
[JS reverse hundred examples] XHR breakpoint debugging, steam login reverse

2021-09-15 08:12:35 K Brother Crawler

Statement

Everything in this article is for learning and exchange only. The captured packets, sensitive URLs and data interfaces have all been desensitized. Use for commercial or illegal purposes is strictly prohibited; the author bears no responsibility for any consequences. If there is any infringement, please contact me to delete it!

Reverse target

  • Target: Steam login
  • Home page: aHR0cHM6Ly9zdG9yZS5zdGVhbXBvd2VyZWQuY29tL2xvZ2lu
  • Interface: aHR0cHM6Ly9zdG9yZS5zdGVhbXBvd2VyZWQuY29tL2xvZ2luL2RvbG9naW4v
  • Reversed parameters (Form Data):

    password: MzX419b8uvaNe//lkf+15sx6hnLD/L1BX......
    captchagid: 5718995253934681478
    rsatimestamp: 374533150000

Reverse process

Packet capture analysis

Go to the Steam login page, enter any account and password, and log in. The login interface captured is aHR0cHM6Ly9zdG9yZS5zdGVhbXBvd2VyZWQuY29tL2xvZ2luL2RvbG9naW4v, a POST request. In its Form Data, donotcache is a 13-digit timestamp, password is the encrypted password, captchagid and rsatimestamp are unknown for now, and captcha_text is the captcha:

(Figure 01.png)

Notice that just above the login request there is one more request, getrsakey, which is obviously related to RSA encryption and should be fetching something like the public key. Its return value looks like this:

{
  "success":true,
  "publickey_mod":"b1ae3215684fd66207415e39810dcbda75c143dc8c4497994db51591ed5bd17dbaf75e1e......",
  "publickey_exp":"010001",
  "timestamp":"288093900000",
  "token_gid":"c304e76a58481ad12"
}

(Figure 02.png)

Here you can see that the rsatimestamp parameter of the login request is this timestamp; the other fields are used later.

Locating with XHR breakpoints

In this example we use XHR breakpoints to locate the encryption. First, what is XHR? XHR is short for XMLHttpRequest. With XHR a page can be updated without reloading, and data can be requested from and received from the server after the page has loaded. It is the basis of Ajax and a special type of Ajax request; the browser console can filter for XHR requests.

Since this is an XHR breakpoint, the method only works for XHR requests, which is its disadvantage. The location reached through an XHR breakpoint is usually after the encryption has completed and the request is about to be sent; the advantage is that from there we can walk the call stack and easily find where the encryption happens.

There are two ways to set an XHR breakpoint. The first: after finding the request URL, take part of the URL and, in the Sources panel, under XHR/fetch Breakpoints on the right, add the URL fragment you picked out. As shown in the figure below, the breakpoint is hit:

(Figure 03.png)

The second method: in the Network panel, click XHR to filter XHR requests. In the Initiator column you can see the JS that made the call; hovering over it shows the call stack, and clicking the first entry takes you to where the request is sent, the same location as with the first method. Note that the XHR filter is not always accurate, but as long as the JS is visible in Initiator, you can step in and debug. If the request was sent through a form submission or some other way, the Initiator column shows Other and this method cannot be used.

(Figure 04.png)

Parameter reversing

Whichever of the two XHR methods you use, the location is the same. Look at the Call Stack on the right and step up through the calling functions one by one. In login.js you will find the statement var encryptedPassword = RSA.encrypt(password, pubKey);, which is obviously RSA encryption:

(Figure 05.png)

The key code can be rewritten for local debugging:

function getEncryptedPassword(password, results) {
    var pubKey = RSA.getPublicKey(results.publickey_mod, results.publickey_exp);
    password = password.replace(/[^\x00-\x7F]/g, '');
    var encryptedPassword = RSA.encrypt(password, pubKey);
    return encryptedPassword
}

After finding the encryption location, set a breakpoint there, disable the XHR breakpoint and debug again. You can see that results is the data returned by the earlier getrsakey request:

(Figure 06.png)

RSA.getPublicKey and RSA.encrypt are the getPublicKey and encrypt methods of the RSA object in rsa.js:

(Figure 07.png)

(Figure 08.png)

(Figure 09.png)

Copy the whole of rsa.js for local debugging; it will complain that BigInteger is undefined. Hover over it and you will see it comes from jsbn.js. Pulling out functions one at a time is tedious, so copy the whole jsbn.js file:

(Figure 10.png)

(Figure 11.png)
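The same password encryption done natively in Python, as an added example rather than the page's or Steam's own code: it assumes, from the jsbn rsa.js the page points to, that RSA.encrypt applies PKCS#1 v1.5 type-2 padding to the ASCII-stripped password and Base64-encodes the raw RSA output, which lets the login script drop execjs and jsbn.js entirely. The key pair TEST_P/TEST_Q is constructed from two Mersenne primes only so the result can be decrypted and checked locally; in real use publickey_mod and publickey_exp come from the getrsakey response.

```python
import base64
import secrets

# Constructed test key pair (two Mersenne primes), only so the output can be
# decrypted locally; the real modulus is publickey_mod from getrsakey.
TEST_P = 2**127 - 1
TEST_Q = 2**89 - 1
TEST_E_HEX = "010001"  # same exponent Steam returns as publickey_exp


def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """PKCS#1 v1.5 type-2 block: 00 02 <non-zero random bytes> 00 <message>."""
    if len(message) > k - 11:
        raise ValueError("message too long for this modulus")
    pad = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(message) - 3))
    return b"\x00\x02" + pad + b"\x00" + message


def pkcs1_v15_unpad(block: bytes) -> bytes:
    """Reverse of pkcs1_v15_pad; used here only to verify the example."""
    if block[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    return block[block.index(b"\x00", 2) + 1:]


def encrypt_steam_password(password: str, publickey_mod: str, publickey_exp: str) -> str:
    """Mirror of getEncryptedPassword: strip non-ASCII, pad, RSA, Base64."""
    n = int(publickey_mod, 16)
    e = int(publickey_exp, 16)
    k = (n.bit_length() + 7) // 8                         # modulus length in bytes
    cleaned = password.encode("ascii", errors="ignore")   # JS: replace(/[^\x00-\x7F]/g, '')
    m = int.from_bytes(pkcs1_v15_pad(cleaned, k), "big")
    c = pow(m, e, n)
    return base64.b64encode(c.to_bytes(k, "big")).decode("ascii")


def decrypt_with_private_key(ciphertext_b64: str, n: int, d: int) -> bytes:
    """Round-trip check with the test private exponent (Steam keeps the real one)."""
    k = (n.bit_length() + 7) // 8
    c = int.from_bytes(base64.b64decode(ciphertext_b64), "big")
    return pkcs1_v15_unpad(pow(c, d, n).to_bytes(k, "big"))


def round_trip(password: str) -> bytes:
    """Encrypt with the constructed public key, decrypt with its private exponent."""
    n = TEST_P * TEST_Q
    d = pow(int(TEST_E_HEX, 16), -1, (TEST_P - 1) * (TEST_Q - 1))
    return decrypt_with_private_key(encrypt_steam_password(password, format(n, "x"), TEST_E_HEX), n, d)


if __name__ == "__main__":
    print(encrypt_steam_password("12345678", format(TEST_P * TEST_Q, "x"), TEST_E_HEX))
```

Because the padding is random, two encryptions of the same password give different Base64 strings, which is why the captured password value never repeats between logins.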

Complete code

Follow K Brother Crawler on GitHub for more crawler-related code! Stars welcome! https://github.com/kgepachong/

Only part of the key code is shown below; it cannot be run directly! Full code repository: https://github.com/kgepachong...

JavaScript encryption key code structure

navigator = {};

var dbits;

// JavaScript engine analysis
var canary = 0xdeadbeefcafe;
var j_lm = ((canary & 0xffffff) == 0xefcafe);

// (public) Constructor
function BigInteger(a, b, c) {}

// return new, unset BigInteger
function nbi() {}

// am: Compute w_j += (x*this_i), propagate carries,
// c is initial carry, returns final carry.
// c < 3*dvalue, x < 2*dvalue, this_i < dvalue
// We need to select the fastest one that works in this environment.

// am1: use a single mult and divide to get the high bits,
// max digit bits should be 26 because
// max internal value = 2*dvalue^2-2*dvalue (< 2^53)
function am1(i, x, w, j, c, n) {}

// N functions omitted here

var RSAPublicKey = function ($modulus_hex, $encryptionExponent_hex) {};

var Base64 = {};

var Hex = {};

var RSA = {};

function getEncryptedPassword(password, results) {
    var pubKey = RSA.getPublicKey(results.publickey_mod, results.publickey_exp);
    password = password.replace(/[^\x00-\x7F]/g, '');
    var encryptedPassword = RSA.encrypt(password, pubKey);
    return encryptedPassword
}

// Test sample
// var results = {
//     publickey_exp: "010001",
//     publickey_mod: "b1c6460eb07d9a6a9de07e2d7afbbe36f30b7196a4a13b7f069e8bc6be3217fe368df46ee506ad4bbaf4190a13d3937b7cc19d081fa40c3cb431d94956804b2c80aad349fa9f95254c899d905aaaab54e7bbe95159b400fde541ec6828df76f0c7a226b38651853f6cdc67dc46e7fc3253d819e0ece8aae8551a27ebbb9f8a579ba1c4f52b69fc6605c8e11b0c00e32043c7675e268815f491be48ee644670d2d632077f8ff09d7a4928e5187d6e33279760f23b0b72a4e2928154f87326e5a57541b91862b3916e4972313ad764608d9628793eef3a0a8dcdd1ab6b908d32f56f830262fd33ed6b441e6b1e0c945508461e9c083cb10d8069f9539ca70fdd33",
//     success: true,
//     timestamp: "370921200000",
//     token_gid: "3d1df3e102d1a1d2"
// }
//
// console.log(getEncryptedPassword("12345678", results))

Python login key code

#!/usr/bin/env python3
# -*- coding: utf-8 -*-


import time

import execjs
import requests
from PIL import Image


index_url = ' Desensitization treatment , Full code focus  GitHub:https://github.com/kgepachong/crawler'
login_url = ' Desensitization treatment , Full code focus  GitHub:https://github.com/kgepachong/crawler'
get_rsa_key_url = ' Desensitization treatment , Full code focus  GitHub:https://github.com/kgepachong/crawler'
render_captcha_url = ' Desensitization treatment , Full code focus  GitHub:https://github.com/kgepachong/crawler'
refresh_captcha_url = ' Desensitization treatment , Full code focus  GitHub:https://github.com/kgepachong/crawler'

headers = {
    'Host': ' Desensitization treatment , Full code focus  GitHub:https://github.com/kgepachong/crawler',
    'Origin': ' Desensitization treatment , Full code focus  GitHub:https://github.com/kgepachong/crawler',
    'Referer': ' Desensitization treatment , Full code focus  GitHub:https://github.com/kgepachong/crawler',
    'sec-ch-ua': '" Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36'
}
session = requests.session()


def get_cookies():
    response = session.get(url=index_url, headers=headers)
    cookies = response.cookies.get_dict()
    print(cookies)
    return cookies


def get_captcha(cookies):
    # First get the gid
    data = {'donotcache': str(int(time.time() * 1000))}
    refresh_captcha_response = session.post(url=refresh_captcha_url, data=data, cookies=cookies, headers=headers)
    gid = refresh_captcha_response.json()['gid']

    # Fetch the captcha image using the gid
    params = {'gid': gid}
    render_captcha_response = session.get(url=render_captcha_url, params=params, cookies=cookies, headers=headers)

    with open('code.png', 'wb') as f:
        f.write(render_captcha_response.content)
    image = Image.open('code.png')
    image.show()
    captcha = input(' Please enter the verification code : ')
    return captcha, gid


def get_rsa_key(username, cookies):
    data = {
        'donotcache': str(int(time.time() * 1000)),
        'username': username
    }
    response = session.post(url=get_rsa_key_url, data=data, cookies=cookies, headers=headers).json()
    print(response)
    return response


def get_encrypted_password(password, rsa_key_dict):
    # encrypt.js holds rsa.js + jsbn.js + getEncryptedPassword from above
    with open('encrypt.js', 'r', encoding='utf-8') as f:
        steampowered_js = f.read()
    # bug fix: the original called execjs.compile(js) with an undefined name
    encrypted_password = execjs.compile(steampowered_js).call('getEncryptedPassword', password, rsa_key_dict)
    print(encrypted_password)
    return encrypted_password


def login(username, encrypted_password, cookies, rsa_key_dict, captcha, gid):
    data = {
        'donotcache': str(int(time.time() * 1000)),
        'password': encrypted_password,
        'username': username,
        'twofactorcode': '',
        'emailauth': '',
        'loginfriendlyname': '',
        'captchagid': gid,
        'captcha_text': captcha,
        'emailsteamid': '',
        'rsatimestamp': rsa_key_dict['timestamp'],
        'remember_login': False,
        # 'tokentype': '-1'
    }
    print(data)
    response = session.post(url=login_url, data=data, cookies=cookies, headers=headers)
    print(response.text)


def main():
    username = input(' Please enter your login account : ')
    password = input(' Please enter the login password : ')

    # Get cookies
    cookies = get_cookies()

    # Get the captcha and gid
    captcha, gid = get_captcha(cookies)

    # Get the key and other fields needed for RSA encryption
    rsa_key_dict = get_rsa_key(username, cookies)

    # Get the encrypted password
    encrypted_password = get_encrypted_password(password, rsa_key_dict)

    # Log in with the username, encrypted password, cookies, captcha, etc.
    login(username, encrypted_password, cookies, rsa_key_dict, captcha, gid)


if __name__ == '__main__':
    main()

Copyright notice
This article was written by K Brother Crawler; please include the original link when reprinting, thanks.
https://chowdera.com/2021/09/20210909134740261D.html