JS Reverse Engineering: Detailed Explanation of the Environment-Supplementing Method (DY X-Bogus Parameter)


Preface

Today's article covers how the x_bogus parameter is generated for the comment-area interface of the dy web page, with a JS reverse analysis of that parameter. As far as I know, the blogger's home page is also encrypted with this parameter. I haven't tried it on other pages yet, but I think it should work there as well.


Statement
All content in this article is for learning and communication only and is not to be used for any other purpose. The complete code is not provided. The packet capture content, sensitive URLs, data interfaces, etc. have been desensitized. Use for commercial or illegal purposes is strictly prohibited; otherwise the author bears no responsibility for any consequences arising therefrom.
This article may not be reproduced without permission, and may not be redistributed after any modification. The author is not responsible for any accidents caused by unauthorized use of the techniques explained in this article. If there is any infringement, please contact the author immediately to have it deleted. Please consciously abide by relevant laws and regulations.


1. Practical analysis

  • Reverse target: DY
  • Reverse parameter: x_bogus
  • Reverse interface: ?device_platform=webapp

Analyze the interface
webid: can be temporarily hard-coded
msToken: can be temporarily hard-coded
X-Bogus: the core decryption parameter; let's restore its generation logic
After determining the interface and the parameter to reverse, search for the parameter name directly. There are two locations. I tested both of them, setting breakpoints at several positions in succession, and found that I couldn't get execution to stop there.
Then I set an XHR breakpoint, refreshed the page, and analyzed and debugged the call stack.
Following this section, I found that _0x1f1790 contains parameters such as msToken. Looking more closely at these parameters, 22 is the x_bogus parameter value we want. At 24, it is spliced onto the end.
If I continue to follow the stack here, there will be no results, so I chose to use a conditional breakpoint, because the parameter length is 28.

Then refresh; at this point our parameters are as shown below.
After pausing, we looked at this value, single-stepped through this part, and found that we were back at this block. The value can then be generated normally, but some versions have deprecated it. You can ignore the warning message.
This part is the interpreter. It is extracted in full and the environment is supplemented. The specific environment detection is as follows.


Final words:
My writing level is limited. If any explanations are incomplete or wrong, please give me some advice in the comment area so we can make progress together. If you need to discuss the code or the explanation, you can add me on WeChat 18847868809

Origin blog.csdn.net/m0_52336378/article/details/133100796