微信公众平台某参数加密JS逻辑

1. 网址

https://mp.weixin.qq.com/

2. 模拟登录，找到发起请求的地址

目的：解决pwd加密逻辑

3. 全局搜索pwd:

定位到一个js文件，点击进去

4. 继续搜索pwd:

定位到236行，打断点

5. 进入断点处

i.pwd正是我刚输入的密码；证明找的地方是对的；通过r函数调用,单步进入函数里面去

跳转到1363行；这里就是参数加密逻辑

6. 扣js代码

先将整个函数扣下来再说（1286行~1369行）

1366行就是加密后的数据

7. 执行js代码，修复bug

bug1：第一行，define 没有定义；删掉

bug2： 94行，t没有定义

解决办法：该函数正是输出结果的函数，以匿名函数表示，将其改为有名函数，然后调用（js基础知识，匿名函数 有名函数）

此时就没有错误显示了，证明js代码已经没有问题了；最后调用

8. 源码参考

function d(n, r) {
    var t = (65535 & n) + (65535 & r)
    return (n >> 16) + (r >> 16) + (t >> 16) << 16 | 65535 & t
}

function f(n, r, t, e, u, o) {
    return d(function(n, r) {
        return n << r | n >>> 32 - r
    }(d(d(r, n), d(e, o)), u), t)
}

function g(n, r, t, e, u, o, c) {
    return f(r & t | ~r & e, n, r, u, o, c)
}

function l(n, r, t, e, u, o, c) {
    return f(r & e | t & ~e, n, r, u, o, c)
}

function v(n, r, t, e, u, o, c) {
    return f(r ^ t ^ e, n, r, u, o, c)
}

function s(n, r, t, e, u, o, c) {
    return f(t ^ (r | ~e), n, r, u, o, c)
}

function i(n, r) {
    n[r >> 5] |= 128 << r % 32,
        n[14 + (r + 64 >>> 9 << 4)] = r
    var t, e, u, o, c, f = 1732584193,
        i = -271733879,
        a = -1732584194,
        h = 271733878
    for (t = 0; t < n.length; t += 16)
        i = s(i = s(i = s(i = s(i = v(i = v(i = v(i = v(i = l(i = l(i = l(i = l(i = g(i = g(i = g(i = g(u = i, a = g(o = a, h = g(c = h, f = g(e = f, i, a, h, n[t], 7, -680876936), i, a, n[t + 1], 12, -389564586), f, i, n[t + 2], 17, 606105819), h, f, n[t + 3], 22, -1044525330), a = g(a, h = g(h, f = g(f, i, a, h, n[t + 4], 7, -176418897), i, a, n[t + 5], 12, 1200080426), f, i, n[t + 6], 17, -1473231341), h, f, n[t + 7], 22, -45705983), a = g(a, h = g(h, f = g(f, i, a, h, n[t + 8], 7, 1770035416), i, a, n[t + 9], 12, -1958414417), f, i, n[t + 10], 17, -42063), h, f, n[t + 11], 22, -1990404162), a = g(a, h = g(h, f = g(f, i, a, h, n[t + 12], 7, 1804603682), i, a, n[t + 13], 12, -40341101), f, i, n[t + 14], 17, -1502002290), h, f, n[t + 15], 22, 1236535329), a = l(a, h = l(h, f = l(f, i, a, h, n[t + 1], 5, -165796510), i, a, n[t + 6], 9, -1069501632), f, i, n[t + 11], 14, 643717713), h, f, n[t], 20, -373897302), a = l(a, h = l(h, f = l(f, i, a, h, n[t + 5], 5, -701558691), i, a, n[t + 10], 9, 38016083), f, i, n[t + 15], 14, -660478335), h, f, n[t + 4], 20, -405537848), a = l(a, h = l(h, f = l(f, i, a, h, n[t + 9], 5, 568446438), i, a, n[t + 14], 9, -1019803690), f, i, n[t + 3], 14, -187363961), h, f, n[t + 8], 20, 1163531501), a = l(a, h = l(h, f = l(f, i, a, h, n[t + 13], 5, -1444681467), i, a, n[t + 2], 9, -51403784), f, i, n[t + 7], 14, 1735328473), h, f, n[t + 12], 20, -1926607734), a = v(a, h = v(h, f = v(f, i, a, h, n[t + 5], 4, -378558), i, a, n[t + 8], 11, -2022574463), f, i, n[t + 11], 16, 1839030562), h, f, n[t + 14], 23, -35309556), a = v(a, h = v(h, f = v(f, i, a, h, n[t + 1], 4, -1530992060), i, a, n[t + 4], 11, 1272893353), f, i, n[t + 7], 16, -155497632), h, f, n[t + 10], 23, -1094730640), a = v(a, h = v(h, f = v(f, i, a, h, n[t + 13], 4, 681279174), i, a, n[t], 11, -358537222), f, i, n[t + 3], 16, -722521979), h, f, n[t + 6], 23, 76029189), a = v(a, h = v(h, f = v(f, i, a, h, n[t + 9], 4, -640364487), i, a, n[t + 12], 11, -421815835), f, i, n[t + 15], 16, 530742520), h, f, n[t + 2], 23, -995338651), a = s(a, h = s(h, f = s(f, i, a, h, n[t], 6, -198630844), i, a, n[t + 7], 10, 1126891415), f, i, n[t + 14], 15, -1416354905), h, f, n[t + 5], 21, -57434055), a = s(a, h = s(h, f = s(f, i, a, h, n[t + 12], 6, 1700485571), i, a, n[t + 3], 10, -1894986606), f, i, n[t + 10], 15, -1051523), h, f, n[t + 1], 21, -2054922799), a = s(a, h = s(h, f = s(f, i, a, h, n[t + 8], 6, 1873313359), i, a, n[t + 15], 10, -30611744), f, i, n[t + 6], 15, -1560198380), h, f, n[t + 13], 21, 1309151649), a = s(a, h = s(h, f = s(f, i, a, h, n[t + 4], 6, -145523070), i, a, n[t + 11], 10, -1120210379), f, i, n[t + 2], 15, 718787259), h, f, n[t + 9], 21, -343485551),
        f = d(f, e),
        i = d(i, u),
        a = d(a, o),
        h = d(h, c)
    return [f, i, a, h]
}

function a(n) {
    var r, t = ""
    for (r = 0; r < 32 * n.length; r += 8)
        t += String.fromCharCode(n[r >> 5] >>> r % 32 & 255)
    return t
}

function h(n) {
    var r, t = []
    for (t[(n.length >> 2) - 1] = void 0,
        r = 0; r < t.length; r += 1)
        t[r] = 0
    for (r = 0; r < 8 * n.length; r += 8)
        t[r >> 5] |= (255 & n.charCodeAt(r / 8)) << r % 32
    return t
}

function e(n) {
    var r, t, e = "0123456789abcdef",
        u = ""
    for (t = 0; t < n.length; t += 1)
        r = n.charCodeAt(t),
        u += e.charAt(r >>> 4 & 15) + e.charAt(15 & r)
    return u
}

function u(n) {
    return unescape(encodeURIComponent(n))
}

function o(n) {
    return function(n) {
        return a(i(h(n), 8 * n.length))
    }(u(n))
}

function c(n, r) {
    return function(n, r) {
        var t, e, u = h(n),
            o = [],
            c = []
        for (o[15] = c[15] = void 0,
            16 < u.length && (u = i(u, 8 * n.length)),
            t = 0; t < 16; t += 1)
            o[t] = 909522486 ^ u[t],
            c[t] = 1549556828 ^ u[t]
        return e = i(o.concat(h(r)), 512 + 8 * r.length),
            a(i(c.concat(e), 640))
    }(u(n), u(r))
}

function passwd(n, r, t) {
    return r ? t ? c(r, n) : function(n, r) {
        return e(c(n, r))
    }(r, n) : t ? o(n) : function(n) {
        return e(o(n))
    }(n)
};
pwd = passwd('123456');
console.log(pwd);

9. 补充

函数开头md5.js ； 其实就是通过MD5加密的

Python测试：返回结果一致

拓展：上述js代码就是前端MD5加密的逻辑