某系统sign值JS逆向实战教学文档<\/h1>

一、背景分析<\/h2>
某系统接口存在sign签名验证机制，JS代码经过混淆处理，无法直接通过关键字搜索定位加密逻辑。<\/p>

二、逆向分析流程<\/h2>

1. 触发接口与断点定位<\/h3>

通过浏览器开发者工具的Initiator标签追踪接口调用栈<\/li>
在接口调用处设置断点进行调试分析<\/li>

发现接口参数和路径被赋值到变量t中<\/li> <\/ul>

2. 参数处理过程分析<\/h3>

u<\/span>(B<\/span>, e<\/span>)函数<\/span> \/\/ 疑似请求方法、接口路径和参数体的组合处理函数
<\/span><\/span><\/span><\/span>forEach<\/span>:<\/span> u<\/span>, merge<\/span> \/\/ 对参数进行循环遍历和合并操作
<\/span><\/span><\/span><\/code><\/pre>3. Cookie参数提取<\/h3>

从cookie中提取特定参数<\/li>
使用正则表达式进行模式匹配<\/li>
统计和遍历uid长度等操作<\/li>
<\/ul>
4. 加密算法识别<\/h3>
S函数<\/span> \/\/ 用于MD5加密
<\/span><\/span><\/span>\/\/ 加密对象为cookie中提取的键值对
<\/span><\/span><\/span><\/code><\/pre>5. 加密算法细节<\/h3>

字符串转换为32位整数数组的循环转换过程<\/li>
参数B的数据合并到当前对象中<\/li>
处理字节到32位整数的转换<\/li>
通过for循环进行多次加密编码<\/li>
<\/ul>
6. 数据格式转换<\/h3>
stringify方法<\/span> \/\/ 将包含二进制数据(words数组)的对象转换为十六进制字符串
<\/span><\/span><\/span><\/code><\/pre>7. Body参数处理<\/h3>

循环处理body中的参数<\/li>
与前面处理的参数进行拼接<\/li>
workname参数转换为类似MD5的加密字符串<\/li>
<\/ul>
8. Sign生成原理<\/h3>
经过调试分析得出：<\/p>
sign = md5(str(param) + md5(base))
<\/code><\/pre>
其中：<\/p>

param: 接口参数经过特定处理后的字符串<\/li>
base: 从cookie中提取的基准值<\/li>
<\/ul>
三、Python实现代码<\/h2>
1. MD5加密函数<\/h3>
import<\/span> hashlib
<\/span><\/span>import<\/span> json
<\/span><\/span>
<\/span><\/span>def<\/span> md5_encrypt<\/span>(text):
<\/span><\/span>    return<\/span> hashlib.<\/span>md5(text.<\/span>encode()).<\/span>hexdigest()
<\/span><\/span><\/code><\/pre>2. JSON解析与参数处理<\/h3>
def<\/span> parse_json_params<\/span>(json_str):
<\/span><\/span>    try<\/span>:
<\/span><\/span>        params =<\/span> json.<\/span>loads(json_str)
<\/span><\/span>        # 增强代码健壮性处理<\/span>
<\/span><\/span>        return<\/span> params
<\/span><\/span>    except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>        print(f<\/span>"JSON解析错误: <\/span>{<\/span>e}<\/span>"<\/span>)
<\/span><\/span>        return<\/span> {}
<\/span><\/span><\/code><\/pre>3. 参数字符串排序<\/h3>
def<\/span> sort_params<\/span>(params):
<\/span><\/span>    return<\/span> ''<\/span>.<\/span>join([f<\/span>'<\/span>{<\/span>k}{<\/span>v}<\/span>'<\/span> for<\/span> k, v in<\/span> sorted(params.<\/span>items())])
<\/span><\/span><\/code><\/pre>4. 完整Sign生成代码<\/h3>
def<\/span> generate_sign<\/span>(params, base_cookie):
<\/span><\/span>    """
<\/span><\/span><\/span>    生成sign签名
<\/span><\/span><\/span>    :param params: 接口参数字典
<\/span><\/span><\/span>    :param base_cookie: 从cookie中提取的基准值
<\/span><\/span><\/span>    :return: sign签名值
<\/span><\/span><\/span>    """<\/span>
<\/span><\/span>    # 参数排序拼接<\/span>
<\/span><\/span>    sorted_param_str =<\/span> sort_params(params)
<\/span><\/span>    
<\/span><\/span>    # base值的MD5加密<\/span>
<\/span><\/span>    base_md5 =<\/span> md5_encrypt(base_cookie)
<\/span><\/span>    
<\/span><\/span>    # 最终sign生成<\/span>
<\/span><\/span>    sign =<\/span> md5_encrypt(sorted_param_str +<\/span> base_md5)
<\/span><\/span>    
<\/span><\/span>    return<\/span> sign
<\/span><\/span><\/code><\/pre>5. 代码使用示例<\/h3>
# 示例参数<\/span>
<\/span><\/span>api_params =<\/span> {"key1"<\/span>: "value1"<\/span>, "key2"<\/span>: "value2"<\/span>}
<\/span><\/span>cookie_base =<\/span> "extracted_cookie_value"<\/span>
<\/span><\/span>
<\/span><\/span># 生成sign<\/span>
<\/span><\/span>signature =<\/span> generate_sign(api_params, cookie_base)
<\/span><\/span>print(f<\/span>"生成的sign: <\/span>{<\/span>signature}<\/span>"<\/span>)
<\/span><\/span><\/code><\/pre>四、验证与绕过<\/h2>
1. 认证测试<\/h3>

修改userid参数测试认证失败情况<\/li>
运行Python脚本计算正确的sign值<\/li>
将计算的sign值写入请求参数<\/li>
<\/ul>
2. 成功绕过<\/h3>

使用生成的sign值成功绕过系统验证<\/li>
确认逆向分析的正确性<\/li>
<\/ul>
五、关键要点总结<\/h2>

调试技巧<\/strong>：使用Initiator追踪接口调用栈是关键突破口<\/li>
参数处理<\/strong>：注意cookie参数和body参数的不同处理流程<\/li>
加密逻辑<\/strong>：识别出MD5加密的多层嵌套使用方式<\/li>
算法还原<\/strong>：准确分析出sign = md5(str(param) + md5(base))的生成逻辑<\/li>
代码实现<\/strong>：严格按照分析流程实现Python代码，确保一致性<\/li>
<\/ol>
六、注意事项<\/h2>

不同系统的sign生成逻辑可能不同，需要具体分析<\/li>
Cookie中的base值可能需要动态获取<\/li>
参数排序规则可能影响最终sign值<\/li>
注意编码格式的一致性（UTF-8）<\/li>
混淆JS代码需要耐心分析核心逻辑<\/li>
<\/ol>
通过以上完整的逆向分析和代码实现，可以成功破解该系统的sign验证机制，为后续的安全测试和漏洞挖掘提供基础。<\/p>

某系统sign值JS逆向实战教学文档<\/h1>

一、背景分析<\/h2> 某系统接口存在sign签名验证机制，JS代码经过混淆处理，无法直接通过关键字搜索定位加密逻辑。<\/p>

二、逆向分析流程<\/h2>

三、Python实现代码<\/h2>

四、验证与绕过<\/h2>

一、背景分析<\/h2>
某系统接口存在sign签名验证机制，JS代码经过混淆处理，无法直接通过关键字搜索定位加密逻辑。<\/p>