JS reverse analysis of HMAC encryption and wasm module encryption of a certain branch network

This is an example of a JS reverse-engineering exercise I worked through successfully in 2022. URL (desensitized, Base64-encoded): aHR0cHM6Ly93d3cuZ2R0di5jbi9hdWRpb0NoYW5uZWxEZXRhaWwvOTE=

Reverse analysis:

1. The headers carried by each XHR GET request include:

{
    "X-ITOUCHTV-Ca-Timestamp": "1697608868940",
    "X-ITOUCHTV-Ca-Signature": "hGlre/JKwbHvCWLpO5JQdUHF7nP4HiaA5ya1DenJToA=",
    "X-ITOUCHTV-Ca-Key": "89541443007807288657755311869534",
    "X-ITOUCHTV-CLIENT": "WEB_PC",
    "X-ITOUCHTV-DEVICE-ID": "WEB_1c2f8b90-6bd8-11ee-96e0-5bc8d7091aa8"
}

2. The website's JS is bundled with webpack. Locate the signing logic that builds the headers:

this.s = function(t, n, a) {
    var s = i.default.getUser
      , u = i.default.getJWT
      , c = i.default.getDeviceId
      , d = (new Date).getTime()
      , f = {}
      , p = ""
      , _ = "";
    a && (p = (0,
    r.default)(a),
    _ = l.default.stringify(p));
    var m = "".concat(t, "\n").concat(n, "\n").concat(d, "\n").concat(_);
    return f = {
        "Content-Type": "application/json",
        "X-ITOUCHTV-Ca-Timestamp": d,
        "X-ITOUCHTV-Ca-Signature": l.default.stringify((0,
        o.default)(m, "dfkcY1c3sfuw0Cii9DWjOUO3iQy2hqlDxyvDXd1oVMxwYAJSgeB6phO8eW1dfuwX")),
        "X-ITOUCHTV-Ca-Key": "89541443007807288657755311869534",
        "X-ITOUCHTV-CLIENT": "WEB_PC",
        "X-ITOUCHTV-DEVICE-ID": e.__DEVICEID__ || c()
    },
    u() && (f.Authorization = u()),
    s() && s().pk && (f["X-ITOUCHTV-USER-PK"] = s().pk),
    e.__X_FORWARDED_FOR__ && (f["X-Forwarded-For"] = e.__X_FORWARDED_FOR__),
    f
};

3. Preliminary analysis:

(1) X-ITOUCHTV-Ca-Timestamp is a millisecond timestamp (d = (new Date).getTime()).

(2) X-ITOUCHTV-Ca-Key is the fixed value "89541443007807288657755311869534" and can simply be hard-coded.

(3) "X-ITOUCHTV-CLIENT": "WEB_PC" is also hard-coded.

(4) X-ITOUCHTV-DEVICE-ID is a device UUID. Any string is accepted, but the site requires it to start with "WEB_", for example WEB_9527-3547-709394.

(5) X-ITOUCHTV-Ca-Signature is the crucial value, the request signature:

l.default.stringify((0, o.default)(m, "dfkcY1c3sfuw0Cii9DWjOUO3iQy2hqlDxyvDXd1oVMxwYAJSgeB6phO8eW1dfuwX"))

The l.default.stringify wrapper only Base64-encodes the result, so the line reduces to: o.default(m, "dfkcY1c3sfuw0Cii9DWjOUO3iQy2hqlDxyvDXd1oVMxwYAJSgeB6phO8eW1dfuwX");

The long string is the key, and o.default computes a keyed hash over m with that key (a MAC, not encryption in the strict sense).

What is m? The line just above defines it:

var m = "".concat(t, "\n").concat(n, "\n").concat(d, "\n").concat(_);

m is a string concatenated from the values t, n, d and _. Breakpoint tracing shows that t is the HTTP method (GET, POST, OPTIONS, etc.), n is the URL, d is the timestamp, and _ is an empty string for GET requests (it is only filled when a request body a is present). Each part is joined with a newline, so for these requests the line simplifies to m = t + '\n' + n + '\n' + d + '\n'.

4. Algorithm analysis:

Trace the o.default method mentioned above with breakpoints. o comes from "o = a(n(1305))", i.e. webpack module number 1305, which reads:

function(e, _t, n) {
    var r;
    e.exports = (r = n(43),
    n(393),
    n(285),
    r.HmacSHA256)
},

That is, the signature is HMAC-SHA256 over m with the key above, and the digest is output as a Base64 string.

Take a standard Python HMAC-SHA256 snippet and try it:

import hmac
from base64 import b64encode
from hashlib import sha256


key = '。。。。。。'  # HMAC-SHA256 key
text = '。。。。。。'  # plaintext string to be signed (the m value)
# Base64(HMAC-SHA256(key, text)), the same form as X-ITOUCHTV-Ca-Signature
signature = str(b64encode(hmac.new(key.encode('utf-8'), text.encode('utf-8'), digestmod=sha256).digest()), 'utf-8')
print(signature)

Enter the plaintext and key, and the generated value matches the X-ITOUCHTV-Ca-Signature seen in the request headers in the developer tools. Fortunately, the site does not alter the standard algorithm, so the Python hmac and base64 libraries reproduce it directly.
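For the defending side, the same scheme has to be checked on the server: rebuild m from the request, recompute the HMAC, compare in constant time and reject stale timestamps so a captured signature cannot be replayed later. The following is an added example (not the post's or the site's code) using a constructed placeholder key and a constructed 5-minute window; it also makes the limitation visible: once the key ships inside the JS bundle, the signature can only deter casual scraping, it cannot authenticate the client.

```python
import hmac
import time
from base64 import b64encode
from hashlib import sha256
from typing import Dict, Optional, Tuple

# Constructed placeholder; the real site key is deliberately not reused here.
KEY = b"constructed-placeholder-key-not-the-real-one"

# Constructed policy: accept timestamps within +/- 5 minutes of the server clock.
MAX_SKEW_MS = 5 * 60 * 1000


def canonical_string(method: str, url: str, ts_ms: int, body: str = "") -> str:
    """Rebuild m exactly as the site's JS does: method\\nurl\\ntimestamp\\nbody."""
    return "".join([method, "\n", url, "\n", str(ts_ms), "\n", body])


def sign(method: str, url: str, ts_ms: int, body: str = "", key: bytes = KEY) -> str:
    """Base64(HMAC-SHA256(key, m)), the X-ITOUCHTV-Ca-Signature form."""
    msg = canonical_string(method, url, ts_ms, body).encode("utf-8")
    return b64encode(hmac.new(key, msg, sha256).digest()).decode("ascii")


def verify(headers: Dict[str, str], method: str, url: str, body: str = "",
           now_ms: Optional[int] = None, key: bytes = KEY) -> Tuple[bool, str]:
    """Server-side check: freshness window first, then constant-time MAC comparison."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        ts = int(headers["X-ITOUCHTV-Ca-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now_ms - ts) > MAX_SKEW_MS:
        return False, "timestamp outside replay window"
    expected = sign(method, url, ts, body, key)
    got = headers.get("X-ITOUCHTV-Ca-Signature", "")
    if not hmac.compare_digest(expected, got):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    ts = int(time.time() * 1000)
    hdrs = {"X-ITOUCHTV-Ca-Timestamp": str(ts),
            "X-ITOUCHTV-Ca-Signature": sign("GET", "/api/constructed", ts)}
    print(verify(hdrs, "GET", "/api/constructed"))                 # fresh, valid
    print(verify(hdrs, "GET", "/api/other"))                       # tampered URL
    print(verify(hdrs, "GET", "/api/constructed", now_ms=ts + 10 * 60 * 1000))  # replayed
```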

Updated on October 19, 2023:

The site's .js files have recently been modified. The signing logic described above no longer appears in any .js file; instead the signature is computed inside a WebAssembly (wasm) module, which raises the bar for reverse engineering.

After reverse engineering and instrumenting the wasm, I found that it is just a paper tiger: the algorithm is still HMAC-SHA256 and has not been modified. Only the key and the value of X-ITOUCHTV-Ca-Key have changed.

Friends who need the source code are welcome to contact me (WeChat: Scott373519).

Reference sources:

Python HmacSHA256 with Base64 (sha256 + base64), CSDN blog

Source: blog.csdn.net/Scott0902/article/details/133939126