JS逆向：RSA加密分析实战教程<\/h1>

一、RSA加密基础认知<\/h2>

在进行JS逆向分析时，了解常见加密方法的特征至关重要：<\/p>

常见加密方法的密文长度特征<\/strong>：<\/p>

MD5加密：16位或32位<\/li>
SHA1加密：40位<\/li>
RSA加密：通常较长（128位以上），每次加密结果不同<\/li> <\/ul> <\/li>

RSA加密的典型JS实现模式<\/strong>：<\/p>
var<\/span> o<\/span> =<\/span> new<\/span> JSEncrypt<\/span>(); <\/span><\/span>o<\/span>.setPublicKey<\/span>("公钥内容"<\/span>); <\/span><\/span>o<\/span>.encrypt<\/span>("明文内容"<\/span>); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 二、案例一分析：gm99.com登录密码加密<\/h2> 1. 定位关键代码<\/h3> 直接搜索"password:"快速定位<\/li> 密码加密流程：a.encode(t.password, s)<\/code>，其中： t.password<\/code>：用户输入密码<\/li> s<\/code>：时间戳<\/li> <\/ul> <\/li> <\/ul> 2. 加密过程分析<\/h3> 使用jsencrypt库<\/li> 典型RSA加密三步：创建加密对象<\/li> 设置公钥<\/li> 执行加密<\/li> <\/ol> <\/li> <\/ul> 3. 代码扒取与复现<\/h3> 模块化代码处理<\/strong>：<\/p> 识别模块加载器（call()\/apply()方法）<\/li> 复制相关模块（本例中为模块3和模块4）<\/li> <\/ul> <\/li> 环境补全<\/strong>：<\/p> \/\/ Node.js环境下补全window对象 <\/span><\/span><\/span><\/span>var<\/span> window =<\/span> global<\/span>; <\/span><\/span> <\/span><\/span>\/\/ 浏览器环境补全 <\/span><\/span><\/span><\/span>var<\/span> navigator<\/span> =<\/span> { <\/span><\/span> userAgent<\/span>:<\/span> 'Mozilla\/5.0...'<\/span> <\/span><\/span>}; <\/span><\/span><\/code><\/pre><\/li> 常见报错处理<\/strong>：<\/p> "ASN1 is not defined"：需确保JS解码器环境<\/li> 在Node.js中应将window = this<\/code>改为window = global<\/code><\/li> <\/ul> <\/li> <\/ul> 三、案例二分析：minmetals.com.cn采购信息加密<\/h2> 1. 加密特征识别<\/h3> 加密参数param长度很长→RSA加密可能性大<\/li> 搜索setPublicKey<\/code>快速定位加密代码<\/li> <\/ul> 2. 加密流程解析<\/h3> 加密对象创建<\/strong>：<\/p> t<\/span> =<\/span> new<\/span> v<\/span>["a"<\/span>](); <\/span><\/span>t<\/span>.setPublicKey<\/span>(r<\/span>); \/\/ r为公钥 <\/span><\/span><\/span><\/code><\/pre><\/li> 参数构造<\/strong>：<\/p> a<\/span> =<\/span> m<\/span>({ <\/span><\/span> ...e<\/span>, \/\/ 原始数据对象 <\/span><\/span><\/span><\/span> sign<\/span>:<\/span> f<\/span>(JSON<\/span>.stringify<\/span>(e<\/span>), 32<\/span>), \/\/ MD5签名 <\/span><\/span><\/span><\/span> timeStamp<\/span>:<\/span> +<\/span>new<\/span> Date() \/\/ 时间戳 <\/span><\/span><\/span><\/span>}); <\/span><\/span><\/code><\/pre><\/li> 长文本加密<\/strong>：<\/p> s<\/span> =<\/span> t<\/span>.encryptLong<\/span>(JSON<\/span>.stringify<\/span>(a<\/span>)); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3. 关键组件分析<\/h3> MD5签名<\/strong>：<\/p> f(JSON.stringify(e), 32)<\/code>生成32位签名<\/li> 可通过在线MD5工具验证<\/li> <\/ul> <\/li> 时间戳<\/strong>：<\/p> +new Date()<\/code>获取当前时间戳<\/li> <\/ul> <\/li> 公钥获取<\/strong>：<\/p> 在Console中直接输出r<\/code>变量获取<\/li> <\/ul> <\/li> <\/ul> 4. Webpack模块处理<\/h3> 识别模块加载器<\/strong>：<\/p> v<\/span> =<\/span> gb<\/span>("9816"<\/span>); \/\/ 9816是模块ID <\/span><\/span><\/span><\/code><\/pre><\/li> 模块依赖分析<\/strong>：<\/p> 9816模块依赖a524模块<\/li> 需要完整复制所有依赖模块代码<\/li> <\/ul> <\/li> 方法补全顺序<\/strong>：<\/p> 先补全m<\/code>方法<\/li> 然后补全m<\/code>依赖的d<\/code>和b<\/code>方法<\/li> 最后补全encryptLong<\/code>及其依赖的w<\/code>方法<\/li> <\/ul> <\/li> <\/ol> 四、完整复现流程<\/h2> 1. 环境搭建<\/h3> \/\/ Node.js环境设置 <\/span><\/span><\/span><\/span>var<\/span> window =<\/span> global<\/span>; <\/span><\/span>var<\/span> navigator<\/span> =<\/span> { userAgent<\/span>:<\/span> 'Mozilla\/5.0...'<\/span> }; <\/span><\/span> <\/span><\/span>\/\/ 加载器设置 <\/span><\/span><\/span><\/span>var<\/span> gb<\/span>; <\/span><\/span>(function<\/span>(A<\/span>){...})({ <\/span><\/span> \/\/ 所有依赖模块 <\/span><\/span><\/span><\/span> a524<\/span>:<\/span> function<\/span>(e<\/span>) {...}, <\/span><\/span> 9816<\/span>:<\/span> function<\/span>(e<\/span>, t<\/span>, n<\/span>) {...} <\/span><\/span>}); <\/span><\/span><\/code><\/pre>2. 加密函数实现<\/h3> function<\/span> getParam<\/span>() { <\/span><\/span> \/\/ 1. 准备原始数据 <\/span><\/span><\/span><\/span> e<\/span> =<\/span> { <\/span><\/span> "inviteMethod"<\/span>:<\/span> ""<\/span>, <\/span><\/span> "businessClassfication"<\/span>:<\/span> ""<\/span>, <\/span><\/span> "mc"<\/span>:<\/span> ""<\/span>, <\/span><\/span> "lx"<\/span>:<\/span> "ZBGG"<\/span>, <\/span><\/span> "dwmc"<\/span>:<\/span> ""<\/span>, <\/span><\/span> "pageIndex"<\/span>:<\/span> 1<\/span> <\/span><\/span> }; <\/span><\/span> <\/span><\/span> \/\/ 2. 设置公钥 <\/span><\/span><\/span><\/span> r<\/span> =<\/span> '-----BEGIN PUBLIC KEY-----\n...'<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 3. MD5签名方法 <\/span><\/span><\/span><\/span> function<\/span> f<\/span>(string<\/span>, bit<\/span>) {...} <\/span><\/span> <\/span><\/span> \/\/ 4. 辅助方法 <\/span><\/span><\/span><\/span> function<\/span> b<\/span>(A<\/span>, e<\/span>, t<\/span>) {...} <\/span><\/span> function<\/span> w<\/span>(A<\/span>) {...} <\/span><\/span> function<\/span> d<\/span>(A<\/span>, e<\/span>) {...} <\/span><\/span> <\/span><\/span> \/\/ 5. 参数构造方法 <\/span><\/span><\/span><\/span> function<\/span> m<\/span>(A<\/span>) { <\/span><\/span> return<\/span> { <\/span><\/span> ...A<\/span>, <\/span><\/span> sign<\/span>:<\/span> f<\/span>(JSON<\/span>.stringify<\/span>(A<\/span>), 32<\/span>), <\/span><\/span> timeStamp<\/span>:<\/span> +<\/span>new<\/span> Date() <\/span><\/span> }; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 6. 执行加密 <\/span><\/span><\/span><\/span> v<\/span> =<\/span> gb<\/span>("9816"<\/span>); <\/span><\/span> t<\/span> =<\/span> new<\/span> v<\/span>["a"<\/span>](); <\/span><\/span> v<\/span>["a"<\/span>].prototype<\/span>.encryptLong<\/span> =<\/span> function<\/span>(A<\/span>) {...}; <\/span><\/span> t<\/span>.setPublicKey<\/span>(r<\/span>); <\/span><\/span> <\/span><\/span> a<\/span> =<\/span> m<\/span>(m<\/span>({}, e<\/span>)); <\/span><\/span> s<\/span> =<\/span> t<\/span>.encryptLong<\/span>(JSON<\/span>.stringify<\/span>(a<\/span>)); <\/span><\/span> return<\/span> s<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 执行验证<\/h3> a<\/span> =<\/span> getParam<\/span>(); <\/span><\/span>console<\/span>.log<\/span>(a<\/span>); <\/span><\/span><\/code><\/pre>五、关键技巧总结<\/h2> 快速定位技巧<\/strong>：<\/p> 搜索关键词：password<\/code>, encrypt<\/code>, setPublicKey<\/code><\/li> 观察网络请求中的加密参数特征<\/li> <\/ul> <\/li> 模块化代码处理<\/strong>：<\/p> 识别加载器（通常包含call\/apply）<\/li> 按需复制依赖模块<\/li> 注意模块ID类型（数字不加引号，字符串需加引号）<\/li> <\/ul> <\/li> 环境补全原则<\/strong>：<\/p> 浏览器对象：window, navigator, document等<\/li> Node.js环境特殊处理：window = global<\/code><\/li> <\/ul> <\/li> 调试技巧<\/strong>：<\/p> 在关键位置打debugger断点<\/li> 使用Console输出中间变量值<\/li> 对比在线加密工具验证加密结果<\/li> <\/ul> <\/li> 加密方法识别<\/strong>：<\/p> 通过密文长度初步判断<\/li> 观察是否有设置公钥\/私钥的操作<\/li> 注意是否有初始化向量(IV)等特征<\/li> <\/ul> <\/li> <\/ol> 通过以上详细分析和步骤拆解，可以系统性地掌握JS逆向中RSA加密的分析方法和复现技巧。实际应用中需根据具体网站情况灵活调整策略。<\/p>