JS加密逆向分析教学文档<\/h1>

0x00 前言<\/h2>
JS加密逆向分析是前端安全与逆向工程领域的核心技术之一，主要针对网页、移动端H5或Electron等基于JavaScript运行的应用中，用于保护数据传输、接口请求、核心逻辑的加密机制，通过技术手段还原加密流程、推导加密算法、破解加密参数的一系列分析过程。<\/p>
在安全测试中，经常遇到接口存在越权漏洞但数据包被加密的情况，此时需要分析JS进行参数伪造和数据包构造。本文基于真实案例，详细讲解JS加密逆向分析的技术要点。<\/p>

0x01 JS加密逆向分析反调试对抗<\/h2>

靶场地址<\/h3>
http:\/\/www.loveli.com.cn\/see_bug_one?id=379<\/p>

反调试技术分析<\/h3>

反调试手段：<\/strong><\/p>

禁用快捷键和右键菜单<\/li>
持续触发debugger暂停<\/li>
通过窗口尺寸变化检测DevTools状态<\/li> <\/ol>
应对方法：<\/strong><\/p>

页面Ctrl+S保存源码到本地分析<\/li>
浏览器调试器中选择"一律不在此处暂停"<\/li> <\/ul>
JavaScript逆向分析流程<\/h3>
1. 数据隐藏机制<\/h4>
页面DOMContentLoaded时拼出隐藏节点#__k<\/code>：<\/p>
data-x<\/code>：存储被"插隔符+反转+Base64"处理的公钥数据<\/li> data-s<\/code>：存储分隔符（默认::<\/code>）<\/li> <\/ul> 2. 加密请求构造<\/h4> 默认id=2，用公钥对字符串"2"加密<\/li> 加密结果作为htccheck参数传给后端<\/li> <\/ul> 3. 公钥还原函数d()的实现<\/h4> \/\/ 还原流程： <\/span><\/span><\/span>\/\/ 1. 从data-x用data-s拼接 <\/span><\/span><\/span>\/\/ 2. 反转字符串 <\/span><\/span><\/span>\/\/ 3. Base64解码得到PEM文本 <\/span><\/span><\/span><\/code><\/pre>4. 加密算法核心<\/h4> 算法：RSA-OAEP(SHA-256)<\/li> 优先使用WebCrypto API，回退使用node-forge<\/li> 两条路径算法保持一致<\/li> <\/ul> 加密算法逆向步骤<\/h3> PEM公钥还原：<\/h4> 从data-x去掉分隔符::<\/code><\/li> 拼接为连续字符串<\/li> 整串反转<\/li> Base64解码得到标准PEM文本<\/li> <\/ol> 加密流程：<\/h4> 对明文"1"执行RSA-OAEP(SHA-256)加密<\/li> 对密文字节进行Base64编码<\/li> 得到htccheck参数值<\/li> <\/ol> 脚本实现<\/h3> # htccheck.py 用法：<\/span> <\/span><\/span># 生成id=1：python htccheck.py<\/span> <\/span><\/span># 生成任意id：python htccheck.py --id 2<\/span> <\/span><\/span><\/code><\/pre>0x02 JS加密加盐逆向分析案例<\/h2> 代码结构分析<\/h3> 常量定义（main.min.js）<\/h4> 常量数组存储在b中，通过r(idx)取值：<\/p> b<\/span>[0<\/span>] =<\/span> "-----BEGIN PUBLIC KEY-----"<\/span> <\/span><\/span>b<\/span>[1<\/span>] =<\/span> "-----END PUBLIC KEY-----"<\/span> <\/span><\/span>b<\/span>[2<\/span>] =<\/span> "spki"<\/span> <\/span><\/span>b<\/span>[3<\/span>] =<\/span> "RSA-OAEP"<\/span> <\/span><\/span>b<\/span>[4<\/span>] =<\/span> "SHA-256"<\/span> <\/span><\/span>b<\/span>[5<\/span>] =<\/span> "encrypt"<\/span> <\/span><\/span>b<\/span>[6<\/span>] =<\/span> "data-x"<\/span> <\/span><\/span>b<\/span>[7<\/span>] =<\/span> "data-s"<\/span> <\/span><\/span><\/code><\/pre>核心函数分析<\/h4> 1. c()函数 - 回退加载器<\/strong><\/p> 检测全局forge.pki是否存在<\/li> 依次尝试3个CDN动态加载node-forge<\/li> 成功resolve(true)，全部失败reject<\/li> <\/ul> 2. __resolvePem()函数 - PEM公钥还原<\/strong><\/p> function<\/span> __resolvePem<\/span>() { <\/span><\/span> const<\/span> element<\/span> =<\/span> document.getElementById<\/span>('__k'<\/span>); <\/span><\/span> if<\/span> (!<\/span>element<\/span>) return<\/span> ''<\/span>; <\/span><\/span> <\/span><\/span> const<\/span> dataX<\/span> =<\/span> element<\/span>.getAttribute<\/span>('data-x'<\/span>); <\/span><\/span> const<\/span> dataS<\/span> =<\/span> element<\/span>.getAttribute<\/span>('data-s'<\/span>) ||<\/span> '::'<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 还原流程： <\/span><\/span><\/span><\/span> \/\/ 1. 去掉分隔符拼接 <\/span><\/span><\/span><\/span> \/\/ 2. 字符串反转 <\/span><\/span><\/span><\/span> \/\/ 3. Base64解码 <\/span><\/span><\/span><\/span> return<\/span> atob<\/span>(dataX<\/span>.replace<\/span>(new<\/span> RegExp(dataS<\/span>, 'g'<\/span>), ''<\/span>).split<\/span>(''<\/span>).reverse<\/span>().join<\/span>(''<\/span>)); <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. rsaEncryptWithPEM()函数 - 加密主函数<\/strong><\/p> async<\/span> function<\/span> rsaEncryptWithPEM<\/span>(g<\/span>, h<\/span>) { <\/span><\/span> \/\/ 明文构造逻辑 <\/span><\/span><\/span><\/span> h<\/span> =<\/span> h<\/span> ||<\/span> "2"<\/span>; \/\/ 默认值 <\/span><\/span><\/span><\/span> h<\/span> =<\/span> h<\/span> +<\/span> "10086"<\/span>; \/\/ 加盐处理 <\/span><\/span><\/span><\/span> <\/span><\/span> \/\/ 加密实现... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>详细加密流程<\/h3> WebCrypto加密路径（优先）<\/h4> 步骤1：PEM预处理<\/strong><\/p> k<\/span> =<\/span> g<\/span>.trim<\/span>() <\/span><\/span> .replace<\/span>("-----BEGIN PUBLIC KEY-----"<\/span>, ""<\/span>) <\/span><\/span> .replace<\/span>("-----END PUBLIC KEY-----"<\/span>, ""<\/span>) <\/span><\/span> .replace<\/span>(\/\s+\/g<\/span>, ''<\/span>); <\/span><\/span><\/code><\/pre>步骤2：Base64转ArrayBuffer<\/strong><\/p> l<\/span> =<\/span> Uint8Array<\/span>.from<\/span>(atob<\/span>(k<\/span>), ch<\/span> => ch<\/span>.charCodeAt<\/span>(0<\/span>)); <\/span><\/span>const<\/span> buffer<\/span> =<\/span> l<\/span>.buffer<\/span>; <\/span><\/span><\/code><\/pre>步骤3：导入公钥<\/strong><\/p> const<\/span> publicKey<\/span> =<\/span> await<\/span> crypto<\/span>.subtle<\/span>.importKey<\/span>( <\/span><\/span> "spki"<\/span>, <\/span><\/span> buffer<\/span>, <\/span><\/span> { <\/span><\/span> name<\/span>:<\/span> "RSA-OAEP"<\/span>, <\/span><\/span> hash<\/span>:<\/span> "SHA-256"<\/span> <\/span><\/span> }, <\/span><\/span> false<\/span>, <\/span><\/span> ["encrypt"<\/span>] <\/span><\/span>); <\/span><\/span><\/code><\/pre>步骤4：明文编码与加密<\/strong><\/p> const<\/span> encoder<\/span> =<\/span> new<\/span> TextEncoder<\/span>(); <\/span><\/span>const<\/span> plaintextBytes<\/span> =<\/span> encoder<\/span>.encode<\/span>(h<\/span>); <\/span><\/span> <\/span><\/span>const<\/span> ciphertext<\/span> =<\/span> await<\/span> crypto<\/span>.subtle<\/span>.encrypt<\/span>( <\/span><\/span> { name<\/span>:<\/span> "RSA-OAEP"<\/span> }, <\/span><\/span> publicKey<\/span>, <\/span><\/span> plaintextBytes<\/span> <\/span><\/span>); <\/span><\/span> <\/span><\/span>\/\/ 转Base64输出 <\/span><\/span><\/span><\/span>const<\/span> uint8Array<\/span> =<\/span> new<\/span> Uint8Array<\/span>(ciphertext<\/span>); <\/span><\/span>const<\/span> htccheck<\/span> =<\/span> btoa<\/span>(String.fromCharCode<\/span>(...uint8Array<\/span>)); <\/span><\/span><\/code><\/pre>node-forge回退路径<\/h4> 步骤1：动态加载检测<\/strong><\/p> if<\/span> (typeof<\/span> forge<\/span> ===<\/span> 'undefined'<\/span>) { <\/span><\/span> await<\/span> c<\/span>(); \/\/ 加载node-forge <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>步骤2：PEM解析与加密<\/strong><\/p> const<\/span> publicKey<\/span> =<\/span> forge<\/span>.pki<\/span>.publicKeyFromPem<\/span>(g<\/span>); <\/span><\/span>const<\/span> plaintext<\/span> =<\/span> forge<\/span>.util<\/span>.encodeUtf8<\/span>(h<\/span>); <\/span><\/span> <\/span><\/span>const<\/span> cipherBytes<\/span> =<\/span> publicKey<\/span>.encrypt<\/span>(plaintext<\/span>, 'RSA-OAEP'<\/span>, { <\/span><\/span> md<\/span>:<\/span> forge<\/span>.md<\/span>.sha256<\/span>.create<\/span>(), <\/span><\/span> mgf1<\/span>:<\/span> forge<\/span>.mgf1<\/span>.create<\/span>(forge<\/span>.md<\/span>.sha256<\/span>.create<\/span>()) <\/span><\/span>}); <\/span><\/span> <\/span><\/span>const<\/span> htccheck<\/span> =<\/span> forge<\/span>.util<\/span>.encode64<\/span>(cipherBytes<\/span>); <\/span><\/span><\/code><\/pre>完整调用流程<\/h3> 获取PEM公钥<\/strong><\/li> <\/ol> const<\/span> pem<\/span> =<\/span> __resolvePem<\/span>(); <\/span><\/span><\/code><\/pre> 生成htccheck<\/strong><\/li> <\/ol> const<\/span> htccheck<\/span> =<\/span> await<\/span> rsaEncryptWithPEM<\/span>(pem<\/span>, prefix<\/span>); <\/span><\/span>\/\/ 不传prefix：默认明文"210086" <\/span><\/span><\/span>\/\/ 传"9"：明文"910086" <\/span><\/span><\/span><\/code><\/pre>其他文件说明<\/h3> beta.min.js<\/code>：生成sessionStorage.k1..k3<\/li> gamma.min.js<\/code>：设置window.__z<\/li> zeta.min.js<\/code>：设置window.__q<\/li> 注：这些文件主要起混淆作用，与核心加密逻辑无关<\/li> <\/ul> 0x03 关键技术要点总结<\/h2> 1. 反调试对抗技术<\/h3> 多维度检测调试环境<\/li> 需要掌握相应的绕过技巧<\/li> <\/ul> 2. 数据隐藏技术<\/h3> 分隔符插入<\/li> 字符串反转<\/li> Base64编码组合使用<\/li> <\/ul> 3. 加密算法要点<\/h3> 算法：RSA-OAEP with SHA-256<\/li> 双路径实现（WebCrypto + node-forge）<\/li> 加盐处理：明文拼接固定字符串"10086"<\/li> <\/ul> 4. 逆向分析步骤<\/h3> 识别加密参数（htccheck）<\/li> 定位加密函数调用<\/li> 分析公钥获取方式<\/li> 还原加密算法流程<\/li> 编写对应加密脚本<\/li> <\/ol> 5. 脚本开发要点<\/h3> 准确还原PEM公钥获取流程<\/li> 实现双加密路径兼容<\/li> 支持参数化输入（不同id值）<\/li> <\/ul> 通过掌握以上技术要点，可以系统性地分析和逆向JS加密实现，为安全测试和漏洞利用提供技术支撑。<\/p>

JS加密逆向分析教学文档<\/h1>

0x01 JS加密逆向分析反调试对抗<\/h2>

靶场地址<\/h3> http:\/\/www.loveli.com.cn\/see_bug_one?id=379<\/p>

JavaScript逆向分析流程<\/h3>

加密算法逆向步骤<\/h3>

0x02 JS加密加盐逆向分析案例<\/h2>

代码结构分析<\/h3>

详细加密流程<\/h3>

0x03 关键技术要点总结<\/h2>

5. 脚本开发要点<\/h3> 准确还原PEM公钥获取流程<\/li> 实现双加密路径兼容<\/li> 支持参数化输入（不同id值）<\/li> <\/ul> 通过掌握以上技术要点，可以系统性地分析和逆向JS加密实现，为安全测试和漏洞利用提供技术支撑。<\/p>

靶场地址<\/h3>
http:\/\/www.loveli.com.cn\/see_bug_one?id=379<\/p>

5. 脚本开发要点<\/h3>

准确还原PEM公钥获取流程<\/li>
实现双加密路径兼容<\/li>
支持参数化输入（不同id值）<\/li> <\/ul>
通过掌握以上技术要点，可以系统性地分析和逆向JS加密实现，为安全测试和漏洞利用提供技术支撑。<\/p>