Analysis of a certain line of webpack encryption algorithm

The goal this time is to analyze the encryption algorithm of a certain shopping website. The website is as follows:

aHR0cHM6Ly93d3cuemtoLmNvbS8=

(Note: The site's JavaScript is bundled with webpack, but this article neither extracts the JS code nor patches up a browser environment. In the end the site uses standard encryption algorithms, so the implementation here works purely at the algorithm level.)

After entering the website, search for any keyword, open the network panel, and pick any request. This one appears to be the request that displays prices. Both the parameters sent and the parameters returned are encrypted, so the request has to be encrypted before it is sent and the returned string has to be decrypted to get the result. First, we search for the keywords to see whether there are any results.

The search returns hits. Going through them in turn, one location looks very suspicious, and it also contains the encryption of the request headers. After setting a breakpoint here and hitting it, we find that this is the encryption of the request parameters, and what gets encrypted is the list of product numbers. Readers with a foundation in cryptography will know that ECB mode with Pkcs7 padding indicates symmetric encryption, and AES is generally the most commonly used symmetric cipher on encrypted websites. Following the stack confirms that it is indeed AES. I will not trace the search process here. We restore this encryption in JS; the code is as follows:

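const crypto = require('crypto');

// PKCS7 padding: append N bytes of value N so the length is a multiple of 16
function padString(data) {
  const blockSize = 16;
  const bytes = Buffer.from(data, 'utf8');
  // Pad on the byte length, not the string length, so non-ASCII input pads correctly
  const paddingSize = blockSize - (bytes.length % blockSize);
  const padding = Buffer.alloc(paddingSize, paddingSize);
  return Buffer.concat([bytes, padding]);
}

// AES-256-ECB encryption; the key must be 32 bytes, the output is base64
function aesEncrypt(plainText, key) {
  const iv = Buffer.alloc(0); // ECB mode does not need an IV
  const cipher = crypto.createCipheriv('aes-256-ecb', key, iv);
  cipher.setAutoPadding(false); // padding is applied manually by padString
  const paddedText = padString(plainText);
  let encrypted = cipher.update(paddedText, 'utf8', 'base64');
  encrypted += cipher.final('base64');
  return encrypted;
}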

Next, we look at how x-akac and x-rgn change in the headers and find that the encryption library JSEncrypt is used here. Following the stack, we find that it is RSA encryption, the public key is fixed, and the x-rgn parameter is a timestamp. We restore this code as well:

// jsencrypt expects a browser `window` global; stub it when running under Node
global.window = {};
const jsencrypt = require('jsencrypt');

// RSA-encrypt N with the fixed public key found on the site
function rsaenc(N) {
  const s = new jsencrypt();
  s.setPublicKey('MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCCglz4D9dnGsJbt5HIjSjuM5KqBheaRZVBczbAJ1s5lkeWoOZHA7pbTo8lph5qj9fuVnUErY+XnlpMzMp7GtmnLPioxkY7zlcvOTsK90wnBxCxKN94/OvAtX/f4QivCR80B5KZYlvj4aVUEONVNls9hP6cHvt85gPFro8oeTs4fwIDAQAB');
  const encryptedData = s.encrypt(N);
  return encryptedData;
}

At this point the encrypted parameters of the request are basically all dealt with. Next we look at how the returned parameters are decrypted. Following the stack, we find that AES is used here as well, with the same secret key that is used to send the request. This makes things easy: encrypt on the way out, then decrypt what comes back. The decryption JS code is as follows:

function aesDecrypt(encryptedData, key) {
  const iv = Buffer.alloc(0); // ECB mode does not need an IV
  const decipher = crypto.createDecipheriv('aes-256-ecb', key, iv);
  // Auto padding stays on so the PKCS7 padding is stripped from the result
  let decrypted = decipher.update(encryptedData, 'base64', 'utf8');
  decrypted += decipher.final('utf8');
  return decrypted;
}
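Added example (not code from the original post or from the site): the scheme recovered above is AES-256-ECB with PKCS7 padding in both directions, and ECB maps equal 16-byte plaintext blocks to equal ciphertext blocks. The sketch below shows that leak on a constructed product-number list and contrasts it with AES-256-GCM; the key, the payload and all helper names are made up for illustration.

```javascript
const nodeCrypto = require('node:crypto');
const BLOCK = 16; // AES block size in bytes

// AES-256-ECB with PKCS7 padding (Node's default auto padding).
function ecbEncrypt(plainText, key) {
  const cipher = nodeCrypto.createCipheriv('aes-256-ecb', key, null);
  return Buffer.concat([cipher.update(plainText, 'utf8'), cipher.final()]);
}

// Indices of ciphertext blocks that repeat an earlier block. Under ECB each
// repeat means the two underlying plaintext blocks were identical.
function repeatedBlocks(buf) {
  const seen = new Set();
  const repeats = [];
  for (let i = 0; i < buf.length; i += BLOCK) {
    const hex = buf.subarray(i, i + BLOCK).toString('hex');
    if (seen.has(hex)) repeats.push(i / BLOCK);
    seen.add(hex);
  }
  return repeats;
}

// Contrast: AES-256-GCM, fresh 12-byte nonce per message; returns nonce || ciphertext || tag.
function gcmEncrypt(plainText, key) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plainText, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]);
}

// Splits nonce || ciphertext || tag; final() throws if anything was modified.
function gcmDecrypt(packed, key) {
  const nonce = packed.subarray(0, 12);
  const tag = packed.subarray(packed.length - 16);
  const body = packed.subarray(12, packed.length - 16);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Constructed sample: random key and a made-up product-number list whose
// entries are exactly 16 bytes each, so every entry fills one AES block.
const demoKey = nodeCrypto.randomBytes(32);
const demoPayload = ['SKU-0000000001;;', 'SKU-0000000002;;', 'SKU-0000000001;;'].join('');
const demoGcm = gcmEncrypt(demoPayload, demoKey);
console.log('ECB repeated blocks:', repeatedBlocks(ecbEncrypt(demoPayload, demoKey)));
console.log('GCM repeated blocks:', repeatedBlocks(demoGcm.subarray(12, demoGcm.length - 16)));
console.log('GCM round trip ok:', gcmDecrypt(demoGcm, demoKey) === demoPayload);
```

Because the key is delivered to the browser, neither mode hides the payload from the user of the page; the choice of mode only matters against a party who sees the traffic without the key.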

Finally, after assembling the code in Python, the request returned the correct result. **(Note that the fixed secret key mentioned in the analysis steps above may be tied to the current session and is not necessarily fixed. This article only analyzes the overall encryption steps.)**

Success!!

Origin blog.csdn.net/qq_36551453/article/details/134919470