JS reverse---asymmetric encryption confrontation (RSA, DSA detailed explanation and case analysis)

---

Preface

Unlike symmetric encryption algorithms, asymmetric encryption algorithms require two keys: public key and private key. The public key and the private key are a pair. If the public key is used to encrypt data, only the corresponding private key can be used to decrypt it; if the private key is used to encrypt the data, then only the corresponding public key can be used to decrypt it. Decrypt. Because encryption and decryption use two different keys, this algorithm is called an asymmetric encryption algorithm.

Statement
All content in this article is only for learning and communication, and is not used for any other purpose. The complete code is not provided. The packet capture content, sensitive URLs, data interfaces, etc. have been processed Desensitization, commercial and illegal use is strictly prohibited, otherwise the author has nothing to do with any consequences arising therefrom!
This article is prohibited from being reproduced without permission, and is prohibited from being redistributed after any modification. The author is not responsible for any accidents caused by the unauthorized use of the technology explained in this article. If there is any infringement, please contact the author immediately Delete

1. Introduction to asymmetric encryption

• Common asymmetric encryption algorithms are RSA and DSA.
• The private key of the asymmetric encryption algorithm is held by the data recipient and will not be transmitted on the network, ensuring the security of the key.
• Asymmetric encryption algorithms are usually more computationally complex than symmetric encryption algorithms and have high performance consumption.
• Asymmetric encryption algorithms can be used for digital signatures.
  
• Common asymmetric encryption algorithms are RSA and DSA.
• The private key of the asymmetric encryption algorithm is held by the data recipient and will not be transmitted on the network, ensuring the security of the key.
• Asymmetric encryption algorithms are usually more computationally complex than symmetric encryption algorithms and have high performance consumption.
• Asymmetric encryption algorithms can be used for digital signatures.
• When used, public key encryption is used and private key decryption is used. The public key can be made public and the private key is kept by itself.
• The strength of the algorithm is complex, and security depends on the algorithm and key. However, due to the complexity of the algorithm, the encryption and decryption speed is slower than symmetric encryption.

2. Asymmetric features

Common JavaScript debugging algorithms

• Search keywords new JSEncrypt(), JSEncrypt, etc. Generally, the JSEncrypt library will be used, and there will be an operation of new an instance object;
• Search for the keywords setPublicKey, setKey, setPrivateKey, getPublicKey, etc. Generally, the implemented code contains the process of setting the key.

The private key, public key, plaintext, and ciphertext lengths of RSA also have a certain corresponding relationship, and you can also make a preliminary judgment from this aspect:

Private key length	Public key length	Plaintext length	Ciphertext length
428	128	1~53	88
812	216	1~117	172
1588	392	1~245	344

1. Javascript implementation

// npm install node-rsa --save
// 引用 node-rsa 加密模块
var NodeRSA = require('node-rsa');

function rsaEncrypt() {
    
    
    pubKey = new NodeRSA(publicKey,'pkcs8-public');
    var encryptedData = pubKey.encrypt(text, 'base64');
    return encryptedData
}

function rsaDecrypt() {
    
    
    priKey = new NodeRSA(privatekey,'pkcs8-private');
    var decryptedData = priKey.decrypt(encryptedData, 'utf8');
    return decryptedData
}

var key = new NodeRSA({
    
    b: 512});                    //生成512位秘钥
var publicKey = key.exportKey('pkcs8-public');    //导出公钥
var privatekey = key.exportKey('pkcs8-private');  //导出私钥
var text = "I love Python!"

var encryptedData = rsaEncrypt()
var decryptedData = rsaDecrypt()

console.log("公钥:\n", publicKey)
console.log("私钥:\n", privatekey)
console.log("加密字符串: ", encryptedData)
console.log("解密字符串: ", decryptedData)

2. python implementation

Module:rsa

import rsa
import base64

def rsa_encrypt(pu_key, t):
    # 公钥加密
    rsas = rsa.encrypt(t.encode("utf-8"), pu_key)
    return base64.b64encode(rsas)

def rsa_decrypt(pr_key, t):
    # 私钥解密
    rsas = rsa.decrypt(base64.b64decode(t), pr_key).decode("utf-8")
    return rsas

if __name__ == "__main__":
    public_key, private_key = rsa.newkeys(512)   # 生成公钥、私钥
    print('公钥：', public_key)
    print('私钥：', private_key)
    text = 'I love Python!'  # 加密对象
    encrypted_str = rsa_encrypt(public_key, text)
    print('加密字符串：', encrypted_str)
    decrypted_str = rsa_decrypt(private_key, encrypted_str)
    print('解密字符串：', decrypted_str)

3. Case analysis

1. RSA reverse analysis

• Reverse goal: Fangtianxia login
• Reverse parameter: form data

First perform packet capture analysis

Then enter the source code directly from the launcher

If you feel that you have found the form information, break the point and test it. We paused and tested the code to see if it is the data pwd we need

Basic confirmation, this is the location we need, search for key_to_encode

Then analyze the encryptedString algorithm part



and determine that the encryption part of the algorithm is the JS part
There are only more than 400 lines in total, so I chose to deduct all JS
Result Test

2. Multi-layer nested encryption case analysis

• Reverse goal: Microflow cloud platform login

Analyze the target, capture the packet, and find that there are two addresses that need to be analyzed

After checking and analyzing, it is found that the address Token contains the parameter address code to return the public key and item2 parameters a>


Analyze the Token and log in directly from the launcher
Directly see the encryption part at a glance
Set breakpoints for debugging and analysis< /span> to test the result< /span> and pass it in pull the slider to get the background public key item1 and item2 with time and reverse analyzed. Just is the part we need to reverse. Obviously, after password is encrypted by sha512, it is encrypted by RSA. var encrypted = encrypt.encrypt(pubCode + sha512(password)); encrypt.setPublicKey(pub);

var encrypt = new JSEncrypt();

Summary process notes:

https://api.wei-liu.com/api/v1/Token/code
item1: “-----BEGIN PUBLIC KEY-----\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo0nnZ/9wVN7HV/VeepE3\r\nIVAlAT6n1fmkXrHxbA08Olv+nYp7QlTW3heOEsOWTEMKRcYU1xAIMwt7pZ+qbyFD\r\nitnHkQUqneYs6PKeK2nDxGXR4MIRUz/MFJ4I3QRzmmklFPkJpfxnL0HnwNHw0fm4\r\nuX3GD9qxEcVsqSdhQMvgrW7gFQMD9tSiaXflgyQv1CZjCPNW2xSpWVoFl0+ODpFT\r\nsEmEt+uRiBD1ZVJnTVTCI0txqFLzFw/JwhUcUgflFRovtkcXTU+8aUCtnAAW019U\r\n5Anw6S4S6Ct2PTO0ZFwRNgjboRmT/0x/zdUfn/h6otQSllRfdqF1RVG4HoDf1U0s\r\neQIDAQAB\r\n-----END
PUBLIC KEY-----”
item2: “fcb20f51535b41179e2facaa4c7147df”

Analyze JS and confirm the analysis location

var encrypt = new JSEncrypt(); encrypt.setPublicKey(pub); var
encrypted = encrypt.encrypt(pubCode + sha512(password));

Basically, it can be confirmed that item1 is a public key file. After analyzing JS, we can get that pubcode is the parameter passed in by item2. That is, these two parameters are returned by the backend.

It was found that this case is multi-layer nested encryption sha512+RSA encryption

Write at the end:
My writing level is limited. If there are any explanations that are not in place or wrong, please give me some advice in the comment area and we can make progress together. If there is any If you need code and explanation communication, you can add me on WeChat 18847868809