, n, t[i + 2], 9, -51403784)),(n = Ft(n, r, a, b, t[i + 7], 14, 1735328473)),(a = Ut(a,(b = Ft(b, n, r, a, t[i + 12], 20, -1926607734)),n,r,t[i + 5],4,-378558)),(r = Ut(r, a, b, n, t[i + 8], 11, -2022574463)),(n = Ut(n, r, a, b, t[i + 11], 16, 1839030562)),(b = Ut(b, n, r, a, t[i + 14], 23, -35309556)),(a = Ut(a, b, n, r, t[i + 1], 4, -1530992060)),(r = Ut(r, a, b, n, t[i + 4], 11, 1272893353)),(n = Ut(n, r, a, b, t[i + 7], 16, -155497632)),(b = Ut(b, n, r, a, t[i + 10], 23, -1094730640)),(a = Ut(a, b, n, r, t[i + 13], 4, 681279174)),(r = Ut(r, a, b, n, t[i + 0], 11, -358537222)),(n = Ut(n, r, a, b, t[i + 3], 16, -722521979)),(b = Ut(b, n, r, a, t[i + 6], 23, 76029189)),(a = Ut(a, b, n, r, t[i + 9], 4, -640364487)),(r = Ut(r, a, b, n, t[i + 12], 11, -421815835)),(n = Ut(n, r, a, b, t[i + 15], 16, 530742520)),(a = Bt(a,(b = Ut(b, n, r, a, t[i + 2], 23, -995338651)),n,r,t[i + 0],6,-198630844)),(r = Bt(r, a, b, n, t[i + 7], 10, 1126891415)),(n = Bt(n, r, a, b, t[i + 14], 15, -1416354905)),(b = Bt(b, n, r, a, t[i + 5], 21, -57434055)),(a = Bt(a, b, n, r, t[i + 12], 6, 1700485571)),(r = Bt(r, a, b, n, t[i + 3], 10, -1894986606)),(n = Bt(n, r, a, b, t[i + 10], 15, -1051523)),(b = Bt(b, n, r, a, t[i + 1], 21, -2054922799)),(a = Bt(a, b, n, r, t[i + 8], 6, 1873313359)),(r = Bt(r, a, b, n, t[i + 15], 10, -30611744)),(n = Bt(n, r, a, b, t[i + 6], 15, -1560198380)),(b = Bt(b, n, r, a, t[i + 13], 21, 1309151649)),(a = Bt(a, b, n, r, t[i + 4], 6, -145523070)),(r = Bt(r, a, b, n, t[i + 11], 10, -1120210379)),(n = Bt(n, r, a, b, t[i + 2], 15, 718787259)),(b = Bt(b, n, r, a, t[i + 9], 21, -343485551)),(a = zt(a, o)),(b = zt(b, c)),(n = zt(n, l)),(r = zt(r, f));}return Array(a, b, n, r);
}
function Mt(q, a, b, t, s, e) {return zt(((n = zt(zt(a, q), zt(t, e))) << (r = s)) | (n >>> (32 - r)), b);var n, r;
}
function qt(a, b, t, e, n, s, r) {return Mt((b & t) | (~b & e), a, b, n, s, r);
}
function Ft(a, b, t, e, n, s, r) {return Mt((b & e) | (t & ~e), a, b, n, s, r);
}
function Ut(a, b, t, e, n, s, r) {return Mt(b ^ t ^ e, a, b, n, s, r);
}
function Bt(a, b, t, e, n, s, r) {return Mt(t ^ (b | ~e), a, b, n, s, r);
}
function zt(t, e) {var n = (65535 & t) + (65535 & e);return (((t >> 16) + (e >> 16) + (n >> 16)) << 16) | (65535 & n);
}function Vt(t) {var e = !1;return function () {for (var n = [], r = arguments.length; r--; ) n[r] = arguments[r];if (!e) return (e = !0), t.apply(this, n);};
}
var Vt = Et;
var ht = {a: function (t) {return typeof t;},
};var n ="{app_id=98357f659cf8fb6001cff80f7c6b85f2&diploma_id=7&page=7&page_len=20&platform=desktop&ts=1725954922292&v=210&wenli=0}&key=146fd1e66513611ac7af69f21f1d7725";
console.log(Xt(n));