Disclaimer: This article is for study and research only and must not be used for illegal purposes; otherwise, you bear the risk yourself. If there is any infringement, please notify me and it will be deleted. Thank you!
Project scenario:
The JS encryption we usually encounter applies to the request parameters, but this time it is the returned parameters that are encrypted. The approach is the same in both cases: find the JS decryption function that the front end calls. Without further ado, let's start.
Solution:
1. The target is a drug research and development site: the information in its drug registration and acceptance database.
2. Clear the XHR list and click through to the second page to capture the request. The data parameter of the response is clearly encrypted, so we need to find the JS code that decrypts data. There are two approaches. Idea ①: press Ctrl+Shift+F to search globally for the main part of the request URL, /zhuce, then go through the JS code that requests this URL one by one to see whether it contains a decryption method. Idea ②: set an XHR breakpoint and locate the decryption method when turning the page. This is the method I used this time, and I explain it step by step below.
3. Set the XHR breakpoint, request the next page, then step in and work through the call stack until you reach the place where decryption happens.
4. Finally, we find the decryption location in the JS file beginning with app. The a parameter holds the encrypted data returned to the front end, which is then decrypted with at.decryptResponse(a.data, "yaozh_vip2020").
5. Click into the at.decryptResponse method to take a look. The logic is clear, so we can extract the at function directly.
6. I have pulled it out for you below. The thing to note is the line a = et()(i) in the this.decryptResponse method. This parameter a is a fixed value, namely MD5('yaozh_vip2020') --> c8d9534c6e599a37818fc0d613515b88, so it is hard-coded here. Then we take a piece of encrypted data and run the function on it.
    var at = new function () {
        // Base64 alphabet; index 64 ("=") marks padding
        var e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
          , a = ""   // XOR key: the 32-character MD5 hex string
          , t = 0    // current position in the key
          , n = []   // pending bytes of an incomplete UTF-8 sequence
            // XOR one decoded byte with the next key character, then pass it to the UTF-8 decoder
          , o = function (e) {
                return 32 == t && (t = 0),
                    e ^= a.charCodeAt(t++),
                    i(e)
            }
            // Incremental UTF-8 decoder for 1-, 2- and 3-byte sequences
          , i = function (e) {
                if (n.length) {
                    var a = n[0];
                    if (a > 191 && a < 224)
                        return n = [],
                            String.fromCharCode((31 & a) << 6 | 63 & e);
                    if (1 === n.length)
                        return n.push(e),
                            "";
                    var t = n[1];
                    return n = [],
                        String.fromCharCode((15 & a) << 12 | (63 & t) << 6 | 63 & e)
                }
                return e < 128 ? String.fromCharCode(e) : (n.push(e),
                    "")
            };
        this.decryptResponse = function (n) {
            var i = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : "yaozh_cydn";
            if (!n)
                return !1;
            // a = et()(i), // MD5('yaozh_vip2020') --> c8d9534c6e599a37818fc0d613515b88
            a = 'c8d9534c6e599a37818fc0d613515b88';
            t = 0;
            var s = ""
              , r = 0;
            // Strip non-Base64 characters, then decode four characters into up to three bytes at a time
            for (n = n.replace(/[^A-Za-z0-9\+\/\=]/g, ""); r < n.length;) {
                var A = e.indexOf(n.charAt(r++))
                  , c = e.indexOf(n.charAt(r++))
                  , u = e.indexOf(n.charAt(r++))
                  , m = e.indexOf(n.charAt(r++));
                s += o(A << 2 | c >> 4),
                    64 != u && (s += o((15 & c) << 4 | u >> 2)),
                    64 != m && (s += o((3 & u) << 6 | m))
            }
            return s
        }
    };