[100 JS Reverse-Engineering Examples] PEDATA encrypted news data and the use of zlib.gunzipSync()
2022-06-23 17:41:00 【Brother K reptile】
Statement
All content in this article is for learning and exchange only. Captured traffic, sensitive URLs and data interfaces have all been desensitized. Use for commercial or illegal purposes is strictly prohibited; the author bears no responsibility for any consequences of such use. If anything here infringes your rights, please contact me and I will delete it!
Reverse target
- Target: the news feed of PEDATA MAX, a SaaS system for the investment field; the returned results are encrypted
- Home page: aHR0cHM6Ly9tYXgucGVkYXRhLmNuL2NsaWVudC9uZXdzL25ld3NmbGFzaA==
- Interface: aHR0cHM6Ly9tYXgucGVkYXRhLmNuL2FwaS9xNHgvbmV3c2ZsYXNoL2xpc3Q=
- Parameter to reverse: the encrypted result returned by the request, data: "L+o+YmIyNDE..."
Packet capture analysis
On the home page, click through to view all 24-hour news and scroll down. The news is loaded via Ajax, so filter by XHR in the developer tools and it is easy to find a list request. The data value it returns is an encrypted string. It is not yet clear what exor is, but it may be useful later; ts is a timestamp.
There is nothing special in the Payload parameters, just paging information. Now look at the request headers and note two parameters, Cookie and HTTP-X-TOKEN. This page requires login. Generally a Cookie is what identifies different users, but K's testing found that in this case the HTTP-X-TOKEN parameter identifies the user, so the Cookie is not needed. As an aside, the Hm_lvt_xxx and Hm_lpvt_xxx values we often see in Cookies are used for Baidu Union advertising statistics and have nothing to do with crawling.
Reversing the encryption
Note that the response is a dictionary, so after the encrypted data is received there must be a step that reads values out of it. We therefore search directly for the key names; searching for exor gives only one result.
Here e.data is the returned dictionary, and e.data.data and e.data.exor read the encrypted value and exor. We can guess that the encrypted value is taken out in order to decrypt it, so we set a breakpoint at the end of this function and check whether the value of data has become plaintext once this code has run.
As expected, Object(p["y"])(e.data.data, e.data.exor) is the decryption call; Object(p["y"]) actually calls the M method. Step into it to have a look.
The t and n passed in are the encrypted value and exor, and the JSON.parse(c) returned at the end is the decryption result.
Key code:
function M(t, n) {
    var a = L(Object(s["a"])(), n)
      , r = Y(B(t), a)
      , c = o.a.gunzipSync(e.from(r)).toString("utf-8");
    return JSON.parse(c)
}
Going through it function by function (the simple ones need no comment): select Object(s["a"]) and you will see that it actually calls the c method. Following c shows that it reads loginToken, and this loginToken is the HTTP-X-TOKEN from the request header analysed earlier, which contains your login information.
Background: the window.localStorage property stores data in the browser as key-value pairs. localStorage is similar to sessionStorage; the difference is that data in localStorage is kept for a long time with no expiry until it is deleted manually, while sessionStorage data is kept only for the current session and is deleted when the window or tab is closed.
Further down there is an o.a.gunzipSync(). Set it aside for now and look first at the argument passed in, e.from(r). Stepping into it may not reveal much, but comparing r and e.from(r) directly shows that both are Uint8Array data and are identical.
Now look at o.a.gunzipSync(). It actually calls an anonymous function in chunk-vendors.js. It does not matter if you do not know this JS file. Note that chunk-vendors.js has more than 140,000 lines; together with the odd name ("vendors"), it is not hard to guess that this JS is generated by a framework or a third party. In fact it is a file created when a Vue application is built. For us crawler engineers it is enough to think of it as something like jquery.js: we would not normally extract code from inside jquery.js, and likewise it is not practical to extract code from chunk-vendors.js by brute force.
Focus on the function name, gunzipSync. Even if the rest is unfamiliar, zip is recognisable and suggests compression. If you do not know it, just search Baidu.
The search results directly give the Node.js implementation, which uses the zlib module. Find an example to see how it is used:
var zlib = require('zlib');
var input = "Nidhi";
// Compress, then decompress again to confirm the round trip
var gzi = zlib.gzipSync(input);
var decom = zlib.gunzipSync(Buffer.from(gzi)).toString();
console.log(decom);
Reading further, zlib.gunzipSync() is a built-in API of the zlib module that decompresses a chunk of data with Gunzip. The input can be a Buffer, TypedArray, DataView, ArrayBuffer or string. The update history in the official documentation shows that from v8.0.0 onward the input can also be a Uint8Array.
Combined with the earlier analysis of the r value, in Node.js we can pass r directly to zlib.gunzipSync(). Extract the three methods L, Y and B, use the zlib library, and rewrite the function to get the decompressed data:
function getDecryptedData(encryptedData, exor, loginToken) {
    var a = L(loginToken, exor);
    var r = Y(B(encryptedData), a);
    var decryptedData = zlib.gunzipSync(r).toString();
    return decryptedData
}
Complete code
Only part of the key code is shown below and it cannot be run directly! Full code repository: https://github.com/kgepachong/crawler/
JavaScript Encryption code
/* ==================================
# @Time : 2021-12-31
# @Author : WeChat official account :K Brother reptile
# @FileName: main.js
# @Software: PyCharm
# ================================== */
var zlib = require('zlib');

// Build the XOR key: t (exor) is a string of two-digit indices into e (the login token);
// an exor of "1" selects a fixed key.
function L(e, t) {
    if ("1" == t)
        return [7, 65, 75, 31, 71, 101, 57, 0];
    for (var n = [], a = 0, r = t.length; a < r; a += 2)
        n.push(e.substr(1 * t.substr(a, 2), 1).charCodeAt());
    return n
}

// XOR each character code of e with the repeating key t and return a Uint8Array
function Y(e, t) {
    for (var n, a = new Uint8Array(e.length), r = 0, c = e.length; r < c; r++)
        n = t[r % t.length],
        a[r] = e[r].charCodeAt() ^ n;
    return a
}

// Base64-decode e into a binary string
function B(e) {
    var t, n, a, r, c, u, i, o = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", s = "", f = 0;
    e = e.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    while (f < e.length)
        r = o.indexOf(e.charAt(f++)),
        c = o.indexOf(e.charAt(f++)),
        u = o.indexOf(e.charAt(f++)),
        i = o.indexOf(e.charAt(f++)),
        t = r << 2 | c >> 4,
        n = (15 & c) << 4 | u >> 2,
        a = (3 & u) << 6 | i,
        s += String.fromCharCode(t),
        64 != u && (s += String.fromCharCode(n)),
        64 != i && (s += String.fromCharCode(a));
    return s
}

// Base64 decode -> XOR with the derived key -> gunzip
function getDecryptedData(encryptedData, exor, loginToken) {
    var a = L(loginToken, exor);
    var r = Y(B(encryptedData), a);
    var decryptedData = zlib.gunzipSync(r).toString();
    return decryptedData
}
Python Sample code
# ==================================
# --*-- coding: utf-8 --*--
# @Time : 2021-12-31
# @Author : WeChat official account :K Brother reptile
# @FileName: main.py
# @Software: PyCharm
# ==================================
import execjs
import requests
news_est_url = " Desensitization treatment , Full code focus GitHub:https://github.com/kgepachong/crawler"
login_token = "token Replace it with your own !"
headers = {
    "Accept": "application/json, text/plain, */*",
    "Content-Type": "application/json",
    "Host": " Desensitization treatment , Full code focus GitHub:https://github.com/kgepachong/crawler",
    "HTTP-X-TOKEN": login_token,
    "Origin": " Desensitization treatment , Full code focus GitHub:https://github.com/kgepachong/crawler",
    "Referer": " Desensitization treatment , Full code focus GitHub:https://github.com/kgepachong/crawler",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"
}


def get_decrypted_data(encrypted_data, exor):
    # pedata_decrypt.js holds the JavaScript code above; execjs runs getDecryptedData in it
    with open('pedata_decrypt.js', 'r', encoding='utf-8') as f:
        pedata_js = f.read()
    decrypted_data = execjs.compile(pedata_js).call('getDecryptedData', encrypted_data, exor, login_token)
    return decrypted_data


def get_encrypted_data():
    # Request body: paging information only
    data = {
        "type": "",
        "module": "LP",
        "page":
            {
                "currentPage": 1,
                "pageSize": 10
            }
    }
    response = requests.post(url=news_est_url, headers=headers, json=data).json()
    # The response carries the encrypted string and the exor value needed to decode it
    encrypted_data, exor = response["data"], response["exor"]
    return encrypted_data, exor


def main():
    encrypted_data, exor = get_encrypted_data()
    decrypted_data = get_decrypted_data(encrypted_data, exor)
    print(decrypted_data)


if __name__ == '__main__':
    main()
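
The decoding order worked out above (base64, repeating-key XOR with a key picked out of loginToken by exor, then gunzip), as an added, self-contained Node.js example that is not from the original article or the site. The function names, sample token, exor and payload are constructed; unlike the original L and Y, it rejects out-of-range exor indices and checks for the gzip header after the XOR step.

```javascript
const zlib = require('zlib');

// Key derivation as in L(): exor holds two-digit decimal indices into the token;
// exor "1" selects the fixed key. Unlike L(), bad indices raise an error.
function deriveKey(token, exor) {
  if (exor === '1') return [7, 65, 75, 31, 71, 101, 57, 0];
  const key = [];
  for (let i = 0; i < exor.length; i += 2) {
    const idx = Number(exor.slice(i, i + 2));
    if (!(idx >= 0 && idx < token.length)) throw new Error(`index ${idx} is outside the token`);
    key.push(token.charCodeAt(idx));
  }
  if (key.length === 0) throw new Error('empty key');
  return key;
}

// Repeating-key XOR as in Y(); applying it twice restores the input.
function xorBytes(bytes, key) {
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ key[i % key.length];
  return out;
}

// Decode in the order M() uses: base64 -> XOR -> gunzip -> JSON.
function decode(data, exor, token) {
  const gz = xorBytes(Buffer.from(data, 'base64'), deriveKey(token, exor));
  // A wrong token or exor is caught here: gzip streams start with 0x1f 0x8b.
  if (gz[0] !== 0x1f || gz[1] !== 0x8b) throw new Error('no gzip header after XOR');
  return JSON.parse(zlib.gunzipSync(gz).toString('utf-8'));
}

// Inverse transform, used here only to build a constructed sample payload.
function encode(obj, exor, token) {
  const gz = zlib.gzipSync(JSON.stringify(obj));
  return xorBytes(gz, deriveKey(token, exor)).toString('base64');
}

// Constructed sample values (not a real token or site data).
const SAMPLE_TOKEN = 'constructed-login-token-0123456789abcdef';
const SAMPLE_EXOR = '0317052911'; // indices 3, 17, 5, 29, 11
const SAMPLE = { total: 1, list: [{ id: 1, title: 'constructed headline' }] };
const WIRE = encode(SAMPLE, SAMPLE_EXOR, SAMPLE_TOKEN);
console.log(decode(WIRE, SAMPLE_EXOR, SAMPLE_TOKEN));
```

Because the key is read from the caller's own token and the XOR is undone by repeating it, this step hides the response from casual inspection but adds no secrecy against an authenticated client.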