JS encryption parameter positioning

When we grab the data on the web , Often encrypted parameters 、 Encrypting data , How to quickly locate these encryption and decryption functions , Particularly important . The article of this film is my reverse js It's a summary of some skills , If there is any omission , Welcome to add .

The environment required ：Chrome browser

1. Search for

1.1 Global search

It is suitable for quickly locating key files and codes according to keywords

Right click the current page -> Check , Pop up the check tool

Search support key word 、 Regular expressions

1.2 In code search

It is suitable for quickly locating key codes according to keywords

Click code , Then press ctrl+f or command+f Call up the search box . Search support key word 、css expression 、xpath

2. debug

2.1 routine debug

It is suitable for analyzing the code logic of key functions

1. Bury breakpoints

1. debugging

As shown in the figure , I marked 1 To 6, The following describes their meanings
1. Execute to the next endpoint 2. Perform the next step , It will not enter the function called 3. Go inside the called function 4. Jump out of the function 5. Step by step code execution , Encountered a function call , Then enter the function 6.Call Stack Stack information for code calls , The code is executed from bottom to top , This is very helpful for the calling relationship of key functions

2.2 XHR debug

matching url Chinese key words , If it matches, it will jump to the parameter generation , Apply to url The encryption parameters in the global search cannot be found , This can be used to intercept

2.3 Behavior debug

Applicable when clicking the button , Analyze code execution logic

As shown in the figure , You can quickly locate and click the explore button , Executed js.

3 View the stack of the request call

Can be in Network Under tabs , The requested Initiator See its call stack in the column , The call order is from top to bottom ：

4. Execute functions in heap memory

When debug To a certain function , We want to actively call , For example, pass custom parameters , At this time, it can be found in the inspection tool console Call inside

Notice here , Only debug When you type this function , Only in the console can you call . If you want to keep this function , You can use this.xxx=xxx The way . There is no need to debug To xxx function , Use it directly http://this.xxx  that will do .

5. Modify the parameter value in the stack

6. Write js Code

7. Print windows The value of the object

stay console Enter the following code , If only print _$ The variable value at the beginning

for (var p in window) {
    if (p.substr(0, 2) !== "_$") 
        continue;
    console.log(p + " >>> " + eval(p))
}

8. hook

With chrome Plug in way , Insert the keyword at the breakpoint

8.1 cookie hook

Used to locate cookie Generation location of key parameters in

var code = function(){
    var org = document.cookie.__lookupSetter__('cookie');
    document.__defineSetter__("cookie",function(cookie){
        if(cookie.indexOf('TSdc75a61a')>-1){
            debugger;
        }
        org = cookie;
    });
    document.__defineGetter__("cookie",function(){return org;});
}
var script = document.createElement('script');
script.textContent = '(' + code + ')()';
(document.head||document.documentElement).appendChild(script);
script.parentNode.removeChild(script);

When cookie There's a match in  TSdc75a61a, Insert breakpoint .

8.2 request hook

Used to locate the generation position of key parameters in the request

var code = function(){
var open = window.XMLHttpRequest.prototype.open;
window.XMLHttpRequest.prototype.open = function (method, url, async){
    if (url.indexOf("MmEwMD")>-1){
        debugger;
    }
    return open.apply(this, arguments);
};
}
var script = document.createElement('script');
script.textContent = '(' + code + ')()';
(document.head||document.documentElement).appendChild(script);
script.parentNode.removeChild(script);

When requested url It contains MmEwMD when , Insert breakpoint

8.3 header hook

Used to locate header Generation location of key parameters in

var code = function(){
var org = window.XMLHttpRequest.prototype.setRequestHeader;
window.XMLHttpRequest.prototype.setRequestHeader = function(key,value){
    if(key=='Authorization'){
        debugger;
    }
    return org.apply(this,arguments);
}
}
var script = document.createElement('script');
script.textContent = '(' + code + ')()';
(document.head||document.documentElement).appendChild(script);
script.parentNode.removeChild(script);

When header Contained in the Authorization when , Insert breakpoint

8.4 manifest.json

Plug in configuration file

{
   "name": "Injection",
    "version": "2.0",
    "description": "RequestHeader hook ",
    "manifest_version": 2,
    "content_scripts": [
        {
            "matches": [
                "<all_urls>"
            ],
            "js": [
                "inject.js"
            ],
            "all_frames": true,
            "permissions": [
                "tabs"
            ],
            "run_at": "document_start"
        }
    ]
}

Usage method

1. As shown in the figure , Create a folder , Create a hook function file in the folder inject.js And Plug in configuration file manifest.json that will do

1. open chrome Extension program , Load the unzipped extender , Select steps 1 Create a new folder

1. Switch back to the original page , Refresh the page , If hook function keyword matches , The trigger debug

9. Crack infinite debugger Anti commissioning

If you turn it on chrome Inspection tool , It is found that it is automatically disconnected to the following position , Then this method is a common anti debugging method

The corresponding cracking methods are as follows ：

9.1 Method is left blank

From the original function, we can see that this is an infinite recursive function , The purpose is when you open the inspection tool , Appear countless times debug, Stop you debug debugging . Then we can rewrite this function , stay Console Use anonymous functions in the column to re assign values to this function , This way _0x355d23 Function becomes an empty function , To crack infinite debugger Purpose

9.2 Kill the timer

It is applicable to the trigger of timer class debug

for (var i = 1; i < 99999; i++)window.clearInterval(i);

9.3 Man in the middle intercepts and replaces infinite debug function

Recommended mitmproxy Intercept

10. console Use in xpath or css

xpath: $x("your_xpath_selector")
css: $$("css_selector")

11. Network Next Filters（ filter ）

Filter box can achieve a lot of customized filtering , For example, string matching , Keywords screening, etc , Among them, keyword screening mainly includes the following （ Input - Show all ）：

1. domain： Only show resources from the specified domain . You can use wildcards （） To include multiple domains . for example ,.com Display with .com Resources in all domain names at the end . DevTools All fields it encounters are automatically populated in the autocomplete drop-down menu .
2. has-response-header： Display contains assignments HTTP Resources that respond to header information . DevTools All response headers it encounters are automatically populated in the autocomplete drop-down menu .
3. is： adopt is:running find WebSocket request .
4. larger-than( Greater than ) ： Show resources larger than the specified size （ In bytes ）. Set the value 1000 Equivalent to the set value 1k.
5. method( Method ) ： Display through the specified HTTP Method type to retrieve resources .DevTools Use all of the HTTP Method to fill in the drop-down list .
6. mime-type（mime type ： According to specified MIME Type of resource . DevTools Use all of the MIME Type fill drop-down list .
7. mixed-content（ Mixed content ： Show all mixed content resources （mixed-content:all） Or show only what is currently displayed （mixed-content:displayed）.
8. Scheme（ agreement ）： Show through unprotected HTTP（scheme:http） Or protected HTTPS（scheme:https） Retrieved resources .
9. set-cookie-domain（cookie Domain ）： The display has Set-Cookie head , And its Domain The resource whose property matches the specified value .DevTools Will automatically fill in the autocomplete drop-down menu with all the Cookie Domain .
10. set-cookie-name（cookie name ）： The display has Set-Cookie head , And the resource whose name matches the specified value .DevTools Will automatically fill in the autocomplete drop-down menu with all the Cookie name .
11. set-cookie-value（cookie value ）： The display has Set-Cookie head , And the resource whose value matches the specified value .DevTools Will automatically fill in the autocomplete drop-down menu with all the cookie value .
12. status-code（ Status code ）： Just show it HTTP Resources whose status code matches the specified code .DevTools It will automatically fill in all the status codes it encounters in the autocomplete drop-down menu .