Sekiro与Yakit热加载无痛绕Sign技术详解<\/h1>

1. 背景与问题概述<\/h2>

在Web安全与逆向工程中，经常会遇到需要绕过签名验证(sign)的场景。传统方法需要完整分析加密算法并还原加密链，但面临以下挑战：<\/p>

多层加密或自研算法<\/li>
代码混淆严重<\/li>
算法复杂度高<\/li>

存在反调试机制(如无限debugger)<\/li> <\/ul>

本文介绍基于Sekiro框架和Yakit热加载技术的无痛绕签方案，无需完全理解算法细节即可实现签名绕过。<\/p>

2. 技术原理<\/h2>

2.1 JSRPC技术<\/h3>

JSRPC(JavaScript Remote Procedure Call)是一种远程调用JavaScript函数的技术，其工作原理：<\/p>

在客户端(浏览器)注入JSRPC环境<\/li>
建立与JSRPC服务器的WebSocket连接<\/li>
注册需要调用的加解密函数<\/li>
服务器通过WebSocket发送调用请求<\/li>

客户端执行函数并返回结果<\/li> <\/ol>

2.2 Sekiro框架<\/h3>

Sekiro是基于JSRPC的封装框架，主要特点：<\/p>

提供稳定的WebSocket通信通道<\/li>
简化函数注册和调用流程<\/li>
支持多语言客户端调用<\/li>

内置负载均衡和故障转移<\/li> <\/ul>

3. 实战演示：绕过签名验证<\/h2>

3.1 目标分析<\/h3>

目标场景：实名认证接口<\/p>

无频率限制但存在签名验证<\/li>
关键参数：APP_TIME、APP_LICENSE_ID<\/li>
签名函数：dd()<\/li>

签名生成逻辑：

sign=dd(l + cl + r + s, r)<\/code>

l = APP_TIME<\/li>
cl = APP_LICENSE_ID<\/li>
r = appKey<\/li>
s = URL编码后的姓名和身份证号<\/li>
<\/ul>
<\/li>
<\/ul>
3.2 反调试绕过<\/h3>
目标网站设置了无限debugger反调试，绕过方法：<\/p>
var<\/span> _constructor<\/span> =<\/span> constructor<\/span>;
<\/span><\/span>Function.prototype<\/span>.constructor<\/span> =<\/span> function<\/span> (s<\/span>) {
<\/span><\/span>    if<\/span> (s<\/span> ==<\/span> "debugger"<\/span>){
<\/span><\/span>        console<\/span>.log<\/span>(s<\/span>)
<\/span><\/span>        return<\/span> null<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> _constructor<\/span>(s<\/span>)
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>配合Chrome开发者工具的"一律不在此处暂停"选项，可有效绕过。<\/p>
3.3 签名函数定位<\/h3>

通过删减参数法确定影响签名的参数<\/li>
在JS代码中搜索关键参数(APP_TIME、APP_LICENSE_ID)<\/li>
定位到签名函数dd()<\/li>
通过断点调试确认函数调用逻辑<\/li>
<\/ol>
3.4 Sekiro环境搭建<\/h3>

下载并启动Sekiro服务端(默认端口5612)<\/li>
在浏览器控制台注入以下代码(需修改4处关键点)：<\/li>
<\/ol>
\/\/ 修改1: WebSocket地址改为本地
<\/span><\/span><\/span>\/\/ 修改2: 自定义group名称
<\/span><\/span><\/span>\/\/ 修改3: 自定义action名称
<\/span><\/span><\/span>\/\/ 修改4: 实际业务逻辑
<\/span><\/span><\/span><\/span>
<\/span><\/span>(function<\/span>(){
<\/span><\/span>    var<\/span> client<\/span> =<\/span> new<\/span> SekiroClient<\/span>("ws:\/\/127.0.0.1:5612\/business\/register?group=wsyu9a&clientId="<\/span>+<\/span>Math.random<\/span>().toString<\/span>(36<\/span>).substr<\/span>(2<\/span>));
<\/span><\/span>    client<\/span>.registerAction<\/span>("signDecrypt"<\/span>,function<\/span>(request<\/span>, resolve<\/span>, reject<\/span>){
<\/span><\/span>        \/\/ 这里实现签名生成逻辑
<\/span><\/span><\/span><\/span>        var<\/span> result<\/span> =<\/span> dd<\/span>(request<\/span>['data1'<\/span>], request<\/span>['data2'<\/span>]);
<\/span><\/span>        resolve<\/span>(result<\/span>);
<\/span><\/span>    })
<\/span><\/span>})()
<\/span><\/span><\/code><\/pre>
将目标签名函数(dd)作用域提升至全局<\/li>
<\/ol>
3.5 Python客户端调用<\/h3>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>data =<\/span> {
<\/span><\/span>    "group"<\/span>: "wsyu9a"<\/span>,  # 与注册时一致<\/span>
<\/span><\/span>    "action"<\/span>: "signDecrypt"<\/span>,  # 与注册时一致<\/span>
<\/span><\/span>    "data1"<\/span>: "参数1"<\/span>,  # 对应dd函数第一个参数<\/span>
<\/span><\/span>    "data2"<\/span>: "参数2"<\/span>   # 对应dd函数第二个参数<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>res =<\/span> requests.<\/span>get("http:\/\/127.0.0.1:5612\/business\/invoke"<\/span>, params=<\/span>data)
<\/span><\/span>print(res.<\/span>text)
<\/span><\/span><\/code><\/pre>3.6 Yakit热加载实现<\/h3>
在Yakit中创建热加载脚本：<\/p>
signDecryot<\/span> =<\/span> func<\/span>(sfz<\/span>) {
<\/span><\/span>    APP_TIME<\/span> =<\/span> '1735326352548'<\/span>
<\/span><\/span>    APP_LICENSE_ID<\/span> =<\/span> '1730789038315978754'<\/span>
<\/span><\/span>    appKey<\/span> =<\/span> '9b5a1fa345624fdf937312eb93aabe4e'<\/span>
<\/span><\/span>    s<\/span>=<\/span>codec<\/span>.EscapeQueryUrl<\/span>('张三'<\/span>)+<\/span>'&'<\/span>+<\/span>sfz<\/span>+<\/span>'&'<\/span> 
<\/span><\/span>    
<\/span><\/span>    data1<\/span>=<\/span>APP_TIME<\/span>+<\/span>APP_LICENSE_ID<\/span>+<\/span>appKey<\/span>+<\/span>codec<\/span>.EncodeUrl<\/span>(s<\/span>)
<\/span><\/span>    data2<\/span>=<\/span>appKey<\/span>
<\/span><\/span>    
<\/span><\/span>    rsp<\/span> =<\/span> http<\/span>.Get<\/span>(f<\/span>"http:\/\/127.0.0.1:5612\/business\/invoke?group=wsyu9a111&action=signDecrypt&data1=${data1}&data2=${data2}"<\/span>)
<\/span><\/span>    return<\/span> json<\/span>.Find<\/span>(rsp<\/span>.Data<\/span>(), "$.data"<\/span>)
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 技术优势<\/h2>

无需逆向算法<\/strong>：直接调用目标网站的JS函数，无需理解内部实现<\/li>
实时生效<\/strong>：修改后立即生效，无需重启或重新部署<\/li>
跨语言调用<\/strong>：任何语言都可以通过HTTP\/WebSocket调用JS函数<\/li>
批量处理<\/strong>：可轻松实现批量自动化操作<\/li>
动态调试<\/strong>：结合浏览器调试工具，方便验证和调整<\/li>
<\/ol>
5. 注意事项<\/h2>

确保目标函数已提升至全局作用域<\/li>
保持Sekiro服务端稳定运行<\/li>
注意WebSocket连接的安全性(生产环境建议使用wss)<\/li>
对于频繁变更的签名算法，需要及时更新注册的函数<\/li>
合理设置超时和重试机制，避免因网络问题导致失败<\/li>
<\/ol>
6. 参考资源<\/h2>

Sekiro官方文档: https:\/\/sekiro.iinti.cn\/sekiro-doc\/<\/li>
双层mitmproxy代理实现自动化加解密<\/li>
JSRPC技术原理详解<\/li>
<\/ol>
通过这套方案，安全研究人员可以高效绕过复杂的签名验证机制，专注于核心业务逻辑的分析和测试。<\/p>