JS Reverse Engineering: Extracting Code, Day 4 [Learn to Extract Code Step by Step]

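  Today's project consolidates what we learned about MD5. It is somewhat more complex than yesterday's, but the method and approach are the same.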

  Today's target: https://www.webportal.top/

  

  Next, work out how pwd is encrypted. A global search gives the following results:

  

  The second one is clearly not the encryption. So is it in the first JS file? Click into it, and a quick search turns up this:

  

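  Is it really this friendly? Set a breakpoint right away and debug. On reaching this point, i.pwd is our password 123456, and $.md5 as a whole is an encryption function; after it runs, the result is indeed the encrypted data. Stepping straight into the function shows that it looks like this: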

  

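  The function clearly calls other functions here, and no encryption algorithm is only two lines long! Leave that for now: copy out the earlier encryption call together with this function and rewrite them slightly: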

  

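  Next, a brief analysis of the rewritten MD5 function. At first I cannot read what it returns, but my guess is that a letter followed by parentheses must be a function, since only functions take arguments. Running it in the debugging tool shows that function u does not exist. Step in at the breakpoint, look at the function, and copy it over directly; its format does not need any changes at all. While we are here, look at the other functions on that line as well, namely f, c and u. u has already been found, so find f and c and copy them over too. Then repeat the same steps, adding whatever the debugging tool reports as missing. Once everything has been filled in, there are no more errors and running it produces the result directly.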

  

  That completes the reverse engineering of this encrypted field.

  The code is attached below:

  Python part:

import execjs


def read_js(file):
    # Read the extracted JS source as UTF-8 text
    with open(file, 'r', encoding='utf8') as f:
        data = f.read()
        return data


if __name__ == '__main__':
    js_str = read_js('webportal.js')
    js_o = execjs.compile(js_str)  # compile the extracted JS in a local runtime
    md5_password = js_o.call('getpwd', '123456')  # call the extracted entry point
    print(md5_password)

  JS code part:

function a(e, t, n, o, a, r, s) {
    return i(t ^ n ^ o, e, t, a, r, s)
}

function r(e, t, n, o, a, r, s) {
    return i(n ^ (t | ~o), e, t, a, r, s)
}

function o(e, t, n, o, a, r, s) {
    return i(t & o | n & ~o, e, t, a, r, s)
}

// 32-bit addition done in two 16-bit halves so it wraps correctly
function t(e, t) {
    var i = (65535 & e) + (65535 & t);
    return (e >> 16) + (t >> 16) + (i >> 16) << 16 | 65535 & i
}

function i(e, i, n, o, a, r) {
    return t((s = t(t(i, e), t(o, r))) << (l = a) | s >>> 32 - l, n);
    var s, l
}

function n(e, t, n, o, a, r, s) {
    return i(t & n | ~t & o, e, t, a, r, s)
}

// Pack a byte string into an array of little-endian 32-bit words
function d(e) {
    var t, i = [];
    for (i[(e.length >> 2) - 1] = void 0, t = 0; t < i.length; t += 1) i[t] = 0;
    for (t = 0; t < 8 * e.length; t += 8) i[t >> 5] |= (255 & e.charCodeAt(t / 8)) << t % 32;
    return i
}

// Core transform: pad the message, then run the four rounds over each 16-word block
function s(e, i) {
    e[i >> 5] |= 128 << i % 32,
    e[14 + (i + 64 >>> 9 << 4)] = i;
    var s, l, d, c, p, u = 1732584193,
        f = -271733879,
        h = -1732584194,
        g = 271733878;
    for (s = 0; s < e.length; s += 16) l = u,
        d = f,
        c = h,
        p = g,
        u = n(u, f, h, g, e[s], 7, -680876936),
        g = n(g, u, f, h, e[s + 1], 12, -389564586),
        h = n(h, g, u, f, e[s + 2], 17, 606105819),
        f = n(f, h, g, u, e[s + 3], 22, -1044525330),
        u = n(u, f, h, g, e[s + 4], 7, -176418897),
        g = n(g, u, f, h, e[s + 5], 12, 1200080426),
        h = n(h, g, u, f, e[s + 6], 17, -1473231341),
        f = n(f, h, g, u, e[s + 7], 22, -45705983),
        u = n(u, f, h, g, e[s + 8], 7, 1770035416),
        g = n(g, u, f, h, e[s + 9], 12, -1958414417),
        h = n(h, g, u, f, e[s + 10], 17, -42063),
        f = n(f, h, g, u, e[s + 11], 22, -1990404162),
        u = n(u, f, h, g, e[s + 12], 7, 1804603682),
        g = n(g, u, f, h, e[s + 13], 12, -40341101),
        h = n(h, g, u, f, e[s + 14], 17, -1502002290),
        u = o(u, f = n(f, h, g, u, e[s + 15], 22, 1236535329), h, g, e[s + 1], 5, -165796510),
        g = o(g, u, f, h, e[s + 6], 9, -1069501632),
        h = o(h, g, u, f, e[s + 11], 14, 643717713),
        f = o(f, h, g, u, e[s], 20, -373897302),
        u = o(u, f, h, g, e[s + 5], 5, -701558691),
        g = o(g, u, f, h, e[s + 10], 9, 38016083),
        h = o(h, g, u, f, e[s + 15], 14, -660478335),
        f = o(f, h, g, u, e[s + 4], 20, -405537848),
        u = o(u, f, h, g, e[s + 9], 5, 568446438),
        g = o(g, u, f, h, e[s + 14], 9, -1019803690),
        h = o(h, g, u, f, e[s + 3], 14, -187363961),
        f = o(f, h, g, u, e[s + 8], 20, 1163531501),
        u = o(u, f, h, g, e[s + 13], 5, -1444681467),
        g = o(g, u, f, h, e[s + 2], 9, -51403784),
        h = o(h, g, u, f, e[s + 7], 14, 1735328473),
        u = a(u, f = o(f, h, g, u, e[s + 12], 20, -1926607734), h, g, e[s + 5], 4, -378558),
        g = a(g, u, f, h, e[s + 8], 11, -2022574463),
        h = a(h, g, u, f, e[s + 11], 16, 1839030562),
        f = a(f, h, g, u, e[s + 14], 23, -35309556),
        u = a(u, f, h, g, e[s + 1], 4, -1530992060),
        g = a(g, u, f, h, e[s + 4], 11, 1272893353),
        h = a(h, g, u, f, e[s + 7], 16, -155497632),
        f = a(f, h, g, u, e[s + 10], 23, -1094730640),
        u = a(u, f, h, g, e[s + 13], 4, 681279174),
        g = a(g, u, f, h, e[s], 11, -358537222),
        h = a(h, g, u, f, e[s + 3], 16, -722521979),
        f = a(f, h, g, u, e[s + 6], 23, 76029189),
        u = a(u, f, h, g, e[s + 9], 4, -640364487),
        g = a(g, u, f, h, e[s + 12], 11, -421815835),
        h = a(h, g, u, f, e[s + 15], 16, 530742520),
        u = r(u, f = a(f, h, g, u, e[s + 2], 23, -995338651), h, g, e[s], 6, -198630844),
        g = r(g, u, f, h, e[s + 7], 10, 1126891415),
        h = r(h, g, u, f, e[s + 14], 15, -1416354905),
        f = r(f, h, g, u, e[s + 5], 21, -57434055),
        u = r(u, f, h, g, e[s + 12], 6, 1700485571),
        g = r(g, u, f, h, e[s + 3], 10, -1894986606),
        h = r(h, g, u, f, e[s + 10], 15, -1051523),
        f = r(f, h, g, u, e[s + 1], 21, -2054922799),
        u = r(u, f, h, g, e[s + 8], 6, 1873313359),
        g = r(g, u, f, h, e[s + 15], 10, -30611744),
        h = r(h, g, u, f, e[s + 6], 15, -1560198380),
        f = r(f, h, g, u, e[s + 13], 21, 1309151649),
        u = r(u, f, h, g, e[s + 4], 6, -145523070),
        g = r(g, u, f, h, e[s + 11], 10, -1120210379),
        h = r(h, g, u, f, e[s + 2], 15, 718787259),
        f = r(f, h, g, u, e[s + 9], 21, -343485551),
        u = t(u, l),
        f = t(f, d),
        h = t(h, c),
        g = t(g, p);
    return [u, f, h, g]
}

// Encode the input string as UTF-8 bytes
function p(e) {
    return unescape(encodeURIComponent(e))
}

// Unpack the 32-bit words back into a byte string
function l(e) {
    var t, i = "";
    for (t = 0; t < 32 * e.length; t += 8) i += String.fromCharCode(e[t >> 5] >>> t % 32 & 255);
    return i
}

// Convert a byte string to lowercase hex
function c(e) {
    var t, i, n = "";
    for (i = 0; i < e.length; i += 1) t = e.charCodeAt(i),
        n += "0123456789abcdef".charAt(t >>> 4 & 15) + "0123456789abcdef".charAt(15 & t);
    return n
}

function u(e) {
    return function(e) {
        return l(s(d(e), 8 * e.length))
    } (p(e))
}

// f is only reached when a second argument t is passed; getpwd passes none
var MD5 = function(e, t, i) {
    return t ? i ? f(t, e) : c(f(t, e)) : i ? u(e) : c(u(e))
}

function getpwd(pwd) {
    var password = MD5(pwd);
    return password
}
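
Before extracting a hash routine like the one above, it helps to check whether the value seen in the request is simply a standard digest of the known test password. The following is an added example, not code from the original post: the function names candidates and identify are hypothetical, and the sample digest is constructed from the well-known MD5 of 123456 rather than captured from the site.

```python
import hashlib


def candidates(plaintext):
    """Return {scheme name: hex digest} for common unsalted schemes.

    The input is encoded as UTF-8 first, which is what the page's p()
    helper (unescape(encodeURIComponent(e))) does before hashing.
    """
    raw = plaintext.encode("utf-8")
    out = {}
    for name in ("md5", "sha1", "sha256", "sha512"):
        out[name] = hashlib.new(name, raw).hexdigest()
    md5_hex = out["md5"]
    # Two frequent variations: MD5 applied to the hex string of the first
    # MD5, and the 16-character "short MD5" (middle half of the digest).
    out["md5(md5_hex)"] = hashlib.md5(md5_hex.encode("ascii")).hexdigest()
    out["md5[8:24]"] = md5_hex[8:24]
    return out


def identify(plaintext, observed):
    """List every scheme whose digest of plaintext equals the observed value."""
    obs = observed.strip().lower()  # sites differ in hex case
    return [name for name, digest in candidates(plaintext).items() if digest == obs]


if __name__ == "__main__":
    # Constructed sample: MD5 of the test password used on the page,
    # written in upper case to show that hex case is normalised.
    observed = "E10ADC3949BA59ABBE56E057F20F883E"
    print(identify("123456", observed))
```

If identify returns a match such as md5, hashlib can produce the field directly and the extracted JS is only needed as a cross-check; an empty list means the routine adds a salt, key or custom step and has to be read more closely.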