Remote RPC plus instrumentation: a clever solution to Ruishu 5 that everyone can understand (with source code)

Foreword:

As we all know, RPC works wonders on some complex encryption schemes: we only need to find the location of the encryption function and call it remotely through RPC, which spares us the hair-loss process of deobfuscating the code and patching up the browser environment. This article takes VIP journals as an example to explore the mysteries of Ruishu.

1. Packet capture: analyze the request interface

Through packet capture analysis, we can see that the URL we are looking for is SearchList?xxxx; a comparison of requests shows that this interface encrypts both a query-string parameter and a cookie. From this we determine that there are two parameters to solve this time: G5tA5iQ4 and GW1gelwM5yZuT.

2. Decrypt the G5tA5iQ4 parameter

First search for the G5tA5iQ4 parameter globally; there are no results. So we follow up the send call instead and set a breakpoint there; the analysis is as follows.

Through the analysis, we can see that the URL is encrypted inside the u.open function. Continuing into u.open, we find the encryption function _$BZ, and the parameter passed to it is "/Search/SearchList". Export the _$BZ function to a global variable and save it.

3. Decrypt the cookie encryption parameter GW1gelwM5yZuT

Since cookies are normally read and written through document.cookie, we hook document.cookie.

// Save the current cookie string, then replace the document.cookie accessor
// so that every write passes through our setter and stops in the debugger.
window.cason_cookie = document.cookie;
Object.defineProperty(document, 'cookie', {
    // Reads return the cached copy instead of the real cookie jar
    get: () => {
        return window.cason_cookie;
    },
    // Writes break into the debugger so the writer's call stack can be inspected
    set: (x) => {
        debugger;
        window.cason_cookie = x;
    }
});
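The hook above works by installing an own accessor on the document instance, which shadows the native accessor inherited from Document.prototype. That is also the cheapest way to detect it: a genuine document has no own "cookie" property at all. The following is an added example, not code from the original post, that shows the detection check beside the hook and a repair step. It runs under Node with a constructed FakeDocument stand-in (an assumption, so that the example is self-contained); in a real browser the same functions would be called with document.

```javascript
// Added example (not from the original post): detect and undo the
// document.cookie hook shown above. Uses a constructed stand-in for Document
// so that it runs under Node; in a browser, pass `document` instead.

// Constructed stand-in: like the real Document, the cookie accessor lives on
// the prototype, so a clean instance has no own "cookie" property.
class FakeDocument {}
Object.defineProperty(FakeDocument.prototype, 'cookie', {
  get() { return this._jar || ''; },
  set(v) { this._jar = v; },
  configurable: true,
});

// Integrity check: true if something has defined an own "cookie" property on
// the document object, which is what Object.defineProperty(document, 'cookie', ...)
// does. An untouched document returns false.
function cookieAccessorShadowed(doc) {
  return Object.prototype.hasOwnProperty.call(doc, 'cookie');
}

// Reproduces the hook from the post on an arbitrary object, minus the
// `debugger` statement, so the detection can be exercised offline.
function installHook(doc) {
  doc._saved = doc.cookie;            // cache the current value (via the prototype getter)
  Object.defineProperty(doc, 'cookie', {
    get: () => doc._saved,            // reads come from the cache
    set: (x) => { doc._saved = x; },  // writes only update the cache
    configurable: true,               // left configurable so it can be removed again
  });
}

// Repair: remove the shadowing own property so lookups fall back to the
// prototype accessor. Returns true on success, false if there was nothing to
// remove or the hook was installed as non-configurable (then a reload is the
// only clean fix).
function restoreNativeAccessor(doc) {
  const desc = Object.getOwnPropertyDescriptor(doc, 'cookie');
  if (!desc || !desc.configurable) return false;
  delete doc.cookie;
  return true;
}

if (typeof require !== 'undefined' && require.main === module) {
  const d = new FakeDocument();
  d.cookie = 'session=abc';           // constructed sample value
  console.log('clean document shadowed?', cookieAccessorShadowed(d));   // false
  installHook(d);
  console.log('after hook shadowed?', cookieAccessorShadowed(d));       // true
  console.log('restored?', restoreNativeAccessor(d), cookieAccessorShadowed(d)); // true false
}
```

Note that the post's hook omits `configurable: true`, so on the real page the own property cannot be deleted; a script that finds the accessor shadowed and non-configurable can only report it, not repair it in place.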

Locate the cookie write and walk backwards through the call stack.

Find the variable name that holds the parameter and add a breakpoint on it.

Find where _$re is defined, add a log breakpoint there, refresh the page again, and print out the calling sequence of the function to reconstruct the call flow.


It is observed that the _$re values before the breakpoint executes are 275, 276, and 457 respectively. Define window.casonIoo = [] and continue adding conditional breakpoints to print and verify.

Step through to _$re == 374 and analyze the encryption process; the encryption position coincides with the previous breakpoint position, which proves the analysis is correct. Continue modifying the conditional breakpoint and print out the changes of the _$CK value.

It can be seen that the encryption happens while the value of _$re is between 457 and 276, so modify the conditional breakpoint so that it stops at 457, before the encryption.

Find the encryption function and analyze the stack

Confirm that the encryption function is _$rs, then export it and save it to the global scope. The encrypted value is obtained successfully.

4. RPC local call to obtain the values

By exporting to the global scope, we have successfully obtained the two parameters that need to be encrypted.

Afterwards, we can build the request locally and fetch the parameters through an RPC call. For details of the RPC operations, refer to the example of obtaining request parameters through RPC remote calls in Python.

The screenshot after a successful run is as follows:


Summary:

This article successfully cracked Ruishu 5 encryption through a series of operations such as hooking, breakpoint instrumentation, stack walking, and RPC. Since the encryption is not reimplemented locally, this is a workaround rather than a full solution, but it is still very suitable for crawling websites where the demand is small and the encryption is complicated. The idea of the deciphering comes from the first episode of the JS reverse-engineering video series on Ruishu 5 deciphering and breakpoint instrumentation by the Bilibili uploaders Chen Bubu and Wanfeng. If you are interested, you can watch the original video. If this article is helpful to you, please give a free like to support it~

Attached source code:

# coding:utf-8
import requests
from lxml import etree


def get_url_cookie():
    # The RPC endpoint is served by the local RPC bridge connected to the
    # browser in which _$BZ and _$rs were exported to the global scope;
    # one GET returns the freshly encrypted URL and cookie value as text.
    rpc_url = 'http://127.0.0.1:9420/cbb?type=S&webId=1001&data=12'
    res = requests.get(rpc_url)
    # Cut the encrypted SearchList URL out of the RPC response
    wp_url = 'http://qikan.cqvip.com:80/Search/SearchList?' + \
             res.text.split('http://qikan.cqvip.com:80/Search/SearchList?')[1].split('"')[0]
    # The static cookies were copied from the browser session; only the
    # last one (GW1gelwM5YZuT) changes per request and comes from the RPC response
    wp_cookie = 'GW1gelwM5YZuS=5.GTgDKU1Gpbz5ZsqN_0cK6sxHb8z9K7hB8h.zauqK5m3XmDfw6t2lMBQerygmlEioWgsndYhhKNP5A2bFIe7na; ae51635ca5836b4864=94ee5fb45ad7f8f15d2d00578ab61262; f5d52daf4f=a8689784c908323177b0bd80577db832; ASP.NET_SessionId=4wo05dxpa1pmjfiqlr2xj3qi; search_isEnable=1; GW1gelwM5YZuT=' + \
                res.text.split('false},"')[1].split('"]')[0]
    return wp_url, wp_cookie


def get_content():
    # Each page needs a fresh URL and cookie pair, so call the RPC once per page
    for i in range(1, 11):
        wp_url, wp_cookie = get_url_cookie()
        headers = {
            'Cookie': wp_cookie,
            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
            'Origin': 'http://qikan.cqvip.com',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36'
        }
        # Search form body as captured from the site; only PageNum (%s) varies
        data = {
            'searchParamModel': '{"ObjectType":1,"SearchKeyList":[],"SearchExpression":null,"BeginYear":null,"EndYear":null,"UpdateTimeType":null,"JournalRange":null,"DomainRange":null,"ClusterFilter":"","ClusterLimit":0,"ClusterUseType":"Article","UrlParam":"U=人工智能","Sort":"0","SortField":null,"UserID":"0","PageNum":%s,"PageSize":20,"SType":null,"StrIds":null,"IsRefOrBy":0,"ShowRules":"  任意字段=人工智能  ","IsNoteHistory":0,"AdvShowTitle":null,"ObjectId":null,"ObjectSearchType":0,"ChineseEnglishExtend":0,"SynonymExtend":0,"ShowTotalCount":143588,"AdvTabGuid":""}' % i
        }
        res = requests.post(wp_url, data=data, headers=headers)
        html = etree.HTML(res.text)
        # Each result title is an <a> under the #remark list; join its text nodes
        title_list = html.xpath('//*[@id="remark"]/dl/dt/a')
        for title in title_list:
            t = ''.join(title.xpath('.//text()'))
            print(t)


def main():
    get_content()


if __name__ == '__main__':
    main()

Source: blog.csdn.net/weixin_61736939/article/details/129786442