Netease game login password encryption crack test

I have been busy lately and updates have been slow. Today I finally had time to browse a bit, and on a whim I opened the official site of a childhood game, Dahua Westward Journey (大话西游). On the login page I could not resist pressing F12, and as expected the password is encrypted before it is submitted. So I waited until I had pulled the JS out before writing this up. If you find it helpful, follow the Knowledge Graph and Big Data public account; of course it does not matter if you don't.

foreword

The complete JS code is available at the original link (click "read more" at the end of the article). The scheme is the familiar RSA encryption. If you are interested, follow along step by step and practice; the whole process is not difficult. The login address is in the Python code in the "run" section.

straight to the point

Open the login page and enter a wrong account and password (the account in the screenshot is fictitious).

The purpose is, of course, to check whether the submitted data is encrypted and to find the submission URL, as shown below:

Scroll down a little on the right to see the submitted parameters. This time is slightly different: the parameters are not sent as FormData, but that does not affect anything, as follows:

Looking closely, pw is the encrypted password, un is the account, and the other parameters can be treated as fixed for now (this can also be confirmed by debugging). Today's target is pw. A small trick for finding where it is produced is to go in through the request's call stack (the initiator view), which shows the method names. Since we are working on the login, enter through a method whose name contains something like login, as shown below:

Once inside, you may be tempted to search for the pw keyword as usual. You can find it that way, but it took a lot of effort at the time: pw is only two letters and matches far too many other words:

See? 113 matches at once. You can click through them one by one and find it if you are careful, but it takes time. There is another way: we already know the password is encrypted, so search for words related to encryption, such as encrypt. This is a habit anyone can pick up. Try searching for encrypt:

Only 16 hits, far fewer than 113, and your hand no longer goes numb. This trick matters because you will often meet parameter names of one or two letters. Next, set breakpoints on the suspicious encrypt calls. There are three in total. Why? Look at the code below; they all look like what we are after (screenshots are a hassle, so the code is pasted directly):

n.pw = MP.encrypt2(this.__password);                          // first place
t.pw = MP.encrypt2(this.$refs.mpinput._$getValue() || "0");   // second place
t.pw = MP.encrypt2(n);                                        // third place

enter debug

With breakpoints set at the candidate points, we can debug: trigger a breakpoint (enter the account and password and click login). As expected, execution stops at one of them:

That's it. Now step into the encryption function encrypt2:

The parameter e of encrypt2 is the password you entered. After a few rounds of debugging it turns out that the parameter p passed to getPublicKey is a fixed value: a PEM-encoded public key string (the checks inside getPublicKey below make that clear). So only two main functions need to be pulled out, encrypt and getPublicKey. The value of p is shown in the figure below:

Continue running and step into getPublicKey:

    // e is the fixed PEM string p. Strips the PEM armour, base64-decodes the
    // SubjectPublicKeyInfo, checks the rsaEncryption OID and builds the key
    // from the modulus and public exponent.
    getPublicKey: function(e) {
        if (e.length < 50)
            return !1;
        if ("-----BEGIN PUBLIC KEY-----" != e.substr(0, 26))
            return !1;
        e = e.substr(26);
        if ("-----END PUBLIC KEY-----" != e.substr(e.length - 24))
            return !1;
        e = e.substr(0, e.length - 24);
        e = new ASN1Data(Base64.decode(e));       // DER parse of the base64 body
        if (e.error)
            return !1;
        e = e.data;
        // 1.2.840.113549.1.1.1 is the rsaEncryption OID
        if ("1.2.840.113549.1.1.1" == e[0][0][0])
            return new RSAPublicKey(e[0][1][0][0], e[0][1][0][1]);  // (modulus, exponent)
        else
            return !1
    }

The encrypt function:

    // e is the plaintext password, t the RSAPublicKey from getPublicKey.
    encrypt: function(e, t) {
        if (!t)
            return !1;
        var i = t.modulus.bitLength() + 7 >> 3;   // modulus length in bytes (k)
        e = this.pkcs1pad2(e, i);                 // PKCS#1 v1.5 type-2 padding with random bytes
        if (!e)
            return !1;
        e = e.modPowInt(t.encryptionExponent, t.modulus);   // m^e mod n
        if (!e)
            return !1;
        e = e.toString(16);
        for (; e.length < 2 * i; )               // left-pad hex to exactly k bytes
            e = "0" + e;
        return Base64.encode(Hex.decode(e))      // ciphertext bytes, base64-encoded
    }

At this point you should know what to pull out: the helpers used by getPublicKey and encrypt, such as Base64.decode, Hex.decode, ASN1Data, RSAPublicKey, pkcs1pad2 and the BigInteger methods (bitLength, modPowInt, toString(16)). The difficulty is that these methods call yet more methods; the easy part is that they are basically all located together. A small tip for cutting code: once you find the function you want, click its opening curly brace and the editor underlines the matching closing brace, so you can see exactly where to cut.

I will not list all the code here. If you are interested, follow the Knowledge Graph and Big Data public account, find this article, and click the original link at the end to see the complete JS code.

run

I believe everyone can pull it out. Once it is pulled out, you can run it from Python. The code (from the early days, so very basic):

import execjs

# Login URL: http://xy2.netease.com/member.php?mod=logging&action=login

# Load the JS pulled out of the site (getPublicKey, encrypt and their helpers,
# wrapped in an entry point named get_pwd inside dahuaxiyou.js).
with open('..//js//dahuaxiyou.js', encoding='utf-8') as f:
    dahuaxiyou = f.read()
js = execjs.compile(dahuaxiyou)

# Encrypt a test password the same way the browser does for the pw parameter.
pw = js.call('get_pwd', "qwerqwrqrq")
print(pw)

The result is a base64 string like the pw seen in the request. Note that it differs on every run, because pkcs1pad2 fills the padding with random bytes, so you cannot compare two outputs directly; the check is whether the server accepts it.

Finish

Pulling out the RSA code takes a little more time than md5, but with care you can do it. If you cannot, read the original at the end of the article. If you find this helpful, follow the Knowledge Graph and Big Data public account, which has many articles on pulling out JS code. Of course, it does not matter if you don't.

Tags: crawler

Posted by Angry Lettuce on Wed, 11 May 2022 12:48:20 +0300